fix(mediator): Update the readme and docker with type of key forma… (#…

…267)

* docs(medeiator): Updated the readme and docker with type of key format used for mediator identity

* docs(medeiator): Updated the readme and docker with type of key format used for mediator identity

* fix(mediator): Update application.conf and removed the default identity keys for the mediator Add readme for how to create keys for mediator identity

* fix(mediator): Add restart with envVariables

* fix(mediator): Add restart with envVariables

---------

Signed-off-by: Shailesh Patil <53746241+mineme0110@users.noreply.github.com>

Signed-off-by: Shailesh Patil <shailesh.patil@iohk.io>

README.md

@@ -133,8 +133,13 @@ The default configuration is set up [application.conf](/mediator/src/main/resour
 So in order to configure the mediator for your needs.
 You can either change the default configuration or you can set up environment variables that overrides the defaults:
 
-#### identity
+#### identity  
+> KEY_AGREEMENT, KEY_AUTHENTICATION  use JOSE (JSON Object Signing and Encryption) format, utilizing OKP (Octet Key Pair) type with base64url-safe encoded keys.
+
 To set up the mediator identity:
+
+[How to generate mediator identity](./mediator-identity-key-generation.md)
+
 - `KEY_AGREEMENT_D` - is the key agreement private key (MUST be a X25519 OKP key type).
 - `KEY_AGREEMENT_X` - is the key agreement public key (MUST be a X25519 OKP key type).
 - `KEY_AUTHENTICATION_D` - is the key authentication private key (MUST be an Ed25519 OKP key type).

build.sbt

@@ -99,6 +99,19 @@ lazy val NPM = new {
   val sha256 = Seq("js-sha256" -> "0.9.0")
 }
 
+lazy val ENV = new {
+   val keyAgreementD = "Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c"
+   val keyAgreementX = "Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw"
+   val keyAuthenticationD = "INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug"
+   val keyAuthenticationX = "MBjnXZxkMcoQVVL21hahWAw43RuAG-i64ipbeKKqwoA"
+   val envVars = Map(
+      "KEY_AGREEMENT_D" -> keyAgreementD,
+      "KEY_AGREEMENT_X" -> keyAgreementX,
+      "KEY_AUTHENTICATION_D" -> keyAuthenticationD,
+      "KEY_AUTHENTICATION_X" -> keyAuthenticationX
+    )
+}
+
 inThisBuild(
   Seq(
     scalacOptions ++= Seq(
@@ -241,6 +254,8 @@ lazy val mediator = project
     Assets / WebKeys.packagePrefix := "public/",
     Runtime / managedClasspath += (Assets / packageBin).value,
   )
+  .settings(run / fork := true)
+  .settings(envVars ++= ENV.envVars )
   .enablePlugins(WebScalaJSBundlerPlugin)
   .enablePlugins(JavaAppPackaging, DockerPlugin)
 

docker-compose.yml

@@ -19,6 +19,9 @@ services:
       - "8080:8080"
     environment:
       # Creates the identity:
+      # These keys are for demo purpose only for production deployments generate keys
+      # Please follow the README file for guidelines on How to generate JWK format keys
+      # KEY_AGREEMENT KEY_AUTHENTICATION are using format JOSE(JWK) OKP type base64urlsafe encoded keys
       - KEY_AGREEMENT_D=Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c
       - KEY_AGREEMENT_X=Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw
       - KEY_AUTHENTICATION_D=INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug

infrastructure/charts/mediator/templates/deployment.yaml

@@ -27,6 +27,14 @@ spec:
         ports:
         - containerPort: 8080
         env:
+        - name: KEY_AGREEMENT_D
+          value: "Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c"
+        - name: KEY_AGREEMENT_X
+          value: "Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw"
+        - name: KEY_AUTHENTICATION_D
+          value: "INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug"
+        - name: KEY_AUTHENTICATION_X
+          value: "MBjnXZxkMcoQVVL21hahWAw43RuAG-i64ipbeKKqwoA"
         - name: MONGODB_USER
           value: "admin"
         - name: MONGODB_PASSWORD

mediator-identity-key-generation.md

@@ -0,0 +1,59 @@
+### Step-by-Step Guide to Generate Keys for the Mediator Identity
+
+1. **Install OpenSSL**:
+   - **Linux**:
+     - If you haven't already, install OpenSSL on your Linux system using your package manager. Here are the commands for various package managers:
+       ```bash
+       sudo apt-get update && sudo apt-get install openssl
+       ```
+       ```bash
+       sudo yum install openssl  # Red Hat-based systems
+       ```
+       ```bash
+       sudo pacman -S openssl    # Arch Linux
+       ```
+   - **macOS**:
+     - OpenSSL is typically pre-installed on macOS. If it's not available or you need a newer version, you can install it using Homebrew:
+       ```bash
+       brew install openssl
+       ```
+
+2. **Install jq**:
+   - **Linux**:
+     - If you haven't already, install jq on your Linux system using your package manager. Here are the commands for various package managers:
+       ```bash
+       sudo apt-get update && sudo apt-get install jq
+       ```
+       ```bash
+       sudo yum install jq       # Red Hat-based systems
+       ```
+       ```bash
+       sudo pacman -S jq         # Arch Linux
+       ```
+   - **macOS**:
+     - If you haven't already, install jq on your macOS system using Homebrew:
+       ```bash
+       brew install jq
+       ```
+
+3. **Generate X25519 Key (for KEY_AGREEMENT)**:
+   - Run the following command to generate the X25519 key:
+    ```bash
+    openssl genpkey -algorithm X25519 -out private_key_x25519.pem
+    ```
+4. **Format X25519 Key into JWK**:
+   - Run the following command to format the X25519 key into JWK format:
+     ```bash
+     jq -nR --arg d "$(openssl pkey -inform pem -in private_key_x25519.pem -noout -text | awk '/priv:/{flag=1; next} /pub:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" --arg x "$(openssl pkey -inform pem -in private_key_x25519.pem -noout -text | awk '/pub:/{flag=1; next} /priv:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" '{kty: "OKP", crv: "X25519", x: $x, d: $d}'
+     ```
+5. **Generate Ed25519 Key (for KEY_AUTHENTICATION)**:
+   - Run the following command to generate the Ed25519 key:
+     ```bash
+     openssl genpkey -algorithm Ed25519 -out private_key_ed25519.pem
+     ```
+6. **Format Ed25519 Key into JWK**:
+   - Run the following command to format the Ed25519 key into JWK format:
+     ```bash
+     jq -nR --arg d "$(openssl pkey -inform pem -in private_key_ed25519.pem -noout -text | awk '/priv:/{flag=1; next} /pub:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" --arg x "$(openssl pkey -inform pem -in private_key_ed25519.pem -noout -text | awk '/pub:/{flag=1; next} /priv:/{flag=0} flag' | sed 's/[^0-9A-Fa-f]//g' | xxd -r -p | base64 | tr -d '\n' | tr '+/' '-_' | sed 's/=*$//')" '{kty: "OKP", crv: "Ed25519", x: $x, d: $d}'
+     ```
+These commands will guide you to generate X25519 and Ed25519 keys using OpenSSL and format them into JWK format suitable for use as KEY_AGREEMENT and KEY_AUTHENTICATION keys, respectively.

mediator/src/main/resources/application.conf

@@ -3,17 +3,13 @@ mediator = {
     keyAgreement = {
       kty = "OKP"
       crv = "X25519"
-      d = "Z6D8LduZgZ6LnrOHPrMTS6uU2u5Btsrk1SGs4fn8M7c"
       d = ${?KEY_AGREEMENT_D}
-      x = "Sr4SkIskjN_VdKTn0zkjYbhGTWArdUNE4j_DmUpnQGw"
       x = ${?KEY_AGREEMENT_X}
     }
     keyAuthentication = {
       kty = "OKP"
       crv = "Ed25519"
-      d = "INXCnxFEl0atLIIQYruHzGd5sUivMRyQOzu87qVerug"
       d = ${?KEY_AUTHENTICATION_D}
-      x = "MBjnXZxkMcoQVVL21hahWAw43RuAG-i64ipbeKKqwoA"
       x = ${?KEY_AUTHENTICATION_X}
     }
     endpoints = "http://localhost:8080;ws://localhost:8080/ws"