Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS Util: Support parsing PKCS1 and PKCS8 private keys #575

Closed
brucec5 opened this issue Jul 27, 2021 · 1 comment · Fixed by #843
Closed

TLS Util: Support parsing PKCS1 and PKCS8 private keys #575

brucec5 opened this issue Jul 27, 2021 · 1 comment · Fixed by #843
Labels
theme/tls About running Consul with TLS type/enhancement New feature or request

Comments

@brucec5
Copy link
Contributor

brucec5 commented Jul 27, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Is your feature request related to a problem? Please describe.

Similar to hashicorp/consul#7622, it appears that consul-k8s only supports EC private keys. This is despite the fact that consul itself supports EC, PKCS1, and PKCS8 private keys.

The consul-k8s code in question:

consul-k8s/helper/cert/tls_util.go

Lines 153 to 168 in 8946d1a

// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key
// is expected to be the first block in the PEM value.
func ParseSigner(pemValue string) (crypto.Signer, error) {
// The _ result below is not an error but the remaining PEM bytes.
block, _ := pem.Decode([]byte(pemValue))
if block == nil {
return nil, fmt.Errorf("no PEM-encoded data found")
}
switch block.Type {
case "EC PRIVATE KEY":
return x509.ParseECPrivateKey(block.Bytes)
default:
return nil, fmt.Errorf("unknown PEM block type for signing key: %s", block.Type)
}
}

The similar code in consul:
https://github.com/hashicorp/consul/blob/27de64da7095570012e9f8f7aec16aaf66d2a773/agent/connect/parsing.go#L112-L141

Feature Description

Support parsing all of the private key formats that Consul supports. I'm not sure if you can just use the existing tlsutil package from the consul repo, so worst case I guess you could just copy/paste in that same bit of code.

Use Case(s)

We should be able to specify an RSA private key in the .global.tls.caKey values.yaml entry.

Contributions
@brucec5 brucec5 added the type/enhancement New feature or request label Jul 27, 2021
@ndhanushkodi ndhanushkodi added the theme/tls About running Consul with TLS label Jul 29, 2021
@david-yu
Copy link
Contributor

Hi @brucec5 thank you submitting this feature request. This is a great feature request and we will add this to our backlog. It is likely we won't be able to get to in some time since we have some other feature work going on right now. As a follow up question, I assume you are using PKCS1 or PKCS8 in Vault? Which one of the two do you have a preference for to helps us prioritize between the two?

@lkysow lkysow mentioned this issue Nov 4, 2021
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
theme/tls About running Consul with TLS type/enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support PKCS1 and PKCS8 private keys hashicorp/consul-k8s
3 participants
@david-yu @brucec5 @ndhanushkodi