9

问题

我使用 secp256k1 通过 OpenSSL 生成了密钥和证书,rke从 Rancher Kubernetes Engine (RKE) 运行版本 v1.2.8,并收到以下错误:

FATA[0000] Failed to read certificates from dir [/home/max/cluster_certs]: failed to read certificate [kube-apiserver-requestheader-ca.pem]: x509: unsupported elliptic curve

kubectl version

Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-12T14:18:45Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}

我通过以下方式生成了根 CA 密钥和证书:

openssl ecparam -name secp256k1 -genkey -noout -out ca-pvt.pem -rand random.bin -writerand random.bin
openssl req -config .\openssl.cnf -x509 -sha256 -new -nodes -key ca-pvt.pem -days 10227 -out ca-cert.cer -rand random.bin -writerand random.bin

然后我用它来签署rke cert generate-csr从我的 Kubernetes Rancher生成的 CSR cluster.yml

批准 CSR 的命令行如下:

openssl ca -config openssl.cnf -batch -in %1 -out %2 -create_serial -notext -rand random.bin -writerand random.bin

问题

secp256k1如果产生x509: unsupported elliptic curve错误消息,Kubernetes 今天支持哪些曲线用于证书?

附言

我也试过了prime256v1,也叫secp256r1. 与 相比,它进一步发展secp256k1,但仍然出现错误。

有了 prime256v1,RKE没有抱怨x509: unsupported elliptic curve

相反,它给出了一个错误panic: interface conversion: interface {} is *ecdsa.PrivateKey, not *rsa.PrivateKey。这是完整的错误消息:

这是完整的错误消息:

DEBU[0000] Certificate file [./cluster_certs/kube-apiserver-requestheader-ca.pem] content is greater than 0 
panic: interface conversion: interface {} is *ecdsa.PrivateKey, not *rsa.PrivateKey 
goroutine 1 [running]: github.com/rancher/rke/pki.getKeyFromFile(0x7ffe6294c74e, 0xf, 0xc00105cb10, 0x27, 0x8, 0xc00105cb10, 0x27) 
/go/src/github.com/rancher/rke/pki/util.go:656 +0x212
4

1 回答 1

10

secp256k1如果产生x509: unsupported elliptic curve错误消息,Kubernetes 今天支持哪些曲线用于证书?

为了尝试回答这个问题,我将直接查看源代码。你可以找到那里给出错误的行unsupported elliptic curve

case *ecdsa.PublicKey:
        publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
        oid, ok := oidFromNamedCurve(pub.Curve)
        if !ok {
            return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
        }

这里有两个函数负责处理曲线:

  • 元帅:
// Marshal converts a point on the curve into the uncompressed form specified in
// section 4.3.6 of ANSI X9.62.
func Marshal(curve Curve, x, y *big.Int) []byte {
    byteLen := (curve.Params().BitSize + 7) / 8

    ret := make([]byte, 1+2*byteLen)
    ret[0] = 4 // uncompressed point

    x.FillBytes(ret[1 : 1+byteLen])
    y.FillBytes(ret[1+byteLen : 1+2*byteLen])

    return ret
}
  • oidFromNamedCurve:
// OIDFromNamedCurve returns the OID used to specify the use of the given
// elliptic curve.
func OIDFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
    switch curve {
    case elliptic.P224():
        return OIDNamedCurveP224, true
    case elliptic.P256():
        return OIDNamedCurveP256, true
    case elliptic.P384():
        return OIDNamedCurveP384, true
    case elliptic.P521():
        return OIDNamedCurveP521, true
    case secp192r1():
        return OIDNamedCurveP192, true
    }

    return nil, false
}

因此,最终的答案在开关中。支持的椭圆曲线有:

您需要将曲线更改为secp256r1。主要区别在于它secp256k1是 Koblitz 曲线,而secp256r1不是。众所周知,Koblitz 曲线比其他曲线弱一些。

OpenSSL 支持“secp256r1”,它只是称为“prime256v1”。查看 RFC 5480 中的第 2.1.1.1 节,其中“secp192r1”曲线称为“prime192v1”,“secp256r1”曲线称为“prime256v1”。

于 2021-06-23T10:55:13.827 回答