Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-07-26 00:35:19 -04:00
Code Issues Projects Releases Packages Wiki Activity

added test for CA generation + use SeedSize constant

Browse source 
Previously, I just hard coded 256 as the key length that seeds the key
generation since it worked. Now, it uses ed25519.SeedSize (32) instead.
This commit is contained in:
miampf 2025-01-09 17:24:32 +01:00
parent 0be301fa3a
commit bee3f6c159
No known key found for this signature in database
GPG key ID: EF039364B5B6886C
3 changed files with 38 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
bootstrapper/internal/initserver/initserver.go
View file

@ -20,6 +20,7 @@ package initserver
import ( import (
"bufio" "bufio"
"context" "context"
"crypto/ed25519"
"errors" "errors"
"fmt" "fmt"
"io" "io"
@ -225,7 +226,7 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
} }
// Derive the emergency ssh CA key // Derive the emergency ssh CA key
key, err := cloudKms.GetDEK(stream.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, 256) key, err := cloudKms.GetDEK(stream.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
if err != nil { if err != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "retrieving DEK for key derivation: %s", err)); e != nil { if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "retrieving DEK for key derivation: %s", err)); e != nil {
err = errors.Join(err, e) err = errors.Join(err, e)

3
cli/internal/cmd/ssh.go
View file

@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
package cmd package cmd
import ( import (
"crypto/ed25519"
"crypto/rand" "crypto/rand"
"fmt" "fmt"
"os" "os"
@ -70,7 +71,7 @@ func runSSH(cmd *cobra.Command, _ []string) error {
if err != nil { if err != nil {
return fmt.Errorf("setting up KMS: %s", err) return fmt.Errorf("setting up KMS: %s", err)
} }
key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, 256) key, err := kms.GetDEK(cmd.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
if err != nil { if err != nil {
return fmt.Errorf("retrieving key from KMS: %s", err) return fmt.Errorf("retrieving key from KMS: %s", err)
} }

34
internal/crypto/crypto_test.go
View file

@ -7,6 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
package crypto package crypto
import ( import (
"crypto/ed25519"
"crypto/x509" "crypto/x509"
"testing" "testing"
@ -121,6 +122,39 @@ func TestGenerateRandomBytes(t *testing.T) {
assert.Len(n3, 16) assert.Len(n3, 16)
} }
func TestGenerateEmergencySSHCAKey(t *testing.T) {
nullKey := make([]byte, ed25519.SeedSize)
for i := range nullKey {
nullKey[i] = 0x0
}
testCases := map[string]struct {
key []byte
wantErr bool
}{
"invalid key": {
key: make([]byte, 0),
wantErr: true,
},
"valid key": {
key: nullKey,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
_, err := GenerateEmergencySSHCAKey(tc.key)
if tc.wantErr {
assert.NotNil(err)
} else {
assert.Nil(err)
}
})
}
}
func TestPemToX509Cert(t *testing.T) { func TestPemToX509Cert(t *testing.T) {
testCases := map[string]struct { testCases := map[string]struct {
pemCert []byte pemCert []byte