Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support parse PKCS8 private key #5600

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Support parse PKCS8 private key #5600

wants to merge 3 commits into from

Conversation

biningo
Copy link

@biningo biningo commented May 10, 2024
edited

What type of PR is this?
/kind feature

What this PR does / why we need it:
PKCS8 private key cannot be parsed

Which issue(s) this PR fixes:

Fixes #5599

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

@kubeedge-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign zc2638 after the PR has been reviewed.
You can assign the PR to them by writing /assign @zc2638 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubeedge-bot
Copy link
Collaborator

Welcome @biningo! It looks like this is your first PR to kubeedge/kubeedge 🎉

@kubeedge-bot kubeedge-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 10, 2024
@biningo biningo force-pushed the x509-private-key-parse branch 3 times, most recently from cbba52b to 26ae2a2 Compare May 10, 2024 09:55
@biningo
support parse PKCS8 private key
59076dd 
Signed-off-by: biningo <biningo.cn@gmail.com>
@kubeedge-bot kubeedge-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 10, 2024
@biningo biningo changed the title support parse PKCS8 private key Support parse PKCS8 private key May 11, 2024
wbc6080
wbc6080 reviewed May 13, 2024
View reviewed changes
Copy link
Contributor

@wbc6080 wbc6080 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain in detail under what circumstances you need to parse other types of private keys? If we use ECPrivateKey by default, seems we don't need to parse other types?

@biningo
Copy link
Author

biningo commented May 13, 2024

Can you explain in detail under what circumstances you need to parse other types of private keys? If we use ECPrivateKey by default, seems we don't need to parse other types?

Hi @wbc6080

If the CA certificate does not exist in the cloud, cloudcore will automatically generate the CA private key and CA certificate. As you said, the auto-generated private key is EC format.

KubeEdge supports users to generate CA private key and CA certificate by themselves, if users use PKCS1 format or PKCS8 format private key, it will fail to parse.

kubeedge/cloud/pkg/cloudhub/servers/httpserver/server.go

Lines 265 to 301 in 58bf767

if hubconfig.Config.Ca == nil && hubconfig.Config.CaKey == nil {
var caDER, caKeyDER []byte
klog.Info("Ca and CaKey don't exist in local directory, and will read from the secret")
// Check whether the ca exists in the secret
caSecret, err := GetSecret(CaSecretName, constants.SystemNamespace)
if err != nil {
klog.Info("Ca and CaKey don't exist in the secret, and will be created by CloudCore")
var caKey crypto.Signer
caDER, caKey, err = NewCertificateAuthorityDer()
if err != nil {
klog.Errorf("failed to create Certificate Authority, error: %v", err)
return err
}
caKeyDER, err = x509.MarshalECPrivateKey(caKey.(*ecdsa.PrivateKey))
if err != nil {
klog.Errorf("failed to convert an EC private key to SEC 1, ASN.1 DER form, error: %v", err)
return err
}
err = CreateCaSecret(caDER, caKeyDER)
if err != nil {
klog.Errorf("failed to create ca to secrets, error: %v", err)
return err
}
} else {
caDER = caSecret.Data[CaDataName]
caKeyDER = caSecret.Data[CaKeyDataName]
}
UpdateConfig(caDER, caKeyDER, nil, nil)
} else {
// HubConfig has been initialized
if err := CreateCaSecret(hubconfig.Config.Ca, hubconfig.Config.CaKey); err != nil {
klog.Errorf("failed to save ca and key to the secret, error: %v", err)
return err
}
}

@kubeedge-bot kubeedge-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 13, 2024
@biningo biningo force-pushed the x509-private-key-parse branch 2 times, most recently from 93855f4 to 4304020 Compare May 13, 2024 15:24
@biningo
Set the private key in EC/PKCS1/PKCS8 format to meet unit test coverage
0fbf511 
Signed-off-by: biningo <biningo.cn@gmail.com>
@biningo
Add ParseX509PrivateKey function doc comment
48f1db4 
Signed-off-by: biningo <biningo.cn@gmail.com>
wbc6080
wbc6080 reviewed May 17, 2024
View reviewed changes
cloud/pkg/cloudhub/servers/httpserver/certutil.go
Comment on lines +131 to +139
caKeyEc, ecErr := x509.ParseECPrivateKey(der)
if ecErr == nil {
return caKeyEc, nil
}

caKeyPKCS1, pkcs1Err := x509.ParsePKCS1PrivateKey(der)
if pkcs1Err == nil {
return caKeyPKCS1, nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to distinguish the encryption type of the key that needs to be parsed? Or to put it another way, if the PKCS1 secret key calls the ParseECPrivateKey method, an error will be reported, right?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah
If the private key is not in the correct format, it will return err.
Parsing the private key format is the same as parsing the private key.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can distinguish the encryption type of the key from caCert.PublicKey type.
If provided PrivateKey doesn't match parent's PublicKey, CreateCertificate will fail
https://github.com/golang/go/blob/go1.22.3/src/crypto/x509/x509.go#L1648

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tls.X509KeyPair is better. but look at here

@biningo biningo requested a review from wbc6080 May 21, 2024 10:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@forsaken628 forsaken628 forsaken628 left review comments

@Iceber Iceber Awaiting requested review from Iceber

@Poor12 Poor12 Awaiting requested review from Poor12

@wbc6080 wbc6080 Awaiting requested review from wbc6080

Assignees
No one assigned
Labels
size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PKCS8 private key cannot be parsed
4 participants
@biningo @kubeedge-bot @forsaken628 @wbc6080