Package google.registry.keyring.secretmanager

Class SecretManagerKeyring

  • All Implemented Interfaces:
    Keyring, java.lang.AutoCloseable
    public class SecretManagerKeyring
extends java.lang.Object
implements Keyring
    A Keyring implementation which stores sensitive data in the Secret Manager.

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void close()
      No persistent resources are maintained for this Keyring implementation.
      org.bouncycastle.openpgp.PGPPublicKey getBrdaReceiverKey()
      Returns public key of receiver of Bulk Registration Data Access (BRDA) deposits.
      org.bouncycastle.openpgp.PGPKeyPair getBrdaSigningKey()
      Returns the PGP key we use to sign Bulk Registration Data Access (BRDA) deposits.
      java.lang.String getIcannReportingPassword()
      Returns password to be used when uploading reports to ICANN.
      java.lang.String getJsonCredential()
      Returns the credentials for a service account on the Google AppEngine project downloaded from the Cloud Console dashboard in JSON format.
      java.lang.String getMarksdbDnlLoginAndPassword()
      Returns user:password login for TMCH MarksDB HTTP server DNL interface.
      java.lang.String getMarksdbLordnPassword()
      Returns password for TMCH MarksDB HTTP server LORDN interface.
      java.lang.String getMarksdbSmdrlLoginAndPassword()
      Returns user:password login for TMCH MarksDB HTTP server SMDRL interface.
      org.bouncycastle.openpgp.PGPPublicKey getRdeReceiverKey()
      Returns public key of escrow agent for encrypting deposits as they're uploaded.
      org.bouncycastle.openpgp.PGPKeyPair getRdeSigningKey()
      Returns the key which should be used to sign RDE deposits being uploaded to a third-party.
      java.lang.String getRdeSshClientPrivateKey()
      Returns private key for SSH client connections made by RDE.
      java.lang.String getRdeSshClientPublicKey()
      Returns public key for SSH client connections made by RDE.
      org.bouncycastle.openpgp.PGPPrivateKey getRdeStagingDecryptionKey()
      Returns private key for decrypting escrow deposits retrieved from cloud storage.
      org.bouncycastle.openpgp.PGPPublicKey getRdeStagingEncryptionKey()
      Returns public key for encrypting escrow deposits being staged to cloud storage.
      java.lang.String getSafeBrowsingAPIKey()
      Returns the API key for accessing the SafeBrowsing API.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Method Detail

      • getRdeSigningKey

        public org.bouncycastle.openpgp.PGPKeyPair getRdeSigningKey()
        Description copied from interface: Keyring
        Returns the key which should be used to sign RDE deposits being uploaded to a third-party.

        When we give all our data to the escrow provider, they'll need a signature to ensure the data is authentic.

        This keypair should only be known to the domain registry shared registry system.

        Specified by:
        getRdeSigningKey in interface Keyring
        See Also:
        RdeUploadAction

      • getRdeStagingEncryptionKey

        public org.bouncycastle.openpgp.PGPPublicKey getRdeStagingEncryptionKey()
        Description copied from interface: Keyring
        Returns public key for encrypting escrow deposits being staged to cloud storage.

        This adds an additional layer of security so cloud storage administrators won't be tempted to go poking around the App Engine Cloud Console and see a dump of the entire database.

        This keypair should only be known to the domain registry shared registry system.

        Specified by:
        getRdeStagingEncryptionKey in interface Keyring
        See Also:
        Keyring.getRdeStagingDecryptionKey()

      • getRdeStagingDecryptionKey

        public org.bouncycastle.openpgp.PGPPrivateKey getRdeStagingDecryptionKey()
        Description copied from interface: Keyring
        Returns private key for decrypting escrow deposits retrieved from cloud storage.

        This method may impose restrictions on who can call it. For example, we'd want to check that the caller isn't an HTTP request attacking a vulnerability in the admin console. The request should originate from a backend task queue servlet invocation of the RDE upload thing.

        Specified by:
        getRdeStagingDecryptionKey in interface Keyring
        See Also:
        Keyring.getRdeStagingEncryptionKey(), RdeUploadAction

      • getRdeReceiverKey

        public org.bouncycastle.openpgp.PGPPublicKey getRdeReceiverKey()
        Description copied from interface: Keyring
        Returns public key of escrow agent for encrypting deposits as they're uploaded.
        Specified by:
        getRdeReceiverKey in interface Keyring
        See Also:
        RdeUploadAction

      • getBrdaSigningKey

        public org.bouncycastle.openpgp.PGPKeyPair getBrdaSigningKey()
        Description copied from interface: Keyring
        Returns the PGP key we use to sign Bulk Registration Data Access (BRDA) deposits.
        Specified by:
        getBrdaSigningKey in interface Keyring
        See Also:
        BrdaCopyAction

      • getBrdaReceiverKey

        public org.bouncycastle.openpgp.PGPPublicKey getBrdaReceiverKey()
        Description copied from interface: Keyring
        Returns public key of receiver of Bulk Registration Data Access (BRDA) deposits.
        Specified by:
        getBrdaReceiverKey in interface Keyring
        See Also:
        BrdaCopyAction

      • getRdeSshClientPublicKey

        public java.lang.String getRdeSshClientPublicKey()
        Description copied from interface: Keyring
        Returns public key for SSH client connections made by RDE.

        This is a string containing what would otherwise be the contents of an ~/.ssh/id_rsa.pub file. It's usually a single line with the name of the algorithm, the base64 key, and the email address of the owner.

        Specified by:
        getRdeSshClientPublicKey in interface Keyring
        See Also:
        RdeUploadAction

      • getRdeSshClientPrivateKey

        public java.lang.String getRdeSshClientPrivateKey()
        Description copied from interface: Keyring
        Returns private key for SSH client connections made by RDE.

        This is a string containing what would otherwise be the contents of an ~/.ssh/id_rsa file. It's ASCII-armored text.

        This method may impose restrictions on who can call it. For example, we'd want to check that the caller isn't an HTTP request attacking a vulnerability in the admin console. The request should originate from a backend task queue servlet invocation of the RDE upload thing.

        Specified by:
        getRdeSshClientPrivateKey in interface Keyring
        See Also:
        RdeUploadAction

      • getIcannReportingPassword

        public java.lang.String getIcannReportingPassword()
        Description copied from interface: Keyring
        Returns password to be used when uploading reports to ICANN.
        Specified by:
        getIcannReportingPassword in interface Keyring
        See Also:
        RdeReportAction

      • getMarksdbDnlLoginAndPassword

        public java.lang.String getMarksdbDnlLoginAndPassword()
        Description copied from interface: Keyring
        Returns user:password login for TMCH MarksDB HTTP server DNL interface.
        Specified by:
        getMarksdbDnlLoginAndPassword in interface Keyring
        See Also:
        TmchDnlAction

      • getMarksdbLordnPassword

        public java.lang.String getMarksdbLordnPassword()
        Description copied from interface: Keyring
        Returns password for TMCH MarksDB HTTP server LORDN interface.
        Specified by:
        getMarksdbLordnPassword in interface Keyring
        See Also:
        "google.registry.tmch.LordnRequestInitializer"

      • getMarksdbSmdrlLoginAndPassword

        public java.lang.String getMarksdbSmdrlLoginAndPassword()
        Description copied from interface: Keyring
        Returns user:password login for TMCH MarksDB HTTP server SMDRL interface.
        Specified by:
        getMarksdbSmdrlLoginAndPassword in interface Keyring
        See Also:
        TmchSmdrlAction

      • getJsonCredential

        public java.lang.String getJsonCredential()
        Description copied from interface: Keyring
        Returns the credentials for a service account on the Google AppEngine project downloaded from the Cloud Console dashboard in JSON format.
        Specified by:
        getJsonCredential in interface Keyring

      • close

        public void close()
        No persistent resources are maintained for this Keyring implementation.
        Specified by:
        close in interface java.lang.AutoCloseable
        Specified by:
        close in interface Keyring