MWI: Add new JWT CA for signing bound keypair documents #54822
Merged
timothyb89 merged 3 commits into master on May 15, 2025
Conversation
This adds a new JWT CA for signing JWT documents related to bound keypair joining, particularly the client state document that clients are expected to present back to auth when rejoining.
boxofrad approved these changes on May 15, 2025
greedy52 reviewed on May 15, 2025

Removes `bound_keypair` from the list of exportable CAs in tctl, and switches the `legacy` suite algorithm to ECDSAP256 due to HSM compatibility requirements.
greedy52 approved these changes on May 15, 2025
timothyb89 added a commit that referenced this pull request on Aug 16, 2025:

* MWI: Add new JWT CA for signing bound keypair documents
  This adds a new JWT CA for signing JWT documents related to bound keypair joining, particularly the client state document that clients are expected to present back to auth when rejoining.
* Fix issues from code review
  Removes `bound_keypair` from the list of exportable CAs in tctl, and switches the `legacy` suite algorithm to ECDSAP256 due to HSM compatibility requirements.
* Add note about FIPS/HSM compatibility for CA suites
github-merge-queue bot pushed a commit that referenced this pull request on Aug 28, 2025:

* MWI: Bound Keypair Joining - Minimal Client Implementation (#54372)
  * MWI: Bound Keypair Joining - Minimal Client Implementation
    This contains a minimal client-side implementation of bound keypair joining for `tbot`. This first iteration supports only preregistered keys, and so adds a new `tbot keypair create` subcommand that generates a keypair and prints a public key that can be copied into a token. In an effort to still take advantage of tbot's secure filesystem abstraction and to not permanently tie the new join method to it, this includes a minimal filesystem wrapper to adapt tbot's destinations to a generic file read/write interface.
  * Rebase join client to handle interactive rotation messages
    This updates the client implementation to handle the revised challenge handler signature. Rotation still isn't implemented (see TODOs), but the message handler now explicitly accounts for rotation-type requests from the server.
  * Fix breakage after upstream changes, idempotent key generation
    The `keypair generate` command is now idempotent and will not generate a new keypair if one already exists in the specified destination. Also, added a `--format=json` flag to print the key as machine-readable JSON.
  * Remove unnecessary whitespace
  * Small TODO and doc comment updates
  * Fix lints
  * Mark `keypair create` as a hidden command for now
    This hides it from `tbot help` so we can opt to tweak the CLI contract before fully releasing the feature. It will be unhidden in the near future.
  * Fix typo
* MWI: Add new JWT CA for signing bound keypair documents (#54822)
  * MWI: Add new JWT CA for signing bound keypair documents
    This adds a new JWT CA for signing JWT documents related to bound keypair joining, particularly the client state document that clients are expected to present back to auth when rejoining.
  * Fix issues from code review
    Removes `bound_keypair` from the list of exportable CAs in tctl, and switches the `legacy` suite algorithm to ECDSAP256 due to HSM compatibility requirements.
  * Add note about FIPS/HSM compatibility for CA suites
* MWI: Issue and verify join state documents (#54940)
  * MWI: Issue and verify join state documents
    This adds join state document issuance and verification to the bound keypair joining process. This is described in more detail in the [RFD], but in short, this adds a mechanism similar to the generation counter to verify bound keypair recovery events. Each time a recovery is performed, the join counter (stored in the token's status field) is incremented. This value is embedded in a JWT and signed by Auth, and the result is passed to the client alongside their cert bundle. This document effectively gives clients permission to lock themselves out in the future: if another client attempts to use their credentials, the original client will eventually present an outdated join state document, and trigger a lockout.
    [RFD]: https://github.com/gravitational/teleport/blob/rfd/0205-improved-onprem-joining/rfd/0205-improved-onprem-joining.md
  * Allow selecting all recovery modes
  * Remove TODO and debug log
  * Add tests for join state issuance and verification
  * Add join state tests for RegisterUsingBoundKeypairMethod
    Adds some minor error message and comment fixes caught while writing tests.
  * Fix imports
  * Fix lints
  * Fix failing unit test
  * Add notes about lack of expiry field in join state JWTs
  * Fix missing CAs in tests
  * Fix broken test