aboutsummaryrefslogtreecommitdiffstats
path: root/security-utils
Commit message (Collapse)AuthorAgeFilesLines
* Enable TLSv1.3 for Vespa mTLSBjørn Christian Seime2023-07-201-10/+7
|
* Defer side channel-safe array checks to existing BC utilsTor Brede Vekterli2023-07-193-24/+13
| | | | Use constant-time array compare for TokenCheckHash equality checks.
* Short-cut re-acquiring ordered locksjonmv2023-06-271-10/+4
|
* Simplify token API by using fixed context for fingerprintsTor Brede Vekterli2023-06-153-40/+51
| | | | | | | | | | Fingerprints are now always derived using the a fixed context of `Vespa token fingerprint`. Enforcement has been added that a `TokenDomain` cannot be initialized with a context equal to the fingerprint context. This changes the fingerprint outputs from their previous values, but that's fine since they are not yet in use anywhere.
* Add factory methods accepting hex stringBjørn Christian Seime2023-06-143-0/+24
|
* Remove trailing commagjoranv2023-06-121-1/+1
|
* Manually add X-JDisc-Non-PublicApi-Export-Package headergjoranv2023-06-091-0/+1
| | | | - Bundle is built with maven-bundle-plugin
* Also include domain when printing tokenTor Brede Vekterli2023-06-063-3/+12
|
* Emit fingerprints with delimiters by defaultTor Brede Vekterli2023-06-063-3/+18
| | | | Uses standard fingerprint `hex:hex:hex:...` format
* Fix some silly typosTor Brede Vekterli2023-06-061-3/+3
|
* Add a simple token primitive to security utilsTor Brede Vekterli2023-06-066-0/+398
| | | | | | | A token is an arbitrary, opaque (secret) string from which a fingerprint and audience-specific access-check hashes can be derived. A CSPRNG-backed token generator that returns random Base62-encoded tokens (with an optional prefix) is included.
* Build with jdk20Jon Bratseth2023-04-172-4/+4
|
* Revert "Enable TLSv1.3 for Vespa mTLS"Henning Baldersheim2023-03-251-7/+10
|
* Enable TLSv1.3 for Vespa mTLSBjørn Christian Seime2023-03-241-10/+7
|
* Implement RFC 9180 HPKE sender asymmetric key authentication modeTor Brede Vekterli2023-03-234-13/+195
| | | | | | | | We already have support for the `base` unauthenticated mode, so this just adds the `auth` mode where the sender's key pair is added to the ECDH shared key derivation mix. This ensures that a message may only be successfully opened if the sender was in possession of the private key (`skS`) corresponding to the expected public key (`pkS`).
* Merge pull request #26168 from ↵Tor Brede Vekterli2023-02-242-2/+4
|\ | | | | | | | | vespa-engine/revert-26152-revert-26139-vekterli/add-content-state-api-capability Reapply: add `vespa.content.state_api` capability"
| * Revert "Revert "Add `vespa.content.state_api` capability" MERGEOK"Tor Brede Vekterli2023-02-232-2/+4
| |
* | Revert "Revert "Store original capability (set) names from JSON config in ↵Bjørn Christian Seime2023-02-236-25/+72
|/ | | | PeerPolicy" MERGEOK"
* Merge pull request #26153 from vespa-engine/revert-26145-bjorncs/capabilitiesBjørn Christian Seime2023-02-236-72/+25
|\ | | | | Revert "Store original capability (set) names from JSON config in PeerPolicy" MERGEOK
| * Revert "Store original capability (set) names from JSON config in PeerPolicy"Bjørn Christian Seime2023-02-236-72/+25
| |
* | Revert "Add `vespa.content.state_api` capability"Bjørn Christian Seime2023-02-232-4/+2
|/
* Merge pull request #26139 from ↵Tor Brede Vekterli2023-02-222-2/+4
|\ | | | | | | | | vespa-engine/vekterli/add-content-state-api-capability Add `vespa.content.state_api` capability
| * Add `vespa.content.state_api` capability to JavaTor Brede Vekterli2023-02-222-2/+4
| | | | | | | | Add new capability to existing `vespa.telemetry` capability set.
* | Store original capability (set) names from JSON config in PeerPolicyBjørn Christian Seime2023-02-226-25/+72
|/ | | | Add additional helper methods to convert `names <=> capabilities`.
* Grant container nodes access to container document apiBjørn Christian Seime2023-02-201-1/+2
|
* Specify that '/logs' requires logserver capabilityBjørn Christian Seime2023-02-171-1/+2
|
* Warn instead of fail for unknown capability (set)Bjørn Christian Seime2023-02-172-9/+10
|
* Improve metric names, fix wiringBjørn Christian Seime2023-02-161-9/+9
|
* Add capability 'vespa.sentinel.inspect_services'Bjørn Christian Seime2023-02-161-0/+1
|
* Add metrics for capability checksBjørn Christian Seime2023-02-162-0/+39
|
* Add capability 'vespa.content.proton_admin_api'Bjørn Christian Seime2023-02-151-0/+1
|
* Add slobrok capability to all application nodesBjørn Christian Seime2023-02-151-2/+2
|
* Add new capabilities to existing capability setsBjørn Christian Seime2023-02-151-6/+10
|
* Use explicit `equals` and `hashCode` to use contents of arrays, not just refsTor Brede Vekterli2023-02-142-0/+55
| | | | Also add a friendlier `toString()` that hex dumps the enc/ciphertext fields.
* Require capabilities for built-in request handlersBjørn Christian Seime2023-02-141-0/+4
|
* Revert "Revert "Bjorncs/capabilities""Henning Baldersheim2023-02-145-21/+34
|
* Revert "Bjorncs/capabilities"Henning Baldersheim2023-02-145-34/+21
|
* Add new capabilities in node specific capability setsBjørn Christian Seime2023-02-133-11/+24
|
* Rename 'from()' to 'of()'Bjørn Christian Seime2023-02-135-10/+10
|
* Define required capabilities for existing JRT RPC methodsBjørn Christian Seime2023-02-091-0/+12
|
* Introduce capbilities for unclassified APIsBjørn Christian Seime2023-02-091-0/+3
| | | | Require 'vespa.rpc.unclassified' by default for all JRT APIs
* Move definition of predefined capability set to parent classBjørn Christian Seime2023-02-094-30/+46
| | | | Introduce functional interface ToCapabilitySet to simplify construction of second order capability sets.
* Add 'vespa.none' capabilityBjørn Christian Seime2023-02-061-0/+1
|
* Add an "interactive" token resealing protocol and basic tooling supportTor Brede Vekterli2023-01-314-10/+197
| | | | | | | | | | | | | | Implements a protocol for delegated access to a shared secret key of a token whose private key we do not possess. This builds directly on top of the existing token resealing mechanisms. The primary benefit of the resealing protocol is that none of the data exchanged can reveal anything about the underlying secret. Security note: neither resealing requests nor responses are explicitly authenticated (this is a property inherited from the sealed shared key tokens themselves). It is assumed that an attacker can observe all requests and responses in transit, but cannot modify them.
* Add y64 encoderBjørn Christian Seime2023-01-302-0/+65
|
* Unify on Streams.toListHenning Baldersheim2023-01-175-10/+5
|
* Ensure that HTTPS clients only use allowed ciphers and protocol versionsBjørn Christian Seime2023-01-092-2/+25
|
* Revert "Ensure that HTTPS clients only use allowed ciphers and protocol ↵Andreas Eriksen2023-01-062-25/+2
| | | | versions" (#25436)
* Ensure that HTTPS clients only use allowed ciphers and protocol versionsBjørn Christian Seime2023-01-062-2/+25
|
* Use ChaCha20-Poly1305 instead of AES-GCM for shared key-based cryptoTor Brede Vekterli2023-01-055-24/+228
| | | | | | | | | | | | | | | | | | | | | This is to get around the limitation where AES GCM can only produce a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before its security properties break down. ChaCha20-Poly1305 does not have any practical limitations here. ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits. A HKDF is used to internally expand the key material to 256 bits. To let token based decryption be fully backwards compatible, introduce a token version 2. V1 tokens will be decrypted with AES-GCM 128, while V2 tokens use ChaCha20-Poly1305. As a bonus, cryptographic operations will generally be _faster_ after this cipher change, as we use BouncyCastle ciphers and these do not use any native AES instructions. ChaCha20-Poly1305 is usually considerably faster when running without specialized hardware support. An ad-hoc experiment with a large ciphertext showed a near 70% performance increase over AES-GCM 128.