[algs][1] Support configurable algorithm suites for CA keys #43305
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nklaassen
force-pushed
the
nklaassen/algs1
branch
from
2d0b09c to
b56b405
Compare
nklaassen
added
the
no-changelog
nklaassen
force-pushed
the
nklaassen/algs1
branch
from
b56b405 to
4754767
Compare
nklaassen
commented
Jun 20, 2024
| @@ -275,7 +275,7 @@ func newAuthConfig(t *testing.T, log utils.Logger) *servicecfg.Config { | |||
| } | |||
| var err error | |||
| config.Auth.ClusterName, err = services.NewClusterNameWithRandomID(types.ClusterNameSpecV2{ | |||
| ClusterName: "testcluster", | |||
| ClusterName: "test-cluster", | |||
There was a problem hiding this comment.
this just matches the cluster name used in lib/auth/keystore tests so that it's easier to find all the test keys in e.g. the AWS console
nklaassen
force-pushed
the
nklaassen/algs1
branch
from
4754767 to
c20955d
Compare
nklaassen
changed the base branch from
nklaassen/algs-ca-merge-base
to
nklaassen/algs0
nklaassen
force-pushed
the
nklaassen/algs0
branch
from
e50fbe0 to
16e5b21
Compare
nklaassen
force-pushed
the
nklaassen/algs1
branch
from
c20955d to
c58e850
Compare
greedy52
approved these changes
Jun 25, 2024
nklaassen
force-pushed
the
nklaassen/algs1
branch
from
4cc0d87 to
dbe5bd7
Compare
|
friendly ping @tigrato |
tigrato
approved these changes
Jun 26, 2024
nklaassen
force-pushed
the
nklaassen/algs0
branch
from
205ff64 to
f6d09da
Compare
nklaassen
force-pushed
the
nklaassen/algs1
branch
from
dbe5bd7 to
12aa3d2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR continues the implementation of RFD 136 - Modern Signature Algorithms.
The current base branch
nklaassen/algs-ca-merge-basemerges both #43260 and #43152 which this PR depends on, I will update it tomasteronce both of those merge.This adds support for CAs to use the correct algorithm for the current configured algorithm suite when they generate new keys, during startup or a CA rotation. This works whether the CA is backed by software, HSM, GCP KMS, or AWS KMS keys, and I have tested it on each platform.
We currently don't support signing JWTs with anything other than RSA, so I reverted the algorithm for those keys to RSA in the
-devsuites for now, I will update them to ECDSA after I add support.I have not tested that every protocol and integration works with the new key algorithms. My plan is to incrementally add support for each protocol while updating the subject/client/server key generation and test each protocol as I go. I am not changing any defaults here, you will only start to see the new algorithms used for new CA keys if you manually configure your
cluster_auth_preference.signature_algorithm_suitetobalanced-dev,hsm-dev, orfips-dev. The default is stilllegacy.