New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: add validation to verify that the CertificateKey is a valid hex encoded AES key #120064
Conversation
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
||
k := len(decodedKey) | ||
switch k { | ||
case 16, 24, 32: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
our util is flexible to allow various key sizes:
func EncryptBytes(data, key []byte) ([]byte, error) { |
but we do hardcode the required (security wize, default) size to 32 bytes only.
randBytes, err := cryptoutil.CreateRandBytes(kubeadmconstants.CertificateKeySize) |
here in the validation we can do:
if len(decodedKey) != kubeadmconstants.CertificateKeySize {
allErrs = append(allErrs, field.Invalid(fldPath, certificateKey, fmt.Sprintf("invalid certificate key size %d, the key must be an AES key of size %d", k, kubeadmconstants.CertificateKeySize)))
one issue around DecryptBytes is that i don't see size validation impleneted already for it. this means users could have written a valid AES key with smaller size and it would have worked. ..and that's why the comments about validation.go were left i guess.
the main point is that kubeadm by default generates 32 bytes, which is secure.
i think we should just error for size != 32.
…hex encoded AES key
7228a3d
to
75a80d5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
/retest
please check the extra args v1beta4 pr when you can.
LGTM label has been added. Git tree hash: bff1f3edc14d92db160aed6dd9cec3e6ada6c092
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123, SataQiu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
kubeadm: add validation to verify that the CertificateKey is a valid hex encoded AES key
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: