[ https://issues.apache.org/jira/browse/FINERACT-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17133813#comment-17133813 ]
Manoj edited comment on FINERACT-1034 at 6/12/20, 12:40 AM: ------------------------------------------------------------ [~vorburger], First of all, This is a proposal for an infra level change for bringing in the capability of RSA encryption to system, and it is Futuristic. I have encountered some instances where the request body in an API need to be encrypted from the source. (An Example for this is can be a guideline on `Authentication api` to encrypt username and password right from the source). For this the client can request for an RSA public key from the server. Server creates a key pair and stores it, while returning the public key(with a random string named version). The key can be marked to a particular `type`(purpose), as in our case it can be "authentication" or "general". (Other such types can be `biometric` or `transaction`) For each tenant the keyPair is stored in memory with this `type`. Also these key pairs are self expiring. the expire time can be configured in global configuration with a key name `"enc-key-" + type + "-valid-upto-seconds"` or else key will expire automatically only when the server is restarted. Every time when the client request for a public key, Server checks for a valid key in the store, and if not found, creates new. Now when the client has the public key, it can encrypt the request body with this public key and send the encrypted block with the version of the public key. Server retrieves active key from the store and validates the version before decrypting(not included in this PR). The decryption method is added to the PR edit: I am supposed to add a doc on this feature, i know was (Author: fynmanoj): [~vorburger], First of all, This is a proposal for an infra level change for bringing in the capability of RSA encryption to system, and it is Futuristic. I have encountered some instances where the request body in an API need to be encrypted from the source. (An Example for this is can be a guideline on `Authentication api` to encrypt username and password right from the source). For this the client can request for an RSA public key from the server. Server creates a key pair and stores it, while returning the public key(with a random string named version). The key can be marked to a particular `type`(purpose), as in our case it can be "authentication" or "general". (Other such types can be `biometric` or `transaction`) For each tenant the keyPair is stored in memory with this `type`. Also these key pairs are self expiring. the expire time can be configured in global configuration with a key name `"enc-key-" + type + "-valid-upto-seconds"` or else key will expire automatically only when the server is restarted. Every time when the client request for a public key, Server checks for a valid key in the store, and if not found, creates new. Now when the client has the public key, it can encrypt the request body with this public key and send the encrypted block with the version of the public key. Server retrieves active key from the store and validates the version before decrypting(not included in this PR). The decryption method is added to the PR > RSA Encryption > -------------- > > Key: FINERACT-1034 > URL: https://issues.apache.org/jira/browse/FINERACT-1034 > Project: Apache Fineract > Issue Type: Improvement > Reporter: Manoj > Assignee: Manoj > Priority: Minor > Fix For: 1.4.0 > > > Add RSA key generation API and decryption infra for requests that require > encryption from source such as biometric, authentication etc.. Also create a > self expiring keystore -- This message was sent by Atlassian Jira (v8.3.4#803005)