cli: add mt cert create-tenant-signing command#74646
cli: add mt cert create-tenant-signing command#74646craig[bot] merged 1 commit intocockroachdb:masterfrom
Conversation
|
This change is |
29de99e to
d6a7c03
Compare
catj-cockroach
left a comment
There was a problem hiding this comment.
I have a few quick requests about how we're generating the certificate and verifying information output by them, but this looks good to me otherwise!
Reviewed 37 of 37 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @knz and @rafiss)
pkg/security/x509.go, line 285 at r1 (raw file):
publicKey crypto.PublicKey, privateKey crypto.PrivateKey, lifetime time.Duration, ) ([]byte, error) { template, err := newTemplate(caCommonName, lifetime)
In my opinion we should use a distinct template for the tenant signing key, rather than reusing the generate template code. We need to store very little information in the certificate, something like this would be sufficient:
template := &x509.Certificate{
Subject: pkix.Name{
CommonName: fmt.Sprintf("Tenant %d Token Signing Certificate", tenantID),
},
SerialNumber: big.NewInt(1), // The serial number does not matter because we are not using a certificate authority and replace this certificate with a new certificate.
BasicConstraintsValid: true,
IsCA: false, // This certificate CANNOT sign other certificates.
PublicKey: publicKey,
NotAfter: time.Now().Add(lifetime),
KeyUsage: x509.KeyUsageDigitalSignature, // This certificate can ONLY make signatures.
}pkg/security/certs_tenant_test.go, line 162 at r1 (raw file):
payload := []byte{1, 2, 3} signature := ed25519.Sign(ed25519PrivateKey, payload) ed25519PubKey, isEd25519 := signingCert.ParsedCertificates[0].PublicKey.(ed25519.PublicKey)
Rather than interacting with the ParsedCertificates, could we use the CheckSignature function?
err = certActual.CheckSignature(x509.PureEd25519, payload, signature)
require.NoError(t, err)
rafiss
left a comment
There was a problem hiding this comment.
Reviewable status:
pkg/security/x509.go, line 285 at r1 (raw file):
Previously, catj-cockroach (Cat J) wrote…
In my opinion we should use a distinct template for the tenant signing key, rather than reusing the generate template code. We need to store very little information in the certificate, something like this would be sufficient:
template := &x509.Certificate{ Subject: pkix.Name{ CommonName: fmt.Sprintf("Tenant %d Token Signing Certificate", tenantID), }, SerialNumber: big.NewInt(1), // The serial number does not matter because we are not using a certificate authority and replace this certificate with a new certificate. BasicConstraintsValid: true, IsCA: false, // This certificate CANNOT sign other certificates. PublicKey: publicKey, NotAfter: time.Now().Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature, // This certificate can ONLY make signatures. }
oh, nice, happy to simplify this
pkg/security/certs_tenant_test.go, line 162 at r1 (raw file):
Previously, catj-cockroach (Cat J) wrote…
Rather than interacting with the
ParsedCertificates, could we use the CheckSignature function?err = certActual.CheckSignature(x509.PureEd25519, payload, signature) require.NoError(t, err)
nice, this seems like a better way (i still had to access ParsedCertificates[0], but maybe i'm missing something from your suggestion
d6a7c03 to
3d06d94
Compare
knz
left a comment
There was a problem hiding this comment.
I like this. Just a nit and this is good to go from my perspective (but I'll let Catherine approve).
Reviewed 7 of 37 files at r1, 3 of 27 files at r2.
Reviewable status:
pkg/cli/mt_cert.go, line 126 at r2 (raw file):
If --overwrite is true, any existing files are overwritten. `, Args: cobra.MinimumNArgs(1),
ExactArgs?
3d06d94 to
7e16c1f
Compare
rafiss
left a comment
There was a problem hiding this comment.
Reviewable status:
pkg/cli/mt_cert.go, line 126 at r2 (raw file):
Previously, knz (kena) wrote…
ExactArgs?
fixed
This key/cert will be used to generate session revival tokens. No release note since this is only intended to be used internally. Release note: None
7e16c1f to
124a8f4
Compare
catj-cockroach
left a comment
There was a problem hiding this comment.
Reviewed 2 of 37 files at r1, 26 of 27 files at r2, 1 of 1 files at r3, 1 of 1 files at r4, all commit messages.
Reviewable status:
pkg/security/certs_tenant_test.go, line 162 at r1 (raw file):
Previously, rafiss (Rafi Shamim) wrote…
nice, this seems like a better way (i still had to access
ParsedCertificates[0], but maybe i'm missing something from your suggestion
Ahhh, I thought signingCert was an x509.Certificate. In this case, i might throw a require.Len(t, signingCert.ParsedCertificates, 1) in there but other than that looks good to me!
|
tftr! bors r=knz,catj-cockroach |
|
Build succeeded: |
refs #74643
This key/cert will be used to generate session revival tokens.
No release note since this is only intended to be used internally.
Release note: None