gravitational · awly · Jun 24, 2020 · May 27, 2020 · Jun 4, 2020 · Jun 11, 2020
diff --git a/Makefile b/Makefile
@@ -351,7 +351,10 @@ buildbox:
 # proto generates GRPC defs from service definitions
 .PHONY: grpc
 grpc: buildbox
-	docker run -v $(shell pwd):/go/src/github.com/gravitational/teleport $(BUILDBOX_TAG) make -C /go/src/github.com/gravitational/teleport buildbox-grpc
+	docker run \
+		--rm \
+		-v $(shell pwd):/go/src/github.com/gravitational/teleport $(BUILDBOX_TAG) \
+		make -C /go/src/github.com/gravitational/teleport buildbox-grpc
 
 # proto generates GRPC stuff inside buildbox
 .PHONY: buildbox-grpc

diff --git a/integration/helpers.go b/integration/helpers.go
@@ -187,6 +187,7 @@ func NewInstance(cfg InstanceConfig) *TeleInstance {
 
 	cert, err := keygen.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: cfg.Priv,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       cfg.Pub,
 		HostID:              cfg.HostID,
 		NodeName:            cfg.NodeName,
@@ -255,11 +256,25 @@ func (s *InstanceSecrets) GetRoles() []services.Role {
 // case we always return hard-coded userCA + hostCA (and they share keys
 // for simplicity)
 func (s *InstanceSecrets) GetCAs() []services.CertAuthority {
-	hostCA := services.NewCertAuthority(services.HostCA, s.SiteName, [][]byte{s.PrivKey}, [][]byte{s.PubKey}, []string{})
+	hostCA := services.NewCertAuthority(
+		services.HostCA,
+		s.SiteName,
+		[][]byte{s.PrivKey},
+		[][]byte{s.PubKey},
+		[]string{},
+		services.CertAuthoritySpecV2_RSA_SHA2_512,
+	)
 	hostCA.SetTLSKeyPairs([]services.TLSKeyPair{{Cert: s.TLSCACert, Key: s.PrivKey}})
 	return []services.CertAuthority{
 		hostCA,
-		services.NewCertAuthority(services.UserCA, s.SiteName, [][]byte{s.PrivKey}, [][]byte{s.PubKey}, []string{services.RoleNameForCertAuthority(s.SiteName)}),
+		services.NewCertAuthority(
+			services.UserCA,
+			s.SiteName,
+			[][]byte{s.PrivKey},
+			[][]byte{s.PubKey},
+			[]string{services.RoleNameForCertAuthority(s.SiteName)},
+			services.CertAuthoritySpecV2_RSA_SHA2_512,
+		),
 	}
 }
 

diff --git a/integration/integration_test.go b/integration/integration_test.go
@@ -3442,6 +3442,153 @@ func (s *IntSuite) TestRotateTrustedClusters(c *check.C) {
 	}
 }
 
+// TestRotateChangeSigningAlg tests the change of CA signing algorithm on
+// manual rotation.
+func (s *IntSuite) TestRotateChangeSigningAlg(c *check.C) {
+	// Start with an instance using default signing alg.
+	tconf := rotationConfig(true)
+	t := NewInstance(InstanceConfig{ClusterName: Site, HostID: HostID, NodeName: Host, Ports: s.getPorts(5), Priv: s.priv, Pub: s.pub})
+	logins := []string{s.me.Username}
+	for _, login := range logins {
+		t.AddUser(login, []string{login})
+	}
+	config, err := t.GenerateConfig(nil, tconf)
+	c.Assert(err, check.IsNil)
+
+	serviceC := make(chan *service.TeleportProcess, 20)
+	runErrCh := make(chan error, 1)
+
+	restart := func(svc *service.TeleportProcess, cancel func()) (*service.TeleportProcess, func()) {
+		if svc != nil && cancel != nil {
+			// shut down the service
+			cancel()
+			// close the service without waiting for the connections to drain
+			err := svc.Close()
+			c.Assert(err, check.IsNil)
+			err = svc.Wait()
+			c.Assert(err, check.IsNil)
+
+			select {
+			case err := <-runErrCh:
+				c.Assert(err, check.IsNil)
+			case <-time.After(20 * time.Second):
+				c.Fatalf("failed to shut down the server")
+			}
+		}
+
+		ctx, cancel := context.WithCancel(context.Background())
+		go func() {
+			runErrCh <- service.Run(ctx, *config, func(cfg *service.Config) (service.Process, error) {
+				svc, err := service.NewTeleport(cfg)
+				if err == nil {
+					serviceC <- svc
+				}
+				return svc, err
+			})
+		}()
+
+		svc, err = waitForProcessStart(serviceC)
+		c.Assert(err, check.IsNil)
+		return svc, cancel
+	}
+
+	assertSigningAlg := func(svc *service.TeleportProcess, alg string) {
+		hostCA, err := svc.GetAuthServer().GetCertAuthority(services.CertAuthID{Type: services.HostCA, DomainName: Site}, false)
+		c.Assert(err, check.IsNil)
+		c.Assert(hostCA.GetSigningAlg(), check.Equals, alg)
+
+		userCA, err := svc.GetAuthServer().GetCertAuthority(services.CertAuthID{Type: services.UserCA, DomainName: Site}, false)
+		c.Assert(err, check.IsNil)
+		c.Assert(userCA.GetSigningAlg(), check.Equals, alg)
+	}
+
+	rotate := func(svc *service.TeleportProcess, mode string) *service.TeleportProcess {
+		c.Logf("rotation phase: %q", services.RotationPhaseInit)
+		err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{
+			TargetPhase: services.RotationPhaseInit,
+			Mode:        mode,
+		})
+		c.Assert(err, check.IsNil)
+
+		// wait until service phase update to be broadcasted (init phase does not trigger reload)
+		err = waitForProcessEvent(svc, service.TeleportPhaseChangeEvent, 10*time.Second)
+		c.Assert(err, check.IsNil)
+
+		c.Logf("rotation phase: %q", services.RotationPhaseUpdateClients)
+		err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{
+			TargetPhase: services.RotationPhaseUpdateClients,
+			Mode:        mode,
+		})
+		c.Assert(err, check.IsNil)
+
+		// wait until service reload
+		svc, err = waitForReload(serviceC, svc)
+		c.Assert(err, check.IsNil)
+
+		c.Logf("rotation phase: %q", services.RotationPhaseUpdateServers)
+		err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{
+			TargetPhase: services.RotationPhaseUpdateServers,
+			Mode:        mode,
+		})
+		c.Assert(err, check.IsNil)
+
+		// wait until service reloaded
+		svc, err = waitForReload(serviceC, svc)
+		c.Assert(err, check.IsNil)
+
+		c.Logf("rotation phase: %q", services.RotationPhaseStandby)
+		err = svc.GetAuthServer().RotateCertAuthority(auth.RotateRequest{
+			TargetPhase: services.RotationPhaseStandby,
+			Mode:        mode,
+		})
+		c.Assert(err, check.IsNil)
+
+		// wait until service reloaded
+		svc, err = waitForReload(serviceC, svc)
+		c.Assert(err, check.IsNil)
+
+		return svc
+	}
+
+	// Start the instance.
+	svc, cancel := restart(nil, nil)
+
+	c.Log("default signature algorithm due to empty config value")
+	// Verify the default signing algorithm with config value empty.
+	assertSigningAlg(svc, defaults.CASignatureAlgorithm)
+
+	c.Log("change signature algorithm with custom config value and manual rotation")
+	// Change the signing algorithm in config file.
+	signingAlg := ssh.SigAlgoRSA
+	config.CASignatureAlgorithm = &signingAlg
+	svc, cancel = restart(svc, cancel)
+	// Do a manual rotation - this should change the signing algorithm.
+	svc = rotate(svc, services.RotationModeManual)
+	assertSigningAlg(svc, ssh.SigAlgoRSA)
+
+	c.Log("preserve signature algorithm with empty config value and manual rotation")
+	// Unset the config value.
+	config.CASignatureAlgorithm = nil
+	svc, cancel = restart(svc, cancel)
+
+	// Do a manual rotation - this should leave the signing algorithm
+	// unaffected because config value is not set.
+	svc = rotate(svc, services.RotationModeManual)
+	assertSigningAlg(svc, ssh.SigAlgoRSA)
+
+	// shut down the service
+	cancel()
+	// close the service without waiting for the connections to drain
+	svc.Close()
+
+	select {
+	case err := <-runErrCh:
+		c.Assert(err, check.IsNil)
+	case <-time.After(20 * time.Second):
+		c.Fatalf("failed to shut down the server")
+	}
+}
+
 // rotationConfig sets up default config used for CA rotation tests
 func rotationConfig(disableWebService bool) *service.Config {
 	tconf := service.MakeDefaultConfig()

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -106,6 +106,7 @@ func NewAuthServer(cfg *InitConfig, opts ...AuthServerOption) (*AuthServer, erro
 		oidcClients:     make(map[string]*oidcClient),
 		samlProviders:   make(map[string]*samlProvider),
 		githubClients:   make(map[string]*githubClient),
+		caSigningAlg:    cfg.CASigningAlg,
 		cancelFunc:      cancelFunc,
 		closeCtx:        closeCtx,
 		AuthServices: AuthServices{
@@ -207,6 +208,9 @@ type AuthServer struct {
 	// cipherSuites is a list of ciphersuites that the auth server supports.
 	cipherSuites []uint16
 
+	// caSigningAlg is an SSH signing algorithm to use when generating new CAs.
+	caSigningAlg *string
+
 	// cache is a fast cache that allows auth server
 	// to use cache for most frequent operations,
 	// if not set, cache uses itself
@@ -370,6 +374,7 @@ func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName str
 	// create and sign!
 	return s.Authority.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: caPrivateKey,
+		CASigningAlg:        ca.GetSigningAlg(),
 		PublicHostKey:       hostPublicKey,
 		HostID:              hostID,
 		NodeName:            nodeName,
@@ -507,6 +512,7 @@ func (s *AuthServer) generateUserCert(req certRequest) (*certs, error) {
 	}
 	sshCert, err := s.Authority.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   privateKey,
+		CASigningAlg:          ca.GetSigningAlg(),
 		PublicUserKey:         req.publicKey,
 		Username:              req.user.GetName(),
 		AllowedLogins:         allowedLogins,
@@ -1013,6 +1019,7 @@ func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedK
 	// generate hostSSH certificate
 	hostSSHCert, err := s.Authority.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: caPrivateKey,
+		CASigningAlg:        ca.GetSigningAlg(),
 		PublicHostKey:       pubSSHKey,
 		HostID:              req.HostID,
 		NodeName:            req.NodeName,

diff --git a/lib/auth/init.go b/lib/auth/init.go
@@ -138,6 +138,11 @@ type InitConfig struct {
 
 	// CipherSuites is a list of ciphersuites that the auth server supports.
 	CipherSuites []uint16
+
+	// CASigningAlg is a signing algorithm used for SSH (certificate and
+	// handshake) signatures for both host and user CAs. This option only
+	// affects newly-created CAs.
+	CASigningAlg *string
 }
 
 // Init instantiates and configures an instance of AuthServer
@@ -315,6 +320,10 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
+		sigAlg := defaults.CASignatureAlgorithm
+		if cfg.CASigningAlg != nil && *cfg.CASigningAlg != "" {
+			sigAlg = *cfg.CASigningAlg
+		}
 
 		userCA := &services.CertAuthorityV2{
 			Kind:    services.KindCertAuthority,
@@ -327,6 +336,7 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 				ClusterName:  cfg.ClusterName.GetClusterName(),
 				Type:         services.UserCA,
 				SigningKeys:  [][]byte{priv},
+				SigningAlg:   services.ParseSigningAlg(sigAlg),
 				CheckingKeys: [][]byte{pub},
 				TLSKeyPairs:  []services.TLSKeyPair{{Cert: certPEM, Key: keyPEM}},
 			},
@@ -370,6 +380,11 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
+		sigAlg := defaults.CASignatureAlgorithm
+		if cfg.CASigningAlg != nil && *cfg.CASigningAlg != "" {
+			sigAlg = *cfg.CASigningAlg
+		}
+
 		hostCA = &services.CertAuthorityV2{
 			Kind:    services.KindCertAuthority,
 			Version: services.V2,
@@ -381,6 +396,7 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 				ClusterName:  cfg.ClusterName.GetClusterName(),
 				Type:         services.HostCA,
 				SigningKeys:  [][]byte{priv},
+				SigningAlg:   services.ParseSigningAlg(sigAlg),
 				CheckingKeys: [][]byte{pub},
 				TLSKeyPairs:  []services.TLSKeyPair{{Cert: certPEM, Key: keyPEM}},
 			},