-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(kas): Partial implementation EC384 and EC521 support in KAS #883
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not backward compatible and will break hsm.go. Can you test with hsm enabled?
Also, we may need instructions about how to upgrade - e.g. what do people need to change in their opentdf.yaml files and/or rename their existing EC key files? Will this break existing nanotdf documents?
@biscoe916 can we get a definitive decision on HSM? |
a690ea3
to
a3bf7b5
Compare
Enabled EC384 and EC521 support in KAS and added relevant unit tests. The config file now supports the new EC384 and EC521 key types. Also, test keys for both types have been generated and added.
Improved the clarity of an error message in the "NewOpenTDFServer" method. Refactored key configurations in the dev and example YAML files to differentiate between multiple elliptic curve securities. Also made updates to various scripts to generate and handle these keys suitably.
This commit includes the refactoring of the publicKey.go file for better error handling and support for different algorithms. The log messages have been updated to provide clearer context upon failure of key generation methods for both EC and RSA algorithms. Also, changes were made to the init-temp-keys.cmd script to correct the path of the generated keys.
The code was updated to address an issue where an unknown key algorithm could be passed to the publicKey functions. It now properly catches this event and logs an error message. The additional condition checks if the algorithm is not RSA in addition to being non-empty, helping prevent potential configuration errors.
This commit modifies the execution of the `init-temp-keys.sh` script in `.github/workflows/checks.yaml` file. The change includes passing '--output ./keys/' argument to the script to dictate where the keys will be stored. This specifies the directory for the keys and enhances organization.
Updated the paths for secp256r1, secp384r1, and secp521r1 key files in the opentdf-dev.yaml file, removing the '/keys/' prefix. Also modified the path in the init-temp-keys.sh command within checks.yaml. This adjustment accommodates a change in file structure and ensures consistent script execution.
This commit includes modifications to symmetric key generation in the crypto provider. Now, GenerateNanoTDFSymmetricKey requires a keyID in addition to ephemeralPublicKeyBytes. This change allows for better security features as the encryption processes are enhanced. Minor changes such as comments added to the decrypt file and an adjustment to test output validation were also implemented.
The attributes.swagger.json file in the policy documentation was deleted. It was located in the docs/openapi/policy/attributes directory. This file contains the OpenAPI specification for attribute related services. The commit message should reflect the elimination of this detailed specification file.
The if-else constructs in the GetCurveName() method of the NanoTDFHeader struct in nanotdf.go have been refactored to a switch-case statement for better readability. Also, the invocation to retrieve the public key algorithm has been updated to use req.GetAlgorithm rather than directly accessing the property.
Added secp256k1 to the ECCMode in nanotdf.go. Also, the logging level for the 'kas public key algorithm' has been downgraded from Info to Debug to reflect its utilization better and reduce log volume in non-debug scenarios.
The kNanoTDFGMACLength constant and ErrInternal error constant were removed as they were not being used. The unnecessary ECCurve fetching code was also removed, now ECCurve is fetched directly from the header. The CryptoProvider now generates keys based on this directly fetched ECCurve.
The public key handling process has been updated to accommodate three different elliptic curve algorithms: EC256R1, EC384R1 and EC512R1. The tests have also been adjusted to ensure these changes function as expected. Algorithm constants in the crypto provider code file have also been updated to reflect these changes in public key handling.
The cryptoProvider configuration in both opentdf-dev.yaml and opentdf-example.yaml files has been refactored. The rsa and ec field structure has now been replaced with a simpler, streamlined `keys` field, which should enhance readability and maintainability of these configurations.
Updated both the .cmd and .sh versions of the init-temp-keys scripts to include the generation of elliptic curve (EC) keys with prime256v1 curve. Now, alongside RSA and secp256r1 key pairs, the scripts also generate prime256v1 EC key pairs.
369e2fe
to
6b1fc14
Compare
The encryption functionality has been updated to allow for more options, such as the nano format and ability to disable storing key identifiers in TDF KAOs. The encrypt command has also been refactored for conciseness and clarity. Code for token endpoint during client creation is removed, and new options have been added to address the nanoTDF format and managing key identifiers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you want to submit this as is we can do the e2e test in the bats as a follow up
Co-authored-by: Dave Mihalcik <dmihalcik@virtru.com>
…ort-additional-elliptic-curves # Conflicts: # docs/openapi/policy/attributes/attributes.swagger.json # docs/openapi/policy/namespaces/namespaces.swagger.json
2f5d945
replaced with kid work |
Pull request was closed
Enabled EC384 and EC521 support in KAS and added relevant unit tests. The config file now supports the new EC384 and EC521 key types. Also, test keys for both types have been generated and added.
This will enable creation of a nanotdf with different curves. This will NOT enable decryption of nanotdf since we have no place to put the key identifier, see: #900
partially resolves: #881