Bugfix to allow seeding via KMS #56

Merged
merged 1 commit into from
Nov 17, 2022

@skiptomyliu (Member) commented Nov 16, 2022

bless generates ephemeral certs and relies on entropy to generate these ephemeral keys.

For some reason the lambda in us-east-1 kernel is reporting that we only have 256 bits available from /proc/sys/kernel/random/entropy_avail, whereas bless has a minimum of 2046 bits it uses for random generation that would allow us to securely generate certs.

When this occurs, we fall back on using KMS for the random generation, which is currently broken. us-west-2 looks to be unaffected.

This PR fixes KMS:
The KMS GenerateRandom function returns random bytes. urandom.write expects a string. To write the string, we b64 encode it so we're able to seed /dev/urandom to give it extra randomness.

@skiptomyliu skiptomyliu force-pushed the lyft-user-nov-16-2022 branch from 1ab6f38 to 7058dc8 Compare November 17, 2022 00:02
@skiptomyliu skiptomyliu merged commit e14cdb8 into master Nov 17, 2022
@skiptomyliu skiptomyliu deleted the lyft-user-nov-16-2022 branch November 17, 2022 00:40
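The failure and fix described in the PR comment above, as an added example (not code from this PR or from the bless repository): raw bytes from KMS GenerateRandom written to a text-mode handle raise `TypeError`, while the base64-encoded string is accepted. `FakeKMS`, the function names, the 64-byte request size, the text-mode `open` and the temp files standing in for `/proc/sys/kernel/random/entropy_avail` and `/dev/urandom` are assumptions made so the example runs offline.

```python
import base64
import os
import tempfile

MIN_ENTROPY_BITS = 2046  # minimum quoted in the PR description

class FakeKMS:
    """Constructed stand-in for a boto3 KMS client (no network access)."""
    def generate_random(self, NumberOfBytes):
        return {"Plaintext": os.urandom(NumberOfBytes)}

def entropy_available(path="/proc/sys/kernel/random/entropy_avail"):
    """Return the entropy estimate the kernel reports, in bits."""
    with open(path) as f:
        return int(f.read().strip())

def seed_broken(kms, device, nbytes=64):
    """Pre-fix behaviour as described: bytes passed to a str-only write()."""
    with open(device, "w") as urandom:
        urandom.write(kms.generate_random(NumberOfBytes=nbytes)["Plaintext"])

def seed_fixed(kms, device, nbytes=64):
    """Fix as described: base64-encode the bytes so a str is written."""
    plaintext = kms.generate_random(NumberOfBytes=nbytes)["Plaintext"]
    encoded = base64.b64encode(plaintext).decode("ascii")
    with open(device, "w") as urandom:
        urandom.write(encoded)
    return len(encoded)  # characters written to the device

def seed_if_low(kms, entropy_path, device, minimum=MIN_ENTROPY_BITS):
    """Seed from KMS only when the reported entropy is below the minimum."""
    if entropy_available(entropy_path) >= minimum:
        return 0
    return seed_fixed(kms, device)

def demo():
    """Run both variants against temp files (constructed sample values)."""
    with tempfile.TemporaryDirectory() as d:
        ent, dev = os.path.join(d, "entropy_avail"), os.path.join(d, "urandom")
        with open(ent, "w") as f:
            f.write("256\n")  # the low reading mentioned in the PR
        try:
            seed_broken(FakeKMS(), dev)
            broken = "no error"
        except TypeError:
            broken = "TypeError"
        return broken, seed_if_low(FakeKMS(), ent, dev)
```

Per random(4), data written to `/dev/urandom` is mixed into the pool but does not raise the entropy count, so `entropy_avail` will read the same after seeding.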