Add support for TLS curves in TLSProfile

Signed-off-by: Davide Salerno <dsalerno@redhat.com>

Author: davidesalerno

config/v1/types_tlssecurityprofile.go

@@ -202,6 +202,27 @@ const (
 	TLSProfileCustomType TLSProfileType = "Custom"
 )
 
+// TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+// There is a one-to-one mapping between these names and the curve IDs defined
+// in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+//
+// +kubebuilder:validation:Enum=X25519;P-256;P-384;P-521;X25519MLKEM768
+type TLSCurve string
+
+const (
+	// TLSCurveX25519 represents X25519.
+	TLSCurveX25519 TLSCurve = "X25519"
+	// TLSCurveP256 represents P-256 (secp256r1).
+	TLSCurveP256 TLSCurve = "P-256"
+	// TLSCurveP384 represents P-384 (secp384r1).
+	TLSCurveP384 TLSCurve = "P-384"
+	// TLSCurveP521 represents P-521 (secp521r1).
+	TLSCurveP521 TLSCurve = "P-521"
+	// TLSCurveX25519MLKEM768 represents X25519MLKEM768.
+	TLSCurveX25519MLKEM768 TLSCurve = "X25519MLKEM768"
+)
+
 // TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
 type TLSProfileSpec struct {
 	// ciphers is used to specify the cipher algorithms that are negotiated
@@ -213,6 +234,37 @@ type TLSProfileSpec struct {
 	//
 	// +listType=atomic
 	Ciphers []string `json:"ciphers"`
+	// curves is used to specify the elliptic curves that are used during
+	// the TLS handshake.  Operators may remove entries their operands do
+	// not support.
+	//
+	// TLSProfiles Old, Intermediate, Modern are including by default the following
+	// curves: X25519, P-256, P-384, X25519MLKEM768
+	// TLSProfiles Custom do not include any curves by default.
+	// NOTE: since this field is optional, if no curves are specified, the default curves
+	// used by the underlying TLS library will be used.
+	//
+	// For example, to use X25519 and P-256 (yaml):
+	//
+	// # Example: Force PQC-only encryption
+	// apiVersion: config.openshift.io/v1
+	// kind: APIServer
+	// spec:
+	//   tlsSecurityProfile:
+	//     type: Custom
+	//     custom:
+	//       ciphers:
+	// 	       - TLS_AES_128_GCM_SHA256
+	//         - TLS_AES_256_GCM_SHA384
+	//         - TLS_CHACHA20_POLY1305_SHA256
+	//       curves:
+	//         - X25519MLKEM768  # PQC-only: only hybrid quantum-resistant curve
+	//       minTLSVersion: VersionTLS13
+	//
+	// +optional
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=5
+	Curves []TLSCurve `json:"curves,omitempty"`
 	// minTLSVersion is used to specify the minimal version of the TLS protocol
 	// that is negotiated during the TLS handshake. For example, to use TLS
 	// versions 1.1, 1.2 and 1.3 (yaml):
@@ -283,6 +335,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 			"AES256-SHA",
 			"DES-CBC3-SHA",
 		},
+		Curves: []TLSCurve{
+			TLSCurveX25519,
+			TLSCurveP256,
+			TLSCurveP384,
+			TLSCurveX25519MLKEM768,
+		},
 		MinTLSVersion: VersionTLS10,
 	},
 	TLSProfileIntermediateType: {
@@ -299,6 +357,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 			"DHE-RSA-AES128-GCM-SHA256",
 			"DHE-RSA-AES256-GCM-SHA384",
 		},
+		Curves: []TLSCurve{
+			TLSCurveX25519,
+			TLSCurveP256,
+			TLSCurveP384,
+			TLSCurveX25519MLKEM768,
+		},
 		MinTLSVersion: VersionTLS12,
 	},
 	TLSProfileModernType: {
@@ -307,6 +371,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 			"TLS_AES_256_GCM_SHA384",
 			"TLS_CHACHA20_POLY1305_SHA256",
 		},
+		Curves: []TLSCurve{
+			TLSCurveX25519,
+			TLSCurveP256,
+			TLSCurveP384,
+			TLSCurveX25519MLKEM768,
+		},
 		MinTLSVersion: VersionTLS13,
 	},
 }

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -330,6 +330,38 @@ spec:
                           type: string
                         type: array
                         x-kubernetes-list-type: atomic
+                      curves:
+                        description: "curves is used to specify the elliptic curves
+                          that are used during\nthe TLS handshake.  Operators may
+                          remove entries their operands do\nnot support.\n\nTLSProfiles
+                          Old, Intermediate, Modern are including by default the following\ncurves:
+                          X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom
+                          do not include any curves by default.\nNOTE: since this
+                          field is optional, if no curves are specified, the default
+                          curves\nused by the underlying TLS library will be used.\n\nFor
+                          example, to use X25519 and P-256 (yaml):\n\n# Example: Force
+                          PQC-only encryption\napiVersion: config.openshift.io/v1\nkind:
+                          APIServer\nspec:\n  tlsSecurityProfile:\n    type: Custom\n
+                          \   custom:\n      ciphers:\n\t       - TLS_AES_128_GCM_SHA256\n
+                          \       - TLS_AES_256_GCM_SHA384\n        - TLS_CHACHA20_POLY1305_SHA256\n
+                          \     curves:\n        - X25519MLKEM768  # PQC-only: only
+                          hybrid quantum-resistant curve\n      minTLSVersion: VersionTLS13"
+                        items:
+                          description: |-
+                            TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+                            There is a one-to-one mapping between these names and the curve IDs defined
+                            in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+                            https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+                          enum:
+                          - X25519
+                          - P-256
+                          - P-384
+                          - P-521
+                          - X25519MLKEM768
+                          type: string
+                        maxItems: 5
+                        type: array
+                        x-kubernetes-list-type: atomic
                       minTLSVersion:
                         description: |-
                           minTLSVersion is used to specify the minimal version of the TLS protocol

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml

@@ -261,6 +261,38 @@ spec:
                           type: string
                         type: array
                         x-kubernetes-list-type: atomic
+                      curves:
+                        description: "curves is used to specify the elliptic curves
+                          that are used during\nthe TLS handshake.  Operators may
+                          remove entries their operands do\nnot support.\n\nTLSProfiles
+                          Old, Intermediate, Modern are including by default the following\ncurves:
+                          X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom
+                          do not include any curves by default.\nNOTE: since this
+                          field is optional, if no curves are specified, the default
+                          curves\nused by the underlying TLS library will be used.\n\nFor
+                          example, to use X25519 and P-256 (yaml):\n\n# Example: Force
+                          PQC-only encryption\napiVersion: config.openshift.io/v1\nkind:
+                          APIServer\nspec:\n  tlsSecurityProfile:\n    type: Custom\n
+                          \   custom:\n      ciphers:\n\t       - TLS_AES_128_GCM_SHA256\n
+                          \       - TLS_AES_256_GCM_SHA384\n        - TLS_CHACHA20_POLY1305_SHA256\n
+                          \     curves:\n        - X25519MLKEM768  # PQC-only: only
+                          hybrid quantum-resistant curve\n      minTLSVersion: VersionTLS13"
+                        items:
+                          description: |-
+                            TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+                            There is a one-to-one mapping between these names and the curve IDs defined
+                            in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+                            https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+                          enum:
+                          - X25519
+                          - P-256
+                          - P-384
+                          - P-521
+                          - X25519MLKEM768
+                          type: string
+                        maxItems: 5
+                        type: array
+                        x-kubernetes-list-type: atomic
                       minTLSVersion:
                         description: |-
                           minTLSVersion is used to specify the minimal version of the TLS protocol

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -330,6 +330,38 @@ spec:
                           type: string
                         type: array
                         x-kubernetes-list-type: atomic
+                      curves:
+                        description: "curves is used to specify the elliptic curves
+                          that are used during\nthe TLS handshake.  Operators may
+                          remove entries their operands do\nnot support.\n\nTLSProfiles
+                          Old, Intermediate, Modern are including by default the following\ncurves:
+                          X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom
+                          do not include any curves by default.\nNOTE: since this
+                          field is optional, if no curves are specified, the default
+                          curves\nused by the underlying TLS library will be used.\n\nFor
+                          example, to use X25519 and P-256 (yaml):\n\n# Example: Force
+                          PQC-only encryption\napiVersion: config.openshift.io/v1\nkind:
+                          APIServer\nspec:\n  tlsSecurityProfile:\n    type: Custom\n
+                          \   custom:\n      ciphers:\n\t       - TLS_AES_128_GCM_SHA256\n
+                          \       - TLS_AES_256_GCM_SHA384\n        - TLS_CHACHA20_POLY1305_SHA256\n
+                          \     curves:\n        - X25519MLKEM768  # PQC-only: only
+                          hybrid quantum-resistant curve\n      minTLSVersion: VersionTLS13"
+                        items:
+                          description: |-
+                            TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+                            There is a one-to-one mapping between these names and the curve IDs defined
+                            in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+                            https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+                          enum:
+                          - X25519
+                          - P-256
+                          - P-384
+                          - P-521
+                          - X25519MLKEM768
+                          type: string
+                        maxItems: 5
+                        type: array
+                        x-kubernetes-list-type: atomic
                       minTLSVersion:
                         description: |-
                           minTLSVersion is used to specify the minimal version of the TLS protocol

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -330,6 +330,38 @@ spec:
                           type: string
                         type: array
                         x-kubernetes-list-type: atomic
+                      curves:
+                        description: "curves is used to specify the elliptic curves
+                          that are used during\nthe TLS handshake.  Operators may
+                          remove entries their operands do\nnot support.\n\nTLSProfiles
+                          Old, Intermediate, Modern are including by default the following\ncurves:
+                          X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom
+                          do not include any curves by default.\nNOTE: since this
+                          field is optional, if no curves are specified, the default
+                          curves\nused by the underlying TLS library will be used.\n\nFor
+                          example, to use X25519 and P-256 (yaml):\n\n# Example: Force
+                          PQC-only encryption\napiVersion: config.openshift.io/v1\nkind:
+                          APIServer\nspec:\n  tlsSecurityProfile:\n    type: Custom\n
+                          \   custom:\n      ciphers:\n\t       - TLS_AES_128_GCM_SHA256\n
+                          \       - TLS_AES_256_GCM_SHA384\n        - TLS_CHACHA20_POLY1305_SHA256\n
+                          \     curves:\n        - X25519MLKEM768  # PQC-only: only
+                          hybrid quantum-resistant curve\n      minTLSVersion: VersionTLS13"
+                        items:
+                          description: |-
+                            TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+                            There is a one-to-one mapping between these names and the curve IDs defined
+                            in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+                            https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+                          enum:
+                          - X25519
+                          - P-256
+                          - P-384
+                          - P-521
+                          - X25519MLKEM768
+                          type: string
+                        maxItems: 5
+                        type: array
+                        x-kubernetes-list-type: atomic
                       minTLSVersion:
                         description: |-
                           minTLSVersion is used to specify the minimal version of the TLS protocol

config/v1/zz_generated.deepcopy.go

@@ -261,6 +261,38 @@ spec:
                           type: string
                         type: array
                         x-kubernetes-list-type: atomic
+                      curves:
+                        description: "curves is used to specify the elliptic curves
+                          that are used during\nthe TLS handshake.  Operators may
+                          remove entries their operands do\nnot support.\n\nTLSProfiles
+                          Old, Intermediate, Modern are including by default the following\ncurves:
+                          X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom
+                          do not include any curves by default.\nNOTE: since this
+                          field is optional, if no curves are specified, the default
+                          curves\nused by the underlying TLS library will be used.\n\nFor
+                          example, to use X25519 and P-256 (yaml):\n\n# Example: Force
+                          PQC-only encryption\napiVersion: config.openshift.io/v1\nkind:
+                          APIServer\nspec:\n  tlsSecurityProfile:\n    type: Custom\n
+                          \   custom:\n      ciphers:\n\t       - TLS_AES_128_GCM_SHA256\n
+                          \       - TLS_AES_256_GCM_SHA384\n        - TLS_CHACHA20_POLY1305_SHA256\n
+                          \     curves:\n        - X25519MLKEM768  # PQC-only: only
+                          hybrid quantum-resistant curve\n      minTLSVersion: VersionTLS13"
+                        items:
+                          description: |-
+                            TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+                            There is a one-to-one mapping between these names and the curve IDs defined
+                            in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+                            https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+                          enum:
+                          - X25519
+                          - P-256
+                          - P-384
+                          - P-521
+                          - X25519MLKEM768
+                          type: string
+                        maxItems: 5
+                        type: array
+                        x-kubernetes-list-type: atomic
                       minTLSVersion:
                         description: |-
                           minTLSVersion is used to specify the minimal version of the TLS protocol

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml

@@ -330,6 +330,38 @@ spec:
                           type: string
                         type: array
                         x-kubernetes-list-type: atomic
+                      curves:
+                        description: "curves is used to specify the elliptic curves
+                          that are used during\nthe TLS handshake.  Operators may
+                          remove entries their operands do\nnot support.\n\nTLSProfiles
+                          Old, Intermediate, Modern are including by default the following\ncurves:
+                          X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom
+                          do not include any curves by default.\nNOTE: since this
+                          field is optional, if no curves are specified, the default
+                          curves\nused by the underlying TLS library will be used.\n\nFor
+                          example, to use X25519 and P-256 (yaml):\n\n# Example: Force
+                          PQC-only encryption\napiVersion: config.openshift.io/v1\nkind:
+                          APIServer\nspec:\n  tlsSecurityProfile:\n    type: Custom\n
+                          \   custom:\n      ciphers:\n\t       - TLS_AES_128_GCM_SHA256\n
+                          \       - TLS_AES_256_GCM_SHA384\n        - TLS_CHACHA20_POLY1305_SHA256\n
+                          \     curves:\n        - X25519MLKEM768  # PQC-only: only
+                          hybrid quantum-resistant curve\n      minTLSVersion: VersionTLS13"
+                        items:
+                          description: |-
+                            TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+                            There is a one-to-one mapping between these names and the curve IDs defined
+                            in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+                            https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+                          enum:
+                          - X25519
+                          - P-256
+                          - P-384
+                          - P-521
+                          - X25519MLKEM768
+                          type: string
+                        maxItems: 5
+                        type: array
+                        x-kubernetes-list-type: atomic
                       minTLSVersion:
                         description: |-
                           minTLSVersion is used to specify the minimal version of the TLS protocol