Generate separate signing key pair for digital signatures

Author: Copilot

backend/cmd/server/repository/conf/deployment.yaml

@@ -35,6 +35,13 @@ database:
 crypto:
   encryption:
     key: "file://repository/resources/security/crypto.key"
+  keys:
+    - id: "default-key"
+      cert_file: "repository/resources/security/signing.cert"
+      key_file: "repository/resources/security/signing.key"
+
+jwt:
+    preferred_key_id: "default-key"
 
 cors:
   allowed_origins:

backend/cmd/server/repository/resources/conf/default.json

@@ -124,8 +124,8 @@
     "keys": [
       {
         "id": "default-key",
-        "cert_file": "repository/resources/security/server.cert",
-        "key_file": "repository/resources/security/server.key"
+        "cert_file": "repository/resources/security/signing.cert",
+        "key_file": "repository/resources/security/signing.key"
       }
     ]
   }

build.ps1

@@ -515,7 +515,8 @@ function Prepare-Backend-For-Packaging {
     Copy-Item -Path (Join-Path $BACKEND_DIR "bootstrap") -Destination $package_folder -Recurse -Force
 
     Write-Host "=== Ensuring server certificates exist in the distribution ==="
-    Ensure-Certificates -cert_dir $security_dir
+    Ensure-Certificates -cert_dir $security_dir -cert_name_prefix "server"
+    Ensure-Certificates -cert_dir $security_dir -cert_name_prefix "signing"
     Write-Host "================================================================"
 
     Write-Host "=== Ensuring crypto file exists in the distribution ==="
@@ -601,7 +602,7 @@ function Build-Sample-App {
     # Build React Vanilla sample
     Write-Host "=== Building React Vanilla sample app ==="
     Write-Host "=== Ensuring React Vanilla sample app certificates exist ==="
-    Ensure-Certificates -cert_dir $VANILLA_SAMPLE_APP_DIR
+    Ensure-Certificates -cert_dir $VANILLA_SAMPLE_APP_DIR -cert_name_prefix "server"
 
     Push-Location $VANILLA_SAMPLE_APP_DIR
     try {
@@ -668,7 +669,7 @@ function Build-Sample-App {
 
     # Ensure certificates exist for React SDK sample
     Write-Host "=== Ensuring React SDK sample app certificates exist ==="
-    Ensure-Certificates -cert_dir $REACT_SDK_SAMPLE_APP_DIR
+    Ensure-Certificates -cert_dir $REACT_SDK_SAMPLE_APP_DIR -cert_name_prefix "server"
 
     Push-Location $REACT_SDK_SAMPLE_APP_DIR
     try {
@@ -794,7 +795,7 @@ function Package-Vanilla-Sample {
 
     # Ensure the certificates exist in the sample app directory
     Write-Host "=== Ensuring certificates exist in the React Vanilla sample distribution ==="
-    Ensure-Certificates -cert_dir $vanilla_sample_app_folder
+    Ensure-Certificates -cert_dir $vanilla_sample_app_folder -cert_name_prefix "server"
 
     # Copy the appropriate startup script based on the target OS
     if ($SAMPLE_DIST_OS -eq "win") {
@@ -1215,10 +1216,10 @@ function Export-CertificateAndKeyToPem {
 
 function Ensure-Certificates {
     param(
-        [string]$cert_dir
+        [string]$cert_dir,
+        [string]$cert_name_prefix = "server"  # Default to "server" if not specified
     )
 
-    $cert_name_prefix = "server"
     $cert_file_name = "${cert_name_prefix}.cert"
     $key_file_name = "${cert_name_prefix}.key"
 
@@ -1229,7 +1230,8 @@ function Ensure-Certificates {
     if (-not (Test-Path $local_cert_file) -or -not (Test-Path $local_key_file)) {
         New-Item -Path $LOCAL_CERT_DIR -ItemType Directory -Force | Out-Null
 
-        Write-Host "Generating SSL certificates in $LOCAL_CERT_DIR..."
+        Write-Host "Generating certificates ($cert_name_prefix) in $LOCAL_CERT_DIR..."
+        
         try {
             $openssl = Get-Command openssl -ErrorAction SilentlyContinue
             if ($openssl) {
@@ -1238,12 +1240,12 @@ function Ensure-Certificates {
                     -out $local_cert_file `
                     -subj "/O=WSO2/OU=Thunder/CN=localhost" 2>$null
                 if ($LASTEXITCODE -ne 0) {
-                    throw "Error generating SSL certificates: OpenSSL failed with exit code $LASTEXITCODE"
+                    throw "Error generating certificates: OpenSSL failed with exit code $LASTEXITCODE"
                 }
                 Write-Host "Certificates generated successfully in $LOCAL_CERT_DIR using OpenSSL."
             }
             else {
-                Write-Host "OpenSSL not found - generating self-signed cert using .NET CertificateRequest (no UI)."
+                Write-Host "OpenSSL not found - generating certificates using .NET CertificateRequest (no UI)."
                 # Use .NET CertificateRequest to avoid CertEnroll / smartcard enrollment UI issues.
                 try {
                     $rsa = [System.Security.Cryptography.RSA]::Create(2048)
@@ -1302,17 +1304,17 @@ function Ensure-Certificates {
                     Write-Host "Certificates generated successfully in $LOCAL_CERT_DIR using .NET CertificateRequest." 
                 }
                 catch {
-                    throw "Error creating self-signed certificate using .NET APIs: $_"
+                    throw "Error creating certificates using .NET APIs: $_"
                 }
             }
         }
         catch {
-            Write-Error "Error generating SSL certificates: $_"
+            Write-Error "Error generating certificates: $_"
             exit 1
         }
     }
     else {
-        Write-Host "Certificates already exist in $LOCAL_CERT_DIR."
+        Write-Host "Certificates ($cert_name_prefix) already exist in $LOCAL_CERT_DIR."
     }
 
     # Copy the generated certificates to the specified directory
@@ -1322,13 +1324,13 @@ function Ensure-Certificates {
     if (-not (Test-Path $cert_file) -or -not (Test-Path $key_file)) {
         New-Item -Path $cert_dir -ItemType Directory -Force | Out-Null
 
-        Write-Host "Copying certificates to $cert_dir..."
+        Write-Host "Copying certificates ($cert_name_prefix) to $cert_dir..."
         Copy-Item -Path $local_cert_file -Destination $cert_file -Force
         Copy-Item -Path $local_key_file -Destination $key_file -Force
         Write-Host "Certificates copied successfully to $cert_dir."
     }
     else {
-        Write-Host "Certificates already exist in $cert_dir."
+        Write-Host "Certificates ($cert_name_prefix) already exist in $cert_dir."
     }
 }
 
@@ -1523,10 +1525,11 @@ function Run-Backend {
     )
 
     Write-Host "=== Ensuring server certificates exist ==="
-    Ensure-Certificates -cert_dir (Join-Path $BACKEND_DIR $SECURITY_DIR)
+    Ensure-Certificates -cert_dir (Join-Path $BACKEND_DIR $SECURITY_DIR) -cert_name_prefix "server"
+    Ensure-Certificates -cert_dir (Join-Path $BACKEND_DIR $SECURITY_DIR) -cert_name_prefix "signing"
 
     Write-Host "=== Ensuring React Vanilla sample app certificates exist ==="
-    Ensure-Certificates -cert_dir $VANILLA_SAMPLE_APP_DIR
+    Ensure-Certificates -cert_dir $VANILLA_SAMPLE_APP_DIR -cert_name_prefix "server"
 
     Write-Host "=== Ensuring crypto file exists for run ==="
     Ensure-Crypto-File -conf_dir (Join-Path $BACKEND_DIR "repository/conf")

build.sh

@@ -375,7 +375,8 @@ function prepare_backend_for_packaging() {
     chmod +x "$DIST_DIR/$PRODUCT_FOLDER/bootstrap/"*.sh 2>/dev/null || true
 
     echo "=== Ensuring server certificates exist in the distribution ==="
-    ensure_certificates "$DIST_DIR/$PRODUCT_FOLDER/$SECURITY_DIR"
+    ensure_certificates "$DIST_DIR/$PRODUCT_FOLDER/$SECURITY_DIR" "server"
+    ensure_certificates "$DIST_DIR/$PRODUCT_FOLDER/$SECURITY_DIR" "signing"
     echo "================================================================"
 
     echo "=== Ensuring crypto file exists in the distribution ==="
@@ -449,7 +450,7 @@ function build_sample_app() {
     # Build React Vanilla sample
     echo "=== Building React Vanilla sample app ==="
     echo "=== Ensuring React Vanilla sample app certificates exist ==="
-    ensure_certificates "$VANILLA_SAMPLE_APP_DIR"
+    ensure_certificates "$VANILLA_SAMPLE_APP_DIR" "server"
 
     cd "$VANILLA_SAMPLE_APP_DIR" || exit 1
     echo "Installing React Vanilla sample dependencies..."
@@ -466,7 +467,7 @@ function build_sample_app() {
 
     # Ensure certificates exist for React SDK sample
     echo "=== Ensuring React SDK sample app certificates exist ==="
-    ensure_certificates "$REACT_SDK_SAMPLE_APP_DIR"
+    ensure_certificates "$REACT_SDK_SAMPLE_APP_DIR" "server"
 
     cd "$REACT_SDK_SAMPLE_APP_DIR" || exit 1
     echo "Installing React SDK sample dependencies..."
@@ -483,7 +484,7 @@ function build_sample_app() {
 
     # Ensure certificates exist for React API-based sample
     echo "=== Ensuring React API-based sample app certificates exist ==="
-    ensure_certificates "$REACT_API_SAMPLE_APP_DIR"
+    ensure_certificates "$REACT_API_SAMPLE_APP_DIR" "server"
 
     cd "$REACT_API_SAMPLE_APP_DIR" || exit 1
     echo "Installing React API-based sample dependencies..."
@@ -553,7 +554,7 @@ function package_vanilla_sample() {
 
     # Ensure the certificates exist in the sample app directory
     echo "=== Ensuring certificates exist in the React Vanilla sample distribution ==="
-    ensure_certificates "$DIST_DIR/$VANILLA_SAMPLE_APP_FOLDER"
+    ensure_certificates "$DIST_DIR/$VANILLA_SAMPLE_APP_FOLDER" "server"
 
     # Copy the appropriate startup script based on the target OS
     if [ "$SAMPLE_DIST_OS" = "win" ]; then
@@ -627,7 +628,7 @@ function package_react_api_based_sample() {
 
     # Ensure the certificates exist in the sample app dist directory
     echo "=== Ensuring certificates exist in the React API-based sample distribution ==="
-    ensure_certificates "$DIST_DIR/$REACT_API_SAMPLE_APP_FOLDER/dist"
+    ensure_certificates "$DIST_DIR/$REACT_API_SAMPLE_APP_FOLDER/dist" "server"
 
     # Copy the appropriate startup script based on the target OS
     if [ "$SAMPLE_DIST_OS" = "win" ]; then
@@ -826,16 +827,16 @@ function merge_coverage() {
 
 function ensure_certificates() {
     local cert_dir=$1
-    local cert_name_prefix="server"
+    local cert_name_prefix=${2:-"server"}  # Default to "server" if not specified
     local cert_file_name="${cert_name_prefix}.cert"
     local key_file_name="${cert_name_prefix}.key"
 
-    # Generate certificate and key file if don't exists in the cert directory
+    # Generate certificate and key file if they don't exist in the cert directory
     local local_cert_file="${LOCAL_CERT_DIR}/${cert_file_name}"
     local local_key_file="${LOCAL_CERT_DIR}/${key_file_name}"
     if [[ ! -f "$local_cert_file" || ! -f "$local_key_file" ]]; then
         mkdir -p "$LOCAL_CERT_DIR"
-        echo "Generating SSL certificates in $LOCAL_CERT_DIR..."
+        echo "Generating certificates (${cert_name_prefix}) in $LOCAL_CERT_DIR..."
         OPENSSL_ERR=$(
             openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
                 -keyout "$local_key_file" \
@@ -844,12 +845,12 @@ function ensure_certificates() {
                 > /dev/null 2>&1
         )
         if [[ $? -ne 0 ]]; then
-            echo "Error generating SSL certificates: $OPENSSL_ERR"
+            echo "Error generating certificates: $OPENSSL_ERR"
             exit 1
         fi
         echo "Certificates generated successfully in $LOCAL_CERT_DIR."
     else
-        echo "Certificates already exist in $LOCAL_CERT_DIR."
+        echo "Certificates (${cert_name_prefix}) already exist in $LOCAL_CERT_DIR."
     fi
 
     # Copy the generated certificates to the specified directory
@@ -858,12 +859,12 @@ function ensure_certificates() {
 
     if [[ ! -f "$cert_file" || ! -f "$key_file" ]]; then
         mkdir -p "$cert_dir"
-        echo "Copying certificates to $cert_dir..."
+        echo "Copying certificates (${cert_name_prefix}) to $cert_dir..."
         cp "$local_cert_file" "$cert_file"
         cp "$local_key_file" "$key_file"
         echo "Certificates copied successfully to $cert_dir."
     else
-        echo "Certificates already exist in $cert_dir."
+        echo "Certificates (${cert_name_prefix}) already exist in $cert_dir."
     fi
 }
 
@@ -1005,11 +1006,12 @@ function run_backend() {
     local show_final_output=${1:-true}
 
     echo "=== Ensuring server certificates exist ==="
-    ensure_certificates "$BACKEND_DIR/$SECURITY_DIR"
+    ensure_certificates "$BACKEND_DIR/$SECURITY_DIR" "server"
+    ensure_certificates "$BACKEND_DIR/$SECURITY_DIR" "signing"
 
     echo "=== Ensuring sample app certificates exist ==="
-    ensure_certificates "$VANILLA_SAMPLE_APP_DIR"
-    ensure_certificates "$REACT_API_SAMPLE_APP_DIR"
+    ensure_certificates "$VANILLA_SAMPLE_APP_DIR" "server"
+    ensure_certificates "$REACT_API_SAMPLE_APP_DIR" "server"
 
     ensure_crypto_file "$BACKEND_DIR/$SECURITY_DIR"
 

install/helm/README.md

@@ -216,9 +216,17 @@ The following table lists the configurable parameters of the Thunder chart and t
 | `configuration.developerClient.path`              | Developer client base path                                                                            | `/develop`                 |
 | `configuration.developerClient.clientId`          | Developer client ID                                                                                   | `DEVELOP`   |
 | `configuration.developerClient.scopes`            | Developer client scopes                                                                               | `['openid', 'profile', 'email', 'system']` |
-| `configuration.security.certFile`                 | Server certificate file path                                                                          | `repository/resources/security/server.cert` |
-| `configuration.security.keyFile`                  | Server key file path                                                                                  | `repository/resources/security/server.key`  |
+| `configuration.tls.minVersion`                    | Minimum TLS version                                                                                   | `1.3`                        |
+| `configuration.tls.certFile`                      | Server TLS certificate file path                                                                          | `repository/resources/security/server.cert` |
+| `configuration.tls.keyFile`                       | Server TLS key file path                                                                                  | `repository/resources/security/server.key`  |
 | `configuration.crypto.encryption.key`             | Crypto encryption key (change the default key with a 32-byte (64 character) hex string in production) | `file://repository/resources/security/crypto.key` |
+| `configuration.crypto.passwordHashing.algorithm`  | Password hashing algorithm                                                                            | `PBKDF2`                     |
+| `configuration.crypto.passwordHashing.parameters.iterations` | Password hashing iterations                                                                | `600000`                     |
+| `configuration.crypto.passwordHashing.parameters.keySize`    | Password hashing key size                                                                  | `32`                         |
+| `configuration.crypto.passwordHashing.parameters.saltSize`   | Password hashing salt size                                                                 | `16`                         |
+| `configuration.crypto.keys[].id`                  | Signing key identifier                                                                                | `default-key`                |
+| `configuration.crypto.keys[].certFile`            | Signing certificate file path                                                                         | `repository/resources/security/signing.cert` |
+| `configuration.crypto.keys[].keyFile`             | Signing key file path                                                                                 | `repository/resources/security/signing.key`  |
 | `configuration.database.identity.type`            | Identity database type (postgres or sqlite)                                                           | `postgres`                   |
 | `configuration.database.identity.sqlitePath`      | SQLite database path (for sqlite only)                                                                | `repository/database/thunderdb.db` |
 | `configuration.database.identity.sqliteOptions`   | SQLite options (for sqlite only)                                                                      | `_journal_mode=WAL&_busy_timeout=5000` |
@@ -255,6 +263,7 @@ The following table lists the configurable parameters of the Thunder chart and t
 | `configuration.jwt.issuer`                        | JWT issuer (derived from server.publicUrl if not set)                                                 | derived                      |
 | `configuration.jwt.validityPeriod`                | JWT validity period in seconds                                                                        | `3600`                       |
 | `configuration.jwt.audience`                      | Default audience for auth assertions                                                                  | `application`                |
+| `configuration.jwt.preferredKeyId`                | Preferred key ID for signing JWTs (must match a key in configuration.crypto.keys)                     | `default-key`                |
 | `configuration.oauth.refreshToken.renewOnGrant`   | Renew refresh token on grant                                                                          | `false`                      |
 | `configuration.oauth.refreshToken.validityPeriod` | Refresh token validity period in seconds                                                              | `86400`                      |
 | `configuration.flow.defaultAuthFlowHandle`        | Default authentication flow handle                                                                    | `default-basic-flow`         |

install/helm/conf/deployment.yaml

@@ -35,6 +35,18 @@ tls:
 crypto:
   encryption:
     key: {{ .Values.configuration.crypto.encryption.key | quote }}
+  password_hashing:
+    algorithm: {{ .Values.configuration.crypto.passwordHashing.algorithm | quote }}
+    parameters:
+      iterations: {{ .Values.configuration.crypto.passwordHashing.parameters.iterations }}
+      key_size: {{ .Values.configuration.crypto.passwordHashing.parameters.keySize }}
+      salt_size: {{ .Values.configuration.crypto.passwordHashing.parameters.saltSize }}
+  keys:
+  {{- range .Values.configuration.crypto.keys }}
+    - id: {{ .id | quote }}
+      cert_file: {{ .certFile | quote }}
+      key_file: {{ .keyFile | quote }}
+  {{- end }}
 
 database:
   identity:
@@ -89,6 +101,7 @@ jwt:
   issuer: {{ .Values.configuration.jwt.issuer | quote }}
   validity_period: {{ .Values.configuration.jwt.validityPeriod }}
   audience: {{ .Values.configuration.jwt.audience | quote }}
+  preferred_key_id: {{ .Values.configuration.jwt.preferredKeyId | quote }}
 
 oauth:
   refresh_token:

install/helm/values.yaml

@@ -142,6 +142,16 @@ configuration:
     encryption:
       # WARNING: Replace the default key with a 32-byte (64 character) hex string in production deployments
       key: "file://repository/resources/security/crypto.key"
+    passwordHashing:
+      algorithm: "PBKDF2"
+      parameters:
+        iterations: 600000
+        keySize: 32
+        saltSize: 16
+    keys:
+      - id: "default-key"
+        certFile: "repository/resources/security/signing.cert"
+        keyFile: "repository/resources/security/signing.key"
 
   # Database configuration
   database:
@@ -208,6 +218,8 @@ configuration:
   jwt:
     validityPeriod: 3600
     audience: "application"
+    # This must match the key ID defined in the crypto.keys section
+    preferredKeyId: "default-key"
 
   # OAuth configuration
   oauth: