NO-JIRA: Add ECDSA P-256 support for certificates and CAs

[fabiendupont]

Extends the crypto package to generate ECDSA P-256 key pairs and certificates in addition to existing RSA support, enabling OpenShift components to use modern elliptic curve cryptography.

Changes

Key generation:

• KeyAlgorithm type for algorithm selection (AlgorithmRSA, AlgorithmECDSA)
• ECDSA P-256 key pair generation with proper SubjectKeyIdentifier hashing (SHA-1 per RFC 5280)
• newKeyPairWithAlgorithm() for unified key generation dispatch

Server certificates:

• CA.MakeServerCertWithAlgorithm() and CA.MakeServerCertForDurationWithAlgorithm()

CA certificates:

• MakeSelfSignedCAConfigForDurationWithAlgorithm() for ECDSA root CAs
• MakeCAConfigForDurationWithAlgorithm() for ECDSA intermediate CAs

Template cleanup:

• Removed hardcoded SignatureAlgorithm: x509.SHA256WithRSA from certificate templates
• x509.CreateCertificate infers the correct algorithm from the signing key (SHA256WithRSA for RSA, ECDSAWithSHA256 for ECDSA P-256)
• This is backward compatible and enables correct cross-algorithm signing (e.g. RSA CA signing ECDSA leaf certs)

All existing APIs remain unchanged — new functionality is opt-in through *WithAlgorithm variants.

Test coverage

• Key generation, signature algorithm detection, and ECDSA PEM encoding
• Server certs: RSA CA + ECDSA leaf, ECDSA CA + RSA leaf, ECDSA CA + ECDSA leaf
• MakeServerCertForDurationWithAlgorithm (production code path from certrotation/target.go)
• Self-signed ECDSA CAs and mixed-algorithm intermediate CA chains
• Backwards compatibility: all existing RSA tests pass unchanged

[openshift-ci-robot]

@fabiendupont: This pull request explicitly references no jira issue.

Details

In response to this:

Extends the crypto package to generate ECDSA P-256 key pairs in addition to existing RSA support, enabling OpenShift components to use modern elliptic curve cryptography.

Adds:

• KeyAlgorithm type for algorithm selection (RSA, ECDSA)
• newECDSAKeyPair() and newECDSAKeyPairWithHash() functions using P-256 curve
• newKeyPairWithAlgorithm() for unified key generation
• signatureAlgorithmForKey() for automatic algorithm detection
• CA.MakeServerCertWithAlgorithm() and CA.MakeServerCertForDurationWithAlgorithm()

All existing APIs remain unchanged, preserving 100% backwards compatibility. New functionality is opt-in through *WithAlgorithm functions.

ECDSA P-256 provides equivalent security to 3072-bit RSA with smaller keys (~87% smaller), faster operations, and better performance. This prepares OpenShift for modern TLS deployments and aligns with industry best practices.

Test coverage includes:

• Unit tests for key generation, signature algorithm detection, and encoding
• Integration tests for RSA CA + ECDSA server and vice versa
• Backwards compatibility tests verifying existing RSA functionality

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[p0lyn0mial]

Hmm, I might be wrong, but it looks like MakeServerCert and MakeServerCertWithAlgorithm are very similar. There are two differences. The first is the key algorithm, and the second is that MakeServerCertWithAlgorithm sets the signature algorithm.

I’m wondering if it would make sense to create a private common function for both. I think something like the following could work:

func (ca *CA) MakeServerCertWithAlgorithm(hostnames sets.Set[string], lifetime time.Duration, algorithm KeyAlgorithm, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error) {
	sigFn := func(template *x509.Certificate) error {
		template.SignatureAlgorithm = signatureAlgorithmForKey(ca.Config.Key)
		return nil
	}
	fns = append([]CertificateExtensionFunc{sigFn}, fns...)
	return ca.makeServerCertWithAlgorithm(hostnames, lifetime, algorithm, fns...)
}

and

func (ca *CA) MakeServerCert(hostnames sets.Set[string], lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error) {
	return ca.makeServerCertWithAlgorithm(hostnames, lifetime, AlgorithmRSA, fns...)
}

[p0lyn0mial]

Since this is a private method I think we could return an error for unsupported algorithms.

[p0lyn0mial]

am I right that the differences between MakeServerCertForDuration and MakeServerCertForDurationWithAlgorithm mirror those between MakeServerCert and MakeServerCertWithAlgorithm (key algorithm and signature algorithm)? If so, could we refactor them in the same way?

[fabiendupont]

Good feedback. Makes sense.

[fabiendupont]

@p0lyn0mial, I extended the changes to add the ECDSA CA support as well, so we can have a full ECDSA chain.

[p0lyn0mial]

OK. I think that the SignatureAlgorithm will be set by x509.CreateCertificate and our unit tests assert this. Is that correct ?

[fabiendupont]

Yes, that's correct. When SignatureAlgorithm is zero-valued in the template, x509.CreateCertificate infers it from the signing key — SHA256WithRSA for RSA keys, ECDSAWithSHA256 for ECDSA P-256 keys. Our tests assert the resulting SignatureAlgorithm on the generated certs for all combinations (RSA CA + RSA leaf, RSA CA + ECDSA leaf, ECDSA CA + RSA leaf, ECDSA CA + ECDSA leaf).

[p0lyn0mial]

It looks like the error message will take the form of unsupported key algorithm: 2, which isn't meaningful to someone debugging. Is there a way to make it more descriptive ?

[fabiendupont]

Good point. This default branch can only be reached if a new KeyAlgorithm constant is added to the const block (e.g. AlgorithmEd25519) without adding a corresponding case in this switch.

Since newKeyPairWithAlgorithm is private and the callers always pass one of the defined constants, a developer hitting this error would know they forgot to wire up their new algorithm.

I added a comment to clarify that, and kept %d so the numeric value is visible for debugging.

[p0lyn0mial]

I might be wrong but
MakeSelfSignedCAConfigForDurationWithAlgorithm & MakeCAConfigForDurationWithAlgorithm use newSigningCertificateTemplateForDuration which sets

KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,

I found RFC 5480 where Section 3 says:

If the keyUsage extension is present in a Certification Authority
   (CA) certificate that indicates id-ecPublicKey in
   SubjectPublicKeyInfo, then any combination of the following values
   MAY be present:

     digitalSignature;
     nonRepudiation;
     keyAgreement;
     keyCertSign; and
     cRLSign.

which tells me that x509.KeyUsageKeyEncipherment (in newSigningCertificateTemplateForDuration) should not be used for ECDSA only for RSA.

[fabiendupont]

Added a keyUsageForAlgorithm helper that returns:

• RSA: KeyEncipherment | DigitalSignature
• ECDSA: DigitalSignature only

Per RFC 5480 Section 3, KeyEncipherment is not valid for ECDSA keys. The CA, server, and intermediate cert templates now receive the algorithm and set KeyUsage accordingly. Tests assert the correct KeyUsage for both RSA and ECDSA certs.

The public client cert template functions (NewClientCertificateTemplate / NewClientCertificateTemplateForDuration) are unchanged since client cert creation currently always uses RSA.

[p0lyn0mial]

I think the issue described at https://github.com/openshift/library-go/pull/2116/changes#r2826380341 is also applicable to the server, client cert template.

[p0lyn0mial]

Added a few more nits, overall lgtm.

Before merging, should we pull the changes to the service-ca-operator to make sure the backward compatibility path works?

Also, are we planning some e2e tests for the service-ca-operator to cover the new path?

[p0lyn0mial]

nit: could we rename this to baseKeyUsageForAlgorithm (or something similar) to indicate the returned value is a starting point that callers may need to extend?

[fabiendupont]

Done. Renamed to baseKeyUsageForAlgorithm to make it clear the returned value is a starting point that callers extend (e.g. | KeyUsageCertSign for CAs).

[p0lyn0mial]

why not to t.Fatal for unrecognized values?

[fabiendupont]

Done. signatureAlgorithmForKey now takes testing.TB and calls t.Fatalf on unrecognized key types instead of silently defaulting to RSA.

[p0lyn0mial]

nit: this is unreachable code - i think this could be removed.

[fabiendupont]

Unfortunately Go requires it — t.Fatalf does not have a "never returns" type, so the compiler needs a return statement to satisfy the function signature. Added a // unreachable, but required by the compiler comment and moved the t.Fatalf + return outside the switch to make it clearer.

[p0lyn0mial]

mhm, ok, thanks for checking.

[p0lyn0mial]

/lgtm

/hold
putting this on hold until the service-ca-operator PR gets reviewed and we are confident the changes introduced in this PR are the ones we need.

@fabiendupont thanks for the pr and all your work :)

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabiendupont, p0lyn0mial

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [p0lyn0mial]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[benluddy]

This looks reasonable. I spoke with @sanchezl about potential overlap with openshift/enhancements#1882 and I don't think it would be harmful to grow a second way to do this in the future or have to do some refactoring.

[benluddy]

The difference between MakeServerCert[WithAlgorithm] and MakeServerCertForDuration[WithAlgorithm] appears to come down to whether they call newServerCertificateTemplate or newServerCertificateTemplateForDuration, and those two have evolved in a strange way.

The first accepted the lifetime as number of days, applied a default, then converted it to a time.Duration before delegating to the ...ForDuration func. Last year, this was changed so that both accept time.Duration. The remaining differences are (1) the first form applies a default lifetime and (2) has a side effect of writing to stderr.

I think this means that MakeServerCert[WithAlgorithm] will apply a default when the provided lifetime is <= 0, whereas MakeServerCertForDuration[WithAlgorithm] will not. I doubt this difference is obvious to anyone who might be using this package. I agree with what Fabien has done in this PR (i.e., MakeServerCertWithAlgorithm is consistent with MakeServerCert, and MakeServerCertForDuration is consistent with MakeServerCertForDurationWithAlgorithm), but this feels like something we should improve later (cc @p0lyn0mial @sanchezl).

[p0lyn0mial]

sgtm, the distinction is almost invisible.

[fabiendupont]

Done. Consolidated the two paths:

• Removed makeServerCertForDuration — MakeServerCertForDuration and MakeServerCertForDurationWithAlgorithm now delegate to makeServerCert.
• Removed the newServerCertificateTemplate lifetime-defaulting wrapper — newServerCertificateTemplateForDuration is now the sole newServerCertificateTemplate.
• Updated TestValidityPeriodOfServerCertificate to remove the test cases for 0 and negative lifetime that relied on the removed defaulting behavior.

[benluddy]

Instead of making the function variadic with a default (and tossing all but the first KeyAlgorithm), can we make the KeyAlgorithm a normal parameter and update the callers to always provide a value?

[fabiendupont]

Done. newSigningCertificateTemplate now takes algorithm KeyAlgorithm as a required parameter. All callers updated to explicitly pass AlgorithmRSA (or tt.caAlgorithm for the mixed test).

[benluddy]

Would https://pkg.go.dev/crypto/ecdsa#PublicKey.Equal be suitable for this test?

[fabiendupont]

Done. Replaced the manual X.Cmp/Y.Cmp checks with publicKey.Equal(&privateKey.PublicKey).

[hasbro17]

Not a review, just a note for the PKI feature team that will refactor this down the line openshift/enhancements#1882

Support RSA (with configurable key sizes: 2048, 3072, 4096) and ECDSA (with configurable curves: P-256, P-384, P-521) algorithms in the initial implementation

/cc @rh-roman @sanchezl We'll have to thread the key size here and for newKeyPairWithHash() for the RSA case.

library-go/pkg/crypto/crypto.go

Line 1005 in 5d9eb62

func newKeyPairWithHash() (crypto.PublicKey, crypto.PrivateKey, []byte, error) {

And through newKeyPairWithAlgorithm() as well.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@fabiendupont: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.