feat(core): New cryptoProvider config (#939)

- define new `cryptoProvider` config structs to support rotation with different keys - this means the algorithm must be present - I'm using some heuristics to maintain backward compatibility of standard crypto configs, but hsm configs must be updated - Adds `kid` in response to kas_public_key - Adds `kid` in key access objects produced by SDK - Still no support in nanotdf, as we have not agreed on how/where to store the `kid` value in the header. See #900 New Config: ```yaml server: cryptoProvider: type: standard standard: keys: - kid: r1 alg: rsa:2048 private: kas-private.pem cert: kas-cert.pem - kid: r0 alg: rsa:2048 private: kas-private-old.pem cert: kas-cert-old.pem - kid: e1 alg: ec:secp256r1 private: kas-ec-private.pem cert: kas-ec-cert.pem services: kas: enabled: true keyring: - alg: rsa:2048 kid: r1 - alg: rsa:2048 kid: r0 legacy: true - alg: ec:secp256r1 kid: e1 ``` some notes: - `kid` values should be unique, preferably for the lifetime of the kas host domain name - `kid` values should short strings (I'd suggest maxing out at 44 characters) - `private` and `cert` indicate the location of private key and a certificate, if available - For `hsm` keys, these should be label values - For `standard` keys, these should be paths to PEM files relative to the current working directory - I've deprecated the `eccertid` for a new `keyring` parameter which describes how KAS will interpret the key. So we have two sections: `server.cryptoProvider` describes what keys are available, while `service.kas.keyring` describes how KAS uses those keys. - We don't have a 'rotate' script yet. To do this manually, update the init-temp-keys script to use a new name/label and rerun and add the new keys to the list, updating the `certid` fields to point to the new values To come: 1. nanoTDF support
opentdf · Jun 12, 2024 · 8150623 · 8150623
1 parent 1d76303
commit 8150623
Show file tree

Hide file tree

Showing 30 changed files with 722 additions and 373 deletions.
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -169,7 +169,7 @@ jobs:
         if: matrix.crypto == 'standard'
       - name: Added Trusted Certs
         run: |
-          sudo chmod -R 777 ./keys 
+          sudo chmod -R 777 ./keys
           sudo apt-get install -y ca-certificates
           sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates
           sudo update-ca-certificates

diff --git a/docs/grpc/index.html b/docs/grpc/index.html
diff --git a/docs/openapi/kas/kas.swagger.json b/docs/openapi/kas/kas.swagger.json
diff --git a/examples/cmd/encrypt.go b/examples/cmd/encrypt.go
@@ -65,10 +65,11 @@ func encrypt(cmd *cobra.Command, args []string) error {
 		}
 	}()
 
-	if !nanoFormat {
+	attributes := strings.Split(joinedDataAttributes, " ")
 
+	if !nanoFormat {
 		tdf, err := client.CreateTDF(out, in,
-			sdk.WithDataAttributes(strings.Split(joinedDataAttributes, " ")...),
+			sdk.WithDataAttributes(attributes...),
 			sdk.WithKasInformation(
 				sdk.KASInfo{
 					// examples assume insecure http
@@ -83,19 +84,12 @@ func encrypt(cmd *cobra.Command, args []string) error {
 		if err != nil {
 			return err
 		}
-
-		// Print Manifest
 		cmd.Println(string(manifestJSON))
 	} else {
-		attributes := []string{
-			"https://example.com/attr/attr1/value/value1",
-		}
-
 		nanoTDFConfig, err := client.NewNanoTDFConfig()
 		if err != nil {
 			return err
 		}
-
 		nanoTDFConfig.SetAttributes(attributes)
 		nanoTDFConfig.EnableECDSAPolicyBinding()
 		err = nanoTDFConfig.SetKasURL(fmt.Sprintf("http://%s/kas", platformEndpoint))

diff --git a/go.work.sum b/go.work.sum
@@ -1784,6 +1784,7 @@ golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1846,6 +1847,7 @@ golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1879,6 +1881,7 @@ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1987,6 +1990,7 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240208230135-b75ee8823808 h1:+Kc94D8UVEVxJnLXp/+FMfqQARZtWHfVrcRtcG8aT3g=
 golang.org/x/telemetry v0.0.0-20240208230135-b75ee8823808/go.mod h1:KG1lNk5ZFNssSZLrpVb4sMXKMpGwGXOxSG3rnu2gZQQ=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
@@ -2090,6 +2094,7 @@ golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
 golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
+golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=

diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
@@ -11,6 +11,8 @@ logger:
 services:
   kas:
     enabled: true
+    eccertid: e1
+    rsacertid: r1
   policy:
     enabled: true
   authorization:
@@ -98,17 +100,15 @@ server:
   cryptoProvider:
     type: standard
     standard:
-      rsa:
-        123:
-          private_key_path: kas-private.pem
-          public_key_path: kas-cert.pem
-        456:
-          private_key_path: kas-private.pem
-          public_key_path: kas-cert.pem
-      ec:
-        123:
-          private_key_path: kas-ec-private.pem
-          public_key_path: kas-ec-cert.pem
+      keys:
+        - kid: r1
+          alg: rsa:2048
+          private: kas-private.pem
+          cert: kas-cert.pem
+        - kid: e1
+          alg: ec:secp256r1
+          private: kas-ec-private.pem
+          cert: kas-ec-cert.pem
   port: 8080
 opa:
   embedded: true # Only for local development
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
@@ -11,6 +11,8 @@ db:
 services:
   kas:
     enabled: true
+    eccertid: e1
+    rsacertid: r1
   policy:
     enabled: true
   entityresolution:
@@ -97,17 +99,15 @@ server:
   cryptoProvider:
     type: standard
     standard:
-      rsa:
-        123:
-          private_key_path: /keys/kas-private.pem
-          public_key_path: /keys/kas-cert.pem
-        456:
-          private_key_path: /keys/kas-private.pem
-          public_key_path: /keys/kas-cert.pem
-      ec:
-        123:
-          private_key_path: /keys/kas-ec-private.pem
-          public_key_path: /keys/kas-ec-cert.pem
+      keys:
+        - kid: r1
+          alg: rsa:2048
+          private: /keys/kas-private.pem
+          cert: /keys/kas-cert.pem
+        - kid: e1
+          alg: ec:secp256r1
+          private: /keys/kas-ec-private.pem
+          cert: /keys/kas-ec-cert.pem
   port: 8080
 opa:
   embedded: true # Only for local development
diff --git a/opentdf-with-hsm.yaml b/opentdf-with-hsm.yaml
@@ -11,6 +11,8 @@ logger:
 services:
   kas:
     enabled: true
+    eccertid: e1
+    rsacertid: r1
   policy:
     enabled: true
   entityresolution:
@@ -106,10 +108,12 @@ server:
       pin: "12345"
       slotlabel: "dev-token"
       keys:
-        rsa:
-          label: development-rsa-kas
-        ec:
-          label: development-ec-kas
+        - kid: r1
+          alg: rsa:2048
+          private: development-rsa-kas
+        - kid: e1
+          alg: ec:secp256r1
+          private: development-ec-kas
   port: 8080
 opa:
   embedded: true # Only for local development