-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #56 from tong-canonical/reference_cryptography_add…
…_more_info cryptography.md: add more information about the various cryptographic operations.
- Loading branch information
Showing
2 changed files
with
23 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -29,6 +29,7 @@ LTS | |
| Makefile | ||
| Matrix | ||
| Mattermost | ||
| microk | ||
| MyST | ||
| namespace | ||
| namespaces | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,12 +1,28 @@ | ||
| # Cryptography | ||
|
|
||
| Various Cryptographic technologies are used to enable secure Snap Store Proxy operation. | ||
| Below is an outline of the various functions that use cryptographic technologies, | ||
| Below are the functionalities of the Snap Store Proxy that use cryptographic technologies, | ||
| and the details of the cryptographic technologies used. | ||
|
|
||
| - **Signing assertions**: the Snap Store Proxy signs various | ||
| [assertions](https://ubuntu.com/core/docs/reference/assertions). | ||
| The key ID of the signing key is encoded with SHA3-384, and the assertion is signed with RSA. | ||
|
|
||
| - **Hash of artefacts**: the Snap Store Proxy generates many hashes of an uploaded artefact | ||
| using SHA3-384, SHA256 and SHA512 to ensure the uniqueness and integrity of the artefact. | ||
|
|
||
| - **OCI charm resources credentials**: an OCI runtime | ||
| (e.g. [microk8s](https://microk8s.io/docs)) must authenticate against the Snap Store Proxy | ||
| in order to download the OCI [charm resources](https://juju.is/docs/juju/charm-resource). | ||
| The credentials are encoded as JWT that are signed with RSA. | ||
|
|
||
| - **Signing nonce**: A nonce is used as additional security for REST API access. | ||
| RSA is used to sign and verify the nonce. | ||
|
|
||
|
|
||
| | Function | Exposed | Technology | Package/Library | | ||
| |------------------------------|---------|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | Signing assertions | Yes | SHA3-384, RSA 4096/8192 | [snapd](https://github.com/canonical/snapd), [lp-signing](https://launchpad.net/lp-signing) | | ||
| | Hash of artefacts | Yes | SHA3-384, SHA256, SHA512 | [review-tools](https://launchpad.net/review-tools) | | ||
| | OCI charm resources password | Yes | RSA 4096, JWT | [cryptography](https://github.com/pyca/cryptography), [pyjwt](https://github.com/jpadilla/pyjwt), [py-macaroon-bakery](https://github.com/go-macaroon-bakery/py-macaroon-bakery) | | ||
| | Nonce signing | Yes | RSA 4096 | [cryptography](https://github.com/pyca/cryptography), [pem](https://github.com/hynek/pem) | | ||
| |---------------------------------|---------|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | Signing assertions | Yes | SHA3-384, RSA 4096/8192 | [snapd](https://github.com/canonical/snapd), [lp-signing](https://launchpad.net/lp-signing) | | ||
| | Hash of artefacts | Yes | SHA3-384, SHA256, SHA512 | [review-tools](https://launchpad.net/review-tools) | | ||
| | OCI charm resources credentials | Yes | RSA 4096, JWT | [cryptography](https://github.com/pyca/cryptography), [pyjwt](https://github.com/jpadilla/pyjwt), [py-macaroon-bakery](https://github.com/go-macaroon-bakery/py-macaroon-bakery) | | ||
| | Signing nonce | Yes | RSA 4096 | [cryptography](https://github.com/pyca/cryptography), [pem](https://github.com/hynek/pem) | |