Merge branch 'main' into vault-32676-add-vault-license-check-info-to-…

…system-view-plugin-env

builtin/logical/transit/path_keys.go

@@ -135,6 +135,16 @@ key.`,
 				Description: `The parameter set to use. Applies to ML-DSA and SLH-DSA key types.
 For ML-DSA key types, valid values are 44, 65, or 87.`,
 			},
+			"hybrid_key_type_pqc": {
+				Type: framework.TypeString,
+				Description: `The key type of the post-quantum key to use for hybrid signature schemes.
+Supported types are: ML-DSA.`,
+			},
+			"hybrid_key_type_ec": {
+				Type: framework.TypeString,
+				Description: `The key type of the elliptic curve key to use for hybrid signature schemes.
+Supported types are: ecdsa-p256, ecdsa-p384, ecdsa-p521.`,
+			},
 		},
 
 		Operations: map[logical.Operation]framework.OperationHandler{
@@ -184,6 +194,8 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 	managedKeyName := d.Get("managed_key_name").(string)
 	managedKeyId := d.Get("managed_key_id").(string)
 	parameterSet := d.Get("parameter_set").(string)
+	pqcKeyType := d.Get("hybrid_key_type_pqc").(string)
+	ecKeyType := d.Get("hybrid_key_type_ec").(string)
 
 	if autoRotatePeriod != 0 && autoRotatePeriod < time.Hour {
 		return logical.ErrorResponse("auto rotate period must be 0 to disable or at least an hour"), nil
@@ -241,6 +253,16 @@ func (b *backend) pathPolicyWrite(ctx context.Context, req *logical.Request, d *
 			return logical.ErrorResponse(fmt.Sprintf("invalid parameter set %s for key type %s", parameterSet, keyType)), logical.ErrInvalidRequest
 		}
 
+		polReq.ParameterSet = parameterSet
+	case "hybrid":
+		polReq.KeyType = keysutil.KeyType_HYBRID
+
+		var err error
+		polReq.HybridConfig, err = getHybridKeyConfig(pqcKeyType, parameterSet, ecKeyType)
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf("invalid config for hybrid key: %s", err)), logical.ErrInvalidRequest
+		}
+
 		polReq.ParameterSet = parameterSet
 	default:
 		return logical.ErrorResponse(fmt.Sprintf("unknown key type %v", keyType)), logical.ErrInvalidRequest
@@ -393,6 +415,11 @@ func (b *backend) formatKeyPolicy(p *keysutil.Policy, context []byte) (*logical.
 		resp.Data["parameter_set"] = p.ParameterSet
 	}
 
+	if p.Type == keysutil.KeyType_HYBRID {
+		resp.Data["hybrid_key_type_pqc"] = p.HybridConfig.PQCKeyType.String()
+		resp.Data["hybrid_key_type_ec"] = p.HybridConfig.ECKeyType.String()
+	}
+
 	switch p.Type {
 	case keysutil.KeyType_AES128_GCM96, keysutil.KeyType_AES256_GCM96, keysutil.KeyType_ChaCha20_Poly1305:
 		retKeys := map[string]int64{}
@@ -401,7 +428,7 @@ func (b *backend) formatKeyPolicy(p *keysutil.Policy, context []byte) (*logical.
 		}
 		resp.Data["keys"] = retKeys
 
-	case keysutil.KeyType_ECDSA_P256, keysutil.KeyType_ECDSA_P384, keysutil.KeyType_ECDSA_P521, keysutil.KeyType_ED25519, keysutil.KeyType_RSA2048, keysutil.KeyType_RSA3072, keysutil.KeyType_RSA4096, keysutil.KeyType_ML_DSA:
+	case keysutil.KeyType_ECDSA_P256, keysutil.KeyType_ECDSA_P384, keysutil.KeyType_ECDSA_P521, keysutil.KeyType_ED25519, keysutil.KeyType_RSA2048, keysutil.KeyType_RSA3072, keysutil.KeyType_RSA4096, keysutil.KeyType_ML_DSA, keysutil.KeyType_HYBRID:
 		retKeys := map[string]map[string]interface{}{}
 		for k, v := range p.Keys {
 			key := asymKey{
@@ -488,6 +515,36 @@ func (b *backend) pathPolicyDelete(ctx context.Context, req *logical.Request, d
 	return nil, nil
 }
 
+func getHybridKeyConfig(pqcKeyType, parameterSet, ecKeyType string) (keysutil.HybridKeyConfig, error) {
+	config := keysutil.HybridKeyConfig{}
+
+	switch pqcKeyType {
+	case "ml-dsa":
+		config.PQCKeyType = keysutil.KeyType_ML_DSA
+
+		if parameterSet != keysutil.ParameterSet_ML_DSA_44 &&
+			parameterSet != keysutil.ParameterSet_ML_DSA_65 &&
+			parameterSet != keysutil.ParameterSet_ML_DSA_87 {
+			return keysutil.HybridKeyConfig{}, fmt.Errorf("invalid parameter set %s for key type %s", parameterSet, pqcKeyType)
+		}
+	default:
+		return keysutil.HybridKeyConfig{}, fmt.Errorf("invalid PQC key type: %s", pqcKeyType)
+	}
+
+	switch ecKeyType {
+	case "ecdsa-p256":
+		config.ECKeyType = keysutil.KeyType_ECDSA_P256
+	case "ecdsa-p384":
+		config.ECKeyType = keysutil.KeyType_ECDSA_P384
+	case "ecdsa-p521":
+		config.ECKeyType = keysutil.KeyType_ECDSA_P521
+	default:
+		return keysutil.HybridKeyConfig{}, fmt.Errorf("invalid key type for hybrid key: %s", ecKeyType)
+	}
+
+	return config, nil
+}
+
 const pathPolicyHelpSyn = `Managed named encryption keys`
 
 const pathPolicyHelpDesc = `

builtin/logical/transit/path_keys_test.go

@@ -254,6 +254,42 @@ func TestTransit_CreateKey(t *testing.T) {
 			creationParams: map[string]interface{}{"type": "ml-dsa", "parameter_set": "87"},
 			entOnly:        true,
 		},
+		"Hybrid ML-DSA-44-ECDSA-P256": {
+			creationParams: map[string]interface{}{"type": "hybrid", "parameter_set": "44", "hybrid_key_type_ec": "ecdsa-p256", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-44-ECDSA-P384": {
+			creationParams: map[string]interface{}{"type": "hybrid", "parameter_set": "44", "hybrid_key_type_ec": "ecdsa-p384", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-44-ECDSA-P521": {
+			creationParams: map[string]interface{}{"type": "hybrid", "parameter_set": "44", "hybrid_key_type_ec": "ecdsa-p521", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-65-ECDSA-P256": {
+			creationParams: map[string]interface{}{"type": "ml-dsa", "parameter_set": "65", "hybrid_key_type_ec": "ecdsa-p256", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-65-ECDSA-P384": {
+			creationParams: map[string]interface{}{"type": "ml-dsa", "parameter_set": "65", "hybrid_key_type_ec": "ecdsa-p384", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-65-ECDSA-P521": {
+			creationParams: map[string]interface{}{"type": "ml-dsa", "parameter_set": "65", "hybrid_key_type_ec": "ecdsa-p521", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-87-ECDSA-P256": {
+			creationParams: map[string]interface{}{"type": "ml-dsa", "parameter_set": "87", "hybrid_key_type_ec": "ecdsa-p256", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-87-ECDSA-P384": {
+			creationParams: map[string]interface{}{"type": "ml-dsa", "parameter_set": "87", "hybrid_key_type_ec": "ecdsa-p384", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
+		"Hybrid ML-DSA-87-ECDSA-P521": {
+			creationParams: map[string]interface{}{"type": "ml-dsa", "parameter_set": "87", "hybrid_key_type_ec": "ecdsa-p521", "hybrid_key_type_pqc": "ml-dsa"},
+			entOnly:        true,
+		},
 		"bad key type": {
 			creationParams: map[string]interface{}{"type": "fake-key-type"},
 			shouldError:    true,

changelog/29117.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+core/seal (enterprise): Fix decryption of the raft bootstrap challenge when using seal high availability.
+```

changelog/29128.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+vault/diagnose: Fix time to expiration reporting within the TLS verification to not be a month off.
+```

changelog/29131.txt

@@ -0,0 +1,3 @@
+```release-note:change
+secrets/openldap: Update plugin to v0.14.4
+```

command/operator_diagnose_test.go

@@ -10,11 +10,13 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 
 	"github.com/hashicorp/cli"
 	"github.com/hashicorp/vault/helper/constants"
+	pkihelper "github.com/hashicorp/vault/helper/testhelpers/pki"
 	"github.com/hashicorp/vault/vault/diagnose"
 )
 
@@ -31,8 +33,55 @@ func testOperatorDiagnoseCommand(tb testing.TB) *OperatorDiagnoseCommand {
 	}
 }
 
+func generateTLSConfigOk(t *testing.T, ca pkihelper.LeafWithIntermediary) string {
+	t.Helper()
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "tls_config_ok.hcl")
+
+	templateFile := "./server/test-fixtures/tls_config_ok.hcl"
+	contents, err := os.ReadFile(templateFile)
+	if err != nil {
+		t.Fatalf("failed to read file %s: %v", templateFile, err)
+	}
+	contents = []byte(strings.ReplaceAll(string(contents), "{REPLACE_LEAF_CERT_FILE}", ca.Leaf.CertFile))
+	contents = []byte(strings.ReplaceAll(string(contents), "{REPLACE_LEAF_KEY_FILE}", ca.Leaf.KeyFile))
+
+	err = os.WriteFile(configPath, contents, 0o644)
+	if err != nil {
+		t.Fatalf("failed to write file %s: %v", configPath, err)
+	}
+
+	return configPath
+}
+
+func generateTransitTLSCheck(t *testing.T, ca pkihelper.LeafWithIntermediary) string {
+	t.Helper()
+	tmpDir := t.TempDir()
+	configPath := filepath.Join(tmpDir, "diagnose_seal_transit_tls_check.hcl")
+
+	templateFile := "./server/test-fixtures/diagnose_seal_transit_tls_check.hcl"
+	contents, err := os.ReadFile(templateFile)
+	if err != nil {
+		t.Fatalf("failed to read file %s: %v", templateFile, err)
+	}
+	contents = []byte(strings.ReplaceAll(string(contents), "{REPLACE_LEAF_CERT_FILE}", ca.Leaf.CertFile))
+	contents = []byte(strings.ReplaceAll(string(contents), "{REPLACE_LEAF_KEY_FILE}", ca.Leaf.KeyFile))
+	contents = []byte(strings.ReplaceAll(string(contents), "{REPLACE_COMBINED_CA_CHAIN_FILE}", ca.CombinedCaFile))
+
+	err = os.WriteFile(configPath, contents, 0o644)
+	if err != nil {
+		t.Fatalf("failed to write file %s: %v", configPath, err)
+	}
+
+	return configPath
+}
+
 func TestOperatorDiagnoseCommand_Run(t *testing.T) {
 	t.Parallel()
+	testca := pkihelper.GenerateCertWithIntermediaryRoot(t)
+	tlsConfigOkConfigFile := generateTLSConfigOk(t, testca)
+	transitTLSCheckConfigFile := generateTransitTLSCheck(t, testca)
+
 	cases := []struct {
 		name     string
 		args     []string
@@ -349,7 +398,7 @@ func TestOperatorDiagnoseCommand_Run(t *testing.T) {
 		{
 			"diagnose_listener_config_ok",
 			[]string{
-				"-config", "./server/test-fixtures/tls_config_ok.hcl",
+				"-config", tlsConfigOkConfigFile,
 			},
 			[]*diagnose.Result{
 				{
@@ -461,7 +510,7 @@ func TestOperatorDiagnoseCommand_Run(t *testing.T) {
 		{
 			"diagnose_seal_transit_tls_check_fail",
 			[]string{
-				"-config", "./server/test-fixtures/diagnose_seal_transit_tls_check.hcl",
+				"-config", transitTLSCheckConfigFile,
 			},
 			[]*diagnose.Result{
 				{

command/server/test-fixtures/diagnose_seal_transit_tls_check.hcl

@@ -20,9 +20,9 @@ backend "consul" {
 seal "transit" {
 
   // TLS Configuration
-  tls_ca_cert        = "./../vault/diagnose/test-fixtures/chain.crt.pem"
-  tls_client_cert    = "./../vault/diagnose/test-fixtures/goodcertwithroot.pem"
-  tls_client_key     = "./../vault/diagnose//test-fixtures/goodkey.pem"
+  tls_ca_cert        = "{REPLACE_COMBINED_CA_CHAIN_FILE}"
+  tls_client_cert    = "{REPLACE_LEAF_CERT_FILE}"
+  tls_client_key     = "{REPLACE_LEAF_KEY_FILE}"
   tls_server_name    = "vault"
   tls_skip_verify    = "false"
 }

command/server/test-fixtures/tls_config_ok.hcl

@@ -8,8 +8,8 @@ ui = true
 
 listener "tcp" {
     address = "127.0.0.1:1025"
-    tls_cert_file = "./../api/test-fixtures/keys/cert.pem"
-    tls_key_file = "./../api/test-fixtures/keys/key.pem"
+    tls_cert_file = "{REPLACE_LEAF_CERT_FILE}"
+    tls_key_file = "{REPLACE_LEAF_KEY_FILE}"
 }
 
 backend "consul" {

go.mod

@@ -100,7 +100,6 @@ require (
 	github.com/hashicorp/go-rootcerts v1.0.2
 	github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
-	github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0
 	github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1
 	github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2
 	github.com/hashicorp/go-secure-stdlib/mlock v0.1.3
@@ -151,7 +150,7 @@ require (
 	github.com/hashicorp/vault-plugin-secrets-kubernetes v0.9.0
 	github.com/hashicorp/vault-plugin-secrets-kv v0.20.0
 	github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.13.0
-	github.com/hashicorp/vault-plugin-secrets-openldap v0.14.3
+	github.com/hashicorp/vault-plugin-secrets-openldap v0.14.4
 	github.com/hashicorp/vault-plugin-secrets-terraform v0.10.0
 	github.com/hashicorp/vault-testing-stepwise v0.3.2
 	github.com/hashicorp/vault/api v1.15.0
@@ -239,6 +238,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.1.0 // indirect
 	github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect
+	github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect
 	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect

go.sum

@@ -1602,8 +1602,8 @@ github.com/hashicorp/vault-plugin-secrets-kv v0.20.0 h1:p1RVmd4x1rgGK0tN8DDu21J2
 github.com/hashicorp/vault-plugin-secrets-kv v0.20.0/go.mod h1:bCpMggD3Z0+H+3dOmTCoQjBHC53jA08lPqOLmFrHBi8=
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.13.0 h1:BeDS7luTeOW0braIbtuyairFF8SEz7k3nvi9e+mJ2Ok=
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.13.0/go.mod h1:sprde+S70PBIbgOLUAKDxR+xNF714ksBBVh77O3hnWc=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.14.3 h1:HY8q7qVmhtBYiNa5K24wws72jPjwzkSuAt7LwkRcT8Q=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.14.3/go.mod h1:wqOf/QJqrrNXjnm0eLUnm5Ju9s/LIZUl6wEKmnFL9Uo=
+github.com/hashicorp/vault-plugin-secrets-openldap v0.14.4 h1:BA5gf+itQ4FtEg4gyXvEZW0ioRCSUNnO3+XBrxDNi9A=
+github.com/hashicorp/vault-plugin-secrets-openldap v0.14.4/go.mod h1:mdECWDLyILokYVpdBgwvHWkPJ+cEnSTxR6yDT0TBS98=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.10.0 h1:YzOJrpuDRNrw5SQ4i7IEjedF40I/7ejupQy+gAyQ6Zg=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.10.0/go.mod h1:j2nbB//xAQMD+5JivVDalwDEyzJY3AWzKIkw6k65xJQ=
 github.com/hashicorp/vault-testing-stepwise v0.3.2 h1:FCe0yrbK/hHiHqzu7utLcvCTTKjghWHyXwOQ2lxfoQM=