Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Tink signing backend #645

Merged
merged 1 commit into from
Jun 28, 2022
Merged

Commits on Jun 28, 2022

  1. Add Tink signing backend

    This adds support for using encrypted Tink keysets to load a signer.
    There are two main benefits from this work: We can leverage this instead
    of KMS if we need to support a higher QPS, and Tink keysets use strong
    secure defaults. Keysets can be encrypted with AESGCM, do not rely on a
    KDF, cannot be brute-forced, and access to the key can be audited
    through cloud audit logs.
    
    Tink does not provide a method to extract the signing key from the
    keyset intentionally, so I wrote a helper library to reach into the key
    handle proto to construct a crypto.Signer.
    
    Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
    haydentherapper committed Jun 28, 2022
    Configuration menu
    Copy the full SHA
    c0e23ef View commit details
    Browse the repository at this point in the history