wohaph / keyczar

Automatically exported from code.google.com/p/keyczar

Provide a good way to manage key sets programmatically #81

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I think it's by design, but right now in C++ and Java (and, I presume, Python), 
the only way to manage key sets is with the command-line tools.  This leads to 
some rather ugly code in cases where developers really need to dynamically 
create key sets and keys.  I saw some Google Java code which creates a mock 
Keyczar reader, and exploits the mock defined for KeyczarToolTest so it can 
call KeyczarTool.main() directly and create an in-memory keyset.

Nasty!  A refactoring of the test infrastructure could break this non-test 
client code.  But... it's not obvious how else the code could work because all 
of the pieces the client code needs to do it right are non-public.

We need a way for client code to programmatically create key sets, create keys, 
import key sets, etc.

Original issue reported on code.google.com by swillden@google.com on 28 Oct 2011 at 3:16

GoogleCodeExporter commented 9 years ago
Many of the pieces needed to make this feasible (in Java, at least) have been 
done.  We just need to verify that everything is there and then write some unit 
tests that prove it.

Original comment by swillden@google.com on 31 Jan 2012 at 5:04

GoogleCodeExporter commented 9 years ago
Issue 113 has been merged into this issue.

Original comment by jtu...@gmail.com on 2 Mar 2013 at 9:38

GoogleCodeExporter commented 9 years ago

Original comment by jtu...@gmail.com on 2 Mar 2013 at 9:39

GoogleCodeExporter commented 9 years ago
Here's a patch for Java; based on this I was able to replace the 
filesystem with Zookeeper, and create keys programmatically if they don't exist, 
so this is "real world tested":

https://github.com/justinsb/keyczar/commit/2db47c981b24f504273e2e7a815522d40e1773ba.diff

(I didn't personally use publicKeyExport or writeEncrypted, but these are 
called from keytool, and are the only two package-protected methods left, so I 
converted these because then I think we're done)

Original comment by jus...@fathomdb.com on 12 Aug 2013 at 7:00

GoogleCodeExporter commented 9 years ago
Just to update for accuracy, the Python version does have a programmatic key 
management API already, called `GenericKeyczar`

Original comment by jtu...@gmail.com on 12 Aug 2013 at 7:12

GoogleCodeExporter commented 9 years ago
Oh this is super interesting! I have a similar patch because I needed to make 
some changes to read/write keys as JSON encoded strings (rather than 
directories in a file system). I just haven't taken the time to figure out the 
best way to make that happen. I'll try to take a look at this patch to verify 
that it does what I needed sometime in the next week. Thanks!

Original comment by e...@evanjones.ca on 14 Aug 2013 at 8:17