Use separate keys for payload mechanism and mTLS #1129
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report❌ Patch coverage is
Additional details and impacted files
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
ansasaki
added a commit
to ansasaki/keylime-tests
that referenced
this pull request
Sep 22, 2025
Previously, the agent supported only RSA key/certificate as the mTLS key because it was also used to encrypt data in the secure payload mechanism. With keylime/rust-keylime#1129, the agent is now able to use different algorithms for mTLS. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
ansasaki
added a commit
to ansasaki/keylime-tests
that referenced
this pull request
Sep 22, 2025
Previously, the agent supported only RSA key/certificate as the mTLS key because it was also used to encrypt data in the secure payload mechanism. With keylime/rust-keylime#1129, the agent is now able to use different algorithms for mTLS. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
sarroutbi
reviewed
Sep 22, 2025
sarroutbi
reviewed
Sep 22, 2025
sarroutbi
reviewed
Sep 22, 2025
Contributor
sarroutbi
left a comment
sarroutbi
left a comment
There was a problem hiding this comment.
Changes LGTM. Just a pair of naming and comments improvements
This allows algorithms other than RSA to be used for mTLS. The payload encryption mechanism requires an RSA key pair, so always generate an RSA key for the payload mechanism. This renames the 'nk_pub' and 'nk_priv' respectively as 'mtls_pub' and 'mtls_priv' when they are used for mTLS. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Contributor
Author
|
I proposed an update to the test suite via RedHat-SP-Security/keylime-tests#900 |
sarroutbi
approved these changes
Sep 23, 2025
Contributor
sarroutbi
left a comment
sarroutbi
left a comment
There was a problem hiding this comment.
Thanks for the changes regarding naming. Rest of changes LGTM
ansasaki
added a commit
to ansasaki/keylime-tests
that referenced
this pull request
Sep 25, 2025
Previously, the agent supported only RSA key/certificate as the mTLS key because it was also used to encrypt data in the secure payload mechanism. With keylime/rust-keylime#1129, the agent is now able to use different algorithms for mTLS. When testing PQC algorithms, set ECDSA keys for the agent due to https://issues.redhat.com/browse/RHEL-117439. Once this is fixed, the special treatment for the agent mTLS should be removed. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
ansasaki
added a commit
to ansasaki/keylime-tests
that referenced
this pull request
Sep 25, 2025
Previously, the agent supported only RSA key/certificate as the mTLS key because it was also used to encrypt data in the secure payload mechanism. With keylime/rust-keylime#1129, the agent is now able to use different algorithms for mTLS. When testing PQC algorithms, set ECDSA keys for the agent due to https://issues.redhat.com/browse/RHEL-117439. Once this is fixed, the special treatment for the agent mTLS should be removed. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
ansasaki
added a commit
to ansasaki/keylime-tests
that referenced
this pull request
Sep 25, 2025
Previously, the agent supported only RSA key/certificate as the mTLS key because it was also used to encrypt data in the secure payload mechanism. With keylime/rust-keylime#1129, the agent is now able to use different algorithms for mTLS. When testing PQC algorithms, set ECDSA keys for the agent due to https://issues.redhat.com/browse/RHEL-117439. Once this is fixed, the special treatment for the agent mTLS should be removed. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
kkaarreell
pushed a commit
to RedHat-SP-Security/keylime-tests
that referenced
this pull request
Oct 3, 2025
Previously, the agent supported only RSA key/certificate as the mTLS key because it was also used to encrypt data in the secure payload mechanism. With keylime/rust-keylime#1129, the agent is now able to use different algorithms for mTLS. When testing PQC algorithms, set ECDSA keys for the agent due to https://issues.redhat.com/browse/RHEL-117439. Once this is fixed, the special treatment for the agent mTLS should be removed. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This allows other algorithms to be used for mTLS.
The payload encryption mechanism requires an RSA key pair, so always generate an RSA key for the payload mechanism.
Fixes #1126