matrix-org/matrix-hookshot

Use ed25519 instead of RSA for crypto keys

Opened this issue · 3 comments

ed25519 is more secure than a 4096 RSA and I suggest using it, e.g. for passkey.pem.

Yeah, probably a good shout. We need to figure out a migration path though since everyone's data will be encoded in a certain way :)

For config.yml I already made a diff:

diff --git a/config.sample.yml b/config.sample.yml
index 7182a9b..67906b1 100644
--- a/config.sample.yml
+++ b/config.sample.yml
@@ -9,7 +9,7 @@ bridge:
   bindAddress: 127.0.0.1
 passFile:
   # A passkey used to encrypt tokens stored inside the bridge.
-  # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
+  # Run openssl genpkey -out passkey.pem -outform PEM -algorithm ed25519
   passkey.pem
 logging:
   # Logging settings. You can have a severity debug,info,warn,error
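
Review bot: The added comment line under passFile in config.sample.yml drops the trailing "to generate" that the removed line had and that the matching lines in helm/hookshot/values.yaml and src/config/Config.ts keep. Make it read "# Run openssl genpkey -out passkey.pem -outform PEM -algorithm ed25519 to generate" so the three copies of this help text stay identical.
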
diff --git a/helm/hookshot/values.yaml b/helm/hookshot/values.yaml
index a4b1302..ab6f74c 100644
--- a/helm/hookshot/values.yaml
+++ b/helm/hookshot/values.yaml
@@ -212,7 +212,7 @@ hookshot:
       # secret: "!secretToken"
     passFile: passkey.pem
     # A passkey used to encrypt tokens stored inside the bridge.
-    # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
+    # Run openssl genpkey -out passkey.pem -outform PEM -algorithm ed25519 to generate
     #
     # bot:
       # (Optional) Define profile information for the bot user
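
Review bot: The passFile comment in values.yaml now points only at Ed25519 and gives no guidance to operators who already deploy an RSA passkey.pem. The line above it states that the passkey is used to encrypt tokens stored inside the bridge, so regenerating the key with the new command would leave already stored tokens unreadable. Add a line saying that an existing key must be kept, or document the migration step once one exists.
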
diff --git a/src/config/Config.ts b/src/config/Config.ts
index 374c295..fa0198f 100644
--- a/src/config/Config.ts
+++ b/src/config/Config.ts
@@ -493,7 +493,7 @@ export class BridgeConfig {
     @configKey(`Permissions for using the bridge. See docs/setup.md#permissions for help`, true)
     public readonly permissions: BridgeConfigActorPermission[];
     @configKey(`A passkey used to encrypt tokens stored inside the bridge.
- Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate`)
+ Run openssl genpkey -out passkey.pem -outform PEM -algorithm ed25519 to generate`)
     public readonly passFile: string;
     @configKey("Configure this to enable GitHub support", true)
     public readonly github?: BridgeConfigGitHub;
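
Review bot: Only the @configKey help string for passFile changes here; nothing in this hunk touches the code that loads or uses the key. The same string says the passkey is used to encrypt tokens, and Ed25519 is a signature scheme with no encryption operation, so an Ed25519 key cannot simply stand in for the RSA key in that role. Hold the documentation change until the key-loading and token-encryption paths change with it, and state in the description which scheme actually protects the tokens.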

which seems to work fine in my testing. But there are way more usages of RSA inside the code.

Ma27 commented

Btw for anybody else who tried this out and tried to upgrade to 5.3, this will break in 5.3+ with

Error reading private key: PrivateKey8(PublicKey(OidUnknown { oid: ObjectIdentifier(1.2.840.113549.1.1.1) }))

Solution until this is implemented is probably to stay on 5.2.1.