revert SPIFFE CA JWT key to RSA

gravitational · Oct 3, 2024 · a0eaaf9 · a0eaaf9
1 parent 2b778a9
commit a0eaaf9
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/lib/cryptosuites/suites.go b/lib/cryptosuites/suites.go
@@ -193,7 +193,7 @@ var (
 		OIDCIdPCAJWT:            RSA2048,
 		SAMLIdPCATLS:            RSA2048,
 		SPIFFECATLS:             ECDSAP256,
-		SPIFFECAJWT:             ECDSAP256,
+		SPIFFECAJWT:             RSA2048,
 		OktaCAJWT:               ECDSAP256,
 		UserSSH:                 Ed25519,
 		UserTLS:                 ECDSAP256,
@@ -222,7 +222,7 @@ var (
 		OIDCIdPCAJWT:            RSA2048,
 		SAMLIdPCATLS:            RSA2048,
 		SPIFFECATLS:             ECDSAP256,
-		SPIFFECAJWT:             ECDSAP256,
+		SPIFFECAJWT:             RSA2048,
 		OktaCAJWT:               ECDSAP256,
 		UserSSH:                 ECDSAP256,
 		UserTLS:                 ECDSAP256,
@@ -253,7 +253,7 @@ var (
 		OIDCIdPCAJWT:            RSA2048,
 		SAMLIdPCATLS:            RSA2048,
 		SPIFFECATLS:             ECDSAP256,
-		SPIFFECAJWT:             ECDSAP256,
+		SPIFFECAJWT:             RSA2048,
 		OktaCAJWT:               ECDSAP256,
 		UserSSH:                 Ed25519,
 		UserTLS:                 ECDSAP256,

diff --git a/rfd/0136-modern-signature-algorithms.md b/rfd/0136-modern-signature-algorithms.md
@@ -166,10 +166,14 @@ The following key types will be used when the configured algorithm suite is
     * JWT: ECDSA with NIST P-256
   * OIDC IdP CA
     * JWT: 2048-bit RSA
-      * the OIDC spec required RSA support
+      * the OIDC spec requires RSA support
   * SAML IdP CA
     * TLS: 2048-bit RSA
       * much of the SAML ecosystem still only supports RSA
+  * SPIFFE CA
+    * TLS: ECDSA with NIST P-256
+    * JWT: 2048-bit RSA
+      * should be OIDC-compatible, the OIDC spec requires RSA support
   * Okta CA
     * JWT: ECDSA with NIST P-256
 * Subject key types
@@ -212,7 +216,8 @@ The following key types will be used when the configured algorithm suite is
   * tbot impersonated identities
     * SSH+TLS: ECDSA with NIST P-256 (SSH and X.509 certs signed by host CA)
   * tbot SPIFFE SVIDs
-    * TLS: ECDSA with NIST P-256 (X.509 cert signed by host CA)
+    * TLS: ECDSA with NIST P-256 (X.509 cert signed by spiffe CA)
+    * JWT: 2048-bit RSA (JWT signed by spiffe CA)
 
 This suite will *not* be compatible with clusters running in FIPS mode and/or
 configured to use an HSM or KMS for CAs.