Skip to content
Snippets Groups Projects
Select Git revision
  • renovate/git.autistici.org-id-go-sso-digest
  • renovate/golang.org-x-crypto-0.x
  • renovate/github.com-prometheus-client_golang-1.x
  • renovate/github.com-go-ldap-ldap-v3-3.x
  • renovate/golang.org-x-sync-0.x
  • renovate/github.com-go-sql-driver-mysql-1.x
  • renovate/github.com-mattn-go-sqlite3-1.x
  • master default
  • renovate/github.com-lib-pq-1.x
  • renovate/git.autistici.org-ai3-go-common-digest
  • pass-state
  • integration-test
  • memguard
13 results
Compare
Name Last commit Last update
backend
client
cmd
debian
dovecot
server
userenckey
vendor
.gitlab-ci.yml
README.md
protocol.go
README.md

keystore

KeyStore holds unencrypted secrets on behalf of users in memory for a short time (of the order of a SSO session lifespan). User secrets can be opened with a password (used to decrypt the key, which is stored encrypted in a database), queried by presenting a suitable authentication token, and closed (wiped and forgotten).

The database can provide multiple versions of the encrypted key (to support multiple decryption passwords), in which case we'll try them all sequentially until one of them decrypts successfully with the provided password.

In order to query the KeyStore, you need to present a valid SSO token for the user whose secrets you would like to obtain.

API

The server exports an API over HTTP/HTTPS. All requests should be made using the POST method and a Content-Type of application/json. The request body should contain a JSON-encoded object. Responses will be similarly JSON-encoded.

/api/open (OpenRequest)

Retrieve the encrypted key for a user, decrypt it with the provided password, and store it in memory.

OpenRequest is an object with the following attributes:

  • username
  • password to decrypt the user's key with
  • ttl (seconds) time after which the credentials are automatically forgotten

/api/get (GetRequest) -> GetResponse

Retrieve the key for a user. GetRequest must contain the following attributes:

  • username whose key you wish to retrieve
  • sso_ticket with a valid SSO ticket for the keystore service

If the request is successfully authenticated, GetResponse will contain a single attribute key.

/api/close (CloseRequest)

Forget the key for a given user.

Dovecot integration

The final consumer for user encryption keys is the Dovecot service. The dovecot-keylookupd daemon can read the user public and private keys from LDAP, and serve the unencrypted keys to Dovecot using its dict proxy protocol.

TODO: explain the lookup protocol.