Feat/support p384 p521 certs (#12)

Nicopfy · web-flow · commit d276186fa5e2 · 2025-06-19T10:14:09.000+02:00
Co-authored-by: Nicolas Puffay &lt;nicolas.puffay@numberly.com&gt;
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -21,7 +21,7 @@ jobs:
       with:
         go-version: "1.17"
     - run: make build-linux
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       with:
         name: bin
         path: bin/
diff --git a/README.md b/README.md
@@ -139,7 +139,7 @@ Downstream TLS certificates can be dynamically fetched and updated from Kubernet
 
 In this mode, only a single `certificate` may be specified in Yggdrasil configuration. It will be used for hosts with misconfigured or invalid secret.
 
-**Note**: ECDSA >256 keys are not supported by envoy and will be discarded. See https://github.com/envoyproxy/envoy/issues/10855
+**Note**: ECDSA P-256, P-384 and P-521 keys are now supported by envoy (see https://github.com/envoyproxy/envoy/issues/10855)
 
 ## Configuration
 Yggdrasil can be configured using a config file e.g:
diff --git a/pkg/envoy/ingress_translator.go b/pkg/envoy/ingress_translator.go
@@ -338,8 +338,8 @@ func validateTlsSecret(secret *v1.Secret) (bool, error) {
 		return false, nil
 	}
 
-	// discard P-384 EC private keys
-	// see https://github.com/envoyproxy/envoy/issues/10855
+	// discard > P-521 EC private keys
+	// P-256, P-384 & P-521 are now supported (see https://github.com/envoyproxy/envoy/issues/10855)
 	block, _ := pem.Decode(tlsCert)
 	if block == nil {
 		return false, fmt.Errorf("error parsing x509 certificate - no PEM block found")
@@ -353,8 +353,8 @@ func validateTlsSecret(secret *v1.Secret) (bool, error) {
 		if !ok {
 			return false, fmt.Errorf("error in *ecdsa.PublicKey type assertion")
 		}
-		if ecdsaPub.Curve.Params().BitSize > 256 {
-			logrus.Infof("skipping ECDSA %s certificate %s/%s: only P-256 certificates are supported", ecdsaPub.Curve.Params().Name, secret.Namespace, secret.Name)
+		if ecdsaPub.Curve.Params().BitSize > 521 {
+			logrus.Infof("skipping ECDSA %s certificate %s/%s: only P-256, P-384 and P-521 certificates are supported", ecdsaPub.Curve.Params().Name, secret.Namespace, secret.Name)
 			return false, nil
 		}
 	}
diff --git a/pkg/envoy/ingress_translator_test.go b/pkg/envoy/ingress_translator_test.go
@@ -53,6 +53,28 @@ HMDnomVYrn/CmceQFWDWQ/dLG3OgiffsjhxOS0IaaDKgUxJH7/eW5AesWmhg1z9x
 0JSjab6mTneQMtHukPZEaLmwPlksEA1k2A/wph9mEjyZpgS4IogLORA=
 -----END PRIVATE KEY-----`
 
+	// dummy p-521 cert
+	p521crt = `-----BEGIN CERTIFICATE-----
+MIIB/TCCAV6gAwIBAgIUalLHxUR4R/cATXoia/hwou1UYY0wCgYIKoZIzj0EAwIw
+EDEOMAwGA1UEAwwFZHVtbXkwHhcNMjUwNjE3MDgyNzU5WhcNMjYwNjE3MDgyNzU5
+WjAQMQ4wDAYDVQQDDAVkdW1teTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAKIU
+tBnFN/IIlNPkg/qiWSq8OtOJA76BrltrjGm7RkXCh7AGEi4JhBo7kElp/oqE8D6W
+Lze2+NHoczEZ6P2vOXbPAHIj9J+ti1fFm9prRTeV0Hn+YOqWBirnzu+2X3Vi2gSF
+q2tmIIMyWQBqt+T4zGo1qBTpfX1cIBG7baMMjK4xC7QJo1MwUTAdBgNVHQ4EFgQU
+aZAE5vnNQV2ztM/47huVttmWHjYwHwYDVR0jBBgwFoAUaZAE5vnNQV2ztM/47huV
+ttmWHjYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgOBjAAwgYgCQgDtOZt1
+OrmrEMbnB48DR52iFw1OR1ppXdCno4Owk2Amu/N3tuIsKctxtSrxQhejh4L+BNHh
+y1mXVMilq41U+gbhZAJCAUKFcuGqUdMFUhCmKHC78YIN8PCeZ56mE2hqSwprBJGS
+pzAmjBamDqkRJP4UdTjER1KyQfZJ1126r/TxA9+Tnn1j
+-----END CERTIFICATE-----`
+	p521key = `-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIAmn+TNqs72qAK6BfgaeNDlE+lr/+vP54s+zQAv4dWwJoGLoouzNSr
+Tim9rC01Ut1+5b9M4W5Ridx+E6aOU8G46fCgBwYFK4EEACOhgYkDgYYABACiFLQZ
+xTfyCJTT5IP6olkqvDrTiQO+ga5ba4xpu0ZFwoewBhIuCYQaO5BJaf6KhPA+li83
+tvjR6HMxGej9rzl2zwByI/SfrYtXxZvaa0U3ldB5/mDqlgYq587vtl91YtoEhatr
+ZiCDMlkAarfk+MxqNagU6X19XCARu22jDIyuMQu0CQ==
+-----END EC PRIVATE KEY-----`
+
 	// dummy rsa2048 cert
 	rsa2048crt = `-----BEGIN CERTIFICATE-----
 MIIDETCCAfkCFArEpbFYH4WmMV2id+QeAriE3c+CMA0GCSqGSIb3DQEBCwUAMEUx
@@ -530,15 +552,27 @@ func TestValidateWrongPEMTlsSecret(t *testing.T) {
 	}
 }
 
+func TestValidateP521TlsSecret(t *testing.T) {
+	sec := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "sec"}, Data: map[string][]byte{
+		"tls.crt": []byte(p521crt),
+		"tls.key": []byte(p521key),
+	}}
+	if v, err := validateTlsSecret(sec); err != nil {
+		t.Errorf("expected no error, caught: %s", err.Error())
+	} else if !v {
+		t.Errorf("expected ECDSA P-521 cert to be valid")
+	}
+}
+
 func TestValidateP384TlsSecret(t *testing.T) {
 	sec := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "sec"}, Data: map[string][]byte{
 		"tls.crt": []byte(p384crt),
 		"tls.key": []byte(p384key),
 	}}
 	if v, err := validateTlsSecret(sec); err != nil {
 		t.Errorf("expected no error, caught: %s", err.Error())
-	} else if v {
-		t.Errorf("expected ECDSA >256 cert to be invalid")
+	} else if !v {
+		t.Errorf("expected ECDSA P-384 cert to be valid")
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -338,8 +338,8 @@ func validateTlsSecret(secret *v1.Secret) (bool, error) {`
`338`	`338`	`return false, nil`
`339`	`339`	`}`
`340`	`340`
`341`		`- // discard P-384 EC private keys`
`342`		`- // see https://github.com/envoyproxy/envoy/issues/10855`
	`341`	`+ // discard > P-521 EC private keys`
	`342`	`+ // P-256, P-384 & P-521 are now supported (see https://github.com/envoyproxy/envoy/issues/10855)`
`343`	`343`	`block, _ := pem.Decode(tlsCert)`
`344`	`344`	`if block == nil {`
`345`	`345`	`return false, fmt.Errorf("error parsing x509 certificate - no PEM block found")`
`@@ -353,8 +353,8 @@ func validateTlsSecret(secret *v1.Secret) (bool, error) {`
`353`	`353`	`if !ok {`
`354`	`354`	`return false, fmt.Errorf("error in *ecdsa.PublicKey type assertion")`
`355`	`355`	`}`
`356`		`- if ecdsaPub.Curve.Params().BitSize > 256 {`
`357`		`- logrus.Infof("skipping ECDSA %s certificate %s/%s: only P-256 certificates are supported", ecdsaPub.Curve.Params().Name, secret.Namespace, secret.Name)`
	`356`	`+ if ecdsaPub.Curve.Params().BitSize > 521 {`
	`357`	`+ logrus.Infof("skipping ECDSA %s certificate %s/%s: only P-256, P-384 and P-521 certificates are supported", ecdsaPub.Curve.Params().Name, secret.Namespace, secret.Name)`
`358`	`358`	`return false, nil`
`359`	`359`	`}`
`360`	`360`	`}`