
Commit 61a4c58

Increase the key size for KubeConfig private key
rsa.GenerateKey now requires RSA private keys to be at least 1024 bits. https://pkg.go.dev/crypto/rsa@master#GenerateKey Signed-off-by: Arnaud Meukam <[email protected]>
1 parent 6192c69 commit 61a4c58


2 files changed

+23
-6
lines changed

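--- a/pkg/kubeconfig/create_kubecfg_test.go
+++ b/pkg/kubeconfig/create_kubecfg_test.go
@@ -142,7 +142,7 @@ func fakeKeyset() *fi.Keyset {
 
 func TestBuildKubecfg(t *testing.T) {
 originalPKIDefaultPrivateKeySize := pki.DefaultPrivateKeySize
-pki.DefaultPrivateKeySize = 512
+pki.DefaultPrivateKeySize = 2048
 defer func() {
 pki.DefaultPrivateKeySize = originalPKIDefaultPrivateKeySize
 }()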
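Review bot: The new line 145 sets `pki.DefaultPrivateKeySize = 2048`, which likely defeats the purpose of the override: the old value of 512 existed to make key generation in this test cheap, and if 2048 is already the package default the override becomes a no-op. The commit description states the new floor is 1024 bits, so `pki.DefaultPrivateKeySize = 1024` satisfies rsa.GenerateKey while keeping the test fast. Whichever value is kept, a short comment such as `// Smallest size rsa.GenerateKey accepts; kept low so the test stays fast` would explain why the test overrides the default at all. TestBuildKubecfg's body continues outside the hunk.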

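--- a/pkg/pki/issue_test.go
+++ b/pkg/pki/issue_test.go
@@ -18,9 +18,11 @@ package pki
 
 import (
 "context"
+"crypto/rand"
 "crypto/rsa"
 "crypto/x509"
 "crypto/x509/pkix"
+"math/big"
 "net"
 "os"
 "testing"
@@ -54,12 +56,27 @@ func TestIssueCert(t *testing.T) {
 os.Setenv("KOPS_RSA_PRIVATE_KEY_SIZE", origSize)
 }()
 
-caCertificate, err := ParsePEMCertificate([]byte("-----BEGIN CERTIFICATE-----\nMIIBRjCB8aADAgECAhAzhRMOcwfggPtgZNIOFU19MA0GCSqGSIb3DQEBCwUAMBIx\nEDAOBgNVBAMTB1Rlc3QgQ0EwHhcNMjAwNTE1MDIzNjI0WhcNMzAwNTE1MDIzNjI0\nWjASMRAwDgYDVQQDEwdUZXN0IENBMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM/S\ncagGaiDA3jJWBXUr8rM19TWLA65jK/iA05FCsmQbyvETs5gbJdBfnhQp8wkKFlkt\nKxZ34k3wQUzoB1lv8/kCAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB\n/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADQQCDOxvs58AVAWgWLtD3Obvy7XXsKx6d\nMzg9epbiQchLE4G/jlbgVu7vwh8l5XFNfQooG6stCU7pmLFXkXzkJQxr\n-----END CERTIFICATE-----\n"))
+caKey, err := rsa.GenerateKey(rand.Reader, 2048)
 require.NoError(t, err)
-caPrivateKey, err := ParsePEMPrivateKey([]byte("-----BEGIN RSA PRIVATE KEY-----\nMIIBPAIBAAJBAM/ScagGaiDA3jJWBXUr8rM19TWLA65jK/iA05FCsmQbyvETs5gb\nJdBfnhQp8wkKFlktKxZ34k3wQUzoB1lv8/kCAwEAAQJBAJzXQZeBX87gP9DVQsEv\nLbc6XZjPFTQi/ChLcWALaf5J7drFJHUcWbKIHzOmM3fm3lQlb/1IcwOBU5cTY0e9\nBVECIQD73kxOWWAIzKqMOvFZ9s79Et7G1HUMnVAVKJ1NS1uvYwIhANM7LULdi0YD\nbcHvDl3+Msj4cPH7CXAJFyPWaQZPlXPzAiEAhDg6jpbUl0n57guzT6sFFk2lrXMy\nzyB2PeVITp9UzkkCIEpcF7flQ+U2ycmuvVELbpdfFmupIw5ktNex4DEPjR5PAiEA\n68vR1L1Kaja/GzU76qAQaYA/V1Ag4sPmOQdEaVZKu78=\n-----END RSA PRIVATE KEY-----\n"))
+
+// Create pki.PrivateKey wrapper for CA key
+caPrivateKey := &PrivateKey{Key: caKey} // Use your package's PrivateKey type
+
+caTemplate := &x509.Certificate{
+SerialNumber: big.NewInt(1),
+Subject: pkix.Name{CommonName: "Test CA"},
+NotBefore: time.Now(),
+NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
+KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+BasicConstraintsValid: true,
+IsCA: true,
+}
+
+caCertDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
 require.NoError(t, err)
-privateKey, err := ParsePEMPrivateKey([]byte("-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBANgL5cR2cLOB7oZZTiuiUmMwQRBaia8yLULt+XtBtDHf0lPOrn78\nvLPh7P7zRBgHczbTddcsg68g9vAfb9TC5M8CAwEAAQJAJytxCv+WS1VhU4ZZf9u8\nKDOVeEuR7uuf/SR8OPaenvPqONpYbZSVjnWnRBRHvg3HaHchQqH32UljZUojs9z4\nEQIhAO/yoqCFckfqswOGwWyYX1oNOtU8w9ulXlZqAtZieavVAiEA5n/tKHoZyx3U\nbZcks/wns1WqhAoSmDJpMyVXOVrUlBMCIDGnalQBiYasYOMn7bsFRSYjertJ2dYI\nQJ9tTK0Er90JAiAmpVQx8SbZ80pmhWzV8HUHkFligf3UHr+cn6ocJ6p0mQIgB728\npdvrS5zRPoUN8BHfWOZcPrElKTuJjP2kH6eNPvI=\n-----END RSA PRIVATE KEY-----"))
+caCert, err := x509.ParseCertificate(caCertDER)
 require.NoError(t, err)
+caCertificate := &Certificate{Certificate: caCert}
 
 for _, tc := range []struct {
 name string
@@ -115,7 +132,7 @@ func TestIssueCert(t *testing.T) {
 CommonName: "Test client/server",
 },
 AlternateNames: []string{"*.internal.test.cluster.local", "localhost", "127.0.0.1"},
-PrivateKey: privateKey,
+PrivateKey: caPrivateKey,
 },
 expectedKeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 expectedExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
@@ -131,7 +148,7 @@ func TestIssueCert(t *testing.T) {
 CommonName: "Test server",
 },
 AlternateNames: []string{"*.internal.test.cluster.local", "localhost", "127.0.0.1"},
-PrivateKey: privateKey,
+PrivateKey: caPrivateKey,
 },
 expectedKeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 expectedExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},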
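Review bot: The two case hunks (new lines 135 and 151) replace the separate leaf key with `caPrivateKey`, so every certificate IssueCert produces in this test carries the issuer's own public key and is signed by that same key; the removed code used a distinct leaf key, and with the keys collapsed the test can no longer detect key-separation mistakes in IssueCert (a wrong SubjectKeyId/AuthorityKeyId, or a leaf that is indistinguishable from its issuer). Generate a second key after the CA setup instead, `leafKey, err := rsa.GenerateKey(rand.Reader, 2048)`, `require.NoError(t, err)`, `privateKey := &PrivateKey{Key: leafKey}`, and keep `PrivateKey: privateKey` in both cases. The trailing `// Use your package's PrivateKey type` on new line 63 reads like a leftover placeholder and should be removed. `time.Now()` on lines 68-69 depends on `time` being imported below the shown import hunk; confirm it is, since the hunk only adds `crypto/rand` and `math/big`. TestIssueCert's body and its case table extend beyond the hunks.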
