-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add separation between keys when exporting CAs #18562
Conversation
7e00de1
to
162bf78
Compare
I do not understand how this could fix the flakiness. |
It doesn't. At least not 100%. So, the output is two blobs and this adds a little mark between them. |
162bf78
to
b5d8fc0
Compare
Sorry @marcoandredinis I still don't understand. Isn't this the equivalent of changing |
Almost the same, yes. I agree this does not ensure that it won't happen again However, IMO having a low probability is enough. > go test ./lib/client/ -run TestExportAuthorities/windows_exportSecrets --count 20_000 -race
ok github.com/gravitational/teleport/lib/client 469.146s I'm ok with going a step further We can parse the keys with So, we would remove the write // pkcs1PrivateKey is a structure which mirrors the PKCS #1 ASN.1 for an RSA private key.
type pkcs1PrivateKey struct {
Version int
N *big.Int
E int
D *big.Int
P *big.Int
Q *big.Int
}
validatePrivateKeyDERFunc := func(t *testing.T, s string) {
bs := []byte(s)
var priv pkcs1PrivateKey
rest, err := asn1.Unmarshal(bs, &priv)
require.NoError(t, err)
privateKeyBytes, err := asn1.Marshal(priv)
require.NoError(t, err)
privKey, err := x509.ParsePKCS1PrivateKey(privateKeyBytes)
require.NoError(t, err, "x509.ParsePKCS1PrivateKey failed")
require.NotNil(t, privKey, "x509.ParsePKCS1PrivateKey returned a nil certificate")
validateTLSCertificateDERFunc(t, string(rest))
} What do you think? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So to clarify as I don't think this is very clear: am I right in saying the test currently flakes because there is a chance that that the generated secret keys binary output may contain the equivalent of \n\n
which matches the separator we are using. And hence by increasing the length of the separator, it becomes far less likely that the binary output of the secret key will collide with it ?
I see two issues with this fix:
- It doesn't actually correct the code - just reduces the chance by which this bug occurs. This bug could theoretically occur in a user's actual environment.
- It changes the output output format.
The first issue is relatively minor, but the second issue is more interesting to me. Are we trying to match some prescribed format here so that something else can ingest it ? If so, changing the separator is not appropriate and will break whatever is trying to read this output.
If this output format is something of our choosing - then why are we outputting binary data raw like this at all ???
Surely we could encode the key data using base64 or similar, then output a newline, and then output the certificate encoded as base64 and this would completely avoid the possibility of an erroneous newline slipping in.
That is correct 👍 We currently have a command that outputs the windows certificate (der format):
It can also output the key (so it prints two blobs):
In a previous PR I added the ability to do the same using an HTTP endpoint (it doesn't offer the If you try to use the command This is ok for most types (as in I'm ok in testing this using another method like I mentioned in the previous comment |
This is what I was missing. Now I understand. I think if you're requesting a binary format like DER, it's really not safe to combine multiple different pieces of data in the same file. Could we instead write the different pieces to different files? Maybe the DER-encoded cert could be written to stdout, and we make |
Even simpler, could we have it so It would be nice to have some consistency between the types, it seems pretty hit or miss whether |
b5d8fc0
to
b5c5adb
Compare
@strideynet @zmb3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy with this change in behaviour - but I think we need to make sure that any docs referencing this command have been updated :) We may need to consider releasing this in a major release since it's effectively a breaking change in the CLI interface.
Agree 👍 I'm not backporting this change, so this will go out on a major release. |
eac482e
to
8daf156
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I put the release-notes
label on this so we remember to include a note in the v12 release notes.
Adding a new line was sometimes not enough to separate the keys. This was causing our tests to sometimes fail.
8daf156
to
8285b88
Compare
To ease the creation of the release notes, the breaking change is:
(feel free to adapt the wording if necessary) |
Adding a new line was sometimes not enough to separate the keys.
This was causing our tests to sometimes fail.
$ go test ./lib/client/ -run TestExportAuthorities/windows_exportSecrets --count 2000 -race ok github.com/gravitational/teleport/lib/client 46.648s
Fixes #18309