Merge pull request #468 from smallstep/mariano/aws-rsa384

Add missing signature algorithms for awskms

Author: maraino

kms/awskms/awskms.go

@@ -46,6 +46,12 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
 		3072: types.KeySpecRsa3072,
 		4096: types.KeySpecRsa4096,
 	},
+	apiv1.SHA384WithRSA: map[int]types.KeySpec{
+		0:    types.KeySpecRsa3072,
+		2048: types.KeySpecRsa2048,
+		3072: types.KeySpecRsa3072,
+		4096: types.KeySpecRsa4096,
+	},
 	apiv1.SHA512WithRSA: map[int]types.KeySpec{
 		0:    types.KeySpecRsa3072,
 		2048: types.KeySpecRsa2048,
@@ -58,6 +64,12 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
 		3072: types.KeySpecRsa3072,
 		4096: types.KeySpecRsa4096,
 	},
+	apiv1.SHA384WithRSAPSS: map[int]types.KeySpec{
+		0:    types.KeySpecRsa3072,
+		2048: types.KeySpecRsa2048,
+		3072: types.KeySpecRsa3072,
+		4096: types.KeySpecRsa4096,
+	},
 	apiv1.SHA512WithRSAPSS: map[int]types.KeySpec{
 		0:    types.KeySpecRsa3072,
 		2048: types.KeySpecRsa2048,

kms/awskms/awskms_test.go

@@ -371,6 +371,10 @@ func Test_getCustomerMasterKeySpecMapping(t *testing.T) {
 		{"SHA256WithRSA+2048", args{apiv1.SHA256WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
 		{"SHA256WithRSA+3072", args{apiv1.SHA256WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
 		{"SHA256WithRSA+4096", args{apiv1.SHA256WithRSA, 4096}, types.KeySpecRsa4096, assert.NoError},
+		{"SHA384WithRSA", args{apiv1.SHA384WithRSA, 0}, types.KeySpecRsa3072, assert.NoError},
+		{"SHA384WithRSA+2048", args{apiv1.SHA384WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
+		{"SHA384WithRSA+3072", args{apiv1.SHA384WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
+		{"SHA384WithRSA+4096", args{apiv1.SHA384WithRSA, 4096}, types.KeySpecRsa4096, assert.NoError},
 		{"SHA512WithRSA", args{apiv1.SHA512WithRSA, 0}, types.KeySpecRsa3072, assert.NoError},
 		{"SHA512WithRSA+2048", args{apiv1.SHA512WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
 		{"SHA512WithRSA+3072", args{apiv1.SHA512WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
@@ -379,6 +383,10 @@ func Test_getCustomerMasterKeySpecMapping(t *testing.T) {
 		{"SHA256WithRSAPSS+2048", args{apiv1.SHA256WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
 		{"SHA256WithRSAPSS+3072", args{apiv1.SHA256WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
 		{"SHA256WithRSAPSS+4096", args{apiv1.SHA256WithRSAPSS, 4096}, types.KeySpecRsa4096, assert.NoError},
+		{"SHA384WithRSAPSS", args{apiv1.SHA384WithRSAPSS, 0}, types.KeySpecRsa3072, assert.NoError},
+		{"SHA384WithRSAPSS+2048", args{apiv1.SHA384WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
+		{"SHA384WithRSAPSS+3072", args{apiv1.SHA384WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
+		{"SHA384WithRSAPSS+4096", args{apiv1.SHA384WithRSAPSS, 4096}, types.KeySpecRsa4096, assert.NoError},
 		{"SHA512WithRSAPSS", args{apiv1.SHA512WithRSAPSS, 0}, types.KeySpecRsa3072, assert.NoError},
 		{"SHA512WithRSAPSS+2048", args{apiv1.SHA512WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
 		{"SHA512WithRSAPSS+3072", args{apiv1.SHA512WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},

kms/mackms/mackms.go

@@ -402,7 +402,7 @@ func (k *MacKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([
 
 	cert, err := loadCertificate(u.label, u.serialNumber, nil)
 	if err != nil {
-		return nil, fmt.Errorf("mackms LoadCertificateChain failed1: %w", apiv1Error(err))
+		return nil, fmt.Errorf("mackms LoadCertificateChain failed: %w", apiv1Error(err))
 	}
 
 	chain := []*x509.Certificate{cert}
@@ -424,6 +424,7 @@ func (k *MacKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([
 		chain = append(chain, cert)
 	}
 
+	//nolint:nilerr // return only the intermediates present in keychain
 	return chain, nil
 }