feat(sdk): custom assertion provider #2687
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implement pluggable assertion signing and validation providers to enable integration with external signing mechanisms like HSMs, smart cards (CAC/PIV), and cloud KMS services. ## What's New ### Core Interfaces - Add `AssertionSigningProvider` interface for custom signing implementations - Add `AssertionValidationProvider` interface for custom validation logic - Maintain full backward compatibility with existing DEK-based assertions ### Built-in Providers - `DefaultSigningProvider/DefaultValidationProvider`: Existing DEK-based behavior - `X509SigningProvider/X509ValidationProvider`: X.509 certificate support with x5c headers - `PKCS11Provider`: Template for hardware token integration ### SDK Integration - Add `WithAssertionSigningProvider()` option for TDF creation - Add `WithReaderAssertionValidationProvider()` option for TDF reading - Automatically fall back to default providers when none specified ### Examples - Add comprehensive assertion CLI commands (sign, verify, list) - Support reading assertions from TDF files - Add `--x509-verify` flag to decrypt command for X.509 validation ## Technical Details The implementation follows a provider pattern that allows developers to: 1. Supply custom signing logic while maintaining SDK compatibility 2. Integrate with hardware security modules and smart cards 3. Use X.509 certificates for identity-based assertions 4. Maintain complete backward compatibility with existing code All providers use the standard SDK assertion binding (`assertionHash` and `assertionSig` claims) ensuring full interoperability between tools. ## Testing - Added provider interface tests with mock implementations - Added X.509 provider tests with self-signed certificates - Verified interoperability with otdfctl-created TDFs - Tested backward compatibility with existing assertions
github-actions
bot
added
comp:sdk
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Enhance `--magic-word` handling with a more robust assertion provider setup, including default validation using `NoopAssertionValidationProvider` and state-aware `MagicWordAssertionProvider`.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
… command Streamline assertion provider integration: - Remove unnecessary comments and redundant field (`AssertionProvider`) in `MagicWordAssertionProvider`. - Adjust `WithAssertionProviderFactory` to use a pointer for consistency. - Update regex in `decrypt.go` for precise assertion matching.
Streamline SDK by removing unused `assertion_binding.go`, including obsolete legacy binding logic and functions for TDF assertion handling.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…c key signing providers Transition to `PublicKeySigningProvider`, replacing `DefaultSigningProvider` for consistent key-based signing. Introduce `SystemMetadataAssertionProvider` for system metadata handling. Refine assertion provider mechanism in SDK and CLI examples.
Introduce `Verify` method in `Assertion` to validate binding signatures. Update `AssertionProvider` and `Reader` interfaces to support enhanced validation mechanisms. Replace obsolete aggregate hash logic with root signature for assertion binding. Simplify and extend implementation for better clarity and modularity.
…y-based assertions Transition `PayloadKeyProvider` to `PublicKeySigningProvider` for key-based assertions. Introduce `KeyAssertionProvider` for improved assertion setup. Update related interfaces and examples to use RSA keys for signing and validation. Streamline CLI commands for flexible assertion provider setup.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement pluggable assertion signing and validation providers to enable integration with external signing mechanisms like HSMs, smart cards (CAC/PIV), and cloud KMS services.
What's New
Core Interfaces
AssertionSigningProviderinterface for custom signing implementationsAssertionValidationProviderinterface for custom validation logicBuilt-in Providers
DefaultSigningProvider/DefaultValidationProvider: Existing DEK-based behaviorX509SigningProvider/X509ValidationProvider: X.509 certificate support with x5c headersPKCS11Provider: Template for hardware token integrationSDK Integration
WithAssertionSigningProvider()option for TDF creationWithReaderAssertionValidationProvider()option for TDF readingExamples
--x509-verifyflag to decrypt command for X.509 validationTechnical Details
The implementation follows a provider pattern that allows developers to:
All providers use the standard SDK assertion binding (
assertionHashandassertionSigclaims) ensuring full interoperability between tools.Testing
Proposed Changes
Checklist
Testing Instructions