
Support RSA Keys

Open drewwells opened this issue 2 years ago • 3 comments

I'm trying to point a bundle at an RSA Private key ie.

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Unfortunately, trust-manager only supports der formatted keys and not pem. I thought perhaps I could load my private key into cert-manager since it's more flexible to convert this into a format that trust-manager supports, but external secrets is blocked on evidence https://github.com/cert-manager/cert-manager/issues/2507.

Is there any way to source RSA private/public keys for distributing via trust-manager?

drewwells avatar Mar 26 '24 17:03 drewwells

Log message

 trust/manager/events "msg"="Failed to build bundle sources: invalid PEM data in source: invalid PEM block in bundle; invalid PEM certificate: invalid PEM block in bundle: only CERTIFICATE blocks are permitted but found 'RSA PRIVATE KEY'"

drewwells avatar Mar 26 '24 17:03 drewwells

Why do you want to source a private key?

erikgb avatar Mar 26 '24 21:03 erikgb

I want to publish a public key across all namespaces matching a private key that I provisioned. I can source either the private or the public key.

drewwells avatar Mar 27 '24 00:03 drewwells

Hey, Erik just pointed me here!

Based on the description I don't think we'd be likely to action anything like this. There are a few things here:

  1. We only support reading PEM formatted X.509 certificates.
  2. Certificates contain public keys, and only public keys are required for trust purposes.
  3. trust-manager doesn't currently handle truly secret data and we're not likely to start because that would significantly change our threat model

Put another way, trust-manager is only focused on X.509 trust bundles - i.e. all of the public keys are wrapped in X.509 certificates and we don't handle private keys at all.

I think my best reading of what you're asking is that you want to point trust-manager at a private key, then have it generate the corresponding public key and add that to a bundle. That would be way out of scope for trust-manager today, since we only deal with public keys wrapped in X.509 certificates. Plus, since we don't deal with secret data, we'd be reluctant to add such a feature for that reason.

I'm going to close this since we're not likely to add a feature like that. If your ask was for something different please feel free to comment!

SgtCoDFish avatar Jul 17 '24 09:07 SgtCoDFish

You're right, I thought trust-manager would produce a public key when given a private key. I think because it focuses on reading secrets and certificates pointed at secrets, it led me to believe this. It appears all it does is validate public keys then mirror them.

Given that Trust-Manager installs RBAC to read all secrets in the cluster, Trust-Manager is already in a dangerous threat model. https://github.com/cert-manager/trust-manager/blob/main/deploy/charts/trust-manager/templates/role.yaml#L1-L16

Maybe I'm misunderstanding but why not just calculate the public key from private key(s)? Or a lesser ask, support mirroring of RSA public keys like it does with x509 certificates today? All I needed was to mirror some RSA public keys a few months ago. We ended up rolling our own solution to this with script-operator.

drewwells avatar Jul 17 '24 12:07 drewwells

> Given that Trust-Manager installs RBAC to read all secrets in the cluster, Trust-Manager is already in a dangerous threat model. https://github.com/cert-manager/trust-manager/blob/main/deploy/charts/trust-manager/templates/role.yaml#L1-L16

This is a nitpick, but it explicitly doesn't do that and we've been super careful not to do that! That's a namespaced Role you linked.

We can read all secrets in the trust namespace .Values.app.trust.namespace, but you can't just add a secret in any namespace and have trust-manager read it.

It's possible to write bundles to Secrets, which does require wider permissions (see here) but that's opt-in and will always be opt-in for the reason that it massively expands permissions.

> Maybe I'm misunderstanding but why not just calculate the public key from private key(s)? Or a lesser ask, support mirroring of RSA public keys like it does with x509 certificates today? All I needed was to mirror some RSA public keys a few months ago. We ended up rolling our own solution to this with script-operator.

We couldn't calculate RSA public keys from RSA private keys because we don't support RSA public key bundles. I could imagine there'd be room in the world for a RSAKeyBundle resource which stitches together non-X.509 public keys, but that's not in trust-manager's purview at the moment!

It doesn't really make sense to mix X.509 bundles (which we currently support) and RSA public key bundles.

We in theory could read private keys and generate a self-signed X.509 cert from that private key to add to the bundle, but that would require the user to specify additional information (like what goes in the cert's subject, duration, etc).

SgtCoDFish avatar Jul 17 '24 12:07 SgtCoDFish
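Two points in this thread are easier to see in code: the check behind the log message earlier in the issue (every PEM block in a bundle must be a CERTIFICATE, so an "RSA PRIVATE KEY" block is rejected outright), and the idea in the last comment that a private key could only enter a bundle if the user also supplied the subject and validity needed to wrap its public half in a self-signed X.509 certificate. The following Go program is an added example written for this page; it is not trust-manager's code, and the function names (ValidateBundle, SelfSignedFromKey, PrivateKeyPEM), the key size and the "example-internal-root" common name are assumptions chosen for the demonstration. The private key it rejects is generated in-process, so nothing secret leaves the program.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateBundle mirrors the check behind the error quoted in the issue:
// every PEM block in a trust bundle must be of type CERTIFICATE and must
// parse as X.509. Any other block type (for example "RSA PRIVATE KEY") is
// rejected, so secret material can never be mirrored by accident.
func ValidateBundle(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no further PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("invalid PEM block in bundle: only CERTIFICATE blocks are permitted but found %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("invalid PEM certificate: %w", err)
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found in bundle")
	}
	return certs, nil
}

// SelfSignedFromKey is the hypothetical feature sketched in the last comment:
// wrap the public half of a private key in a self-signed X.509 certificate so
// it can live in an ordinary bundle. The caller must supply the subject and
// the validity period, because the key alone carries neither.
func SelfSignedFromKey(key *rsa.PrivateKey, commonName string, validFor time.Duration) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// PrivateKeyPEM encodes the key the way the issue's example does (PKCS#1,
// "RSA PRIVATE KEY"), i.e. exactly the block trust-manager rejects.
func PrivateKeyPEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

func main() {
	// Constructed input: a throwaway key generated for this run only.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Pointing a bundle at the private key itself fails, as in the issue.
	if _, err := ValidateBundle(PrivateKeyPEM(key)); err != nil {
		fmt.Println("rejected:", err)
	}
	// Wrapping the public half in a self-signed certificate makes it a valid source.
	certPEM, err := SelfSignedFromKey(key, "example-internal-root", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	certs, err := ValidateBundle(certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted %d certificate(s); subject=%s\n", len(certs), certs[0].Subject.CommonName)
}
```

The validation loop stops at the first non-CERTIFICATE block rather than silently skipping it, which is the behaviour the log line in the issue reflects; a bundle that is mostly certificates but contains one stray key block is still rejected as a whole. The self-signed path shows why the maintainers call the idea out of scope: subject, duration and key usage all have to come from the user, none of them can be derived from the key.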