Support of ECDSA

[blaggacao]

don't use ECDSA as it's not supported currently

However it looks as if spiffe SVID's are EC keys 😕

cat /tls/svid_key.pem
-----BEGIN EC PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmpfbqNxh2xD4L54j
gjZG3etUNQbEJCvTP+JUTVotOJihRANCAASV+Amcy6jWEeqn6cnFCjbFcRrRcyG8
yauvxlUY3VRp/6v5SUTsM/VxiTw5GgQHAdr4NlZm+BlW0/oYAtpAQFgE
-----END EC PRIVATE KEY-----

Unfortunately, fore spire, as result of their secure default policy, it's hard coded

[blaggacao]

marching through the institutions

• Add ec support to rustls [try] → Implement ecdsa keys parsing rustls/rustls#409
• Add ec support to Rocket [try] → Implement ecdsa keys rwf2/Rocket#1449
• Use patched rustls & hyper-sync-rustls in here for trow [try] → 5d0a02c

[amouat]

Well done digging into the underlying code!

We're currently in the middle of refactoring the code to swap from Rocket to Actix, but will probably still use rustls as the underlying TLS implementation.

What do you want to happen with this issue? It seems to be outside of the control of this repo. We could keep it with a "blocked" label, but then I would like a simple test so that we can check when it does start working.

[blaggacao]

Yeah a test sounds like an excellent idea! I'll throw something together today.

[blaggacao]

@amouat rwf2/Rocket@af48d1f

It looks like this just unblocked. I would be very keen to be able to end-to-end test my poc setup from half a year ago on hope to retake where I had to stop.

Could you bump the rocket version?