summaryrefslogtreecommitdiffstats
path: root/security-utils/src/main
Commit message (Collapse)AuthorAgeFilesLines
* Revert "Add `vespa.content.state_api` capability"Bjørn Christian Seime2023-02-232-4/+2
|
* Merge pull request #26139 from ↵Tor Brede Vekterli2023-02-222-2/+4
|\ | | | | | | | | vespa-engine/vekterli/add-content-state-api-capability Add `vespa.content.state_api` capability
| * Add `vespa.content.state_api` capability to JavaTor Brede Vekterli2023-02-222-2/+4
| | | | | | | | Add new capability to existing `vespa.telemetry` capability set.
* | Store original capability (set) names from JSON config in PeerPolicyBjørn Christian Seime2023-02-225-20/+69
|/ | | | Add additional helper methods to convert `names <=> capabilities`.
* Grant container nodes access to container document apiBjørn Christian Seime2023-02-201-1/+2
|
* Specify that '/logs' requires logserver capabilityBjørn Christian Seime2023-02-171-1/+2
|
* Warn instead of fail for unknown capability (set)Bjørn Christian Seime2023-02-172-9/+10
|
* Improve metric names, fix wiringBjørn Christian Seime2023-02-161-9/+9
|
* Add capability 'vespa.sentinel.inspect_services'Bjørn Christian Seime2023-02-161-0/+1
|
* Add metrics for capability checksBjørn Christian Seime2023-02-162-0/+39
|
* Add capability 'vespa.content.proton_admin_api'Bjørn Christian Seime2023-02-151-0/+1
|
* Add slobrok capability to all application nodesBjørn Christian Seime2023-02-151-2/+2
|
* Add new capabilities to existing capability setsBjørn Christian Seime2023-02-151-6/+10
|
* Use explicit `equals` and `hashCode` to use contents of arrays, not just refsTor Brede Vekterli2023-02-141-0/+35
| | | | Also add a friendlier `toString()` that hex dumps the enc/ciphertext fields.
* Require capabilities for built-in request handlersBjørn Christian Seime2023-02-141-0/+4
|
* Revert "Revert "Bjorncs/capabilities""Henning Baldersheim2023-02-142-14/+28
|
* Revert "Bjorncs/capabilities"Henning Baldersheim2023-02-142-28/+14
|
* Add new capabilities in node specific capability setsBjørn Christian Seime2023-02-132-8/+22
|
* Rename 'from()' to 'of()'Bjørn Christian Seime2023-02-132-6/+6
|
* Define required capabilities for existing JRT RPC methodsBjørn Christian Seime2023-02-091-0/+12
|
* Introduce capbilities for unclassified APIsBjørn Christian Seime2023-02-091-0/+3
| | | | Require 'vespa.rpc.unclassified' by default for all JRT APIs
* Move definition of predefined capability set to parent classBjørn Christian Seime2023-02-093-29/+45
| | | | Introduce functional interface ToCapabilitySet to simplify construction of second order capability sets.
* Add 'vespa.none' capabilityBjørn Christian Seime2023-02-061-0/+1
|
* Add an "interactive" token resealing protocol and basic tooling supportTor Brede Vekterli2023-01-313-9/+173
| | | | | | | | | | | | | | Implements a protocol for delegated access to a shared secret key of a token whose private key we do not possess. This builds directly on top of the existing token resealing mechanisms. The primary benefit of the resealing protocol is that none of the data exchanged can reveal anything about the underlying secret. Security note: neither resealing requests nor responses are explicitly authenticated (this is a property inherited from the sealed shared key tokens themselves). It is assumed that an attacker can observe all requests and responses in transit, but cannot modify them.
* Add y64 encoderBjørn Christian Seime2023-01-301-0/+38
|
* Unify on Streams.toListHenning Baldersheim2023-01-175-10/+5
|
* Ensure that HTTPS clients only use allowed ciphers and protocol versionsBjørn Christian Seime2023-01-092-2/+25
|
* Revert "Ensure that HTTPS clients only use allowed ciphers and protocol ↵Andreas Eriksen2023-01-062-25/+2
| | | | versions" (#25436)
* Ensure that HTTPS clients only use allowed ciphers and protocol versionsBjørn Christian Seime2023-01-062-2/+25
|
* Use ChaCha20-Poly1305 instead of AES-GCM for shared key-based cryptoTor Brede Vekterli2023-01-054-17/+167
| | | | | | | | | | | | | | | | | | | | | This is to get around the limitation where AES GCM can only produce a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before its security properties break down. ChaCha20-Poly1305 does not have any practical limitations here. ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits. A HKDF is used to internally expand the key material to 256 bits. To let token based decryption be fully backwards compatible, introduce a token version 2. V1 tokens will be decrypted with AES-GCM 128, while V2 tokens use ChaCha20-Poly1305. As a bonus, cryptographic operations will generally be _faster_ after this cipher change, as we use BouncyCastle ciphers and these do not use any native AES instructions. ChaCha20-Poly1305 is usually considerably faster when running without specialized hardware support. An ad-hoc experiment with a large ciphertext showed a near 70% performance increase over AES-GCM 128.
* Correct class name to reflect actual cipher name orderTor Brede Vekterli2022-12-014-7/+7
| | | | No functional changes, just bugged me to have used the wrong order.
* Use BouncyCastle AES GCM cipher and I/O streams instead of JCATor Brede Vekterli2022-11-162-21/+60
| | | | | | | | | | | | | | | | | | This resolves two issues: * `javax.crypto.OutputCipherStream` swallows MAC tag mismatch exceptions when the stream is closed, which means that corruptions (intentional or not) are not caught. This is documented behavior, but still very surprising and a rather questionable default. BC's interchangeable `CipherOutputStream` throws as expected. To avoid regressions, add an explicit test that both ciphertext and MAC tag corruptions are propagated. * The default-provided `AES/GCM/NoPadding` `Cipher` instance will not emit decrypted plaintext per `update()` chunk, but buffer everything until `doFinal()` is invoked when the stream is closed. This means that decrypting very large ciphertexts can blow up memory usage since internal output buffers are reallocated and increased per iteration...! Instead use an explicit BC `GCMBlockCipher` which has the expected behavior (and actually lets cipher streams, well, _stream_). Add an `AeadCipher` abstraction to avoid leaking BC APIs outside the security module.
* Add support for token resealingTor Brede Vekterli2022-11-111-4/+12
| | | | | | | | | Adds underlying support--and tooling--for resealing a token for another recipient. This allows for delegating decryption to another party without having to reveal the private key of the original recipient (or having to send the raw underlying secret key over a potentially insecure channel). Key ID can/should change as part of this operation.
* Use Base62 for tokens and Base58 for keysTor Brede Vekterli2022-11-092-7/+40
| | | | | | | | * Base62 minimizes extra size overhead relative to Base64. * Base58 removes ambiguous characters from key encodings. Common for both bases is that they do not emit any characters that interfer with easily selecting them on web pages or in the CLI.
* Add a codec that enables conversion to and from a base N representationTor Brede Vekterli2022-11-083-0/+194
| | | | | | | | | | | | | Adds a codec that enables easy conversion from an array of bytes to any numeric base in [2, 256) and back again, using a supplied custom alphabet. Implemented by treating the input byte sequence to encode verbatim as a big-endian `BigInteger` and iteratively doing a `divmod` operation until the quotient is zero, emitting the modulus mapped onto the alphabet for each iteration. Decoding reverses this process, ending up with the same `BigInteger` as in the initial encoding step.
* Array clone() -> Arrays.copyOf()Tor Brede Vekterli2022-11-021-1/+1
|
* Encapsulate key identifier in own objectTor Brede Vekterli2022-11-023-25/+100
| | | | Enforces invariants and avoids having to pass raw byte arrays around.
* Let token key IDs be UTF-8 byte strings instead of just an integerTor Brede Vekterli2022-11-012-27/+48
| | | | | | | | | | | | | | This makes key IDs vastly more expressive. Max size is 255 bytes, and UTF-8 form is enforced by checking that the byte sequence can be identity-transformed to and from a string with UTF-8 encoding. In addition, we now protect the integrity of the key ID by supplying it as the AAD parameter to the key sealing and opening operations. Reduce v1 token max length of `enc` part to 255, since this is always an X25519 public key, which is never bigger than 32 bytes (but may be _less_ if the random `BigInteger` is small enough, so we still have to encode the length).
* Use JDK17's own hex utilities instead of BouncyCastle'sTor Brede Vekterli2022-10-251-4/+3
|
* Use HPKE instead of ECIES for shared single-use keysTor Brede Vekterli2022-10-202-56/+51
| | | | | Also use AES-128 instead of AES-256 for the one-time key since the underlying HPKE AEAD cipher protecting the key itself is AES-128.
* Add X25519 private to public key extraction and use for HPKE openingTor Brede Vekterli2022-10-194-16/+18
| | | | | | | Avoids the need to pass the full key pair when opening a sealed piece of ciphertext, since we can just extract the public key on-demand. Uses BouncyCastle X25519 utils under the hood.
* Minimal implementation of RFC 9180 Hybrid Public Key Encryption (HPKE)Tor Brede Vekterli2022-10-1813-1/+1040
| | | | | | | | | | | | | | | | | | | | | | | | | HPKE is a hybrid encryption scheme that builds around three primitives: * A key encapsulation mechanism (KEM) * A key derivation function (KDF) * An "authenticated encryption with associated data" (AEAD) algorithm The 3-tuple (KEM, KDF, AEAD) is known as the HPKE _ciphersuite_. This implementation has certain (intentional) limitations: * Only the `DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM` ciphersuite is implemented. This is expected to be a good default choice for any internal use of this class. * Only the "base mode" (unauthenticated sender) is supported, i.e. no PSK support and no secret exporting. This implementation is only expected to be used for anonymous one-way encryption. * The API only offers single-shot encryption to keep anyone from being tempted to use it to build their own multi-message protocol on top. This entirely avoids the risk of nonce reuse caused by accidentally repeating sequence numbers. **Deprecation notice:** once BouncyCastle (or the Java crypto API) supports HPKE, this particular implementation can safely be deprecated and sent off to live on a farm.
* Add some utilities for comparing arrays without data-dependent branchesTor Brede Vekterli2022-10-171-0/+54
| | | | | Lets arrays be compared without leaking information about their contents caused by early exits etc.
* Implement RFC-5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF)Tor Brede Vekterli2022-10-131-0/+221
| | | | | | | | | | | | | | | | | | | The HKDF is initialized ("extracted") from a (non-secret) salt and a secret key. From this, any number of secret keys can be derived ("expanded") deterministically. When multiple keys are to be derived from the same initial keying/salting material, each separate key should use a distinct "context". This ensures that there exists a domain separation between the keys. Using the same context as another key on a HKDF initialized with the same salt+key results in the exact same derived key material as that key. This implementation only offers HMAC-SHA256-based key derivation. Tested with all HMAC-SHA256 test vectors in RFC-5869, with added edge case tests. Analogous to BouncyCastle's `HKDFBytesGenerator`, but with a simpler API that tries to be very explicit in its operation, as well as fully thread safe due to not storing intermediate calculations in member fields.
* Enforce SHA-256 and AES-CBC for ECIES key wrappingTor Brede Vekterli2022-10-132-18/+35
| | | | | | | For some reason requires passing in and keeping an explicit IV. Not sure why this is the case, since symmetric keys used in the context of a hybrid crypto scheme are generally derived via a KDF from the shared secret. This stuff is practically entirely undocumented... :I
* Merge pull request #24403 from vespa-engine/bjorncs/upgrade-bcBjørn Christian Seime2022-10-121-2/+2
|\ | | | | Upgrade BouncyCastle to 1.72 [run-systemtest]
| * Upgrade BouncyCastle to 1.72Bjørn Christian Seime2022-10-121-2/+2
| | | | | | | | Migrate to artifact names used by 1.71+
* | Address PR commentsTor Brede Vekterli2022-10-121-3/+5
| | | | | | | | | | * Make `SecureRandom` a shared static field * Just take in `PrivateKey` instead of `KeyPair` for key unsealing
* | Add utilities for secure one-way single-use key exchange tokens using ECIESTor Brede Vekterli2022-10-113-0/+207
|/ | | | | | | | | | | | | | | | | | | | | | Lets a sender generate a random, single-use symmetric key and securely share this with a receiver, with the sender only knowing the public key of the receiver. The shared key is exchanged via an opaque token that can only be decoded by having the private key corresponding to the public key used for encoding it. This is implemented using ECIES, a hybrid encryption scheme using Elliptic Curve Diffie-Hellman (ECDH) for ephemeral key exchange combined with a symmetric cipher using the ephemeral key for actual plaintext encryption/decryption. In addition to the key exchange itself, utilities for creating encryption and decryption ciphers for AES-GCM-256 from the shared keys are included. **Security note**: since the key is intended to be used for producing a single piece of ciphertext, a fixed Initialization Vector (IV) is used. The key MUST NOT be used to produce more than one ciphertext, lest the entire security model breaks down entirely.
* Ignore calls to SystemTlsContext.close()Bjørn Christian Seime2022-08-301-2/+1
|