From 60aa1b721ee56e304481872237d537f6e49500f5 Mon Sep 17 00:00:00 2001
From: Henry Avetisyan
Date: Tue, 2 Jul 2024 19:31:14 -0700
Subject: [PATCH] separate key algorithm setting for instance provider

Signed-off-by: Henry Avetisyan
---
 servers/zts/conf/zts.properties | 5 +++++
 .../zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java | 1 +
 servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/servers/zts/conf/zts.properties b/servers/zts/conf/zts.properties
index 82e7a48a3ad..09e4957ed14 100644
--- a/servers/zts/conf/zts.properties
+++ b/servers/zts/conf/zts.properties
@@ -708,6 +708,11 @@ athenz.zts.cert_signer_factory_class=com.yahoo.athenz.zts.cert.impl.SelfCertSign
 # to the plugins if they require the server's private key
 #athenz.zts.key_algo_plugins=EC
 
+# If the ZTS has both EC and RSA private keys defined, then this setting
+# specifies the preferred algorithm for the private key to be passed
+# to the instance provider plugins if they require the server's private key
+#athenz.zts.key_instance_providers=EC
+
 # this property specifies the audience field to be used while requesting id token from the OIDC provider
 # id_token has to be specifically requested for the below-mentioned audience
 #athenz.zts.k8s_provider_attestation_expected_audience=
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
index 86c3209590f..aca63631156 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
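Review bot: The documented property name in the zts.properties hunk, `#athenz.zts.key_instance_providers=EC`, does not match the key the server actually reads, which the ZTSConsts hunk defines as `athenz.zts.key_algo_instance_providers`. An operator who uncomments the documented line gets no error: the ZTSImpl loadConfigurationSettings hunk falls back to the key_algo_plugins value, so the instance providers would silently receive a key of an algorithm other than the one configured. Change the example line to `#athenz.zts.key_algo_instance_providers=EC`, which also keeps the name consistent with the neighbouring `key_algo_*` settings. It would help to state the default in the comment, e.g. `# defaults to the value of athenz.zts.key_algo_plugins`, since that fallback is not mentioned anywhere in the properties file.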
@@ -270,6 +270,7 @@ public final class ZTSConsts {
     public static final String ZTS_PROP_KEY_ALGO_JSON_WEB_OBJECTS = "athenz.zts.key_algo_json_web_objects";
     public static final String ZTS_PROP_KEY_ALGO_PROPRIETARY_OBJECTS = "athenz.zts.key_algo_proprietary_objects";
     public static final String ZTS_PROP_KEY_ALGO_PLUGINS = "athenz.zts.key_algo_plugins";
+    public static final String ZTS_PROP_KEY_ALGO_INSTANCE_PROVIDERS = "athenz.zts.key_algo_instance_providers";
 
     public static final String ZTS_PROP_GCP_WORKLOAD_POOL_NAME = "athenz.zts.gcp_workload_pool_name";
     public static final String ZTS_PROP_GCP_WORKLOAD_PROVIDER_NAME = "athenz.zts.gcp_workload_provider_name";
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
index 677b374ee43..f636dd9b7de 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
@@ -126,6 +126,7 @@ public class ZTSImpl implements KeyStore, ZTSHandler {
     protected String keyAlgoForJsonWebObjects;
     protected String keyAlgoForProprietaryObjects;
     protected String keyAlgoForPlugins;
+    protected String keyAlgoForInstanceProviders;
     protected PrivateKeyStore privateKeyStore = null;
     protected HostnameResolver hostnameResolver = null;
     protected int roleTokenDefaultTimeout;
@@ -361,7 +362,7 @@ public ZTSImpl(CloudStore implCloudStore, DataStore implDataStore) {
         instanceProviderManager = new InstanceProviderManager(dataStore,
                 ZTSUtils.getAthenzServerSSLContext(privateKeyStore),
                 ZTSUtils.getAthenzProviderClientSSLContext(privateKeyStore),
-                getServerPrivateKey(keyAlgoForPlugins), this, authorizer, this);
+                getServerPrivateKey(keyAlgoForInstanceProviders), this, authorizer, this);
 
         // make sure to set the keystore for any instance that requires it
@@ -558,6 +559,7 @@ void loadConfigurationSettings() {
         keyAlgoForJsonWebObjects = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_JSON_WEB_OBJECTS, ZTSConsts.EC).toUpperCase();
         keyAlgoForProprietaryObjects = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_PROPRIETARY_OBJECTS, ZTSConsts.EC).toUpperCase();
         keyAlgoForPlugins = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_PLUGINS, ZTSConsts.EC).toUpperCase();
+        keyAlgoForInstanceProviders = System.getProperty(ZTSConsts.ZTS_PROP_KEY_ALGO_INSTANCE_PROVIDERS, keyAlgoForPlugins).toUpperCase();
 
         // check to see if we want to disable allowing clients to ask for role
         // tokens without role name thus violating the least privilege principle
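Review bot: The added line defaults the new setting to `keyAlgoForPlugins` rather than to `ZTSConsts.EC` like its three neighbours, which is a deliberate compatibility choice but an unstated one, and it makes the assignment order-dependent on the line above it. A one-line comment would keep a future reorder from silently changing the default: `// default to the plugin key algorithm so deployments that only configure key_algo_plugins keep their current behaviour`. Like the neighbouring lines, the value is uppercased with the default locale; `toUpperCase(Locale.ROOT)` would make the comparison locale-independent, though changing only the new line would leave the four lines inconsistent. Whether a value other than EC or RSA is rejected depends on getServerPrivateKey, which is not in the hunk, so that is worth confirming. loadConfigurationSettings begins and ends outside this hunk.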