Feat/azure_ekm_proxy_api_version=0.1-preview #601
Needs a rebase. Otherwise this will stop at this stage until an Azure prod env is available to test.
I believe you can rebase from now since #658 has been merged to develop
06af9e2 to 7cb2714
Just rebased
0d7c643 to 641d677
.cargo/config.toml
Outdated
| # "target_cpu=native", | ||
| # ] | ||
|
|
||
| # can increase build time for system that support mold |
this was added intentionally
Could you please remove this? If needed, add an internal README with specific build instructions
.vscode/settings.json
Outdated
| "non-fips" | ||
| ] | ||
| ], | ||
| "rust-analyzer.cargo.extraEnv": { |
this was also added intentionally
Same here, remove it and add it to an internal README. IMHO, .vscode/settings.json should be removed completely.
2b05b39 to ac1d664
feat: DONE rfc5649
fix: fix problematic test
feat: finish up
fix: major bug
feat: add a lot of things
fix: add back provider for ci tests
fix: clip
fix: a lot more stuff
fix: a lot more stuff2
fix: some fixes
fix: finish up
feat: reviews fixes + ui fixes + migrate fixes + a test
feat: missing file
fix: ui
fix: review fixes
fix: grammar fixes
feat: add azure ekm configs
feat: wip on errors
feat: finish start file
feat: big advance on metadata endpoint
feat: finish metadata but the code is ugly
refactor: HUGE refactoring of that huge nested code induced by the errors (I used handlers)
feat: more advance
feat: finish the api and fix compiler problems
feat: multiple improvements for endpoints
feat: more improvements
feat: auth OK
feat: auth seems ok ...?
feat: first refactor
fix: improve
fix: add missing files
fix: commit first files
fix: add the rest
fix: rfc algorithms
Revert "fix: rfc algorithms" This reverts commit e5d9737.
fix: add rfc algos
feat: rfc3394 algo postfixes
feat: post review fixes and some new feats to AES handlers
feat: final commits that got lost before finish
fix: test fixes
feat: finish docs and fix some more todos2
64fe211 to be8da0c
.cargo/config.toml
Outdated
|
|
||
| # [target.x86_64-unknown-linux-gnu] # TODO: uncomment this after dev is finished | ||
| # linker = "clang" | ||
| # rustflags = ["-C", "link-arg=-fuse-ld=mold"] |
Just a comment to remember to revert these changes
.vscode/settings.json
Outdated
| "rust-analyzer.cargo.features": [ | ||
| "non-fips" | ||
| ] | ||
| ], |
Revert (and make it a user only configuration)
| Ok(plaintext) | ||
| } | ||
|
|
||
| // // Encrypt block using AES with ECB mode i.e. raw AES as specified in |
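Review bot: the last line of this hunk starts with `// //`, which reads as a function that was commented out together with its own doc comment, directly after the `Ok(plaintext) }` that closes the previous one. If the raw AES (ECB) block helper is no longer called, delete it instead of committing it commented out; if it is still needed, restore it as live code with a test so it does not silently rot.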
| /// WARNING: This bypasses mTLS authentication entirely. Only use for testing! | ||
| #[clap( | ||
| long, | ||
| env = "KMS_AZURE_EKM_DISABLE_CLIENT_AUTH", | ||
| default_value = "false" | ||
| )] | ||
| // serde does not support skipping booleans out of the box so a custom function is used | ||
| #[serde(skip_serializing_if = "is_false")] | ||
| pub azure_ekm_disable_client_auth: bool, |
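Review bot: `azure_ekm_disable_client_auth` can be turned on through the `KMS_AZURE_EKM_DISABLE_CLIENT_AUTH` environment variable alone, so a variable left over in a deployment environment removes mTLS without any change to the configuration file, and the doc comment's "Only use for testing!" is not enforced by anything in these lines. If the option has to stay, consider compiling it only into test or debug builds, or at least emitting a prominent startup warning whenever it is true; `skip_serializing_if = "is_false"` only affects how the value is written out, not whether it can be set.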
Is this parameter really required?
If during testing, mTLS must be disabled, I would advise disabling this TLS configuration:
[tls]
# Your server certificate and private key (PKCS#12 format)
tls_p12_file = "/etc/cosmian/server-cert.p12"
tls_p12_password = "your-secure-password"
# The certificate downloaded in the previous section
# This validates the client certificate presented by Azure MHSM
clients_ca_cert_file = "/etc/cosmian/mhsm-root-ca.pem"
Isn't it enough?
| let status_code = e.status_code().as_u16(); | ||
|
|
||
| // Mapping non-internal errors status numeric code to an error code string | ||
| let code = match status_code { |
Do not convert to u16 and match directly on e.status_code()?
| // Check algorithm and build response | ||
| match algorithm { | ||
| CryptographicAlgorithm::AES => { | ||
| if key_length == 256 { |
Add a const variable for this 256-value and mention on it that it is an Azure ProxyEKM restriction.
| ) | ||
| })?; | ||
| let (modulus, public_exponent) = | ||
| get_rsa_key_metadata_from_public_key(kms, key_id, &user).await?; |
Watch out here.
Even if your changes seem to be correct, there are currently no tests to validate if MS DKE encryption is broken or not.
Issue #653
Overview:
Basically an implementation of the Azure EKM API, following the specifications faithfully. This is version 0.1-preview; the code is flexible for future versions.
What's done:
Otherwise:
Closes #653
Appendix
Following are the docs diagrams
