also derive the key on the control plane nodes

This commit is contained in:
miampf 2025-01-09 15:54:34 +01:00
parent 6ec18eb7ca
commit d336d06480
No known key found for this signature in database
GPG key ID: EF039364B5B6886C
2 changed files with 35 additions and 0 deletions


@ -11,6 +11,7 @@ go_library(
"//bootstrapper/internal/journald", "//bootstrapper/internal/journald",
"//internal/atls", "//internal/atls",
"//internal/attestation", "//internal/attestation",
"//internal/constants",
"//internal/crypto", "//internal/crypto",
"//internal/file", "//internal/file",
"//internal/grpc/atlscredentials", "//internal/grpc/atlscredentials",
@ -26,6 +27,7 @@ go_library(
"@org_golang_google_grpc//keepalive", "@org_golang_google_grpc//keepalive",
"@org_golang_google_grpc//status", "@org_golang_google_grpc//status",
"@org_golang_x_crypto//bcrypt", "@org_golang_x_crypto//bcrypt",
"@org_golang_x_crypto//ssh",
], ],
) )


@ -19,7 +19,9 @@ package initserver
import ( import (
"bufio" "bufio"
"bytes"
"context" "context"
"crypto/ed25519"
"errors" "errors"
"fmt" "fmt"
"io" "io"
@ -33,6 +35,7 @@ import (
"github.com/edgelesssys/constellation/v2/bootstrapper/internal/journald" "github.com/edgelesssys/constellation/v2/bootstrapper/internal/journald"
"github.com/edgelesssys/constellation/v2/internal/atls" "github.com/edgelesssys/constellation/v2/internal/atls"
"github.com/edgelesssys/constellation/v2/internal/attestation" "github.com/edgelesssys/constellation/v2/internal/attestation"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials" "github.com/edgelesssys/constellation/v2/internal/grpc/atlscredentials"
@ -44,6 +47,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/role" "github.com/edgelesssys/constellation/v2/internal/role"
"github.com/edgelesssys/constellation/v2/internal/versions/components" "github.com/edgelesssys/constellation/v2/internal/versions/components"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/ssh"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/keepalive" "google.golang.org/grpc/keepalive"
@ -222,6 +226,35 @@ func (s *Server) Init(req *initproto.InitRequest, stream initproto.API_InitServe
return err return err
} }
// Derive the emergency ssh CA key
key, err := cloudKms.GetDEK(stream.Context(), crypto.DEKPrefix+constants.SSHCAKeySuffix, 256)
if err != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "retrieving DEK for key derivation: %s", err)); e != nil {
err = errors.Join(err, e)
}
return err
}
_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
if err != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "generating signing key for emergency ssh CA: %s", err)); e != nil {
err = errors.Join(err, e)
}
return err
}
ca, err := ssh.NewSignerFromSigner(priv)
if err != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "signing emergency ssh CA key: %s", err)); e != nil {
err = errors.Join(err, e)
}
return err
}
if err := s.fileHandler.Write(constants.SSHCAKeyPath, ssh.MarshalAuthorizedKey(ca.PublicKey()), file.OptMkdirAll); err != nil {
if e := s.sendLogsWithMessage(stream, status.Errorf(codes.Internal, "writing ssh CA pubkey: %s", err)); e != nil {
err = errors.Join(err, e)
}
return err
}
clusterName := req.ClusterName clusterName := req.ClusterName
if clusterName == "" { if clusterName == "" {
clusterName = "constellation" clusterName = "constellation"
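Review bot: Of the 256 bytes requested from cloudKms.GetDEK at the top of the added block, ed25519.GenerateKey consumes exactly ed25519.SeedSize (32) bytes from the bytes.Reader and the remainder is silently discarded, so the requested size does not reflect what actually seeds the CA key. If GetDEK's size argument is in bytes, requesting `ed25519.SeedSize` and deriving with `ed25519.NewKeyFromSeed(key)` after a `len(key) != ed25519.SeedSize` check makes the seed length explicit; whichever size is used must stay identical to the other site that derives this CA key (the title says the derivation is now also done on control-plane nodes), or the two ends will end up trusting different CA public keys. The error text passed for ssh.NewSignerFromSigner, `"signing emergency ssh CA key: %s"`, names an operation that does not happen on that line; `"creating signer for emergency ssh CA key: %s"` matches the call. Init begins before this hunk.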