add support for Secret Store client keys #392
Conversation
|
@Integralist @awilliams-fastly I don't have write access to this repo so I pushed to a fork. I also can't set reviewers so I'm tagging you in! |
|
Bleh, the linter wants Go 1.19. I'm not entirely sure why the version on Let me know what you want me to do. I can either try to find an older version of the crypto package that works with the older tools package, or we can bump up and require Go 1.19. Even if we go with the older version of the crypto package, we will need to bump the requirement to Go 1.17 because the crypto API requires casting a slice to a pointer of a fixed-size array. |
|
👋🏻 @joeshaw you've been given WRITE access to this repo now. It's been suggested that the API client should be using two versions back from the latest release, so that would suggest 1.18 is fine to bump to here if you want to (or if that helps with finding an older crypto package). |
joeshaw
force-pushed
the
joeshaw/secret-store-client-keys
branch
from
8b1dc59
to
d50d58c
Compare
This lets clients create a client key for local encryption of secrets before uploading to the Fastly API. This bumps the minimum required Go version to 1.18 and introduces `golang.org/x/crypto` as a dependency.
joeshaw
force-pushed
the
joeshaw/secret-store-client-keys
branch
from
d50d58c
to
e2b51cf
Compare
|
Thanks for the review! I've rebased on main, fixed up the module versioning, and made Go 1.18 the minimum required version. The CI seems to be failing with the |
|
Ok, I'm able to reproduce the CI failure if I clear out my module cache with
(Previously the |
From the `go help mod download` docs: > With no arguments, download applies to the modules needed to build and test the packages in the main module: the modules explicitly required by the main module if it is at 'go 1.17' or higher, or all transitively-required modules if at 'go 1.16' or lower. This causes `go mod tidy` to download additional modules not fetched by `go mod download`. The old check errored if there was any output from `go mod tidy -v`. So now we omit "downloading" messages. As a result, it's also no longer necessary to separately run `go mod download`, as any modules that are needed are downloaded by `go mod tidy`.
|
Ok, latest commit fixes the CI error. |
Version 0.3.3 (2022.1.3)
joeshaw
force-pushed
the
joeshaw/secret-store-client-keys
branch
from
2a436d5
to
3861879
Compare
|
Finally CI passes! 😅 staticcheck had to be upgraded to 2022.1.3 support generics (Go 1.18) but couldn't be updated to the latest release (2023.1) because it requires Go 1.19. |
joeshaw
force-pushed
the
joeshaw/secret-store-client-keys
branch
from
f1914ff
to
5a09a2f
Compare
| // https://pkg.go.dev/golang.org/x/crypto/nacl/box#SealAnonymous | ||
| // https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes | ||
| func (ck *ClientKey) Encrypt(plaintext []byte) ([]byte, error) { | ||
| if len(ck.PublicKey) != 32 { |
There was a problem hiding this comment.
Should we use ed25519.PublicKeySize instead of the 'magic number'?
| if len(ck.PublicKey) != 32 { | |
| if len(ck.PublicKey) != ed25519.PublicKeySize { |
There was a problem hiding this comment.
No, because these are actually not the same thing conceptually. The signing key is an Ed25519 public key, and uses the APIs from https://pkg.go.dev/crypto/ed25519. The client key is an X25519 public key, and uses the APIs from https://pkg.go.dev/golang.org/x/crypto/nacl/box. They're derived from similar things but aren't quite the same. This Stack Overflow answer goes into some details on the differences.
Both are 32 bytes long so it would work, but it doesn't feel quite right to use the ed25519 values here. Unfortunately, the nacl/box package hardcodes 32-byte arrays throughout its API and doesn't define a constant for this.
This lets clients create a client key for local encryption of secrets
before uploading to the Fastly API.
This bumps the minimum required Go version to
1.171.18 and introducesgolang.org/x/cryptoas a dependency.