Closed divergentdave closed 1 year ago
I previously wrote up https://github.com/divviup/janus/issues/528 which addresses one of the use cases you describe here, but I like how your proposal helps with the case of distributing keys to collectors.
Done in #1116, follow-up improvements are tracked in #1182.
I think we should write a small CLI tool to generate HPKE keypairs, and output the HPKE config and private key material in the formats Janus expects them. This would simplify the process of manual task provisioning, especially with regards to the collector keypair. Previously, we have written ad-hoc code to help construct task definitions. Providing a keygen tool allows us to ask early partners to generate their own collector private key, and send us the public key/HPKE config. The
janus_messages
crate would be a good home for this, as another binary alongsidedap_decode
.This should take in command line arguments (via clap) for the algorithm choices and HPKE config ID, and output the resulting
HpkeConfig
andHpkePrivateKey
as both YAML documents, for use in Janus task definition files, and as encoded DAP messages, in base64url, for use with thecollect
CLI. We could write all four representations to standard output, separated by---
YAML document separators, and annotated with comments.