Skip to content

feat: hardware key service#53435

Closed
Joerger wants to merge 18 commits intomasterfrom
joerger/hardware-key-service
Closed

feat: hardware key service#53435
Joerger wants to merge 18 commits intomasterfrom
joerger/hardware-key-service

Conversation

@Joerger
Copy link
Copy Markdown
Contributor

@Joerger Joerger commented Mar 26, 2025
edited
Loading

Part of RFD 199

Structural changes:

  • Add the hardwarekey package with a new hardware key Service interface
    • The hardware key service is held by the client store and passed during key parsing, rather than having the parsing logic default to the direct PIV implementation.
    • Also moved attestation, hardware key prompt, and other strictly hardware key related code to this package
    • In a follow up PR, I'll add the agent implementation
  • Add the piv package, which provides the PIV implementation of ^
    • This was moved over from the previous yubikey.go direct implementation to fit into the service interface without any major changes, outside of those noted below.
  • Add hardwarekey.PrivateKey implementation of crypto.Signer. This is essentially a generalized version of the previous YubiKeyPrivateKey struct.

Functional changes:

  • Enrich the PEM encoded hardware private key file.
  • Add ctx to hardwarekey.Service to be used as the default context during signatures, since the crypto.Signer interface does not support ctx directly.
  • Replace global YubiKeyPrivateKey cache with a global YubiKey cache, which supports proper cross-cluster connection caching for Connect
  • Only attest the key when needed (at login) to improve performance. This shaves off ~500ms for each non-login command

Minor changes:

  • Add tests
  • Remove keys.HardwareSigner interface in favor of hardware.PrivateKey
  • Tidy up PIV slot handling with the PIVSlotKey and PIVSlotKeyString types

Follow ups (TODO comments):

  • Initialize client store and hardware key service at the start of tsh, tctl, and tshd, so that PIV connectionsand prompts can be shared (and without global caches/mutexes). Note that sharing the PIN caching will take place within the prompt, so sharing the prompt across the process will be necessary.
  • feat: Hardware Key Agent - set hardware key service in client store #53563
  • Remove rootClusterURI dependency from daemon service prompt, instead supplying this to the prompt from the key store (which has proxy/cluster/username known in the keyring index).

Note that the last couple commits were reverting the follow ups ^ in order to reduce the size of this PR.

@Joerger Joerger mentioned this pull request Mar 26, 2025
Closed
@Joerger Joerger force-pushed the joerger/hardware-key-service branch from f4eef27 to e53e243 Compare March 28, 2025 18:24
Joerger added 9 commits March 28, 2025 11:47
@Joerger
* Add HardwareKeyService interface and HardwarePrivateKey implementation
4779b47 
* Replace CustomHardwareKeyPrompt in ParsePrivateKeyOpts with HardwareKeyService
* Export CLIPrompt
@Joerger
Propogate hardware key service through client store; Remove custom ha…
66eab80 
…rdware key prompt in favor in favor of hardware key service with prompt field.
@Joerger
Add key info to HardwareKeyPrompt args instead of setting it in the p…
7a21dc3 
…rompt itself.
@Joerger
Shift piv implementation into YubiKeyPIVService, with notable alterat…
1b8d036 
…ions noted below:

* Replace global *YubiKeyPrivateKey cache with a global *YubiKey cache, which supports proper cross-cluster connection caching for Connect

* Replace HardwareSigner interface with HardwarePrivateKey, since the service within the key is now the interface

* Add context to signatures through the context passed to the hardware key service

* Only attest the key when needed (login) to avoid its performance cost
@Joerger
Add hardwarekey and piv packages.
2a36bb6
@Joerger
Cleanup.
8d7c4d8
@Joerger
Query hardware key for missing login key ref details.
72de3a1
@Joerger
Cleanup piv slot constants; Combine NewPrivateKey and NewSoftwarePriv…
596ef2b 
…ateKey; Add tests for marshaling/parsing hardware private keys and hardware key methods.
@Joerger
Cleanup.
c2aae79
@Joerger Joerger force-pushed the joerger/hardware-key-service branch 3 times, most recently from 4aacc7a to e3a0d9c Compare March 28, 2025 21:22
@Joerger Joerger marked this pull request as ready for review March 28, 2025 21:27
@github-actions github-actions Bot requested review from Tener and timothyb89 March 28, 2025 21:28
@github-actions github-actions Bot added size/lg tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Mar 28, 2025
@Joerger Joerger force-pushed the joerger/hardware-key-service branch from e3a0d9c to 6bb5317 Compare March 28, 2025 21:37
@Joerger Joerger added the no-changelog Indicates that a PR does not require a changelog entry label Mar 28, 2025
@Joerger Joerger mentioned this pull request Mar 28, 2025
Merged
@Joerger Joerger force-pushed the joerger/hardware-key-service branch from 6bb5317 to 596bac7 Compare March 28, 2025 23:55
@Joerger Joerger force-pushed the joerger/hardware-key-service branch from 596bac7 to 0552e33 Compare March 29, 2025 00:30
Joerger
Joerger commented Mar 31, 2025
View reviewed changes
Comment thread api/utils/keys/hardwarekey/attestation.go

attestationv1 "github.com/gravitational/teleport/api/gen/proto/go/attestation/v1"
)

Copy link
Copy Markdown
Contributor Author

@Joerger Joerger Mar 31, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file was moved from hardwaresigner.go, no changes.

Comment thread api/utils/keys/policy.go
return privateKeyPolicyErrRegex.MatchString(err.Error())
}

// AttestationData is attested information about the hardware private key matching the public key.
Copy link
Copy Markdown
Contributor Author

@Joerger Joerger Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved from hardwaresigner.go. Due to PrivateKeyPolicy dependency, it can't go in hardwarekey/attestation.go. We could consider moving PrivateKeyPolicy to the hardwarekey package in a follow up, 👍 if you'd like me to do that.

@Joerger Joerger mentioned this pull request Mar 31, 2025
Merged
@Joerger Joerger force-pushed the joerger/hardware-key-service branch from 5c23246 to 7fe86f4 Compare March 31, 2025 22:59
@Joerger
Copy link
Copy Markdown
Contributor Author

Joerger commented Apr 1, 2025

@Tener @timothyb89 Friendly ping to review, tests should be passing now.

@Joerger Joerger force-pushed the joerger/hardware-key-service branch from ef7b2ff to d14db39 Compare April 2, 2025 00:39
@Joerger Joerger force-pushed the joerger/hardware-key-service branch from d14db39 to cfcb9fb Compare April 2, 2025 01:03
@Tener
Copy link
Copy Markdown
Contributor

Tener commented Apr 2, 2025
edited
Loading

@Joerger sorry, I was travelling now is the first time I can take a look at this PR. Just looking at the description I feel it would make sense to split this PR to a bunch of smaller PRs to make the review easier and more focused. Let me know if this is makes sense; if not I can try to review this PR as is, but I feel it will actually make the overall review longer.

@Joerger Joerger mentioned this pull request Apr 2, 2025
Merged
@Joerger
Copy link
Copy Markdown
Contributor Author

Joerger commented Apr 2, 2025

@Joerger sorry, I was travelling now is the first time I can take a look at this PR. Just looking at the description I feel it would make sense to split this PR to a bunch of smaller PRs to make the review easier and more focused. Let me know if this is makes sense; if not I can try to review this PR as is, but I feel it will actually make the overall review longer.

Fair enough. A lot of the changes are interconnected, but I'll give a shot at splitting the change out further.

@Joerger Joerger closed this Apr 2, 2025
@Joerger Joerger mentioned this pull request Apr 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tener Tener Awaiting requested review from Tener

@timothyb89 timothyb89 Awaiting requested review from timothyb89

Assignees

No one assigned

Labels

no-changelog Indicates that a PR does not require a changelog entry size/lg tsh tsh - Teleport's command line tool for logging into nodes running Teleport.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Joerger @Tener