
Commit d37a542

Merge pull request #56 from tong-canonical/reference_cryptography_add_more_info
cryptography.md: add more information about the various cryptographic operations.
2 parents 1d1b3a3 + 71164dd commit d37a542

File tree

2 files changed: +23 −6 lines changed


.wordlist.txt

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -29,6 +29,7 @@ LTS
2929
Makefile
3030
Matrix
3131
Mattermost
32+
microk
3233
MyST
3334
namespace
3435
namespaces
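Review bot: the new entry `microk` added at diff line 32 is only a fragment of the term the documentation actually uses, which is `microk8s` (see the en/cryptography.md hunk in this same commit). Unless the spell-checker is known to split tokens on digits, consider adding `microk8s` instead, so the identifier is accepted as written and the wordlist does not carry a word that appears nowhere in the docs.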

en/cryptography.md

Lines changed: 22 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -1,12 +1,28 @@
11
# Cryptography
22

33
Various Cryptographic technologies are used to enable secure Snap Store Proxy operation.
4-
Below is an outline of the various functions that use cryptographic technologies,
4+
Below are the functionalities of the Snap Store Proxy that use cryptographic technologies,
55
and the details of the cryptographic technologies used.
66

7+
- **Signing assertions**: the Snap Store Proxy signs various
8+
[assertions](https://ubuntu.com/core/docs/reference/assertions).
9+
The key ID of the signing key is encoded with SHA3-384, and the assertion is signed with RSA.
10+
11+
- **Hash of artefacts**: the Snap Store Proxy generates many hashes of an uploaded artefact
12+
using SHA3-384, SHA256 and SHA512 to ensure the uniqueness and integrity of the artefact.
13+
14+
- **OCI charm resources credentials**: an OCI runtime
15+
(e.g. [microk8s](https://microk8s.io/docs)) must authenticate against the Snap Store Proxy
16+
in order to download the OCI [charm resources](https://juju.is/docs/juju/charm-resource).
17+
The credentials are encoded as JWT that are signed with RSA.
18+
19+
- **Signing nonce**: A nonce is used as additional security for REST API access.
20+
RSA is used to sign and verify the nonce.
21+
22+
723
| Function | Exposed | Technology | Package/Library |
8-
|------------------------------|---------|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
9-
| Signing assertions | Yes | SHA3-384, RSA 4096/8192 | [snapd](https://github.com/canonical/snapd), [lp-signing](https://launchpad.net/lp-signing) |
10-
| Hash of artefacts | Yes | SHA3-384, SHA256, SHA512 | [review-tools](https://launchpad.net/review-tools) |
11-
| OCI charm resources password | Yes | RSA 4096, JWT | [cryptography](https://github.com/pyca/cryptography), [pyjwt](https://github.com/jpadilla/pyjwt), [py-macaroon-bakery](https://github.com/go-macaroon-bakery/py-macaroon-bakery) |
12-
| Nonce signing | Yes | RSA 4096 | [cryptography](https://github.com/pyca/cryptography), [pem](https://github.com/hynek/pem) |
24+
|---------------------------------|---------|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
25+
| Signing assertions | Yes | SHA3-384, RSA 4096/8192 | [snapd](https://github.com/canonical/snapd), [lp-signing](https://launchpad.net/lp-signing) |
26+
| Hash of artefacts | Yes | SHA3-384, SHA256, SHA512 | [review-tools](https://launchpad.net/review-tools) |
27+
| OCI charm resources credentials | Yes | RSA 4096, JWT | [cryptography](https://github.com/pyca/cryptography), [pyjwt](https://github.com/jpadilla/pyjwt), [py-macaroon-bakery](https://github.com/go-macaroon-bakery/py-macaroon-bakery) |
28+
| Signing nonce | Yes | RSA 4096 | [cryptography](https://github.com/pyca/cryptography), [pem](https://github.com/hynek/pem) |
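Review bot: the four new bullets (diff lines 7 to 20) are less precise than the table they introduce: each says only "RSA", while the table states the key sizes (RSA 4096/8192 for assertions, RSA 4096 for the JWT credentials and the nonce). Mirror the sizes in the bullets so the two halves of the page agree. On wording: "The key ID of the signing key is encoded with SHA3-384" (diff line 9) describes a digest, so "derived using SHA3-384" is the accurate verb; "encoded as JWT that are signed with RSA" (diff line 17) should be "encoded as JWTs signed with RSA"; and "A nonce is used as additional security for REST API access" (diff line 19) names no property, so say what it provides, which for a nonce is normally preventing a signed request from being accepted twice. Minor: "many hashes" (diff line 11) where the text then lists exactly three algorithms, "A nonce" capitalised after the colon while the other bullets continue in lowercase, and the untouched context line "Various Cryptographic technologies" could lose its stray capital while this paragraph is being edited.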
