From 3cb3e5e1e19d89b002347dd3e54efb8bc5c29e12 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Tue, 2 Apr 2024 17:49:46 -0400 Subject: [PATCH 01/34] feat(kas): support HSM and standard crypto --- internal/security/crypto_provider.go | 26 ++++++ internal/security/hsm.go | 131 ++++++++++++++++++++++----- internal/security/hsm_test.go | 8 +- internal/security/standard_crypto.go | 114 +++++++++++++++++++++++ internal/server/server.go | 32 ++++--- lib/crypto/asym_decryption.go | 6 +- lib/crypto/asym_encryption.go | 27 +++++- opentdf-example.yaml | 29 ++++-- services/kas/access/provider.go | 12 +-- services/kas/access/publicKey.go | 76 +++++----------- services/kas/access/rewrap.go | 11 ++- services/kas/kas.go | 13 +-- 12 files changed, 354 insertions(+), 131 deletions(-) create mode 100644 internal/security/crypto_provider.go create mode 100644 internal/security/standard_crypto.go diff --git a/internal/security/crypto_provider.go b/internal/security/crypto_provider.go new file mode 100644 index 0000000000..f392106ed1 --- /dev/null +++ b/internal/security/crypto_provider.go @@ -0,0 +1,26 @@ +package security + +type Config struct { + Type string `yaml:"type" default:"standard"` + // HSMConfig is the configuration for the HSM + HSMConfig HSMConfig `yaml:"hsm,omitempty" mapstructure:"hsm"` + // StandardConfig is the configuration for the standard key provider + StandardConfig StandardConfig `yaml:"standard,omitempty" mapstructure:"standard"` +} + +type CryptoProvider interface { + RSAPublicKey(keyId string) (string, error) + ECPublicKey(keyId string) (string, error) + RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) +} + +func NewCryptoProvider(cfg Config) (CryptoProvider, error) { + switch cfg.Type { + case "hsm": + return New(&cfg.HSMConfig) + case "standard": + return NewStandardCrypto(cfg.StandardConfig) + default: + return NewStandardCrypto(cfg.StandardConfig) + } +} diff --git a/internal/security/hsm.go b/internal/security/hsm.go index 0b7589210c..dc09e04961 100644 --- a/internal/security/hsm.go +++ b/internal/security/hsm.go @@ -6,6 +6,7 @@ import ( "crypto/rsa" "crypto/sha256" "crypto/x509" + "encoding/pem" "errors" "fmt" "io" @@ -19,10 +20,13 @@ import ( ) const ( - ErrHSMUnexpected = Error("hsm unexpected") - ErrHSMDecrypt = Error("hsm decrypt error") - ErrHSMNotFound = Error("hsm unavailable") - ErrKeyConfig = Error("key configuration error") + ErrCertificateEncode = Error("certificate encode error") + ErrPublicKeyMarshal = Error("public key marshal error") + ErrHSMUnexpected = Error("hsm unexpected") + ErrHSMDecrypt = Error("hsm decrypt error") + ErrHSMNotFound = Error("hsm unavailable") + ErrKeyConfig = Error("key configuration error") + ErrUnknownHashFunction = Error("unknown hash function") ) const keyLength = 32 @@ -493,25 +497,6 @@ func (h *HSMSession) LoadECKey(info KeyInfo) (*ECKeyPair, error) { return &pair, nil } -func (session *HSMSession) DecryptOAEP(key *PrivateKeyRSA, ciphertext []byte, hashFunction crypto.Hash, label []byte) ([]byte, error) { - hashAlg, mgfAlg, _, err := hashToPKCS11(hashFunction) - if err != nil { - return nil, errors.Join(ErrHSMDecrypt, err) - } - - mech := pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS_OAEP, pkcs11.NewOAEPParams(hashAlg, mgfAlg, pkcs11.CKZ_DATA_SPECIFIED, label)) - - err = session.ctx.DecryptInit(session.sh, []*pkcs11.Mechanism{mech}, pkcs11.ObjectHandle(*key)) - if err != nil { - return nil, errors.Join(ErrHSMDecrypt, err) - } - decrypt, err := session.ctx.Decrypt(session.sh, ciphertext) - if err != nil { - return nil, errors.Join(ErrHSMDecrypt, err) - } - return decrypt, nil -} - func hashToPKCS11(hashFunction crypto.Hash) (hashAlg uint, mgfAlg uint, hashLen uint, err error) { switch hashFunction { case crypto.SHA1: @@ -660,8 +645,108 @@ func (h *HSMSession) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) { return PrivateKeyEC(prvHandle), publicKeyBytes, nil } +func (h *HSMSession) RSAPublicKey(keyId string) (string, error) { + // TODO: For now ignore the key id + slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + + pubkeyBytes, err := x509.MarshalPKIXPublicKey(h.RSA.PublicKey) + if err != nil { + return "", errors.Join(ErrPublicKeyMarshal, err) + } + + certPem := pem.EncodeToMemory( + &pem.Block{ + Type: "PUBLIC KEY", + Headers: nil, + Bytes: pubkeyBytes, + }, + ) + if certPem == nil { + return "", ErrCertificateEncode + } + return string(certPem), nil +} + +func (h *HSMSession) ECPublicKey(keyId string) (string, error) { + return "", nil +} + +func (h *HSMSession) RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { + + // TODO: For now ignore the key id + slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + + hash, err := stringToHashFunction(hashFunction) + if err != nil { + return nil, errors.Join(ErrHSMDecrypt, err) + } + + hashAlg, mgfAlg, _, err := hashToPKCS11(hash) + if err != nil { + return nil, errors.Join(ErrHSMDecrypt, err) + } + + mech := pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS_OAEP, + pkcs11.NewOAEPParams(hashAlg, mgfAlg, pkcs11.CKZ_DATA_SPECIFIED, + []byte(keyLabel))) + + err = h.ctx.DecryptInit(h.sh, []*pkcs11.Mechanism{mech}, pkcs11.ObjectHandle(h.RSA.PrivateKey)) + if err != nil { + return nil, errors.Join(ErrHSMDecrypt, err) + } + decrypt, err := h.ctx.Decrypt(h.sh, ciphertext) + if err != nil { + return nil, errors.Join(ErrHSMDecrypt, err) + } + return decrypt, nil +} + func versionSalt() []byte { digest := sha256.New() digest.Write([]byte("L1L")) return digest.Sum(nil) } + +// StringToHashFunction String to crypto hash function name +func stringToHashFunction(hashFunction string) (crypto.Hash, error) { + switch hashFunction { + case "MD4": + return crypto.MD4, nil + case "MD5": + return crypto.MD5, nil + case "SHA1": + return crypto.SHA1, nil + case "SHA224": + return crypto.SHA224, nil + case "SHA256": + return crypto.SHA256, nil + case "SHA384": + return crypto.SHA384, nil + case "SHA512": + return crypto.SHA512, nil + case "MD5SHA1": + return crypto.MD5SHA1, nil + case "SHA3_224": + return crypto.SHA3_224, nil + case "SHA3_256": + return crypto.SHA3_256, nil + case "SHA3_384": + return crypto.SHA3_384, nil + case "SHA3_512": + return crypto.SHA3_512, nil + case "SHA512_224": + return crypto.SHA512_224, nil + case "SHA512_256": + return crypto.SHA512_256, nil + case "BLAKE2s_256": + return crypto.BLAKE2s_256, nil + case "BLAKE2b_256": + return crypto.BLAKE2b_256, nil + case "BLAKE2b_384": + return crypto.BLAKE2b_384, nil + case "BLAKE2b_512": + return crypto.BLAKE2b_512, nil + default: + return 0, ErrUnknownHashFunction + } +} diff --git a/internal/security/hsm_test.go b/internal/security/hsm_test.go index d66b984199..0bc208e42e 100644 --- a/internal/security/hsm_test.go +++ b/internal/security/hsm_test.go @@ -99,18 +99,14 @@ func TestHashToPKCS11Success(t *testing.T) { } func TestDecryptOAEPUnsupportedRSAFailure(t *testing.T) { - objectHandle := pkcs11.ObjectHandle(2) sessionHandle := pkcs11.SessionHandle(1) - session := &HSMSession{ ctx: pkcs11.Ctx{}, sh: sessionHandle, } - key := PrivateKeyRSA(objectHandle) - unsupportedRSA := crypto.BLAKE2b_384 - - decrypted, err := session.DecryptOAEP(&key, []byte("sample ciphertext"), unsupportedRSA, []byte("sample label")) + unsupportedRSA := "BLAKE2b_384" + decrypted, err := session.RSADecrypt(unsupportedRSA, "unknown", "sample label", []byte("sample ciphertext")) t.Log(err) t.Log(decrypted) diff --git a/internal/security/standard_crypto.go b/internal/security/standard_crypto.go new file mode 100644 index 0000000000..efb2af4471 --- /dev/null +++ b/internal/security/standard_crypto.go @@ -0,0 +1,114 @@ +package security + +import ( + "crypto/ecdh" + "errors" + "fmt" + "github.com/opentdf/platform/lib/crypto" + "log/slog" + "os" +) + +var ( + errStandardCryptoNotEnabled = errors.New("standard crypto flag is enabled in the config") + errStandardCryptoObjIsInvalid = errors.New("standard crypto object is invalid") +) + +type StandardConfig struct { + RSAKeys map[string]StandardKeyInfo `yaml:"rsa,omitempty" mapstructure:"rsa"` + ECKeys map[string]StandardKeyInfo `yaml:"ec,omitempty" mapstructure:"ec"` +} + +type StandardKeyInfo struct { + PrivateKeyPath string `yaml:"privateKeyPath" mapstructure:"privateKeyPath"` + PublicKeyPath string `yaml:"publicKeyPath" mapstructure:"publicKeyPath"` +} + +type StandardRSACrypto struct { + Identifier string + asymDecryption crypto.AsymDecryption + asymEncryption crypto.AsymEncryption +} + +type StandardECCrypto struct { + Identifier string + ecPublicKey *ecdh.PublicKey + ecPrivateKey *ecdh.PrivateKey +} + +type StandardCrypto struct { + rsaKeys []StandardRSACrypto + ecKeys []StandardECCrypto +} + +// NewStandardCrypto Create a new instance of standard crypto +func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error) { + standardCrypto := &StandardCrypto{} + for id, kasInfo := range cfg.RSAKeys { + privatePemData, err := os.ReadFile(kasInfo.PrivateKeyPath) + if err != nil { + return nil, fmt.Errorf("failed to rsa private key file: %w", err) + } + + asymDecryption, err := crypto.NewAsymDecryption(string(privatePemData)) + if err != nil { + return nil, fmt.Errorf("crypto.NewAsymDecryption failed: %w", err) + } + + publicPemData, err := os.ReadFile(kasInfo.PublicKeyPath) + if err != nil { + return nil, fmt.Errorf("failed to rsa public key file: %w", err) + } + + asymEncryption, err := crypto.NewAsymEncryption(string(publicPemData)) + if err != nil { + return nil, fmt.Errorf("crypto.NewAsymEncryption failed: %w", err) + } + + standardCrypto.rsaKeys = append(standardCrypto.rsaKeys, StandardRSACrypto{ + Identifier: id, + asymDecryption: asymDecryption, + asymEncryption: asymEncryption, + }) + } + + return standardCrypto, nil +} + +func (s StandardCrypto) RSAPublicKey(keyId string) (string, error) { + + if len(s.rsaKeys) == 0 { + return "", errStandardCryptoObjIsInvalid + } + + // TODO: For now ignore the key id + slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + + pem, err := s.rsaKeys[0].asymEncryption.PublicKeyInPemFormat() + if err != nil { + return "", fmt.Errorf("failed to retrive rsa public key file: %w", err) + } + + return pem, nil +} + +func (s StandardCrypto) ECPublicKey(keyId string) (string, error) { + return "", nil +} + +func (s StandardCrypto) RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { + + if len(s.rsaKeys) == 0 { + return nil, errStandardCryptoObjIsInvalid + } + + // TODO: For now ignore the key id + slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + + data, err := s.rsaKeys[0].asymDecryption.Decrypt(ciphertext) + if err != nil { + return nil, fmt.Errorf("error decrypting data: %w", err) + } + + return data, nil +} diff --git a/internal/server/server.go b/internal/server/server.go index 25556ac1ce..f0e6926f05 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -43,10 +43,10 @@ func (e Error) Error() string { } type Config struct { - Auth auth.Config `yaml:"auth"` - GRPC GRPCConfig `yaml:"grpc"` - HSM security.HSMConfig `yaml:"hsm"` - TLS TLSConfig `yaml:"tls"` + Auth auth.Config `yaml:"auth"` + GRPC GRPCConfig `yaml:"grpc"` + CryptoProvider security.Config `yaml:"cryptoProvider"` + TLS TLSConfig `yaml:"tls"` WellKnownConfigRegister func(namespace string, config any) error Port int `yaml:"port" default:"8080"` Host string `yaml:"host,omitempty"` @@ -63,11 +63,11 @@ type TLSConfig struct { } type OpenTDFServer struct { - Mux *runtime.ServeMux - HTTPServer *http.Server - GRPCServer *grpc.Server - GRPCInProcess *inProcessServer - HSM *security.HSMSession + Mux *runtime.ServeMux + HTTPServer *http.Server + GRPCServer *grpc.Server + GRPCInProcess *inProcessServer + CryptoProvider security.CryptoProvider } /* @@ -128,11 +128,15 @@ func NewOpenTDFServer(config Config, d *db.Client) (*OpenTDFServer, error) { GRPCInProcess: grpcIPCServer, } - if config.HSM.Enabled { - o.HSM, err = security.New(&config.HSM) - if err != nil { - return nil, fmt.Errorf("failed to initialize hsm: %w", err) - } + if config.CryptoProvider.HSMConfig.Enabled { + config.CryptoProvider.Type = "hsm" + o.CryptoProvider, err = security.NewCryptoProvider(config.CryptoProvider) + slog.Info("✅crypto provider: HSM") + + } else { + config.CryptoProvider.Type = "standard" + o.CryptoProvider, err = security.NewCryptoProvider(config.CryptoProvider) + slog.Info("✅ crypto provider: standard") } return &o, nil diff --git a/lib/crypto/asym_decryption.go b/lib/crypto/asym_decryption.go index e817b157b7..18b57a0ebc 100644 --- a/lib/crypto/asym_decryption.go +++ b/lib/crypto/asym_decryption.go @@ -10,7 +10,7 @@ import ( ) type AsymDecryption struct { - privateKey *rsa.PrivateKey + PrivateKey *rsa.PrivateKey } // NewAsymDecryption creates and returns a new AsymDecryption. @@ -37,11 +37,11 @@ func NewAsymDecryption(privateKeyInPem string) (AsymDecryption, error) { // Decrypt decrypts ciphertext with private key. func (asymDecryption AsymDecryption) Decrypt(data []byte) ([]byte, error) { - if asymDecryption.privateKey == nil { + if asymDecryption.PrivateKey == nil { return nil, errors.New("failed to decrypt, private key is empty") } - bytes, err := asymDecryption.privateKey.Decrypt(nil, + bytes, err := asymDecryption.PrivateKey.Decrypt(nil, data, &rsa.OAEPOptions{Hash: crypto.SHA1}) if err != nil { diff --git a/lib/crypto/asym_encryption.go b/lib/crypto/asym_encryption.go index ce064e3279..76c820fc09 100644 --- a/lib/crypto/asym_encryption.go +++ b/lib/crypto/asym_encryption.go @@ -12,7 +12,7 @@ import ( ) type AsymEncryption struct { - publicKey *rsa.PublicKey + PublicKey *rsa.PublicKey } // NewAsymEncryption creates and returns a new AsymEncryption. @@ -53,14 +53,35 @@ func NewAsymEncryption(publicKeyInPem string) (AsymEncryption, error) { // Encrypt encrypts data with public key. func (asymEncryption AsymEncryption) Encrypt(data []byte) ([]byte, error) { - if asymEncryption.publicKey == nil { + if asymEncryption.PublicKey == nil { return nil, errors.New("failed to encrypt, public key is empty") } - bytes, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, asymEncryption.publicKey, data, nil) //nolint:gosec // used for padding which is safe + bytes, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, asymEncryption.PublicKey, data, nil) //nolint:gosec // used for padding which is safe if err != nil { return nil, fmt.Errorf("rsa.EncryptOAEP failed: %w", err) } return bytes, nil } + +// PublicKeyInPemFormat Returns public key in pem format. +func (asymEncryption AsymEncryption) PublicKeyInPemFormat() (string, error) { + if asymEncryption.PublicKey == nil { + return "", errors.New("failed to generate PEM formatted public key") + } + + publicKeyBytes, err := x509.MarshalPKIXPublicKey(asymEncryption.PublicKey) + if err != nil { + return "", fmt.Errorf("x509.MarshalPKIXPublicKey failed: %w", err) + } + + publicKeyPem := pem.EncodeToMemory( + &pem.Block{ + Type: "PUBLIC KEY", + Bytes: publicKeyBytes, + }, + ) + + return string(publicKeyPem), nil +} diff --git a/opentdf-example.yaml b/opentdf-example.yaml index 29cbfa6fe0..3adf885c98 100644 --- a/opentdf-example.yaml +++ b/opentdf-example.yaml @@ -93,16 +93,29 @@ server: grpc: reflectionEnabled: true # Default is false - hsm: - enabled: true - # As configured by hsm-init-temporary-keys.sh - pin: "12345" - slotlabel: "dev-token" - keys: + cryptoProvider: + hsm: + enabled: true + # As configured by hsm-init-temporary-keys.sh + pin: "12345" + slotlabel: "dev-token" + keys: + rsa: + label: development-rsa-kas + ec: + label: development-ec-kas + standard: rsa: - label: development-rsa-kas + 123: + privateKeyPath: kas-private.pem + publicKeyPath: kas-cert.pem + 456: + privateKeyPath: kas-private.pem + publicKeyPath: kas-cert.pem ec: - label: development-ec-kas + 123: + privateKeyPath: kas-ec-private.pem + publicKeyPath: kas-ec-cert.pem port: 8080 opa: embedded: true # Only for local development diff --git a/services/kas/access/provider.go b/services/kas/access/provider.go index 279f523f17..d9841a9b8d 100644 --- a/services/kas/access/provider.go +++ b/services/kas/access/provider.go @@ -1,11 +1,10 @@ package access import ( + "github.com/opentdf/platform/internal/security" otdf "github.com/opentdf/platform/sdk" "net/url" - "github.com/opentdf/platform/internal/security" - "github.com/coreos/go-oidc/v3/oidc" kaspb "github.com/opentdf/platform/protocol/go/kas" ) @@ -17,8 +16,9 @@ const ( type Provider struct { kaspb.AccessServiceServer - URI url.URL `json:"uri"` - SDK *otdf.SDK - Session security.HSMSession - OIDCVerifier *oidc.IDTokenVerifier + URI url.URL `json:"uri"` + SDK *otdf.SDK + AttributeSvc *url.URL + CryptoProvider security.CryptoProvider + OIDCVerifier *oidc.IDTokenVerifier } diff --git a/services/kas/access/publicKey.go b/services/kas/access/publicKey.go index 736a6ba7e9..2adb040409 100644 --- a/services/kas/access/publicKey.go +++ b/services/kas/access/publicKey.go @@ -3,14 +3,11 @@ package access import ( "context" "crypto/ecdsa" - "crypto/rsa" "crypto/x509" - "encoding/json" "encoding/pem" "errors" "log/slog" - "github.com/lestrrat-go/jwx/v2/jwk" kaspb "github.com/opentdf/platform/protocol/go/kas" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -28,17 +25,17 @@ func (p *Provider) LegacyPublicKey(ctx context.Context, in *kaspb.LegacyPublicKe var pem string var err error if algorithm == algorithmEc256 { - if p.Session.EC == nil || p.Session.EC.Certificate == nil { - return nil, err404("not found") + pem, err = p.CryptoProvider.ECPublicKey("unknown") + if err != nil { + slog.ErrorContext(ctx, "CryptoProvider.ECPublicKey failed", "err", err) + return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) } - pem, err = exportCertificateAsPemStr(p.Session.EC.Certificate) - slog.DebugContext(ctx, "Legacy EC Public Key Handler found", "cert", pem) } else { - if p.Session.RSA == nil || p.Session.RSA.Certificate == nil { - return nil, err404("not found") + pem, err = p.CryptoProvider.RSAPublicKey("unknown") + if err != nil { + slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) + return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) } - pem, err = exportCertificateAsPemStr(p.Session.RSA.Certificate) - slog.DebugContext(ctx, "Legacy RSA CERT Handler found", "cert", pem) } if err != nil { slog.ErrorContext(ctx, "unable to generate PEM", "err", err) @@ -50,70 +47,41 @@ func (p *Provider) LegacyPublicKey(ctx context.Context, in *kaspb.LegacyPublicKe func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (*kaspb.PublicKeyResponse, error) { algorithm := in.Algorithm if algorithm == algorithmEc256 { - if p.Session.EC == nil { - return nil, err404("not found") - } - ecPublicKeyPem, err := exportEcPublicKeyAsPemStr(p.Session.EC.PublicKey) + ecPublicKeyPem, err := p.CryptoProvider.ECPublicKey("unknown") if err != nil { - slog.ErrorContext(ctx, "EC public key from PKCS11", "err", err) + slog.ErrorContext(ctx, "CryptoProvider.ECPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) } - slog.DebugContext(ctx, "EC Public Key Handler found", "cert", ecPublicKeyPem) - return &kaspb.PublicKeyResponse{PublicKey: ecPublicKeyPem}, nil - } - if p.Session.RSA == nil { - return nil, err404("not found") + return &kaspb.PublicKeyResponse{PublicKey: string(ecPublicKeyPem)}, nil } + if in.Fmt == "jwk" { - rsaPublicKeyJwk, err := jwk.FromRaw(p.Session.RSA.PublicKey) + rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKey("unknown") if err != nil { - slog.ErrorContext(ctx, "failed to parse JWK", "err", err) + slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) } - // Keys can be serialized back to JSON - jsonPublicKey, err := json.Marshal(rsaPublicKeyJwk) - if err != nil { - slog.ErrorContext(ctx, "failed to marshal JWK", "err", err) - return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) - } - slog.DebugContext(ctx, "JWK Public Key Handler found", "cert", jsonPublicKey) - return &kaspb.PublicKeyResponse{PublicKey: string(jsonPublicKey)}, nil + + return &kaspb.PublicKeyResponse{PublicKey: rsaPublicKeyPem}, nil } if in.Fmt == "pkcs8" { - certificatePem, err := exportCertificateAsPemStr(p.Session.RSA.Certificate) + rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKey("unknown") if err != nil { - slog.ErrorContext(ctx, "RSA public key from PKCS11", "err", err) + slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) } - slog.DebugContext(ctx, "RSA Cert Handler found", "cert", certificatePem) - return &kaspb.PublicKeyResponse{PublicKey: certificatePem}, nil + return &kaspb.PublicKeyResponse{PublicKey: rsaPublicKeyPem}, nil } - rsaPublicKeyPem, err := exportRsaPublicKeyAsPemStr(p.Session.RSA.PublicKey) + rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKey("unknown") if err != nil { - slog.ErrorContext(ctx, "RSA public key export fail", "err", err) + slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) } - slog.DebugContext(ctx, "RSA Public Key Handler found", "cert", rsaPublicKeyPem) - return &kaspb.PublicKeyResponse{PublicKey: rsaPublicKeyPem}, nil -} -func exportRsaPublicKeyAsPemStr(pubkey *rsa.PublicKey) (string, error) { - pubkeyBytes, err := x509.MarshalPKIXPublicKey(pubkey) - if err != nil { - return "", errors.Join(ErrPublicKeyMarshal, err) - } - pubkeyPem := pem.EncodeToMemory( - &pem.Block{ - Type: "PUBLIC KEY", - Headers: nil, - Bytes: pubkeyBytes, - }, - ) - - return string(pubkeyPem), nil + return &kaspb.PublicKeyResponse{PublicKey: rsaPublicKeyPem}, nil } func exportEcPublicKeyAsPemStr(pubkey *ecdsa.PublicKey) (string, error) { diff --git a/services/kas/access/rewrap.go b/services/kas/access/rewrap.go index d72095a55a..c681042c18 100644 --- a/services/kas/access/rewrap.go +++ b/services/kas/access/rewrap.go @@ -59,8 +59,9 @@ type customClaimsHeader struct { } const ( - ErrUser = Error("request error") - ErrInternal = Error("internal error") + ErrUser = Error("request error") + ErrInternal = Error("internal error") + DefaultShaFunctionForDecrypt = "SHA1" ) func err400(s string) error { @@ -263,14 +264,14 @@ func (p *Provider) Rewrap(ctx context.Context, in *kaspb.RewrapRequest) (*kaspb. } if body.requestBody.Algorithm == "ec:secp256r1" { - return nanoTDFRewrap(*body, &p.Session, p.Session.EC.PrivateKey) + //return nanoTDFRewrap(*body, &p.Session, p.Session.EC.PrivateKey) + return nil, fmt.Errorf("BUG: NanoTDF is disabled") } return p.tdf3Rewrap(ctx, body) } func (p *Provider) tdf3Rewrap(ctx context.Context, body *verifiedRequest) (*kaspb.RewrapResponse, error) { - symmetricKey, err := p.Session.DecryptOAEP( - &p.Session.RSA.PrivateKey, body.requestBody.KeyAccess.WrappedKey, crypto.SHA1, nil) + symmetricKey, err := p.CryptoProvider.RSADecrypt(DefaultShaFunctionForDecrypt, "UnKnown", "", body.requestBody.KeyAccess.WrappedKey) if err != nil { slog.WarnContext(ctx, "failure to decrypt dek", "err", err) return nil, err400("bad request") diff --git a/services/kas/kas.go b/services/kas/kas.go index 27ff89cb28..ef826cf1f9 100644 --- a/services/kas/kas.go +++ b/services/kas/kas.go @@ -57,11 +57,6 @@ func NewRegistration() serviceregistry.Registration { Namespace: "kas", ServiceDesc: &kaspb.AccessService_ServiceDesc, RegisterFunc: func(srp serviceregistry.RegistrationParams) (any, serviceregistry.HandlerServer) { - hsm := srp.OTDF.HSM - if hsm == nil { - slog.Error("hsm not enabled") - panic(fmt.Errorf("hsm not enabled")) - } // FIXME msg="mismatched key access url" keyAccessURL=http://localhost:9000 kasURL=https://:9000 kasURLString := "https://" + srp.OTDF.HTTPServer.Addr kasURI, err := url.Parse(kasURLString) @@ -70,10 +65,10 @@ func NewRegistration() serviceregistry.Registration { } p := access.Provider{ - URI: *kasURI, - SDK: srp.SDK, - Session: *hsm, - OIDCVerifier: loadIdentityProvider(), + URI: *kasURI, + AttributeSvc: nil, + CryptoProvider: srp.OTDF.CryptoProvider, + OIDCVerifier: loadIdentityProvider(), } return &p, func(ctx context.Context, mux *runtime.ServeMux, server any) error { kas, ok := server.(*access.Provider) From b993e3c778128fc127a5ec35c14b49482d6ae159 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Tue, 2 Apr 2024 19:03:40 -0400 Subject: [PATCH 02/34] fix the integeration test --- internal/security/crypto_provider.go | 1 + internal/security/hsm.go | 19 +++++++++++++++++++ internal/security/standard_crypto.go | 23 +++++++++++++++++++++++ services/kas/access/publicKey.go | 2 +- 4 files changed, 44 insertions(+), 1 deletion(-) diff --git a/internal/security/crypto_provider.go b/internal/security/crypto_provider.go index f392106ed1..83d0f00963 100644 --- a/internal/security/crypto_provider.go +++ b/internal/security/crypto_provider.go @@ -10,6 +10,7 @@ type Config struct { type CryptoProvider interface { RSAPublicKey(keyId string) (string, error) + RSAPublicKeyAsJson(keyId string) (string, error) ECPublicKey(keyId string) (string, error) RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) } diff --git a/internal/security/hsm.go b/internal/security/hsm.go index dc09e04961..82b8d157ba 100644 --- a/internal/security/hsm.go +++ b/internal/security/hsm.go @@ -6,9 +6,11 @@ import ( "crypto/rsa" "crypto/sha256" "crypto/x509" + "encoding/json" "encoding/pem" "errors" "fmt" + "github.com/lestrrat-go/jwx/v2/jwk" "io" "log/slog" "os" @@ -667,6 +669,23 @@ func (h *HSMSession) RSAPublicKey(keyId string) (string, error) { return string(certPem), nil } +func (h *HSMSession) RSAPublicKeyAsJson(keyId string) (string, error) { + // TODO: For now ignore the key id + slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + + rsaPublicKeyJwk, err := jwk.FromRaw(h.RSA.PublicKey) + if err != nil { + return "", fmt.Errorf("jwk.FromRaw: %w", err) + } + + jsonPublicKey, err := json.Marshal(rsaPublicKeyJwk) + if err != nil { + return "", fmt.Errorf("jwk.FromRaw: %w", err) + } + + return string(jsonPublicKey), nil +} + func (h *HSMSession) ECPublicKey(keyId string) (string, error) { return "", nil } diff --git a/internal/security/standard_crypto.go b/internal/security/standard_crypto.go index efb2af4471..f1d2126435 100644 --- a/internal/security/standard_crypto.go +++ b/internal/security/standard_crypto.go @@ -2,8 +2,10 @@ package security import ( "crypto/ecdh" + "encoding/json" "errors" "fmt" + "github.com/lestrrat-go/jwx/v2/jwk" "github.com/opentdf/platform/lib/crypto" "log/slog" "os" @@ -112,3 +114,24 @@ func (s StandardCrypto) RSADecrypt(hashFunction string, keyId string, keyLabel s return data, nil } + +func (s StandardCrypto) RSAPublicKeyAsJson(keyId string) (string, error) { + if len(s.rsaKeys) == 0 { + return "", errStandardCryptoObjIsInvalid + } + + // TODO: For now ignore the key id + slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + + rsaPublicKeyJwk, err := jwk.FromRaw(s.rsaKeys[0].asymEncryption.PublicKey) + if err != nil { + return "", fmt.Errorf("jwk.FromRaw: %w", err) + } + + jsonPublicKey, err := json.Marshal(rsaPublicKeyJwk) + if err != nil { + return "", fmt.Errorf("jwk.FromRaw: %w", err) + } + + return string(jsonPublicKey), nil +} diff --git a/services/kas/access/publicKey.go b/services/kas/access/publicKey.go index 2adb040409..c6fe2277e2 100644 --- a/services/kas/access/publicKey.go +++ b/services/kas/access/publicKey.go @@ -57,7 +57,7 @@ func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (* } if in.Fmt == "jwk" { - rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKey("unknown") + rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKeyAsJson("unknown") if err != nil { slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) From d6e0600941332c172158818acf34bd2f4b2e4e41 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Tue, 2 Apr 2024 19:34:17 -0400 Subject: [PATCH 03/34] fix test --- internal/security/hsm.go | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/internal/security/hsm.go b/internal/security/hsm.go index 82b8d157ba..c373069a17 100644 --- a/internal/security/hsm.go +++ b/internal/security/hsm.go @@ -687,7 +687,19 @@ func (h *HSMSession) RSAPublicKeyAsJson(keyId string) (string, error) { } func (h *HSMSession) ECPublicKey(keyId string) (string, error) { - return "", nil + pubkeyBytes, err := x509.MarshalPKIXPublicKey(h.EC.PublicKey) + if err != nil { + return "", errors.Join(ErrPublicKeyMarshal, err) + } + pubkeyPem := pem.EncodeToMemory( + &pem.Block{ + Type: "PUBLIC KEY", + Headers: nil, + Bytes: pubkeyBytes, + }, + ) + + return string(pubkeyPem), nil } func (h *HSMSession) RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { From ddd1b94457f4d9e9ce4268b5dea288a672067795 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 13:39:09 -0400 Subject: [PATCH 04/34] rename lib/crypto to lib/ocrypto --- .github/workflows/checks.yaml | 2 +- .github/workflows/lint-all.yaml | 2 +- Makefile | 2 +- go.mod | 4 +- internal/security/crypto_provider.go | 4 +- internal/security/hsm.go | 51 +----------- internal/security/standard_crypto.go | 17 ++-- lib/crypto/go.mod | 3 - lib/{crypto => ocrypto}/aes_gcm.go | 0 lib/{crypto => ocrypto}/aes_gcm_test.go | 0 lib/{crypto => ocrypto}/asym_decryption.go | 0 .../asym_encrypt_decrypt_test.go | 0 lib/{crypto => ocrypto}/asym_encryption.go | 0 lib/{crypto => ocrypto}/crypto_utils.go | 0 lib/{crypto => ocrypto}/crypto_utils_test.go | 0 lib/ocrypto/go.mod | 3 + lib/{crypto => ocrypto}/rsa_key_pair.go | 0 lib/{crypto => ocrypto}/rsa_key_pair_test.go | 0 sdk/auth_config.go | 25 +++--- sdk/go.mod | 4 +- sdk/idp_access_token_source.go | 8 +- sdk/kas_client.go | 16 ++-- sdk/kas_client_test.go | 10 +-- sdk/tdf.go | 82 +++++++++---------- sdk/tdf_config.go | 11 ++- sdk/tdf_test.go | 32 ++++---- services/kas/access/publicKey.go | 17 ++++ services/kas/access/publicKey_test.go | 68 ++++++++------- services/kas/access/rewrap.go | 41 ++++------ services/kas/access/rewrap_test.go | 21 +++-- 30 files changed, 197 insertions(+), 226 deletions(-) delete mode 100644 lib/crypto/go.mod rename lib/{crypto => ocrypto}/aes_gcm.go (100%) rename lib/{crypto => ocrypto}/aes_gcm_test.go (100%) rename lib/{crypto => ocrypto}/asym_decryption.go (100%) rename lib/{crypto => ocrypto}/asym_encrypt_decrypt_test.go (100%) rename lib/{crypto => ocrypto}/asym_encryption.go (100%) rename lib/{crypto => ocrypto}/crypto_utils.go (100%) rename lib/{crypto => ocrypto}/crypto_utils_test.go (100%) create mode 100644 lib/ocrypto/go.mod rename lib/{crypto => ocrypto}/rsa_key_pair.go (100%) rename lib/{crypto => ocrypto}/rsa_key_pair_test.go (100%) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 12e9b70fb4..ddf2203e3c 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -36,7 +36,7 @@ jobs: directory: - "." - sdk - - lib/crypto + - lib/ocrypto - examples steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 diff --git a/.github/workflows/lint-all.yaml b/.github/workflows/lint-all.yaml index d8dd09f501..98fcf89556 100644 --- a/.github/workflows/lint-all.yaml +++ b/.github/workflows/lint-all.yaml @@ -16,7 +16,7 @@ jobs: directory: - "." - sdk - - lib/crypto + - lib/ocrypto - examples steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 diff --git a/Makefile b/Makefile index cc9b87f807..16bc726a91 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ .PHONY: all build clean docker-build fix go-lint lint proto-generate proto-lint sdk/sdk test toolcheck -MODS=protocol/go lib/crypto sdk . examples +MODS=protocol/go lib/ocrypto sdk . examples EXCLUDE_OPENAPI=./services/authorization/idp_plugin.proto diff --git a/go.mod b/go.mod index 57cc1626c3..2988905f2c 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/miekg/pkcs11 v1.1.1 github.com/open-policy-agent/opa v0.62.1 github.com/opentdf/platform/protocol/go v0.0.0-00010101000000-000000000000 - github.com/opentdf/platform/lib/crypto v0.0.0-00010101000000-000000000000 + github.com/opentdf/platform/lib/ocrypto v0.0.0-00010101000000-000000000000 github.com/opentdf/platform/sdk v0.0.0-00010101000000-000000000000 github.com/pressly/goose/v3 v3.19.1 github.com/spf13/cobra v1.8.0 @@ -38,7 +38,7 @@ require ( replace ( github.com/opentdf/platform/protocol/go => ./protocol/go - github.com/opentdf/platform/lib/crypto => ./lib/crypto + github.com/opentdf/platform/lib/ocrypto => ./lib/ocrypto github.com/opentdf/platform/sdk => ./sdk ) diff --git a/internal/security/crypto_provider.go b/internal/security/crypto_provider.go index 83d0f00963..360a176713 100644 --- a/internal/security/crypto_provider.go +++ b/internal/security/crypto_provider.go @@ -1,5 +1,7 @@ package security +import "crypto" + type Config struct { Type string `yaml:"type" default:"standard"` // HSMConfig is the configuration for the HSM @@ -12,7 +14,7 @@ type CryptoProvider interface { RSAPublicKey(keyId string) (string, error) RSAPublicKeyAsJson(keyId string) (string, error) ECPublicKey(keyId string) (string, error) - RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) + RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) } func NewCryptoProvider(cfg Config) (CryptoProvider, error) { diff --git a/internal/security/hsm.go b/internal/security/hsm.go index c373069a17..bb5b34cd10 100644 --- a/internal/security/hsm.go +++ b/internal/security/hsm.go @@ -702,16 +702,11 @@ func (h *HSMSession) ECPublicKey(keyId string) (string, error) { return string(pubkeyPem), nil } -func (h *HSMSession) RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { +func (h *HSMSession) RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { // TODO: For now ignore the key id slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) - hash, err := stringToHashFunction(hashFunction) - if err != nil { - return nil, errors.Join(ErrHSMDecrypt, err) - } - hashAlg, mgfAlg, _, err := hashToPKCS11(hash) if err != nil { return nil, errors.Join(ErrHSMDecrypt, err) @@ -737,47 +732,3 @@ func versionSalt() []byte { digest.Write([]byte("L1L")) return digest.Sum(nil) } - -// StringToHashFunction String to crypto hash function name -func stringToHashFunction(hashFunction string) (crypto.Hash, error) { - switch hashFunction { - case "MD4": - return crypto.MD4, nil - case "MD5": - return crypto.MD5, nil - case "SHA1": - return crypto.SHA1, nil - case "SHA224": - return crypto.SHA224, nil - case "SHA256": - return crypto.SHA256, nil - case "SHA384": - return crypto.SHA384, nil - case "SHA512": - return crypto.SHA512, nil - case "MD5SHA1": - return crypto.MD5SHA1, nil - case "SHA3_224": - return crypto.SHA3_224, nil - case "SHA3_256": - return crypto.SHA3_256, nil - case "SHA3_384": - return crypto.SHA3_384, nil - case "SHA3_512": - return crypto.SHA3_512, nil - case "SHA512_224": - return crypto.SHA512_224, nil - case "SHA512_256": - return crypto.SHA512_256, nil - case "BLAKE2s_256": - return crypto.BLAKE2s_256, nil - case "BLAKE2b_256": - return crypto.BLAKE2b_256, nil - case "BLAKE2b_384": - return crypto.BLAKE2b_384, nil - case "BLAKE2b_512": - return crypto.BLAKE2b_512, nil - default: - return 0, ErrUnknownHashFunction - } -} diff --git a/internal/security/standard_crypto.go b/internal/security/standard_crypto.go index f1d2126435..0546e55050 100644 --- a/internal/security/standard_crypto.go +++ b/internal/security/standard_crypto.go @@ -1,12 +1,13 @@ package security import ( + "crypto" "crypto/ecdh" "encoding/json" "errors" "fmt" "github.com/lestrrat-go/jwx/v2/jwk" - "github.com/opentdf/platform/lib/crypto" + ocrypto "github.com/opentdf/platform/lib/ocrypto" "log/slog" "os" ) @@ -28,8 +29,8 @@ type StandardKeyInfo struct { type StandardRSACrypto struct { Identifier string - asymDecryption crypto.AsymDecryption - asymEncryption crypto.AsymEncryption + asymDecryption ocrypto.AsymDecryption + asymEncryption ocrypto.AsymEncryption } type StandardECCrypto struct { @@ -52,9 +53,9 @@ func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error) { return nil, fmt.Errorf("failed to rsa private key file: %w", err) } - asymDecryption, err := crypto.NewAsymDecryption(string(privatePemData)) + asymDecryption, err := ocrypto.NewAsymDecryption(string(privatePemData)) if err != nil { - return nil, fmt.Errorf("crypto.NewAsymDecryption failed: %w", err) + return nil, fmt.Errorf("ocrypto.NewAsymDecryption failed: %w", err) } publicPemData, err := os.ReadFile(kasInfo.PublicKeyPath) @@ -62,9 +63,9 @@ func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error) { return nil, fmt.Errorf("failed to rsa public key file: %w", err) } - asymEncryption, err := crypto.NewAsymEncryption(string(publicPemData)) + asymEncryption, err := ocrypto.NewAsymEncryption(string(publicPemData)) if err != nil { - return nil, fmt.Errorf("crypto.NewAsymEncryption failed: %w", err) + return nil, fmt.Errorf("ocrypto.NewAsymEncryption failed: %w", err) } standardCrypto.rsaKeys = append(standardCrypto.rsaKeys, StandardRSACrypto{ @@ -98,7 +99,7 @@ func (s StandardCrypto) ECPublicKey(keyId string) (string, error) { return "", nil } -func (s StandardCrypto) RSADecrypt(hashFunction string, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { +func (s StandardCrypto) RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { if len(s.rsaKeys) == 0 { return nil, errStandardCryptoObjIsInvalid diff --git a/lib/crypto/go.mod b/lib/crypto/go.mod deleted file mode 100644 index 5a452ad3f2..0000000000 --- a/lib/crypto/go.mod +++ /dev/null @@ -1,3 +0,0 @@ -module github.com/opentdf/platform/lib/crypto - -go 1.21.8 diff --git a/lib/crypto/aes_gcm.go b/lib/ocrypto/aes_gcm.go similarity index 100% rename from lib/crypto/aes_gcm.go rename to lib/ocrypto/aes_gcm.go diff --git a/lib/crypto/aes_gcm_test.go b/lib/ocrypto/aes_gcm_test.go similarity index 100% rename from lib/crypto/aes_gcm_test.go rename to lib/ocrypto/aes_gcm_test.go diff --git a/lib/crypto/asym_decryption.go b/lib/ocrypto/asym_decryption.go similarity index 100% rename from lib/crypto/asym_decryption.go rename to lib/ocrypto/asym_decryption.go diff --git a/lib/crypto/asym_encrypt_decrypt_test.go b/lib/ocrypto/asym_encrypt_decrypt_test.go similarity index 100% rename from lib/crypto/asym_encrypt_decrypt_test.go rename to lib/ocrypto/asym_encrypt_decrypt_test.go diff --git a/lib/crypto/asym_encryption.go b/lib/ocrypto/asym_encryption.go similarity index 100% rename from lib/crypto/asym_encryption.go rename to lib/ocrypto/asym_encryption.go diff --git a/lib/crypto/crypto_utils.go b/lib/ocrypto/crypto_utils.go similarity index 100% rename from lib/crypto/crypto_utils.go rename to lib/ocrypto/crypto_utils.go diff --git a/lib/crypto/crypto_utils_test.go b/lib/ocrypto/crypto_utils_test.go similarity index 100% rename from lib/crypto/crypto_utils_test.go rename to lib/ocrypto/crypto_utils_test.go diff --git a/lib/ocrypto/go.mod b/lib/ocrypto/go.mod new file mode 100644 index 0000000000..f2fb40de4f --- /dev/null +++ b/lib/ocrypto/go.mod @@ -0,0 +1,3 @@ +module github.com/opentdf/platform/lib/ocrypto + +go 1.21.8 diff --git a/lib/crypto/rsa_key_pair.go b/lib/ocrypto/rsa_key_pair.go similarity index 100% rename from lib/crypto/rsa_key_pair.go rename to lib/ocrypto/rsa_key_pair.go diff --git a/lib/crypto/rsa_key_pair_test.go b/lib/ocrypto/rsa_key_pair_test.go similarity index 100% rename from lib/crypto/rsa_key_pair_test.go rename to lib/ocrypto/rsa_key_pair_test.go diff --git a/sdk/auth_config.go b/sdk/auth_config.go index 97440ceb48..f99ab4b467 100644 --- a/sdk/auth_config.go +++ b/sdk/auth_config.go @@ -5,15 +5,14 @@ import ( "context" "encoding/json" "fmt" + "github.com/golang-jwt/jwt/v4" + ocrypto "github.com/opentdf/platform/lib/ocrypto" "io" "log/slog" "net/http" "net/url" "strings" "time" - - "github.com/golang-jwt/jwt/v4" - "github.com/opentdf/platform/lib/crypto" ) type AuthConfig struct { @@ -35,19 +34,19 @@ type rewrapJWTClaims struct { // NewAuthConfig Create a new instance of authConfig func NewAuthConfig() (*AuthConfig, error) { - rsaKeyPair, err := crypto.NewRSAKeyPair(tdf3KeySize) + rsaKeyPair, err := ocrypto.NewRSAKeyPair(tdf3KeySize) if err != nil { - return nil, fmt.Errorf("crypto.NewRSAKeyPair failed: %w", err) + return nil, fmt.Errorf("ocrypto.NewRSAKeyPair failed: %w", err) } publicKey, err := rsaKeyPair.PublicKeyInPemFormat() if err != nil { - return nil, fmt.Errorf("crypto.PublicKeyInPemFormat failed: %w", err) + return nil, fmt.Errorf("ocrypto.PublicKeyInPemFormat failed: %w", err) } privateKey, err := rsaKeyPair.PrivateKeyInPemFormat() if err != nil { - return nil, fmt.Errorf("crypto.PrivateKeyInPemFormat failed: %w", err) + return nil, fmt.Errorf("ocrypto.PrivateKeyInPemFormat failed: %w", err) } return &AuthConfig{dpopPublicKeyPEM: publicKey, dpopPrivateKeyPEM: privateKey}, nil @@ -77,7 +76,7 @@ func (a *AuthConfig) fetchOIDCAccessToken(ctx context.Context, host, realm, clie } req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - certB64 := crypto.Base64Encode([]byte(a.dpopPublicKeyPEM)) + certB64 := ocrypto.Base64Encode([]byte(a.dpopPublicKeyPEM)) req.Header.Set("X-VirtruPubKey", string(certB64)) client := &http.Client{} @@ -211,19 +210,19 @@ func getWrappedKey(rewrapResponseBody []byte, clientPrivateKey string) ([]byte, return nil, fmt.Errorf("entityWrappedKey is missing in key access object") } - asymDecrypt, err := crypto.NewAsymDecryption(clientPrivateKey) + asymDecrypt, err := ocrypto.NewAsymDecryption(clientPrivateKey) if err != nil { - return nil, fmt.Errorf("crypto.NewAsymDecryption failed: %w", err) + return nil, fmt.Errorf("ocrypto.NewAsymDecryption failed: %w", err) } - entityWrappedKeyDecoded, err := crypto.Base64Decode([]byte(fmt.Sprintf("%v", entityWrappedKey))) + entityWrappedKeyDecoded, err := ocrypto.Base64Decode([]byte(fmt.Sprintf("%v", entityWrappedKey))) if err != nil { - return nil, fmt.Errorf("crypto.Base64Decode failed: %w", err) + return nil, fmt.Errorf("ocrypto.Base64Decode failed: %w", err) } key, err := asymDecrypt.Decrypt(entityWrappedKeyDecoded) if err != nil { - return nil, fmt.Errorf("crypto.Decrypt failed: %w", err) + return nil, fmt.Errorf("ocrypto.Decrypt failed: %w", err) } return key, nil diff --git a/sdk/go.mod b/sdk/go.mod index a69fe5c19d..1c6590c9fc 100644 --- a/sdk/go.mod +++ b/sdk/go.mod @@ -7,7 +7,7 @@ require ( github.com/golang-jwt/jwt/v4 v4.5.0 github.com/google/uuid v1.6.0 github.com/lestrrat-go/jwx/v2 v2.0.21 - github.com/opentdf/platform/lib/crypto v0.0.0-00010101000000-000000000000 + github.com/opentdf/platform/lib/ocrypto v0.0.0-00010101000000-000000000000 github.com/opentdf/platform/protocol/go v0.0.0-00010101000000-000000000000 github.com/stretchr/testify v1.9.0 github.com/testcontainers/testcontainers-go v0.28.0 @@ -16,7 +16,7 @@ require ( ) replace ( - github.com/opentdf/platform/lib/crypto => ../lib/crypto + github.com/opentdf/platform/lib/ocrypto => ../lib/ocrypto github.com/opentdf/platform/protocol/go => ../protocol/go ) diff --git a/sdk/idp_access_token_source.go b/sdk/idp_access_token_source.go index 5dc9f23e13..d1ed53553a 100644 --- a/sdk/idp_access_token_source.go +++ b/sdk/idp_access_token_source.go @@ -6,6 +6,7 @@ import ( "crypto/x509" "encoding/pem" "fmt" + ocrypto "github.com/opentdf/platform/lib/ocrypto" "log/slog" "net/url" "strings" @@ -13,7 +14,6 @@ import ( "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" - "github.com/opentdf/platform/lib/crypto" "github.com/opentdf/platform/sdk/auth" "github.com/opentdf/platform/sdk/internal/oauth" ) @@ -22,7 +22,7 @@ const ( dpopKeySize = 2048 ) -func getNewDPoPKey() (string, jwk.Key, *crypto.AsymDecryption, error) { //nolint:ireturn // this is only internal +func getNewDPoPKey() (string, jwk.Key, *ocrypto.AsymDecryption, error) { //nolint:ireturn // this is only internal dpopPrivate, err := rsa.GenerateKey(rand.Reader, dpopKeySize) if err != nil { return "", nil, nil, fmt.Errorf("error creating DPoP keypair: %w", err) @@ -66,7 +66,7 @@ func getNewDPoPKey() (string, jwk.Key, *crypto.AsymDecryption, error) { //nolint return "", nil, nil, fmt.Errorf("error encoding public key to PEM") } - asymDecryption, err := crypto.NewAsymDecryption(dpopPrivatePEM.String()) + asymDecryption, err := ocrypto.NewAsymDecryption(dpopPrivatePEM.String()) if err != nil { return "", nil, nil, fmt.Errorf("error creating asymmetric decryptor: %w", err) } @@ -84,7 +84,7 @@ type IDPAccessTokenSource struct { token *oauth.Token scopes []string dpopKey jwk.Key - asymDecryption crypto.AsymDecryption + asymDecryption ocrypto.AsymDecryption dpopPEM string tokenMutex *sync.Mutex } diff --git a/sdk/kas_client.go b/sdk/kas_client.go index 151ce3f6dd..c03eb9d47b 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go @@ -4,12 +4,12 @@ import ( "context" "encoding/json" "fmt" + ocrypto "github.com/opentdf/platform/lib/ocrypto" "net/url" "time" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" - "github.com/opentdf/platform/lib/crypto" kas "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/sdk/auth" "google.golang.org/grpc" @@ -23,7 +23,7 @@ type KASClient struct { accessTokenSource auth.AccessTokenSource dialOptions []grpc.DialOption clientPublicKeyPEM string - asymDecryption crypto.AsymDecryption + asymDecryption ocrypto.AsymDecryption } // once the backend moves over we should use the same type that the golang backend uses here @@ -36,24 +36,24 @@ type rewrapRequestBody struct { } func newKASClient(dialOptions []grpc.DialOption, accessTokenSource auth.AccessTokenSource) (*KASClient, error) { - rsaKeyPair, err := crypto.NewRSAKeyPair(tdf3KeySize) + rsaKeyPair, err := ocrypto.NewRSAKeyPair(tdf3KeySize) if err != nil { - return nil, fmt.Errorf("crypto.NewRSAKeyPair failed: %w", err) + return nil, fmt.Errorf("ocrypto.NewRSAKeyPair failed: %w", err) } clientPublicKey, err := rsaKeyPair.PublicKeyInPemFormat() if err != nil { - return nil, fmt.Errorf("crypto.PublicKeyInPemFormat failed: %w", err) + return nil, fmt.Errorf("ocrypto.PublicKeyInPemFormat failed: %w", err) } clientPrivateKey, err := rsaKeyPair.PrivateKeyInPemFormat() if err != nil { - return nil, fmt.Errorf("crypto.PrivateKeyInPemFormat failed: %w", err) + return nil, fmt.Errorf("ocrypto.PrivateKeyInPemFormat failed: %w", err) } - asymDecryption, err := crypto.NewAsymDecryption(clientPrivateKey) + asymDecryption, err := ocrypto.NewAsymDecryption(clientPrivateKey) if err != nil { - return nil, fmt.Errorf("crypto.NewAsymDecryption failed: %w", err) + return nil, fmt.Errorf("ocrypto.NewAsymDecryption failed: %w", err) } return &KASClient{ diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index d655caccbf..4756ea1ed8 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -2,6 +2,7 @@ package sdk import ( "encoding/json" + ocrypto "github.com/opentdf/platform/lib/ocrypto" "testing" "google.golang.org/grpc" @@ -9,13 +10,12 @@ import ( "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" - "github.com/opentdf/platform/lib/crypto" "github.com/opentdf/platform/sdk/auth" ) type FakeAccessTokenSource struct { dpopKey jwk.Key - asymDecryption crypto.AsymDecryption + asymDecryption ocrypto.AsymDecryption accessToken string } @@ -27,9 +27,9 @@ func (fake FakeAccessTokenSource) MakeToken(tokenMaker func(jwk.Key) ([]byte, er } func getTokenSource(t *testing.T) FakeAccessTokenSource { - dpopKey, _ := crypto.NewRSAKeyPair(2048) + dpopKey, _ := ocrypto.NewRSAKeyPair(2048) dpopPEM, _ := dpopKey.PrivateKeyInPemFormat() - decryption, _ := crypto.NewAsymDecryption(dpopPEM) + decryption, _ := ocrypto.NewAsymDecryption(dpopPEM) dpopJWK, err := jwk.ParseKey([]byte(dpopPEM), jwk.WithPEM(true)) if err != nil { t.Fatalf("error creating JWK: %v", err) @@ -91,7 +91,7 @@ func TestCreatingRequest(t *testing.T) { t.Fatalf("error unmarshaling request body: %v", err) } - _, err = crypto.NewAsymEncryption(requestBody["clientPublicKey"].(string)) + _, err = ocrypto.NewAsymEncryption(requestBody["clientPublicKey"].(string)) if err != nil { t.Fatalf("NewAsymEncryption failed, incorrect public key include: %v", err) } diff --git a/sdk/tdf.go b/sdk/tdf.go index 13d423db9d..1cc39a17d6 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -6,12 +6,12 @@ import ( "encoding/json" "errors" "fmt" + ocrypto "github.com/opentdf/platform/lib/ocrypto" "io" "math" "strings" "github.com/google/uuid" - "github.com/opentdf/platform/lib/crypto" "github.com/opentdf/platform/sdk/internal/archive" ) @@ -63,7 +63,7 @@ type Reader struct { tdfReader archive.TDFReader unwrapper Unwrapper cursor int64 - aesGcm crypto.AesGcm + aesGcm ocrypto.AesGcm payloadSize int64 payloadKey []byte } @@ -71,7 +71,7 @@ type Reader struct { type TDFObject struct { manifest Manifest size int64 - aesGcm crypto.AesGcm + aesGcm ocrypto.AesGcm payloadKey [kKeySize]byte } @@ -167,7 +167,7 @@ func (s SDK) CreateTDF(writer io.Writer, reader io.ReadSeeker, opts ...TDFOption aggregateHash += segmentSig segmentInfo := Segment{ - Hash: string(crypto.Base64Encode([]byte(segmentSig))), + Hash: string(ocrypto.Base64Encode([]byte(segmentSig))), Size: readSize, EncryptedSize: int64(len(cipherData)), } @@ -184,7 +184,7 @@ func (s SDK) CreateTDF(writer io.Writer, reader io.ReadSeeker, opts ...TDFOption return nil, fmt.Errorf("splitKey.GetSignaturefailed: %w", err) } - sig := string(crypto.Base64Encode([]byte(rootSignature))) + sig := string(ocrypto.Base64Encode([]byte(rootSignature))) tdfObject.manifest.EncryptionInformation.IntegrityInformation.RootSignature.Signature = sig integrityAlgStr := gmacIntegrityAlgorithm @@ -256,16 +256,16 @@ func (t *TDFObject) prepareManifest(tdfConfig TDFConfig) error { //nolint:funlen return fmt.Errorf("json.Marshal failed:%w", err) } - base64PolicyObject := crypto.Base64Encode(policyObjectAsStr) + base64PolicyObject := ocrypto.Base64Encode(policyObjectAsStr) symKeys := make([][]byte, 0, len(tdfConfig.kasInfoList)) for _, kasInfo := range tdfConfig.kasInfoList { if len(kasInfo.PublicKey) == 0 { return errKasPubKeyMissing } - symKey, err := crypto.RandomBytes(kKeySize) + symKey, err := ocrypto.RandomBytes(kKeySize) if err != nil { - return fmt.Errorf("crypto.RandomBytes failed:%w", err) + return fmt.Errorf("ocrypto.RandomBytes failed:%w", err) } keyAccess := KeyAccess{} @@ -274,37 +274,37 @@ func (t *TDFObject) prepareManifest(tdfConfig TDFConfig) error { //nolint:funlen keyAccess.Protocol = kKasProtocol // add policyBinding - policyBinding := hex.EncodeToString(crypto.CalculateSHA256Hmac(symKey, base64PolicyObject)) - keyAccess.PolicyBinding = string(crypto.Base64Encode([]byte(policyBinding))) + policyBinding := hex.EncodeToString(ocrypto.CalculateSHA256Hmac(symKey, base64PolicyObject)) + keyAccess.PolicyBinding = string(ocrypto.Base64Encode([]byte(policyBinding))) // wrap the key with kas public key - asymEncrypt, err := crypto.NewAsymEncryption(kasInfo.PublicKey) + asymEncrypt, err := ocrypto.NewAsymEncryption(kasInfo.PublicKey) if err != nil { - return fmt.Errorf("crypto.NewAsymEncryption failed:%w", err) + return fmt.Errorf("ocrypto.NewAsymEncryption failed:%w", err) } wrappedKey, err := asymEncrypt.Encrypt(symKey) if err != nil { - return fmt.Errorf("crypto.AsymEncryption.encrypt failed:%w", err) + return fmt.Errorf("ocrypto.AsymEncryption.encrypt failed:%w", err) } - keyAccess.WrappedKey = string(crypto.Base64Encode(wrappedKey)) + keyAccess.WrappedKey = string(ocrypto.Base64Encode(wrappedKey)) // add meta data if len(tdfConfig.metaData) > 0 { - gcm, err := crypto.NewAESGcm(symKey) + gcm, err := ocrypto.NewAESGcm(symKey) if err != nil { - return fmt.Errorf("crypto.NewAESGcm failed:%w", err) + return fmt.Errorf("ocrypto.NewAESGcm failed:%w", err) } encryptedMetaData, err := gcm.Encrypt([]byte(tdfConfig.metaData)) if err != nil { - return fmt.Errorf("crypto.AesGcm.encrypt failed:%w", err) + return fmt.Errorf("ocrypto.AesGcm.encrypt failed:%w", err) } - iv := encryptedMetaData[:crypto.GcmStandardNonceSize] + iv := encryptedMetaData[:ocrypto.GcmStandardNonceSize] metadata := EncryptedMetadata{ - Cipher: string(crypto.Base64Encode(encryptedMetaData)), - Iv: string(crypto.Base64Encode(iv)), + Cipher: string(ocrypto.Base64Encode(encryptedMetaData)), + Iv: string(ocrypto.Base64Encode(iv)), } metadataJSON, err := json.Marshal(metadata) @@ -312,7 +312,7 @@ func (t *TDFObject) prepareManifest(tdfConfig TDFConfig) error { //nolint:funlen return fmt.Errorf(" json.Marshal failed:%w", err) } - keyAccess.EncryptedMetadata = string(crypto.Base64Encode(metadataJSON)) + keyAccess.EncryptedMetadata = string(ocrypto.Base64Encode(metadataJSON)) } symKeys = append(symKeys, symKey) @@ -329,9 +329,9 @@ func (t *TDFObject) prepareManifest(tdfConfig TDFConfig) error { //nolint:funlen } } - gcm, err := crypto.NewAESGcm(t.payloadKey[:]) + gcm, err := ocrypto.NewAESGcm(t.payloadKey[:]) if err != nil { - return fmt.Errorf(" crypto.NewAESGcm failed:%w", err) + return fmt.Errorf(" ocrypto.NewAESGcm failed:%w", err) } t.manifest = manifest @@ -434,7 +434,7 @@ func (r *Reader) WriteTo(writer io.Writer) (int64, error) { return totalBytes, fmt.Errorf("splitKey.GetSignaturefailed: %w", err) } - if seg.Hash != string(crypto.Base64Encode([]byte(payloadSig))) { + if seg.Hash != string(ocrypto.Base64Encode([]byte(payloadSig))) { return totalBytes, errSegSigValidation } @@ -520,7 +520,7 @@ func (r *Reader) ReadAt(buf []byte, offset int64) (int, error) { //nolint:funlen return 0, fmt.Errorf("splitKey.GetSignaturefailed: %w", err) } - if seg.Hash != string(crypto.Base64Encode([]byte(payloadSig))) { + if seg.Hash != string(ocrypto.Base64Encode([]byte(payloadSig))) { return 0, errSegSigValidation } @@ -574,9 +574,9 @@ func (r *Reader) UnencryptedMetadata() ([]byte, error) { // Otherwise, returns an error. func (r *Reader) Policy() (PolicyObject, error) { policyObj := PolicyObject{} - policy, err := crypto.Base64Decode([]byte(r.manifest.Policy)) + policy, err := ocrypto.Base64Decode([]byte(r.manifest.Policy)) if err != nil { - return policyObj, fmt.Errorf("crypto.Base64Decode failed:%w", err) + return policyObj, fmt.Errorf("ocrypto.Base64Decode failed:%w", err) } err = json.Unmarshal(policy, &policyObj) @@ -589,9 +589,9 @@ func (r *Reader) Policy() (PolicyObject, error) { // DataAttributes return the data attributes present in tdf. func (r *Reader) DataAttributes() ([]string, error) { - policy, err := crypto.Base64Decode([]byte(r.manifest.Policy)) + policy, err := ocrypto.Base64Decode([]byte(r.manifest.Policy)) if err != nil { - return nil, fmt.Errorf("crypto.Base64Decode failed:%w", err) + return nil, fmt.Errorf("ocrypto.Base64Decode failed:%w", err) } policyObj := PolicyObject{} @@ -624,14 +624,14 @@ func (r *Reader) doPayloadKeyUnwrap() error { //nolint:gocognit } if len(keyAccessObj.EncryptedMetadata) != 0 { - gcm, err := crypto.NewAESGcm(wrappedKey) + gcm, err := ocrypto.NewAESGcm(wrappedKey) if err != nil { - return fmt.Errorf("crypto.NewAESGcm failed:%w", err) + return fmt.Errorf("ocrypto.NewAESGcm failed:%w", err) } - decodedMetaData, err := crypto.Base64Decode([]byte(keyAccessObj.EncryptedMetadata)) + decodedMetaData, err := ocrypto.Base64Decode([]byte(keyAccessObj.EncryptedMetadata)) if err != nil { - return fmt.Errorf("crypto.Base64Decode failed:%w", err) + return fmt.Errorf("ocrypto.Base64Decode failed:%w", err) } metadata := EncryptedMetadata{} @@ -641,10 +641,10 @@ func (r *Reader) doPayloadKeyUnwrap() error { //nolint:gocognit } encodedCipherText := metadata.Cipher - cipherText, _ := crypto.Base64Decode([]byte(encodedCipherText)) + cipherText, _ := ocrypto.Base64Decode([]byte(encodedCipherText)) metaData, err := gcm.Decrypt(cipherText) if err != nil { - return fmt.Errorf("crypto.AesGcm.encrypt failed:%w", err) + return fmt.Errorf("ocrypto.AesGcm.encrypt failed:%w", err) } unencryptedMetadata = metaData @@ -672,9 +672,9 @@ func (r *Reader) doPayloadKeyUnwrap() error { //nolint:gocognit payloadSize += seg.Size } - gcm, err := crypto.NewAESGcm(payloadKey[:]) + gcm, err := ocrypto.NewAESGcm(payloadKey[:]) if err != nil { - return fmt.Errorf(" crypto.NewAESGcm failed:%w", err) + return fmt.Errorf("ocrypto.NewAESGcm failed:%w", err) } r.payloadSize = payloadSize @@ -688,7 +688,7 @@ func (r *Reader) doPayloadKeyUnwrap() error { //nolint:gocognit // calculateSignature calculate signature of data of the given algorithm. func calculateSignature(data []byte, secret []byte, alg IntegrityAlgorithm) (string, error) { if alg == HS256 { - hmac := crypto.CalculateSHA256Hmac(secret, data) + hmac := ocrypto.CalculateSHA256Hmac(secret, data) return hex.EncodeToString(hmac), nil } if kGMACPayloadLength > len(data) { @@ -705,9 +705,9 @@ func validateRootSignature(manifest Manifest, secret []byte) (bool, error) { aggregateHash := &bytes.Buffer{} for _, segment := range manifest.EncryptionInformation.IntegrityInformation.Segments { - decodedHash, err := crypto.Base64Decode([]byte(segment.Hash)) + decodedHash, err := ocrypto.Base64Decode([]byte(segment.Hash)) if err != nil { - return false, fmt.Errorf("crypto.Base64Decode failed:%w", err) + return false, fmt.Errorf("ocrypto.Base64Decode failed:%w", err) } aggregateHash.Write(decodedHash) @@ -723,7 +723,7 @@ func validateRootSignature(manifest Manifest, secret []byte) (bool, error) { return false, fmt.Errorf("splitkey.getSignature failed:%w", err) } - if rootSigValue == string(crypto.Base64Encode([]byte(sig))) { + if rootSigValue == string(ocrypto.Base64Encode([]byte(sig))) { return true, nil } diff --git a/sdk/tdf_config.go b/sdk/tdf_config.go index 67ec7b2ca4..aa178ab3b3 100644 --- a/sdk/tdf_config.go +++ b/sdk/tdf_config.go @@ -2,8 +2,7 @@ package sdk import ( "fmt" - - "github.com/opentdf/platform/lib/crypto" + ocrypto "github.com/opentdf/platform/lib/ocrypto" ) const ( @@ -55,19 +54,19 @@ type TDFConfig struct { // NewTDFConfig CreateTDF a new instance of tdf config. func NewTDFConfig(opt ...TDFOption) (*TDFConfig, error) { - rsaKeyPair, err := crypto.NewRSAKeyPair(tdf3KeySize) + rsaKeyPair, err := ocrypto.NewRSAKeyPair(tdf3KeySize) if err != nil { - return nil, fmt.Errorf("crypto.NewRSAKeyPair failed: %w", err) + return nil, fmt.Errorf("ocrypto.NewRSAKeyPair failed: %w", err) } publicKey, err := rsaKeyPair.PublicKeyInPemFormat() if err != nil { - return nil, fmt.Errorf("crypto.PublicKeyInPemFormat failed: %w", err) + return nil, fmt.Errorf("ocrypto.PublicKeyInPemFormat failed: %w", err) } privateKey, err := rsaKeyPair.PublicKeyInPemFormat() if err != nil { - return nil, fmt.Errorf("crypto.PublicKeyInPemFormat failed: %w", err) + return nil, fmt.Errorf("ocrypto.PublicKeyInPemFormat failed: %w", err) } c := &TDFConfig{ diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go index 7e7b0bdc03..f69fcd0b43 100644 --- a/sdk/tdf_test.go +++ b/sdk/tdf_test.go @@ -7,6 +7,8 @@ import ( "encoding/json" "errors" "fmt" + "github.com/golang-jwt/jwt/v4" + ocrypto "github.com/opentdf/platform/lib/ocrypto" "io" "math" "net/http" @@ -17,8 +19,6 @@ import ( "strings" "testing" - "github.com/golang-jwt/jwt/v4" - "github.com/opentdf/platform/lib/crypto" "github.com/stretchr/testify/assert" ) @@ -709,26 +709,26 @@ func runKas() (string, func(), *SDK) { return "grpc://localhost:8080", func() {}, sdk } - signingKeyPair, err := crypto.NewRSAKeyPair(tdf3KeySize) + signingKeyPair, err := ocrypto.NewRSAKeyPair(tdf3KeySize) if err != nil { - panic(fmt.Sprintf("crypto.NewRSAKeyPair: %v", err)) + panic(fmt.Sprintf("ocrypto.NewRSAKeyPair: %v", err)) } signingPubKey, err := signingKeyPair.PublicKeyInPemFormat() if err != nil { - panic(fmt.Sprintf("crypto.PublicKeyInPemFormat failed: %v", err)) + panic(fmt.Sprintf("ocrypto.PublicKeyInPemFormat failed: %v", err)) } signingPrivateKey, err := signingKeyPair.PrivateKeyInPemFormat() if err != nil { - panic(fmt.Sprintf("crypto.PrivateKeyInPemFormat failed: %v", err)) + panic(fmt.Sprintf("ocrypto.PrivateKeyInPemFormat failed: %v", err)) } accessTokenBytes := make([]byte, 10) if _, err := rand.Read(accessTokenBytes); err != nil { panic("failed to create random access token") } - accessToken := crypto.Base64Encode(accessTokenBytes) + accessToken := ocrypto.Base64Encode(accessTokenBytes) server := httptest.NewServer(http.HandlerFunc(getKASRequestHandler(string(accessToken), signingPubKey))) @@ -790,7 +790,7 @@ func getKASRequestHandler(expectedAccessToken, //nolint:gocognit // KAS is prett entityWrappedKey := getRewrappedKey(rewrapRequest) response, err := json.Marshal(map[string]string{ - kEntityWrappedKey: string(crypto.Base64Encode(entityWrappedKey)), + kEntityWrappedKey: string(ocrypto.Base64Encode(entityWrappedKey)), }) if err != nil { panic(fmt.Sprintf("json.Marshal failed: %v", err)) @@ -812,26 +812,26 @@ func getRewrappedKey(rewrapRequest string) []byte { if err != nil { panic(fmt.Sprintf("json.Unmarshal failed: %v", err)) } - wrappedKey, err := crypto.Base64Decode([]byte(bodyData.WrappedKey)) + wrappedKey, err := ocrypto.Base64Decode([]byte(bodyData.WrappedKey)) if err != nil { - panic(fmt.Sprintf("crypto.Base64Decode failed: %v", err)) + panic(fmt.Sprintf("ocrypto.Base64Decode failed: %v", err)) } kasPrivateKey := strings.ReplaceAll(mockKasPrivateKey, "\n\t", "\n") - asymDecrypt, err := crypto.NewAsymDecryption(kasPrivateKey) + asymDecrypt, err := ocrypto.NewAsymDecryption(kasPrivateKey) if err != nil { - panic(fmt.Sprintf("crypto.NewAsymDecryption failed: %v", err)) + panic(fmt.Sprintf("ocrypto.NewAsymDecryption failed: %v", err)) } symmetricKey, err := asymDecrypt.Decrypt(wrappedKey) if err != nil { - panic(fmt.Sprintf("crypto.Decrypt failed: %v", err)) + panic(fmt.Sprintf("ocrypto.Decrypt failed: %v", err)) } - asymEncrypt, err := crypto.NewAsymEncryption(bodyData.ClientPublicKey) + asymEncrypt, err := ocrypto.NewAsymEncryption(bodyData.ClientPublicKey) if err != nil { - panic(fmt.Sprintf("crypto.NewAsymEncryption failed: %v", err)) + panic(fmt.Sprintf("ocrypto.NewAsymEncryption failed: %v", err)) } entityWrappedKey, err := asymEncrypt.Encrypt(symmetricKey) if err != nil { - panic(fmt.Sprintf("crypto.encrypt failed: %v", err)) + panic(fmt.Sprintf("ocrypto.encrypt failed: %v", err)) } return entityWrappedKey } diff --git a/services/kas/access/publicKey.go b/services/kas/access/publicKey.go index c6fe2277e2..e5b04741ad 100644 --- a/services/kas/access/publicKey.go +++ b/services/kas/access/publicKey.go @@ -3,6 +3,7 @@ package access import ( "context" "crypto/ecdsa" + "crypto/rsa" "crypto/x509" "encoding/pem" "errors" @@ -84,6 +85,22 @@ func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (* return &kaspb.PublicKeyResponse{PublicKey: rsaPublicKeyPem}, nil } +func exportRsaPublicKeyAsPemStr(pubkey *rsa.PublicKey) (string, error) { + pubkeyBytes, err := x509.MarshalPKIXPublicKey(pubkey) + if err != nil { + return "", errors.Join(ErrPublicKeyMarshal, err) + } + pubkeyPem := pem.EncodeToMemory( + &pem.Block{ + Type: "PUBLIC KEY", + Headers: nil, + Bytes: pubkeyBytes, + }, + ) + + return string(pubkeyPem), nil +} + func exportEcPublicKeyAsPemStr(pubkey *ecdsa.PublicKey) (string, error) { pubkeyBytes, err := x509.MarshalPKIXPublicKey(pubkey) if err != nil { diff --git a/services/kas/access/publicKey_test.go b/services/kas/access/publicKey_test.go index 4c9f788678..97f7d39e1d 100644 --- a/services/kas/access/publicKey_test.go +++ b/services/kas/access/publicKey_test.go @@ -134,11 +134,13 @@ func TestError(t *testing.T) { const hostname = "localhost" func TestCertificateHandlerEmpty(t *testing.T) { + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") + kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Fmt: "pkcs8"}) @@ -153,13 +155,14 @@ func TestCertificateHandlerWithEc256(t *testing.T) { t.Errorf("Failed to generate a private key: %v", err) } + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } - kas.Session.EC = &security.ECKeyPair{ + hsmSession.EC = &security.ECKeyPair{ PublicKey: &privateKey.PublicKey, Certificate: &x509.Certificate{}, } @@ -180,13 +183,14 @@ func TestPublicKeyHandlerWithEc256(t *testing.T) { t.Errorf("Failed to generate a private key: %v", err) } + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } - kas.Session.EC = &security.ECKeyPair{ + hsmSession.EC = &security.ECKeyPair{ PublicKey: &privateKey.PublicKey, } @@ -211,16 +215,17 @@ func TestPublicKeyHandlerV2(t *testing.T) { t.Errorf("Failed to generate a private key: %v", err) } + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } - kas.Session.EC = &security.ECKeyPair{ + hsmSession.EC = &security.ECKeyPair{ PublicKey: &privateKey.PublicKey, } - kas.Session.RSA = &security.RSAKeyPair{ + hsmSession.RSA = &security.RSAKeyPair{ Certificate: &x509.Certificate{}, PublicKey: &mockPublicKeyRsa, } @@ -241,13 +246,14 @@ func TestPublicKeyHandlerV2Failure(t *testing.T) { t.Errorf("Failed to generate a private key: %v", err) } + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } - kas.Session.EC = &security.ECKeyPair{ + hsmSession.EC = &security.ECKeyPair{ PublicKey: &privateKey.PublicKey, } @@ -268,16 +274,17 @@ func TestPublicKeyHandlerV2WithEc256(t *testing.T) { if err != nil { t.Errorf("Failed to generate a private key: %v", err) } + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } - kas.Session.EC = &security.ECKeyPair{ + hsmSession.EC = &security.ECKeyPair{ PublicKey: &privateKey.PublicKey, } - kas.Session.RSA = &security.RSAKeyPair{ + hsmSession.RSA = &security.RSAKeyPair{ Certificate: &x509.Certificate{}, PublicKey: &mockPublicKeyRsa, } @@ -303,16 +310,17 @@ func TestPublicKeyHandlerV2WithJwk(t *testing.T) { if err != nil { t.Errorf("Failed to generate a private key: %v", err) } + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } - kas.Session.EC = &security.ECKeyPair{ + hsmSession.EC = &security.ECKeyPair{ PublicKey: &privateKey.PublicKey, } - kas.Session.RSA = &security.RSAKeyPair{ + hsmSession.RSA = &security.RSAKeyPair{ Certificate: &x509.Certificate{}, PublicKey: &mockPublicKeyRsa, } diff --git a/services/kas/access/rewrap.go b/services/kas/access/rewrap.go index c681042c18..2c279f7d70 100644 --- a/services/kas/access/rewrap.go +++ b/services/kas/access/rewrap.go @@ -4,12 +4,9 @@ import ( "bytes" "context" "crypto" - "crypto/aes" - "crypto/cipher" "crypto/ecdh" "crypto/ecdsa" "crypto/hmac" - "crypto/rand" "crypto/rsa" "crypto/sha256" "crypto/x509" @@ -20,13 +17,12 @@ import ( "errors" "fmt" "github.com/opentdf/platform/protocol/go/authorization" - "io" "log/slog" "strings" "github.com/opentdf/platform/internal/auth" "github.com/opentdf/platform/internal/security" - + ocrypto "github.com/opentdf/platform/lib/ocrypto" kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/services/kas/nanotdf" "github.com/opentdf/platform/services/kas/tdf3" @@ -36,9 +32,6 @@ import ( "gopkg.in/go-jose/go-jose.v2/jwt" ) -const ivSize = 12 -const tagSize = 12 - type RequestBody struct { AuthToken string `json:"authToken"` KeyAccess tdf3.KeyAccess `json:"keyAccess"` @@ -59,9 +52,8 @@ type customClaimsHeader struct { } const ( - ErrUser = Error("request error") - ErrInternal = Error("internal error") - DefaultShaFunctionForDecrypt = "SHA1" + ErrUser = Error("request error") + ErrInternal = Error("internal error") ) func err400(s string) error { @@ -126,7 +118,7 @@ func generateHMACDigest(ctx context.Context, msg, key []byte) ([]byte, error) { } type verifiedRequest struct { - publicKey crypto.PublicKey + publicKey crypto.PublicKey // TODO: Remove this requestBody *RequestBody cl *customClaimsHeader bearerToken string @@ -271,7 +263,7 @@ func (p *Provider) Rewrap(ctx context.Context, in *kaspb.RewrapRequest) (*kaspb. } func (p *Provider) tdf3Rewrap(ctx context.Context, body *verifiedRequest) (*kaspb.RewrapResponse, error) { - symmetricKey, err := p.CryptoProvider.RSADecrypt(DefaultShaFunctionForDecrypt, "UnKnown", "", body.requestBody.KeyAccess.WrappedKey) + symmetricKey, err := p.CryptoProvider.RSADecrypt(crypto.SHA1, "UnKnown", "", body.requestBody.KeyAccess.WrappedKey) if err != nil { slog.WarnContext(ctx, "failure to decrypt dek", "err", err) return nil, err400("bad request") @@ -309,9 +301,14 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, body *verifiedRequest) (*kasp return nil, err403("forbidden") } - rewrappedKey, err := tdf3.EncryptWithPublicKey(symmetricKey, body.publicKey.(*rsa.PublicKey)) + asymEncrypt, err := ocrypto.NewAsymEncryption(body.requestBody.ClientPublicKey) if err != nil { - slog.WarnContext(ctx, "rewrap: encryptWithPublicKey failed", "err", err, "clientPublicKey", &body.publicKey) + slog.WarnContext(ctx, "ocrypto.NewAsymEncryption:", "err", err) + } + + rewrappedKey, err := asymEncrypt.Encrypt(symmetricKey) + if err != nil { + slog.WarnContext(ctx, "rewrap: ocrypto.AsymEncryption.encrypt failed", "err", err, "clientPublicKey", &body.publicKey) return nil, err400("bad key for rewrap") } @@ -391,21 +388,15 @@ func nanoTDFRewrap( } func wrapKeyAES(sessionKey, dek []byte) ([]byte, error) { - block, err := aes.NewCipher(sessionKey) + gcm, err := ocrypto.NewAESGcm(sessionKey) if err != nil { - return nil, fmt.Errorf("failed to create cipher block: %w", err) + return nil, fmt.Errorf("crypto.NewAESGcm:%w", err) } - aesGcm, err := cipher.NewGCMWithTagSize(block, tagSize) + cipherText, err := gcm.Encrypt(dek) if err != nil { - return nil, fmt.Errorf("failed to create NewGCMWithTagSize: %w", err) - } - - iv := make([]byte, ivSize) - if _, err = io.ReadFull(rand.Reader, iv); err != nil { - return nil, fmt.Errorf("failed to generate IV: %w", err) + return nil, fmt.Errorf("crypto.AsymEncryption.encrypt:%w", err) } - cipherText := aesGcm.Seal(iv, iv, dek, nil) return cipherText, nil } diff --git a/services/kas/access/rewrap_test.go b/services/kas/access/rewrap_test.go index 64ae675a8f..4f4543e0c0 100644 --- a/services/kas/access/rewrap_test.go +++ b/services/kas/access/rewrap_test.go @@ -494,11 +494,12 @@ func TestLegacyBearerTokenEtc(t *testing.T) { } func TestHandlerAuthFailure0(t *testing.T) { + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } body := `{"mock": "value"}` @@ -510,11 +511,12 @@ func TestHandlerAuthFailure0(t *testing.T) { } func TestHandlerAuthFailure1(t *testing.T) { + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } body := `{"mock": "value"}` @@ -530,11 +532,12 @@ func TestHandlerAuthFailure1(t *testing.T) { } func TestHandlerAuthFailure2(t *testing.T) { + hsmSession, _ := security.New(&security.HSMConfig{}) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ - URI: *kasURI, - Session: security.HSMSession{}, - OIDCVerifier: nil, + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, } body := `{"mock": "value"}` From f7955dd87270d1aa36052e38fec2f22563a97b3a Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 13:53:25 -0400 Subject: [PATCH 05/34] Fix Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c7ef36cc67..45df89dc0d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ WORKDIR /app # dependencies, add local,dependant package here COPY protocol/ protocol/ COPY sdk/ sdk/ -COPY lib/crypto lib/crypto +COPY lib/ocrypto lib/ocrypto COPY services/ services/ COPY examples/ examples/ COPY Makefile ./ From b40a49e94c31da23d04400516b044ac68a44ef67 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 13:56:11 -0400 Subject: [PATCH 06/34] Fix build --- examples/go.mod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/go.mod b/examples/go.mod index 50659bb787..95661e3f76 100644 --- a/examples/go.mod +++ b/examples/go.mod @@ -11,7 +11,7 @@ require ( ) replace ( - github.com/opentdf/platform/lib/crypto => ../lib/crypto + github.com/opentdf/platform/lib/ocrypto => ../lib/ocrypto github.com/opentdf/platform/protocol/go => ../protocol/go github.com/opentdf/platform/sdk => ../sdk ) @@ -32,7 +32,7 @@ require ( github.com/lestrrat-go/iter v1.0.2 // indirect github.com/lestrrat-go/jwx/v2 v2.0.21 // indirect github.com/lestrrat-go/option v1.0.1 // indirect - github.com/opentdf/platform/lib/crypto v0.0.0-00010101000000-000000000000 // indirect + github.com/opentdf/platform/lib/ocrypto v0.0.0-00010101000000-000000000000 // indirect github.com/rogpeppe/go-internal v1.12.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/segmentio/asm v1.2.0 // indirect From b920593c8786d335629ae1eb821536f2ed280e5e Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 14:17:38 -0400 Subject: [PATCH 07/34] fix the build --- services/kas/access/provider.go | 4 +--- services/kas/access/rewrap.go | 4 ++-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/services/kas/access/provider.go b/services/kas/access/provider.go index 564d3be00e..5b62d1cbd4 100644 --- a/services/kas/access/provider.go +++ b/services/kas/access/provider.go @@ -1,12 +1,10 @@ package access import ( - "github.com/opentdf/platform/internal/security" otdf "github.com/opentdf/platform/sdk" + "github.com/opentdf/platform/services/internal/security" "net/url" - - "github.com/opentdf/platform/services/internal/security" "github.com/coreos/go-oidc/v3/oidc" kaspb "github.com/opentdf/platform/protocol/go/kas" ) diff --git a/services/kas/access/rewrap.go b/services/kas/access/rewrap.go index 2c279f7d70..a2f88b6007 100644 --- a/services/kas/access/rewrap.go +++ b/services/kas/access/rewrap.go @@ -17,11 +17,11 @@ import ( "errors" "fmt" "github.com/opentdf/platform/protocol/go/authorization" + "github.com/opentdf/platform/services/internal/auth" + "github.com/opentdf/platform/services/internal/security" "log/slog" "strings" - "github.com/opentdf/platform/internal/auth" - "github.com/opentdf/platform/internal/security" ocrypto "github.com/opentdf/platform/lib/ocrypto" kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/services/kas/nanotdf" From eb94914de18d929025da6bf2670f3e03f7343ebe Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 15:56:13 -0400 Subject: [PATCH 08/34] go lint fix --- sdk/auth_config.go | 5 +++-- sdk/idp_access_token_source.go | 3 ++- sdk/kas_client.go | 3 ++- sdk/kas_client_test.go | 3 ++- sdk/tdf.go | 3 ++- sdk/tdf_config.go | 1 + sdk/tdf_test.go | 5 +++-- 7 files changed, 15 insertions(+), 8 deletions(-) diff --git a/sdk/auth_config.go b/sdk/auth_config.go index f99ab4b467..b5eaeee80a 100644 --- a/sdk/auth_config.go +++ b/sdk/auth_config.go @@ -5,14 +5,15 @@ import ( "context" "encoding/json" "fmt" - "github.com/golang-jwt/jwt/v4" - ocrypto "github.com/opentdf/platform/lib/ocrypto" "io" "log/slog" "net/http" "net/url" "strings" "time" + + "github.com/golang-jwt/jwt/v4" + ocrypto "github.com/opentdf/platform/lib/ocrypto" ) type AuthConfig struct { diff --git a/sdk/idp_access_token_source.go b/sdk/idp_access_token_source.go index d1ed53553a..acc78ce6df 100644 --- a/sdk/idp_access_token_source.go +++ b/sdk/idp_access_token_source.go @@ -6,12 +6,13 @@ import ( "crypto/x509" "encoding/pem" "fmt" - ocrypto "github.com/opentdf/platform/lib/ocrypto" "log/slog" "net/url" "strings" "sync" + ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/opentdf/platform/sdk/auth" diff --git a/sdk/kas_client.go b/sdk/kas_client.go index c03eb9d47b..354648cefd 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go @@ -4,10 +4,11 @@ import ( "context" "encoding/json" "fmt" - ocrypto "github.com/opentdf/platform/lib/ocrypto" "net/url" "time" + ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" kas "github.com/opentdf/platform/protocol/go/kas" diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index 4756ea1ed8..c90dc6df10 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -2,9 +2,10 @@ package sdk import ( "encoding/json" - ocrypto "github.com/opentdf/platform/lib/ocrypto" "testing" + ocrypto "github.com/opentdf/platform/lib/ocrypto" + "google.golang.org/grpc" "github.com/lestrrat-go/jwx/v2/jwa" diff --git a/sdk/tdf.go b/sdk/tdf.go index 1cc39a17d6..6d36a40076 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -6,11 +6,12 @@ import ( "encoding/json" "errors" "fmt" - ocrypto "github.com/opentdf/platform/lib/ocrypto" "io" "math" "strings" + ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/google/uuid" "github.com/opentdf/platform/sdk/internal/archive" ) diff --git a/sdk/tdf_config.go b/sdk/tdf_config.go index aa178ab3b3..a5311a1bd5 100644 --- a/sdk/tdf_config.go +++ b/sdk/tdf_config.go @@ -2,6 +2,7 @@ package sdk import ( "fmt" + ocrypto "github.com/opentdf/platform/lib/ocrypto" ) diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go index f69fcd0b43..6e94794c6e 100644 --- a/sdk/tdf_test.go +++ b/sdk/tdf_test.go @@ -7,8 +7,6 @@ import ( "encoding/json" "errors" "fmt" - "github.com/golang-jwt/jwt/v4" - ocrypto "github.com/opentdf/platform/lib/ocrypto" "io" "math" "net/http" @@ -19,6 +17,9 @@ import ( "strings" "testing" + "github.com/golang-jwt/jwt/v4" + ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/stretchr/testify/assert" ) From 4ab185f2377c27c9b566671a5d23a3f35c147d21 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 16:22:41 -0400 Subject: [PATCH 09/34] fix lint errors --- services/internal/security/crypto_provider.go | 6 +++- services/internal/security/hsm.go | 4 +-- services/internal/security/standard_crypto.go | 13 ++++++++ services/internal/server/server.go | 9 ++++- services/kas/access/rewrap.go | 33 ++++++++----------- 5 files changed, 42 insertions(+), 23 deletions(-) diff --git a/services/internal/security/crypto_provider.go b/services/internal/security/crypto_provider.go index 360a176713..d11681c650 100644 --- a/services/internal/security/crypto_provider.go +++ b/services/internal/security/crypto_provider.go @@ -13,8 +13,12 @@ type Config struct { type CryptoProvider interface { RSAPublicKey(keyId string) (string, error) RSAPublicKeyAsJson(keyId string) (string, error) - ECPublicKey(keyId string) (string, error) RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) + + ECPublicKey(keyId string) (string, error) + GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error) + GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) + GenerateNanoTDFSessionKey(privateKeyHandle PrivateKeyEC, ephemeralPublicKey []byte) ([]byte, error) } func NewCryptoProvider(cfg Config) (CryptoProvider, error) { diff --git a/services/internal/security/hsm.go b/services/internal/security/hsm.go index 8effd5c315..93f7171a43 100644 --- a/services/internal/security/hsm.go +++ b/services/internal/security/hsm.go @@ -516,7 +516,7 @@ func hashToPKCS11(hashFunction crypto.Hash) (hashAlg uint, mgfAlg uint, hashLen } } -func (h *HSMSession) GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte, key PrivateKeyEC) ([]byte, error) { +func (h *HSMSession) GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error) { template := []*pkcs11.Attribute{ pkcs11.NewAttribute(pkcs11.CKA_TOKEN, false), pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_SECRET_KEY), @@ -535,7 +535,7 @@ func (h *HSMSession) GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte, pkcs11.NewMechanism(pkcs11.CKM_ECDH1_DERIVE, ¶ms), } - handle, err := h.ctx.DeriveKey(h.sh, mech, pkcs11.ObjectHandle(key), template) + handle, err := h.ctx.DeriveKey(h.sh, mech, pkcs11.ObjectHandle(h.EC.PrivateKey), template) if err != nil { return nil, fmt.Errorf("failed to derive symmetric key: %w", err) } diff --git a/services/internal/security/standard_crypto.go b/services/internal/security/standard_crypto.go index 0546e55050..2e08cef5d5 100644 --- a/services/internal/security/standard_crypto.go +++ b/services/internal/security/standard_crypto.go @@ -13,6 +13,7 @@ import ( ) var ( + errNotImplemented = errors.New("standard crypto for nano not implemented") errStandardCryptoNotEnabled = errors.New("standard crypto flag is enabled in the config") errStandardCryptoObjIsInvalid = errors.New("standard crypto object is invalid") ) @@ -136,3 +137,15 @@ func (s StandardCrypto) RSAPublicKeyAsJson(keyId string) (string, error) { return string(jsonPublicKey), nil } + +func (s StandardCrypto) GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error) { + return nil, errNotImplemented +} + +func (s StandardCrypto) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) { + return 0, nil, errNotImplemented +} + +func (s StandardCrypto) GenerateNanoTDFSessionKey(privateKeyHandle PrivateKeyEC, ephemeralPublicKey []byte) ([]byte, error) { + return nil, errNotImplemented +} diff --git a/services/internal/server/server.go b/services/internal/server/server.go index a98d59ac7e..28f4ed95e3 100644 --- a/services/internal/server/server.go +++ b/services/internal/server/server.go @@ -131,11 +131,18 @@ func NewOpenTDFServer(config Config, d *db.Client) (*OpenTDFServer, error) { if config.CryptoProvider.HSMConfig.Enabled { config.CryptoProvider.Type = "hsm" o.CryptoProvider, err = security.NewCryptoProvider(config.CryptoProvider) - slog.Info("✅crypto provider: HSM") + if err != nil { + return nil, fmt.Errorf("HSM security.NewCryptoProvider: %w", err) + } + slog.Info("✅crypto provider: HSM") } else { config.CryptoProvider.Type = "standard" o.CryptoProvider, err = security.NewCryptoProvider(config.CryptoProvider) + if err != nil { + return nil, fmt.Errorf("standard security.NewCryptoProvider: %w", err) + } + slog.Info("✅ crypto provider: standard") } diff --git a/services/kas/access/rewrap.go b/services/kas/access/rewrap.go index a2f88b6007..ff5bf658cc 100644 --- a/services/kas/access/rewrap.go +++ b/services/kas/access/rewrap.go @@ -16,12 +16,12 @@ import ( "encoding/pem" "errors" "fmt" - "github.com/opentdf/platform/protocol/go/authorization" - "github.com/opentdf/platform/services/internal/auth" - "github.com/opentdf/platform/services/internal/security" "log/slog" "strings" + "github.com/opentdf/platform/protocol/go/authorization" + "github.com/opentdf/platform/services/internal/auth" + ocrypto "github.com/opentdf/platform/lib/ocrypto" kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/services/kas/nanotdf" @@ -125,9 +125,9 @@ type verifiedRequest struct { } func (p *Provider) verifyBearerAndParseRequestBody(ctx context.Context, in *kaspb.RewrapRequest) (*verifiedRequest, error) { - idToken, err := p.OIDCVerifier.Verify(ctx, in.Bearer) + idToken, err := p.OIDCVerifier.Verify(ctx, in.GetBearer()) if err != nil { - slog.WarnContext(ctx, "unable verify bearer token", "err", err, "bearer", in.Bearer, "oidc", p.OIDCVerifier) + slog.WarnContext(ctx, "unable verify bearer token", "err", err, "bearer", in.GetBearer(), "oidc", p.OIDCVerifier) return nil, err403("403") } @@ -139,7 +139,7 @@ func (p *Provider) verifyBearerAndParseRequestBody(ctx context.Context, in *kasp } slog.DebugContext(ctx, "verified", "claims", cl) - requestToken, err := jwt.ParseSigned(in.SignedRequestToken) + requestToken, err := jwt.ParseSigned(in.GetSignedRequestToken()) if err != nil { slog.WarnContext(ctx, "unable parse request", "err", err) return nil, err400("bad request") @@ -190,9 +190,9 @@ func (p *Provider) verifyBearerAndParseRequestBody(ctx context.Context, in *kasp } switch clientPublicKey.(type) { case *rsa.PublicKey: - return &verifiedRequest{clientPublicKey, &requestBody, &cl, in.Bearer}, nil + return &verifiedRequest{clientPublicKey, &requestBody, &cl, in.GetBearer()}, nil case *ecdsa.PublicKey: - return &verifiedRequest{clientPublicKey, &requestBody, &cl, in.Bearer}, nil + return &verifiedRequest{clientPublicKey, &requestBody, &cl, in.GetBearer()}, nil } slog.WarnContext(ctx, fmt.Sprintf("clientPublicKey not a supported key, was [%T]", clientPublicKey)) return nil, err400("clientPublicKey unsupported type") @@ -235,7 +235,7 @@ func (p *Provider) verifyAndParsePolicy(ctx context.Context, requestBody *Reques func (p *Provider) Rewrap(ctx context.Context, in *kaspb.RewrapRequest) (*kaspb.RewrapResponse, error) { slog.DebugContext(ctx, "REWRAP") - bearer, err := legacyBearerToken(ctx, in.Bearer) + bearer, err := legacyBearerToken(ctx, in.GetBearer()) if err != nil { return nil, err } @@ -256,8 +256,7 @@ func (p *Provider) Rewrap(ctx context.Context, in *kaspb.RewrapRequest) (*kaspb. } if body.requestBody.Algorithm == "ec:secp256r1" { - //return nanoTDFRewrap(*body, &p.Session, p.Session.EC.PrivateKey) - return nil, fmt.Errorf("BUG: NanoTDF is disabled") + return p.nanoTDFRewrap(*body) } return p.tdf3Rewrap(ctx, body) } @@ -319,11 +318,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, body *verifiedRequest) (*kasp }, nil } -func nanoTDFRewrap( - body verifiedRequest, - session *security.HSMSession, - key security.PrivateKeyEC, -) (*kaspb.RewrapResponse, error) { +func (p *Provider) nanoTDFRewrap(body verifiedRequest) (*kaspb.RewrapResponse, error) { headerReader := bytes.NewReader(body.requestBody.KeyAccess.Header) header, err := nanotdf.ReadNanoTDFHeader(headerReader) @@ -331,7 +326,7 @@ func nanoTDFRewrap( return nil, fmt.Errorf("failed to parse NanoTDF header: %w", err) } - symmetricKey, err := session.GenerateNanoTDFSymmetricKey(header.EphemeralPublicKey.Key, key) + symmetricKey, err := p.CryptoProvider.GenerateNanoTDFSymmetricKey(header.EphemeralPublicKey.Key) if err != nil { return nil, fmt.Errorf("failed to generate symmetric key: %w", err) } @@ -348,11 +343,11 @@ func nanoTDFRewrap( return nil, fmt.Errorf("failed to serialize keypair: %v", pub) } - privateKeyHandle, publicKeyHandle, err := session.GenerateEphemeralKasKeys() + privateKeyHandle, publicKeyHandle, err := p.CryptoProvider.GenerateEphemeralKasKeys() if err != nil { return nil, fmt.Errorf("failed to generate keypair: %w", err) } - sessionKey, err := session.GenerateNanoTDFSessionKey(privateKeyHandle, pubKeyBytes) + sessionKey, err := p.CryptoProvider.GenerateNanoTDFSessionKey(privateKeyHandle, pubKeyBytes) if err != nil { return nil, fmt.Errorf("failed to generate session key: %w", err) } From 8214acdfffe984e6820eab0e2e406867aa2d47a7 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 16:29:44 -0400 Subject: [PATCH 10/34] fix lint errors --- services/internal/security/hsm_test.go | 3 +-- services/kas/access/publicKey.go | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/services/internal/security/hsm_test.go b/services/internal/security/hsm_test.go index 0bc208e42e..a9b4c73aaa 100644 --- a/services/internal/security/hsm_test.go +++ b/services/internal/security/hsm_test.go @@ -105,8 +105,7 @@ func TestDecryptOAEPUnsupportedRSAFailure(t *testing.T) { sh: sessionHandle, } - unsupportedRSA := "BLAKE2b_384" - decrypted, err := session.RSADecrypt(unsupportedRSA, "unknown", "sample label", []byte("sample ciphertext")) + decrypted, err := session.RSADecrypt(crypto.BLAKE2b_384, "unknown", "sample label", []byte("sample ciphertext")) t.Log(err) t.Log(decrypted) diff --git a/services/kas/access/publicKey.go b/services/kas/access/publicKey.go index e5b04741ad..c4203e33f9 100644 --- a/services/kas/access/publicKey.go +++ b/services/kas/access/publicKey.go @@ -54,7 +54,7 @@ func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (* return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) } - return &kaspb.PublicKeyResponse{PublicKey: string(ecPublicKeyPem)}, nil + return &kaspb.PublicKeyResponse{PublicKey: ecPublicKeyPem}, nil } if in.Fmt == "jwk" { From dcc1435d22cf6c99f8eee003cd0884dc9cdc33bd Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 16:38:48 -0400 Subject: [PATCH 11/34] Fix lint error --- services/internal/security/hsm.go | 4 ++-- services/internal/security/standard_crypto.go | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/services/internal/security/hsm.go b/services/internal/security/hsm.go index 93f7171a43..55c0d8a12d 100644 --- a/services/internal/security/hsm.go +++ b/services/internal/security/hsm.go @@ -10,13 +10,14 @@ import ( "encoding/pem" "errors" "fmt" - "github.com/lestrrat-go/jwx/v2/jwk" "io" "log/slog" "os" "os/exec" "strings" + "github.com/lestrrat-go/jwx/v2/jwk" + "github.com/miekg/pkcs11" "golang.org/x/crypto/hkdf" ) @@ -702,7 +703,6 @@ func (h *HSMSession) ECPublicKey(keyId string) (string, error) { } func (h *HSMSession) RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { - // TODO: For now ignore the key id slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) diff --git a/services/internal/security/standard_crypto.go b/services/internal/security/standard_crypto.go index 2e08cef5d5..059859a28b 100644 --- a/services/internal/security/standard_crypto.go +++ b/services/internal/security/standard_crypto.go @@ -6,10 +6,11 @@ import ( "encoding/json" "errors" "fmt" - "github.com/lestrrat-go/jwx/v2/jwk" - ocrypto "github.com/opentdf/platform/lib/ocrypto" "log/slog" "os" + + "github.com/lestrrat-go/jwx/v2/jwk" + ocrypto "github.com/opentdf/platform/lib/ocrypto" ) var ( @@ -80,7 +81,6 @@ func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error) { } func (s StandardCrypto) RSAPublicKey(keyId string) (string, error) { - if len(s.rsaKeys) == 0 { return "", errStandardCryptoObjIsInvalid } @@ -101,7 +101,6 @@ func (s StandardCrypto) ECPublicKey(keyId string) (string, error) { } func (s StandardCrypto) RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { - if len(s.rsaKeys) == 0 { return nil, errStandardCryptoObjIsInvalid } From 34839907110781a32cb81d65446646f6e6d1fa45 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:09:32 -0400 Subject: [PATCH 12/34] Fix lint errors --- Makefile | 4 ++-- service/kas/access/publicKey.go | 17 ++--------------- service/kas/access/rewrap.go | 5 +---- 3 files changed, 5 insertions(+), 21 deletions(-) diff --git a/Makefile b/Makefile index 88f7ddc47d..f9e451e458 100644 --- a/Makefile +++ b/Makefile @@ -3,8 +3,8 @@ .PHONY: all build clean docker-build fix go-lint lint proto-generate proto-lint sdk/sdk test toolcheck -MODS=protocol/go lib/ocrypto sdk services examples -HAND_MODS=lib/ocrypto sdk services examples +MODS=protocol/go lib/ocrypto sdk service examples +HAND_MODS=lib/ocrypto sdk service examples EXCLUDE_OPENAPI=./service/authorization/idp_plugin.proto diff --git a/service/kas/access/publicKey.go b/service/kas/access/publicKey.go index 43c7cd7bc4..9e96af28b8 100644 --- a/service/kas/access/publicKey.go +++ b/service/kas/access/publicKey.go @@ -57,16 +57,8 @@ func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (* return &kaspb.PublicKeyResponse{PublicKey: ecPublicKeyPem}, nil } -<<<<<<< HEAD:services/kas/access/publicKey.go - if in.Fmt == "jwk" { - rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKeyAsJson("unknown") -======= - if p.Session.RSA == nil { - return nil, err404("not found") - } if in.GetFmt() == "jwk" { - rsaPublicKeyJwk, err := jwk.FromRaw(p.Session.RSA.PublicKey) ->>>>>>> main:service/kas/access/publicKey.go + rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKeyAsJson("unknown") if err != nil { slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) @@ -75,13 +67,8 @@ func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (* return &kaspb.PublicKeyResponse{PublicKey: rsaPublicKeyPem}, nil } -<<<<<<< HEAD:services/kas/access/publicKey.go - if in.Fmt == "pkcs8" { - rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKey("unknown") -======= if in.GetFmt() == "pkcs8" { - certificatePem, err := exportCertificateAsPemStr(p.Session.RSA.Certificate) ->>>>>>> main:service/kas/access/publicKey.go + rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKey("unknown") if err != nil { slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 81c8b68aef..afc421f429 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -16,16 +16,13 @@ import ( "encoding/pem" "errors" "fmt" - "io" "log/slog" "strings" - "github.com/opentdf/platform/protocol/go/authorization" - "github.com/opentdf/platform/services/internal/auth" ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/protocol/go/authorization" kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/service/internal/auth" - "github.com/opentdf/platform/service/internal/security" "github.com/opentdf/platform/service/kas/nanotdf" "github.com/opentdf/platform/service/kas/tdf3" "google.golang.org/grpc/codes" From 98307e22e0c81def7fcf6b6f373bb731f27eeeba Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:14:21 -0400 Subject: [PATCH 13/34] github flow fixes --- .github/workflows/checks.yaml | 2 +- .github/workflows/lint-all.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 0593d2ffcc..c1bd33f3c0 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -36,7 +36,7 @@ jobs: directory: - examples - sdk - - services + - service - lib/ocrypto steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 diff --git a/.github/workflows/lint-all.yaml b/.github/workflows/lint-all.yaml index 1d25082874..4fd9a31304 100644 --- a/.github/workflows/lint-all.yaml +++ b/.github/workflows/lint-all.yaml @@ -14,9 +14,9 @@ jobs: strategy: matrix: directory: - - "." - sdk - lib/ocrypto + - service - examples steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 @@ -27,6 +27,7 @@ jobs: ./go.sum sdk/go.sum examples/go.sum + service/go.sum - run: make go.work - name: golangci-lint # uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc From 1d200d45a1879b8db90423b1d5fbc276d24ddfff Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:16:38 -0400 Subject: [PATCH 14/34] fix the build --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7d83989ea2..8e5047aaed 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ WORKDIR /app COPY protocol/ protocol/ COPY sdk/ sdk/ COPY lib/ocrypto lib/ocrypto -COPY services/ services/ +COPY service/ service/ COPY examples/ examples/ COPY Makefile ./ RUN cd service \ From d4c4a1064f01537f23486af56ab8e9bf76a24013 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:24:43 -0400 Subject: [PATCH 15/34] Fix lint error --- .github/workflows/lint-all.yaml | 1 - service/internal/security/crypto_provider.go | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/lint-all.yaml b/.github/workflows/lint-all.yaml index 4fd9a31304..cf239c4d52 100644 --- a/.github/workflows/lint-all.yaml +++ b/.github/workflows/lint-all.yaml @@ -24,7 +24,6 @@ jobs: with: go-version: "1.21" cache-dependency-path: | - ./go.sum sdk/go.sum examples/go.sum service/go.sum diff --git a/service/internal/security/crypto_provider.go b/service/internal/security/crypto_provider.go index d11681c650..e002bf7c58 100644 --- a/service/internal/security/crypto_provider.go +++ b/service/internal/security/crypto_provider.go @@ -11,11 +11,11 @@ type Config struct { } type CryptoProvider interface { - RSAPublicKey(keyId string) (string, error) - RSAPublicKeyAsJson(keyId string) (string, error) - RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) + RSAPublicKey(keyID string) (string, error) + RSAPublicKeyAsJson(keyID string) (string, error) + RSADecrypt(hash crypto.Hash, keyID string, keyLabel string, ciphertext []byte) ([]byte, error) - ECPublicKey(keyId string) (string, error) + ECPublicKey(keyID string) (string, error) GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) GenerateNanoTDFSessionKey(privateKeyHandle PrivateKeyEC, ephemeralPublicKey []byte) ([]byte, error) From 9a13e7989aa3b2b9cf122c5255b45f75ea35b653 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:33:05 -0400 Subject: [PATCH 16/34] Fixed lint errors --- service/internal/security/hsm.go | 14 +++++++------- service/internal/security/standard_crypto.go | 19 +++++++++---------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/service/internal/security/hsm.go b/service/internal/security/hsm.go index 55c0d8a12d..5b7301426d 100644 --- a/service/internal/security/hsm.go +++ b/service/internal/security/hsm.go @@ -647,9 +647,9 @@ func (h *HSMSession) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) { return PrivateKeyEC(prvHandle), publicKeyBytes, nil } -func (h *HSMSession) RSAPublicKey(keyId string) (string, error) { +func (h *HSMSession) RSAPublicKey(keyID string) (string, error) { // TODO: For now ignore the key id - slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + slog.Info("⚠️ Ignoring the", slog.String("key id", keyID)) pubkeyBytes, err := x509.MarshalPKIXPublicKey(h.RSA.PublicKey) if err != nil { @@ -669,9 +669,9 @@ func (h *HSMSession) RSAPublicKey(keyId string) (string, error) { return string(certPem), nil } -func (h *HSMSession) RSAPublicKeyAsJson(keyId string) (string, error) { +func (h *HSMSession) RSAPublicKeyAsJSON(keyID string) (string, error) { // TODO: For now ignore the key id - slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + slog.Info("⚠️ Ignoring the", slog.String("key id", keyID)) rsaPublicKeyJwk, err := jwk.FromRaw(h.RSA.PublicKey) if err != nil { @@ -686,7 +686,7 @@ func (h *HSMSession) RSAPublicKeyAsJson(keyId string) (string, error) { return string(jsonPublicKey), nil } -func (h *HSMSession) ECPublicKey(keyId string) (string, error) { +func (h *HSMSession) ECPublicKey(string) (string, error) { pubkeyBytes, err := x509.MarshalPKIXPublicKey(h.EC.PublicKey) if err != nil { return "", errors.Join(ErrPublicKeyMarshal, err) @@ -702,9 +702,9 @@ func (h *HSMSession) ECPublicKey(keyId string) (string, error) { return string(pubkeyPem), nil } -func (h *HSMSession) RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { +func (h *HSMSession) RSADecrypt(hash crypto.Hash, keyID string, keyLabel string, ciphertext []byte) ([]byte, error) { // TODO: For now ignore the key id - slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + slog.Info("⚠️ Ignoring the", slog.String("key id", keyID)) hashAlg, mgfAlg, _, err := hashToPKCS11(hash) if err != nil { diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go index 059859a28b..4a5ca5d5ad 100644 --- a/service/internal/security/standard_crypto.go +++ b/service/internal/security/standard_crypto.go @@ -15,7 +15,6 @@ import ( var ( errNotImplemented = errors.New("standard crypto for nano not implemented") - errStandardCryptoNotEnabled = errors.New("standard crypto flag is enabled in the config") errStandardCryptoObjIsInvalid = errors.New("standard crypto object is invalid") ) @@ -80,13 +79,13 @@ func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error) { return standardCrypto, nil } -func (s StandardCrypto) RSAPublicKey(keyId string) (string, error) { +func (s StandardCrypto) RSAPublicKey(keyID string) (string, error) { if len(s.rsaKeys) == 0 { return "", errStandardCryptoObjIsInvalid } // TODO: For now ignore the key id - slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + slog.Info("⚠️ Ignoring the", slog.String("key id", keyID)) pem, err := s.rsaKeys[0].asymEncryption.PublicKeyInPemFormat() if err != nil { @@ -96,17 +95,17 @@ func (s StandardCrypto) RSAPublicKey(keyId string) (string, error) { return pem, nil } -func (s StandardCrypto) ECPublicKey(keyId string) (string, error) { +func (s StandardCrypto) ECPublicKey(string) (string, error) { return "", nil } -func (s StandardCrypto) RSADecrypt(hash crypto.Hash, keyId string, keyLabel string, ciphertext []byte) ([]byte, error) { +func (s StandardCrypto) RSADecrypt(_ crypto.Hash, keyID string, _ string, ciphertext []byte) ([]byte, error) { if len(s.rsaKeys) == 0 { return nil, errStandardCryptoObjIsInvalid } // TODO: For now ignore the key id - slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + slog.Info("⚠️ Ignoring the", slog.String("key id", keyID)) data, err := s.rsaKeys[0].asymDecryption.Decrypt(ciphertext) if err != nil { @@ -116,13 +115,13 @@ func (s StandardCrypto) RSADecrypt(hash crypto.Hash, keyId string, keyLabel stri return data, nil } -func (s StandardCrypto) RSAPublicKeyAsJson(keyId string) (string, error) { +func (s StandardCrypto) RSAPublicKeyAsJson(keyID string) (string, error) { if len(s.rsaKeys) == 0 { return "", errStandardCryptoObjIsInvalid } // TODO: For now ignore the key id - slog.Info("⚠️ Ignoring the", slog.String("key id", keyId)) + slog.Info("⚠️ Ignoring the", slog.String("key id", keyID)) rsaPublicKeyJwk, err := jwk.FromRaw(s.rsaKeys[0].asymEncryption.PublicKey) if err != nil { @@ -137,7 +136,7 @@ func (s StandardCrypto) RSAPublicKeyAsJson(keyId string) (string, error) { return string(jsonPublicKey), nil } -func (s StandardCrypto) GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error) { +func (s StandardCrypto) GenerateNanoTDFSymmetricKey([]byte) ([]byte, error) { return nil, errNotImplemented } @@ -145,6 +144,6 @@ func (s StandardCrypto) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) return 0, nil, errNotImplemented } -func (s StandardCrypto) GenerateNanoTDFSessionKey(privateKeyHandle PrivateKeyEC, ephemeralPublicKey []byte) ([]byte, error) { +func (s StandardCrypto) GenerateNanoTDFSessionKey(PrivateKeyEC, []byte) ([]byte, error) { return nil, errNotImplemented } From 9a5987e7df356a5b541ae2ee6539da5e910dd1e0 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:39:15 -0400 Subject: [PATCH 17/34] Fix the integeration test --- .github/workflows/checks.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index c1bd33f3c0..ab64564d65 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -99,7 +99,6 @@ jobs: echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf echo "log.level = DEBUG" >> softhsm2.conf echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" - echo "OPENTDF_SERVER_HSM_PIN=$(openssl rand -hex 4)" >> "$GITHUB_ENV" - run: .github/scripts/hsm-init-temporary-keys.sh - run: docker compose up -d --wait --wait-timeout 240 - run: cp opentdf-example.yaml opentdf.yaml From 30deedadebbf26d7084db2a8a13b06057e5e83a0 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:42:18 -0400 Subject: [PATCH 18/34] Fix lint errors --- service/internal/security/crypto_provider.go | 2 +- service/internal/security/standard_crypto.go | 2 +- service/kas/access/publicKey.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/service/internal/security/crypto_provider.go b/service/internal/security/crypto_provider.go index e002bf7c58..245fb5c126 100644 --- a/service/internal/security/crypto_provider.go +++ b/service/internal/security/crypto_provider.go @@ -12,7 +12,7 @@ type Config struct { type CryptoProvider interface { RSAPublicKey(keyID string) (string, error) - RSAPublicKeyAsJson(keyID string) (string, error) + RSAPublicKeyAsJSON(keyID string) (string, error) RSADecrypt(hash crypto.Hash, keyID string, keyLabel string, ciphertext []byte) ([]byte, error) ECPublicKey(keyID string) (string, error) diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go index 4a5ca5d5ad..da8854dcc4 100644 --- a/service/internal/security/standard_crypto.go +++ b/service/internal/security/standard_crypto.go @@ -115,7 +115,7 @@ func (s StandardCrypto) RSADecrypt(_ crypto.Hash, keyID string, _ string, cipher return data, nil } -func (s StandardCrypto) RSAPublicKeyAsJson(keyID string) (string, error) { +func (s StandardCrypto) RSAPublicKeyAsJSON(keyID string) (string, error) { if len(s.rsaKeys) == 0 { return "", errStandardCryptoObjIsInvalid } diff --git a/service/kas/access/publicKey.go b/service/kas/access/publicKey.go index 9e96af28b8..8f63df8e2f 100644 --- a/service/kas/access/publicKey.go +++ b/service/kas/access/publicKey.go @@ -58,7 +58,7 @@ func (p *Provider) PublicKey(ctx context.Context, in *kaspb.PublicKeyRequest) (* } if in.GetFmt() == "jwk" { - rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKeyAsJson("unknown") + rsaPublicKeyPem, err := p.CryptoProvider.RSAPublicKeyAsJSON("unknown") if err != nil { slog.ErrorContext(ctx, "CryptoProvider.RSAPublicKey failed", "err", err) return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error")) From a4c210dacd15303f7efd6d0570d0e153df01a210 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:46:55 -0400 Subject: [PATCH 19/34] fix the lint error --- service/internal/security/standard_crypto.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go index da8854dcc4..4668663629 100644 --- a/service/internal/security/standard_crypto.go +++ b/service/internal/security/standard_crypto.go @@ -2,7 +2,6 @@ package security import ( "crypto" - "crypto/ecdh" "encoding/json" "errors" "fmt" @@ -35,14 +34,14 @@ type StandardRSACrypto struct { } type StandardECCrypto struct { - Identifier string - ecPublicKey *ecdh.PublicKey - ecPrivateKey *ecdh.PrivateKey + Identifier string + //ecPublicKey *ecdh.PublicKey + //ecPrivateKey *ecdh.PrivateKey } type StandardCrypto struct { rsaKeys []StandardRSACrypto - ecKeys []StandardECCrypto + //ecKeys []StandardECCrypto } // NewStandardCrypto Create a new instance of standard crypto From b69212a6e701cba0516a96d68822007ee795dcc7 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 17:50:42 -0400 Subject: [PATCH 20/34] fix the lint error --- service/internal/security/standard_crypto.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go index 4668663629..37d8d29d2c 100644 --- a/service/internal/security/standard_crypto.go +++ b/service/internal/security/standard_crypto.go @@ -35,13 +35,13 @@ type StandardRSACrypto struct { type StandardECCrypto struct { Identifier string - //ecPublicKey *ecdh.PublicKey - //ecPrivateKey *ecdh.PrivateKey + // ecPublicKey *ecdh.PublicKey + // ecPrivateKey *ecdh.PrivateKey } type StandardCrypto struct { rsaKeys []StandardRSACrypto - //ecKeys []StandardECCrypto + // ecKeys []StandardECCrypto } // NewStandardCrypto Create a new instance of standard crypto From 70d18be713c38fa6598c3d20ee712b50798e1146 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 18:14:04 -0400 Subject: [PATCH 21/34] fix the test --- service/internal/security/hsm.go | 5 +++++ service/kas/access/publicKey_test.go | 15 --------------- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/service/internal/security/hsm.go b/service/internal/security/hsm.go index 5b7301426d..2a1bd2f3a5 100644 --- a/service/internal/security/hsm.go +++ b/service/internal/security/hsm.go @@ -23,6 +23,7 @@ import ( ) const ( + ErrCertNotFound = Error("not found") ErrCertificateEncode = Error("certificate encode error") ErrPublicKeyMarshal = Error("public key marshal error") ErrHSMUnexpected = Error("hsm unexpected") @@ -651,6 +652,10 @@ func (h *HSMSession) RSAPublicKey(keyID string) (string, error) { // TODO: For now ignore the key id slog.Info("⚠️ Ignoring the", slog.String("key id", keyID)) + if h.RSA == nil { + return "", ErrCertNotFound + } + pubkeyBytes, err := x509.MarshalPKIXPublicKey(h.RSA.PublicKey) if err != nil { return "", errors.Join(ErrPublicKeyMarshal, err) diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index 8895912d36..a4bd07b00a 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -134,21 +134,6 @@ func TestError(t *testing.T) { const hostname = "localhost" -func TestCertificateHandlerEmpty(t *testing.T) { - hsmSession, _ := security.New(&security.HSMConfig{}) - kasURI, _ := url.Parse("https://" + hostname + ":5000") - - kas := Provider{ - URI: *kasURI, - CryptoProvider: hsmSession, - OIDCVerifier: nil, - } - - result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Fmt: "pkcs8"}) - assert.Error(t, err, "not found") - assert.Nil(t, result) -} - func TestCertificateHandlerWithEc256(t *testing.T) { curve := elliptic.P256() privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) From 00844d108187e362256fc4fb0a76ab176bcf921d Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 21:09:07 -0400 Subject: [PATCH 22/34] Fix services tests --- service/kas/access/publicKey_test.go | 140 +++++++++++++-------------- 1 file changed, 65 insertions(+), 75 deletions(-) diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index a4bd07b00a..d6fbd832f3 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -22,6 +22,43 @@ import ( "github.com/stretchr/testify/assert" ) +var ( + config = security.Config{ + Type: "hsm", + HSMConfig: security.HSMConfig{ + Enabled: true, + ModulePath: "", + PIN: "12345", + SlotID: 0, + SlotLabel: "dev-token", + Keys: map[string]security.KeyInfo{ + "rsa": { + Name: "rsa", + Label: "development-rsa-kas", + }, + "ec": { + Name: "ec", + Label: "development-ec-kas", + }, + }, + }, + StandardConfig: security.StandardConfig{ + RSAKeys: map[string]security.StandardKeyInfo{ + "rsa": { + "kas-private.pem", + "kas-cert.pem", + }, + }, + ECKeys: map[string]security.StandardKeyInfo{ + "ec": { + "kas-ec-private.pem", + "kas-ec-cert.pem", + }, + }, + }, + } +) + func TestExportRsaPublicKeyAsPemStrSuccess(t *testing.T) { mockKey := &rsa.PublicKey{ N: big.NewInt(123), @@ -134,6 +171,25 @@ func TestError(t *testing.T) { const hostname = "localhost" +func TestCertificateHandlerEmpty(t *testing.T) { + config.HSMConfig.Keys = map[string]security.KeyInfo{ + "rsa": {}, + "ec": {}, + } + hsmSession, _ := security.NewCryptoProvider(config) + kasURI, _ := url.Parse("https://" + hostname + ":5000") + + kas := Provider{ + URI: *kasURI, + CryptoProvider: hsmSession, + OIDCVerifier: nil, + } + + result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Fmt: "pkcs8"}) + assert.Error(t, err, "not found") + assert.Nil(t, result) +} + func TestCertificateHandlerWithEc256(t *testing.T) { curve := elliptic.P256() privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) @@ -163,22 +219,13 @@ func TestCertificateHandlerWithEc256(t *testing.T) { } func TestPublicKeyHandlerWithEc256(t *testing.T) { - curve := elliptic.P256() - privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) - if err != nil { - t.Errorf("Failed to generate a private key: %v", err) - } - - hsmSession, _ := security.New(&security.HSMConfig{}) + hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, CryptoProvider: hsmSession, OIDCVerifier: nil, } - hsmSession.EC = &security.ECKeyPair{ - PublicKey: &privateKey.PublicKey, - } result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Algorithm: "ec:secp256r1"}) if err != nil { @@ -190,31 +237,13 @@ func TestPublicKeyHandlerWithEc256(t *testing.T) { } func TestPublicKeyHandlerV2(t *testing.T) { - mockPublicKeyRsa := rsa.PublicKey{ - N: big.NewInt(123), - E: 65537, - } - - curve := elliptic.P256() - privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) - if err != nil { - t.Errorf("Failed to generate a private key: %v", err) - } - - hsmSession, _ := security.New(&security.HSMConfig{}) + hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, CryptoProvider: hsmSession, OIDCVerifier: nil, } - hsmSession.EC = &security.ECKeyPair{ - PublicKey: &privateKey.PublicKey, - } - hsmSession.RSA = &security.RSAKeyPair{ - Certificate: &x509.Certificate{}, - PublicKey: &mockPublicKeyRsa, - } result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Algorithm: "rsa"}) if err != nil { @@ -226,54 +255,32 @@ func TestPublicKeyHandlerV2(t *testing.T) { } func TestPublicKeyHandlerV2Failure(t *testing.T) { - curve := elliptic.P256() - privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) - if err != nil { - t.Errorf("Failed to generate a private key: %v", err) + config.HSMConfig.Keys = map[string]security.KeyInfo{ + "rsa": {}, + "ec": {}, } - - hsmSession, _ := security.New(&security.HSMConfig{}) + hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, CryptoProvider: hsmSession, OIDCVerifier: nil, } - hsmSession.EC = &security.ECKeyPair{ - PublicKey: &privateKey.PublicKey, - } - _, err = kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Algorithm: "rsa"}) + _, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Algorithm: "rsa"}) if err == nil { t.Errorf("got nil error") } } func TestPublicKeyHandlerV2WithEc256(t *testing.T) { - mockPublicKeyRsa := rsa.PublicKey{ - N: big.NewInt(123), - E: 65537, - } - - curve := elliptic.P256() - privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) - if err != nil { - t.Errorf("Failed to generate a private key: %v", err) - } - hsmSession, _ := security.New(&security.HSMConfig{}) + hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, CryptoProvider: hsmSession, OIDCVerifier: nil, } - hsmSession.EC = &security.ECKeyPair{ - PublicKey: &privateKey.PublicKey, - } - hsmSession.RSA = &security.RSAKeyPair{ - Certificate: &x509.Certificate{}, - PublicKey: &mockPublicKeyRsa, - } result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Algorithm: "ec:secp256r1", V: "2"}) @@ -286,30 +293,13 @@ func TestPublicKeyHandlerV2WithEc256(t *testing.T) { } func TestPublicKeyHandlerV2WithJwk(t *testing.T) { - mockPublicKeyRsa := rsa.PublicKey{ - N: big.NewInt(123), - E: 65537, - } - - curve := elliptic.P256() - privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) - if err != nil { - t.Errorf("Failed to generate a private key: %v", err) - } - hsmSession, _ := security.New(&security.HSMConfig{}) + hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, CryptoProvider: hsmSession, OIDCVerifier: nil, } - hsmSession.EC = &security.ECKeyPair{ - PublicKey: &privateKey.PublicKey, - } - hsmSession.RSA = &security.RSAKeyPair{ - Certificate: &x509.Certificate{}, - PublicKey: &mockPublicKeyRsa, - } result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{ Algorithm: "rsa", From 6ed2fd800f960759d6a617c2733e6c8869c646b9 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 21:17:49 -0400 Subject: [PATCH 23/34] Fix lint error --- service/kas/access/publicKey_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index d6fbd832f3..5ce01a0466 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -45,14 +45,14 @@ var ( StandardConfig: security.StandardConfig{ RSAKeys: map[string]security.StandardKeyInfo{ "rsa": { - "kas-private.pem", - "kas-cert.pem", + PrivateKeyPath: "kas-private.pem", + PublicKeyPath: "kas-cert.pem", }, }, ECKeys: map[string]security.StandardKeyInfo{ "ec": { - "kas-ec-private.pem", - "kas-ec-cert.pem", + PrivateKeyPath: "kas-ec-private.pem", + PublicKeyPath: "kas-ec-cert.pem", }, }, }, From acdbccfca2ed314f30665eaca6a8674eb8920189 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Thu, 4 Apr 2024 21:26:37 -0400 Subject: [PATCH 24/34] Fix test --- service/kas/access/publicKey_test.go | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index 5ce01a0466..d04b7f98a7 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -191,29 +191,19 @@ func TestCertificateHandlerEmpty(t *testing.T) { } func TestCertificateHandlerWithEc256(t *testing.T) { - curve := elliptic.P256() - privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) - if err != nil { - t.Errorf("Failed to generate a private key: %v", err) - } - - hsmSession, _ := security.New(&security.HSMConfig{}) + hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, CryptoProvider: hsmSession, OIDCVerifier: nil, } - hsmSession.EC = &security.ECKeyPair{ - PublicKey: &privateKey.PublicKey, - Certificate: &x509.Certificate{}, - } result, err := kas.LegacyPublicKey(context.Background(), &kaspb.LegacyPublicKeyRequest{Algorithm: "ec:secp256r1"}) if err != nil { t.Errorf("got %s, but should be nil", err) } - if result == nil || !strings.Contains(result.GetValue(), "BEGIN CERTIFICATE") { + if result == nil || !strings.Contains(result.GetValue(), "BEGIN PUBLIC KEY") { t.Errorf("got %s, but should be cert", result) } } From 299cd9863674618dc00ab81442e982325cc0afa4 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 09:31:41 -0400 Subject: [PATCH 25/34] Fix service tests --- .github/workflows/checks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index ab64564d65..61f208524a 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -70,6 +70,7 @@ jobs: echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf echo "log.level = DEBUG" >> softhsm2.conf echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" + - run: .github/scripts/hsm-init-temporary-keys.sh - run: go test ./... -short working-directory: ${{ matrix.directory }} From 955c1f851367c57f394a91e24e86026c84d65553 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 09:37:00 -0400 Subject: [PATCH 26/34] Fix service tests --- .github/workflows/checks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 61f208524a..36d003bffb 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -70,7 +70,7 @@ jobs: echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf echo "log.level = DEBUG" >> softhsm2.conf echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" - - run: .github/scripts/hsm-init-temporary-keys.sh + .github/scripts/hsm-init-temporary-keys.sh - run: go test ./... -short working-directory: ${{ matrix.directory }} From 2e29d88d34a876f6face69a4f4f94d3f669c5dd5 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 10:10:27 -0400 Subject: [PATCH 27/34] Fix service test --- .github/scripts/hsm-init-temporary-keys.sh | 24 +++++------ README.md | 24 +++++------ service/kas/access/publicKey_test.go | 50 ++++++++++++++++++++++ 3 files changed, 74 insertions(+), 24 deletions(-) diff --git a/.github/scripts/hsm-init-temporary-keys.sh b/.github/scripts/hsm-init-temporary-keys.sh index ec00765ee6..0412b84857 100755 --- a/.github/scripts/hsm-init-temporary-keys.sh +++ b/.github/scripts/hsm-init-temporary-keys.sh @@ -4,15 +4,15 @@ set -ex -: "${OPENTDF_SERVER_HSM_PIN:=12345}" -: "${OPENTDF_SERVER_HSM_KEYS_EC_LABEL:=development-ec-kas}" -: "${OPENTDF_SERVER_HSM_KEYS_RSA_LABEL:=development-rsa-kas}" +: "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN:=12345}" +: "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL:=development-ec-kas}" +: "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL:=development-rsa-kas}" -if [ -z "${OPENTDF_SERVER_HSM_MODULEPATH}" ]; then +if [ -z "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" ]; then if which brew; then - OPENTDF_SERVER_HSM_MODULEPATH=$(brew --prefix)/lib/softhsm/libsofthsm2.so + OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH=$(brew --prefix)/lib/softhsm/libsofthsm2.so else - OPENTDF_SERVER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so + OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so fi fi @@ -21,13 +21,13 @@ if softhsm2-util --show-slots | grep dev-token; then exit 0 fi -softhsm2-util --init-token --free --label "dev-token" --pin "${OPENTDF_SERVER_HSM_PIN}" --so-pin "${OPENTDF_SERVER_HSM_PIN}" -pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --show-info --list-objects --pin "${OPENTDF_SERVER_HSM_PIN}" +softhsm2-util --init-token --free --label "dev-token" --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --so-pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" +pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --show-info --list-objects --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" openssl req -x509 -nodes -newkey RSA:2048 -subj "/CN=kas" -keyout kas-private.pem -out kas-cert.pem -days 365 openssl ecparam -name prime256v1 >ecparams.tmp openssl req -x509 -nodes -newkey ec:ecparams.tmp -subj "/CN=kas" -keyout kas-ec-private.pem -out kas-ec-cert.pem -days 365 -pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-private.pem --type privkey --label "${OPENTDF_SERVER_HSM_KEYS_RSA_LABEL}" -pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-cert.pem --type cert --label "${OPENTDF_SERVER_HSM_KEYS_RSA_LABEL}" +pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-private.pem --type privkey --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL}" +pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-cert.pem --type cert --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL}" # https://manpages.ubuntu.com/manpages/jammy/man1/pkcs11-tool.1.html --usage-derive -pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-ec-private.pem --type privkey --label "${OPENTDF_SERVER_HSM_KEYS_EC_LABEL}" --usage-derive -pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-ec-cert.pem --type cert --label "${OPENTDF_SERVER_HSM_KEYS_EC_LABEL}" +pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-ec-private.pem --type privkey --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL}" --usage-derive +pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-ec-cert.pem --type cert --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL}" diff --git a/README.md b/README.md index 1883543d57..17f4903736 100644 --- a/README.md +++ b/README.md @@ -137,26 +137,26 @@ For development, we use [the SoftHSM library](https://www.softhsm.org/), which presents a `PKCS #11` interface to on CPU cryptography libraries. ``` -export OPENTDF_SERVER_HSM_PIN=12345 -export OPENTDF_SERVER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so -export OPENTDF_SERVER_HSM_KEYS_EC_LABEL=kas-ec -export OPENTDF_SERVER_HSM_KEYS_RSA_LABEL=kas-rsa +export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN=12345 +export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so +export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL=kas-ec +export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL=kas-rsa -pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \ - --login --pin ${OPENTDF_SERVER_HSM_PIN} \ +pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \ + --login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \ --write-object kas-private.pem --type privkey \ --label kas-rsa -pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \ - --login --pin ${OPENTDF_SERVER_HSM_PIN} \ +pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \ + --login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \ --write-object kas-cert.pem --type cert \ --label kas-rsa -pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \ - --login --pin ${OPENTDF_SERVER_HSM_PIN} \ +pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \ + --login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \ --write-object ec-private.pem --type privkey \ --label kas-ec -pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \ - --login --pin ${OPENTDF_SERVER_HSM_PIN} \ +pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \ + --login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \ --write-object ec-cert.pem --type cert \ --label kas-ec ``` diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index d04b7f98a7..08929d0d2e 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -191,6 +191,16 @@ func TestCertificateHandlerEmpty(t *testing.T) { } func TestCertificateHandlerWithEc256(t *testing.T) { + config.HSMConfig.Keys = map[string]security.KeyInfo{ + "rsa": { + Name: "rsa", + Label: "development-rsa-kas", + }, + "ec": { + Name: "ec", + Label: "development-ec-kas", + }, + } hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ @@ -209,6 +219,16 @@ func TestCertificateHandlerWithEc256(t *testing.T) { } func TestPublicKeyHandlerWithEc256(t *testing.T) { + config.HSMConfig.Keys = map[string]security.KeyInfo{ + "rsa": { + Name: "rsa", + Label: "development-rsa-kas", + }, + "ec": { + Name: "ec", + Label: "development-ec-kas", + }, + } hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ @@ -227,6 +247,16 @@ func TestPublicKeyHandlerWithEc256(t *testing.T) { } func TestPublicKeyHandlerV2(t *testing.T) { + config.HSMConfig.Keys = map[string]security.KeyInfo{ + "rsa": { + Name: "rsa", + Label: "development-rsa-kas", + }, + "ec": { + Name: "ec", + Label: "development-ec-kas", + }, + } hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ @@ -264,6 +294,16 @@ func TestPublicKeyHandlerV2Failure(t *testing.T) { } func TestPublicKeyHandlerV2WithEc256(t *testing.T) { + config.HSMConfig.Keys = map[string]security.KeyInfo{ + "rsa": { + Name: "rsa", + Label: "development-rsa-kas", + }, + "ec": { + Name: "ec", + Label: "development-ec-kas", + }, + } hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ @@ -283,6 +323,16 @@ func TestPublicKeyHandlerV2WithEc256(t *testing.T) { } func TestPublicKeyHandlerV2WithJwk(t *testing.T) { + config.HSMConfig.Keys = map[string]security.KeyInfo{ + "rsa": { + Name: "rsa", + Label: "development-rsa-kas", + }, + "ec": { + Name: "ec", + Label: "development-ec-kas", + }, + } hsmSession, _ := security.NewCryptoProvider(config) kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ From 49185c83724cee0d4411cfcdfebc0ddffebb8603 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 10:22:27 -0400 Subject: [PATCH 28/34] Fix service test --- .github/workflows/checks.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 36d003bffb..4d16261e76 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -70,7 +70,8 @@ jobs: echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf echo "log.level = DEBUG" >> softhsm2.conf echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV" - .github/scripts/hsm-init-temporary-keys.sh + - if: matrix.directory == 'service' + run: .github/scripts/hsm-init-temporary-keys.sh - run: go test ./... -short working-directory: ${{ matrix.directory }} From 199987d6b23173393770b266ee171775012a1fdd Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 10:40:46 -0400 Subject: [PATCH 29/34] Fix service tests --- service/internal/security/crypto_provider.go | 1 + service/internal/security/hsm.go | 2 +- service/internal/security/standard_crypto.go | 3 +++ service/kas/access/publicKey_test.go | 10 +++++++++- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/service/internal/security/crypto_provider.go b/service/internal/security/crypto_provider.go index 245fb5c126..519c1068bd 100644 --- a/service/internal/security/crypto_provider.go +++ b/service/internal/security/crypto_provider.go @@ -19,6 +19,7 @@ type CryptoProvider interface { GenerateNanoTDFSymmetricKey(ephemeralPublicKeyBytes []byte) ([]byte, error) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) GenerateNanoTDFSessionKey(privateKeyHandle PrivateKeyEC, ephemeralPublicKey []byte) ([]byte, error) + Close() } func NewCryptoProvider(cfg Config) (CryptoProvider, error) { diff --git a/service/internal/security/hsm.go b/service/internal/security/hsm.go index 2a1bd2f3a5..cb95debace 100644 --- a/service/internal/security/hsm.go +++ b/service/internal/security/hsm.go @@ -331,7 +331,7 @@ func (h *HSMSession) loadKeys(keys map[string]KeyInfo) error { return nil } -func (s *HSMSession) Destroy() { +func (s *HSMSession) Close() { if s == nil { return } diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go index 37d8d29d2c..74876effbe 100644 --- a/service/internal/security/standard_crypto.go +++ b/service/internal/security/standard_crypto.go @@ -146,3 +146,6 @@ func (s StandardCrypto) GenerateEphemeralKasKeys() (PrivateKeyEC, []byte, error) func (s StandardCrypto) GenerateNanoTDFSessionKey(PrivateKeyEC, []byte) ([]byte, error) { return nil, errNotImplemented } + +func (s StandardCrypto) Close() { +} diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index 08929d0d2e..1af1596e89 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -9,6 +9,7 @@ import ( "crypto/rsa" "crypto/x509" "encoding/pem" + "github.com/stretchr/testify/require" "math/big" "net/url" "os" @@ -177,6 +178,7 @@ func TestCertificateHandlerEmpty(t *testing.T) { "ec": {}, } hsmSession, _ := security.NewCryptoProvider(config) + defer hsmSession.Close() kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ @@ -186,7 +188,7 @@ func TestCertificateHandlerEmpty(t *testing.T) { } result, err := kas.PublicKey(context.Background(), &kaspb.PublicKeyRequest{Fmt: "pkcs8"}) - assert.Error(t, err, "not found") + require.Error(t, err, "not found") assert.Nil(t, result) } @@ -202,6 +204,7 @@ func TestCertificateHandlerWithEc256(t *testing.T) { }, } hsmSession, _ := security.NewCryptoProvider(config) + defer hsmSession.Close() kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, @@ -230,6 +233,7 @@ func TestPublicKeyHandlerWithEc256(t *testing.T) { }, } hsmSession, _ := security.NewCryptoProvider(config) + defer hsmSession.Close() kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, @@ -258,6 +262,7 @@ func TestPublicKeyHandlerV2(t *testing.T) { }, } hsmSession, _ := security.NewCryptoProvider(config) + defer hsmSession.Close() kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, @@ -280,6 +285,7 @@ func TestPublicKeyHandlerV2Failure(t *testing.T) { "ec": {}, } hsmSession, _ := security.NewCryptoProvider(config) + defer hsmSession.Close() kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, @@ -305,6 +311,7 @@ func TestPublicKeyHandlerV2WithEc256(t *testing.T) { }, } hsmSession, _ := security.NewCryptoProvider(config) + defer hsmSession.Close() kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, @@ -334,6 +341,7 @@ func TestPublicKeyHandlerV2WithJwk(t *testing.T) { }, } hsmSession, _ := security.NewCryptoProvider(config) + defer hsmSession.Close() kasURI, _ := url.Parse("https://" + hostname + ":5000") kas := Provider{ URI: *kasURI, From 342432a88d4362f3246c82ecc2ccf0c2532b5202 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 10:46:09 -0400 Subject: [PATCH 30/34] Fix service tests --- service/internal/security/hsm.go | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/service/internal/security/hsm.go b/service/internal/security/hsm.go index cb95debace..bddc7589d5 100644 --- a/service/internal/security/hsm.go +++ b/service/internal/security/hsm.go @@ -331,17 +331,16 @@ func (h *HSMSession) loadKeys(keys map[string]KeyInfo) error { return nil } -func (s *HSMSession) Close() { - if s == nil { +func (h *HSMSession) Close() { + if h == nil { return } - ctx := s.ctx - sh := s.sh + ctx := h.ctx + sh := h.sh if err := ctx.Logout(sh); err != nil { slog.Error("pkcs11 error logging out", "err", err) } - s.destroy() - s = nil + h.destroy() } func (h *HSMSession) findKey(class uint, label string) (pkcs11.ObjectHandle, error) { From cdcc223122f183f25849955db1ea5d0970ecfc96 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 10:51:54 -0400 Subject: [PATCH 31/34] Fix service tests --- service/kas/access/publicKey_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index 1af1596e89..ee1a3c028b 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -9,7 +9,6 @@ import ( "crypto/rsa" "crypto/x509" "encoding/pem" - "github.com/stretchr/testify/require" "math/big" "net/url" "os" @@ -18,7 +17,8 @@ import ( "testing" "github.com/opentdf/platform/service/internal/security" - + "github.com/stretchr/testify/require" + kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/stretchr/testify/assert" ) From 373a137610e2614fe7694d134c885672c52c4aaa Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 10:57:58 -0400 Subject: [PATCH 32/34] Fix service test --- service/go.mod | 2 +- service/kas/access/publicKey_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/service/go.mod b/service/go.mod index 40c522c54f..9e3517a720 100644 --- a/service/go.mod +++ b/service/go.mod @@ -19,6 +19,7 @@ require ( github.com/lestrrat-go/jwx/v2 v2.0.21 github.com/miekg/pkcs11 v1.1.1 github.com/open-policy-agent/opa v0.62.1 + github.com/opentdf/platform/lib/ocrypto v0.0.0-00010101000000-000000000000 github.com/opentdf/platform/protocol/go v0.0.0-00010101000000-000000000000 github.com/opentdf/platform/sdk v0.0.0-00010101000000-000000000000 github.com/pressly/goose/v3 v3.19.1 @@ -55,7 +56,6 @@ require ( github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/opentdf/platform/lib/ocrypto v0.0.0-00010101000000-000000000000 // indirect ) replace ( diff --git a/service/kas/access/publicKey_test.go b/service/kas/access/publicKey_test.go index ee1a3c028b..c1a9bb25a8 100644 --- a/service/kas/access/publicKey_test.go +++ b/service/kas/access/publicKey_test.go @@ -18,7 +18,7 @@ import ( "github.com/opentdf/platform/service/internal/security" "github.com/stretchr/testify/require" - + kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/stretchr/testify/assert" ) From c7d192d6c916143b140fcbf59dcefe63bbd656d0 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 11:09:39 -0400 Subject: [PATCH 33/34] Disable HSM --- opentdf-example.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opentdf-example.yaml b/opentdf-example.yaml index bfad40de78..e94ed605c7 100644 --- a/opentdf-example.yaml +++ b/opentdf-example.yaml @@ -69,7 +69,7 @@ server: reflectionEnabled: true # Default is false cryptoProvider: hsm: - enabled: true + enabled: false # As configured by hsm-init-temporary-keys.sh pin: "12345" slotlabel: "dev-token" From a48949ba16d4196d0b50751ca3823ad000364204 Mon Sep 17 00:00:00 2001 From: sujan kota Date: Fri, 5 Apr 2024 11:52:02 -0400 Subject: [PATCH 34/34] Fix the ocrypto package --- lib/ocrypto/aes_gcm.go | 2 +- lib/ocrypto/aes_gcm_test.go | 2 +- lib/ocrypto/asym_decryption.go | 2 +- lib/ocrypto/asym_encrypt_decrypt_test.go | 2 +- lib/ocrypto/asym_encryption.go | 2 +- lib/ocrypto/crypto_utils.go | 2 +- lib/ocrypto/crypto_utils_test.go | 2 +- lib/ocrypto/rsa_key_pair.go | 2 +- lib/ocrypto/rsa_key_pair_test.go | 2 +- sdk/auth_config.go | 2 +- sdk/idp_access_token_source.go | 3 +-- sdk/kas_client.go | 5 ++--- sdk/kas_client_test.go | 3 +-- sdk/tdf.go | 3 +-- sdk/tdf_config.go | 2 +- sdk/tdf_test.go | 2 +- service/internal/security/standard_crypto.go | 2 +- service/kas/access/rewrap.go | 2 +- 18 files changed, 19 insertions(+), 23 deletions(-) diff --git a/lib/ocrypto/aes_gcm.go b/lib/ocrypto/aes_gcm.go index 2a1b34aff7..c6e5a0285b 100644 --- a/lib/ocrypto/aes_gcm.go +++ b/lib/ocrypto/aes_gcm.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "crypto/aes" diff --git a/lib/ocrypto/aes_gcm_test.go b/lib/ocrypto/aes_gcm_test.go index 23364c2dca..186a00f761 100644 --- a/lib/ocrypto/aes_gcm_test.go +++ b/lib/ocrypto/aes_gcm_test.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "encoding/hex" diff --git a/lib/ocrypto/asym_decryption.go b/lib/ocrypto/asym_decryption.go index 18b57a0ebc..ff71eef734 100644 --- a/lib/ocrypto/asym_decryption.go +++ b/lib/ocrypto/asym_decryption.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "crypto" diff --git a/lib/ocrypto/asym_encrypt_decrypt_test.go b/lib/ocrypto/asym_encrypt_decrypt_test.go index 026f77982c..a40e938348 100644 --- a/lib/ocrypto/asym_encrypt_decrypt_test.go +++ b/lib/ocrypto/asym_encrypt_decrypt_test.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "testing" diff --git a/lib/ocrypto/asym_encryption.go b/lib/ocrypto/asym_encryption.go index 76c820fc09..65ef5a115d 100644 --- a/lib/ocrypto/asym_encryption.go +++ b/lib/ocrypto/asym_encryption.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "crypto/rand" diff --git a/lib/ocrypto/crypto_utils.go b/lib/ocrypto/crypto_utils.go index 0b280b64b0..3fb100847e 100644 --- a/lib/ocrypto/crypto_utils.go +++ b/lib/ocrypto/crypto_utils.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "crypto/hmac" diff --git a/lib/ocrypto/crypto_utils_test.go b/lib/ocrypto/crypto_utils_test.go index d233822e0f..a5ebedf24b 100644 --- a/lib/ocrypto/crypto_utils_test.go +++ b/lib/ocrypto/crypto_utils_test.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "testing" diff --git a/lib/ocrypto/rsa_key_pair.go b/lib/ocrypto/rsa_key_pair.go index 4586384dc3..b2b6d6b7f9 100644 --- a/lib/ocrypto/rsa_key_pair.go +++ b/lib/ocrypto/rsa_key_pair.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "crypto/rand" diff --git a/lib/ocrypto/rsa_key_pair_test.go b/lib/ocrypto/rsa_key_pair_test.go index 92d5ba8241..425527b51d 100644 --- a/lib/ocrypto/rsa_key_pair_test.go +++ b/lib/ocrypto/rsa_key_pair_test.go @@ -1,4 +1,4 @@ -package crypto +package ocrypto import ( "testing" diff --git a/sdk/auth_config.go b/sdk/auth_config.go index 1d25f63fec..c258937634 100644 --- a/sdk/auth_config.go +++ b/sdk/auth_config.go @@ -13,7 +13,7 @@ import ( "time" "github.com/golang-jwt/jwt/v4" - ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/lib/ocrypto" ) type AuthConfig struct { diff --git a/sdk/idp_access_token_source.go b/sdk/idp_access_token_source.go index acc78ce6df..fac0135db7 100644 --- a/sdk/idp_access_token_source.go +++ b/sdk/idp_access_token_source.go @@ -11,10 +11,9 @@ import ( "strings" "sync" - ocrypto "github.com/opentdf/platform/lib/ocrypto" - "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" + "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/sdk/auth" "github.com/opentdf/platform/sdk/internal/oauth" ) diff --git a/sdk/kas_client.go b/sdk/kas_client.go index 354648cefd..95fcd19b9f 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go @@ -7,11 +7,10 @@ import ( "net/url" "time" - ocrypto "github.com/opentdf/platform/lib/ocrypto" - "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" - kas "github.com/opentdf/platform/protocol/go/kas" + "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/sdk/auth" "google.golang.org/grpc" ) diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index c90dc6df10..8ab9192919 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -4,13 +4,12 @@ import ( "encoding/json" "testing" - ocrypto "github.com/opentdf/platform/lib/ocrypto" - "google.golang.org/grpc" "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" + "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/sdk/auth" ) diff --git a/sdk/tdf.go b/sdk/tdf.go index 6d36a40076..5894aa02aa 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -10,9 +10,8 @@ import ( "math" "strings" - ocrypto "github.com/opentdf/platform/lib/ocrypto" - "github.com/google/uuid" + "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/sdk/internal/archive" ) diff --git a/sdk/tdf_config.go b/sdk/tdf_config.go index a5311a1bd5..b98ee506d9 100644 --- a/sdk/tdf_config.go +++ b/sdk/tdf_config.go @@ -3,7 +3,7 @@ package sdk import ( "fmt" - ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/lib/ocrypto" ) const ( diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go index 6e94794c6e..788750a987 100644 --- a/sdk/tdf_test.go +++ b/sdk/tdf_test.go @@ -18,7 +18,7 @@ import ( "testing" "github.com/golang-jwt/jwt/v4" - ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/lib/ocrypto" "github.com/stretchr/testify/assert" ) diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go index 74876effbe..8f4d310c02 100644 --- a/service/internal/security/standard_crypto.go +++ b/service/internal/security/standard_crypto.go @@ -9,7 +9,7 @@ import ( "os" "github.com/lestrrat-go/jwx/v2/jwk" - ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/lib/ocrypto" ) var ( diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index afc421f429..dbe1c0a935 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -19,7 +19,7 @@ import ( "log/slog" "strings" - ocrypto "github.com/opentdf/platform/lib/ocrypto" + "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/protocol/go/authorization" kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/service/internal/auth"