
public_key_fingerprint_x509_sha256

Open alanraison opened this issue 2 years ago • 5 comments

Resolves #202

I am a little concerned with the long name of this property, though it fits in with the other property names, and also whether the name is accurate.

I believe this is a good location for this fingerprint, rather than in a separate provider, since the key material is already available.

alanraison, May 04 '22 21:05

CLA assistant check
All committers have signed the CLA.

hashicorp-cla, May 04 '22 21:05

Hello and thanks for providing this.

Before I proceed further, I have to ask: why is this property https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key#public_key_fingerprint_sha256 not enough for your purpose?

For clarity, the public_key_fingerprint_sha256 is nothing more than the value returned by https://pkg.go.dev/golang.org/x/crypto/ssh#FingerprintSHA256, that is very very close to your implementation if you look at the code.

detro, May 06 '22 12:05

Hi there @detro. Unfortunately the ssh-format hash is not the same as the one used by Kubernetes to calculate the Key Id during OIDC authentication. I am trying to use a tls_private_key to populate a JWKS key set for my cluster, so the hash algorithm has to match.

I have to agree that it doesn't feel quite right to have arbitrary hash methods in this resource, and I can't find any evidence that the Kubernetes method is at all standard (other than by using similarly available Go crypto functions), so if you have any suggestions about where else this could live I'd be happy to consider it.

alanraison, May 07 '22 06:05

One potential way to address the issue here from what I can tell would be to return the base64 encoded value of the DER encoding. From there, Terraform would be able to base64 decode the value, sha256sum it, and base64 encode it back using built-in functions.

Providing only the base64 encoded DER value is arguably more flexible for future use cases.

For context, I'm trying to solve the same problem as @alanraison.

thefirstofthe300, Jul 05 '22 22:07

I don't think providing the base64 of the DER would be enough, since when you go to base64decode it, it would decode into a Terraform string (UTF-8). Unless Terraform provides a function to sha256 base64-encoded content, it would need to be done in the provider.

ThatsMrTalbot, Feb 13 '23 10:02
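The thread turns on three points: the existing `public_key_fingerprint_sha256` hashes the SSH wire encoding of the key (detro's comment), the JWKS key id needs a SHA-256 over the DER-encoded SubjectPublicKeyInfo instead (alanraison's comment), and a base64 DER blob cannot be round-tripped through Terraform's string-typed `base64decode` (ThatsMrTalbot's comment). The Go program below is an added example written for this summary; it is not code from the provider, the PR, or Kubernetes. It reimplements the SSH fingerprint with the standard library only (so it can be compared byte for byte with the x509 variant without pulling in `golang.org/x/crypto/ssh`), computes the x509 fingerprint over `x509.MarshalPKIXPublicKey` output, and checks whether that DER is valid UTF-8. The `kid` encoding (unpadded base64url of the digest) is an assumption about the Kubernetes derivation, not something the thread states; the RSA key is freshly generated, so the printed values differ on every run.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"unicode/utf8"
)

// appendString appends an SSH "string": uint32 big-endian length, then the bytes.
func appendString(b, s []byte) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	return append(append(b, l[:]...), s...)
}

// mpint encodes a non-negative integer as an SSH mpint: big-endian two's
// complement, with a leading zero byte when the high bit would otherwise be set.
func mpint(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return b
}

// sshWirePublicKey builds the RFC 4253 wire encoding of an RSA public key:
// string "ssh-rsa", mpint e, mpint n. This byte sequence is what
// ssh.FingerprintSHA256 hashes, and therefore what the provider's existing
// public_key_fingerprint_sha256 attribute is derived from.
func sshWirePublicKey(pub *rsa.PublicKey) []byte {
	var out []byte
	out = appendString(out, []byte("ssh-rsa"))
	out = appendString(out, mpint(big.NewInt(int64(pub.E))))
	out = appendString(out, mpint(pub.N))
	return out
}

// SSHFingerprintSHA256 returns "SHA256:" followed by the unpadded standard
// base64 of the SHA-256 digest over the SSH wire encoding.
func SSHFingerprintSHA256(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(sshWirePublicKey(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// X509FingerprintSHA256 hashes the DER SubjectPublicKeyInfo instead, which is
// the input the PR wants a fingerprint over. Assumption (not from the thread):
// the JWKS kid is the unpadded base64url encoding of that digest.
func X509FingerprintSHA256(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// DERIsValidUTF8 reports whether the DER bytes survive as a UTF-8 string.
// Terraform's base64decode produces a string, so a DER blob that is not valid
// UTF-8 cannot be decoded and re-hashed inside Terraform; the hash has to be
// computed where the raw bytes are available, i.e. in the provider.
func DERIsValidUTF8(pub *rsa.PublicKey) (bool, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return false, err
	}
	return utf8.Valid(der), nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	if err != nil {
		panic(err)
	}
	pub := &key.PublicKey
	x509FP, err := X509FingerprintSHA256(pub)
	if err != nil {
		panic(err)
	}
	okUTF8, _ := DERIsValidUTF8(pub)
	fmt.Println("ssh  fingerprint:", SSHFingerprintSHA256(pub))
	fmt.Println("x509 fingerprint:", x509FP)
	fmt.Println("DER is valid UTF-8:", okUTF8)
}
```

Running it shows two different digests for the same key, which is the mismatch alanraison hit: the SSH form prefixes the algorithm name and encodes e and n as mpints, whereas the x509 form hashes an ASN.1 SEQUENCE containing the algorithm identifier and a BIT STRING. The UTF-8 check is the concrete reason the "just expose base64 DER" suggestion does not compose with Terraform's built-in `base64decode` and `sha256` functions.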