Use ed25519 instead of rsa in self signed certs #513

Merged
merged 1 commit into from
Oct 29, 2024
Merged
2 changes: 1 addition & 1 deletion docs/content/userguide/_index.md
Expand Up @@ -537,7 +537,7 @@ the proxy will use the default certificate. If you wish to verify the
trust, you’ll need to generate a CA, for example.

``` bash
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.pem
$ openssl req -x509 -nodes -days 365 -newkey ed2551 -keyout ca.key -out ca.pem
$ bin/gatekeeper \
--enable-forwarding \
--forwarding-username=USERNAME \
1 change: 0 additions & 1 deletion pkg/constant/constant.go
Expand Up @@ -78,7 +78,6 @@ const (
PKCECodeVerifierLength = 96
PATRefreshInPercent = 0.85
HTTPCompressionLevel = 5
SelfSignedRSAKeyLength = 2048
SelfSignedMaxSerialBits = 128
CookiesPerDomainSize = 4069
RedisTimeout = 10 * time.Second
31 changes: 20 additions & 11 deletions pkg/encryption/self_signed.go
Expand Up @@ -18,8 +18,8 @@ package encryption

import (
"context"
"crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
Expand All @@ -44,7 +44,7 @@ type SelfSignedCertificate struct {
// hostnames is the list of host names on the certificate
hostnames []string
// privateKey is the rsa private key
privateKey *rsa.PrivateKey
privateKey *ed25519.PrivateKey
// the logger for this service
log *zap.Logger
// stopCh is a channel to close off the rotation
Expand All @@ -67,14 +67,14 @@ func NewSelfSignedCertificate(hostnames []string, expiry time.Duration, log *zap
zap.String("common_name", hostnames[0]),
)

key, err := rsa.GenerateKey(rand.Reader, constant.SelfSignedRSAKeyLength)
_, key, err := ed25519.GenerateKey(rand.Reader)

if err != nil {
return nil, err
}

// @step: create an initial certificate
certificate, err := CreateCertificate(key, hostnames, expiry)
certificate, err := CreateCertificate(&key, hostnames, expiry)

if err != nil {
return nil, err
Expand All @@ -88,7 +88,7 @@ func NewSelfSignedCertificate(hostnames []string, expiry time.Duration, log *zap
expiration: expiry,
hostnames: hostnames,
log: log,
privateKey: key,
privateKey: &key,
cancel: cancel,
}

Expand All @@ -114,7 +114,11 @@ func (c *SelfSignedCertificate) rotate(ctx context.Context) error {
return
case <-time.After(ticker):
}
c.log.Info("going to sleep until required for rotation", zap.Time("expires", expires), zap.Duration("duration", time.Until(expires)))
c.log.Info(
"going to sleep until required for rotation",
zap.Time("expires", expires),
zap.Duration("duration", time.Until(expires)),
)

// @step: got to sleep until we need to rotate
time.Sleep(time.Until(expires))
Expand Down Expand Up @@ -154,7 +158,7 @@ func (c *SelfSignedCertificate) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Cer
}

// createCertificate is responsible for creating a certificate
func CreateCertificate(key *rsa.PrivateKey, hostnames []string, expire time.Duration) (tls.Certificate, error) {
func CreateCertificate(key *ed25519.PrivateKey, hostnames []string, expire time.Duration) (tls.Certificate, error) {
// @step: create a serial for the certificate
serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), constant.SelfSignedMaxSerialBits))
if err != nil {
Expand All @@ -168,9 +172,8 @@ func CreateCertificate(key *rsa.PrivateKey, hostnames []string, expire time.Dura
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
NotAfter: time.Now().Add(expire),
NotBefore: time.Now().Add(-30 * time.Second),
PublicKeyAlgorithm: x509.ECDSA,
PublicKeyAlgorithm: x509.Ed25519,
SerialNumber: serial,
SignatureAlgorithm: x509.SHA512WithRSA,
Subject: pkix.Name{
CommonName: hostnames[0],
Organization: []string{"Gatekeeper"},
Expand All @@ -189,12 +192,18 @@ func CreateCertificate(key *rsa.PrivateKey, hostnames []string, expire time.Dura
}

// @step: create the certificate
cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
cert, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
if err != nil {
return tls.Certificate{}, err
}

pkcsPrivKey, err := x509.MarshalPKCS8PrivateKey(*key)
if err != nil {
return tls.Certificate{}, err
}

certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "X25519 PRIVATE KEY", Bytes: pkcsPrivKey})

return tls.X509KeyPair(certPEM, keyPEM)
}
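Review bot: The PEM label on the new keyPEM line, `Type: "X25519 PRIVATE KEY"`, names the wrong algorithm: pkcsPrivKey is a PKCS#8-encoded Ed25519 signing key, and X25519 is the Diffie-Hellman curve, so the conventional label is `pem.Block{Type: "PRIVATE KEY", Bytes: pkcsPrivKey}`. It still loads only because tls.X509KeyPair accepts any block type ending in " PRIVATE KEY" and falls through to the PKCS#8 parser; any other consumer of this PEM would be misled by the label. In the same function the template keeps `KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature`, but key encipherment has no meaning for a signature-only Ed25519 key (RFC 8410 §5 lists only signing-related bits for Ed25519), so `KeyUsage: x509.KeyUsageDigitalSignature` is the accurate value; CreateCertificate's signature and template live in earlier hunks of this file. The struct comment `// privateKey is the rsa private key` is now stale and should read `// privateKey is the ed25519 private key`, and since ed25519.PrivateKey is already a slice-backed value type that implements crypto.Signer, the `&key` / `*ed25519.PrivateKey` / `*key` indirection could be dropped in favour of passing the key by value. Separately, the docs hunk in docs/content/userguide/_index.md writes `-newkey ed2551`, which openssl will reject; it should be `-newkey ed25519`, and it may be worth noting there that Ed25519 server certificates are only usable by clients that support EdDSA signatures.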
25 changes: 0 additions & 25 deletions tests/ca-config.json

This file was deleted.

19 changes: 0 additions & 19 deletions tests/ca-csr.json

This file was deleted.

27 changes: 0 additions & 27 deletions tests/ca-key.pem

This file was deleted.

23 changes: 0 additions & 23 deletions tests/ca.pem

This file was deleted.

4 changes: 2 additions & 2 deletions tests/proxy-csr.json
Expand Up @@ -5,8 +5,8 @@
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
"algo": "ecdsa",
"size": 256
},
"names": [
{
32 changes: 5 additions & 27 deletions tests/proxy-key.pem
@@ -1,27 +1,5 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDzEWDbI3C978OX7/yOX1xmnmLynnEVY0nu7jYDD/jBMoAoGCCqGSM49
AwEHoUQDQgAE9LJY8+DREb/KzT3ybvzJsxq0QJi6WXz3rqliZ2jjSosaDCdCCNFm
gq+KxNjqhoP4vAkfTSY9sPxmLiXldQoVmQ==
-----END EC PRIVATE KEY-----
34 changes: 12 additions & 22 deletions tests/proxy.pem
@@ -1,24 +1,14 @@
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIUHmkQU1W8HzjP6gQNGWxpj1OOg1AwDQYJKoZIhvcNAQEL
BQAwezELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMGTG9u
ZG9uMRcwFQYDVQQKEw5LZXljbG9hayBQcm94eTEYMBYGA1UECxMPRGV2IEVudmly
b25tZW50MRcwFQYDVQQDEw5LZXljbG9hayBQcm94eTAeFw0xNjA0MjMwOTE1MDBa
Fw0xODA0MjMwOTE1MDBaMGsxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24x
DzANBgNVBAcTBkxvbmRvbjEXMBUGA1UEChMOS2V5Y2xvYXkgUHJveHkxCzAJBgNV
BAsTAklUMRQwEgYDVQQDEwsqLmxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMDTPAw2XtSCMNWNoeUYrfQya+GCpFCbBonAigQI+O2fa+jt
0LdVfE+rdd3kezNf+5xKo1seDKUTKAFe0IbZnMrhL7v1ykpEODAMii4gsLwEUgLN
5udWSMPk1SYb9wzcZ9evDoDzexa25E5MxSQE3/pcf9UVTan8puW12I+ZPqTbhbbc
1JIxJBJzUVuZXqaSFABuwEHzPUmyAC/u55rwayFVWgJOpJmxZOB/C2jK0GIfbs5s
d9dtTK2h9YpOKcLg6S81Jdz9VgvDfe9qEpuTFn34HYUbt3Jg9dMGO8bFSFCkIv0x
uryNTGD62vb0ALrGsFGOTeMcf6nW1IgdGuGGnGECAwEAAaOBkjCBjzAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQUH6wX3y5G+00o/oY2BRM8De3A2QcwHwYDVR0jBBgwFoAUVaLwvBbtydaM
WlF9nEMq6D/rwK0wGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
DQEBCwUAA4IBAQCbN2zfXg5xyaMtbAbXaHsBiApan++cgJZf5pxm7X8NbVHDotXh
Y1fQkejN/dX+C8aSL83pxi19WZBQXuq50i+ocNtGIYyAlXL7c1j++CWeTY64m3kO
FkpismDobvwdGkzPMR1xUZdAvxywuYTQrmZKZyVNNVAwidVPJ1ZyqobY8R2SFaai
vNm/J8U3lnItDdLIJkfACe1mq/AzwdzZ4i+U3FnW7yJEnDicEY4aIcZg0zNSqoQ/
EQMrH0O5ibGYsXInuQBXIIKygG7No4PMKYJtLwrx1sjKVKrqmDg4gBdLzjMzlY1r
PbDsAkmVmOEhOB0zPNtUm+Or2l+KddUXCs/3
MIICKTCCAdCgAwIBAgIIch1hRdLotKIwCgYIKoZIzj0EAwIwazELMAkGA1UEBhMC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-----END CERTIFICATE-----