Add callback-based custom private keys. #322
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Lukasa
force-pushed
the
cb-custom-callback-based-keys
branch
from
dc8796f
to
a849681
Compare
fabianfett
reviewed
Sep 20, 2021
agnosticdev
reviewed
Sep 20, 2021
| /// - customPrivateKey: The custom private key to use with the TLS certificate. | ||
| @inlinable | ||
| public init<CustomKey: NIOSSLCustomPrivateKey & Hashable>(customPrivateKey: CustomKey) { | ||
| self.representation = .custom(AnyNIOSSLCustomPrivateKey(customPrivateKey)) |
There was a problem hiding this comment.
Just a question; would this be the entry point for any key that is created outside the context of BoringSSL's EVP_PKEY type?
Motivation: NIOSSL traditionally handles private keys be requiring that they can be decoded into a BoringSSL EVP_PKEY structure. This requires the key to have an in-memory representation that BoringSSL understands, and ultimately forces the bytes of the private key into memory. In many cases, however, this is either undesirable or not possible. For security reasons it is common to want to offload a private key into secure storage, such as the iPhone's Secure Enclave or a portable smart card. In other circumstances it may be useful to put the private key on an entirely different machine and have the signing operations occur over an RPC mechanism. In all of these cases it is necessary to have a programmatic interface to the private key that can be implemented in an essentially arbitrary manner. Modifications: - Defined a new protocol, `NIOSSLCustomPrivateKey`, that allows users to implement the private key operations needed for TLS. - Plumbed support for this interface through `NIOSSLPrivateKey`. - Added support for the BoringSSL interface to `SSLConnection`. Result: Custom TLS private keys backed by function calls can now be provided to NIOSSL.
Lukasa
force-pushed
the
cb-custom-callback-based-keys
branch
from
a849681
to
5e6c20f
Compare
fabianfett
approved these changes
Sep 21, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
NIOSSL traditionally handles private keys be requiring that they can be
decoded into a BoringSSL EVP_PKEY structure. This requires the key to
have an in-memory representation that BoringSSL understands, and
ultimately forces the bytes of the private key into memory.
In many cases, however, this is either undesirable or not possible.
For security reasons it is common to want to offload a private key into
secure storage, such as the iPhone's Secure Enclave or a portable smart
card. In other circumstances it may be useful to put the private key on
an entirely different machine and have the signing operations occur over
an RPC mechanism.
In all of these cases it is necessary to have a programmatic interface
to the private key that can be implemented in an essentially arbitrary
manner.
Modifications:
NIOSSLCustomPrivateKey, that allows users toimplement the private key operations needed for TLS.
NIOSSLPrivateKey.SSLConnection.Result:
Custom TLS private keys backed by function calls can now be provided to
NIOSSL.