CryptoMb private key provider (proto)¶
This extension has the qualified name
This extension is only available in contrib images.
This extension is functional but has not had substantial production burn time, use only with this caveat.
This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.
This extension extends and can be used with the following extension category:
A CryptoMbPrivateKeyMethodConfig message specifies how the CryptoMb private
key provider is configured. The private key provider provides
processing for RSA sign and decrypt operations (ECDSA signing uses regular
BoringSSL functions). The provider works by gathering the operations into a
worker-thread specific queue, and processing the queue using
library when the queue is full or when a timer expires.
The following extensions are available in contrib images only:
(config.core.v3.DataSource) Private key to use in the private key provider. If set to inline_bytes or inline_string, the value needs to be the private key in PEM format.
(Duration, REQUIRED) How long to wait until the per-thread processing queue should be processed. If the processing queue gets full (eight sign or decrypt requests are received) it is processed immediately. However, if the queue is not filled before the delay has expired, the requests already in the queue are processed, even if the queue is not full. In effect, this value controls the balance between latency and throughput. The duration needs to be set to a value greater than or equal to 1 millisecond.