Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(fips): remove keystore subcommand and config handling #15545

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(fips): remove keystore subcommand and config handling #15545

wants to merge 1 commit into from
+161 −48

Conversation

kruskall
Copy link
Member

@kruskall kruskall commented Feb 4, 2025
edited
Loading

Motivation/summary

the keystore is providing obfuscation of data on disk by using an empty password by default.
This fails in fips only mode with the following error:

crypto/hmac: use of keys shorter than 112 bits is not allowed in FIPS 140-only mode

Disable the keystore subcommand and do not try to create one when loading the config.

Checklist

For functional changes, consider:

  • Is it observable through the addition of either logging or metrics?
  • Is its use being published in telemetry to enable product improvement?
  • Have system tests been added to avoid regression?

How to test these changes

  • download gotip/go1.24
  • build apm-server with the stdlib in fips only mode
  • run apm-server

Related issues

@kruskall
feat(fips): remove keystore subcommand and config handling
f7434ce 
the keystore is providing obfuscation of data on disk by using
an empty password by default.
This fails in fips only mode with the following error:

crypto/hmac: use of keys shorter than 112 bits is not allowed in FIPS 140-only mode

Disable the keystore subcommand and do not try to create one
when loading the config.
@kruskall kruskall requested a review from a team as a code owner February 4, 2025 17:01
@mergify Mergify
Copy link
Contributor

mergify bot commented Feb 4, 2025

This pull request does not have a backport label. Could you fix it @kruskall? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-7.17 is the label to automatically backport to the 7.17 branch.
  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • backport-9./d is the label to automatically backport to the 9./d branch. /d is the digit.
  • backport-8.x is the label to automatically backport to the 8.x branch.

@kruskall kruskall added backport-8.x Automated backport to the 8.x branch with mergify backport-8.18 Automated backport to the 8.18 branch backport-9.0 Automated backport to the 9.0 branch labels Feb 4, 2025
1pkg
1pkg reviewed Feb 4, 2025
View reviewed changes
internal/beatcmd/config_nofips_test.go
"github.com/elastic/elastic-agent-libs/keystore"
)

func TestLoadConfigKeystore(t *testing.T) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this test fail if build with requirefips?

1pkg
1pkg reviewed Feb 4, 2025
View reviewed changes
internal/beatcmd/config_nofips.go
)

// loadKeystore returns the appropriate keystore based on the configuration.
func loadKeystore(cfg *config.C) (libkeystore.Keystore, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: why not to add this function directly to internal/beatcmd/keystore_nofips.go file?

1pkg
1pkg reviewed Feb 4, 2025
View reviewed changes
internal/beatcmd/config_fips.go
)

// loadKeystore returns the appropriate keystore based on the configuration.
func loadKeystore(cfg *config.C) (libkeystore.Keystore, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: why not to add this function directly to internal/beatcmd/keystore_fips.go file?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@1pkg 1pkg 1pkg approved these changes

Assignees
No one assigned
Labels
backport-8.x Automated backport to the 8.x branch with mergify backport-8.18 Automated backport to the 8.18 branch backport-9.0 Automated backport to the 9.0 branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kruskall @1pkg