TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-12 11:04:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
main
zitadel/cmd/encryption/encryption_keys.go
Stefan Benz 7caa43ab23
feat: action v2 signing (#8779) 
# Which Problems Are Solved

The action v2 messages were didn't contain anything providing security
for the sent content.

# How the Problems Are Solved

Each Target now has a SigningKey, which can also be newly generated
through the API and returned at creation and through the Get-Endpoints.
There is now a HTTP header "Zitadel-Signature", which is generated with
the SigningKey and Payload, and also contains a timestamp to check with
a tolerance if the message took to long to sent.

# Additional Changes

The functionality to create and check the signature is provided in the
pkg/actions package, and can be reused in the SDK.

# Additional Context

Closes #7924

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-11-28 10:06:52 +00:00

135 lines
3.5 KiB
Go
Raw Permalink Blame History

package encryption
import (
"context"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/zerrors"
)
var (
defaultKeyIDs = []string{
"domainVerificationKey",
"idpConfigKey",
"oidcKey",
"samlKey",
"otpKey",
"smsKey",
"smtpKey",
"userKey",
"targetKey",
"csrfCookieKey",
"userAgentCookieKey",
}
)
type EncryptionKeyConfig struct {
DomainVerification *crypto.KeyConfig
IDPConfig *crypto.KeyConfig
OIDC *crypto.KeyConfig
SAML *crypto.KeyConfig
OTP *crypto.KeyConfig
SMS *crypto.KeyConfig
SMTP *crypto.KeyConfig
User *crypto.KeyConfig
Target *crypto.KeyConfig
CSRFCookieKeyID string
UserAgentCookieKeyID string
}
type EncryptionKeys struct {
DomainVerification crypto.EncryptionAlgorithm
IDPConfig crypto.EncryptionAlgorithm
OIDC crypto.EncryptionAlgorithm
SAML crypto.EncryptionAlgorithm
OTP crypto.EncryptionAlgorithm
SMS crypto.EncryptionAlgorithm
SMTP crypto.EncryptionAlgorithm
User crypto.EncryptionAlgorithm
Target crypto.EncryptionAlgorithm
CSRFCookieKey []byte
UserAgentCookieKey []byte
OIDCKey []byte
}
func EnsureEncryptionKeys(ctx context.Context, keyConfig *EncryptionKeyConfig, keyStorage crypto.KeyStorage) (keys *EncryptionKeys, err error) {
if err := VerifyDefaultKeys(ctx, keyStorage); err != nil {
return nil, err
}
keys = new(EncryptionKeys)
keys.DomainVerification, err = crypto.NewAESCrypto(keyConfig.DomainVerification, keyStorage)
if err != nil {
return nil, err
}
keys.IDPConfig, err = crypto.NewAESCrypto(keyConfig.IDPConfig, keyStorage)
if err != nil {
return nil, err
}
keys.OIDC, err = crypto.NewAESCrypto(keyConfig.OIDC, keyStorage)
if err != nil {
return nil, err
}
keys.SAML, err = crypto.NewAESCrypto(keyConfig.SAML, keyStorage)
if err != nil {
return nil, err
}
key, err := crypto.LoadKey(keyConfig.OIDC.EncryptionKeyID, keyStorage)
if err != nil {
return nil, err
}
keys.OIDCKey = []byte(key)
keys.OTP, err = crypto.NewAESCrypto(keyConfig.OTP, keyStorage)
if err != nil {
return nil, err
}
keys.SMS, err = crypto.NewAESCrypto(keyConfig.SMS, keyStorage)
if err != nil {
return nil, err
}
keys.SMTP, err = crypto.NewAESCrypto(keyConfig.SMTP, keyStorage)
if err != nil {
return nil, err
}
keys.User, err = crypto.NewAESCrypto(keyConfig.User, keyStorage)
if err != nil {
return nil, err
}
keys.Target, err = crypto.NewAESCrypto(keyConfig.Target, keyStorage)
if err != nil {
return nil, err
}
key, err = crypto.LoadKey(keyConfig.CSRFCookieKeyID, keyStorage)
if err != nil {
return nil, err
}
keys.CSRFCookieKey = []byte(key)
key, err = crypto.LoadKey(keyConfig.UserAgentCookieKeyID, keyStorage)
if err != nil {
return nil, err
}
keys.UserAgentCookieKey = []byte(key)
return keys, nil
}
func VerifyDefaultKeys(ctx context.Context, keyStorage crypto.KeyStorage) (err error) {
keys := make([]*crypto.Key, 0, len(defaultKeyIDs))
for _, keyID := range defaultKeyIDs {
_, err := crypto.LoadKey(keyID, keyStorage)
if err == nil {
continue
}
key, err := crypto.NewKey(keyID)
if err != nil {
return err
}
keys = append(keys, key)
}
if len(keys) == 0 {
return nil
}
if err := keyStorage.CreateKeys(ctx, keys...); err != nil {
return zerrors.ThrowInternal(err, "START-aGBq2", "cannot create default keys")
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink