feat(core): New cryptoProvider config (#939)
- define new `cryptoProvider` config structs to support rotation with different keys
  - this means the algorithm must be present
  - I'm using some heuristics to maintain backward compatibility of standard crypto configs, but hsm configs must be updated
- Adds `kid` in response to kas_public_key
- Adds `kid` in key access objects produced by SDK
- Still no support in nanotdf, as we have not agreed on how/where to store the `kid` value in the header. See #900

New Config:

```yaml
server:
  cryptoProvider:
    type: standard
    standard:
      keys:
        - kid: r1
          alg: rsa:2048
          private: kas-private.pem
          cert: kas-cert.pem
        - kid: r0
          alg: rsa:2048
          private: kas-private-old.pem
          cert: kas-cert-old.pem
        - kid: e1
          alg: ec:secp256r1
          private: kas-ec-private.pem
          cert: kas-ec-cert.pem
services:
  kas:
    enabled: true
    keyring:
      - alg: rsa:2048
        kid: r1
      - alg: rsa:2048
        kid: r0
        legacy: true
      - alg: ec:secp256r1
        kid: e1
```

some notes:

- `kid` values should be unique, preferably for the lifetime of the kas host domain name
- `kid` values should be short strings (I'd suggest maxing out at 44 characters)
- `private` and `cert` indicate the location of private key and a certificate, if available
  - For `hsm` keys, these should be label values
  - For `standard` keys, these should be paths to PEM files relative to the current working directory
- I've deprecated the `eccertid` for a new `keyring` parameter which describes how KAS will interpret the key. So we have two sections: `server.cryptoProvider` describes what keys are available, while `service.kas.keyring` describes how KAS uses those keys.
- We don't have a 'rotate' script yet. To do this manually, update the init-temp-keys script to use a new name/label and rerun and add the new keys to the list, updating the `certid` fields to point to the new values

To come:

1. nanoTDF support
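As an added example (not code from this commit or from the project), the Go program below models the two config sections the commit message describes, `server.cryptoProvider` (which keys exist) and `services.kas.keyring` (how KAS uses them), and checks the constraints the notes list: `kid` values unique and at most 44 characters, `alg` always present, and every keyring entry resolving to a provider key of the same algorithm. The struct shapes, the reading of `legacy: true` as "kept only to unwrap objects wrapped under the old key", and the rule that each algorithm must keep at least one non-legacy key (otherwise there is nothing current to advertise in `kas_public_key`) are assumptions, not something the commit states; `SampleConfig` just restates the YAML above as Go values.

```go
package main

import "fmt"

const maxKIDLen = 44 // kid length cap suggested in the commit message

// Assumed Go mirror of the YAML in the commit message (not the project's own types).
type (
	KeyPair struct {
		KID     string `yaml:"kid"`     // short, unique key identifier
		Alg     string `yaml:"alg"`     // rsa:2048 or ec:secp256r1 in the example
		Private string `yaml:"private"` // PEM path (standard) or label (hsm)
		Cert    string `yaml:"cert"`    // certificate path or label, if available
	}
	CryptoProvider struct {
		Type string    `yaml:"type"`
		Keys []KeyPair `yaml:"keys"` // cryptoProvider.standard.keys in the YAML
	}
	KeyringEntry struct {
		Alg    string `yaml:"alg"`
		KID    string `yaml:"kid"`
		Legacy bool   `yaml:"legacy"` // assumed: kept only to unwrap objects under the old key
	}
	Config struct {
		CryptoProvider CryptoProvider // server.cryptoProvider
		Keyring        []KeyringEntry // services.kas.keyring
	}
)

// SampleConfig reproduces the example YAML from the commit message as Go values.
func SampleConfig() Config {
	return Config{
		CryptoProvider: CryptoProvider{Type: "standard", Keys: []KeyPair{
			{KID: "r1", Alg: "rsa:2048", Private: "kas-private.pem", Cert: "kas-cert.pem"},
			{KID: "r0", Alg: "rsa:2048", Private: "kas-private-old.pem", Cert: "kas-cert-old.pem"},
			{KID: "e1", Alg: "ec:secp256r1", Private: "kas-ec-private.pem", Cert: "kas-ec-cert.pem"},
		}},
		Keyring: []KeyringEntry{
			{Alg: "rsa:2048", KID: "r1"},
			{Alg: "rsa:2048", KID: "r0", Legacy: true},
			{Alg: "ec:secp256r1", KID: "e1"},
		},
	}
}

// ValidateConfig enforces the rules the commit message states (kids unique and short, alg
// always present, each keyring entry must resolve to a provider key of the same alg) plus the
// assumed rule that every algorithm in the keyring keeps at least one non-legacy key.
func ValidateConfig(cfg Config) []string {
	var problems []string // one message per problem; nil means the config is consistent
	byKID := map[string]KeyPair{}
	for _, k := range cfg.CryptoProvider.Keys {
		if k.KID == "" || len(k.KID) > maxKIDLen || k.Alg == "" || k.Private == "" {
			problems = append(problems, fmt.Sprintf("kid %q: kid must be 1..%d chars and alg/private must be set", k.KID, maxKIDLen))
		}
		if _, dup := byKID[k.KID]; dup {
			problems = append(problems, fmt.Sprintf("duplicate kid %q in cryptoProvider", k.KID))
			continue
		}
		byKID[k.KID] = k
	}
	hasCurrent := map[string]bool{} // alg -> at least one non-legacy keyring entry
	for _, e := range cfg.Keyring {
		k, ok := byKID[e.KID]
		if !ok {
			problems = append(problems, fmt.Sprintf("keyring kid %q is not defined in cryptoProvider", e.KID))
			continue
		}
		if k.Alg != e.Alg {
			problems = append(problems, fmt.Sprintf("keyring lists kid %q as %s but cryptoProvider says %s", e.KID, e.Alg, k.Alg))
		}
		hasCurrent[e.Alg] = hasCurrent[e.Alg] || !e.Legacy
	}
	for alg, ok := range hasCurrent {
		if !ok {
			problems = append(problems, fmt.Sprintf("all %s keyring entries are legacy; nothing current to advertise", alg))
		}
	}
	return problems
}

// CurrentKey returns the non-legacy key for alg (what a kas_public_key response would advertise, kid included).
func CurrentKey(cfg Config, alg string) (KeyPair, bool) {
	for _, e := range cfg.Keyring {
		for _, k := range cfg.CryptoProvider.Keys {
			if e.Alg == alg && !e.Legacy && k.KID == e.KID {
				return k, true
			}
		}
	}
	return KeyPair{}, false
}

func main() {
	cfg := SampleConfig()
	k, _ := CurrentKey(cfg, "rsa:2048")
	fmt.Println("problems:", ValidateConfig(cfg), "advertise rsa:2048 kid:", k.KID)
}
```

Running it on the sample config reports no problems and picks `r1` as the current RSA key while `r0` stays available for unwrapping. The check is most useful at the manual rotation step the notes describe: after adding a new key and flipping the old one to `legacy: true`, a typo in a `kid` or a keyring entry left pointing at a removed key is caught before KAS starts serving with it.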
1 parent 1d76303, commit 8150623.
Showing 30 changed files with 722 additions and 373 deletions.