From a0ebdd17ab153aae8f3a821b5a69da864cc37f22 Mon Sep 17 00:00:00 2001
From: Dan Bond
Date: Wed, 10 Jan 2024 13:05:56 +0000
Subject: [PATCH] manual backport
---
 .changelog/20112.txt | 3 ++
 agent/auto-config/auto_encrypt_test.go | 40 ++++++++++++++++++++++++++
 agent/connect/generate.go | 4 +--
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/20112.txt
diff --git a/.changelog/20112.txt b/.changelog/20112.txt
new file mode 100644
index 000000000000..99a2a2ecd02b
--- /dev/null
+++ b/.changelog/20112.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Update RSA key generation to use a key size of at least 2048 bits.
+```
diff --git a/agent/auto-config/auto_encrypt_test.go b/agent/auto-config/auto_encrypt_test.go
index 10a7c8da4688..d0768080248c 100644
--- a/agent/auto-config/auto_encrypt_test.go
+++ b/agent/auto-config/auto_encrypt_test.go
@@ -7,6 +7,7 @@ import (
 "context"
 "crypto/x509"
 "crypto/x509/pkix"
+ "encoding/pem"
 "fmt"
 "net"
 "net/url"
@@ -107,6 +108,45 @@ func TestAutoEncrypt_generateCSR(t *testing.T) {
 }
 }
+func TestAutoEncrypt_generateCSR_RSA(t *testing.T) {
+ testCases := []struct {
+ name string
+ keySize int
+ expectedKeySize int
+ }{
+ {
+ name: "DefaultKeySize",
+ keySize: 0,
+ expectedKeySize: 4096,
+ },
+ {
+ name: "KeySize2048",
+ keySize: 2048,
+ expectedKeySize: 2048,
+ },
+ }
+
+ for _, tcase := range testCases {
+ t.Run(tcase.name, func(t *testing.T) {
+ ac := AutoConfig{config: &config.RuntimeConfig{
+ ConnectCAConfig: map[string]interface{}{
+ "PrivateKeyType": "rsa",
+ "PrivateKeyBits": tcase.keySize,
+ },
+ }}
+
+ // Generate a private RSA key.
+ _, key, err := ac.generateCSR()
+ require.NoError(t, err)
+
+ // Parse the private key and check it's length.
+ pemBlock, _ := pem.Decode([]byte(key))
+ priv, _ := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
+ require.Equal(t, tcase.expectedKeySize, priv.N.BitLen())
+ })
+ }
+}
+
 func TestAutoEncrypt_hosts(t *testing.T) {
 type testCase struct {
 serverProvider ServerProvider
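Review bot: The key parsing at the end of the new t.Run body discards both failure signals — a nil block from `pem.Decode` and the error from `x509.ParsePKCS1PrivateKey` — so a regression that emits a non-PEM or non-PKCS#1 key would surface as a nil-pointer panic on `pemBlock.Bytes` or `priv.N` rather than as an assertion failure. Keep the checks explicit: `require.NotNil(t, pemBlock)` after the decode, then `priv, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)` followed by `require.NoError(t, err)`. The changelog entry describes a floor of 2048 bits, yet neither case requests a size below it; a case such as `keySize: 1024` asserting that generateCSR returns an error would pin that property, assuming the floor is enforced in generateRSAKey on this branch (that function is not part of this patch). The comment `// Parse the private key and check it's length.` should read `its`.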
diff --git a/agent/connect/generate.go b/agent/connect/generate.go
index 7fb80e9cbf38..e955649f7b3b 100644
--- a/agent/connect/generate.go
+++ b/agent/connect/generate.go
@@ -97,9 +97,9 @@ func generateECDSAKey(keyBits int) (crypto.Signer, string, error) {
 // GeneratePrivateKey generates a new Private key
 func GeneratePrivateKeyWithConfig(keyType string, keyBits int) (crypto.Signer, string, error) {
 switch strings.ToLower(keyType) {
- case "rsa":
+ case PrivateKeyTypeRSA:
 return generateRSAKey(keyBits)
- case "ec":
+ case DefaultPrivateKeyType:
 return generateECDSAKey(keyBits)
 default:
 return nil, "", fmt.Errorf("unknown private key type requested: %s", keyType)
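Review bot: `case DefaultPrivateKeyType:` on the ECDSA branch names the constant by its role rather than by the key type it selects, so a reader of this switch cannot tell it routes "ec" requests without looking up the constant, and the "ec" arm would silently change meaning if the default were ever redefined. Prefer a constant named for the EC type if the package defines one, or at least annotate the arm, `case DefaultPrivateKeyType: // "ec"`. Both constants are compared against `strings.ToLower(keyType)`, so they must be defined in lowercase for the match to succeed; the previous literals were `"rsa"` and `"ec"`, and that property is now only as visible as the constant definitions outside this hunk. The surrounding doc comment still reads `// GeneratePrivateKey generates a new Private key` on a function named GeneratePrivateKeyWithConfig; it would be worth correcting it while this block is being touched.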