I have an issue when trying to import ecdsa-p256 private key to Vault transit.
I’m testing it with a Vault server running locally and the transit engine enabled:

```
vault server -dev -dev-root-token-id root
vault secrets enable transit
```
My Vault version is:

```
Vault v1.13.0 (a4cf0dc4437de35fce4860857b64569d092a9b5a), built 2023-03-01T14:58:13Z
```
Steps to reproduce:
```
openssl ecparam -genkey -name secp256r1 -out private_key.pem
openssl ec -in private_key.pem -outform DER -out private_key.der
base64 -i private_key.der > private_key.base64
vault transit import transit/keys/test-key-imported @private_key.base64 type=ecdsa-p256
```
I get the following output:
```
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
failed to call import:Error making API request.

URL: PUT http://127.0.0.1:8200/v1/transit/keys/test-key-imported/import
Code: 500. Errors:

* 1 error occurred:
	* error importing key: error parsing asymmetric key: x509: failed to parse private key (use ParseECPrivateKey instead for this key format)
```
I would expect the key to be successfully imported.
Looking at the error description it looks like Vault is wrongly calling
x509.ParsePKCS8PrivateKey(key) instead of x509.ParseECPrivateKey(key) for the type (https://github.com/hashicorp/vault/blob/6bb1f6a9046a0dc1d301cf2d2a8191bbe81fe4c8/sdk/helper/keysutil/policy.go#L1463)
Or is it me doing something wrong?
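An added example, not part of the original report and not Vault's own code: a small Go check that tells apart the two DER containers an EC private key can be in (SEC1, which `openssl ec -outform DER` emits, versus PKCS#8, which `x509.ParsePKCS8PrivateKey` at the linked line accepts) and rewraps a SEC1 key as PKCS#8 before it is base64-encoded and handed to `vault transit import`. Helper names are hypothetical; the sample key is generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Unwrap accepts either PEM (e.g. private_key.pem) or raw DER and returns DER.
func Unwrap(b []byte) []byte {
	if blk, _ := pem.Decode(b); blk != nil {
		return blk.Bytes
	}
	return b
}

// ClassifyECDER reports "pkcs8", "sec1" or "unknown" for an EC private key in DER.
func ClassifyECDER(der []byte) string {
	if _, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		return "pkcs8"
	}
	if _, err := x509.ParseECPrivateKey(der); err == nil {
		return "sec1"
	}
	return "unknown"
}

// PKCS8ParseError mirrors the parse step from the error above: it returns the
// message x509.ParsePKCS8PrivateKey produces, or "" when parsing succeeds.
func PKCS8ParseError(der []byte) string {
	if _, err := x509.ParsePKCS8PrivateKey(der); err != nil {
		return err.Error()
	}
	return ""
}

// ToPKCS8 rewraps a SEC1 DER key as PKCS#8 DER (what `openssl pkcs8 -topk8
// -nocrypt` does); PKCS#8 input is returned unchanged.
func ToPKCS8(der []byte) ([]byte, error) {
	switch ClassifyECDER(der) {
	case "pkcs8":
		return der, nil
	case "sec1":
		key, err := x509.ParseECPrivateKey(der)
		if err != nil {
			return nil, err
		}
		return x509.MarshalPKCS8PrivateKey(key)
	}
	return nil, fmt.Errorf("input is not an EC private key in SEC1 or PKCS#8 DER")
}

func main() {
	// Constructed sample: a fresh P-256 key serialised as SEC1 DER, the same
	// container `openssl ec -outform DER` writes to private_key.der.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sec1, _ := x509.MarshalECPrivateKey(key)
	fmt.Println("SEC1 via PKCS#8 parser:", PKCS8ParseError(sec1))
	p8, _ := ToPKCS8(Unwrap(sec1))
	fmt.Println("after rewrap:", ClassifyECDER(p8))
}
```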