Skip to content

Add support for Tink keyset signer #563

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add support for Tink keyset signer #563

wants to merge 1 commit into from

Conversation

@haydentherapper
Copy link

@haydentherapper haydentherapper commented Sep 18, 2025

This PR adds support for in-memory signing using a Tink keyset. The keyset is encrypted with a key-encryption-key stored in GCP KMS. The key is decrypted on startup and loaded into memory. This uses a utility to unpack the keyset into a crypto.Signer so that it can be used to sign certificates. This also validates that the key is an ECDSA P-256 key as per RFC 6962, since Tink supports many key types.

@haydentherapper
Add support for Tink keyset signer
9286b5a 
This PR adds support for in-memory signing using a Tink keyset. The
keyset is encrypted with a key-encryption-key stored in GCP KMS. The key
is decrypted on startup and loaded into memory. This uses a utility to
unpack the keyset into a crypto.Signer so that it can be used to sign
certificates. This also validates that the key is an ECDSA P-256 key as
per RFC 6962, since Tink supports many key types.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
@haydentherapper haydentherapper requested a review from a team as a code owner September 18, 2025 17:12
@haydentherapper haydentherapper requested review from roger2hk and removed request for a team September 18, 2025 17:12
@haydentherapper
Copy link
Author

haydentherapper commented Sep 18, 2025

Reopening, ref to #282 for the previous discussion.

@phbnf phbnf self-requested a review September 22, 2025 09:48
@phbnf phbnf self-assigned this Sep 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roger2hk roger2hk Awaiting requested review from roger2hk roger2hk is a code owner automatically assigned from transparency-dev/core-team

@phbnf phbnf Awaiting requested review from phbnf

At least 1 approving review is required to merge this pull request.

Assignees

@phbnf phbnf

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@haydentherapper @phbnf