-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: support ssl key-encrypt-salt rotation #7925
feat: support ssl key-encrypt-salt rotation #7925
Conversation
key_encrypt_salt: edd1c9f0985e76a2 # If not set, will save origin ssl key into etcd. | ||
# If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC | ||
# !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! | ||
key_encrypt_salt: # If not set, will save origin ssl key into etcd. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a breaking change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's backward compatible, we could use 2 ways at the same time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have test case about this case
apisix/ssl.lua
Outdated
local aes_with_iv = assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv = iv})) | ||
core.table.insert(_aes_128_cbc_with_iv_tbl, aes_with_iv) | ||
else | ||
core.log.error("the key_encrypt_salt does not meet the " |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can use ,
instead of ..
as separator
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
apisix/ssl.lua
Outdated
if not decrypted then | ||
core.log.error("decrypt ssl key failed. key[", key, "] ") | ||
local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv() | ||
if core.table.isempty(aes_128_cbc_with_iv_tbl) then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use #
would be better as the table must be array
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
t/admin/ssl4.t
Outdated
ngx.say(body) | ||
} | ||
} | ||
--- request |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's move the common part to the top like other test files
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
apisix/ssl.lua
Outdated
|
||
if type_ivs == "table" then | ||
for index, iv in ipairs(ivs) do | ||
if type(iv) == "string" and #iv == 16 then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better to check this via schema in https://github.com/apache/apisix/blob/master/apisix/cli/schema.lua
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
key_encrypt_salt: # If not set, will save origin ssl key into etcd. | ||
- edd1c9f0985e76a2 # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC | ||
# !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! | ||
# Only use the first key to encrypt, and decrypt in the order of the array. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment is not accurate to describe the field, since the comment says it "must be a string of length 16".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment is still wrong.
The key_encrypt_salt
should either be a string whose size is 16
or an array whose elements are string, and the size is also 16
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we only recommend using array?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm updating this to a hexadecimal string of length 16
. It's technically a 8 byte value in hex representation. Size isn't accurate.
apisix/cli/schema.lua
Outdated
key_encrypt_salt = { | ||
anyOf = { | ||
{ | ||
type = "array", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's add length check for the array
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minItems = 1? why need this check?
apisix/cli/schema.lua
Outdated
maxLength = 16 | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why add an extra blank line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
apisix/ssl.lua
Outdated
local aes_with_iv = assert(aes:new(iv, nil, aes.cipher(128, "cbc"), {iv = iv})) | ||
core.table.insert(_aes_128_cbc_with_iv_tbl, aes_with_iv) | ||
end | ||
elseif type_ivs == "string" and #ivs == 16 then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can remove the #ivs == 16
check as we already checked it in the schema.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
node_listen: 1984 | ||
ssl: | ||
key_encrypt_salt: "edd1c9f0985e76a1" | ||
--- response_body eval |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The judgment of the response body does not seem necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a double check, i prefer to leave it there
t/admin/ssl4.t
Outdated
while true do | ||
local line, err = sock:receive() | ||
if not line then | ||
-- ngx.say("failed to receive response status line: ", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove redundant comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
}, | ||
key_encrypt_salt = { | ||
anyOf = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know anyOf
can satisfy the schema check but it should be oneOf
in this scene?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But this is the conventional way in APISIX, it's used everywhere, so i think i should follow this.
key_encrypt_salt: # If not set, will save origin ssl key into etcd. | ||
- edd1c9f0985e76a2 # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC | ||
# !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! | ||
# Only use the first key to encrypt, and decrypt in the order of the array. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment is still wrong.
The key_encrypt_salt
should either be a string whose size is 16
or an array whose elements are string, and the size is also 16
.
apisix/ssl.lua
Outdated
@@ -55,23 +56,32 @@ function _M.server_name() | |||
end | |||
|
|||
|
|||
local _aes_128_cbc_with_iv = false | |||
local _aes_128_cbc_with_iv_tbl = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better to avoid using boolean value as the default value of a table?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
…nkeyDluffy6017/apisix into support-ssl-key-encrypt-salt-rotation
Description
Currently, the key_encryption_salt cannot be changed once users use it to encrypt the private key, otherwise, Apache APISIX cannot decrypt the private key correctly. This may become a pain point when the user leaks the salt.
As a user, I can configure multiple key_encryption_salt for Apache APISIX, and Apache APISIX will use them to decrypt private keys in turn
Checklist