refactor: extract root-key custody into a seismic-key-custodian crate#202
Merged
Conversation
Move KeyManager out of enclave-server into a new seismic-key-custodian crate (renamed Custodian) that owns root_key and everything derived from it. The crate never sees remote attestation evidence, JSON-RPC, or any network input: releasing root_key to a peer requires a VerifiedPeerAuthorization, built by the caller at the point where it has just verified the peer's evidence. The verified transcript digest (root_key_request_binding) rides along and becomes the AEAD AAD, so a wrapped key cannot be lifted onto a different handshake. enclave-server keeps the untrusted-input surface (evidence verification, RPC) and calls into the custodian through this typed API. Beyond the code motion, the custody boundary is now enforced by the API: - KeyManager::get_root_key() is gone. Raw root-key bytes are unreachable outside the crate; root_key only leaves AEAD-wrapped via wrap_root_key_for_peer. - The Clone derive is gone: exactly one Custodian per process, zeroized on drop. - The responder-side ephemeral ECDH keypair is now generated inside wrap_root_key_for_peer, so its secret also never exists outside the custodian. - answer_root_key_request takes &Custodian instead of &[u8; 32]: bootstrap.rs orchestrates verify -> authorize -> attest without ever holding key material. The crate's modules are organized by how key material can leave the process: custodian.rs (it doesn't — RAM-only derivation of root_key and purpose keys), luks_keyfile.rs (ephemeral tmpfs handoff to setup-persistent-luks), root_key_wrap.rs (over the network, AEAD-wrapped to an attested peer). No behavior change: the wire format (nonce || ciphertext+tag, request-binding AAD), HKDF derivations (salts, domain separators), and epoch handling are byte-identical to before. This is groundwork for splitting enclave-server into a network-facing attestation service and a minimal key-custodian process with no network listener.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Move KeyManager out of enclave-server into a new seismic-key-custodian crate (renamed Custodian) that owns root_key and everything derived from it. The crate never sees remote attestation evidence, JSON-RPC, or any network input: releasing root_key to a peer requires a VerifiedPeerAuthorization, built by the caller at the point where it has just verified the peer's evidence. The verified transcript digest (root_key_request_binding) rides along and becomes the AEAD AAD, so a wrapped key cannot be lifted onto a different handshake. enclave-server keeps the untrusted-input surface (evidence verification, RPC) and calls into the custodian through this typed API.
Beyond the code motion, the custody boundary is now enforced by the API:
The crate's modules are organized by how key material can leave the process: custodian.rs (it doesn't — RAM-only derivation of root_key and purpose keys), luks_keyfile.rs (ephemeral tmpfs handoff to setup-persistent-luks), root_key_wrap.rs (over the network, AEAD-wrapped to an attested peer).
No behavior change: the wire format (nonce || ciphertext+tag, request-binding AAD), HKDF derivations (salts, domain separators), and epoch handling are byte-identical to before.
This is groundwork for splitting enclave-server into a network-facing attestation service and a minimal key-custodian process with no network listener.