Use CA signing alg from config file on manual rotation

This allows users to manually switch to a different algorithm by:
- setting the config file field
- running "tctl auth rotate"

If config file field is not set, existing signing algorithm of the CA is
preserved.

integration/helpers.go

@@ -187,7 +187,7 @@ func NewInstance(cfg InstanceConfig) *TeleInstance {
 
 	cert, err := keygen.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: cfg.Priv,
-		CASigningAlg:        ssh.SigAlgoRSASHA2512,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       cfg.Pub,
 		HostID:              cfg.HostID,
 		NodeName:            cfg.NodeName,
@@ -256,11 +256,25 @@ func (s *InstanceSecrets) GetRoles() []services.Role {
 // case we always return hard-coded userCA + hostCA (and they share keys
 // for simplicity)
 func (s *InstanceSecrets) GetCAs() []services.CertAuthority {
-	hostCA := services.NewCertAuthority(services.HostCA, s.SiteName, [][]byte{s.PrivKey}, [][]byte{s.PubKey}, []string{})
+	hostCA := services.NewCertAuthority(
+		services.HostCA,
+		s.SiteName,
+		[][]byte{s.PrivKey},
+		[][]byte{s.PubKey},
+		[]string{},
+		services.CertAuthoritySpecV2_RSA_SHA2_512,
+	)
 	hostCA.SetTLSKeyPairs([]services.TLSKeyPair{{Cert: s.TLSCACert, Key: s.PrivKey}})
 	return []services.CertAuthority{
 		hostCA,
-		services.NewCertAuthority(services.UserCA, s.SiteName, [][]byte{s.PrivKey}, [][]byte{s.PubKey}, []string{services.RoleNameForCertAuthority(s.SiteName)}),
+		services.NewCertAuthority(
+			services.UserCA,
+			s.SiteName,
+			[][]byte{s.PrivKey},
+			[][]byte{s.PubKey},
+			[]string{services.RoleNameForCertAuthority(s.SiteName)},
+			services.CertAuthoritySpecV2_RSA_SHA2_512,
+		),
 	}
 }
 

lib/auth/auth.go

@@ -207,6 +207,9 @@ type AuthServer struct {
 	// cipherSuites is a list of ciphersuites that the auth server supports.
 	cipherSuites []uint16
 
+	// caSigningAlg is an SSH signing algorithm to use when generating new CAs.
+	caSigningAlg *string
+
 	// cache is a fast cache that allows auth server
 	// to use cache for most frequent operations,
 	// if not set, cache uses itself

lib/auth/init.go

@@ -142,7 +142,7 @@ type InitConfig struct {
 	// CASigningAlg is a signing algorithm used for SSH (certificate and
 	// handshake) signatures for both host and user CAs. This option only
 	// affects newly-created CAs.
-	CASigningAlg string
+	CASigningAlg *string
 }
 
 // Init instantiates and configures an instance of AuthServer
@@ -320,6 +320,10 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
+		sigAlg := defaults.CASignatureAlgorithm
+		if cfg.CASigningAlg != nil {
+			sigAlg = *cfg.CASigningAlg
+		}
 
 		userCA := &services.CertAuthorityV2{
 			Kind:    services.KindCertAuthority,
@@ -332,7 +336,7 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 				ClusterName:  cfg.ClusterName.GetClusterName(),
 				Type:         services.UserCA,
 				SigningKeys:  [][]byte{priv},
-				SigningAlg:   services.ParseSigningAlg(cfg.CASigningAlg),
+				SigningAlg:   services.ParseSigningAlg(sigAlg),
 				CheckingKeys: [][]byte{pub},
 				TLSKeyPairs:  []services.TLSKeyPair{{Cert: certPEM, Key: keyPEM}},
 			},
@@ -376,6 +380,11 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
+		sigAlg := defaults.CASignatureAlgorithm
+		if cfg.CASigningAlg != nil {
+			sigAlg = *cfg.CASigningAlg
+		}
+
 		hostCA = &services.CertAuthorityV2{
 			Kind:    services.KindCertAuthority,
 			Version: services.V2,
@@ -387,7 +396,7 @@ func Init(cfg InitConfig, opts ...AuthServerOption) (*AuthServer, error) {
 				ClusterName:  cfg.ClusterName.GetClusterName(),
 				Type:         services.HostCA,
 				SigningKeys:  [][]byte{priv},
-				SigningAlg:   services.ParseSigningAlg(cfg.CASigningAlg),
+				SigningAlg:   services.ParseSigningAlg(sigAlg),
 				CheckingKeys: [][]byte{pub},
 				TLSKeyPairs:  []services.TLSKeyPair{{Cert: certPEM, Key: keyPEM}},
 			},

lib/auth/init_test.go

@@ -30,6 +30,7 @@ import (
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/lite"
+	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/utils"
 
@@ -72,7 +73,7 @@ func (s *AuthInitSuite) TestReadIdentity(c *C) {
 
 	cert, err := t.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: priv,
-		CASigningAlg:        ssh.SigAlgoRSASHA2512,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       pub,
 		HostID:              "id1",
 		NodeName:            "node-name",
@@ -94,7 +95,7 @@ func (s *AuthInitSuite) TestReadIdentity(c *C) {
 	expiryDate := time.Now().Add(ttl)
 	bytes, err := t.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: priv,
-		CASigningAlg:        ssh.SigAlgoRSASHA2512,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       pub,
 		HostID:              "id1",
 		NodeName:            "node-name",
@@ -122,7 +123,7 @@ func (s *AuthInitSuite) TestBadIdentity(c *C) {
 	// missing authority domain
 	cert, err := t.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: priv,
-		CASigningAlg:        ssh.SigAlgoRSASHA2512,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       pub,
 		HostID:              "id2",
 		NodeName:            "",
@@ -138,7 +139,7 @@ func (s *AuthInitSuite) TestBadIdentity(c *C) {
 	// missing host uuid
 	cert, err = t.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: priv,
-		CASigningAlg:        ssh.SigAlgoRSASHA2512,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       pub,
 		HostID:              "example.com",
 		NodeName:            "",
@@ -154,7 +155,7 @@ func (s *AuthInitSuite) TestBadIdentity(c *C) {
 	// unrecognized role
 	cert, err = t.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: priv,
-		CASigningAlg:        ssh.SigAlgoRSASHA2512,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       pub,
 		HostID:              "example.com",
 		NodeName:            "",

lib/auth/native/native_test.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/lib/auth/test"
+	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/utils"
 
@@ -171,7 +172,7 @@ func (s *NativeSuite) TestBuildPrincipals(c *check.C) {
 		hostCertificateBytes, err := s.suite.A.GenerateHostCert(
 			services.HostCertParams{
 				PrivateCASigningKey: caPrivateKey,
-				CASigningAlg:        ssh.SigAlgoRSASHA2512,
+				CASigningAlg:        defaults.CASignatureAlgorithm,
 				PublicHostKey:       hostPublicKey,
 				HostID:              tt.inHostID,
 				NodeName:            tt.inNodeName,
@@ -219,7 +220,7 @@ func (s *NativeSuite) TestUserCertCompatibility(c *check.C) {
 
 		userCertificateBytes, err := s.suite.A.GenerateUserCert(services.UserCertParams{
 			PrivateCASigningKey:   priv,
-			CASigningAlg:          ssh.SigAlgoRSASHA2512,
+			CASigningAlg:          defaults.CASignatureAlgorithm,
 			PublicUserKey:         pub,
 			Username:              "user",
 			AllowedLogins:         []string{"centos", "root"},
@@ -237,7 +238,7 @@ func (s *NativeSuite) TestUserCertCompatibility(c *check.C) {
 		userCertificate, ok := publicKey.(*ssh.Certificate)
 		c.Assert(ok, check.Equals, true, comment)
 		// Check that the signature algorithm is correct.
-		c.Assert(userCertificate.Signature.Format, check.Equals, ssh.SigAlgoRSASHA2512)
+		c.Assert(userCertificate.Signature.Format, check.Equals, defaults.CASignatureAlgorithm)
 		// check if we added the roles extension
 		_, ok = userCertificate.Extensions[teleport.CertExtensionTeleportRoles]
 		c.Assert(ok, check.Equals, tt.outHasRoles, comment)

lib/auth/rotate.go

@@ -121,6 +121,8 @@ type rotationReq struct {
 	// privateKey is passed by tests to supply private key for cert authorities
 	// instead of generating them on each iteration
 	privateKey []byte
+	// caSigningAlg is an SSH signing algorithm to use with the new CA.
+	caSigningAlg *string
 }
 
 // RotateCertAuthority starts or restarts certificate authority rotation process.
@@ -214,13 +216,14 @@ func (a *AuthServer) RotateCertAuthority(req RotateRequest) error {
 			return trace.Wrap(err)
 		}
 		rotated, err := processRotationRequest(rotationReq{
-			ca:          existing,
-			clock:       a.clock,
-			targetPhase: req.TargetPhase,
-			schedule:    *req.Schedule,
-			gracePeriod: *req.GracePeriod,
-			mode:        req.Mode,
-			privateKey:  a.privateKey,
+			ca:           existing,
+			clock:        a.clock,
+			targetPhase:  req.TargetPhase,
+			schedule:     *req.Schedule,
+			gracePeriod:  *req.GracePeriod,
+			mode:         req.Mode,
+			privateKey:   a.privateKey,
+			caSigningAlg: a.caSigningAlg,
 		})
 		if err != nil {
 			return trace.Wrap(err)
@@ -546,6 +549,9 @@ func startNewRotation(req rotationReq, ca services.CertAuthority) error {
 	}
 	ca.SetTLSKeyPairs(keyPairs)
 	ca.SetRotation(rotation)
+	if req.caSigningAlg != nil {
+		ca.SetSigningAlg(*req.caSigningAlg)
+	}
 	return nil
 }
 

lib/auth/test/suite.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
 
@@ -64,7 +65,7 @@ func (s *AuthSuite) GenerateHostCert(c *check.C) {
 	cert, err := s.A.GenerateHostCert(
 		services.HostCertParams{
 			PrivateCASigningKey: priv,
-			CASigningAlg:        ssh.SigAlgoRSASHA2512,
+			CASigningAlg:        defaults.CASignatureAlgorithm,
 			PublicHostKey:       pub,
 			HostID:              "00000000-0000-0000-0000-000000000000",
 			NodeName:            "auth.example.com",
@@ -95,7 +96,7 @@ func (s *AuthSuite) GenerateUserCert(c *check.C) {
 
 	cert, err := s.A.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   priv,
-		CASigningAlg:          ssh.SigAlgoRSASHA2512,
+		CASigningAlg:          defaults.CASignatureAlgorithm,
 		PublicUserKey:         pub,
 		Username:              "user",
 		AllowedLogins:         []string{"centos", "root"},
@@ -125,7 +126,7 @@ func (s *AuthSuite) GenerateUserCert(c *check.C) {
 
 	_, err = s.A.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   priv,
-		CASigningAlg:          ssh.SigAlgoRSASHA2512,
+		CASigningAlg:          defaults.CASignatureAlgorithm,
 		PublicUserKey:         pub,
 		Username:              "user",
 		AllowedLogins:         []string{"root"},
@@ -138,7 +139,7 @@ func (s *AuthSuite) GenerateUserCert(c *check.C) {
 
 	_, err = s.A.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   priv,
-		CASigningAlg:          ssh.SigAlgoRSASHA2512,
+		CASigningAlg:          defaults.CASignatureAlgorithm,
 		PublicUserKey:         pub,
 		Username:              "user",
 		AllowedLogins:         []string{"root"},
@@ -151,7 +152,7 @@ func (s *AuthSuite) GenerateUserCert(c *check.C) {
 
 	_, err = s.A.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   priv,
-		CASigningAlg:          ssh.SigAlgoRSASHA2512,
+		CASigningAlg:          defaults.CASignatureAlgorithm,
 		PublicUserKey:         pub,
 		Username:              "user",
 		AllowedLogins:         []string{"root"},
@@ -165,7 +166,7 @@ func (s *AuthSuite) GenerateUserCert(c *check.C) {
 	inRoles := []string{"role-1", "role-2"}
 	cert, err = s.A.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   priv,
-		CASigningAlg:          ssh.SigAlgoRSASHA2512,
+		CASigningAlg:          defaults.CASignatureAlgorithm,
 		PublicUserKey:         pub,
 		Username:              "user",
 		AllowedLogins:         []string{"root"},

lib/client/keyagent_test.go

@@ -31,6 +31,7 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/lib/auth/testauthority"
+	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/fixtures"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshutils"
@@ -239,7 +240,7 @@ func (s *KeyAgentTestSuite) TestHostCertVerification(c *check.C) {
 	c.Assert(err, check.IsNil)
 	hostCertBytes, err := keygen.GenerateHostCert(services.HostCertParams{
 		PrivateCASigningKey: caPriv,
-		CASigningAlg:        ssh.SigAlgoRSASHA2512,
+		CASigningAlg:        defaults.CASignatureAlgorithm,
 		PublicHostKey:       hostPub,
 		HostID:              "5ff40d80-9007-4f28-8f49-7d4fda2f574d",
 		NodeName:            "server01",
@@ -430,7 +431,7 @@ func (s *KeyAgentTestSuite) makeKey(username string, allowedLogins []string, ttl
 
 	certificate, err := keygen.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   pemBytes,
-		CASigningAlg:          ssh.SigAlgoRSASHA2512,
+		CASigningAlg:          defaults.CASignatureAlgorithm,
 		PublicUserKey:         publicKey,
 		Username:              username,
 		AllowedLogins:         allowedLogins,

lib/client/keystore_test.go

@@ -242,7 +242,7 @@ func (s *KeyStoreTestSuite) makeSignedKey(c *check.C, makeExpired bool) *Key {
 
 	cert, err = s.keygen.GenerateUserCert(services.UserCertParams{
 		PrivateCASigningKey:   CAPriv,
-		CASigningAlg:          ssh.SigAlgoRSASHA2512,
+		CASigningAlg:          defaults.CASignatureAlgorithm,
 		PublicUserKey:         pub,
 		Username:              username,
 		AllowedLogins:         allowedLogins,

lib/config/configuration.go

@@ -287,7 +287,7 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
 	if fc.MACAlgorithms != nil {
 		cfg.MACAlgorithms = fc.MACAlgorithms
 	}
-	if fc.CASignatureAlgorithm != "" {
+	if fc.CASignatureAlgorithm != nil {
 		cfg.CASignatureAlgorithm = fc.CASignatureAlgorithm
 	}
 

lib/config/fileconf.go

@@ -349,8 +349,8 @@ func (conf *FileConfig) Check() error {
 			return trace.BadParameter("MAC algorithm %q is not supported; supported algorithms: %q", m, sc.MACs)
 		}
 	}
-	if conf.CASignatureAlgorithm != "" && !utils.SliceContainsStr(validCASigAlgos, conf.CASignatureAlgorithm) {
-		return trace.BadParameter("CA signature algorithm %q is not supported; supported algorithms: %q", conf.CASignatureAlgorithm, validCASigAlgos)
+	if conf.CASignatureAlgorithm != nil && !utils.SliceContainsStr(validCASigAlgos, *conf.CASignatureAlgorithm) {
+		return trace.BadParameter("CA signature algorithm %q is not supported; supported algorithms: %q", *conf.CASignatureAlgorithm, validCASigAlgos)
 	}
 
 	return nil
@@ -412,7 +412,7 @@ type Global struct {
 	// CASignatureAlgorithm is an SSH Certificate Authority (CA) signature
 	// algorithm that the server uses for signing user and host certificates.
 	// If omitted, the default will be used.
-	CASignatureAlgorithm string `yaml:"ca_signature_algo,omitempty"`
+	CASignatureAlgorithm *string `yaml:"ca_signature_algo,omitempty"`
 
 	// CAPin is the SKPI hash of the CA used to verify the Auth Server.
 	CAPin string `yaml:"ca_pin"`

lib/defaults/defaults.go

@@ -26,6 +26,7 @@ import (
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/lib/limiter"
 	"github.com/gravitational/teleport/lib/utils"
+	"golang.org/x/crypto/ssh"
 )
 
 // Default port numbers used by all teleport tools
@@ -345,6 +346,10 @@ var (
 
 	// NodeQueueSize is node service queue size
 	NodeQueueSize = 128
+
+	// CASignatureAlgorithm is the default signing algorithm to use when
+	// creating new SSH CAs.
+	CASignatureAlgorithm = ssh.SigAlgoRSASHA2512
 )
 
 // Default connection limits, they can be applied separately on any of the Teleport

lib/service/cfg.go

@@ -144,7 +144,7 @@ type Config struct {
 	// CASignatureAlgorithm is an SSH Certificate Authority (CA) signature
 	// algorithm that the server uses for signing user and host certificates.
 	// If omitted, the default will be used.
-	CASignatureAlgorithm string
+	CASignatureAlgorithm *string
 
 	// DiagnosticAddr is an address for diagnostic and healthz endpoint service
 	DiagnosticAddr utils.NetAddr
@@ -484,7 +484,6 @@ func ApplyDefaults(cfg *Config) {
 	cfg.Ciphers = sc.Ciphers
 	cfg.KEXAlgorithms = kex
 	cfg.MACAlgorithms = macs
-	cfg.CASignatureAlgorithm = ssh.SigAlgoRSASHA2512
 
 	// Auth service defaults.
 	cfg.Auth.Enabled = true