Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: generate a subject key identifier when creating a certificate #6379

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: generate a subject key identifier when creating a certificate #6379

wants to merge 3 commits into from
+16 −0

Conversation

kruskall
Copy link
Member

What does this PR do?

If a subject key id is omitted, go will generate one using sha1. This is described as method 1 in RFC 5280 Section 4.2.1.2.

Update the code to explicitly pass a subject key id to avoid calling sha1 functions. The new SubjectKeyId is generated using method 1 in RFC 7093 Section 2 which takes 160-bits of the SHA-256 hash.

Why is it important?

When sha1 is not available (e.g. fips only mode) this method will panic.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

How to test this PR locally

Related issues

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...

@kruskall
feat: generate a subject key identifier when creating a certificate
d587478 
If a subject key id is omitted, go will generate one using sha1.
This is described as method 1 in RFC 5280 Section 4.2.1.2.

When sha1 is not available (e.g. fips only mode) this method will
panic.

Update the code to explicitly pass a subject key id to avoid calling
sha1 functions. The new SubjectKeyId is generated using
method 1 in RFC 7093 Section 2 which takes 160-bits of the SHA-256 hash.
@kruskall kruskall added enhancement New feature or request skip-changelog labels Dec 18, 2024
@kruskall kruskall requested a review from a team as a code owner December 18, 2024 02:40
@mergify Mergify
Copy link
Contributor

mergify bot commented Dec 18, 2024

This pull request does not have a backport label. Could you fix it @kruskall? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify Mergify
Copy link
Contributor

mergify bot commented Dec 18, 2024

backport-v8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Dec 18, 2024
@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@swiatekm swiatekm added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Dec 31, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

michalpristas
michalpristas reviewed Jan 2, 2025
View reviewed changes
Copy link
Contributor

@michalpristas michalpristas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add UT tests making sure we don't panic on [:20] (we won't not but let's make sure we have changes in golang standard library checked)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michalpristas michalpristas michalpristas left review comments

@blakerouse blakerouse Awaiting requested review from blakerouse blakerouse is a code owner automatically assigned from elastic/elastic-agent-control-plane

At least 1 approving review is required to merge this pull request.

Assignees

@kruskall kruskall

Labels
backport-8.x Automated backport to the 8.x branch with mergify enhancement New feature or request skip-changelog Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kruskall @elasticmachine @michalpristas @swiatekm