Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SCEPDecrypter configuration #55

Merged
merged 12 commits into from
Sep 25, 2023
Merged

Conversation

hslatman
Copy link
Member

@hslatman hslatman commented Jun 1, 2023

Moved KMS to a separate file to be able to reuse it within the SCEP provisioner. From what I can tell, this should not affect existing serialized (and persisted) authority configurations with KMS objects; the generated protobuf code only has internal changes. Does that sound sensible?

@@ -166,13 +167,21 @@ message K8sSAProvisioner {

message SSHPOPProvisioner {}

message SCEPDecrypter {
config.KMS kms = 1;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If possible, we should not include this.

Copy link
Member Author

@hslatman hslatman Jun 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have made some changes locally, and got a basic version working with just the decrypterKey configuration, so we should be able to do without.

It would require the decrypterKey to contain the full configuration for the KMS and to be passed in using the Options.URI in all cases and for all options. We may have to check/update some KMSs to have this logic, but we can do so when users need it, IMO.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change is in e0d92c8.

Comment on lines 172 to 173
bytes decrypterCertificate = 2;
string decrypterKey = 3;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both should be the same type, but we have mixed values between the certificates and keys in the Configuration type, and the ones in the provisioners.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To verify: decrypterKey should thus become bytes too? Then try base64 decoding to see if there's a PEM formatted key in there, and if so, use that as the (softkms) key? If base64 decoding fails, try interpreting it as a key URI?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion, because the provisioners can be configured remotely, we should send store the key itself, a PEM, or the URI that represents it. For a PEM, bytes are "easier"; for the URI, a string is easier. We can consider having two fields if it makes this easier. We can use oneof or Any, but these are more difficult than just adding two incompatible fields that will be verified on the server side.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is in f2f59aa.

config.KMS kms = 1;
bytes decrypterCertificate = 2;
string decrypterKey = 3;
string decrypterKeyPassword = 4;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bytes per Configuration.password.

Copy link
Member Author

@hslatman hslatman Jun 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a decrypterKeyPasswordFile too? Or try interpreting decrypterKeyPassword as a path to a file? I think the latter could be confusing and unexpected behavior.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For a file it should be a flag --decrypter-password-file

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now I'll only support a password stored as bytes. If a password file is used (locally), the contents have to be read first and then stored in the provisioner.

hslatman and others added 9 commits August 2, 2023 15:44
This reverts the change to move `KMS` into its own file.
For SCEP we need a new webhook to notify a system that a certificate
was issued successfully or failed. The `NOTIFYING` webhook type
can be used for this, but is also somewhat generically named, so
that it can be used for other use cases too.
Reorder existing properties and change key properties to have
one for both a PEM as well as an URI.
…tep/linkedca into herman/scep-provisioner-decrypter
Copy link
Contributor

@maraino maraino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@hslatman hslatman merged commit 29330a8 into main Sep 25, 2023
12 checks passed
@hslatman hslatman deleted the herman/scep-provisioner-decrypter branch September 25, 2023 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants