feat: Assertion verification #452
Conversation
There was a problem hiding this comment.
Specifying the keys directly as arguments puts the key at more risk of exposure. Arguments will be recorded to disk in the command history, could be exposed on multi-tenant systems, logged, etc. This is particularly concerning since you appear to be supporting not just public keys, but private keys as well.
@elizabethhealy Would it be reasonable to accept a file path or use environment variables instead of specifying the keys as arguments?
This suggestion from @jentfoo aligns with an open issue we have to generally improve CLI security: #417 |
|
@jentfoo @jakedoublev |
@elizabethhealy Could the entire assertion JSON be stored and read into the command from a file instead of just the keys referenced by the assertions? I'm thinking that would be aligned with what the CLI does for client credentials so |
|
@jakedoublev i like that, so --with-assertions, --with-assertions-from-file, --with-assertion-verification-keys, --with-assertion-verificiation-keys-from-file and its up to the user to decide whichever is best for them, it will still support passing in keys directly but also give a safer option |
|
@elizabethhealy and I discussed and we will update |
| return bytes, nil | ||
| } | ||
|
|
||
| func correctKeyType(assertionKey sdk.AssertionKey, public bool) (interface{}, error) { |
There was a problem hiding this comment.
Do you think this functionality could be exposed within provided platform lib/SDK functionality instead of recreated within each Go PEP?
There was a problem hiding this comment.
seems like most go packages that deal with crypto just take in args that are already typed rsa.PrivateKey or rsa.PublicKey, they assume you already have the key and if not they expect you to load it yourself. i think the cli has a bit extra code since the whole assertion object is being passed in as a string which isnt how it would normally be done in a go pep. i assume the pep would just construct the assertion similar to https://github.com/opentdf/platform/blob/7d55a909ac03e5a1234709d9051f906d9efd469e/sdk/tdf_test.go#L400-L425 and would just load the key from pem; also the cli has extra conditions to handle private vs public where as i assume a pep would know if it was a private key or public key they were loading. so TLDR i think the cli is more of an outlier in how its passing in assertions and the extra steps needed to parse them and want to avoid adding specific logic to the sdk just for the cli.
but if its determined that other peps have this need as well we can re-assess
docs/man/encrypt/_index.md
Outdated
| @@ -27,7 +27,7 @@ command: | |||
| default: /kas | |||
| - name: with-assertions | |||
| description: > | |||
| EXPERIMENTAL: JSON string of assertions to bind metadata to the TDF. See examples for more information. | |||
| EXPERIMENTAL: JSON string or path to JSON file of assertions to bind metadata to the TDF. See examples for more information. | |||
There was a problem hiding this comment.
I think we should only support the file method. A user may not be aware of the risks of specifying the key as a command argument.
We could consider adding argument support after #417 is implemented.
There was a problem hiding this comment.
i think keeping the json string options was just to maintain backward compatability, we can add some more documentation here to emphasize that its deprecated and the file path is the more safe option
| @@ -57,6 +81,18 @@ teardown_file(){ | |||
| ./otdfctl decrypt --host $HOST --tls-no-verify $DEBUG_LEVEL $WITH_CREDS $OUTFILE_TXT | grep "$SECRET_TEXT" | |||
| } | |||
|
|
|||
| @test "roundtrip TDF3, assertions with HS265 keys and verificaion, file" { | |||
There was a problem hiding this comment.
| @test "roundtrip TDF3, assertions with HS265 keys and verificaion, file" { | |
| @test "roundtrip TDF3, assertions with HS265 keys and verification, file" { |
| diff $INFILE_GO_MOD $RESULTFILE_GO_MOD | ||
| } | ||
|
|
||
| @test "roundtrip TDF3, assertions with RS256 keys and verificaion, file" { |
There was a problem hiding this comment.
| @test "roundtrip TDF3, assertions with RS256 keys and verificaion, file" { | |
| @test "roundtrip TDF3, assertions with RS256 keys and verification, file" { |
| } | ||
|
|
||
| @test "roundtrip TDF3, assertions with RS256 keys and verificaion, file" { | ||
| ./otdfctl encrypt -o $OUTFILE_GO_MOD --host $HOST --tls-no-verify $DEBUG_LEVEL $WITH_CREDS -a $FQN --with-assertions $SIGNED_ASSERTIONS_RS256 --tdf-type tdf3 $INFILE_GO_MOD |
There was a problem hiding this comment.
Are assertions present in the manifest? If so, can we add a test with ./otdfctl inspect that asserts they were found present in the TDF created?
| } | ||
| } | ||
| for i, config := range assertionConfigs { | ||
| if (config.SigningKey != sdk.AssertionKey{}) { |
There was a problem hiding this comment.
Does this comparison struct equality evaluate as expected? It seems like you'd need to compare struct fields for this equality check?
Adds option to provide assertion verification keys and support for signing keys on assertion input
(supports rs256 and hs256 keys)
Includes bats tests for both key types