Commit 3a27b01f authored by ale's avatar ale

Update keystore client

parent bcc3b0e8
Pipeline #889 passed with stages
in 1 minute and 8 seconds
This diff is collapsed.
......@@ -27,14 +27,17 @@ similarly JSON-encoded.
Retrieve the encrypted key for a user, decrypt it with the provided
password, and store it in memory.
OpenRequest is an object with the
following attributes:
OpenRequest is an object with the following attributes:
* `username`
* `password` to decrypt the user's key with
* `ttl` (seconds) time after which the credentials are automatically
If the user has no encrypted keys in the database, the request will
still return successfully: no action will be performed, and no errors
will be returned.
`/api/get` (*GetRequest*) -> *GetResponse*
Retrieve the key for a user. GetRequest must contain the following
......@@ -49,3 +52,65 @@ a single attribute *key*.
`/api/close` (*CloseRequest*)
Forget the key for a given user.
# Dovecot integration
The final consumer for user encryption keys is the Dovecot
service. The *dovecot-keylookupd* daemon can read the user public and
private keys from LDAP, and serve the *unencrypted* keys to Dovecot
using its [dict proxy
TODO: explain the lookup protocol.
# Configuration
The *keystored* daemon loads its configuration from a YAML-encoded
file, */etc/keystore/config.yml* by default. It can contain the
following attributes:
* `sso_public_key_file`: path to the SSO Ed25519 public key
* `sso_service`: SSO service for this application
* `sso_domain`: SSO domain
* `ldap`: LDAP backend configuration
* `uri`: LDAP server URI
* `bind_dn`: bind DN (for simple bind, SASL is not supported)
* `bind_pw`: bind password
* `bind_pw_file`: bind password (load from this file), in
alternative to *bind_pw*
* `query`: Parameters for the LDAP search query
* `search_base`: base DN for the search
* `search_filter`: search filter. The filter string may contain a
literal `%s` token somewhere, that will be replaced with the
(escaped) username.
* `scope`: search scope, one of *sub* (default), *one* or *base*
* `public_key_attr`: attribute that contains the user's public key
* `private_key_attr`: attribute that contains the user's encrypted
* `http_server`: HTTP server configuration
* `tls`: contains the server-side TLS configuration:
* `cert`: path to the server certificate
* `key`: path to the server's private key
* `ca`: path to the CA used to validate clients
* `acl`: specifies TLS-based access controls, a list of entries
with the following attributes:
* `path`: regular expression to match the request URL path
* `cn`: regular expression that must match the CommonName part
of the subject of the client certificate
* `max_inflight_requests`: maximum number of in-flight requests to
allow before server-side throttling kicks in
The *dovecot-keylookupd* daemon uses a similar configuration, read by
default from */etc/keystore/dovecot.yml*:
* `ldap`: LDAP backend configuration, see above
* `keystore`: configures the connection to the keystore service
* `url`: URL for the keystore service
* `sharded`: if true, requests to the keystore service will be
partitioned according to the user's *shard* attribute
* `tls_config`: client TLS configuration
* `cert`: path to the client certificate
* `key`: path to the private key
* `ca`: path to the CA used to validate the server
* `shard`: shard identifier for the local host. Must be set if
keystore.sharded is true.
......@@ -45,7 +45,7 @@ func (c *ksClient) Get(ctx context.Context, shard, username, ssoTicket string) (
SSOTicket: ssoTicket,
var resp keystore.GetResponse
err := clientutil.DoJSONHTTPRequest(ctx,,"/api/get", &req, &resp)
err := clientutil.DoJSONHTTPRequest(ctx,,"/api/get_key", &req, &resp)
return resp.Key, err
......@@ -33,16 +33,16 @@
"revisionTime": "2017-12-17T09:15:51Z"
"checksumSHA1": "3alRLG3a43ORlVZyfQc/JsT0KtI=",
"checksumSHA1": "Byt5J619jXGr+VBTp6HlFQybWM4=",
"path": "",
"revision": "b09f1210471f6a60402e8ced4783be3889a4074f",
"revisionTime": "2017-12-15T13:50:57Z"
"revision": "3396b96b8dac3be8ea1718b89d6e6678daa75eb5",
"revisionTime": "2018-02-16T18:04:07Z"
"checksumSHA1": "MgtHklQMI/3fNcZZzkg+fmQUrCQ=",
"checksumSHA1": "VlEW+yMUPGk0Fc5PKfya2kXwHWo=",
"path": "",
"revision": "ae260514708a9eb3e81b554e1b7b2c65ef802584",
"revisionTime": "2017-12-17T21:51:41Z"
"revision": "3396b96b8dac3be8ea1718b89d6e6678daa75eb5",
"revisionTime": "2018-02-16T18:04:07Z"
"checksumSHA1": "usT4LCSQItkFvFOQT7cBlkCuGaE=",
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment