Skip to content

Comments

Bugfix to allow seeding via KMS#56

Merged
skiptomyliu merged 1 commit intomasterfrom
lyft-user-nov-16-2022
Nov 17, 2022
Merged

Bugfix to allow seeding via KMS#56
skiptomyliu merged 1 commit intomasterfrom
lyft-user-nov-16-2022

Conversation

@skiptomyliu
Copy link
Member

@skiptomyliu skiptomyliu commented Nov 16, 2022
edited
Loading

bless generates ephemeral certs and relies on entropy to generate these ephemeral keys.

For some reason the lambda in us-east-1 kernel is reporting that we only have 256 bits available from /proc/sys/kernel/random/entropy_avail, whereas bless has a minimum of 2046 bits it uses for random generation that would allow us to securely generate certs.

When this occurs, we fallback on using KMS for the random generation, which is currently broken. us-west-2 looks to be unaffected.

This PR fixes KMS:
KMS GenerateRandom function returns random bytes. urandom.write expects a string. To write the string to we b64 encode so we're able to seed /dev/urandom to give it extra randomness.

@skiptomyliu skiptomyliu force-pushed the lyft-user-nov-16-2022 branch from 1ab6f38 to 7058dc8 Compare November 17, 2022 00:02
@skiptomyliu skiptomyliu merged commit e14cdb8 into master Nov 17, 2022
@skiptomyliu skiptomyliu deleted the lyft-user-nov-16-2022 branch November 17, 2022 00:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@meng-han meng-han meng-han approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skiptomyliu @meng-han