feat: disable consumer pull transfers if key settings are missing #3820
private JWSVerifier createVerifier(JWSHeader header, Key publicKey) throws JOSEException { | ||
return new DefaultJWSVerifierFactory().createJWSVerifier(header, publicKey); | ||
} | ||
|
||
private RSAKey testKey() throws JOSEException { |

suggestion: I would use Ed25519 keys wherever possible, as they seem to emerge as the new quasi-standard. Also, they are much faster to generate than RSA keys:
with Nimbus (this is the one we'd need here):
JWK ed25519Key = new OctetKeyPairGenerator(Curve.Ed25519).generate();
with plain Java:
KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
using the BouncyCastle provider:
KeyPair kp = KeyPairGenerator.getInstance("Ed25519", new BouncyCastleProvider()).generateKeyPair();

With the first one I get an `Export to java.security.PrivateKey not supported`, the second one tells me that the algorithm is not supported...
To be honest, I didn't change the code here, just moved the method to the bottom; if you're OK with it I would leave it as it is.

Yeah, it's fine. We can do that in a housekeeping task somewhere down the road.
Just FYI: the Nimbus one probably fails, because the module doesn't have the Tink library on the (runtime) classpath.

LGTM, just a minor nit on logging
context.getMonitor().info("One of these settings is not configured, so the connector won't be able to provide 'consumer-pull' transfers: [%s, %s]" | ||
.formatted(TOKEN_VERIFIER_PUBLIC_KEY_ALIAS, TOKEN_SIGNER_PRIVATE_KEY_ALIAS)); |
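Review bot: the `info(...)` message says "One of these settings is not configured" and then lists both aliases, so whoever reads the log still cannot tell which of `TOKEN_VERIFIER_PUBLIC_KEY_ALIAS` and `TOKEN_SIGNER_PRIVATE_KEY_ALIAS` is actually missing. Consider checking each setting on its own and naming only the missing one in the message. Since the effect is that 'consumer-pull' transfers are switched off, a warning-level entry may also be easier to spot than an info-level one.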

The logging I think it should be on the `else` branch
woa, you're right 😅

What this PR changes/adds

Add settings check to `TransferDataPlaneCoreExtension`, if the ones related to the private/public keys are missing, then the "consumer-pull" transfer won't be enabled.

Why it does that

avoid weird exceptions when settings are missing

Further notes

`JwtGenerationService` to avoid null pointer exceptions there in the case the key is not available.

Linked Issue(s)

Closes #3810