From 529be58e95b48f9133fc9f25c64fcff7c67064ee Mon Sep 17 00:00:00 2001
From: Shailesh Patil <53746241+mineme0110@users.noreply.github.com>
Date: Thu, 4 Apr 2024 14:43:40 +0100
Subject: [PATCH] =?UTF-8?q?fix(mediator):=20Update=20the=20readme=20and=20?=
 =?UTF-8?q?docker=20with=20type=20of=20key=20forma=E2=80=A6=20(#267)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* docs(medeiator): Updated the readme and docker with type of key format used for mediator identity
* docs(medeiator): Updated the readme and docker with type of key format used for mediator identity
* fix(mediator): Update application.conf and removed the default identity keys for the mediator Add readme for how to create keys for mediator identity
* fix(mediator): Add restart with envVariables
* fix(mediator): Add restart with envVariables
---------
Signed-off-by: Shailesh Patil <53746241+mineme0110@users.noreply.github.com>
Signed-off-by: Shailesh Patil
---
 README.md | 7 ++-
 build.sbt | 15 +++++
 docker-compose.yml | 3 +
 .../charts/mediator/templates/deployment.yaml | 8 +++
 mediator-identity-key-generation.md | 59 +++++++++++++++++++
 mediator/src/main/resources/application.conf | 4 --
 6 files changed, 91 insertions(+), 5 deletions(-)
 create mode 100644 mediator-identity-key-generation.md
diff --git a/README.md b/README.md
index 5c9723e2..eb95c8e5 100644
--- a/README.md
+++ b/README.md
@@ -133,8 +133,13 @@ The default configuration is set up [application.conf](/mediator/src/main/resour
 So in order to configure the mediator for your needs. You can either change the default configuration or you can set up environment variables that overrides the defaults:
-#### identity
+#### identity
+> KEY_AGREEMENT, KEY_AUTHENTICATION use JOSE (JSON Object Signing and Encryption) format, utilizing OKP (Octet Key Pair) type with base64url-safe encoded keys.
+
 To set up the mediator identity:
+
+[How to generate mediator identity](./mediator-identity-key-generation.md)
+
 - `KEY_AGREEMENT_D` - is the key agreement private key (MUST be a X25519 OKP key type).
 - `KEY_AGREEMENT_X` - is the key agreement public key (MUST be a X25519 OKP key type).
 - `KEY_AUTHENTICATION_D` - is the key authentication private key (MUST be an Ed25519 OKP key type).
diff --git a/build.sbt b/build.sbt
index 93b3caa9..7dfed453 100644
--- a/build.sbt
+++ b/build.sbt
@@ -99,6 +99,19 @@ lazy val NPM = new {
 val sha256 = Seq("js-sha256" -> "0.9.0")
 }
+lazy val ENV = new {
+ val keyAgreementD = "Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c"
+ val keyAgreementX = "Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw"
+ val keyAuthenticationD = "INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug"
+ val keyAuthenticationX = "MBjnXZxkMcoQVVL21hahWAw43RuAG-i64ipbeKKqwoA"
+ val envVars = Map(
+ "KEY_AGREEMENT_D" -> keyAgreementD,
+ "KEY_AGREEMENT_X" -> keyAgreementX,
+ "KEY_AUTHENTICATION_D" -> keyAuthenticationD,
+ "KEY_AUTHENTICATION_X" -> keyAuthenticationX
+ )
+}
+
 inThisBuild(
 Seq(
 scalacOptions ++= Seq(
@@ -241,6 +254,8 @@ lazy val mediator = project
 Assets / WebKeys.packagePrefix := "public/",
 Runtime / managedClasspath += (Assets / packageBin).value,
 )
+ .settings(run / fork := true)
+ .settings(envVars ++= ENV.envVars )
+ .enablePlugins(WebScalaJSBundlerPlugin)
 .enablePlugins(JavaAppPackaging, DockerPlugin)
diff --git a/docker-compose.yml b/docker-compose.yml
index 7299ff26..19d74bce 100644
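Review bot: `ENV.keyAgreementD` and `ENV.keyAuthenticationD` in the new `lazy val ENV` object are X25519 and Ed25519 private keys committed as plain literals, and the same four values are repeated in docker-compose.yml and in infrastructure/charts/mediator/templates/deployment.yaml in this commit, so they are a fixed, publicly known mediator identity rather than a secret. That is acceptable for a local `sbt run`, but nothing in the object says so, and a reader of build.sbt alone will not see the "demo purpose only" warning that docker-compose.yml gets. I would head the object with `// Well-known demo identity for local \`sbt run\` only. These values are public (they live in this repository); never reuse them for a deployed mediator.` The same point applies to the deployment.yaml hunk, where the consequence is more serious because that template is what gets installed.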
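Review bot: `.settings(envVars ++= ENV.envVars )` sets the four KEY_* variables for the forked JVM unconditionally, and as far as I can tell sbt applies `envVars` on top of the inherited environment, so a developer who exported their own KEY_AGREEMENT_D etc. as the README now instructs still runs with the demo identity. Keeping the demo keys only as a fallback for variables the shell does not already provide avoids that: `.settings(envVars ++= ENV.envVars.filterNot { case (k, _) => sys.env.contains(k) })`. The enclosing `lazy val mediator = project` definition starts outside the hunk, so I cannot tell whether `envVars` is set elsewhere in the chain as well.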
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,6 +19,9 @@ services:
 - "8080:8080"
 environment:
 # Creates the identity:
+ # These keys are for demo purpose only for production deployments generate keys
+ # Please follow the README file for guidelines on How to generate JWK format keys
+ # KEY_AGREEMENT KEY_AUTHENTICATION are using format JOSE(JWK) OKP type base64urlsafe encoded keys
 - KEY_AGREEMENT_D=Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c
 - KEY_AGREEMENT_X=Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw
 - KEY_AUTHENTICATION_D=INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug
diff --git a/infrastructure/charts/mediator/templates/deployment.yaml b/infrastructure/charts/mediator/templates/deployment.yaml
index c94027fc..a0a1a210 100644
--- a/infrastructure/charts/mediator/templates/deployment.yaml
+++ b/infrastructure/charts/mediator/templates/deployment.yaml
@@ -27,6 +27,14 @@ spec:
 ports:
 - containerPort: 8080
 env:
+ - name: KEY_AGREEMENT_D
+ value: "Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c"
+ - name: KEY_AGREEMENT_X
+ value: "Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw"
+ - name: KEY_AUTHENTICATION_D
+ value: "INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug"
+ - name: KEY_AUTHENTICATION_X
+ value: "MBjnXZxkMcoQVVL21hahWAw43RuAG-i64ipbeKKqwoA"
 - name: MONGODB_USER
 value: "admin"
 - name: MONGODB_PASSWORD
diff --git a/mediator-identity-key-generation.md b/mediator-identity-key-generation.md
new file mode 100644
index 00000000..5d97bf7d
--- /dev/null
+++ b/mediator-identity-key-generation.md
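Review bot: The added comment points readers to "the README file" for key generation, but the step-by-step guide this commit introduces is mediator-identity-key-generation.md (the README only links to it), so the comment should name that file directly, e.g. `# Demo identity only. Generate your own JWK (OKP, base64url) keys as described in mediator-identity-key-generation.md before any non-local deployment`. It would also help to state why: the private halves below are committed to this repository, so a mediator started with them has an identity anyone can impersonate and whose incoming traffic anyone with the repository can decrypt.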
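Review bot: The Helm template now hardcodes the demo identity, including the two private keys `KEY_AGREEMENT_D` and `KEY_AUTHENTICATION_D`, so every `helm install` that does not patch the template itself runs a mediator whose private keys are committed to this repository, and the literal values are readable by anyone with read access to the Deployment object. A chart template should not carry identity material at all: take the four values from a Kubernetes Secret via `valueFrom.secretKeyRef`, with the Secret name coming from values.yaml, so an install that has not been given an identity fails at container start instead of silently using the public keys. The public halves (`KEY_AGREEMENT_X`, `KEY_AUTHENTICATION_X`) are not secret, but they must match the private halves, so sourcing all four from the same Secret is the simplest way to keep them consistent.
```yaml
        - name: KEY_AGREEMENT_D
          valueFrom:
            secretKeyRef:
              name: {{ .Values.mediator.identitySecretName }}  # constructed values key: add it to values.yaml with no default
              key: KEY_AGREEMENT_D
        # … unchanged pattern, repeated for KEY_AGREEMENT_X, KEY_AUTHENTICATION_D, KEY_AUTHENTICATION_X …
        - name: MONGODB_USER
```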
@@ -0,0 +1,59 @@
+### Step-by-Step Guide to Generate Keys for the Mediator Identity
+
+1. **Install OpenSSL**:
+ - **Linux**:
+ - If you haven't already, install OpenSSL on your Linux system using your package manager. Here are the commands for various package managers:
+ ```bash
+ sudo apt-get update && sudo apt-get install openssl
+ ```
+ ```bash
+ sudo yum install openssl # Red Hat-based systems
+ ```
+ ```bash
+ sudo pacman -S openssl # Arch Linux
+ ```
+ - **macOS**:
+ - OpenSSL is typically pre-installed on macOS. If it's not available or you need a newer version, you can install it using Homebrew:
+ ```bash
+ brew install openssl
+ ```
+
+2. **Install jq**:
+ - **Linux**:
+ - If you haven't already, install jq on your Linux system using your package manager. Here are the commands for various package managers:
+ ```bash
+ sudo apt-get update && sudo apt-get install jq
+ ```
+ ```bash
+ sudo yum install jq # Red Hat-based systems
+ ```
+ ```bash
+ sudo pacman -S jq # Arch Linux
+ ```
+ - **macOS**:
+ - If you haven't already, install jq on your macOS system using Homebrew:
+ ```bash
+ brew install jq
+ ```
+
+3. **Generate X25519 Key (for KEY_AGREEMENT)**:
+ - Run the following command to generate the X25519 key:
+ ```bash
+ openssl genpkey -algorithm X25519 -out private_key_x25519.pem
+ ```
+4. **Format X25519 Key into JWK**:
+ - Run the following command to format the X25519 key into JWK format:
+ ```bash
+ jq -nR --arg d "$(openssl pkey -inform pem -in private_key_x25519.pem -noout -text | awk '/priv:/{flag=1; next} /pub:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" --arg x "$(openssl pkey -inform pem -in private_key_x25519.pem -noout -text | awk '/pub:/{flag=1; next} /priv:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" '{kty: "OKP", crv: "X25519", x: $x, d: $d}'
+ ```
+5. **Generate Ed25519 Key (for KEY_AUTHENTICATION)**:
+ - Run the following command to generate the Ed25519 key:
+ ```bash
+ openssl genpkey -algorithm Ed25519 -out private_key_ed25519.pem
+ ```
+6. **Format Ed25519 Key into JWK**:
+ - Run the following command to format the Ed25519 key into JWK format:
+ ```bash
+ jq -nR --arg d "$(openssl pkey -inform pem -in private_key_ed25519.pem -noout -text | awk '/priv:/{flag=1; next} /pub:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" --arg x "$(openssl pkey -inform pem -in private_key_ed25519.pem -noout -text | awk '/pub:/{flag=1; next} /priv:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" '{kty: "OKP", crv: "Ed25519", x: $x, d: $d}'
+ ```
+These commands will guide you to generate X25519 and Ed25519 keys using OpenSSL and format them into JWK format suitable for use as KEY_AGREEMENT and KEY_AUTHENTICATION keys, respectively.
diff --git a/mediator/src/main/resources/application.conf b/mediator/src/main/resources/application.conf
index 3ae8f0c4..5c5e13bb 100644
--- a/mediator/src/main/resources/application.conf
+++ b/mediator/src/main/resources/application.conf
@@ -3,17 +3,13 @@ mediator = {
 keyAgreement = {
 kty = "OKP"
 crv = "X25519"
- d = "Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c"
 d = ${?KEY_AGREEMENT_D}
- x = "Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw"
 x = ${?KEY_AGREEMENT_X}
 }
 keyAuthentication = {
 kty = "OKP"
 crv = "Ed25519"
- d = "INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug"
 d = ${?KEY_AUTHENTICATION_D}
- x = "MBjnXZxkMcoQVVL21hahWAw43RuAG-i64ipbeKKqwoA"
 x = ${?KEY_AUTHENTICATION_X}
 }
 endpoints = "http://localhost:8080;ws://localhost:8080/ws"