The key that mongos and mongod will use to verify the clusterTime will be generated by the config server primary during the transition to primary. It will be stored in the admin.system.keys collection with the following format:
{ _id: 'clusterTimeKey', key: <20 byte key generated with secure PRNG in BinData> }
The mongos or mongod would need to extract this key so that it is able to sign or verify the logicalTime metadata when it interacts with the client.
// POC for TimeProofService that will be owned by LogicalClock to sign and verify signatures.
namespace mongo {

class TimeProofService {
public:
    using TimeProof = SHA1Hash;

    // Returns the HMAC-SHA1 of the time's string form, keyed with the cluster time key.
    TimeProof getProof(const LogicalTime& time) const {
        auto timeStr = time.toString();
        return hmacSha1(_key.c_str(), _key.size(), timeStr.c_str(), timeStr.length());
    }

    // Recomputes the proof for `time` and rejects the pair if it differs from `proof`.
    // Note: the proof comparison should run in constant time.
    Status checkProof(const LogicalTime& time, const TimeProof& proof) const {
        auto myProof = getProof(time);
        if (myProof != proof) {
            return Error;  // placeholder: the POC does not name a specific error code
        }
        return Status::OK();
    }

private:
    std::string _key;  // key read from admin.system.keys
};

}  // namespace mongo
Accessing and storing the key on the config server will be addressed in SERVER-28178.
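The sign and verify flow above as a runnable sketch, added here and not MongoDB's code; it is written in Python so the HMAC-SHA1 is self-contained. The 64-bit little-endian time encoding, `make_key_doc`, `LogicalClock.advance` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 20  # key size from the document format above

def make_key_doc():
    # Same shape as the admin.system.keys document; key comes from the OS CSPRNG.
    return {"_id": "clusterTimeKey", "key": secrets.token_bytes(KEY_LEN)}

class TimeProofService:
    def __init__(self, key: bytes):
        if len(key) != KEY_LEN:
            raise ValueError("clusterTime key must be 20 bytes")
        self._key = key

    def get_proof(self, time: int) -> bytes:
        # Assumption: fixed-width encoding so every time has exactly one byte form.
        return hmac.new(self._key, struct.pack("<Q", time), hashlib.sha1).digest()

    def check_proof(self, time: int, proof: bytes) -> bool:
        # Constant-time comparison, so timing does not reveal matching bytes.
        return hmac.compare_digest(self.get_proof(time), proof)

class LogicalClock:
    """Hypothetical clock that only advances to times carrying a valid proof."""
    def __init__(self, service: TimeProofService, now: int = 0):
        self._service = service
        self.cluster_time = now

    def sign_current(self):
        return self.cluster_time, self._service.get_proof(self.cluster_time)

    def advance(self, time: int, proof: bytes) -> bool:
        if not self._service.check_proof(time, proof):
            return False  # unsigned or tampered time: leave the clock unchanged
        self.cluster_time = max(self.cluster_time, time)
        return True

def demo():
    key = make_key_doc()["key"]  # constructed sample key shared by both nodes
    config = LogicalClock(TimeProofService(key), now=100)
    shard = LogicalClock(TimeProofService(key), now=5)
    t, proof = config.sign_current()
    accepted = shard.advance(t, proof)    # genuine signed time
    forged = shard.advance(2**63, proof)  # inflated time with a stale proof
    return accepted, forged, shard.cluster_time
```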