refactored CA key generation into own function
miampf committed Jan 9, 2025
1 parent 62b0c66 commit fa57092
Showing 6 changed files with 26 additions and 30 deletions.
13 changes: 2 additions & 11 deletions bootstrapper/internal/initserver/initserver.go
Expand Up @@ -19,9 +19,7 @@ package initserver

import (
"bufio"
"bytes"
"context"
"crypto/ed25519"
"errors"
"fmt"
"io"
Expand Down Expand Up @@ -234,16 +232,9 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
}
return err
}
_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
ca, err := crypto.GenerateEmergencySSHCAKey(key)
if err != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "generating signing key for emergency ssh CA: %s", err)); e != nil {
err = errors.Join(err, e)
}
return err
}
ca, err := ssh.NewSignerFromSigner(priv)
if err != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "signing emergency ssh CA key: %s", err)); e != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "generating emergency SSH CA key: %s", err)); e != nil {
err = errors.Join(err, e)
}
return err
1 change: 1 addition & 0 deletions bootstrapper/internal/joinclient/BUILD.bazel
Expand Up @@ -11,6 +11,7 @@ go_library(
"//internal/attestation",
"//internal/cloud/metadata",
"//internal/constants",
"//internal/crypto",
"//internal/file",
"//internal/nodestate",
"//internal/role",
12 changes: 3 additions & 9 deletions bootstrapper/internal/joinclient/joinclient.go
Expand Up @@ -18,9 +18,7 @@ If the JoinClient finds an existing cluster, it will attempt to join it as eithe
package joinclient

import (
"bytes"
"context"
"crypto/ed25519"
"errors"
"fmt"
"log/slog"
Expand All @@ -33,6 +31,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/attestation"
"github.com/edgelesssys/constellation/v2/internal/cloud/metadata"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/nodestate"
"github.com/edgelesssys/constellation/v2/internal/role"
Expand Down Expand Up @@ -274,14 +273,9 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
return fmt.Errorf("writing kubelet key: %w", err)
}

// derive CA key from emergency key
_, priv, err := ed25519.GenerateKey(bytes.NewReader(ticket.EmergencyCaKey))
ca, err := crypto.GenerateEmergencySSHCAKey(ticket.EmergencyCaKey)
if err != nil {
return fmt.Errorf("deriving ed25519 ssh emergency key: %w", err)
}
ca, err := ssh.NewSignerFromSigner(priv)
if err != nil {
return fmt.Errorf("creating emergency SSH CA key: %w", err)
return fmt.Errorf("generating emergency SSH CA key: %s", err)
}

if err := c.fileHandler.Write(constants.SSHCAKeyPath, ssh.MarshalAuthorizedKey(ca.PublicKey()), file.OptMkdirAll); err != nil {
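Review bot: The new error return in startNodeAndJoin, `return fmt.Errorf("generating emergency SSH CA key: %s", err)`, formats the cause with %s where the line it replaces used %w, so the error chain coming out of crypto.GenerateEmergencySSHCAKey is no longer inspectable with errors.Is/errors.As, while the neighbouring return in the same function (`writing kubelet key: %w`) still wraps. It should read `return fmt.Errorf("generating emergency SSH CA key: %w", err)`. startNodeAndJoin begins and ends outside the hunk.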
11 changes: 2 additions & 9 deletions cli/internal/cmd/ssh.go
Expand Up @@ -7,8 +7,6 @@ SPDX-License-Identifier: AGPL-3.0-only
package cmd

import (
"bytes"
"crypto/ed25519"
"crypto/rand"
"fmt"
"os"
Expand Down Expand Up @@ -77,14 +75,9 @@ func runSSH(cmd *cobra.Command, _ []string) error {
return fmt.Errorf("Failed to retrieve key from key management service: %s", err)
}

_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
ca, err := crypto.GenerateEmergencySSHCAKey(key)
if err != nil {
return fmt.Errorf("Failed to create signing key from master secret: %s", err)
}

ca, err := ssh.NewSignerFromSigner(priv)
if err != nil {
return fmt.Errorf("Failed to create ssh CA key from master secret: %s", err)
return fmt.Errorf("Failed to generate emergency SSH CA key: %s", err)
}

debugLogger.Debug("SSH CA KEY generated", "key", string(ssh.MarshalAuthorizedKey(ca.PublicKey())))
5 changes: 4 additions & 1 deletion internal/crypto/BUILD.bazel
Expand Up @@ -6,7 +6,10 @@ go_library(
srcs = ["crypto.go"],
importpath = "github.com/edgelesssys/constellation/v2/internal/crypto",
visibility = ["//:__subpackages__"],
deps = ["@org_golang_x_crypto//hkdf"],
deps = [
"@org_golang_x_crypto//hkdf",
"@org_golang_x_crypto//ssh",
],
)

go_test(
14 changes: 14 additions & 0 deletions internal/crypto/crypto.go
Expand Up @@ -9,6 +9,7 @@ package crypto

import (
"bytes"
"crypto/ed25519"
"crypto/rand"
"crypto/sha256"
"crypto/x509"
Expand All @@ -18,6 +19,7 @@ import (
"math/big"

"golang.org/x/crypto/hkdf"
"golang.org/x/crypto/ssh"
)

const (
Expand Down Expand Up @@ -62,6 +64,18 @@ func GenerateRandomBytes(length int) ([]byte, error) {
return nonce, nil
}

func GenerateEmergencySSHCAKey(key []byte) (ssh.Signer, error) {
_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
if err != nil {
return nil, err
}
ca, err := ssh.NewSignerFromSigner(priv)
if err != nil {
return nil, err
}
return ca, nil
}

// PemToX509Cert takes a list of PEM-encoded certificates, parses the first one and returns it
// as an x.509 certificate.
func PemToX509Cert(raw []byte) (*x509.Certificate, error) {
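Review bot: GenerateEmergencySSHCAKey in the last hunk reads exactly ed25519.SeedSize bytes from key through bytes.NewReader and silently ignores anything beyond that, while a shorter key fails only with a bare io.ErrUnexpectedEOF from ed25519.GenerateKey that says nothing about the cause; an explicit length check plus wrapped errors would make the contract visible to the three callers in initserver.go, joinclient.go and ssh.go, which now all surface the helper's error under the same "generating emergency SSH CA key" message. The function is exported and has no doc comment; it should state that the derivation is deterministic (the same key always yields the same CA, so key must be secret material reserved for this purpose) and that key must be exactly ed25519.SeedSize bytes. If any caller legitimately passes longer material, truncate with an explicit `key[:ed25519.SeedSize]` rather than rejecting, but make that choice visible in the code. The crypto.go import block is partly collapsed here, so I cannot see whether fmt is already imported; add it if needed, or use errors.New for the fixed message.
```go
// GenerateEmergencySSHCAKey derives the emergency SSH CA signer from key.
// The derivation is deterministic: the same key always yields the same CA,
// so key must be secret material reserved for this purpose. key must be
// exactly ed25519.SeedSize bytes; longer input would otherwise be silently
// truncated and shorter input fails.
func GenerateEmergencySSHCAKey(key []byte) (ssh.Signer, error) {
	if len(key) != ed25519.SeedSize {
		return nil, fmt.Errorf("emergency SSH CA key must be %d bytes, got %d", ed25519.SeedSize, len(key))
	}
	_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
	if err != nil {
		return nil, fmt.Errorf("deriving ed25519 key: %w", err)
	}
	ca, err := ssh.NewSignerFromSigner(priv)
	if err != nil {
		return nil, fmt.Errorf("creating SSH signer: %w", err)
	}
	return ca, nil
}
```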

0 comments on commit fa57092

Please sign in to comment.