Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Key rotation policy. #194

Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions governance/policies/settings-policy.json
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@
"description": "Key Management Service",
"version": "1.0.0",
"debug": true
},
"keyRotation": {
"gracePeriodDays": 2,
MohamedSalah9972 marked this conversation as resolved.
Show resolved Hide resolved
MohamedSalah9972 marked this conversation as resolved.
Show resolved Hide resolved
"ttlDays": 7
}
}
}
Expand Down
2 changes: 2 additions & 0 deletions src/endpoints/IKeyItem.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ export interface IKeyItem extends JsonWebKeyEdDSAPublic {
receipt?: string;
id?: number;
d?: string;
creationDate?: string;
expiryDate?: string;
MohamedSalah9972 marked this conversation as resolved.
Show resolved Hide resolved
MohamedSalah9972 marked this conversation as resolved.
Show resolved Hide resolved
}

// Define an interface for a wrap key
Expand Down
26 changes: 26 additions & 0 deletions src/endpoints/keyEndpoint.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ import { validateAttestation } from "../attestation/AttestationValidation";
import { hpkeKeyIdMap, hpkeKeysMap } from "../repositories/Maps";
import { ServiceRequest } from "../utils/ServiceRequest";
import { Logger } from "../utils/Logger";
import { Settings } from "../policies/Settings";
import { TrustedTime } from "../utils/TrustedTime";

// Enable the endpoint
enableEndpoint();
Expand Down Expand Up @@ -164,6 +166,30 @@ export const key = (
404,
);
}

const settings = Settings.loadSettings().settings;
const gracePeriodDays = settings.keyRotation.gracePeriodDays;

// Get the current time using TrustedTime
const currentTime = TrustedTime.getCurrentTime();
const currentDate = new Date(currentTime);

// Get the expiry date of the key
const expiryDate = new Date(keyItem.expiryDate!);

// Calculate the grace period start date by subtracting the grace period days from the expiry date
const gracePeriodMillis = gracePeriodDays * 24 * 60 * 60 * 1000;
const gracePeriodStartDate = new Date(expiryDate.getTime() - gracePeriodMillis);

if (currentDate > expiryDate) {
return ServiceResult.Failed<string>(
{ errorMessage: `${name}: Key has expired and is no longer valid` },
400,
);
} else if (currentDate > gracePeriodStartDate) {
Logger.warn(`${name}: Key is deprecated and will expire soon`);
}

const receipt = hpkeKeysMap.receipt(kid);

if (validateAttestationResult.statusCode === 202) {
Expand Down
9 changes: 9 additions & 0 deletions src/endpoints/refreshEndpoint.ts
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import { KeyGeneration } from "./KeyGeneration";
import { enableEndpoint } from "../utils/Tooling";
import { ServiceRequest } from "../utils/ServiceRequest";
import { Logger } from "../utils/Logger";
import { Settings } from "../policies/Settings";

// Enable the endpoint
enableEndpoint();
Expand Down Expand Up @@ -37,8 +38,16 @@ export const refresh = (
// So the current logic is to have ids rotate from 10 to 99
const keyItem = KeyGeneration.generateKeyItem(id % 90 + 10);

const settings = Settings.loadSettings().settings;
const ttlDays = settings.keyRotation.ttlDays;
const creationDate = new Date();
const expiryDate = new Date(creationDate);
expiryDate.setDate(creationDate.getDate() + ttlDays);

// Store HPKE key pair kid
keyItem.kid = `${keyItem.kid!}_${id}`;
keyItem.creationDate = creationDate.toISOString();
keyItem.expiryDate = expiryDate.toISOString();
hpkeKeyIdMap.storeItem(id, keyItem.kid);

// Store HPKE key pair
Expand Down
11 changes: 11 additions & 0 deletions src/policies/Settings.ts
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,16 @@ export interface IService {
debug: boolean;
}

export interface IKeyRotation {
gracePeriodDays: number;
ttlDays: number;
}


// Define the ISettings interface
export interface ISettings {
service: IService;
keyRotation: IKeyRotation;
}

export class Settings {
Expand All @@ -34,6 +41,10 @@ export class Settings {
version: "1.0.0",
debug: false,
},
keyRotation: {
gracePeriodDays: 2,
ttlDays: 7,
},
};
}

Expand Down
12 changes: 12 additions & 0 deletions src/utils/TrustedTime.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
export class TrustedTime {
private static lastTimestamp: number = 0;

public static getCurrentTime(): number {
const currentTime = Date.now();
if (currentTime <= this.lastTimestamp) {
throw new Error("System time moved backwards.");
}
this.lastTimestamp = currentTime;
return currentTime;
}
}