From a829657472e79b7c4ee9528585d1400745e1d374 Mon Sep 17 00:00:00 2001
From: Stefan Matting
Date: Wed, 11 Dec 2024 10:45:41 +0100
Subject: [PATCH 1/3] MLS removal keys: Make missing keys a templating error, update docs
---
 charts/galley/templates/secret.yaml | 8 -------
 docs/src/understand/mls.md | 34 ++++++++++++++++++++---------
 2 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/charts/galley/templates/secret.yaml b/charts/galley/templates/secret.yaml
index 84995f51bc5..7224b67c59e 100644
--- a/charts/galley/templates/secret.yaml
+++ b/charts/galley/templates/secret.yaml
@@ -10,19 +10,11 @@ metadata:
 type: Opaque
 data:
 {{- if .Values.secrets.mlsPrivateKeys }}
- {{- if .Values.secrets.mlsPrivateKeys.removal.ed25519 }}
 removal_ed25519.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ed25519 | b64enc | quote }}
- {{- end -}}
- {{- if .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp256r1_sha256 }}
 removal_ecdsa_secp256r1_sha256.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp256r1_sha256 | b64enc | quote }}
- {{- end -}}
- {{- if .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp384r1_sha384 }}
 removal_ecdsa_secp384r1_sha384.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp384r1_sha384 | b64enc | quote }}
- {{- end -}}
- {{- if .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp521r1_sha512 }}
 removal_ecdsa_secp521r1_sha512.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp521r1_sha512 | b64enc | quote }}
 {{- end -}}
- {{- end -}}
 {{- if $.Values.config.enableFederation }}
 rabbitmqUsername: {{ .Values.secrets.rabbitmq.username | b64enc | quote }}
diff --git a/docs/src/understand/mls.md b/docs/src/understand/mls.md
index 99e26c2f2dd..3df365b5a86 100644
--- a/docs/src/understand/mls.md
+++ b/docs/src/understand/mls.md
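Review bot: Removing the per-key guards makes an absent variant fail only indirectly — `b64enc` is handed a nil value and the template engine reports a generic type error that does not name the offending value — and an empty string (`ed25519: ""`) still renders an empty `removal_ed25519.pem` entry with no error at all. Wrapping each of the four values in `required` produces an explicit message naming the missing value and also rejects the empty-string case, which is what "missing keys are a templating error" presumably intends. Note that the outer `{{- if .Values.secrets.mlsPrivateKeys }}` guard is kept, so omitting the whole `mlsPrivateKeys` block still renders a secret without any removal key and no error; if that should fail too, the outer guard has to go as well, otherwise the chart docs should state that omitting the block is a supported configuration. The `data:` mapping continues past the end of the hunk.
```yaml
{{- if .Values.secrets.mlsPrivateKeys }}
  removal_ed25519.pem: {{ required "galley.secrets.mlsPrivateKeys.removal.ed25519 is required" .Values.secrets.mlsPrivateKeys.removal.ed25519 | b64enc | quote }}
  removal_ecdsa_secp256r1_sha256.pem: {{ required "galley.secrets.mlsPrivateKeys.removal.ecdsa_secp256r1_sha256 is required" .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp256r1_sha256 | b64enc | quote }}
  removal_ecdsa_secp384r1_sha384.pem: {{ required "galley.secrets.mlsPrivateKeys.removal.ecdsa_secp384r1_sha384 is required" .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp384r1_sha384 | b64enc | quote }}
  removal_ecdsa_secp521r1_sha512.pem: {{ required "galley.secrets.mlsPrivateKeys.removal.ecdsa_secp521r1_sha512 is required" .Values.secrets.mlsPrivateKeys.removal.ecdsa_secp521r1_sha512 | b64enc | quote }}
  # … unchanged: closing end of the mlsPrivateKeys block, federation secrets …
```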
@@ -9,7 +9,14 @@ enables the server to remove clients from MLS groups, e.g. when users leave conversations or delete their clients. The removal key is configured at path -`galley.secrets.mlsPrivateKeys.removal.ed25519` in the wire-server helm chart. +`galley.secrets.mlsPrivateKeys.removal` in the wire-server helm chart. +You need to provide a variant for each supported ciphersuite: +- `ed25519` +- `ecdsa_secp256r1_sha256` +- `ecdsa_secp384r1_sha384` +- `ecdsa_secp521r1_sha512` + + For example: ```yaml @@ -20,25 +27,32 @@ galley: removal: ed25519: | -----BEGIN PRIVATE KEY----- - MC4CAQA....Z709c - -----END PRIVATE KEY----- + ... + ecdsa_secp256r1_sha256: | + -----BEGIN PRIVATE KEY----- + ... + ecdsa_secp384r1_sha384: | + -----BEGIN PRIVATE KEY----- + ... + ecdsa_secp521r1_sha512: | + -----BEGIN PRIVATE KEY----- + ... ``` -The key is a private ED25519 key in PEM format. It can be created by openssl -with this command: +These private keys can be created with with these commands: ```sh -openssl req -nodes -newkey ed25519 -keyout ed25519.pem -out /dev/null -subj / +openssl genpkey -algorithm ed25519 +openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 +openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-384 +openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 ``` -This will create a `ed25519.pem`. Use the contents of this file as the -configuration value. - This is a sensitive configuration value. Consider using Helm/Helmfile's support for managing secrets instead of putting this value in plaintext in a `values.yaml` file. -Next, MLS needs to be explictly enabled in brig. This can be configured at +In addition to removal keys, MLS needs to be explictly enabled in brig. This can be configured at `brig.config.optSettings.setEnableMLS`, for example: ```yaml From 60eb948c388375e01300766c33cc0013a72571e1 Mon Sep 17 00:00:00 2001 
From: Stefan Matting
Date: Wed, 11 Dec 2024 10:47:19 +0100
Subject: [PATCH 2/3] Add changelog entry
---
 changelog.d/5-internal/mls | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/5-internal/mls
diff --git a/changelog.d/5-internal/mls b/changelog.d/5-internal/mls
new file mode 100644
index 00000000000..1e33d7320c6
--- /dev/null
+++ b/changelog.d/5-internal/mls
@@ -0,0 +1 @@
+Make missing mls keys a templating error. Update MLS docs.
From 19369e238498cd9c6c1b87c2b0b1c0f3f6585982 Mon Sep 17 00:00:00 2001
From: Stefan Matting
Date: Wed, 11 Dec 2024 10:58:04 +0100
Subject: [PATCH 3/3] Update changelog.d/5-internal/mls
Co-authored-by: Akshay Mankar
---
 changelog.d/5-internal/mls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog.d/5-internal/mls b/changelog.d/5-internal/mls
index 1e33d7320c6..dd945421cc5 100644
--- a/changelog.d/5-internal/mls
+++ b/changelog.d/5-internal/mls
@@ -1 +1 @@
-Make missing mls keys a templating error. Update MLS docs.
+charts/galley: Make missing mls keys a templating error. Update MLS docs.