Skip to content

crypto: add TLS group/curve mapping support#2347

Open
damdo wants to merge 1 commit into
openshift:masterfrom
damdo:tls-curve-preferences-crypto
Open

crypto: add TLS group/curve mapping support#2347
damdo wants to merge 1 commit into
openshift:masterfrom
damdo:tls-curve-preferences-crypto

Conversation

@damdo

@damdo damdo commented Jul 3, 2026

Copy link
Copy Markdown
Member

Map OpenShift API TLSGroup constants to Go's tls.CurveID values, following the same pattern used for cipher suite mapping. This enables downstream consumers (observer, operators) to resolve curve preferences from TLS security profiles.

SecP256r1MLKEM768 and SecP384r1MLKEM1024 use raw IANA IDs (4587, 4590) because Go 1.25 does not yet define named constants for them. Go silently ignores CurveIDs it does not implement, so these are no-ops until Go 1.26.

Summary by CodeRabbit

  • New Features
    • Added TLS group-to-curve identifier conversion to support selecting the appropriate negotiated cryptographic parameters.
    • Added the ability to list all TLS groups supported by the current runtime.
  • Bug Fixes
    • Improved behavior when unsupported TLS groups are provided by filtering them out while returning which selections could not be used.
    • Expanded compatibility across both newer and older TLS group options, including post-quantum and hybrid selections.
  • Tests
    • Added coverage to validate TLS group mappings and supported group completeness.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 52f6af49-6ac1-439d-8d40-c134b9d35cac

📥 Commits

Reviewing files that changed from the base of the PR and between 41e0932 and fdc7682.

📒 Files selected for processing (2)
  • pkg/crypto/crypto.go
  • pkg/crypto/crypto_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/crypto/crypto.go
  • pkg/crypto/crypto_test.go

Walkthrough

This PR adds TLS group-to-curve mappings in pkg/crypto, exposes conversion and validation helpers, and expands tests to cover Go TLS constant alignment and group translation behavior.

Changes

TLS Group Mapping

Layer / File(s) Summary
Internal maps and helpers
pkg/crypto/crypto.go
Defines goTLSGroups and tlsGroupToCurveID, then adds helpers to map a single group, convert slices of groups, and list supported groups.
Mapping tests
pkg/crypto/crypto_test.go
Extends constant-map checks for TLS groups and adds coverage for profile group mappings, helper outputs, unsupported filtering, and sorted valid groups.

Estimated code review effort: 2 (Simple) | ~15 minutes

Possibly related issues

  • openshift/controller-runtime-common#20 — Adds TLS group-to-tls.CurveID mapping helpers that would support wiring profile groups into TLS curve preferences.
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: adding TLS group and curve mapping support in crypto.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The new tests use static, deterministic titles; no Ginkgo-style or run-varying names were added.
Test Structure And Quality ✅ Passed PASS: These are plain deterministic unit tests; they use table-driven cases, no external resources or waits, and match the package’s existing style.
Microshift Test Compatibility ✅ Passed The added tests are plain Go unit tests, not Ginkgo e2e tests, and they reference no MicroShift-unsupported OpenShift APIs or patterns.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PASS: The PR only adds pkg/crypto unit tests with testing.T; no Ginkgo e2e tests or SNO/multi-node assumptions were added.
Topology-Aware Scheduling Compatibility ✅ Passed Only TLS group mapping helpers/tests changed; no manifests, controllers, or scheduling constraints were added.
Ote Binary Stdout Contract ✅ Passed No main/init/TestMain/RunSpecs or top-level init stdout writes were added; only ordinary Test* functions print, which the check explicitly exempts.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests were added; only pkg/crypto unit/library code changed, with no external connectivity requirements.
No-Weak-Crypto ✅ Passed The PR only adds TLSGroup↔CurveID mappings and tests; no new MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons were introduced.
Container-Privileges ✅ Passed Only pkg/crypto/*.go changed; no privileged, hostPID/network/IPC, allowPrivilegeEscalation, or SYS_ADMIN settings were added.
No-Sensitive-Data-In-Logs ✅ Passed The PR adds TLS group mappings/tests only; no new log statements or sensitive-data-bearing messages were introduced in changed lines.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from bertinatto and deads2k July 3, 2026 08:02
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: damdo
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/crypto/crypto_test.go (1)

40-50: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add SecP to the group discovery prefixes in pkg/crypto/crypto_test.go:48 so TestConstantMaps catches Go 1.26’s tls.SecP256r1MLKEM768/tls.SecP384r1MLKEM1024 constants and forces the goTLSGroups TODO to be updated.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/crypto/crypto_test.go` around lines 40 - 50, Add SecP to the group-prefix
discovery in TestConstantMaps so the crypto test suite picks up Go 1.26’s new
tls.SecP256r1MLKEM768 and tls.SecP384r1MLKEM1024 constants. Update the prefix
checks in the loop over pkg.Scope().Names() alongside the existing CurveP and
X25519 handling, so discoveredGroups includes these symbols and the goTLSGroups
TODO will fail until it is updated.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/crypto/crypto.go`:
- Around line 392-397: The doc comments for CurveIDForTLSGroup and
ValidTLSGroups are misleading for the PQ-hybrid groups because the returned
bool/list currently reflects mapped or known TLSGroup values, not actual Go
version support. Update the comments to describe that these APIs return
known/mapped groups (including the hybrid no-op IDs) rather than claiming
“supported by this Go version,” and keep the wording aligned with
tlsGroupToCurveID and ValidTLSGroups so callers don’t infer unsupported groups
are rejected.

---

Nitpick comments:
In `@pkg/crypto/crypto_test.go`:
- Around line 40-50: Add SecP to the group-prefix discovery in TestConstantMaps
so the crypto test suite picks up Go 1.26’s new tls.SecP256r1MLKEM768 and
tls.SecP384r1MLKEM1024 constants. Update the prefix checks in the loop over
pkg.Scope().Names() alongside the existing CurveP and X25519 handling, so
discoveredGroups includes these symbols and the goTLSGroups TODO will fail until
it is updated.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e6fcba51-5d2f-4da6-9863-513f119e4e68

📥 Commits

Reviewing files that changed from the base of the PR and between fd74bb5 and 41e0932.

📒 Files selected for processing (2)
  • pkg/crypto/crypto.go
  • pkg/crypto/crypto_test.go

Comment thread pkg/crypto/crypto.go
Map OpenShift API TLSGroup constants to Go's tls.CurveID values,
following the same pattern used for cipher suite mapping. This enables
downstream consumers (observer, operators) to resolve curve preferences
from TLS security profiles.

SecP256r1MLKEM768 and SecP384r1MLKEM1024 use raw IANA IDs (4587, 4590)
because Go 1.25 does not yet define named constants for them. Go silently
ignores CurveIDs it does not implement, so these are no-ops until Go 1.26.
@damdo damdo force-pushed the tls-curve-preferences-crypto branch from 41e0932 to fdc7682 Compare July 3, 2026 09:41
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@damdo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@damdo

damdo commented Jul 3, 2026

Copy link
Copy Markdown
Member Author

Comment thread pkg/crypto/crypto.go
"X25519": tls.X25519, // IANA 29
"X25519MLKEM768": tls.X25519MLKEM768, // IANA 4588
// TODO: add "SecP256r1MLKEM768": tls.SecP256r1MLKEM768 (IANA 4587) when Go 1.26 is the minimum version
// TODO: add "SecP384r1MLKEM1024": tls.SecP384r1MLKEM1024 (IANA 4590) when Go 1.26 is the minimum version

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// TODO: add "SecP384r1MLKEM1024": tls.SecP384r1MLKEM1024 (IANA 4590) when Go 1.26 is the minimum version
// TODO: add "SecP384r1MLKEM1024": tls.SecP384r1MLKEM1024 (IANA 4589) when Go 1.26 is the minimum version

https://www.ietf.org/archive/id/draft-ietf-tls-ecdhe-mlkem-01.html#name-secp384r1mlkem1024

probably safer to document as 4589 - unless I'm incorrect and this is something specific to Go

Comment thread pkg/crypto/crypto_test.go
if strings.HasPrefix(declName, "TLS_RSA_") || strings.HasPrefix(declName, "TLS_ECDHE_") || strings.HasPrefix(declName, "TLS_AES_") || strings.HasPrefix(declName, "TLS_CHACHA20_") {
discoveredCiphers[declName] = true
}
if strings.HasPrefix(declName, "CurveP") || strings.HasPrefix(declName, "X25519") {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this filter need SecP and MLKEM prefixes? Or will that be updated when addressing the TODOs for go 1.26 >= ?

Comment thread pkg/crypto/crypto.go
"CurveP521": tls.CurveP521, // IANA 25
"X25519": tls.X25519, // IANA 29
"X25519MLKEM768": tls.X25519MLKEM768, // IANA 4588
// TODO: add "SecP256r1MLKEM768": tls.SecP256r1MLKEM768 (IANA 4587) when Go 1.26 is the minimum version

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be antipattern, but we could reduce all these TODOs by creating a separate file with something like:

//go:build go1.26

package crypto

import (
	"crypto/tls"

	configv1 "github.com/openshift/api/config/v1"
)

func init() {
	goTLSGroups["SecP256r1MLKEM768"] = tls.SecP256r1MLKEM768
	goTLSGroups["SecP384r1MLKEM1024"] = tls.SecP384r1MLKEM1024

	tlsGroupToCurveID[configv1.TLSGroupSecP256r1MLKEM768] = tls.SecP256r1MLKEM768
	tlsGroupToCurveID[configv1.TLSGroupSecP384r1MLKEM1024] = tls.SecP384r1MLKEM1024
}

Not sure if we normally leverage this in the project, just trying to think of ways to not have to come back to the TODOs 😄

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a good idea to me. This would make it possible for projects using older go to continue using newer library-go.

Comment thread pkg/crypto/crypto_test.go
discoveredVersions := map[string]bool{}
discoveredCiphers := map[string]bool{}
discoveredGroups := map[string]bool{}
for _, declName := range pkg.Scope().Names() {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should have a default kind of case here, where we register all other known unrelated constants in the package. That way if a new constant is added that doesn't match one of our existing patterns, this test fails and we are forced to decide:

  • is this a new version?
  • is this a new cipher?
  • is this a new group?
  • is it unrelated

And add it to the respective set.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants