CryptographyΒΆ

Various Cryptographic technologies are used to enable secure Snap Store Proxy operation. Below are the functionalities of the Snap Store Proxy that use cryptographic technologies, and the details of the cryptographic technologies used.

  • Signing assertions: the Snap Store Proxy signs various assertions. The key ID of the signing key is encoded with SHA3-384, and the assertion is signed with RSA.

  • Hash of artefacts: the Snap Store Proxy generates many hashes of an uploaded artefact using SHA3-384, SHA256 and SHA512 to ensure the uniqueness and integrity of the artefact.

  • OCI charm resources credentials: an OCI runtime (e.g. microk8s) must authenticate against the Snap Store Proxy in order to download the OCI charm resources. The credentials are encoded as JWT that are signed with RSA.

  • Signing nonce: A nonce is used as additional security for REST API access. RSA is used to sign and verify the nonce.

Function

Exposed

Technology

Package/Library

Signing assertions

Yes

SHA3-384, RSA 4096/8192

snapd, lp-signing

Hash of artefacts

Yes

SHA3-384, SHA256, SHA512

review-tools

OCI charm resources credentials

Yes

RSA 4096, JWT

cryptography, pyjwt, py-macaroon-bakery

Signing nonce

Yes

RSA 4096

cryptography, pem