
CryptoKeyVersion resource names (CKA_IDs) longer than 100 characters are rejected by OpenSSL #35

Open
richardkazuomiller opened this issue Jul 29, 2024 · 3 comments
Labels
known issue Known issues or intended limitations

Comments

@richardkazuomiller

I ran into the 100 character limit while trying to set up support for key rotation in my project and banged my head against the wall before finding the reason in the documentation. My understanding is that it looks like the underlying cause is in the libp11 library, but it's not entirely clear what is going on and there hasn't been any movement on getting it fixed.

Is there any chance this could be solved in this library somehow? Maybe by using a cryptoKey instead of a keyring as the slot or something.

In the short term I think I will need to create a new key with a shorter name to meet deadlines but I think anything that GCP supports should also be supported in this library one way or another.

@tdbhacks (Member)

I see you have already commented on OpenSC/libp11#531; that's the issue I was going to point out, because I believe the root cause is upstream. I've asked the maintainers to confirm this though, just in case I missed something in our own implementation; see my latest comment.

I definitely share the sentiment that this is annoying, but I wouldn't want to do a significant library redesign / behavior shift because of this issue alone, given the easy workaround. I appreciate your help in trying to push for this to be addressed in the open libp11 issue! In the meantime, I'll keep this open so that other people might be able to find out about this known issue more quickly.

@tdbhacks tdbhacks changed the title Any chance of a solution to the 100 character ID limit? [KI] CryptoKeyVersion resource names (CKA_IDs) longer than 100 characters are rejected by OpenSSL Jul 29, 2024
@tdbhacks tdbhacks added the known issue Known issues or intended limitations label Jul 29, 2024
@tdbhacks tdbhacks changed the title [KI] CryptoKeyVersion resource names (CKA_IDs) longer than 100 characters are rejected by OpenSSL CryptoKeyVersion resource names (CKA_IDs) longer than 100 characters are rejected by OpenSSL Jul 29, 2024
@richardkazuomiller (Author)

I agree that the workaround is relatively easy if you know about it from the start, but if someone creates a key version with a too-long name and finds out about this after they start the process of rotating their key, like I did, they will be in a situation where the key they already started using can no longer be used. I caught this in my dev environment, but I didn't check the length of the key version that was already used to sign software that we delivered, so we might already be in a situation where using multiple key versions isn't possible.
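
The scenario above (a resource name that only becomes a problem once rotation starts) and the 100-character limit described in the opening post can be checked before any version is put into use. The following is an added example; it is not code from this issue or from the kms-integrations library. It assumes the standard Cloud KMS CryptoKeyVersion resource-name layout (`projects/.../locations/.../keyRings/.../cryptoKeys/.../cryptoKeyVersions/...`), takes the 100-character limit from the issue, and uses constructed sample project, key ring and key ids. Because version ids are integers that gain a digit at version 10, 100 and so on, it also reports the first version at which a name that currently fits would stop fitting.

```python
from typing import Optional

# Added example, not code from this issue or from the kms-integrations project.
# Builds the Cloud KMS CryptoKeyVersion resource name (the string the PKCS#11
# library exposes to OpenSSL as the CKA_ID) and checks it against the
# 100-character limit reported in the issue, so a rotation plan can be
# validated before the first version is ever used for signing.

CKA_ID_LIMIT = 100  # limit reported in the issue (enforced by libp11/OpenSSL)

# Standard Cloud KMS resource-name layout for a CryptoKeyVersion.
_TEMPLATE = ("projects/{project}/locations/{location}/keyRings/{key_ring}"
             "/cryptoKeys/{key}/cryptoKeyVersions/{version}")


def version_resource_name(project: str, location: str, key_ring: str,
                          key: str, version) -> str:
    """Return the full CryptoKeyVersion resource name (the CKA_ID)."""
    return _TEMPLATE.format(project=project, location=location,
                            key_ring=key_ring, key=key, version=version)


def fits_cka_id(name: str) -> bool:
    """True if the name is within the CKA_ID limit OpenSSL/libp11 accept."""
    return len(name) <= CKA_ID_LIMIT


def first_failing_version(project: str, location: str, key_ring: str,
                          key: str, max_digits: int = 9) -> Optional[int]:
    """Smallest version number whose resource name exceeds the limit.

    Version ids grow as the key is rotated: a name that fits for versions
    1-9 gains a character at version 10, another at 100, and so on.
    Returns None if every version below 10**max_digits fits.
    """
    for digits in range(1, max_digits + 1):
        version = 10 ** (digits - 1)  # first version id with this many digits
        name = version_resource_name(project, location, key_ring, key, version)
        if not fits_cka_id(name):
            return version
    return None


def max_key_id_length(project: str, location: str, key_ring: str,
                      version_digits: int = 2) -> int:
    """Longest CryptoKey id that keeps every version with up to
    `version_digits` digits within the limit.  A negative result means the
    project/location/key-ring part alone is already too long."""
    scaffold = version_resource_name(project, location, key_ring, "",
                                     "9" * version_digits)
    return CKA_ID_LIMIT - len(scaffold)


if __name__ == "__main__":
    # Constructed sample values; they are not taken from the issue.
    project, location, key_ring, key = ("example-project", "us-east1",
                                        "signing", "relkey01")
    for v in (1, 9, 10):
        name = version_resource_name(project, location, key_ring, key, v)
        print(f"{len(name):3d} {'ok ' if fits_cka_id(name) else 'BAD'} {name}")
    print("first failing version:",
          first_failing_version(project, location, key_ring, key))
    print("max key id length for two-digit versions:",
          max_key_id_length(project, location, key_ring))
```

With the constructed sample, versions 1 through 9 produce exactly 100 characters and pass, while version 10 is 101 characters and is rejected, which is the situation the thread describes: a key that works today and breaks on the first rotation past version 9. Running the check against the project, location and key ring you actually use gives the key-id length budget before a key is created.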

@richardkazuomiller (Author)

I checked when I got to work today and believe it or not, our existing key version name is exactly 101 characters long 😆
