Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rotate encrypted client config #1899

Open
bbockelm opened this issue Jan 15, 2025 · 0 comments
Open

Rotate encrypted client config #1899

bbockelm opened this issue Jan 15, 2025 · 0 comments
Assignees
@h2zh
Labels
client Issue affecting the OSDF client enhancement New feature or request
Milestone
v7.15

Comments

@bbockelm
Copy link
Collaborator

In working on #1748, we realized that the encrypted client configuration depends on the issuer key -- but there's currently no way to determine which issuer key did the encryption. This prevents us from performing key rotation as the new key cannot decrypt the configuration signed by the old key.

Here's how to move forward:

  1. We persist the information about the session key in a PEM block that looks like this:

    -----BEGIN ENCRYPTED PRIVATE KEY-----
MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAiToI6vI9miVQICJxAw
MZMYHVcOHt8UVhwabQA=
-----END ENCRYPTED PRIVATE KEY-----

    PEM blocks have "headers" that can be set when writing. Upgrade the client encryption routines to add a KeyId header indicating which key was used for signing.

  2. When the encrypted configuration is read, select the appropriate key based on the header.

  3. If there is no header recorded (backward compatibility case), then assume the "oldest key" (as defined by the key sorting algorithm) was used and try that. Do not iterate through all the keys, trying them one-by-one.

  4. When the encrypted configuration is read, check the "current" key and compare it against the key used to sign the encrypted file. If it differs, immediately rewrite the encrypted configuration using the current key.

Note that #1898 outlines an approach for making better decisions about the "active" key when configured in server mode. In the case of a client configuration, I think we can simply use the "latest" key -- no database needed.
@bbockelm bbockelm added enhancement New feature or request client Issue affecting the OSDF client labels Jan 15, 2025
@bbockelm bbockelm added this to the v7.14 milestone Jan 15, 2025
@bbockelm bbockelm mentioned this issue Jan 22, 2025
Merged
@h2zh h2zh modified the milestones: v7.14, v7.15 Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@h2zh h2zh

Labels
client Issue affecting the OSDF client enhancement New feature or request
Projects
None yet
Milestone
v7.15
Development

No branches or pull requests
2 participants
@bbockelm @h2zh