RFE: private key reference scheme #447
Labels
Comments
This was referenced Oct 28, 2022
jku
added a commit
to jku/securesystemslib
that referenced
this issue
Nov 2, 2022
Very bare bones Signer for Google Cloud KMS: Private keys live in KMS, signing happens in KMS (although payloading hash happens in Signer). This is not super usable without issue secure-systems-lab#447 but demonstrates the simplicity. With 447, the usage pattern nwould be signer = Signer( "gcpkms://projects/openssf/locations/global/keyRings/securesystemslib-test-keyring/cryptoKeys/securesystemslib-test-key/cryptoKeyVersions/1", pubkey ) so all GCP specific details are in the private key URI. Key creation is not supported at this point.
jku
added a commit
to jku/securesystemslib
that referenced
this issue
Nov 2, 2022
Very bare bones Signer for Google Cloud KMS: Private keys live in KMS, signing happens in KMS (although payloading hash happens in Signer). This is not super usable without issue secure-systems-lab#447 but demonstrates the simplicity. With 447, the usage pattern nwould be signer = Signer( "gcpkms://projects/openssf/locations/global/keyRings/securesystemslib-test-keyring/cryptoKeys/securesystemslib-test-key/cryptoKeyVersions/1", pubkey ) so all GCP specific details are in the private key URI. Key creation is not supported at this point.
jku
added a commit
to jku/securesystemslib
that referenced
this issue
Nov 2, 2022
Very bare bones Signer for Google Cloud KMS: Private keys live in KMS, signing happens in KMS (although payloading hash happens in Signer). This is not super usable without issue secure-systems-lab#447 but demonstrates the simplicity. Key creation is not supported at this point. A test is added with a few caveats: * dependencies are not added to requirements.txt: this would more than triple the size of requirements-pinnex.txt... Not sure what the best path her is * Test only works on GitHub (because of the authentication) * There's a separate tox env, meaning the test only runs once per test run: this allows testing separate requirements but also makes it easier to set very low usage quotas on GCP
jku
added a commit
to jku/securesystemslib
that referenced
this issue
Nov 2, 2022
Very bare bones Signer for Google Cloud KMS: Private keys live in KMS, signing happens in KMS (although payloading hash happens in Signer). This is not super usable without issue secure-systems-lab#447 but demonstrates the simplicity. Key creation is not supported at this point. A test is added with a few caveats: * dependencies are not added to requirements.txt: this would more than triple the size of requirements-pinnex.txt... Not sure what the best path her is * Test only works on GitHub (because of the authentication) * There's a separate tox env, meaning the test only runs once per test run: this allows testing separate requirements but also makes it easier to set very low usage quotas on GCP
jku
added a commit
to jku/securesystemslib
that referenced
this issue
Nov 2, 2022
Very bare bones Signer for Google Cloud KMS: Private keys live in KMS, signing happens in KMS (although payloading hash happens in Signer). This is not super usable without issue secure-systems-lab#447 but demonstrates the simplicity. Key creation is not supported at this point. A test is added with a few caveats: * dependencies are not added to requirements.txt: this would more than triple the size of requirements-pinnex.txt... Not sure what the best path her is * Test only works on GitHub (because of the authentication) * There's a separate tox env, meaning the test only runs once per test run: this allows testing separate requirements but also makes it easier to set very low usage quotas on GCP
jku
added a commit
to jku/securesystemslib
that referenced
this issue
Nov 2, 2022
Very bare bones Signer for Google Cloud KMS: Private keys live in KMS, signing happens in KMS (although payloading hash happens in Signer). This is not super usable without issue secure-systems-lab#447 but demonstrates the simplicity. Key creation is not supported at this point. A test is added with a few caveats: * dependencies are not added to requirements.txt: this would more than triple the size of requirements-pinnex.txt... Not sure what the best path her is * Test only works on GitHub (because of the authentication) * There's a separate tox env, meaning the test only runs once per test run: this allows testing separate requirements but also makes it easier to set very low usage quotas on GCP
|
Almost complete proposal https://docs.google.com/document/d/1KQY5v1ASXpZM5GhfATV_WJf7GaMJrfBOXr06dtxc-ps -- still debating myself if I should propose a Key class as well but overall this is definitely ready for review |
FYI: There's new |
|
@kairoaraujo would love your input on the design here, especially:
|
I swear I wrote about it somewhere, but can't hurt to do it here too:
This fits at least the KMS use case and I think it should fit yubikeys as well. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Taking this out of #445 as I think it makes sense in general, not just in KMS:
Idea
Let's define an identification scheme for private key materials in Signer:
sigstore ReferenceScheme
sigstore has a
ReferenceSchemefor their KMS abstraction: I think that would work for private keys in generalhttps://github.com/sigstore/sigstore/tree/main/pkg/signature/kms. There's no requirement to be 1:1 compatible with sigstore, just showing this as a reference of something we could copy.
Proposal
https://docs.google.com/document/d/1KQY5v1ASXpZM5GhfATV_WJf7GaMJrfBOXr06dtxc-ps
Review welcome here or in the doc!
The text was updated successfully, but these errors were encountered: