-
Notifications
You must be signed in to change notification settings - Fork 211
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Member recovery shares encryption with RSA-OAEP-256 #1841
Conversation
This has been tested manually with AKV and the steps to wrap/unwrap a key are available here: #1720 (comment). The unwrapping operation is performed by the |
rsa_encryption@14965 aka 20201030.15 vs master ewma over 50 builds from 14436 to 14954 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
API schema needs to be updated
Resolves #1720
Member recovery shares are now encrypted in the
public:ccf.shares
table with RSA, using (as opposed to NaCl's crypto box).This has the following implications:
submit_recovery_share.sh
script has been updated andstep-cli
is no longer required (openssl
does RSA-OAEP-256 key unwrapping fine).RSAKeyPair
class that can be used for unwrapping and correspondingRSAPublicKey
for unwrapping (seetls/rsa_key_pair.h
).Also:
keyshare
in thepublic:ccf.members
table toencryption_pub_key
, as the previous name was confusing.Next:
js_generic.cpp
to use newtls::RSAPublicKey
to wrap keys.