Separate methods are defined for each specific situation in which the * registry server needs a secret value, like a PGP key or password. */ @ThreadSafe public interface Keyring extends AutoCloseable { /** * Returns the key which should be used to sign RDE deposits being uploaded to a third-party. * *
When we give all our data to the escrow provider, they'll need * a signature to ensure the data is authentic. * *
This keypair should only be known to the domain registry shared * registry system. * * @see google.registry.rde.RdeUploadAction */ PGPKeyPair getRdeSigningKey(); /** * Returns public key for encrypting escrow deposits being staged to cloud storage. * *
This adds an additional layer of security so cloud storage administrators * won't be tempted to go poking around the App Engine Cloud Console and see a * dump of the entire database. * *
This keypair should only be known to the domain registry shared * registry system. * * @see #getRdeStagingDecryptionKey() */ PGPPublicKey getRdeStagingEncryptionKey(); /** * Returns private key for decrypting escrow deposits retrieved from cloud storage. * *
This method may impose restrictions on who can call it. For example, we'd want * to check that the caller isn't an HTTP request attacking a vulnerability in the * admin console. The request should originate from a backend task queue servlet * invocation of the RDE upload thing. * * @see #getRdeStagingEncryptionKey() * @see google.registry.rde.RdeUploadAction */ PGPPrivateKey getRdeStagingDecryptionKey(); /** * Returns public key of escrow agent for encrypting deposits as they're uploaded. * * @see google.registry.rde.RdeUploadAction */ PGPPublicKey getRdeReceiverKey(); /** * Returns the PGP key we use to sign Bulk Registration Data Access (BRDA) deposits. * * @see google.registry.rde.BrdaCopyAction */ PGPKeyPair getBrdaSigningKey(); /** * Returns public key of receiver of Bulk Registration Data Access (BRDA) deposits. * * @see google.registry.rde.BrdaCopyAction */ PGPPublicKey getBrdaReceiverKey(); /** * Returns public key for SSH client connections made by RDE. * *
This is a string containing what would otherwise be the contents of an * {@code ~/.ssh/id_rsa.pub} file. It's usually a single line with the name of * the algorithm, the base64 key, and the email address of the owner. * * @see google.registry.rde.RdeUploadAction */ String getRdeSshClientPublicKey(); /** * Returns private key for SSH client connections made by RDE. * *
This is a string containing what would otherwise be the contents of an * {@code ~/.ssh/id_rsa} file. It's ASCII-armored text. * *
This method may impose restrictions on who can call it. For example, we'd want * to check that the caller isn't an HTTP request attacking a vulnerability in the * admin console. The request should originate from a backend task queue servlet * invocation of the RDE upload thing. * * @see google.registry.rde.RdeUploadAction */ String getRdeSshClientPrivateKey(); /** * Returns password to be used when uploading reports to ICANN. * * @see google.registry.rde.RdeReportAction */ String getIcannReportingPassword(); /** * Returns {@code user:password} login for TMCH MarksDB HTTP server DNL interface. * * @see google.registry.tmch.TmchDnlAction */ String getMarksdbDnlLogin(); /** * Returns password for TMCH MarksDB HTTP server LORDN interface. * * @see "google.registry.tmch.LordnRequestInitializer" */ String getMarksdbLordnPassword(); /** * Returns {@code user:password} login for TMCH MarksDB HTTP server SMDRL interface. * * @see google.registry.tmch.TmchSmdrlAction */ String getMarksdbSmdrlLogin(); /** * Returns the credentials for a service account on the Google AppEngine project downloaded from * the Cloud Console dashboard in JSON format. */ String getJsonCredential(); /** * Returns Braintree API private key for Registry. * *
This is a base32 value copied from the Braintree website. * * @see google.registry.config.ConfigModule#provideBraintreePublicKey */ String getBraintreePrivateKey(); // Don't throw so try-with-resources works better. @Override void close(); }