valitydev/kds
14
0
Fork 0
mirror of https://github.com/valitydev/kds.git synced 2024-11-06 08:15:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
kds/doc/keyring.md

305 lines
15 KiB
Markdown
Raw Permalink Normal View History

CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
# Операции с `Keyring`
## Подготовка
### Устанавливаем Step Cli
https://github.com/smallstep/cli#installation-guide
### Создаем JWK ключ
RSA 4096 ключ для шифрования:
step crypto jwk create rsa-enc.pub.json rsa-enc.json --kty RSA --size 4096 --use enc
EC ключ для криптоподписи:
step crypto jwk create ec.pub.json ec.json --kty EC --crv P-256 --use sig
### Добавляем JWK в конфигурацию
Добавляем публичный ключ из `rsa-enc.pub.json` и `ec.pub.json` в `map` конфигурации `shareholders`:
```
{shareholders, #{
<<"ndiezel">> => #{
owner => <<"ndiezel0@gmail.com">>,
public_keys => #{
enc =>
<<"{
\"use\": \"enc\",
\"kty\": \"RSA\",
\"kid\": \"KUb1fNMc5j9Ei_IV3DguhJh5UOH30uvO7qXq13uevnk\",
\"alg\": \"RSA-OAEP-256\",
\"n\": \"2bxkamUQjD4CN8rcq5BfNLJmRmosb-zY7ajPBJqtiLUTcqym23OkUIA1brBg34clmU2ZQmtd3LWi5kVJk_wr4WsMG_78jHK3wQA-HRhY4WZDZrULTsi4XWpNSwL4dCml4fs536RKy_TyrnpiXg0ug4JVVaEeo7VIZ593mVhCxC8Ev6FK8tZ2HGGOerUXLpgQdhcp9UwaI_l7jgoWNp1f7SuBqv1mfiw4ziC1yvwyXHTKy-37LjLmVB9EVyjqpkwZgzapaOvHc1ABqJpdOrUh-PyOgq-SduqSkMrvqZEdUeR_KbFVxqbxqWJMrqkl2HOJxOla9cHRowg5ObUBjeMoaTJfqie3t6uRUsFEFMzhIyvo6QMYHooxIdOdwpZ4tpzML6jv9o5DPtN375bKzy-UsjeshYbvad1mbrcxc8tYeiQkDZEIM0KeOdHm5C6neEyY6oF4s1vSYBNCnhE5O-R9dmp8Sk5KEseEkOH5u4G2RsIXBA9z1OTDoy6qF21EvRCGzsGfExfkmPAtzbnS-EHHxbMUiio0ZJoZshYo8dwJY6vSN7UsXBgW1v7GvIF9VsfzRmgkl_3rdemYy28DJKC0U2yufePcA3nUJEhtR3UO_tIlHxZvlDSX5eTx4vs5VkFfujNSiPsgH0PEeXABGBFbal7QxU1u0XHXIFwhW5cM8Fs\",
\"e\": \"AQAB\"
}">>,
sig =>
<<"{
\"use\": \"sig\",
\"kty\": \"EC\",
\"kid\": \"03ohMufKvFyAtbaXJO83S4nPkaiiLPF8dSUPtetU_CA\",
\"crv\": \"P-256\",
\"alg\": \"ES256\",
\"x\": \"N3E6i6WabPQg7MVqsjXd81z6dmSVibxLbgYJ1UIvHR4\",
\"y\": \"jDzBx7KDMzesKbpwl5H1J0TtwvOJxPaEC5wH6zZs_r8\"
}">>
}
}
}}
```
## Инициализация
Запуск `kds` из состояния отсутствующего `Keyring`.
Разделен на 2 этапа: Начало и Валидация.
На этапе 'Начало' указывается количество фрагментов ключа, при комбинации которых
мы получим `MasterKey`,
который шифрует `Keyring`. Результат - зашифрованные публичными
ключами из конфигурации фрагменты `MasterKey`, которые отдаются соответствующим
владельцам для прохождения следующего этапа 'Валидация'.
На этапе 'Валидация' каждый владелец ключа передает свой расшифрованный фрагмент
ключа в виде JWS, подписанного личным криптоключом. Процесс инициализации
можно считать завершенным, когда последнему владельцу приходит `struct Success {}`.
В случае передачи владельцем фрагмента ключа с неверной подписью, он
отвергается, а процесс валидации продолжается. В случае передачи владельцем
некорректного или устаревшего фрагмента, он принимается, но после получения последнего фрагмента
вернется ошибка и процесс инициализации будет сброшен с необходимостью начать с этапа
'Начало'.
Этап 'Валидация' необходим для подтверждения того, что все фрагменты `MasterKey` были
доставлены своим адресатам и успешно расшифрованны.
### Начало
Начинаем процесс инициализации:
```bash
$ woorl -s cds_proto/proto/keyring.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement StartInit '<insert threshold here>'
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
`threshold` - количество фрагментов мастер-ключа, которое нужно для его востановление
Получаем зашифрованные части мастер-ключа вида:
```json
[
{
"id": "ndiezel",
"owner": "ndiezel0@gmail.com",
"encrypted_share": "<EncryptedMasterKeyShare>"
}
]
```
Отдаем `encrypted_share` соответствующим владельцам
### Валидация
Каждый владелец фрагментов ключа расшифровывает свой фрагмент, подписывает и отдает на
валидацию:
```bash
$ echo "<insert EncryptedMasterKeyShare here>" | \
step crypto jwe decrypt --key rsa-enc.json | \
step crypto jws sign - --key ec.json | \
woorl -s cds_proto/proto/kds.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement ValidateInit '{"id":"<insert id, ex. ndiezel>","signed_share":"'"$(cat -)"'"}'
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
`EncodedMasterKeyShare` - полученный зашифрованный фрагмент мастер-ключа
`http://kds:8022/v2/keyring` - пример пути до `kds`
## Разблокировка
Расшифровывает зашифрованный `Keyring`, что позволяет производить операции с
хранилищем зашифрованных карточных данных.
Разделен на 2 этапа: Начало и Валидация.
На этапе 'Начало' вызывается метод начала операции.
На этапе 'Валидация' владельцы фрагментов мастер-ключа отправляют фрагменты в виде JWS,
подписанного криптоключом. Собранные фрагменты востанавливают мастер-ключ и
расшифровывают `Keyring`. В случае успеха последнему отправившему фрагмент вернется
`Success` и расшифрованный `Keyring` сохраняется в памяти. Если не удается
востановить `MasterKey` из фрагментов или востановленным ключом не получается
расшифровать `Keyring`, то процесс разблокировки прерывается и необходимо начинать с
этапа 'Начало'.
### Начало
Начинаем процесс разблокировки:
```bash
$ woorl -s cds_proto/proto/keyring.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement StartUnlock
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
CDS-79: Adds keyring meta (#2) * CDS-79: Add keyring meta * CDS-79: Fix tests and specs * CDS-79: fixes to tests * CDS-79: encode binary in base64 in order to store in json * CDS-79: implement cds_proto Meta methods * CDS-79: Ensure that meta isn't overwritten by FSMs * CDS-79: Add backward compatibility storage tests * CDS-79: Fix dialyzer * CDS-79: Update keyring_path usage in test * CDS-79: Add meta tests * CDS-79: Add rotation meta collision test * CDS-79: Fix exception for update_meta during not_initialized * CDS-79: Move kds_keyring_storage_file specific function to module * CDS-79: spec fix * CDS-79: replace dumb copy with symlink * CDS-89: Add GetKeyring method with SSL (#3) * CDS-89: Add ability to get keyring from storage * CDS-89: replace dumb copy with symlink * CDS-89: Add ssl support for keyring storage api * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-89: Review fix * CDS-89: sys.config update * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Refactor meta validation * CDS-79: Add error if UpdateKeyringMeta doesn't make changes * CDS-79: Fix initializer returning actual keyring instead of diff. * CDS-79: spec fix * CDS-79: fix rotator and kds_keyring specs * CDS-79: remove ability to make meta updates if not_initialized * Update apps/kds/src/kds_keyring_management_thrift_handler.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-79: remove useless slash in string * CDS-79: fix storage file decoding * CDS-79: bump handler version and move same meta check to manager * CDS-79: add format version to keyring storage for decoding * CDS-79: Add version to keyring meta * CDS-79: Remove diffs for keyring * CDS-79: type fix * CDS-79: Move keyring_meta types to it's module * CDS-79: replace string generation with converting Reason to binary * CDS-79: Update encrypted keyring format and rename current_key to max_key_id * CDS-79: Refactor * CDS-79: Update doc * CDS-79: Remove validation failed and bump cds_proto version * CDS-79: Add ability to change current_key_id in meta * CDS-79: Fix missing exceptions in handler
2019-07-03 12:29:48 +00:00
### Подтверждение
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
`Threshold` владельцев фрагментов ключа расшифровывают свою часть, подписывают и отдают
CDS-79: Adds keyring meta (#2) * CDS-79: Add keyring meta * CDS-79: Fix tests and specs * CDS-79: fixes to tests * CDS-79: encode binary in base64 in order to store in json * CDS-79: implement cds_proto Meta methods * CDS-79: Ensure that meta isn't overwritten by FSMs * CDS-79: Add backward compatibility storage tests * CDS-79: Fix dialyzer * CDS-79: Update keyring_path usage in test * CDS-79: Add meta tests * CDS-79: Add rotation meta collision test * CDS-79: Fix exception for update_meta during not_initialized * CDS-79: Move kds_keyring_storage_file specific function to module * CDS-79: spec fix * CDS-79: replace dumb copy with symlink * CDS-89: Add GetKeyring method with SSL (#3) * CDS-89: Add ability to get keyring from storage * CDS-89: replace dumb copy with symlink * CDS-89: Add ssl support for keyring storage api * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-89: Review fix * CDS-89: sys.config update * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Refactor meta validation * CDS-79: Add error if UpdateKeyringMeta doesn't make changes * CDS-79: Fix initializer returning actual keyring instead of diff. * CDS-79: spec fix * CDS-79: fix rotator and kds_keyring specs * CDS-79: remove ability to make meta updates if not_initialized * Update apps/kds/src/kds_keyring_management_thrift_handler.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-79: remove useless slash in string * CDS-79: fix storage file decoding * CDS-79: bump handler version and move same meta check to manager * CDS-79: add format version to keyring storage for decoding * CDS-79: Add version to keyring meta * CDS-79: Remove diffs for keyring * CDS-79: type fix * CDS-79: Move keyring_meta types to it's module * CDS-79: replace string generation with converting Reason to binary * CDS-79: Update encrypted keyring format and rename current_key to max_key_id * CDS-79: Refactor * CDS-79: Update doc * CDS-79: Remove validation failed and bump cds_proto version * CDS-79: Add ability to change current_key_id in meta * CDS-79: Fix missing exceptions in handler
2019-07-03 12:29:48 +00:00
на подтверждение:
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```bash
$ echo "<insert EncryptedMasterKeyShare here>" | \
step crypto jwe decrypt --key rsa-enc.json | \
step crypto jws sign - --key ec.json | \
woorl -s cds_proto/proto/keyring.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement ConfirmUnlock '{"id":"<insert id, ex. ndiezel>","signed_share":"'"$(cat -)"'"}'
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
`EncodedMasterKeyShare` - полученный зашифрованный фрагмент мастер-ключа
`http://kds:8022/v2/keyring` - пример пути до `kds`
## Ротация ключа шифрования карточных данных
Создание нового ключа для шифрования карточных данных и добавление его в `Keyring`.
Разделен на 2 этапа: Начало и Валидация.
На этапе 'Начало' вызывается метод начала операции.
На этапе Валидация владельцы фрагментов мастер-ключа отправляют фрагменты в виде JWS,
подписанного криптоключом. Собранные фрагменты востанавливают мастер-ключ и
расшифровывают `Keyring`. В случае успеха последнему отправившему свой фрагмент
держателю вернется `Success` и новый добавленный в `Keyring` ключ будет использоваться
для последующих операций шифрования карточных данных. Если не удается востановить
`MasterKey` из фрагментов или востановленным ключом не получается расшифровать
`Keyring`, то процесс Ротации прерывается и необходимо начинать с этапа 'Начало'.
### Начало
Начинаем процесс ротации:
```bash
$ woorl -s cds_proto/proto/keyring.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement StartRotate
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
CDS-79: Adds keyring meta (#2) * CDS-79: Add keyring meta * CDS-79: Fix tests and specs * CDS-79: fixes to tests * CDS-79: encode binary in base64 in order to store in json * CDS-79: implement cds_proto Meta methods * CDS-79: Ensure that meta isn't overwritten by FSMs * CDS-79: Add backward compatibility storage tests * CDS-79: Fix dialyzer * CDS-79: Update keyring_path usage in test * CDS-79: Add meta tests * CDS-79: Add rotation meta collision test * CDS-79: Fix exception for update_meta during not_initialized * CDS-79: Move kds_keyring_storage_file specific function to module * CDS-79: spec fix * CDS-79: replace dumb copy with symlink * CDS-89: Add GetKeyring method with SSL (#3) * CDS-89: Add ability to get keyring from storage * CDS-89: replace dumb copy with symlink * CDS-89: Add ssl support for keyring storage api * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-89: Review fix * CDS-89: sys.config update * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Refactor meta validation * CDS-79: Add error if UpdateKeyringMeta doesn't make changes * CDS-79: Fix initializer returning actual keyring instead of diff. * CDS-79: spec fix * CDS-79: fix rotator and kds_keyring specs * CDS-79: remove ability to make meta updates if not_initialized * Update apps/kds/src/kds_keyring_management_thrift_handler.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-79: remove useless slash in string * CDS-79: fix storage file decoding * CDS-79: bump handler version and move same meta check to manager * CDS-79: add format version to keyring storage for decoding * CDS-79: Add version to keyring meta * CDS-79: Remove diffs for keyring * CDS-79: type fix * CDS-79: Move keyring_meta types to it's module * CDS-79: replace string generation with converting Reason to binary * CDS-79: Update encrypted keyring format and rename current_key to max_key_id * CDS-79: Refactor * CDS-79: Update doc * CDS-79: Remove validation failed and bump cds_proto version * CDS-79: Add ability to change current_key_id in meta * CDS-79: Fix missing exceptions in handler
2019-07-03 12:29:48 +00:00
### Подтверждение
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
`Threshold` владельцев фрагментов ключа расшифровывают свою часть, подписывают и отдают
CDS-79: Adds keyring meta (#2) * CDS-79: Add keyring meta * CDS-79: Fix tests and specs * CDS-79: fixes to tests * CDS-79: encode binary in base64 in order to store in json * CDS-79: implement cds_proto Meta methods * CDS-79: Ensure that meta isn't overwritten by FSMs * CDS-79: Add backward compatibility storage tests * CDS-79: Fix dialyzer * CDS-79: Update keyring_path usage in test * CDS-79: Add meta tests * CDS-79: Add rotation meta collision test * CDS-79: Fix exception for update_meta during not_initialized * CDS-79: Move kds_keyring_storage_file specific function to module * CDS-79: spec fix * CDS-79: replace dumb copy with symlink * CDS-89: Add GetKeyring method with SSL (#3) * CDS-89: Add ability to get keyring from storage * CDS-89: replace dumb copy with symlink * CDS-89: Add ssl support for keyring storage api * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_storage_api_tests_SUITE.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * Update apps/kds/test/kds_keyring_client.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-89: Review fix * CDS-89: sys.config update * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Review fix * CDS-79: Refactor meta validation * CDS-79: Add error if UpdateKeyringMeta doesn't make changes * CDS-79: Fix initializer returning actual keyring instead of diff. * CDS-79: spec fix * CDS-79: fix rotator and kds_keyring specs * CDS-79: remove ability to make meta updates if not_initialized * Update apps/kds/src/kds_keyring_management_thrift_handler.erl Co-Authored-By: Sergei Shuvatov <Yozhig@users.noreply.github.com> * CDS-79: remove useless slash in string * CDS-79: fix storage file decoding * CDS-79: bump handler version and move same meta check to manager * CDS-79: add format version to keyring storage for decoding * CDS-79: Add version to keyring meta * CDS-79: Remove diffs for keyring * CDS-79: type fix * CDS-79: Move keyring_meta types to it's module * CDS-79: replace string generation with converting Reason to binary * CDS-79: Update encrypted keyring format and rename current_key to max_key_id * CDS-79: Refactor * CDS-79: Update doc * CDS-79: Remove validation failed and bump cds_proto version * CDS-79: Add ability to change current_key_id in meta * CDS-79: Fix missing exceptions in handler
2019-07-03 12:29:48 +00:00
на подтверждение:
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```bash
$ echo "<insert EncryptedMasterKeyShare here>" | \
step crypto jwe decrypt --key rsa-enc.json | \
step crypto jws sign - --key ec.json | \
woorl -s cds_proto/proto/kds.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement ConfirmRotate '{"id":"<insert id, ex. ndiezel>","signed_share":"'"$(cat -)"'"}'
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
`EncodedMasterKeyShare` - полученный зашифрованный фрагмент мастер-ключа
`http://kds:8022/v2/keyring` - пример пути до `kds`
## Замена ключа шифрования `Keyring`
Перегенерация `MasterKey`, используемого для шифрования `keyring`, разделение на
количество фрагментов, равное количеству `shareholders`, указанных в файле конфигурации,
и отдача держателям указаным в `shareholders`.
Разделен на 4 этапа: Начало, Подтверждение, Постподтверждение и Валидация
На этапе 'Начало' указывается количество фрагментов ключа, при комбинации которых
получается `MasterKey`, который шифрует `Keyring`.
На этапе 'Подтверждение' владельцы фрагментов мастер-ключа отправляют фрагменты текущего
ключа в виде JWS, подписанного криптоключом. Собранные фрагменты востанавливают мастер-ключ и
расшифровывают `Keyring`. В случае успеха последнему, отправившему фрагмент, вернется
`Success` и осуществится переход на этап 'Постподтверждение'. Если не удается
востановить `MasterKey` из фрагментов или востановленным ключом не получается
расшифровать `Keyring`, то процесс замены ключа прерывается и необходимо начинать с
этапа 'Начало'.
На этапе 'Постподтверждение' получаются зашифрованные публичными ключами из
конфигурации фрагменты `MasterKey`, которые отдаются соответствующим владельцам
для прохождения этапа 'Валидация'.
На этапе 'Валидация' каждый владелец ключа передает свой расшифрованный фрагмент
ключа в виде JWS, подписанного личным криптоключом. Этап 'Замена ключа'
можно считать завершенным, когда последнему владельцу приходит `struct Success {}`.
### Начало
Начинаем процесс замены ключа:
```bash
$ woorl -s cds_proto/proto/kds.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement StartRekey '<insert threshold here>'
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
`threshold` - количество фрагментов мастер-ключа, которое нужно для его востановление
### Подтверждение
`Threshold` владельцев фрагментов ключа расшифровывают свою часть, подписывают и отдают
на подтверждение:
```bash
$ echo "<insert EncryptedMasterKeyShare here>" | \
step crypto jwe decrypt --key rsa-enc.json | \
step crypto jws sign - --key ec.json | \
woorl -s cds_proto/proto/keyring.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement ConfirmRekey '{"id":"<insert id, ex. ndiezel>","signed_share":"'"$(cat -)"'"}'
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
`EncodedMasterKeyShare` - полученный зашифрованный фрагмент мастер-ключа
`http://kds:8022/v2/keyring` - пример пути до `kds`
### Постподтверждение
Получаем зашифрованные фрагменты мастер-ключа.
```bash
$ woorl -s cds_proto/proto/keyring.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement StartRekeyValidation
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
Пример получаемых фрагментов:
```json
[
{
"id": "ndiezel",
"owner": "ndiezel0@gmail.com",
"encrypted_share": "<EncryptedMasterKeyShare>"
}
]
```
### Валидация
`Threshold` владельцев фрагментов ключа расшифровывают свою часть, подписывают и отдают
на валидацию:
```bash
$ echo "<insert EncryptedMasterKeyShare here>" | \
step crypto jwe decrypt --key rsa-enc.json | \
step crypto jws sign - --key ec.json | \
woorl -s cds_proto/proto/keyring.thrift \
'http://kds:8022/v2/keyring' \
CDS-92: Filter sensitive meta in logs (#7) * CDS-92: Filter logs from sensitive meta * CDS-92: Make filter content dependant * CDS-92: Bump cds_proto and doc * CDS-92: Add GetKeyring filtering * CDS-92: Make filter whitelist instead of whitelist * CDS-92: Move filter_keys to filter * CDS-92: Skip filtering for internal woody errors * CDS-92: Update JOSE regex * CDS-92: Upgrade cds_proto * CDS-92: Add system errors to whitelist * CDS-92: Add try catch to thrift handlers * CDS-92: Review fix * CDS-92: Review fixes
2019-07-16 14:13:26 +00:00
KeyringManagement ValidateRekey '{"id":"<insert id, ex. ndiezel>","signed_share":"'"$(cat -)"'"}'
CDS-65: Move CDS Keyring to it's own service (#1) * CDS-65: Move CDS Keyring to it's own service * CDS-65: Add libdecaf to app.src and recon * CDS-65: remove unneeded deps * CDS-65: fix services order, remove .sp and fix README * CDS-65: change log printing style for stacktrace and remove raising woody error with term() * CDS-65: doc fix * CDS-65: fix rebar.config * CDS-65: review fixes * CDS-65: fix tests * CDS-65: fix format and woody raise error types * CDS-65: move kds_keyring_client to test/ folder and introduce cipher macro * CDS-65: move private keys to files in tests * CDS-65: remove reverse list from tests and make convert_to_map/1 to convert_to_map/2 * CDS-65: Review fixes * CDS-65: Compile fix * CDS-65: Remove keyring storage env * CDS-65: Make kds_keyring_storage_file stateful * CDS-65: Add comments on why we can't catch exact shamir errors * CDS-65: Rename service_code to service_name Co-Authored-By: Andrew Mayorov <encube.ul@gmail.com> * CDS-65: Review fixes * CDS-65: Add stacktrace to keysharing error logging * CDS-65: Lint fix * CDS-65: app start fix * CDS-65: fix dialyzer * CDS-65: Introduce generic keyring_storage_opts in config
2019-06-21 08:46:13 +00:00
```
`EncodedMasterKeyShare` - полученный зашифрованный фрагмент мастер-ключа
`http://kds:8022/v2/keyring` - пример пути до `kds`
Reference in New Issue Copy Permalink