terraform-provider-tls

Support for x25519

Open jackivanov opened this issue 4 years ago • 13 comments

Hi there,

It would be nice to have curve25519 supported

https://godoc.org/golang.org/x/crypto/curve25519

edit:

I have published a custom provider for now https://registry.terraform.io/providers/jackivanov/x25519/latest/docs

jackivanov avatar Dec 01 '20 15:12 jackivanov

duplicate(?) of #26

azrdev avatar Mar 18 '21 11:03 azrdev

This sounds like it's covered by the work ongoing in #150. Closing, but if it's different, please provide a lot more details of what the desired feature would look like.

Thank you :)

detro avatar Feb 21 '22 18:02 detro

@detro curve25519 is a kinda different feature than just ED25519

jackivanov avatar Feb 21 '22 19:02 jackivanov

@detro Take a look at my draft in this fork

jackivanov avatar Feb 21 '22 19:02 jackivanov

OK, I gave a quick read to the RFC but I won't pretend to be "an expert" or anything on the topic.

From what I gather, it describes a curve and can be used for implementing cryptographic functions/tools.

Sorry, but the reason it feels out of place here is that it's too "low level" compared to what this Provider does: even if we expose the data of such a curve, what would then be the use? It's not a certificate or a key, something that can be fed to other systems during a Terraform Apply.

But if you can document/describe a more concrete end-2-end example of where having such a resource in Terraform would be usable and beneficial, we could revisit this.

Hope it makes sense.

thank you

detro avatar Feb 22 '22 14:02 detro

@detro We can use that to generate a private/public key pair and feed it to any application that supports it. For example, WireGuard. I'm not an expert either, but you can take a look at my PoC, and the resource codebase in my previous comment. WireGuard code has recently been added to the Linux kernel natively, and I'm pretty sure there'll be more systems in future.

jackivanov avatar Feb 22 '22 14:02 jackivanov

So, I did a quick googling to learn a bit more about X25519 and its relationship with ED25519: https://words.filippo.io/using-ed25519-keys-for-encryption/

What I'm concerned about at this point is that we (HashiCorp) don't want to add new features to this provider unless they are absolutely well-established features that "should be here".

It's a delicate balance to choose when something is common enough to be needed. So, what I could do is re-open the issue, waiting for more input/interest from the community.

detro avatar Feb 23 '22 19:02 detro

I can definitely contribute and file a PR for your review if you'd like

jackivanov avatar Feb 23 '22 21:02 jackivanov

If implementing Curve25519 generically would allow Terraform to work with WireGuard keys in the same vein as other SSL/TLS/SSH keys, that would be a huge win for me. Being able to do all this in Vault too without having to use Key/Value would be even better.

AlexHunterCodes avatar Feb 23 '22 23:02 AlexHunterCodes

What happened to this? PR closed but not merged.

thekev avatar Sep 06 '23 17:09 thekev

It seems that the project maintainers may not have shown much interest in contributions from the community. I'll be happy to rework whatever's required to get this merged.

jackivanov avatar Sep 06 '23 19:09 jackivanov

For everyone interested I have published a provider - https://registry.terraform.io/providers/jackivanov/x25519/latest/docs

jackivanov avatar Dec 10 '23 20:12 jackivanov

ZeroMQ also uses the Curve25519 and being able to generate the keys would be helpful to me as well.

ptwohig avatar Dec 29 '23 00:12 ptwohig