Rename some Transit wrapping key variables. Ensure the Transit wrapping key is...

Rename some Transit wrapping key variables. Ensure the Transit wrapping key is correctly typed and formatted in a unit test.

builtin/logical/transit/path_wrapping_key.go

@@ -48,9 +48,9 @@ func (b *backend) pathWrappingKeyRead(ctx context.Context, req *logical.Request,
 		p.Unlock()
 	}
 
-	rsaPublicKey := p.Keys[strconv.Itoa(p.LatestVersion)]
+	wrappingKey := p.Keys[strconv.Itoa(p.LatestVersion)]
 
-	derBytes, err := x509.MarshalPKIXPublicKey(rsaPublicKey.RSAKey.Public())
+	derBytes, err := x509.MarshalPKIXPublicKey(wrappingKey.RSAKey.Public())
 	if err != nil {
 		return nil, fmt.Errorf("error marshaling RSA public key: %w", err)
 	}

builtin/logical/transit/path_wrapping_key_test.go

@@ -2,6 +2,9 @@ package transit
 
 import (
 	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
 	"testing"
 
 	"github.com/hashicorp/vault/sdk/logical"
@@ -37,7 +40,18 @@ func TestTransit_WrappingKey(t *testing.T) {
 	if resp == nil || resp.Data == nil || resp.Data["public_key"] == nil {
 		t.Fatal("expected non-nil response")
 	}
-	pubKey := resp.Data["public_key"]
+	pubKeyPEM := resp.Data["public_key"]
+
+	// Ensure the returned key is a 4096-bit RSA key.
+	pubKeyBlock, _ := pem.Decode([]byte(pubKeyPEM.(string)))
+	rawPubKey, err := x509.ParsePKIXPublicKey(pubKeyBlock.Bytes)
+	if err != nil {
+		t.Fatalf("failed to parse public wrapping key: %s", err)
+	}
+	wrappingKey, ok := rawPubKey.(*rsa.PublicKey)
+	if !ok || wrappingKey.Size() != 512 {
+		t.Fatal("public wrapping key is not a 4096-bit RSA key")
+	}
 
 	// Request the wrapping key again to ensure it isn't regenerated.
 	req = &logical.Request{
@@ -52,7 +66,7 @@ func TestTransit_WrappingKey(t *testing.T) {
 	if resp == nil || resp.Data == nil || resp.Data["public_key"] == nil {
 		t.Fatal("expected non-nil response")
 	}
-	if resp.Data["public_key"] != pubKey {
+	if resp.Data["public_key"] != pubKeyPEM {
 		t.Fatal("wrapping key public component changed between requests")
 	}
 }