
Add support for optional encryption of RSA key at rest #13

Open
wants to merge 2 commits into
base: master

Conversation

bendavis78

@bendavis78 bendavis78 commented Apr 5, 2024

This adds support for the encryption of private RSA keys stored in the database. It's written in such a way that it's backward compatible, and should not change anything for existing installations.

To enable encryption of RSA keys, you must create functions for encryption & decryption, and define the following hooks in settings.py:

OIDC_RSA_ENCRYPT_HOOK='djtest.encryption.encrypt'
OIDC_RSA_DECRYPT_HOOK='djtest.encryption.decrypt'

The RSAKey model provides a new field called encrypted. When encrypted is True and the model is saved, the value of key will be encrypted when saved. The .pem attribute should be used to retrieve the key PEM, regardless of whether or not it is encrypted. If the RSAKey instance is encrypted, .pem will return the raw value from the database.

Once this is enabled, RSAKey instances with encrypt=True will be encrypted & decrypted using the given encryption hook.

This is split into two versions so that dependent services can deploy the migration separately from the code changes:

  • 0.8.4+orm.migration: migration only
  • 0.8.4+orm: code changes w/ optional encryption
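An added example (not code from this PR or from the project) of what the two hooks and the described save/.pem behaviour look like end to end. It assumes the `cryptography` package for Fernet, uses this module's own name in place of `djtest.encryption`, and the `RSAKey` class below is a hypothetical stand-in modelling the behaviour the description states, not the real Django model.

```python
# Added example: hook module plus a stand-in for the RSAKey behaviour described
# in the PR. The RSAKey class is hypothetical, not django-oidc-provider's code.
import importlib
import os
from cryptography.fernet import Fernet

# The key-encryption key must live outside the database (env var, KMS, secret
# store); a key stored next to the ciphertext gives no protection at rest.
# Constructed fallback so the demo runs offline: a fresh key per process.
_KEK = os.environ.get("OIDC_RSA_KEK") or Fernet.generate_key()
_fernet = Fernet(_KEK)

def encrypt(pem: str) -> str:
    """OIDC_RSA_ENCRYPT_HOOK: PEM text in, authenticated Fernet token out."""
    return _fernet.encrypt(pem.encode()).decode()

def decrypt(token: str) -> str:
    """OIDC_RSA_DECRYPT_HOOK: token in, PEM out; raises InvalidToken if tampered."""
    return _fernet.decrypt(token.encode()).decode()

# Dotted paths as in the settings.py lines above; __name__ stands in for
# 'djtest.encryption' so the block resolves against itself.
SETTINGS = {
    "OIDC_RSA_ENCRYPT_HOOK": __name__ + ".encrypt",
    "OIDC_RSA_DECRYPT_HOOK": __name__ + ".decrypt",
}

def load_hook(dotted: str):
    """Resolve 'package.module.func' the way Django's import_string does."""
    module_path, _, attr = dotted.rpartition(".")
    return getattr(importlib.import_module(module_path), attr)

class RSAKey:
    """Hypothetical stand-in: encrypts on save only when encrypted=True,
    and .pem hands back usable PEM text either way (backward compatible)."""
    def __init__(self, key: str, encrypted: bool = False):
        self.key, self.encrypted, self.stored = key, encrypted, None
    def save(self) -> None:
        hook = load_hook(SETTINGS["OIDC_RSA_ENCRYPT_HOOK"])
        self.stored = hook(self.key) if self.encrypted else self.key
    @property
    def pem(self) -> str:
        if not self.encrypted:
            return self.stored
        return load_hook(SETTINGS["OIDC_RSA_DECRYPT_HOOK"])(self.stored)

# Constructed placeholder, not a real private key.
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
```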

@bendavis78 bendavis78 requested a review from a team as a code owner April 5, 2024 21:24
encrypted=options.get('encrypted', False),
)
rsakey.save()
self.stdout.write(u'RSA key successfully created with kid: {0}'.format(rsakey.kid))

Suggested change
self.stdout.write(u'RSA key successfully created with kid: {0}'.format(rsakey.kid))
self.stdout.write(f'RSA key successfully created with kid: {rsakey.kid}')
