feat(SS): EC key support for signing/authentication #2400
Conversation
ovidijusnortal
force-pushed
the
XRDDEV-2694
branch
from
7f96933 to
de4db72
Compare
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTestsNo Gradle build results detected. |
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTests
|
ovidijusnortal
force-pushed
the
XRDDEV-2694
branch
from
de4db72 to
d22fcdf
Compare
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTests
|
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTests
|
There was a problem hiding this comment.
Some comments regarding the documentation. I leave the more detailed technical review for @ricardas-buc.
|
Also, the Security Server installation and user guides don't currently explain what needs to be done to switch the auth/sign key type from RSA to EC. It should be explained what's the default key type and how it can be changed. Also, the documentation should explain how changing the key type may affect backwards compatibility and interoperability between two X-Road instances in a federated setup. Probably the best approach is to add the documentation to the Security Server user guide and add a link to it in the Security Server installation guide. |
ovidijusnortal
force-pushed
the
XRDDEV-2695
branch
4 times, most recently
from
d1ba8a9 to
a61d026
Compare
ovidijusnortal
force-pushed
the
XRDDEV-2694
branch
from
e007a2a to
6c83c38
Compare
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTests
|
| @@ -566,6 +569,11 @@ The key can then be moved to an external host and imported to GPG keyring with t | |||
| Automated Certificate Management Environment (ACME) protocol enables automated certificate management of the authentication and sign | |||
| certificates on the Security Server. More information about the required configuration is available in the [Security Server User Guide](ug-ss_x-road_6_security_server_user_guide.md#24-configuring-acme). | |||
|
|
|||
| ### 3.7 Enabling EC keys for authentication and signing certificates | |||
There was a problem hiding this comment.
This section is missing from the Table of Contents.
Also, please update the heading:
3.7 Enabling EC Keys for Authentication and Signing Certificates
| @@ -566,6 +569,11 @@ The key can then be moved to an external host and imported to GPG keyring with t | |||
| Automated Certificate Management Environment (ACME) protocol enables automated certificate management of the authentication and sign | |||
| certificates on the Security Server. More information about the required configuration is available in the [Security Server User Guide](ug-ss_x-road_6_security_server_user_guide.md#24-configuring-acme). | |||
|
|
|||
| ### 3.7 Enabling EC keys for authentication and signing certificates | |||
|
|
|||
| Security server supports EC based authentication and signing certificates since version 7.6.0. | |||
There was a problem hiding this comment.
Security server supports
=>
Security Server supports
| @@ -263,6 +264,9 @@ Doc. ID: UG-SS | |||
| - [22 Additional Security Hardening](#22-additional-security-hardening) | |||
| - [23 Passing additional parameters to psql](#23-passing-additional-parameters-to-psql) | |||
| - [24 Configuring ACME](#24-configuring-acme) | |||
| - [25 Migrating to EC based Authentication and Signing certificates](#25-migrating-to-ec-based-authentication-and-signing-certificates) | |||
There was a problem hiding this comment.
Please update this to:
25 Migrating to EC Based Authentication and Signing Certificates
| @@ -263,6 +264,9 @@ Doc. ID: UG-SS | |||
| - [22 Additional Security Hardening](#22-additional-security-hardening) | |||
| - [23 Passing additional parameters to psql](#23-passing-additional-parameters-to-psql) | |||
| - [24 Configuring ACME](#24-configuring-acme) | |||
| - [25 Migrating to EC based Authentication and Signing certificates](#25-migrating-to-ec-based-authentication-and-signing-certificates) | |||
| - [25.1 Steps to enable EC based certificates](#251-Steps-to-enable-EC-based-certificates) | |||
There was a problem hiding this comment.
Please update this to:
25.1 Steps to Enable EC Based Certificates
| @@ -263,6 +264,9 @@ Doc. ID: UG-SS | |||
| - [22 Additional Security Hardening](#22-additional-security-hardening) | |||
| - [23 Passing additional parameters to psql](#23-passing-additional-parameters-to-psql) | |||
| - [24 Configuring ACME](#24-configuring-acme) | |||
| - [25 Migrating to EC based Authentication and Signing certificates](#25-migrating-to-ec-based-authentication-and-signing-certificates) | |||
| - [25.1 Steps to enable EC based certificates](#251-Steps-to-enable-EC-based-certificates) | |||
| - [25.2 Backwards compatibility](#252-Backwards-compatibility) | |||
There was a problem hiding this comment.
Please update this to:
25.2 Backwards Compatibility
| ``` | ||
|
|
||
| ## 25 Migrating to EC based Authentication and Signing certificates |
There was a problem hiding this comment.
Please update this to:
25 Migrating to EC Based Authentication and Signing Certificates
| ## 25 Migrating to EC based Authentication and Signing certificates | ||
|
|
||
| ### 25.1 Steps to enable EC based certificates |
There was a problem hiding this comment.
Please update this to:
25.1 Steps to Enable EC Based Certificates
| The instructions how to start using EC based certificates are listed below. |
There was a problem hiding this comment.
Consider updating this:
Since version 7.6.0 Security Server supports ECDSA based authentication and signing keys. By default, both authentication and signing keys use the RSA algorithm as in previous versions. The EC algorithm can be enabled separately for authentication and/or signing keys so migration can be done in a gradual way.
The instructions on how to start using EC based keys are listed below.
| - Older Security Servers should be able to verify requests signed with EC keys from newer Security server. | ||
| - If older Security Server makes to request to newer Security Server,which uses EC based authentication certificate, then `TLS handshake failed` error may occur. To fix this without upgrading the older Security Server, just update on that security server `xroad-tls-ciphers` property to include EC compatible TLS cypher for example: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, read more in [UG-SYSPAR](../Manuals/ug-syspar_x-road_v6_system_parameters.md). |
There was a problem hiding this comment.
Consider updating this:
EC based keys are supported starting from X-Road version 7.6.0 (=> 7.6.0). If an X-Road instance contains Security Servers prior to version 7.6.0 (< 7.6.0), then:
- A Security Server prior to version 7.6.0 (< 7.6.0) is able to verify requests signed with EC keys from a Security Server version 7.6.0 or later (=> 7.6.0).
- If a Security Server prior to version 7.6.0 (< 7.6.0) makes a request to a Security Server version 7.6.0 or later (=> 7.6.0), which uses EC based authentication certificate, then
TLS handshake failederror may occur. To fix this without upgrading the older Security Server, update the Security Server'sxroad-tls-ciphersproperty to include EC compatible TLS cipher, e.g.:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, read more in UG-SYSPAR.
ovidijusnortal
force-pushed
the
XRDDEV-2695
branch
from
bed409c to
2226e0e
Compare
make it work Refs: XRDDEV-2694 feat(SS): EC key support for signing/authentication fix tls issue Refs: XRDDEV-2694 feat(SS): EC key support for signing/authentication also make SS admin UI login page look same as CS UI Refs: XRDDEV-2694
refactor Refs: XRDDEV-2694
update documentation Refs: XRDDEV-2694
update link in docs Refs: XRDDEV-2695
ovidijusnortal
force-pushed
the
XRDDEV-2694
branch
from
6c83c38 to
2739898
Compare
update documentation Refs: XRDDEV-2694
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTestsNo Gradle build results detected. |
|
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTests
|
...-service/core/src/main/java/org/niis/xroad/cs/admin/core/converter/CertificateConverter.java
Outdated
Show resolved
Hide resolved
Refs: XRDDEV-2694
Job Summary for GradleBuild and test :: BuildAndPackageWithUnitTests
|
No description provided.