eliminate rsa.GenerateKey and lib/auth/native #47768

Merged
merged 1 commit into from
Oct 21, 2024

Conversation

nklaassen
Contributor

This PR eliminates almost all remaining calls of rsa.GenerateKey from the codebase. Most calls were going through the lib/auth/native package, which this PR almost completely removes except for a few references still called from teleport.e code, which will be removed in a follow-up PR. The RSA key precomputation logic used in 2 places in the codebase plus a number of tests is still supported; the code has just been moved to lib/cryptosuites/internal/rsa.

This change almost exclusively affects tests; most production code has already migrated away from hardcoding RSA key generation. The one change to product code is the removal of lib/auth/native.GenerateEICEKey, which has been replaced by a call to cryptosuites.GenerateKey(ctx, cryptosuites.GetCurrentSuiteFromAuthPreference(s.GetAccessPoint()), cryptosuites.EC2InstanceConnect), which will now use ECDSAP256 instead of RSA2048 when the cluster is in FIPS mode.

There will be a buddy PR to teleport.e removing some calls there, then a follow-up PR here to remove the unused functions and add a lint rule so that no one can use rsa.GenerateKey in the future without explicitly ignoring the lint rule.

@nklaassen nklaassen added the no-changelog Indicates that a PR does not require a changelog entry label Oct 21, 2024
@github-actions github-actions bot added application-access database-access Database access related issues and PRs kubernetes-access machine-id size/sm tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Oct 21, 2024
@nklaassen nklaassen added this pull request to the merge queue Oct 21, 2024
Merged via the queue into master with commit 0a0d413 Oct 21, 2024
80 of 83 checks passed
@nklaassen nklaassen deleted the nklaassen/eliminate-rsa branch October 21, 2024 21:14
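
The description mentions a follow-up lint rule that forbids rsa.GenerateKey unless the rule is explicitly ignored. As an added illustration (not part of this PR or of Teleport's code), a syntactic check of that kind could look like the following; the `rsalint:ignore` marker and the `FindRSAGenerateKey` name are hypothetical, and the sample source is constructed:

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

const ignoreMarker = "rsalint:ignore" // hypothetical suppression marker (assumption)
const sample = `package demo // constructed sample input
import ( "crypto/rand"; legacy "crypto/rsa" )
func a() { legacy.GenerateKey(rand.Reader, 2048) }
func b() { legacy.GenerateKey(rand.Reader, 2048) } // rsalint:ignore test fixture
`

// FindRSAGenerateKey returns lines referencing crypto/rsa.GenerateKey without the marker.
func FindRSAGenerateKey(src string) (lines []int, err error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	names := map[string]bool{} // local names bound to crypto/rsa in this file
	for _, imp := range file.Imports {
		if strings.Trim(imp.Path.Value, "\"`") == "crypto/rsa" {
			name := "rsa" // default package name when no alias is given
			if imp.Name != nil {
				name = imp.Name.Name
			}
			names[name] = true
		}
	}
	srcLines := strings.Split(src, "\n")
	ast.Inspect(file, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok && sel.Sel.Name == "GenerateKey" {
			line := fset.Position(sel.Pos()).Line
			if pkg, ok := sel.X.(*ast.Ident); ok && names[pkg.Name] && !strings.Contains(srcLines[line-1], ignoreMarker) {
				lines = append(lines, line)
			}
		}
		return true
	})
	return lines, nil
}

func main() {
	fmt.Println(FindRSAGenerateKey(sample))
}
```

The check is syntactic only: it follows import aliases and also catches references that are not calls, but it does not resolve dot imports or a local identifier that shadows the package name, which a type-aware analyzer would.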