package encryption
import (
"context"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/zerrors"
)
// defaultKeyIDs lists the IDs of the encryption keys that VerifyDefaultKeys
// guarantees to exist in the key storage, generating any that are missing.
var defaultKeyIDs = []string{
	"domainVerificationKey",
	"idpConfigKey",
	"oidcKey",
	"samlKey",
	"otpKey",
	"smsKey",
	"smtpKey",
	"userKey",
	"csrfCookieKey",
	"userAgentCookieKey",
}
// EncryptionKeyConfig names the key-storage entries that back each cipher
// and raw key assembled by EnsureEncryptionKeys.
type EncryptionKeyConfig struct {
	// Per-purpose AES key configurations; each is handed to crypto.NewAESCrypto.
	DomainVerification *crypto.KeyConfig
	IDPConfig          *crypto.KeyConfig
	// OIDC.EncryptionKeyID is additionally loaded as raw bytes (EncryptionKeys.OIDCKey),
	// so this field is dereferenced directly and must not be nil.
	OIDC *crypto.KeyConfig
	SAML *crypto.KeyConfig
	OTP  *crypto.KeyConfig
	SMS  *crypto.KeyConfig
	SMTP *crypto.KeyConfig
	User *crypto.KeyConfig
	// IDs of keys that are loaded with crypto.LoadKey and kept as raw bytes.
	CSRFCookieKeyID      string
	UserAgentCookieKeyID string
}
// EncryptionKeys holds the ready-to-use ciphers and raw key bytes that
// EnsureEncryptionKeys builds from an EncryptionKeyConfig.
type EncryptionKeys struct {
	// AES ciphers, one per purpose, created with crypto.NewAESCrypto.
	DomainVerification crypto.EncryptionAlgorithm
	IDPConfig          crypto.EncryptionAlgorithm
	OIDC               crypto.EncryptionAlgorithm
	SAML               crypto.EncryptionAlgorithm
	OTP                crypto.EncryptionAlgorithm
	SMS                crypto.EncryptionAlgorithm
	SMTP               crypto.EncryptionAlgorithm
	User               crypto.EncryptionAlgorithm
	// Raw key material loaded with crypto.LoadKey. These are secrets:
	// keep them out of logs and error messages.
	CSRFCookieKey      []byte
	UserAgentCookieKey []byte
	// Bytes of the key named by EncryptionKeyConfig.OIDC.EncryptionKeyID,
	// i.e. the same key that backs the OIDC cipher above.
	OIDCKey []byte
}
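// EnsureEncryptionKeys verifies that all default keys exist in keyStorage
// (creating any that are missing, see VerifyDefaultKeys) and then assembles
// the per-purpose AES ciphers and raw keys named by keyConfig.
//
// keyConfig must be non-nil with a non-nil OIDC section, because the OIDC
// key ID is read directly; a nil value yields an invalid-argument error
// instead of a panic. Any error from VerifyDefaultKeys, crypto.NewAESCrypto
// or crypto.LoadKey is returned unchanged for the first key that cannot be
// set up, and the returned *EncryptionKeys is nil in that case so callers
// never see a partially populated key set.
func EnsureEncryptionKeys(ctx context.Context, keyConfig *EncryptionKeyConfig, keyStorage crypto.KeyStorage) (keys *EncryptionKeys, err error) {
	// Fail fast on a missing config: keyConfig.OIDC.EncryptionKeyID is
	// dereferenced below and would otherwise panic during startup.
	if keyConfig == nil || keyConfig.OIDC == nil {
		// "START-PLACEHOLDER" is a placeholder; assign a unique error ID per project convention.
		return nil, zerrors.ThrowInvalidArgument(nil, "START-PLACEHOLDER", "encryption key config must not be nil")
	}
	if err := VerifyDefaultKeys(ctx, keyStorage); err != nil {
		return nil, err
	}

	keys = new(EncryptionKeys)
	// Ciphers are built in config-field order; the first failure aborts.
	if keys.DomainVerification, err = crypto.NewAESCrypto(keyConfig.DomainVerification, keyStorage); err != nil {
		return nil, err
	}
	if keys.IDPConfig, err = crypto.NewAESCrypto(keyConfig.IDPConfig, keyStorage); err != nil {
		return nil, err
	}
	if keys.OIDC, err = crypto.NewAESCrypto(keyConfig.OIDC, keyStorage); err != nil {
		return nil, err
	}
	if keys.SAML, err = crypto.NewAESCrypto(keyConfig.SAML, keyStorage); err != nil {
		return nil, err
	}
	// The OIDC key is needed in raw form as well as wrapped in a cipher.
	if keys.OIDCKey, err = loadRawKey(keyConfig.OIDC.EncryptionKeyID, keyStorage); err != nil {
		return nil, err
	}
	if keys.OTP, err = crypto.NewAESCrypto(keyConfig.OTP, keyStorage); err != nil {
		return nil, err
	}
	if keys.SMS, err = crypto.NewAESCrypto(keyConfig.SMS, keyStorage); err != nil {
		return nil, err
	}
	if keys.SMTP, err = crypto.NewAESCrypto(keyConfig.SMTP, keyStorage); err != nil {
		return nil, err
	}
	if keys.User, err = crypto.NewAESCrypto(keyConfig.User, keyStorage); err != nil {
		return nil, err
	}
	if keys.CSRFCookieKey, err = loadRawKey(keyConfig.CSRFCookieKeyID, keyStorage); err != nil {
		return nil, err
	}
	if keys.UserAgentCookieKey, err = loadRawKey(keyConfig.UserAgentCookieKeyID, keyStorage); err != nil {
		return nil, err
	}
	return keys, nil
}

// loadRawKey loads the key with the given ID from keyStorage and returns its
// bytes; this is how the cookie keys and the raw OIDC key are consumed.
// The error from crypto.LoadKey is returned unchanged.
func loadRawKey(keyID string, keyStorage crypto.KeyStorage) ([]byte, error) {
	key, err := crypto.LoadKey(keyID, keyStorage)
	if err != nil {
		return nil, err
	}
	return []byte(key), nil
}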
// VerifyDefaultKeys checks that every ID in defaultKeyIDs can be loaded from
// keyStorage and generates and stores a new key for each one that cannot.
// Nothing is written when all keys are already present. A failure to
// generate a key is returned as-is; a failure to store the batch is wrapped
// as an internal error.
//
// NOTE(review): any crypto.LoadKey error counts as "key absent", not only a
// not-found result, so a transient storage failure leads to a fresh key being
// generated and CreateKeys being attempted for an ID that may already exist.
// Whether CreateKeys rejects such a duplicate is not visible here — confirm
// before relying on it.
func VerifyDefaultKeys(ctx context.Context, keyStorage crypto.KeyStorage) (err error) {
	missing := make([]*crypto.Key, 0, len(defaultKeyIDs))
	for _, id := range defaultKeyIDs {
		if _, loadErr := crypto.LoadKey(id, keyStorage); loadErr == nil {
			continue // already stored
		}
		generated, genErr := crypto.NewKey(id)
		if genErr != nil {
			return genErr
		}
		missing = append(missing, generated)
	}
	if len(missing) == 0 {
		return nil
	}
	if err = keyStorage.CreateKeys(ctx, missing...); err != nil {
		return zerrors.ThrowInternal(err, "START-aGBq2", "cannot create default keys")
	}
	return nil
}