Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move computation of ShouldGenerateNewKey to KeyRingProvider #54264

Merged
merged 5 commits into from
Mar 1, 2024
Merged

Move computation of ShouldGenerateNewKey to KeyRingProvider #54264

merged 5 commits into from
Mar 1, 2024

Conversation

amcasey
Copy link
Member

@amcasey amcasey commented Feb 28, 2024

It used to be the case that part of IDefaultKeyResolver.ResolveDefaultKeyPolicy's job was to determine whether the current default key was close enough to expiration that a new one ought to be generated. This didn't make sense as the definition of "too close" depended upon the refresh period and propagation time of the ICacheableKeyRingProvider. That is, the IDefaultKeyResolver had to make assumptions about how often it would be polled for changed.

The old logic was also very subtle and, as far as I was able to determine, slightly incorrect. Formerly, the presence of any key activated prior to the current default key's expiration date and not expiring during the next propagation cycle was considered an acceptable replacement. Several things seem strange about this:

  1. The logic for finding a successor key is not the same as the logic for finding a preferred key (e.g. CanCreateAuthenticatedEncryptor is not checked)
  2. The propagation window is counted forward from the current time, rather than backward from the expiration time
  3. It's not immediately clear what happens if the successor key is unexpired at the end of the propagation window but expired before the default key's expiration time (maybe that's impossible or maybe that would be caught next refresh?)
  4. As mentioned above, it doesn't seem like the resolver should know about the refresh period or make assumptions about how often it's called

Now, the ICacheableKeyRingProvider is responsible for determining whether the returned default key is close enough to expiration that a new key should be generated. It checks whether the current time is within one propagation cycle of the expiration time, padding by an extra refresh period to account for the fact that we don't know where in the refresh cycle expiration will fall (i.e. so that we never generate a new key less than a full propagation cycle ahead of when it's needed).

Part of #53654

@amcasey
Move computation of ShouldGenerateNewKey to KeyRingProvider
6edf002 
It used to be the case that part of IDefaultKeyResolver.ResolveDefaultKeyPolicy's job was to determine whether the current default key was close enough to expiration that a new one ought to be generated.  This didn't make sense as the definition of "too close" depended upon the refresh period and propagation time of the ICacheableKeyRingProvider.  That is, the IDefaultKeyResolver had to make assumptions about how often it would be polled for changed.

The old logic was also very subtle and, as far as I was able to determine, slightly incorrect.  Formerly, the presence of any key activated prior to the current default key's expiration date and not expiring during the next propagation cycle was considered an acceptable replacement.  Several things seem strange about this:

1. The logic for finding a successor key is not the same as the logic for finding a preferred key (e.g. CanCreateAuthenticatedEncryptor is not checked)
2. The propagation window is counted forward from the current time, rather than backward from the expiration time
3. It's not immediately clear what happens if the successor key is unexpired at the end of the propagation window but expired before the default key's expiration time (maybe that's impossible or maybe that would be caught next refresh?)
4. As mentioned above, it doesn't seem like the resolver should know about the refresh period or make assumptions about how often it's called

Now, the ICacheableKeyRingProvider is responsible for determining whether the returned default key is close enough to expiration that a new key should be generated.  It checks whether the current time is within one propagation cycle of the expiration time, padding by an extra refresh period to account for the fact that we don't know where in the refresh cycle expiration will fall (i.e. so that we never generate a new key _less_ than a full propagation cycle ahead of when it's needed).

Part of dotnet#53654
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-dataprotection Includes: DataProtection label Feb 28, 2024
captainsafia
captainsafia approved these changes Mar 1, 2024
View reviewed changes
Copy link
Member

@captainsafia captainsafia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a small inline comment. Also worthwhile to document the change in meaning for DefaultKeyResolution.ShouldGenerateNewKey.

src/DataProtection/DataProtection/src/KeyManagement/DefaultKeyResolver.cs Show resolved Hide resolved
@amcasey amcasey enabled auto-merge (squash) March 1, 2024 01:08
@amcasey
Copy link
Member Author

amcasey commented Mar 1, 2024

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 3 pipeline(s).

@amcasey amcasey merged commit 726835d into dotnet:main Mar 1, 2024
26 checks passed
@amcasey amcasey deleted the ShouldGenerate branch March 1, 2024 19:42
@amcasey amcasey mentioned this pull request Mar 11, 2024
Open
3 tasks
@amcasey amcasey added the breaking-change This issue / pr will introduce a breaking change, when resolved / merged. label Mar 11, 2024
@dotnet-policy-service dotnet-policy-service bot added the needs-breaking-change-announcement Indicates that breaking change announcement shuold be posted and linked to this PR label Mar 11, 2024
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

dotnet-policy-service bot commented Mar 11, 2024
edited by amcasey
Loading

Thanks for identifying a breaking change.

no assignees, after you commit this PR please take the following actions, as part of the breaking changes announcement process:

  • Create an announcement issue by using the ASP.NET Core breaking change issue template.
  • Link the breaking change announcement issue from this PR.
  • Remove the needs-breaking-change-announcement label.

@amcasey amcasey removed the needs-breaking-change-announcement Indicates that breaking change announcement shuold be posted and linked to this PR label Mar 11, 2024
@danroth27 danroth27 added this to the 9.0-preview3 milestone Apr 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@captainsafia captainsafia captainsafia approved these changes

Assignees
No one assigned
Labels
area-dataprotection Includes: DataProtection breaking-change This issue / pr will introduce a breaking change, when resolved / merged.
Projects
None yet
Milestone
9.0-preview3
Development

Successfully merging this pull request may close these issues.
3 participants
@amcasey @captainsafia @danroth27