-
Notifications
You must be signed in to change notification settings - Fork 42
/
Copy pathrelic.yml
257 lines (210 loc) · 9.38 KB
/
relic.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
---
# Tokens on which signing keys can be found. Each configured key refers to a token by name.
tokens:
# Use a PKCS#11 library as a token
mytoken:
# Full path to provider library
provider: /usr/lib64/softhsm/libsofthsm.so
# Optional selectors to pick a token from those the provider offers
label: alpha
serial: 99999
# PIN is optional for command-line use, but required for servers. See also 'pinfile'.
pin: 123456
#pin: "" # blank PIN, without prompting
# If true, try to save the PIN in the system keyring (command-line only)
#usekeyring: false
# Optional login user. Useful values:
# 0 - CKU_SO
# 1 - CKU_USER (default)
# 2 - CKU_CONTEXT_SPECIFIC, SafeNet: CKU_AUDIT
# 0x80000001 - SafeNet: CKU_LIMITED_USER
#user: 1
# Optional parameters for server mode
#timeout: 60 # Terminate each attempt after N seconds (default: 60)
#retries: 5 # Retry failed commands N times (default: 5)
#ratelimit: 10 # Limit token operations per second
#rateburst: 10 # Allow burst of requests before limit kicks in
# Use GnuPG scdaemon as a token
myscd:
type: scdaemon
# Optionally specify the scdaemon socket path. If not provided then the
# default will be used.
provider: /run/myscd/S.scdaemon
# Optional serial number of the expected card.
serial: D99999999999999999999
# PIN is optional for command-line use, but required for servers. See also 'pinfile'.
pin: 123456
# Use private key files as a "token". The path to the key is specified in the key section(s)
file:
type: file
# If the private key is protected with a password, specify it here
pin: password
# Use keys stored in Google Cloud Key Management Service
gcloud:
type: gcloud
# Optionally configure a credential file. If not specified then the default
# environment is used.
#pin: service-account.json
# Use keys stored in Azure Key Vault
azurekv:
type: azure
# Optionally configure a service principal file
#pin: service-principal.auth
# Or use CLI authentication
#pin: ""
# Otherwise the environment will be used
# Use CMKs stored in AWS Key Management Service
aws:
type: aws
# Presently, configuration must be done via the standard SDK env vars
# Keys that can be used for signing
keys:
my_token_key:
# Which token, defined above, to find the key on
token: mytoken
# Optional selectors to pick a key from those in the token
# CKA_LABEL:
label: "label"
# CKA_ID:
id: 00112233
# Path to a PGP certificate, if PGP signing is desired. Can be ascii-armored or binary.
pgpcertificate: ./keys/rsa1.pub
# Path to a X509 certificate, if X509 signing is desired. Can be PEM, DER,
# or PKCS#7 (p7b) format, with optional certificate chain.
x509certificate: ./keys/rsa1.cer
# true if a RFC 3161 timestamp should be attached, see 'timestamp' below
timestamp: false
# Enable RFC 3161 timestamping using a specific named service,
# see `namedurls` below. Implies "timestamp: true".
#timestamper: apple
# Clients with any of these roles can utilize this key
roles: ["somegroup"]
my_scd_key:
token: myscd
# Specify which key to use. For OpenPGP cards this will be either OPENPGP.1 or OPENPGP.3.
id: OPENPGP.1
# Same options as above: pgpcertificate, x509certificate, timestamp, roles
my_file_key:
token: file
# Path to the private key file. The password is specified in the token configuration above.
keyfile: ./keys/rsa1.key
# true if key file contains PKCS#12 key and certificate chain
ispkcs12: false
# Same options as above: pgpcertificate, x509certificate, timestamp, roles
my_gcloud_key:
token: gcloud
# Fully-qualified name of a key version resource. Must point to a key version, not a key.
id: projects/root-opus-123456/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-gloud-key/cryptoKeyVersions/1
# Same options as above: pgpcertificate, x509certificate, timestamp, roles
my_azure_key:
token: azurekv
# URL of key version resource. Must point to a key version, not a key.
id: https://example.vault.azure.net/keys/my-azure-key/00112233445566778899aabbccddeeff
# Alternately, point to a certificate or certificate version. In this case
# x509certificate may be omitted to load the cert from key vault as well.
#id: https://example.vault.azure.net/certificates/my-azure-key
# Same options as above: pgpcertificate, x509certificate, timestamp, roles
my_aws_key:
token: aws
# ID or ARN of an asymmetric CMK
id: arn:aws:kms:us-east-1:111111111111:key/22222222-3333-4444-5555-666666666666
# Same options as above: pgpcertificate, x509certificate, timestamp, roles
aliased_key:
# When alias is set, this key name becomes an alias for the other key.
# Alises cannot override any parameters of the key, including roles.
alias: my_token_key
# Server-specific configuration
server:
# What port to listen on. Defaults to :6300.
# Socket activation via systemd is also supported, in which case this is ignored.
listen: ":6300"
# Listen for non-secure connections. This is useful for health checks and/or
# if clients connect via a trusted reverse proxy. Default is none.
listenhttp: ":6301"
# Private key for server TLS. PEM format, RSA or ECDSA
keyfile: /etc/relic/server/server.key
# X.509 certificate for server TLS. PEM format. If a cert chain is needed it
# should follow the main cert.
certfile: /etc/relic/server/server.key
# Optional logfile for server errors. If not set, then standard error is used
logfile: /var/log/relic/server.log
# How many worker subprocesses to spawn per token. Usually only 1 is required.
#numworkers: 1
# Set the frequency and tolerance of token health checks
#tokencheckinterval: 60 # ping the token every N seconds
#tokenchecktimeout: 30 # fail a ping if it is stuck for N seconds
#tokencheckfailures: 3 # the server will report "not healthy" after N failed pings
#tokencacheseconds: 600 # cache key/cert info from token
# Optional list of URLs that are part of a cluster of servers. If set clients
# will connect directly to one of these servers at random, otherwise they
# will connect to their originally configured URL.
#siblings:
#- https://relic1:6300
#- https://relic2:6300
# Optionally utilize Open Policy Agent to authenticate and authorize requests
# instead of the builtin client certificate verification.
# See [opa.md](./opa.md) for details.
#policyurl: http://127.0.0.1:8181/v1/data/relic
# If policyurl is set, optionally specify an Azure AD tenant which will be
# advertised to clients that wish to perform interactive token authentication.
#azuread:
# authority: https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444
# clientid: 55555555-6666-7777-8888-999999999999
# If fronted by a trusted reverse proxy, list the IP(s) and IP network(s) of
# the proxy here. The X-Forwarded-{For,Proto,Host} and Ssl-Client-Certificate
# headers will be respected when connections come from one of these IPs.
#trustedproxies:
#- 127.0.0.1
#- 10.0.0.0/30
# Instead of including token PINs in this file, you can specify an alternate
# "pin file" which is a YAML file holding key-value pairs where the key is the
# name of the token and the value is the PIN.
#pinfile: /etc/relic/pin.yaml
# Optionally append a log entry for each signature created to this file
#auditfile: /var/log/relic/audit.log
# Configure trusted timestamping servers, used by keys that have timestamping
# enabled when using a signature type that supports it.
timestamp:
# RFC 3161 timestamp server(s). If more than one is provided then they will
# be tried in the order given until one succeeds.
urls:
- http://mytimestamp.server/rfc3161
# Non-RFC3161 timestamp server(s), used for appmanifest only
msurls:
- http://mytimestamp.server
# Optional named timestamp services for specific keys.
namedurls:
apple:
- http://timestamp.apple.com/ts01
# Optional timeout for each timestamp request
timeout: 60
# Optional alternate CA certificate file for contacting timestamp servers
# cacert: /etc/pki/tls/mychain.pem
# Optional memcache servers for memoizing timestamp requests
#memcache:
# - 127.0.0.1:11211
# Optional rate limit for timestamp requests
#ratelimit: 1 # requests per second
#rateburst: 10 # burst capacity
# Authentication to the server is via client certificate. Certificates are
# identified by their fingerprint. Fingerprints can be obtained by using the
# "relic remote register" command on the client to generate the key, or by
# checking the server error log after attempting to connect.
clients:
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855:
# Display name for this client
nickname: myuser
# List of roles this user possesses. Must contain at least one of the roles
# on a key for the user to access that key.
roles: ["somegroup"]
# Alternately, clients can be authenticated using one or more CA
# certificates. The CA that the client matches determines the roles they have
# access to, and the subject DN of the leaf certificate is logged. This can
# be used to delegate access to a short-lived build process.
#my_root_ca:
# nickname: my_root_ca
# certificate: |
# -----BEGIN CERTIFICATE-----
# asdfasdfasdf
# -----END CERTIFICATE-----
# roles: ['somegroup']