[
https://issues.apache.org/jira/browse/FINERACT-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17133813#comment-17133813
]
Manoj edited comment on FINERACT-1034 at 6/12/20, 12:40 AM:
------------------------------------------------------------
[~vorburger], First of all, This is a proposal for an infra level change for
bringing in the capability of RSA encryption to system, and it is Futuristic. I
have encountered some instances where the request body in an API need to be
encrypted from the source. (An Example for this is can be a guideline on
`Authentication api` to encrypt username and password right from the source).
For this the client can request for an RSA public key from the server. Server
creates a key pair and stores it, while returning the public key(with a random
string named version).
The key can be marked to a particular `type`(purpose), as in our case it can be
"authentication" or "general". (Other such types can be `biometric` or
`transaction`)
For each tenant the keyPair is stored in memory with this `type`. Also these
key pairs are self expiring. the expire time can be configured in global
configuration with a key name `"enc-key-" + type + "-valid-upto-seconds"` or
else key will expire automatically only when the server is restarted.
Every time when the client request for a public key, Server checks for a valid
key in the store, and if not found, creates new.
Now when the client has the public key, it can encrypt the request body with
this public key and send the encrypted block with the version of the public
key. Server retrieves active key from the store and validates the version
before decrypting(not included in this PR). The decryption method is added to
the PR
edit: I am supposed to add a doc on this feature, i know
was (Author: fynmanoj):
[~vorburger], First of all, This is a proposal for an infra level change for
bringing in the capability of RSA encryption to system, and it is Futuristic. I
have encountered some instances where the request body in an API need to be
encrypted from the source. (An Example for this is can be a guideline on
`Authentication api` to encrypt username and password right from the source).
For this the client can request for an RSA public key from the server. Server
creates a key pair and stores it, while returning the public key(with a random
string named version).
The key can be marked to a particular `type`(purpose), as in our case it can be
"authentication" or "general". (Other such types can be `biometric` or
`transaction`)
For each tenant the keyPair is stored in memory with this `type`. Also these
key pairs are self expiring. the expire time can be configured in global
configuration with a key name `"enc-key-" + type + "-valid-upto-seconds"` or
else key will expire automatically only when the server is restarted.
Every time when the client request for a public key, Server checks for a valid
key in the store, and if not found, creates new.
Now when the client has the public key, it can encrypt the request body with
this public key and send the encrypted block with the version of the public
key. Server retrieves active key from the store and validates the version
before decrypting(not included in this PR). The decryption method is added to
the PR
> RSA Encryption
> --------------
>
> Key: FINERACT-1034
> URL: https://issues.apache.org/jira/browse/FINERACT-1034
> Project: Apache Fineract
> Issue Type: Improvement
> Reporter: Manoj
> Assignee: Manoj
> Priority: Minor
> Fix For: 1.4.0
>
>
> Add RSA key generation API and decryption infra for requests that require
> encryption from source such as biometric, authentication etc.. Also create a
> self expiring keystore
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
