GoogleCloudPlatform / kms-integrations

https://cloud.google.com/kms
Apache License 2.0

CryptoKeyVersion resource names (CKA_IDs) longer than 100 characters are rejected by OpenSSL #35

Open richardkazuomiller opened 3 months ago

richardkazuomiller commented 3 months ago

I ran into the 100 character limit while trying to set up support for key rotation in my project and banged my head against the wall before finding the reason in the documentation. My understanding is that it looks like the underlying cause is in the libp11 library, but it's not entirely clear what is going on and there hasn't been any movement on getting it fixed.

Is there any chance this could be solved in this library somehow? Maybe by using a cryptoKey instead of a keyring as the slot or something.

In the short term I think I will need to create a new key with a shorter name to meet deadlines but I think anything that GCP supports should also be supported in this library one way or another.

tdbhacks commented 3 months ago

I see you have already commented on https://github.com/OpenSC/libp11/issues/531, that's the issue I was going to point out because I believe the root cause is upstream. I've asked the maintainers to confirm this though, just in case I missed something in our own implementation, see my latest comment.

I definitely share the sentiment that this is annoying, but I wouldn't want to do a significant library redesign / behavior shift because of this issue alone, given the easy workaround. I appreciate your help in trying to push for this to be addressed in the open libp11 issue! In the meantime, I'll keep this open so that other people might be able to find out about this known issue more quickly.

richardkazuomiller commented 3 months ago

I agree that the workaround is relatively easy if you know about it from the start, but if someone creates a key version with a too-long name and finds out about this after they start the process of rotating their key, like I did, they will be in a situation where the key they already started using can no longer be used. I caught this in my dev environment, but I didn't check the length of the key version that was already used to sign software that we delivered, so we might already be in a situation where using multiple key versions isn't possible.

richardkazuomiller commented 3 months ago

I checked when I got to work today and believe it or not, our existing key version name is exactly 101 characters long 😆
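The thread's practical takeaway is that the length of the full CryptoKeyVersion resource name, not just the key id you chose, is what has to stay within the limit, and that the fixed parts of the name already consume most of the budget. The following pre-flight check is an added example written for this issue; it is not code from the kms-integrations project or from either commenter. It assumes the standard Cloud KMS resource-name layout `projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{key}/cryptoKeyVersions/{version}` and, following the thread, that names of up to 100 characters work while 101 fails. The project, location, key ring and key ids in it are constructed sample values.

```python
# Pre-flight length check for Cloud KMS CryptoKeyVersion resource names,
# intended to be run before enabling rotation on a key that will be used
# through the PKCS#11 / OpenSSL engine path discussed in this issue.
# Added example, not part of the kms-integrations project.

# Limit as reported in this issue: 100 characters work, 101 is rejected.
MAX_CKA_ID_LEN = 100


def crypto_key_version_name(project, location, key_ring, key, version):
    """Build the full resource name (assumed standard Cloud KMS layout)."""
    return (
        f"projects/{project}/locations/{location}/keyRings/{key_ring}"
        f"/cryptoKeys/{key}/cryptoKeyVersions/{version}"
    )


def check_version_name(name, limit=MAX_CKA_ID_LEN):
    """Return (ok, length, headroom); headroom is negative when too long."""
    length = len(name)
    return length <= limit, length, limit - length


def max_key_name_len(project, location, key_ring, version_digits=3,
                     limit=MAX_CKA_ID_LEN):
    """Longest cryptoKey id that still fits, leaving room for version
    numbers of up to `version_digits` digits (so later rotations fit too)."""
    # Measure the name with an empty key id and the widest version number.
    fixed = len(crypto_key_version_name(project, location, key_ring, "",
                                        "9" * version_digits))
    return limit - fixed


def rotation_safe(project, location, key_ring, key, version_digits=3):
    """True if every version up to 10**version_digits - 1 fits the limit."""
    return len(key) <= max_key_name_len(project, location, key_ring,
                                        version_digits)


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    project, location, key_ring = "my-project", "us-central1", "signing"
    for key in ("release", "release-signing-key"):
        name = crypto_key_version_name(project, location, key_ring, key, "1")
        ok, length, headroom = check_version_name(name)
        print(f"{'OK ' if ok else 'BAD'} {length:3d} chars, "
              f"headroom {headroom:+d}: {name}")
    print("longest key id that survives 999 rotations here:",
          max_key_name_len(project, location, key_ring))
```

Note how little budget is left once the fixed path components are counted: with the sample project, location and key ring above, a key id of more than eight characters cannot be rotated past version 999 without crossing the limit, which is why checking the already-deployed version name, as the last comment describes, is worth doing before assuming rotation will work.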