Edit this page | Blame

Generating Key-Pairs

Tags

  • type: documentation
  • keywords: doc, documentation, gn-auth, key-pair, jwt

Generating the Key-Pair

If openssl is not present on your system, you need to get it. You can either install it with your package manager, or if you are using GNU Guix, you can do something like:

$ guix shell --container --network --share=</path/to/key-pair/storage/directory> openssl

where </path/to/key-pair/storage/directory> is where you will store the key-pairs.

Now we can generate a private key (2048-bit RSA key) with:

[env] $ openssl genrsa -out </path/to/key-pair/storage/directory>/private.pem 2048

and the public key with:

[env] $ openssl rsa \
      -in </path/to/key-pair/storage/directory>/private.pem \
      -outform PEM \
      -pubout \
      -out </path/to/key-pair/storage/directory>/public.pem

**NOTE**: You can store the public key separately from the private key. In that case, you'd have to have something like:

$ guix shell --container --network \
  --share=</path/to/public-key/storage/directory> \
  --share=</path/to/private-key/storage/directory> \
  openssl

and run the generation commands above with the appropriate directories in mind.

Configuring Services

Now we need to configure the various services to make use of the key-pair.

Clients

Each client (e.g. GN2, gn-uploader, etc.) should have its own private key. This private key is used in signing the initial token assertions. These assertions are then sent to the authorisation server to get the authorisation token.

Each client will also need the authorisation server's public key, to verify that the authorisation token(s) received is/are actually from the server and have not been modified.

In that respect, we can, for example have the following example config for GN2

# gn2.conf
︙
AUTH_SERVER_SSL_PUBLIC_KEY "</path/to/auth/server/public-key.pem>"
SSL_PRIVATE_KEY = "</path/to/client/private-key/storage/directory>/private.pem"
︙

Authorization Server

The authorisation server (gn-auth) needs its own private key to sign any authorisation token it generates.

It also needs access to the public keys from all registered clients.

In that respect, we can have a configuration such as:

# gn-auth.conf
︙
CLIENTS_SSL_PUBLIC_KEYS_DIR = "</path/to/clients/public-keys/storage/directory>"
SSL_PRIVATE_KEY = "</path/to/auth/private-key/storage/directory>/private.pem"
︙

The `CLIENTS_SSL_PUBLIC_KEYS_DIR` directory should be writable since that is where the server will put the keys for any registered client.

Exposing the Key-Pairs to Guix shell/container

The generated keys above do not need to be modified within the running application, so we will use the "--expose" option e.g.

$ guix system container \
  ︙
  --expose=</path/to/key-pair/storage/directory> \
  ︙

or if you stored the keys separately:

$ guix system container \
  ︙
  --expose=</path/to/public-key/storage/directory> \
  --expose=</path/to/private-key/storage/directory> \
  ︙

To make this easy, and since each client can (and should) have a different private key, we can put these keys in the same directory as the secrets, and simply allow access to that. Each service within the guix container can then have access to the relevant key(s) as appropriate.

(made with skribilo)