Sunbird-RC / community

Repo to enable discussions, issue tracking & documentation for the Sunbird-RC projects
MIT License

[BUG]: Keys for signing credentials are stored publicly in the repository #238

Open gamemaker1 opened 2 years ago

gamemaker1 commented 2 years ago

What is the bug related to?

Registry Core

What went wrong?

The public and private keys used to sign the issued credentials are part of the public repo here and here.

What did you expect to see?

Keeping the private key public in the repo can result in its misuse to sign credentials that might not have been actually issued by someone.

Additional Context

To fix the issue, we could follow these steps:

@dileepbapat @pramodkvarma @tejash-jl

pramodkvarma commented 2 years ago

Very critical to take private keys out and manage them safely. Thanks for bringing this up @gamemaker1.

dileepbapat commented 2 years ago

@gamemaker1 These keys are there for e2e tests/demo, and actual implementation images configure the key type and keys separately. However, there is a card for supporting multiple keys, and rotation is on the board. With that feature, key management will use a secret management tool like Vault.

pramodkvarma commented 2 years ago

That's good to know @dileepbapat. Thanks.

Yes, it would be nice to have someone take up those pending items.

@parthlawate can you add these items to the feature list doc so that we can use that to prioritise etc.? Ideally use GitHub projects to manage these so that it's openly visible to the community. Can you please coordinate with Rajeesh? Thanks.

gamemaker1 commented 2 years ago

These keys are there for e2e test/demo and actual implementation images are configuring key type and keys separately.

That is good to hear. Is it still possible to remove the hard-coded key pairs and randomly generate a new pair every time the tests are run?

Also, in the two Makefiles for the certificate-signer and certificate-api modules, the config/keys.js.sample file is copied to config/keys.js and then published as part of the container image to Docker. If someone does not provide their own keypair, the services will still issue certificates signed with the demo private key. Could we change this to force users to provide their own keys while running these services? I'll be happy to create a PR for the same.

parthlawate commented 2 years ago

@pramodkvarma Yes, we have Rajeesh now on the standup calls we have every other day. A lot of these backlog items are being tracked here: https://github.com/orgs/Sunbird-RC/projects/3 (that's the board Dilip mentioned above)

We will use the document I shared the other day and collaborate for the initial few days, and then convert it to a public roadmap board on GitHub.