Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use go-secure-stdlib's RSA key generator backed by a DRBG #29020

Open
wants to merge 31 commits into
base: main
Choose a base branch
from
Open

Use go-secure-stdlib's RSA key generator backed by a DRBG #29020

wants to merge 31 commits into from
+304 −205

Conversation

sgmiller
Copy link
Collaborator

@sgmiller sgmiller commented Nov 25, 2024
edited
Loading

If the random source is not crypto/rand.Reader, use a secure deterministic
random bit generator seeded by the random source to generate RSA keys,
rather than the source directly. This massively improves performance for
RSA key generation if the source is a slow RNG, as can be found in many
HSMs.

This fixes customer issues resulting in timeouts as key generation can take several minutes on some HSMs, needing to pull thousands of candidate numbers for primes. In particular:
https://hashicorp.atlassian.net/browse/VAULT-21911 and https://hashicorp.atlassian.net/browse/VAULT-31473

This feature is on by default but can be overridden by setting VAULT_DISABLE_RSA_DRBG
to true.

https://hashicorp.atlassian.net/browse/VAULT-32705

TODO only if you're a HashiCorp employee

  • Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
    • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

@sgmiller
Use DRBG based RSA key generation everywhere
3cc333b
@sgmiller
switch to the conditional generator
eaa1bae
@sgmiller
Use DRBG based RSA key generation everywhere
1d632fc
@sgmiller
switch to the conditional generator
6150e1b
@sgmiller
Add an ENV var to disable the DRBG in a pinch
a0a63a0
@sgmiller
Merge branch 'sgm/prng-rsa' of github.com:/hashicorp/vault into sgm/p…
5515c96 
…rng-rsa
@sgmiller
update go.mod
e0700b3
@sgmiller
Use DRBG based RSA key generation everywhere
b756246
@sgmiller
switch to the conditional generator
4c2f9d4
@sgmiller
Add an ENV var to disable the DRBG in a pinch
e6baaa7
@sgmiller
Use DRBG based RSA key generation everywhere
5a55c89
@sgmiller
update go.mod
bd8f565
@sgmiller
fix import
afb7027
@sgmiller
Remove rsa2 alias, remove test code
2fd9552
@sgmiller
Merge branch 'sgm/prng-rsa' of github.com:/hashicorp/vault into sgm/p…
d05ec3c 
…rng-rsa
@sgmiller
move cryptoutil/rsa.go to sdk
19f23bb
@sgmiller
move imports too
1df8a42
@sgmiller sgmiller requested review from a team as code owners November 25, 2024 19:07
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Nov 25, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 25, 2024
edited
Loading

CI Results: failed ❌
Failures:

Test Type Package Test Logs

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 25, 2024
edited
Loading

Build Results:
All builds succeeded! ✅

@sgmiller sgmiller marked this pull request as draft November 25, 2024 19:29
@sgmiller sgmiller marked this pull request as ready for review November 25, 2024 19:31
@sgmiller sgmiller added this to the 1.19.0-rc milestone Nov 26, 2024
stevendpclark
stevendpclark reviewed Nov 28, 2024
View reviewed changes
Copy link
Contributor

@stevendpclark stevendpclark left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a reference to rsa.GenerateKey within sdk/helper/certutil/helpers.go line 371 that was missed.

Beyond that and the go.mod conflict 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendpclark stevendpclark stevendpclark approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.19.0-rc
Development

Successfully merging this pull request may close these issues.
2 participants
@sgmiller @stevendpclark