Describe the bug
Since Vault 1.19.x, ed25519 keys cannot be used to sign pre-hashed content anymore via the Transit engine.
Last known working version is 1.18.4. Version 1.20.4, which contains a fix for #30665, unfortunately did not solve this problem.
To Reproduce
Assuming you have docker or podman installed along with Python, the following Python snippet is a self-contained test to check for the bug:
```python
#!/usr/bin/env python3
# you need testcontainers installed: e.g. `pip install testcontainers`
import base64
import hashlib
import requests
from testcontainers.vault import VaultContainer

# VERSION_TO_TEST = "1.18.4"  # this version is fine
VERSION_TO_TEST = "1.20.4"  # this version has the issue

with VaultContainer(f"hashicorp/vault:{VERSION_TO_TEST}") as vault:
    base_url = vault.get_connection_url() + "/v1"
    headers = {"X-Vault-Token": vault.root_token, "Content-Type": "application/json"}
    # Enable the Transit secrets engine at the default mount path
    requests.post(f"{base_url}/sys/mounts/transit", json={"type": "transit"}, headers=headers)
    # Create ed25519 key
    requests.post(f"{base_url}/transit/keys/test-key", json={"type": "ed25519"}, headers=headers)
    # Try to sign with key: pre-hash the text with SHA-512 and send the digest
    text = b"This text should be signed"
    digest = base64.b64encode(hashlib.sha512(text).digest()).decode('ascii')
    response = requests.post(
        f"{base_url}/transit/sign/test-key",
        json={"prehashed": True, "input": digest, "hash_algorithm": "sha2-512"},
        headers=headers
    )
    print(f"Status: {response.status_code}")
    print(f"Response: {response.json()}")
```
Expected behavior
Receive a signature back from the /transit/sign/test-key endpoint, as happened before 1.19.0.
Environment:
- Vault Server Version: 1.20.4
- Vault CLI Version: N/A
- Server Operating System/Architecture: Debian 13 "trixie" (but reproducible also on other Linux OSes)
Vault server configuration file(s): stock official container with default configuration.