Deprecate ca_signature_algo config (#13033)

After the merge of #12674 we no longer use the following configuration: ```yaml teleport: ca_signature_algo: "rsa-sha2-512" ``` As we now rely upon the `x/crypto` package to choose the signing algorithm (it defaults to `rsa-sha2-512`) **Demo** If we set `ca_signature_algo` (the value is irrelevant) and start `teleport` we get: ```shell root@marco:/workspace# teleport start --debug 2022-06-02T09:33:58Z WARN ca_signing_algo config option is deprecated and will be ignored, we'll always default to rsa-sha2-512. config/configuration.go:348 2022-06-02T09:33:58Z INFO Generating new host UUID: b001159a-10e0-49a7-b4dc-61c73fbe9e42. service/service.go:726 ... ``` Fixes #12905
gravitational · Jun 6, 2022 · 306d011 · 306d011
1 parent 27c38c7
commit 306d011
Show file tree

Hide file tree

Showing 27 changed files with 14 additions and 384 deletions.
diff --git a/api/types/authority.go b/api/types/authority.go
@@ -71,10 +71,6 @@ type CertAuthority interface {
 	GetRotation() Rotation
 	// SetRotation sets rotation state.
 	SetRotation(Rotation)
-	// GetSigningAlg returns the signing algorithm used by signing keys.
-	GetSigningAlg() CertAuthoritySpecV2_SigningAlgType
-	// SetSigningAlg sets the signing algorithm used by signing keys.
-	SetSigningAlg(CertAuthoritySpecV2_SigningAlgType)
 	// AllKeyTypesMatch returns true if all keys in the CA are of the same type.
 	AllKeyTypesMatch() bool
 	// Clone returns a copy of the cert authority object.
@@ -263,16 +259,6 @@ func (ca *CertAuthorityV2) ID() *CertAuthID {
 	return &CertAuthID{DomainName: ca.Spec.ClusterName, Type: ca.Spec.Type}
 }
 
-// GetSigningAlg returns the CA's signing algorithm type
-func (ca *CertAuthorityV2) GetSigningAlg() CertAuthoritySpecV2_SigningAlgType {
-	return ca.Spec.SigningAlg
-}
-
-// SetSigningAlg sets the CA's signing algorith type
-func (ca *CertAuthorityV2) SetSigningAlg(alg CertAuthoritySpecV2_SigningAlgType) {
-	ca.Spec.SigningAlg = alg
-}
-
 func (ca *CertAuthorityV2) getOldKeySet(index int) (keySet CAKeySet) {
 	// in the "old" CA schema, index 0 contains the active keys and index 1 the
 	// additional trusted keys

diff --git a/docs/pages/setup/reference/config.mdx b/docs/pages/setup/reference/config.mdx
@@ -210,11 +210,6 @@ teleport:
         write_max_capacity: int
         write_target_value: float
 
-    # CA Signing algorithm used for OpenSSH Certificates
-    # Defaults to rsa-sha2-512 in 4.3 and above.
-    # valid values are: ssh-rsa, rsa-sha2-256, rsa-sha2-512; ssh-rsa is SHA1
-    ca_signature_algo: "rsa-sha2-512"
-
     # Cipher algorithms that the server supports. This section only needs to be
     # set if you want to override the defaults.
     ciphers:

diff --git a/integration/helpers.go b/integration/helpers.go
@@ -212,7 +212,6 @@ func NewInstance(cfg InstanceConfig) *TeleInstance {
 
 	cert, err := keygen.GenerateHostCert(services.HostCertParams{
 		CASigner:      signer,
-		CASigningAlg:  defaults.CASignatureAlgorithm,
 		PublicHostKey: cfg.Pub,
 		HostID:        cfg.HostID,
 		NodeName:      cfg.NodeName,
@@ -298,8 +297,6 @@ func (s *InstanceSecrets) GetCAs() ([]types.CertAuthority, error) {
 				Cert:    s.TLSCACert,
 			}},
 		},
-		Roles:      []string{},
-		SigningAlg: types.CertAuthoritySpecV2_RSA_SHA2_512,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -320,8 +317,7 @@ func (s *InstanceSecrets) GetCAs() ([]types.CertAuthority, error) {
 				Cert:    s.TLSCACert,
 			}},
 		},
-		Roles:      []string{services.RoleNameForCertAuthority(s.SiteName)},
-		SigningAlg: types.CertAuthoritySpecV2_RSA_SHA2_512,
+		Roles: []string{services.RoleNameForCertAuthority(s.SiteName)},
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -337,8 +333,6 @@ func (s *InstanceSecrets) GetCAs() ([]types.CertAuthority, error) {
 				Cert:    s.TLSCACert,
 			}},
 		},
-		Roles:      []string{},
-		SigningAlg: types.CertAuthoritySpecV2_RSA_SHA2_512,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

diff --git a/integration/integration_test.go b/integration/integration_test.go
@@ -57,15 +57,13 @@ import (
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/bpf"
 	"github.com/gravitational/teleport/lib/client"
-	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/pam"
 	"github.com/gravitational/teleport/lib/reversetunnel"
 	"github.com/gravitational/teleport/lib/service"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/session"
 	"github.com/gravitational/teleport/lib/srv"
-	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/utils"
 
 	"github.com/google/uuid"
@@ -191,7 +189,6 @@ func TestIntegrations(t *testing.T) {
 	t.Run("PortForwarding", suite.bind(testPortForwarding))
 	t.Run("ProxyHostKeyCheck", suite.bind(testProxyHostKeyCheck))
 	t.Run("ReverseTunnelCollapse", suite.bind(testReverseTunnelCollapse))
-	t.Run("RotateChangeSigningAlg", suite.bind(testRotateChangeSigningAlg))
 	t.Run("RotateRollback", suite.bind(testRotateRollback))
 	t.Run("RotateSuccess", suite.bind(testRotateSuccess))
 	t.Run("RotateTrustedClusters", suite.bind(testRotateTrustedClusters))
@@ -4210,154 +4207,6 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) {
 	}
 }
 
-// TestRotateChangeSigningAlg tests the change of CA signing algorithm on
-// manual rotation.
-func testRotateChangeSigningAlg(t *testing.T, suite *integrationTestSuite) {
-	ctx := context.Background()
-	// Start with an instance using default signing alg.
-	tconf := suite.rotationConfig(true)
-	teleport := suite.newTeleportInstance()
-	logins := []string{suite.me.Username}
-	for _, login := range logins {
-		teleport.AddUser(login, []string{login})
-	}
-	config, err := teleport.GenerateConfig(t, nil, tconf)
-	require.NoError(t, err)
-
-	serviceC := make(chan *service.TeleportProcess, 20)
-	runErrCh := make(chan error, 1)
-
-	restart := func(svc *service.TeleportProcess, cancel func()) (*service.TeleportProcess, func()) {
-		if svc != nil && cancel != nil {
-			// shut down the service
-			cancel()
-			// close the service without waiting for the connections to drain
-			err := svc.Close()
-			require.NoError(t, err)
-			err = svc.Wait()
-			require.NoError(t, err)
-
-			select {
-			case err := <-runErrCh:
-				require.NoError(t, err)
-			case <-time.After(20 * time.Second):
-				t.Fatalf("failed to shut down the server")
-			}
-		}
-
-		ctx, cancel := context.WithCancel(context.Background())
-		go func() {
-			runErrCh <- service.Run(ctx, *config, func(cfg *service.Config) (service.Process, error) {
-				svc, err := service.NewTeleport(cfg, service.WithIMDSClient(&disabledIMDSClient{}))
-				if err == nil {
-					serviceC <- svc
-				}
-				return svc, err
-			})
-		}()
-
-		svc, err = waitForProcessStart(serviceC)
-		require.NoError(t, err)
-		return svc, cancel
-	}
-
-	assertSigningAlg := func(svc *service.TeleportProcess, alg string) {
-		hostCA, err := svc.GetAuthServer().GetCertAuthority(ctx, types.CertAuthID{Type: types.HostCA, DomainName: Site}, false)
-		require.NoError(t, err)
-		require.Equal(t, alg, sshutils.GetSigningAlgName(hostCA))
-
-		userCA, err := svc.GetAuthServer().GetCertAuthority(ctx, types.CertAuthID{Type: types.UserCA, DomainName: Site}, false)
-		require.NoError(t, err)
-		require.Equal(t, alg, sshutils.GetSigningAlgName(userCA))
-	}
-
-	rotate := func(svc *service.TeleportProcess, mode string) *service.TeleportProcess {
-		t.Logf("Rotation phase: %q.", types.RotationPhaseInit)
-		err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
-			TargetPhase: types.RotationPhaseInit,
-			Mode:        mode,
-		})
-		require.NoError(t, err)
-
-		// wait until service phase update to be broadcasted (init phase does not trigger reload)
-		err = waitForProcessEvent(svc, service.TeleportPhaseChangeEvent, 10*time.Second)
-		require.NoError(t, err)
-
-		t.Logf("Rotation phase: %q.", types.RotationPhaseUpdateClients)
-		err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
-			TargetPhase: types.RotationPhaseUpdateClients,
-			Mode:        mode,
-		})
-		require.NoError(t, err)
-
-		// wait until service reload
-		svc, err = waitForReload(serviceC, svc)
-		require.NoError(t, err)
-
-		t.Logf("Rotation phase: %q.", types.RotationPhaseUpdateServers)
-		err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
-			TargetPhase: types.RotationPhaseUpdateServers,
-			Mode:        mode,
-		})
-		require.NoError(t, err)
-
-		// wait until service reloaded
-		svc, err = waitForReload(serviceC, svc)
-		require.NoError(t, err)
-
-		t.Logf("rotation phase: %q", types.RotationPhaseStandby)
-		err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{
-			TargetPhase: types.RotationPhaseStandby,
-			Mode:        mode,
-		})
-		require.NoError(t, err)
-
-		// wait until service reloaded
-		svc, err = waitForReload(serviceC, svc)
-		require.NoError(t, err)
-
-		return svc
-	}
-
-	// Start the instance.
-	svc, cancel := restart(nil, nil)
-
-	t.Log("default signature algorithm due to empty config value")
-	// Verify the default signing algorithm with config value empty.
-	assertSigningAlg(svc, defaults.CASignatureAlgorithm)
-
-	t.Log("change signature algorithm with custom config value and manual rotation")
-	// Change the signing algorithm in config file.
-	signingAlg := ssh.KeyAlgoRSA
-	config.CASignatureAlgorithm = &signingAlg
-	svc, cancel = restart(svc, cancel)
-	// Do a manual rotation - this should change the signing algorithm.
-	svc = rotate(svc, types.RotationModeManual)
-	assertSigningAlg(svc, ssh.KeyAlgoRSA)
-
-	t.Log("preserve signature algorithm with empty config value and manual rotation")
-	// Unset the config value.
-	config.CASignatureAlgorithm = nil
-	svc, cancel = restart(svc, cancel)
-
-	// Do a manual rotation - this should leave the signing algorithm
-	// unaffected because config value is not set.
-	svc = rotate(svc, types.RotationModeManual)
-	assertSigningAlg(svc, ssh.KeyAlgoRSA)
-
-	// shut down the service
-	cancel()
-	// close the service without waiting for the connections to drain
-	svc.Close()
-
-	select {
-	case err := <-runErrCh:
-		require.NoError(t, err)
-	case <-time.After(20 * time.Second):
-		t.Fatalf("failed to shut down the server")
-	}
-}
-
 // rotationConfig sets up default config used for CA rotation tests
 func (s *integrationTestSuite) rotationConfig(disableWebService bool) *service.Config {
 	tconf := s.defaultServiceConfig()

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -180,7 +180,6 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 		oidcClients:     make(map[string]*oidcClient),
 		samlProviders:   make(map[string]*samlProvider),
 		githubClients:   make(map[string]*githubClient),
-		caSigningAlg:    cfg.CASigningAlg,
 		cancelFunc:      cancelFunc,
 		closeCtx:        closeCtx,
 		emitter:         cfg.Emitter,
@@ -339,9 +338,6 @@ type Server struct {
 	// cipherSuites is a list of ciphersuites that the auth server supports.
 	cipherSuites []uint16
 
-	// caSigningAlg is an SSH signing algorithm to use when generating new CAs.
-	caSigningAlg *string
-
 	// cache is a fast cache that allows auth server
 	// to use cache for most frequent operations,
 	// if not set, cache uses itself
@@ -673,7 +669,6 @@ func (a *Server) GenerateHostCert(hostPublicKey []byte, hostID, nodeName string,
 	// create and sign!
 	return a.generateHostCert(services.HostCertParams{
 		CASigner:      caSigner,
-		CASigningAlg:  sshutils.GetSigningAlgName(ca),
 		PublicHostKey: hostPublicKey,
 		HostID:        hostID,
 		NodeName:      nodeName,
@@ -1069,7 +1064,6 @@ func (a *Server) generateUserCert(req certRequest) (*proto.Certs, error) {
 
 	params := services.UserCertParams{
 		CASigner:              caSigner,
-		CASigningAlg:          sshutils.GetSigningAlgName(userCA),
 		PublicUserKey:         req.publicKey,
 		Username:              req.user.GetName(),
 		Impersonator:          req.impersonator,
@@ -2178,7 +2172,6 @@ func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequ
 	// generate host SSH certificate
 	hostSSHCert, err := a.generateHostCert(services.HostCertParams{
 		CASigner:      caSigner,
-		CASigningAlg:  sshutils.GetSigningAlgName(ca),
 		PublicHostKey: req.PublicSSHKey,
 		HostID:        req.HostID,
 		NodeName:      req.NodeName,
@@ -3580,15 +3573,10 @@ func (a *Server) createSelfSignedCA(caID types.CertAuthID) error {
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	sigAlg := defaults.CASignatureAlgorithm
-	if a.caSigningAlg != nil && *a.caSigningAlg != "" {
-		sigAlg = *a.caSigningAlg
-	}
 	ca, err := types.NewCertAuthority(types.CertAuthoritySpecV2{
 		Type:        caID.Type,
 		ClusterName: caID.DomainName,
 		ActiveKeys:  keySet,
-		SigningAlg:  sshutils.ParseSigningAlg(sigAlg),
 	})
 	if err != nil {
 		return trace.Wrap(err)

diff --git a/lib/auth/clt_test.go b/lib/auth/clt_test.go
@@ -165,8 +165,6 @@ func newCertAuthority(t *testing.T, name string, caType types.CertAuthType) type
 				Key:  key,
 			}},
 		},
-		Roles:      nil,
-		SigningAlg: types.CertAuthoritySpecV2_RSA_SHA2_256,
 	})
 	require.NoError(t, err)
 	return ca

diff --git a/lib/auth/init.go b/lib/auth/init.go
@@ -159,11 +159,6 @@ type InitConfig struct {
 	// CipherSuites is a list of ciphersuites that the auth server supports.
 	CipherSuites []uint16
 
-	// CASigningAlg is a signing algorithm used for SSH (certificate and
-	// handshake) signatures for both host and user CAs. This option only
-	// affects newly-created CAs.
-	CASigningAlg *string
-
 	// Emitter is events emitter, used to submit discrete events
 	Emitter apievents.Emitter
 
@@ -1105,7 +1100,6 @@ func migrateDBAuthority(ctx context.Context, asrv *Server) error {
 				// Copy only TLS keys as SSH are not needed.
 				TLS: cav2.Spec.ActiveKeys.TLS,
 			},
-			SigningAlg: cav2.Spec.SigningAlg,
 		})
 		if err != nil {
 			return trace.Wrap(err)