Skip to content

Commit

Permalink
Use ed25519 instead of rsa in self signed certs
Browse files Browse the repository at this point in the history
  • Loading branch information
p53 committed Oct 29, 2024
1 parent a77b4e7 commit 9c5d809
Show file tree
Hide file tree
Showing 10 changed files with 40 additions and 158 deletions.
2 changes: 1 addition & 1 deletion docs/content/userguide/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -537,7 +537,7 @@ the proxy will use the default certificate. If you wish to verify the
trust, you’ll need to generate a CA, for example.

``` bash
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.pem
$ openssl req -x509 -nodes -days 365 -newkey ed2551 -keyout ca.key -out ca.pem
$ bin/gatekeeper \
--enable-forwarding \
--forwarding-username=USERNAME \
Expand Down
1 change: 0 additions & 1 deletion pkg/constant/constant.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,6 @@ const (
PKCECodeVerifierLength = 96
PATRefreshInPercent = 0.85
HTTPCompressionLevel = 5
SelfSignedRSAKeyLength = 2048
SelfSignedMaxSerialBits = 128
CookiesPerDomainSize = 4069
RedisTimeout = 10 * time.Second
Expand Down
31 changes: 20 additions & 11 deletions pkg/encryption/self_signed.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ package encryption

import (
"context"
"crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
Expand All @@ -44,7 +44,7 @@ type SelfSignedCertificate struct {
// hostnames is the list of host names on the certificate
hostnames []string
// privateKey is the rsa private key
privateKey *rsa.PrivateKey
privateKey *ed25519.PrivateKey
// the logger for this service
log *zap.Logger
// stopCh is a channel to close off the rotation
Expand All @@ -67,14 +67,14 @@ func NewSelfSignedCertificate(hostnames []string, expiry time.Duration, log *zap
zap.String("common_name", hostnames[0]),
)

key, err := rsa.GenerateKey(rand.Reader, constant.SelfSignedRSAKeyLength)
_, key, err := ed25519.GenerateKey(rand.Reader)

if err != nil {
return nil, err
}

// @step: create an initial certificate
certificate, err := CreateCertificate(key, hostnames, expiry)
certificate, err := CreateCertificate(&key, hostnames, expiry)

if err != nil {
return nil, err
Expand All @@ -88,7 +88,7 @@ func NewSelfSignedCertificate(hostnames []string, expiry time.Duration, log *zap
expiration: expiry,
hostnames: hostnames,
log: log,
privateKey: key,
privateKey: &key,
cancel: cancel,
}

Expand All @@ -114,7 +114,11 @@ func (c *SelfSignedCertificate) rotate(ctx context.Context) error {
return
case <-time.After(ticker):
}
c.log.Info("going to sleep until required for rotation", zap.Time("expires", expires), zap.Duration("duration", time.Until(expires)))
c.log.Info(
"going to sleep until required for rotation",
zap.Time("expires", expires),
zap.Duration("duration", time.Until(expires)),
)

// @step: got to sleep until we need to rotate
time.Sleep(time.Until(expires))
Expand Down Expand Up @@ -154,7 +158,7 @@ func (c *SelfSignedCertificate) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Cer
}

// createCertificate is responsible for creating a certificate
func CreateCertificate(key *rsa.PrivateKey, hostnames []string, expire time.Duration) (tls.Certificate, error) {
func CreateCertificate(key *ed25519.PrivateKey, hostnames []string, expire time.Duration) (tls.Certificate, error) {
// @step: create a serial for the certificate
serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), constant.SelfSignedMaxSerialBits))
if err != nil {
Expand All @@ -168,9 +172,8 @@ func CreateCertificate(key *rsa.PrivateKey, hostnames []string, expire time.Dura
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
NotAfter: time.Now().Add(expire),
NotBefore: time.Now().Add(-30 * time.Second),
PublicKeyAlgorithm: x509.ECDSA,
PublicKeyAlgorithm: x509.Ed25519,
SerialNumber: serial,
SignatureAlgorithm: x509.SHA512WithRSA,
Subject: pkix.Name{
CommonName: hostnames[0],
Organization: []string{"Gatekeeper"},
Expand All @@ -189,12 +192,18 @@ func CreateCertificate(key *rsa.PrivateKey, hostnames []string, expire time.Dura
}

// @step: create the certificate
cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
cert, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
if err != nil {
return tls.Certificate{}, err
}

pkcsPrivKey, err := x509.MarshalPKCS8PrivateKey(*key)
if err != nil {
return tls.Certificate{}, err
}

certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "X25519 PRIVATE KEY", Bytes: pkcsPrivKey})

return tls.X509KeyPair(certPEM, keyPEM)
}
Expand Down
25 changes: 0 additions & 25 deletions tests/ca-config.json

This file was deleted.

19 changes: 0 additions & 19 deletions tests/ca-csr.json

This file was deleted.

27 changes: 0 additions & 27 deletions tests/ca-key.pem

This file was deleted.

23 changes: 0 additions & 23 deletions tests/ca.pem

This file was deleted.

4 changes: 2 additions & 2 deletions tests/proxy-csr.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
"algo": "ecdsa",
"size": 256
},
"names": [
{
Expand Down
32 changes: 5 additions & 27 deletions tests/proxy-key.pem
Original file line number Diff line number Diff line change
@@ -1,27 +1,5 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAwNM8DDZe1IIw1Y2h5Rit9DJr4YKkUJsGicCKBAj47Z9r6O3Q
t1V8T6t13eR7M1/7nEqjWx4MpRMoAV7QhtmcyuEvu/XKSkQ4MAyKLiCwvARSAs3m
51ZIw+TVJhv3DNxn168OgPN7FrbkTkzFJATf+lx/1RVNqfym5bXYj5k+pNuFttzU
kjEkEnNRW5leppIUAG7AQfM9SbIAL+7nmvBrIVVaAk6kmbFk4H8LaMrQYh9uzmx3
121MraH1ik4pwuDpLzUl3P1WC8N972oSm5MWffgdhRu3cmD10wY7xsVIUKQi/TG6
vI1MYPra9vQAusawUY5N4xx/qdbUiB0a4YacYQIDAQABAoIBAQCaOpqF3hsdeICc
3usF9iZ08rttJXRN8KFbHwCFV7PbRC8ooMbXTO3gP3FIKM8N+ZCjouNkJvXQNzFB
X1gE9Bu//juS6HaDzmruq6j+WjFiQUZjbdNpZ49N+EMwdx+0TrpUPnWoWJc0RNb5
ddgdBjUr6D5q7d4vv6CyjS+JM/ZyHqvHhrtaf2BAGCFtIPFL4xr4tw4qhIqcq1X1
PgMwiUnjx4SmVlFkhYBOwax+MBtjgNaCC84vKPn753lFfqbmSF/GkY4olS1UbP0v
WhaZmf1KwQlVN9qDtjp+HvPpwqhqX3pooQ9cqoAzuNUoFK/koM7ZjgNkoP1R7x+Y
OZuZxE1NAoGBANNHlmE+xbZPHCLb7Gx2qI0YTlcVoqBL+7Bt7abiQgoZngiv3ljq
rldtQEXaBTw24cQGRLZfJIhN1Zc6InZeYWKExeW4V8UGh4ghbuhSkrAGiFgunjil
+2buKKfGG9wLRKKL+Iv3iJxQ10NPKpHxkcz9NlzLNwmfRjPuVcOgsSb/AoGBAOmj
q5GQlHGKbvt8qRc4pbFWYacxkProsV78wtnyE8cZg+jTXoFriLTPLnG27sArFWBW
/PLiMSJQMUysXbVK67XFApvJHARMPzWyXMCD0/p5VvOKogHhNmAhcOuCtS6dIlWJ
yUWs9PU5q4lP9WzseTMAM9YuTk4fQBAVrYQ8RJyfAoGAGdyLZb/fR5+LXCD7YZNs
skilXjeBvolOd5wdGO5dEwtrsriESPIBASaYVXSIa4R0QiBaTNB8kkqkuGwfR8np
tbt21dWouK9B68Hb54gj+HP0QIcESv7WNRU12MOBKYAfmJ31gHx+NlQW5WBNX6vo
IuVjwBwH0p+yYizsRpPm21UCgYEA1nsk7n1+eHjwBzhadfHP0euNvBG5mUzyP1Pk
gHVFiLo4qQ0ZLdAM8IddiJC5vnoOpqFUlpflKS3bBBsb72j216gjC+ZkLOHeCSpT
EXwzpjWsB+kVbopUA43PfrRAJamkskfKGId9XH1zpptbn4G6hYJDE/Twd7Eie2Gb
J9C339sCgYEAwTVJmmoEK3Use7hINiFiP19HQOj8+PDfb0jbtM2J9Bgd6LJEEbo9
rn3xdIc0dnr48Rna8T+RxwFaSrc3h2yXmPTygYmWbC36qnXvBhsqCQ5KtLKUVes2
6cFDdCkWpLJH+9xIfHs1EtA05apK3+pQtMVqCJg/evmWad+e1q+qMow=
-----END RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDzEWDbI3C978OX7/yOX1xmnmLynnEVY0nu7jYDD/jBMoAoGCCqGSM49
AwEHoUQDQgAE9LJY8+DREb/KzT3ybvzJsxq0QJi6WXz3rqliZ2jjSosaDCdCCNFm
gq+KxNjqhoP4vAkfTSY9sPxmLiXldQoVmQ==
-----END EC PRIVATE KEY-----
34 changes: 12 additions & 22 deletions tests/proxy.pem
Original file line number Diff line number Diff line change
@@ -1,24 +1,14 @@
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIUHmkQU1W8HzjP6gQNGWxpj1OOg1AwDQYJKoZIhvcNAQEL
BQAwezELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMGTG9u
ZG9uMRcwFQYDVQQKEw5LZXljbG9hayBQcm94eTEYMBYGA1UECxMPRGV2IEVudmly
b25tZW50MRcwFQYDVQQDEw5LZXljbG9hayBQcm94eTAeFw0xNjA0MjMwOTE1MDBa
Fw0xODA0MjMwOTE1MDBaMGsxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24x
DzANBgNVBAcTBkxvbmRvbjEXMBUGA1UEChMOS2V5Y2xvYXkgUHJveHkxCzAJBgNV
BAsTAklUMRQwEgYDVQQDEwsqLmxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMDTPAw2XtSCMNWNoeUYrfQya+GCpFCbBonAigQI+O2fa+jt
0LdVfE+rdd3kezNf+5xKo1seDKUTKAFe0IbZnMrhL7v1ykpEODAMii4gsLwEUgLN
5udWSMPk1SYb9wzcZ9evDoDzexa25E5MxSQE3/pcf9UVTan8puW12I+ZPqTbhbbc
1JIxJBJzUVuZXqaSFABuwEHzPUmyAC/u55rwayFVWgJOpJmxZOB/C2jK0GIfbs5s
d9dtTK2h9YpOKcLg6S81Jdz9VgvDfe9qEpuTFn34HYUbt3Jg9dMGO8bFSFCkIv0x
uryNTGD62vb0ALrGsFGOTeMcf6nW1IgdGuGGnGECAwEAAaOBkjCBjzAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQUH6wX3y5G+00o/oY2BRM8De3A2QcwHwYDVR0jBBgwFoAUVaLwvBbtydaM
WlF9nEMq6D/rwK0wGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3
DQEBCwUAA4IBAQCbN2zfXg5xyaMtbAbXaHsBiApan++cgJZf5pxm7X8NbVHDotXh
Y1fQkejN/dX+C8aSL83pxi19WZBQXuq50i+ocNtGIYyAlXL7c1j++CWeTY64m3kO
FkpismDobvwdGkzPMR1xUZdAvxywuYTQrmZKZyVNNVAwidVPJ1ZyqobY8R2SFaai
vNm/J8U3lnItDdLIJkfACe1mq/AzwdzZ4i+U3FnW7yJEnDicEY4aIcZg0zNSqoQ/
EQMrH0O5ibGYsXInuQBXIIKygG7No4PMKYJtLwrx1sjKVKrqmDg4gBdLzjMzlY1r
PbDsAkmVmOEhOB0zPNtUm+Or2l+KddUXCs/3
MIICKTCCAdCgAwIBAgIIch1hRdLotKIwCgYIKoZIzj0EAwIwazELMAkGA1UEBhMC
R0IxDzANBgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMGTG9uZG9uMRcwFQYDVQQKEw5L
ZXljbG9heSBQcm94eTELMAkGA1UECxMCSVQxFDASBgNVBAMTCyoubG9jYWxob3N0
MB4XDTI0MTAyOTIyMTAyMVoXDTI1MDEyOTA0MTUyMVowazELMAkGA1UEBhMCR0Ix
DzANBgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMGTG9uZG9uMRcwFQYDVQQKEw5LZXlj
bG9heSBQcm94eTELMAkGA1UECxMCSVQxFDASBgNVBAMTCyoubG9jYWxob3N0MFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9LJY8+DREb/KzT3ybvzJsxq0QJi6WXz3
rqliZ2jjSosaDCdCCNFmgq+KxNjqhoP4vAkfTSY9sPxmLiXldQoVmaNeMFwwDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
HRMBAf8EAjAAMB0GA1UdDgQWBBS1iJwIhIK7PLspuzPVBppVeYpEbjAKBggqhkjO
PQQDAgNHADBEAiAdq5gSWeY5r8Q3Gcwl6QWKMV0isio3+gMjb8kupHCO3gIgJFT5
S+DOPOTC5G73V5f8zlC21CO2RtKyGwJBLE1B530=
-----END CERTIFICATE-----

0 comments on commit 9c5d809

Please sign in to comment.