Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow NanoTDFs to be created in 'offline' mode, by passing in fore-knowledge of KAS public (EC) key information #1547

Closed
dmihalcik-virtru opened this issue Sep 18, 2024 · 0 comments · Fixed by #1556
Closed

Allow NanoTDFs to be created in 'offline' mode, by passing in fore-knowledge of KAS public (EC) key information #1547

dmihalcik-virtru opened this issue Sep 18, 2024 · 0 comments · Fixed by #1556
Assignees
@dmihalcik-virtru

Comments

@dmihalcik-virtru
Copy link
Member

dmihalcik-virtru commented Sep 18, 2024
edited
Loading

Currently, we support creating ZTDFs in 'offline' mode with the WithKasInformation (which allows setting a single public key), and via the Cached field in the key access registry, which allows loading KAS public key information from a third party. We should make this work explicit by allowing several options for configuring the KAS public keys.

func (s *SDK) StoreKASKeys(url string, keySet ...*policy.KasPublicKeySet) error: Load the given keys

Follow up work:

Original Proposal:

  1. func WithKASKeys(cached_keys ...*policy.KasPublicKeySet) Option: Configure the SDK's keyCache with the given pre-loaded items.
  2. func WithKASLookup(f ...KASKeyLookup) Option: Replace the KAS key lookup with a function; can be called multiple times.
    a. type KASKeyLookup func{string) (*policy.KasPublicKeySet, err): type used for KAS public key lookup
    b. func KASKeyDirectLookup(url string)(*policy.KasPublicKeySet, err): current behavior (default)
    c. func KASRegistryKeyLookup(url string)(*policy.KasPublicKeySet, err): check a registry for the key in its cache

Optional:

  • Add equivalent options for encrypt (createX) and any tamper check functions, if those exist, to allow finer-grained control over the public key lookup
  • Separate out allowlist behavior explicitly? Or at least describe how to implement it with middleware.
  • deprecate existing methods that don't provide sufficient functionality (nano one just doesn't work; ztdf one doesn't allow multiple keys, and therefore doesn't support algorithm choice)
@dmihalcik-virtru dmihalcik-virtru self-assigned this Sep 18, 2024
@dmihalcik-virtru dmihalcik-virtru mentioned this issue Sep 18, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue Oct 3, 2024
@dmihalcik-virtru
feat(sdk): Improve KAS key lookup and caching (#1556)
fb6c47a 
- Adds new method, `sdk.SDK.StoreKASKeys` to load kas key cache
- Use the sdk's `getPublicKey` method from the nanotdf code as expected,
which defers to the cache
- Removes dead or duplicated code that (tried to) do this
- Fixes #1547
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dmihalcik-virtru dmihalcik-virtru

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(sdk): Improve KAS key lookup and caching opentdf/platform
1 participant
@dmihalcik-virtru