From 74b3227f19a22530cc980195c91e039906ed28d0 Mon Sep 17 00:00:00 2001
From: Scott Miller
Date: Wed, 15 Sep 2021 11:59:28 -0500
Subject: [PATCH] Use the system rand reader for SSH keypair generation (#12560)
* Use the system rand reader for SSH keypair generation
* changelog
---
 builtin/logical/ssh/path_config_ca.go | 10 +++++++---
 changelog/12560.txt | 3 +++
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 changelog/12560.txt
diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go
index 5cdb65d33f5c1..3381a64b5aa47 100644
--- a/builtin/logical/ssh/path_config_ca.go
+++ b/builtin/logical/ssh/path_config_ca.go
@@ -7,6 +7,7 @@ import (
 "crypto/x509"
 "encoding/pem"
 "fmt"
+ "io"
 multierror "github.com/hashicorp/go-multierror"
 "github.com/hashicorp/vault/sdk/framework"
@@ -190,7 +191,7 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request,
 }
 if generateSigningKey {
- publicKey, privateKey, err = generateSSHKeyPair()
+ publicKey, privateKey, err = generateSSHKeyPair(b.Backend.GetRandomReader())
 if err != nil {
 return nil, err
 }
@@ -264,8 +265,11 @@ func (b *backend) pathConfigCAUpdate(ctx context.Context, req *logical.Request,
 return nil, nil
 }
-func generateSSHKeyPair() (string, string, error) {
- privateSeed, err := rsa.GenerateKey(rand.Reader, 4096)
+func generateSSHKeyPair(randomSource io.Reader) (string, string, error) {
+ if randomSource == nil {
+ randomSource = rand.Reader
+ }
+ privateSeed, err := rsa.GenerateKey(randomSource, 4096)
 if err != nil {
 return "", "", err
 }
diff --git a/changelog/12560.txt b/changelog/12560.txt
new file mode 100644
index 0000000000000..0b76337b3021f
--- /dev/null
+++ b/changelog/12560.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/ssh: Use entropy augmentation when available for generation of the signing key.
+```
\ No newline at end of file
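Review bot: The `return nil, err` directly after the changed call in pathConfigCAUpdate passes a key-generation failure up with no context. With this change the reader may be the entropy-augmentation source named in the changelog rather than the local system reader, so a read failure from that source becomes a plausible cause. Wrapping it, for example `return nil, fmt.Errorf("generating SSH CA key pair: %w", err)`, would let an operator tell an entropy-source failure apart from the other errors this handler returns; `fmt` already appears in the import hunk. The function body starts and ends outside this hunk.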
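Review bot: generateSSHKeyPair now takes its randomness from the caller but has no doc comment stating the contract, and the nil branch quietly substitutes `rand.Reader`. Suggest `// generateSSHKeyPair creates a 4096-bit RSA key pair; randomSource must be a cryptographically secure reader, and nil selects rand.Reader.` above the signature. The `rand` import is outside the hunks shown, so this assumes it is crypto/rand. The diffstat lists only this file and the changelog, so a small test calling the function with a reader and with nil would pin both paths. The function body continues past the end of the hunk.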