From a88660e4b145f2214ffe0308a46a083e92acccc2 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Mon, 12 Aug 2024 23:08:14 +0200
Subject: [PATCH] authority: increase secret seed size to 64 bytes
---
 coordinator/internal/authority/userapi.go | 10 +++++++---
 e2e/workloadsecret/workloadsecret_test.go | 7 ++++---
 internal/constants/constants.go | 7 +++++++
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/coordinator/internal/authority/userapi.go b/coordinator/internal/authority/userapi.go
index 72d71e91dd..a87e698e9b 100644
--- a/coordinator/internal/authority/userapi.go
+++ b/coordinator/internal/authority/userapi.go
@@ -15,6 +15,7 @@ import (
 "github.com/edgelesssys/contrast/coordinator/history"
 "github.com/edgelesssys/contrast/internal/ca"
+ "github.com/edgelesssys/contrast/internal/constants"
 "github.com/edgelesssys/contrast/internal/crypto"
 "github.com/edgelesssys/contrast/internal/manifest"
 "github.com/edgelesssys/contrast/internal/userapi"
@@ -50,11 +51,14 @@ func (a *Authority) SetManifest(ctx context.Context, req *userapi.SetManifestReq
 }
 } else if a.se.Load() == nil {
 // First SetManifest call, initialize seed engine.
- seedSalt, err := crypto.GenerateRandomBytes(64)
+ seed, err := crypto.GenerateRandomBytes(constants.SecretSeedSize)
 if err != nil {
- return nil, status.Errorf(codes.Internal, "generating random bytes: %v", err)
+ return nil, status.Errorf(codes.Internal, "generating random bytes for seed: %v", err)
+ }
+ salt, err := crypto.GenerateRandomBytes(constants.SecretSeedSaltSize)
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "generating random bytes for seed salt: %v", err)
 }
- seed, salt := seedSalt[:32], seedSalt[32:]
 seedShares, err := manifest.EncryptSeedShares(seed, m.SeedshareOwnerPubKeys)
 if err != nil {
diff --git a/e2e/workloadsecret/workloadsecret_test.go b/e2e/workloadsecret/workloadsecret_test.go
index 99a7fdd4a8..089e448e8f 100644
--- a/e2e/workloadsecret/workloadsecret_test.go
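Review bot: The 64-byte seed length is applied only at this generation site in SetManifest, and nothing visible here says how code that receives a seed later treats its length. Coordinators initialized before this change hold 32-byte seeds (`seedSalt[:32]`), so any consumer outside this hunk that compares against `constants.SecretSeedSize`, such as a recovery path if one exists, would have to accept the legacy length explicitly; that is worth confirming before merge. Because the seed and salt sizes now differ and the commit message gives no rationale, a comment above the two calls would help, for example `// Seed and salt are drawn with separate GenerateRandomBytes calls; sizes are set in internal/constants.` SetManifest starts and ends outside this hunk.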
+++ b/e2e/workloadsecret/workloadsecret_test.go
@@ -17,6 +17,7 @@ import (
 "github.com/edgelesssys/contrast/e2e/internal/contrasttest"
 "github.com/edgelesssys/contrast/e2e/internal/kubeclient"
+ "github.com/edgelesssys/contrast/internal/constants"
 "github.com/edgelesssys/contrast/internal/kuberesource"
 "github.com/edgelesssys/contrast/internal/manifest"
 "github.com/edgelesssys/contrast/internal/platforms"
@@ -97,7 +98,7 @@ func TestWorkloadSecrets(t *testing.T) {
 require.NotEmpty(stdout)
 webWorkloadSecretBytes, err = hex.DecodeString(stdout)
 require.NoError(err)
- require.Len(webWorkloadSecretBytes, 32)
+ require.Len(webWorkloadSecretBytes, constants.SecretSeedSize)
 })
 t.Run("workload secret seed is the same between pods in the same deployment", func(t *testing.T) {
@@ -111,7 +112,7 @@ func TestWorkloadSecrets(t *testing.T) {
 require.NotEmpty(stdout)
 otherWebWorkloadSecretBytes, err := hex.DecodeString(stdout)
 require.NoError(err)
- require.Len(otherWebWorkloadSecretBytes, 32)
+ require.Len(otherWebWorkloadSecretBytes, constants.SecretSeedSize)
 require.Equal(webWorkloadSecretBytes, otherWebWorkloadSecretBytes)
 })
@@ -131,7 +132,7 @@ func TestWorkloadSecrets(t *testing.T) {
 require.NotEmpty(stdout)
 emojiWorkloadSecretBytes, err = hex.DecodeString(stdout)
 require.NoError(err)
- require.Len(emojiWorkloadSecretBytes, 32)
+ require.Len(emojiWorkloadSecretBytes, constants.SecretSeedSize)
 require.NotEqual(webWorkloadSecretBytes, emojiWorkloadSecretBytes)
 })
 }
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index e3e3dfaf46..da0ef62142 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -9,3 +9,10 @@ var (
 MicrosoftGenpolicyVersion = "0.0.0-dev"
 KataGenpolicyVersion = "0.0.0-dev"
 )
+
+const (
+ // SecretSeedSize is the size of the secret seed generated in the coordinator.
+ SecretSeedSize = 64
+ // SecretSeedSaltSize is the size of the secret seed salt generated in the coordinator.
+ SecretSeedSaltSize = 32
+)
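Review bot: The three `require.Len(..., constants.SecretSeedSize)` assertions (the hunks at -97, -111 and -131) measure the workload secret read back from a pod against a constant that is documented as the size of the seed generated in the coordinator. If derived workload secrets are meant to always have the seed's length, a comment next to the first assertion such as `// workload secrets are expected to be as long as the coordinator seed` would record that. If that equality is not guaranteed, a separate constant for the workload secret length would keep this test from silently following a future seed-size change. TestWorkloadSecrets starts outside these hunks.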
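Review bot: The two new doc comments in constants.go give no unit and no reason for the chosen values. I would write `// SecretSeedSize is the size in bytes of the secret seed generated in the coordinator.` and use the same wording for `SecretSeedSaltSize`. A sentence on why the seed is 64 bytes while the salt stays at 32 would also help, since the commit message does not explain it.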