Implement known_keys_file support for PubKey authentication#2590
Implement known_keys_file support for PubKey authentication#2590milyin wants to merge 21 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds support for the transport/auth/pubkey/known_keys_file configuration option in the unicast transport PubKey authenticator, and updates auth initialization to accommodate async file I/O.
Changes:
- Make
AuthPubKey::from_configasync and load authorized public keys fromknown_keys_file. - Wire the new async
AuthPubKey::from_configinto transport auth initialization. - Minor import reordering and dependency lockfile update.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
zenoh/src/api/builders/scouting.rs |
Import order tweak (no functional change). |
io/zenoh-transport/src/unicast/establishment/ext/auth/pubkey.rs |
Implement known_keys_file loading and refactor keypair selection logic; from_config becomes async. |
io/zenoh-transport/src/unicast/establishment/ext/auth/mod.rs |
Await the now-async pubkey authenticator config initialization. |
Cargo.lock |
Records updated dependency graph (adds const_format entry). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
oteffahi
left a comment
oteffahi
left a comment
There was a problem hiding this comment.
IMHO pubkey auth extension is a naive and very verbose attempt at what mTLS already performs in a much safer and scalable way (which is also already integrated in ACL). This extension is internally used for mutlilink, which does not require the known_keys file. The best course of action to me is to remove auth/pub_key from the config file.
If we still want to go along with exposing this, I've left a few comments.
| for line in content.lines() { | ||
| let trimmed = line.trim(); | ||
| current_key.push_str(line); | ||
| current_key.push('\n'); | ||
| if trimmed == "-----END RSA PUBLIC KEY-----" { | ||
| let public_key = RsaPublicKey::from_pkcs1_pem(¤t_key).map_err(|e| { | ||
| zerror!("{S} Invalid RSA public key in known keys file: {}.", e) | ||
| })?; | ||
| known_keys.insert(public_key.into()); | ||
| current_key.clear(); | ||
| } | ||
| } | ||
| if current_key.chars().any(|c| !c.is_whitespace()) { | ||
| bail!("{S} Truncated RSA public key in known keys file."); | ||
| } |
There was a problem hiding this comment.
I don't agree with this file format where PKCS#1 PEMs are chained together. I'd rather have the base64 encoding of each public key in PKCS#1 PEM, so each line is a single encoded public key, which simplifies the parsing.
Furthermore, this logic should not be inlined here. Consider extracting this in a helper function or wrapping the public keys file logic in its own type.
| /// RSA public key in PKCS#1 PEM format (inline string). | ||
| /// If both `public_key_pem` and `public_key_file` are set, `public_key_pem` takes priority. | ||
| public_key_pem: Option<String>, | ||
| /// RSA private key in PKCS#1 PEM format (inline string). | ||
| /// If both `private_key_pem` and `private_key_file` are set, `private_key_pem` takes priority. | ||
| private_key_pem: Option<String>, | ||
| /// Path to a file containing the RSA public key in PKCS#1 PEM format. | ||
| /// Ignored when `public_key_pem` is also set. | ||
| public_key_file: Option<String>, | ||
| /// Path to a file containing the RSA private key in PKCS#1 PEM format. | ||
| /// Ignored when `private_key_pem` is also set. | ||
| private_key_file: Option<String>, | ||
| key_size: Option<usize>, | ||
| /// Path to a file containing one or more trusted peer RSA public keys in PKCS#1 PEM format. | ||
| /// Requires private and public keys to also be set. | ||
| known_keys_file: Option<String>, |
There was a problem hiding this comment.
Please add this documentation to DEFAULT_CONFIG.json5
| /// Path to a file containing the RSA private key in PKCS#1 PEM format. | ||
| /// Ignored when `private_key_pem` is also set. | ||
| private_key_file: Option<String>, | ||
| key_size: Option<usize>, |
There was a problem hiding this comment.
This does not seem to be used anywhere in the code. I believe it was added in the event that we make the size of the generated RSA key for multilink configurable. IMO It does not belong here and therefore should be removed.
|
From testing it seems like the PR allows providing a pub/priv key-pair without providing a trusted_keys file. This should be considered an invalid config. Since the extension requires mutual authentication, this config results in an instance that cannot connect or accept any connections, since it requires any peer to support auth_pubkey, and hold a trusted keypair (which is impossible since the trusted_keys file was not provided). This can be considered a breaking change, since we previously allowed this configuration (which doesn't make sense). Additionally, this configuration is valid when used by the multilink extension which does not use a trusted_keys file (its requirement is that the same keypair is used for two links on the same transport, it doesn't require that said keypair is known ahead of time). Please take this into consideration when making this change. |
Co-authored-by: Oussama Teffahi <70609372+oteffahi@users.noreply.github.com>
Description
Improve
AuthPubKey::from_config: addknown_keys_fileparameter support previously marked as TBDWhat does this PR do?
known_keys_fileconfig parameterAuthPubKey::from_configWhy is this change needed?
Declared functionality was missing with TBD comment
Related Issues
Fixes #1339, based on #2211
🏷️ Label-Based Checklist
Based on the labels applied to this PR, please complete these additional requirements:
Labels:
enhancement✨ Enhancement Requirements
Since this PR enhances existing functionality:
Remember: Enhancements should not introduce new APIs or breaking changes.
Instructions:
- [ ]to- [x])This checklist updates automatically when labels change, but preserves your checked boxes.