Netcentric / accesscontroltool

Rights and roles management for AEM made easy
Eclipse Public License 1.0

Support creating keystores for users #387

Status: closed (kwin closed this issue 4 years ago)

kwin commented 4 years ago

Proposal

Support adding x private/public key pairs to a user's keystore in PKCS#8 format (encrypted, PEM)

The user config object would allow one more complex key named keys. Each key consists of a name = alias and two fields called key and passphrase. key will contain the PEM-encoded PKCS#8 encrypted key and passphrase the passphrase to decode the encrypted key. The passphrase itself is encrypted with the AEM master key.

Implementation

When installing such a user

  1. a keystore is implicitly created (if it is not yet there) via https://helpx.adobe.com/experience-manager/6-2/sites/developing/using/reference-materials/javadoc/com/adobe/granite/keystore/KeyStoreService.html#createKeyStore(org.apache.sling.api.resource.ResourceResolver,%20java.lang.String,%20char[]) (with a random password)
  2. the keys from the YAML are installed in that keystore leveraging the password that is also set in the YAML in encrypted form (encrypted with the master key of that instance). This should be achievable with Java JRE classes only: https://stackoverflow.com/a/32397843.

Private keys are as sensitive as passwords and should therefore never be stored in an unencrypted form in some source code management. PKCS#8 supports multiple encryptions (https://tools.ietf.org/html/rfc5208#page-4).

Background

Right now creating keystores for (system) users is complicated as they are encrypted with a password. This password is stored in an encrypted form in the property <user>/keystore/keystorePassword. When leveraging regular content packages, each instance having a dedicated Crypto master key requires a dedicated property. Therefore it would be nice if the run mode support from the actool could be leveraged to ease creating keystores for e.g. system users. This is relevant for the AEM SAML Authentication handler as well as for the Adobe Launch AEM Integration and probably others in the future.
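A worked example of step 2 of the implementation sketch, added here and not part of the issue or of the accesscontroltool code base: it round-trips an encrypted PKCS#8 PEM private key using JRE classes only. The class name, the PBE scheme used to produce the sample PEM, the passphrase and the generated RSA pair are constructed for the demo; AEM master-key handling of the passphrase is out of scope.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Round trip of an encrypted PKCS#8 (RFC 5208) PEM private key with JRE classes only; no AEM API involved. */
public final class EncryptedPkcs8Demo {
    private static final String LABEL = "ENCRYPTED PRIVATE KEY";
    // PBES2 scheme used only to produce the sample PEM; decryption reads the scheme from the blob itself
    private static final String PBE_ALG = "PBEWithHmacSHA256AndAES_256";

    /** Encrypts a private key under a passphrase and PEM-armours it, i.e. the value that would go into the YAML. */
    static String toEncryptedPem(PrivateKey key, char[] passphrase) throws GeneralSecurityException, IOException {
        SecretKey pbeKey = SecretKeyFactory.getInstance(PBE_ALG).generateSecret(new PBEKeySpec(passphrase));
        Cipher cipher = Cipher.getInstance(PBE_ALG);
        cipher.init(Cipher.ENCRYPT_MODE, pbeKey);   // SunJCE picks a random salt and IV here
        byte[] der = new EncryptedPrivateKeyInfo(cipher.getParameters(), cipher.doFinal(key.getEncoded())).getEncoded();
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + LABEL + "-----\n" + body + "\n-----END " + LABEL + "-----\n";
    }

    /** Decrypts the PEM with the passphrase; scheme, salt, iteration count and IV all come from the PKCS#8 structure. */
    static PrivateKey fromEncryptedPem(String pem, char[] passphrase, String keyAlgorithm)
            throws GeneralSecurityException, IOException {
        String body = pem.replace("-----BEGIN " + LABEL + "-----", "").replace("-----END " + LABEL + "-----", "").replaceAll("\\s", "");
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(Base64.getDecoder().decode(body));
        // a PBES2 blob names the scheme only generically; the concrete PRF/cipher pair is encoded in its parameters
        String pbeName = "PBES2".equals(epki.getAlgName()) ? epki.getAlgParameters().toString() : epki.getAlgName();
        SecretKey pbeKey = SecretKeyFactory.getInstance(pbeName).generateSecret(new PBEKeySpec(passphrase));
        Cipher cipher = Cipher.getInstance(pbeName);
        cipher.init(Cipher.DECRYPT_MODE, pbeKey, epki.getAlgParameters());
        return KeyFactory.getInstance(keyAlgorithm).generatePrivate(epki.getKeySpec(cipher));
    }

    public static void main(String[] args) throws Exception {
        KeyPair pair = KeyPairGenerator.getInstance("RSA").generateKeyPair();   // stand-in for the pair the YAML carries
        char[] passphrase = "constructed-passphrase".toCharArray();           // in AEM this value is master-key encrypted
        String pem = toEncryptedPem(pair.getPrivate(), passphrase);
        PrivateKey restored = fromEncryptedPem(pem, passphrase, "RSA");
        // prove the restored key is the original: sign with it and verify with the public half of the generated pair
        byte[] msg = "check".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(restored); sig.update(msg); byte[] signature = sig.sign();
        sig.initVerify(pair.getPublic()); sig.update(msg);
        System.out.println("signature verifies with restored key: " + sig.verify(signature));
    }
}
```

KeyStore.setKeyEntry requires a certificate chain for a PrivateKey entry, so a bare public key from the YAML has to be wrapped in a certificate before the pair can be stored in the user's keystore.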

ghenzler commented 4 years ago

@kwin would you like to propose a syntax for this feature?

kwin commented 4 years ago

The proposal documentation is outlined in https://github.com/Netcentric/accesscontroltool/pull/401/files#diff-7b182d5ba2fea830f66aca8de9366067. What is still missing is support for PKCS#10 Certificate Requests (https://tools.ietf.org/html/rfc7468#section-7), which can be used instead of public keys and are used together with Adobe IO (https://docs.adobe.com/content/help/en/experience-manager-learn/foundation/authentication/set-up-public-private-keys-for-use-with-aem-and-adobe-io.html).

ghenzler commented 4 years ago

@kwin So the PR is merged, IMHO it would be good to add more documentation to [1]:

[1] https://github.com/Netcentric/accesscontroltool/blob/develop/docs/Configuration.md#configuration-of-keys

kwin commented 4 years ago

@ghenzler The approach on how keys are generated depends on the system for which the keys are used. This is documented for Adobe Launch/IO in https://docs.adobe.com/content/help/en/experience-manager-learn/foundation/authentication/set-up-public-private-keys-for-use-with-aem-and-adobe-io.html. For SAML the approach usually is that you receive a private key from the SAML server administrator (https://helpx.adobe.com/experience-manager/6-5/sites/administering/using/saml-2-0-authenticationhandler.html#AddtheServiceProviderkeyandcertificatechaintotheAEMkeystore). Different master keys per env require relying on run mode specific configs. But this is not specific to the keystore. The same is true e.g. for regular users with passwords.

ghenzler commented 4 years ago

@kwin Thanks for improving the documentation via 54179b6aa0ce and 6e69159ce390