Crypto: work on crypto.Signer instead of concrete private keys for signing #3129

Merged: 6 commits merged on May 28, 2024

@reinkrul reinkrul commented May 20, 2024

Initially Crypto was set up to just act on crypto.Signer, to support unexportable keys in a separate key vault at some point (meaning the private keys themselves are never in the application memory; cryptographic operations are performed in the key vault). I tried implementing Azure Key Vault using this approach, but found that several functions act on the private key assuming it's always in-memory. This PR fixes that.

Note that this only applies to signing, not to encryption: our encryption algorithm of choice (ECIES) isn't supported by HashiCorp Vault/Azure Key Vault. If encryption is a feature we want to retain in combination with secure key storage, RSA keys could be used instead.

@reinkrul reinkrul changed the title Crypto: don't assume private keys are in memory Crypto: work on crypto.Signer instead of concrete private keys May 20, 2024
@reinkrul reinkrul marked this pull request as ready for review May 20, 2024 06:39
@reinkrul reinkrul changed the title Crypto: work on crypto.Signer instead of concrete private keys Crypto: work on crypto.Signer instead of concrete private keys for signing May 22, 2024
@reinkrul reinkrul merged commit 2d8762e into master May 28, 2024
8 of 9 checks passed
@reinkrul reinkrul deleted the crypto/external-key-support branch May 28, 2024 10:00
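The pattern the PR description refers to, as an added example that is not code from this PR or project: a signing function that type-asserts a concrete in-memory key fails for a vault-backed key, while one that uses only the `crypto.Signer` interface works for both. The names `vaultSigner`, `newDemoKey`, `signConcrete`, `signWithSigner` and `verify` are hypothetical, and the vault is simulated by wrapping a local ECDSA key so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// vaultSigner (hypothetical) stands in for a vault-held key: only Public() and Sign() are exposed.
type vaultSigner struct{ inner *ecdsa.PrivateKey }

func (v vaultSigner) Public() crypto.PublicKey { return v.inner.Public() }
func (v vaultSigner) Sign(r io.Reader, digest []byte, o crypto.SignerOpts) ([]byte, error) {
	return v.inner.Sign(r, digest, o) // a real backend would call the vault's sign API here
}
func newDemoKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signConcrete assumes the private key is in memory and rejects anything else.
func signConcrete(key crypto.Signer, msg []byte) ([]byte, error) {
	priv, ok := key.(*ecdsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("private key is not in application memory")
	}
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// signWithSigner depends only on the crypto.Signer interface.
func signWithSigner(key crypto.Signer, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return key.Sign(rand.Reader, d[:], crypto.SHA256)
}

// verify checks an ASN.1-encoded ECDSA signature against the signer's public key.
func verify(pub crypto.PublicKey, msg, sig []byte) bool {
	ec, ok := pub.(*ecdsa.PublicKey)
	d := sha256.Sum256(msg)
	return ok && ecdsa.VerifyASN1(ec, d[:], sig)
}

func main() {
	k, _ := newDemoKey()
	ext, msg := vaultSigner{inner: k}, []byte("constructed sample payload")
	_, err := signConcrete(ext, msg)
	sig, _ := signWithSigner(ext, msg)
	fmt.Println(err, verify(ext.Public(), msg, sig))
}
```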