Add method to use ed25519 ssh key #104
Conversation
slickwarren
force-pushed
the
cwarren/ed25519
branch
from
f2aeab3
to
35301f6
Compare
slickwarren
force-pushed
the
cwarren/ed25519
branch
from
35301f6
to
7909dd5
Compare
|
I had to re-work some of this PR; my initial testing wasn't sufficient. The only problem is, openssh creation / marshaling isn't supported upstream directly, so the package I'm using is 3rd party. |
slickwarren
force-pushed
the
cwarren/ed25519
branch
2 times, most recently
from
bc0e62f
to
f9ff225
Compare
cmd/create.go
Outdated
| "sync" | ||
|
|
||
| "github.com/mikesmitty/edkey" |
There was a problem hiding this comment.
This mod hasn't been up modified in 6 years. I think it would be better to copy over the code so we can at least maintain it. Will refer to Jake though on what he thinks is best.
There was a problem hiding this comment.
Even though the code is MIT we should never copy code wholesale without attribution. Also, we should prefer forking if a repo isn't properly maintained, and only if we plan to modify it in some way.
There was a problem hiding this comment.
Sounds good Jake understood. Well in this instance the repo doesn't have a go.mod file, it's causing failures in the validate checks for the PR. Do you recommend forking and adding a go.mod for our purposes?
There was a problem hiding this comment.
Did a little digging, according to the docs x509.MarshalPKCS8PrivateKey should work: https://cs.opensource.google/go/go/+/go1.20.5:src/crypto/x509/pkcs8.go;l=101
MarshalPKCS8PrivateKey converts a private key to PKCS #8, ASN.1 DER form.
The following key types are currently supported: *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey (not a pointer), and *ecdh.PrivateKey. Unsupported key types result in an error.
This way we can use the go standard library and not have an external dependency at all.
There was a problem hiding this comment.
@slickwarren Circling back on this, were you able to test the above method?
There was a problem hiding this comment.
I tried that at the time of original testing, but it was not working as expected for me. I can try this again after the upcoming release to make sure I didn't miss anything. But I worked at it for awhile before finding this alternative.
There was a problem hiding this comment.
okay, it appears that this works if you cast the key to its expected type before sending to PKCS8, tested and working with both ed25519 and rsa keys now without the custom code
slickwarren
force-pushed
the
cwarren/ed25519
branch
from
f9ff225
to
7bfdea6
Compare
slickwarren
force-pushed
the
cwarren/ed25519
branch
from
7bfdea6
to
c2783e2
Compare
cmd/create.go
Outdated
| var privDER []byte | ||
| var err error | ||
| if strings.Contains(blockType, "OPENSSH") { | ||
| // Necessary to cast type in order to correctly marshal the key for OpenSSH | ||
| privDER, _ = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey)) | ||
| } else if strings.Contains(blockType, "RSA") { | ||
| privDER = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) | ||
| } else { | ||
| privDER, err = x509.MarshalPKCS8PrivateKey(key) | ||
| } | ||
|
|
||
| if err != nil { | ||
| logrus.Fatal("failed to marshal PKCS8 private key: ", err) | ||
| } |
There was a problem hiding this comment.
| var privDER []byte | |
| var err error | |
| if strings.Contains(blockType, "OPENSSH") { | |
| // Necessary to cast type in order to correctly marshal the key for OpenSSH | |
| privDER, _ = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey)) | |
| } else if strings.Contains(blockType, "RSA") { | |
| privDER = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) | |
| } else { | |
| privDER, err = x509.MarshalPKCS8PrivateKey(key) | |
| } | |
| if err != nil { | |
| logrus.Fatal("failed to marshal PKCS8 private key: ", err) | |
| } | |
| var privBytes []byte | |
| var err error | |
| if strings.Contains(blockType, "OPENSSH") { | |
| // Necessary to cast type in order to correctly marshal the key for OpenSSH | |
| privBytes, err = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey)) | |
| if err != nil { | |
| logrus.Fatalf("failed to marshal PKCS8 private key: %v", err) | |
| } | |
| } else if strings.Contains(blockType, "RSA") { | |
| privBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) | |
| } else { // is this block expected? or should it fatal | |
| privBytes, err = x509.MarshalPKCS8PrivateKey(key) | |
| if err != nil { | |
| logrus.Fatalf("failed to marshal PKCS8 private key: %v", err) | |
| } | |
| } |
There was a problem hiding this comment.
I believe we should leave it in, in case someone wants to use some other key type? Otherwise I can rip this out and just fatal.
cmd/create.go
Outdated
| pubkey, _ := generatePublicKey(&privkey.PublicKey) | ||
| corr.PrivateKey = string(encodePrivateKeyToPEM(privkey)) | ||
| corr.PublicKey = string(pubkey) | ||
| if corr.Vars["corral_ssh_key_type"] == ED25519_KEY_TYPE { |
There was a problem hiding this comment.
we should probably check these errors as well, even if we weren't before
slickwarren
force-pushed
the
cwarren/ed25519
branch
from
c2783e2
to
634c205
Compare
cmd/create.go
Outdated
| @@ -35,6 +37,7 @@ corral create k3s ghcr.io/rancher/k3s | |||
| corral create k3s-ha -v controlplane_count=3 ghcr.io/rancher/k3s | |||
| corral create k3s-custom /home/rancher/issue-1234 | |||
| ` | |||
| const ED25519_KEY_TYPE = "ed25519" | |||
There was a problem hiding this comment.
| const ED25519_KEY_TYPE = "ed25519" | |
| const ed25519KeyType = "ed25519" |
Once that's fixed feel free to merge
slickwarren
force-pushed
the
cwarren/ed25519
branch
from
634c205
to
ec69e75
Compare
slickwarren
force-pushed
the
cwarren/ed25519
branch
from
ec69e75
to
e6cc016
Compare
addresses: #96
tested locally using ubuntu 20.04, and am able to create + login using an ed25519 key instead of rsa by having the user set
coral_ssh_key_type