From fca942e9e7469e9dcf4993813cb6213e8f96a36c Mon Sep 17 00:00:00 2001 From: Yevgen Pukhta Date: Mon, 12 Sep 2022 15:33:07 +0300 Subject: [PATCH] refactor: remove EDV support Signed-off-by: Yevgen Pukhta --- Makefile | 1 - README.md | 12 -- cmd/kms-server/go.mod | 1 - cmd/kms-server/go.sum | 2 - cmd/kms-server/startcmd/start.go | 2 - docs/use_cases.md | 44 +---- go.mod | 2 +- go.sum | 3 +- pkg/controller/command/actions.go | 2 - pkg/controller/command/command.go | 168 +++++------------ .../command/command_create_key_store.go | 94 +--------- pkg/controller/command/command_test.go | 170 ------------------ pkg/controller/command/models.go | 9 +- pkg/controller/rest/models.go | 9 - pkg/metrics/metrics.go | 2 +- 15 files changed, 56 insertions(+), 465 deletions(-) diff --git a/Makefile b/Makefile index f343e65b..dae01e3e 100644 --- a/Makefile +++ b/Makefile @@ -71,7 +71,6 @@ stress-test: KMS_STRESS_KMS_URL=https://ops-oathkeeper-proxy.dev.trustbloc.dev \ KMS_STRESS_AUTH_KMS_URL=https://authz-oathkeeper-proxy.dev.trustbloc.dev \ KMS_STRESS_HUB_AUTH_URL=https://hub-auth.dev.trustbloc.dev \ - KMS_STRESS_EDV_URL=https://edv.dev.trustbloc.dev \ SUBJECT=john.smith23140954@example.com \ ACCESS_TOKEN=m_QNKTLWFgyFEGPf6dHHs3h3f0TOoJ2ZSlD912u_LKw.6xWwAF61vGM5EHxGuQG9nuwAwd_hNKqMMEe4W2V-V1Q \ SECRET_SHARE=dD78WKu9/51CRFVhmzlH7nUYbaZvC5Eb30WNC3rfPjLz \ diff --git a/README.md b/README.md index 728e5ef5..766122d8 100644 --- a/README.md +++ b/README.md 
@@ -162,18 +162,6 @@ If Shamir secret lock is used, every request that involves User's Key Store is e The following databases are supported for the Server DB: MongoDB, CouchDB, and in-memory. You specify a type of the database in the `KMS_DATABASE_TYPE` environment variable (`--database-type` flag). -User's Key Store can also use EDV for storing working keys. EDV parameters can be set with `create key store` request: - -```json -{ - "controller": "did:example:controller", - "edv": { - "vault_url": "https://edv-host/encrypted-data-vaults/vault-id", - "capability": "eyJAY29udGV4dCI6Imh0dHBzOi8vdzNpZC5v..." - } -} -``` - ## Use Cases Refer [here](docs/use_cases.md) for in-depth description on how lock keys are used in example server's configurations. diff --git a/cmd/kms-server/go.mod b/cmd/kms-server/go.mod index cd3824ba..d90202ac 100644 --- a/cmd/kms-server/go.mod +++ b/cmd/kms-server/go.mod @@ -81,7 +81,6 @@ require ( github.com/google/trillian v1.3.14-0.20210520152752-ceda464a95a3 // indirect github.com/google/uuid v1.3.0 // indirect github.com/hyperledger/aries-framework-go-ext/component/vdr/sidetree v1.0.0-rc2.0.20220729203359-da1de2fa21ce // indirect - github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85 // indirect github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect github.com/igor-pavlenko/httpsignatures-go v0.0.23 // indirect github.com/imdario/mergo v0.3.12 // indirect diff --git a/cmd/kms-server/go.sum b/cmd/kms-server/go.sum index 42eedb75..760c4d78 100644 --- a/cmd/kms-server/go.sum +++ b/cmd/kms-server/go.sum 
@@ -688,8 +688,6 @@ github.com/hyperledger/aries-framework-go-ext/component/vdr/orb v1.0.0-rc2.0.202
 github.com/hyperledger/aries-framework-go-ext/component/vdr/orb v1.0.0-rc2.0.20220811162145-47649b185a56/go.mod h1:5ZDdDP1oCcjR8T7+uxOs0JF3PsY8h18pMfylqwjieII=
 github.com/hyperledger/aries-framework-go-ext/component/vdr/sidetree v1.0.0-rc2.0.20220729203359-da1de2fa21ce h1:COpeqKShWjBJ/hDnnjgQg0MCC1BuV4tMA2ksSKmchRc=
 github.com/hyperledger/aries-framework-go-ext/component/vdr/sidetree v1.0.0-rc2.0.20220729203359-da1de2fa21ce/go.mod h1:mmoE3SQsM0WYLweUmBCQJE2abf73iO4LxpP/e0NONYI=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85 h1:YWww6rlXZprOnBP3LD8RAzbkszmplnLvabtlBZtzLTA=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85/go.mod h1:JrwivOOQmuXbV1mFWgBGWnfCorOFdfGkpBsYK8dYrfM=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85 h1:P82lZe6zDjaP2j87nDYQBSBYrB6Nq6nc9MtyNMC3K4A=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220614152730-3d817acfa48b h1:wSUDDrB87VuaxOmyb0CmA3wB8vvgZ3p9Te4Dnsi6NXs=
diff --git a/cmd/kms-server/startcmd/start.go b/cmd/kms-server/startcmd/start.go
index 13ee9159..84f74c10 100644
--- a/cmd/kms-server/startcmd/start.go
+++ b/cmd/kms-server/startcmd/start.go
@@ -242,8 +242,6 @@ func startServer(srv server, params *serverParameters) error { //nolint:funlen
 BaseKeyStoreURL: baseKeyStoreURL,
 ShamirProvider: shamirProvider,
 MainKeyType: kms.AES256GCMType,
- EDVRecipientKeyType: kms.NISTP256ECDHKW,
- EDVMACKeyType: kms.HMACSHA256Tag256,
 KeyStoreCacheTTL: params.keyStoreCacheTTL,
 MetricsProvider: metrics.Get(),
 }
diff --git a/docs/use_cases.md b/docs/use_cases.md
index 0f47262f..11037718 100644
--- a/docs/use_cases.md
+++ b/docs/use_cases.md
@@ -1,6 +1,6 @@ # Use Cases -**Scenario 1**: server's lock is based on AWS key, user's lock uses local key, no EDV +**Scenario 1**: server's lock is based on AWS key, user's lock uses local key In this scenario, a key for the user's lock is created when the key store is created. That key is encrypted with an AWS key and stored in the server's DB. When a working key is created for the user, it is encrypted with that stored lock key. 
@@ -32,45 +32,3 @@ Before using, user's lock key should be decrypted with an AWS key. Storage-->>KMS: {key ID} KMS-->>User: {key URL, public key bytes} ``` - -**Scenario 2**: server's lock is based on local key, user's lock uses Shamir-based key, working keys are stored in EDV - -Key for the server's lock is stored in a local file and the path to it is specified in a startup flag or environment -variable. When a key store is created, helper recipient and MAC keys for the EDV provider are created as well. They are -encrypted with a key from the local file (server's lock) and saved to the server's DB. These keys are associated with -a created key store to support EDV operations. - -User's lock key is created on a fly using HKDF algorithm that expands the combined secret (from shares using Shamir -Secret Sharing) into a symmetric key. That key is used to encrypt/decrypt the user's working keys stored in EDV. - -```mermaid - sequenceDiagram - participant User - participant KMS - participant DB - participant EDV - participant Auth as Auth Server - - User->>KMS: create keystore {controller, EDV vault URL and ZCAPs} - loop for EDV recipient key, EDV MAC key - KMS->>KMS: create key - KMS->>KMS: encrypt key with server's local (master) key - KMS->>DB: save encrypted key - DB-->>KMS: {key ID} - end - KMS-->>User: {keystore URL, root ZCAPs} - - User->>KMS: create key {key type, secret share} - KMS->>KMS: create key - KMS->>Auth: get secret share - Auth-->>KMS: secret share - KMS->>KMS: create lock key on a fly from secret shares - KMS->>KMS: encrypt key with lock key - loop for EDV recipient key, EDV MAC key - KMS->>DB: get key - KMS->>KMS: decrypt key with server's local (master) key - end - KMS->>EDV: save encrypted key - EDV-->>KMS: {key ID} - KMS-->>User: {key URL, public key bytes} -``` diff --git a/go.mod b/go.mod index c31ab577..a463f785 100644 --- a/go.mod +++ b/go.mod 
@@ -12,7 +12,6 @@ require (
 github.com/google/tink/go v1.6.1
 github.com/gorilla/mux v1.8.0
 github.com/hyperledger/aries-framework-go v0.1.9-0.20220822173318-77fbef728d02
- github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220610133818-119077b0ec85
 github.com/igor-pavlenko/httpsignatures-go v0.0.23
@@ -39,6 +38,7 @@ require (
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/go-cmp v0.5.6 // indirect
 github.com/google/uuid v1.3.0 // indirect
+ github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1 // indirect
 github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index 9e04fbd8..2fd60ad9 100644
--- a/go.sum
+++ b/go.sum
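Review bot: The main module's go.mod gains `github.com/hyperledger/aries-framework-go/test/component` as an indirect requirement in the second hunk while the commit otherwise only removes the EDV module; a `test/...` component becoming a build dependency of the production module usually means a non-test import path now reaches a test-helper package, which is worth a `go mod why -m` check before merging. If it is pulled in only by this module's own tests it still belongs in go.mod, but confirming that keeps test-support code out of the server binary's dependency graph.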
@@ -198,13 +198,12 @@ github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKe
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hyperledger/aries-framework-go v0.1.9-0.20220822173318-77fbef728d02 h1:phipjA38PzjN7/h6t+8Vv8XPlW5t+327GD0p9v8wx4Y=
 github.com/hyperledger/aries-framework-go v0.1.9-0.20220822173318-77fbef728d02/go.mod h1:28aD9QTgVjeAl86vHNFwkOYwQwZiTrrODMpjE2PYz3M=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85 h1:YWww6rlXZprOnBP3LD8RAzbkszmplnLvabtlBZtzLTA=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85/go.mod h1:JrwivOOQmuXbV1mFWgBGWnfCorOFdfGkpBsYK8dYrfM=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85 h1:P82lZe6zDjaP2j87nDYQBSBYrB6Nq6nc9MtyNMC3K4A=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220610133818-119077b0ec85 h1:y+9tj2KusE4tT2iDKdB20GfRY4W7Ftvpp2kB/TEVrGs=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220610133818-119077b0ec85/go.mod h1:4bD5c5fj5K7rkQurVa/8I8+TfNcI4bxIBzaUNcxTOTg=
 github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1 h1:vxZ0DlFNLjgxMdBESLZu895AsI1JWL2SJerphwIn8Po=
+github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1/go.mod h1:lykx3N+GX+sAWSxO2Ycc4Dz+ynV9b0Fv4NdP+ms4Alc=
 github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA=
 github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
diff --git a/pkg/controller/command/actions.go b/pkg/controller/command/actions.go
index 9cbceb8f..4fc294f3 100644
--- a/pkg/controller/command/actions.go
+++ b/pkg/controller/command/actions.go
@@ -32,7 +32,6 @@ const (
 ActionBlind = "blind"
 ActionCorrectnessProof = "correctnessProof"
 ActionSignWithSecrets = "signWithSecrets"
- ActionStoreCapability = "updateEDVCapability"
 )
 func allActions() []string {
@@ -59,6 +58,5 @@ func allActions() []string {
 ActionBlind,
 ActionCorrectnessProof,
 ActionSignWithSecrets,
- ActionStoreCapability,
 }
 }
diff --git a/pkg/controller/command/command.go b/pkg/controller/command/command.go
index bfbc5bde..f385f588 100644
--- a/pkg/controller/command/command.go
+++ b/pkg/controller/command/command.go
@@ -21,9 +21,7 @@ import (
 "time"
 "github.com/google/tink/go/keyset"
- "github.com/hyperledger/aries-framework-go/component/storage/edv"
 "github.com/hyperledger/aries-framework-go/pkg/crypto"
- "github.com/hyperledger/aries-framework-go/pkg/doc/jose"
 "github.com/hyperledger/aries-framework-go/pkg/kms"
 "github.com/hyperledger/aries-framework-go/pkg/secretlock"
 "github.com/hyperledger/aries-framework-go/spi/storage"
@@ -32,7 +30,6 @@ import (
 "github.com/trustbloc/kms/pkg/controller/errors"
 "github.com/trustbloc/kms/pkg/secretlock/key"
- "github.com/trustbloc/kms/pkg/storage/metrics"
 )
 type zcapService interface {
@@ -99,8 +96,6 @@ type Config struct {
 BaseKeyStoreURL string
 ShamirProvider shamirProvider
 MainKeyType kms.KeyType
- EDVRecipientKeyType kms.KeyType
- EDVMACKeyType kms.KeyType
 MetricsProvider metricsProvider
 CacheProvider cacheProvider
 KeyStoreCacheTTL time.Duration
@@ -108,27 +103,25 @@ type Config struct {
 // Command is a controller for commands.
 type Command struct {
- store storage.Store
- keyStorageProvider storage.Provider
- kms kms.KeyManager // server's key manager
- crypto crypto.Crypto
- zcap zcapService
- enableZCAPs bool
- vdr zcapld.VDRResolver
- documentLoader ld.DocumentLoader
- keyStoreCreator keyStoreCreator // user's key manager creator
- cryptoBox cryptoBoxCreator
- shamirLock shamirSecretLockCreator
- headerSigner headerSigner
- tlsConfig *tls.Config
- baseKeyStoreURL string
- shamirProvider shamirProvider
- mainKeyType kms.KeyType
- edvRecipientKeyType kms.KeyType
- edvMACKeyType kms.KeyType
- cacheProvider cacheProvider
- keyStoreCacheTTL time.Duration
- metrics metricsProvider
+ store storage.Store
+ keyStorageProvider storage.Provider
+ kms kms.KeyManager // server's key manager
+ crypto crypto.Crypto
+ zcap zcapService
+ enableZCAPs bool
+ vdr zcapld.VDRResolver
+ documentLoader ld.DocumentLoader
+ keyStoreCreator keyStoreCreator // user's key manager creator
+ cryptoBox cryptoBoxCreator
+ shamirLock shamirSecretLockCreator
+ headerSigner headerSigner
+ tlsConfig *tls.Config
+ baseKeyStoreURL string
+ shamirProvider shamirProvider
+ mainKeyType kms.KeyType
+ cacheProvider cacheProvider
+ keyStoreCacheTTL time.Duration
+ metrics metricsProvider
 }
 // New returns a new instance of Command.
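Review bot: `headerSigner` and `tlsConfig` survive the realigned Command struct although the only readers this patch shows for them, `c.headerSigner.SignHeader(req, capability)` and `edv.WithTLSConfig(c.tlsConfig)` in the deleted createEDVStorageProvider, are gone. If nothing outside this diff reads them they are now dead state, together with `HeaderSigner`/`TLSConfig` in Config and their assignments in New, and a refactor that already rewrites every field line is the cheapest moment to drop them. If they are still consumed elsewhere, a field comment naming that consumer, e.g. `headerSigner headerSigner // signs outbound requests; see <consumer>`, would spare the next reader the same search. The struct is complete within the hunk.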
@@ -139,27 +132,25 @@ func New(c *Config) (*Command, error) {
 }
 return &Command{
- store: store,
- keyStorageProvider: c.KeyStorageProvider,
- kms: c.KMS,
- crypto: c.Crypto,
- zcap: c.ZCAPService,
- enableZCAPs: c.EnableZCAPs,
- vdr: c.VDRResolver,
- documentLoader: c.DocumentLoader,
- keyStoreCreator: c.KeyStoreCreator,
- shamirLock: c.ShamirSecretLockCreator,
- cryptoBox: c.CryptBoxCreator,
- headerSigner: c.HeaderSigner,
- tlsConfig: c.TLSConfig,
- baseKeyStoreURL: c.BaseKeyStoreURL,
- shamirProvider: c.ShamirProvider,
- mainKeyType: c.MainKeyType,
- edvRecipientKeyType: c.EDVRecipientKeyType,
- edvMACKeyType: c.EDVMACKeyType,
- cacheProvider: c.CacheProvider,
- keyStoreCacheTTL: c.KeyStoreCacheTTL,
- metrics: c.MetricsProvider,
+ store: store,
+ keyStorageProvider: c.KeyStorageProvider,
+ kms: c.KMS,
+ crypto: c.Crypto,
+ zcap: c.ZCAPService,
+ enableZCAPs: c.EnableZCAPs,
+ vdr: c.VDRResolver,
+ documentLoader: c.DocumentLoader,
+ keyStoreCreator: c.KeyStoreCreator,
+ shamirLock: c.ShamirSecretLockCreator,
+ cryptoBox: c.CryptBoxCreator,
+ headerSigner: c.HeaderSigner,
+ tlsConfig: c.TLSConfig,
+ baseKeyStoreURL: c.BaseKeyStoreURL,
+ shamirProvider: c.ShamirProvider,
+ mainKeyType: c.MainKeyType,
+ cacheProvider: c.CacheProvider,
+ keyStoreCacheTTL: c.KeyStoreCacheTTL,
+ metrics: c.MetricsProvider,
 }, nil
 }
@@ -774,10 +765,7 @@ func (c *Command) resolveKeyStore(keyStoreID, user string, secretShare []byte) (
 return nil, fmt.Errorf("unmarshal key store meta: %w", err)
 }
- storageProvider, err := c.getStorageProvider(&meta)
- if err != nil {
- return nil, err
- }
+ storageProvider := c.getStorageProvider()
 var secretLock secretlock.Service
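Review bot: A key store created while EDV was supported still carries `edv` parameters in its persisted metadata; since keyStoreMeta no longer has that field (the struct hunk in command_create_key_store.go), the `json.Unmarshal` just above this hunk drops it silently and `c.getStorageProvider()` binds the store to the server-side provider, where its working keys never existed. Every later key operation on such a store then fails with a not-found error instead of a clear message, and the recipient/MAC keys that were created in the server KMS for it are left behind with nothing referencing them. Unless the deployment can guarantee no EDV-backed stores exist, keep a `json.RawMessage` field tagged `edv,omitempty` on keyStoreMeta and fail fast here: `if len(meta.EDV) != 0 { return nil, fmt.Errorf("key store %s: EDV-backed key stores are no longer supported", keyStoreID) }`. The stored-meta fixture from the deleted "Success with EDV storage and Shamir secret lock" test is a ready-made case for asserting that error. resolveKeyStore starts and ends outside the hunk.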
@@ -812,84 +800,12 @@ func (c *Command) resolveKeyStore(keyStoreID, user string, secretShare []byte) (
 })
 }
-func (c *Command) getStorageProvider(meta *keyStoreMeta) (storage.Provider, error) {
- var storageProvider storage.Provider
-
- if meta.EDV.VaultURL != "" {
- var err error
-
- storageProvider, err = c.resolveEDVProvider(meta.EDV.VaultURL, meta.EDV.RecipientKeyID, meta.EDV.MACKeyID,
- meta.EDV.Capability)
- if err != nil {
- return nil, fmt.Errorf("resolve edv provider: %w", err)
- }
-
- storageProvider = metrics.Wrap(storageProvider, "EDV")
- } else {
- storageProvider = c.keyStorageProvider
- }
+func (c *Command) getStorageProvider() storage.Provider {
+ storageProvider := c.keyStorageProvider
 if c.cacheProvider != nil && c.keyStoreCacheTTL > 0 {
 storageProvider = c.cacheProvider.Wrap(storageProvider, c.keyStoreCacheTTL)
 }
- return storageProvider, nil
-}
-
-func (c *Command) resolveEDVProvider(vaultURL, recKeyID, macKeyID string, capability []byte) (storage.Provider, error) {
- recPubBytes, _, err := c.kms.ExportPubKeyBytes(recKeyID)
- if err != nil {
- return nil, fmt.Errorf("get edv recipient key: %w", err)
- }
-
- recPub := new(crypto.PublicKey)
- recPub.KID = recKeyID
-
- if err = json.Unmarshal(recPubBytes, recPub); err != nil {
- return nil, fmt.Errorf("unmarshal recipient key bytes to public key: %w", err)
- }
-
- macKH, err := c.kms.Get(macKeyID)
- if err != nil {
- return nil, fmt.Errorf("get edv mac key handle: %w", err)
- }
-
- edvProvider, err := c.createEDVStorageProvider(vaultURL, recPub, macKH, capability)
- if err != nil {
- return nil, fmt.Errorf("create edv provider: %w", err)
- }
-
- return edvProvider, nil
-}
-
-func (c *Command) createEDVStorageProvider(vaultURL string, recipientPubKey *crypto.PublicKey,
- macKeyHandle interface{}, capability []byte) (storage.Provider, error) {
- jweEncrypt, err := jose.NewJWEEncrypt(encAlg, encType, "", "", nil, []*crypto.PublicKey{recipientPubKey}, c.crypto)
- if err != nil {
- return nil, 
fmt.Errorf("create jwe encrypt: %w", err)
- }
-
- jweDecrypt := jose.NewJWEDecrypt(nil, c.crypto, c.kms)
-
- encryptedFormatter := edv.NewEncryptedFormatter(
- jweEncrypt,
- jweDecrypt,
- edv.NewMACCrypto(macKeyHandle, c.crypto),
- edv.WithDeterministicDocumentIDs(),
- )
-
- s := strings.Split(vaultURL, "/")
-
- edvServerURL := strings.Join(s[:len(s)-1], "/")
- vaultID := s[len(s)-1]
-
- return edv.NewRESTProvider(
- edvServerURL,
- vaultID,
- encryptedFormatter,
- edv.WithTLSConfig(c.tlsConfig),
- edv.WithHeaders(func(req *http.Request) (*http.Header, error) {
- return c.headerSigner.SignHeader(req, capability)
- }),
- ), nil
+ return storageProvider
 }
diff --git a/pkg/controller/command/command_create_key_store.go b/pkg/controller/command/command_create_key_store.go
index 476d308e..317f4e23 100644
--- a/pkg/controller/command/command_create_key_store.go
+++ b/pkg/controller/command/command_create_key_store.go
@@ -14,7 +14,6 @@ import (
 "time"
 "github.com/hyperledger/aries-framework-go/pkg/crypto"
- "github.com/hyperledger/aries-framework-go/pkg/doc/jose"
 "github.com/hyperledger/aries-framework-go/pkg/kms"
 "github.com/hyperledger/aries-framework-go/pkg/secretlock"
 "github.com/hyperledger/aries-framework-go/spi/storage"
@@ -33,18 +32,10 @@ const (
 // keyStoreMeta is metadata about user's key store saved in the underlying storage.
 type keyStoreMeta struct {
- ID string `json:"id"`
- Controller string `json:"controller"`
- MainKeyID string `json:"main_key_id"`
- EDV edvParameters `json:"edv,omitempty"`
- CreatedAt time.Time `json:"created_at"`
-}
-
-type edvParameters struct {
- VaultURL string `json:"vault_url"`
- RecipientKeyID string `json:"recipient_key_id"`
- MACKeyID string `json:"mac_key_id"`
- Capability []byte `json:"capability"`
+ ID string `json:"id"`
+ Controller string `json:"controller"`
+ MainKeyID string `json:"main_key_id"`
+ CreatedAt time.Time `json:"created_at"`
 }
 // CreateKeyStore creates a new key store.
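Review bot: The rewritten getStorageProvider (hunk @@ -812, which starts on the previous line of this page) loses its error return and becomes the single place that decides which provider backs a key store, yet it has no doc comment saying so. A one-liner above the new signature would carry that contract: `// getStorageProvider returns the server's key storage provider, wrapped with the cache when a cache provider and a positive TTL are configured.` With the EDV branch gone the function no longer needs `meta`, so callers that still hold a keyStoreMeta only to pass it in can drop that dependency too.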
@@ -60,7 +51,7 @@ func (c *Command) CreateKeyStore(w io.Writer, r io.Reader) error { //nolint:funl
 return fmt.Errorf("validate request: %w", err)
 }
- kmsStore, edvParams, err := c.createKMSStore(&req)
+ kmsStore, err := c.createKMSStore()
 if err != nil {
 return err
 }
@@ -90,7 +81,6 @@ func (c *Command) CreateKeyStore(w io.Writer, r io.Reader) error { //nolint:funl
 ID: xid.New().String(),
 Controller: req.Controller,
 MainKeyID: mainKeyID,
- EDV: edvParams,
 CreatedAt: time.Now().UTC(),
 }
@@ -127,22 +117,13 @@ func (c *Command) CreateKeyStore(w io.Writer, r io.Reader) error { //nolint:funl
 })
 }
-func (c *Command) createKMSStore(req *CreateKeyStoreRequest) (kms.Store, edvParameters, error) {
+func (c *Command) createKMSStore() (kms.Store, error) {
 var (
- edvParams edvParameters
 storageProvider storage.Provider
 err error
 )
- if req.EDV != nil { // use EDV for storing user's operational keys
- storageProvider, edvParams, err = c.prepareEDVProvider(req.EDV.VaultURL, req.EDV.Capability)
- if err != nil {
- return nil, edvParameters{}, fmt.Errorf("prepare edv provider: %w", err)
- }
- } else {
- storageProvider = c.keyStorageProvider
- }
-
+ storageProvider = c.keyStorageProvider
 if c.cacheProvider != nil && c.keyStoreCacheTTL > 0 {
 storageProvider = c.cacheProvider.Wrap(storageProvider, c.keyStoreCacheTTL)
 }
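Review bot: After the EDV branch is removed, createKMSStore's `var ( storageProvider storage.Provider; err error )` block followed by `storageProvider = c.keyStorageProvider` and the cache wrap is the same two statements that hunk @@ -812 in command.go just reduced getStorageProvider to, and the two copies will drift the next time the wrapping rules change. Replace the var block and both statements with `storageProvider := c.getStorageProvider()` and let `kmsStore, err := kms.NewAriesProviderWrapper(storageProvider)` in the next hunk declare err. The new `storageProvider = ...` line also lands directly under the closing `)` of the var block where a deleted blank line used to be, which gofmt tolerates but the file's style elsewhere does not. createKMSStore continues in hunk @@ -151 below.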
@@ -151,62 +132,10 @@ func (c *Command) createKMSStore(req *CreateKeyStoreRequest) (kms.Store, edvPara
 // the Aries storage provider.
 kmsStore, err := kms.NewAriesProviderWrapper(storageProvider)
 if err != nil {
- return nil, edvParameters{}, err
- }
-
- return kmsStore, edvParams, nil
-}
-
-func (c *Command) prepareEDVProvider(vaultURL string, capability []byte) (storage.Provider, edvParameters, error) {
- recKID, pub, err := c.createRecipientKey()
- if err != nil {
- return nil, edvParameters{}, fmt.Errorf("create edv recipient key: %w", err)
- }
-
- macKID, kh, err := c.createMACKey()
- if err != nil {
- return nil, edvParameters{}, fmt.Errorf("create edv mac key: %w", err)
- }
-
- edvParams := edvParameters{
- VaultURL: vaultURL,
- RecipientKeyID: recKID,
- MACKeyID: macKID,
- Capability: capability,
- }
-
- edvProvider, err := c.createEDVStorageProvider(edvParams.VaultURL, pub, kh, edvParams.Capability)
- if err != nil {
- return nil, edvParameters{}, fmt.Errorf("create edv provider: %w", err)
- }
-
- return edvProvider, edvParams, nil
-}
-
-func (c *Command) createRecipientKey() (string, *crypto.PublicKey, error) {
- kid, b, err := c.kms.CreateAndExportPubKeyBytes(c.edvRecipientKeyType)
- if err != nil {
- return "", nil, fmt.Errorf("create key: %w", err)
- }
-
- pub := new(crypto.PublicKey)
- pub.KID = kid
-
- err = json.Unmarshal(b, pub)
- if err != nil {
- return "", nil, fmt.Errorf("unmarshal key bytes to public key: %w", err)
+ return nil, err
 }
- return kid, pub, nil
-}
-
-func (c *Command) createMACKey() (string, interface{}, error) {
- kid, kh, err := c.kms.Create(c.edvMACKeyType)
- if err != nil {
- return "", nil, fmt.Errorf("create key: %w", err)
- }
-
- return kid, kh, nil
+ return kmsStore, nil
 }
 func (c *Command) newCompressedZCAP(ctx context.Context, resource, controller string) ([]byte, error) {
@@ -228,11 +157,6 @@ func (c *Command) newCompressedZCAP(ctx context.Context, resource, controller st
 return compressed, nil
 }
-const (
- encAlg = jose.A256GCM
- encType = "EDVEncryptedDocument"
-)
-
 func (c *Command) createShamirSecretLock(user string, secretShare []byte) (secretlock.Service, error) {
 if user == "" {
 return nil, fmt.Errorf("%w: empty user", errors.ErrValidation)
diff --git a/pkg/controller/command/command_test.go b/pkg/controller/command/command_test.go
index bcee6bfb..ec98acc9 100644
--- a/pkg/controller/command/command_test.go
+++ b/pkg/controller/command/command_test.go
@@ -33,8 +33,6 @@ import (
 mockcrypto "github.com/hyperledger/aries-framework-go/pkg/mock/crypto"
 mockkms "github.com/hyperledger/aries-framework-go/pkg/mock/kms"
 mockstorage "github.com/hyperledger/aries-framework-go/pkg/mock/storage"
- "github.com/hyperledger/aries-framework-go/pkg/secretlock"
- "github.com/hyperledger/aries-framework-go/spi/storage"
 "github.com/stretchr/testify/require"
 "github.com/trustbloc/edge-core/pkg/zcapld"
@@ -103,59 +101,6 @@ func TestCommand_CreateDID(t *testing.T) {
 }
 func TestCommand_CreateKeyStore(t *testing.T) {
- t.Run("Success with EDV storage", func(t *testing.T) {
- ctrl := gomock.NewController(t)
-
- cr, err := tinkcrypto.New()
- require.NoError(t, err)
-
- km := &mockkms.KeyManager{
- CrAndExportPubKeyValue: createRecipientPubKey(t),
- }
-
- creator := NewMockKeyStoreCreator(ctrl)
- creator.EXPECT().Create(gomock.Any(), gomock.Any()).Return(nil, nil).Times(1)
-
- zcap := NewMockZCAPService(ctrl)
- zcap.EXPECT().NewCapability(context.Background(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
- Return(&zcapld.Capability{}, nil).
- Times(1)
-
- cache := NewMockCacheProvider(ctrl)
- cache.EXPECT().Wrap(gomock.Any(), gomock.Any()).Times(1).Return(mem.NewProvider())
-
- cmd, err := New(&Config{
- StorageProvider: mockstorage.NewMockStoreProvider(),
- KMS: km,
- Crypto: cr,
- KeyStoreCreator: creator,
- ZCAPService: zcap,
- EnableZCAPs: true,
- CacheProvider: cache,
- KeyStoreCacheTTL: 10 * time.Second,
- })
- require.NoError(t, err)
- require.NotNil(t, cmd)
-
- req, err := json.Marshal(CreateKeyStoreRequest{
- Controller: "did:example:test",
- EDV: &EDVOptions{
- VaultURL: "https://edv-host/encrypted-data-vaults/vault-id",
- },
- })
- require.NoError(t, err)
-
- wr, err := json.Marshal(WrappedRequest{
- Request: req,
- })
- require.NoError(t, err)
-
- var buf bytes.Buffer
-
- err = cmd.CreateKeyStore(&buf, bytes.NewBuffer(wr))
- require.NoError(t, err)
- })
-
 t.Run("Success with Shamir secret lock", func(t *testing.T) {
 ctrl := gomock.NewController(t)
 defer ctrl.Finish()
@@ -245,41 +190,6 @@ func TestCommand_CreateKeyStore(t *testing.T) {
 require.EqualError(t, err, "validate request: validation failed: controller must be non-empty")
 })
- t.Run("Fail to prepare EDV provider", func(t *testing.T) {
- cr, err := tinkcrypto.New()
- require.NoError(t, err)
-
- km := &mockkms.KeyManager{
- CrAndExportPubKeyErr: errors.New("create pub key error"),
- }
-
- cmd, err := New(&Config{
- StorageProvider: mockstorage.NewMockStoreProvider(),
- KMS: km,
- Crypto: cr,
- })
- require.NoError(t, err)
- require.NotNil(t, cmd)
-
- req, err := json.Marshal(CreateKeyStoreRequest{
- Controller: "did:example:test",
- EDV: &EDVOptions{
- VaultURL: "https://edv-host/encrypted-data-vaults/vault-id",
- },
- })
- require.NoError(t, err)
-
- wr, err := json.Marshal(WrappedRequest{
- Request: req,
- })
- require.NoError(t, err)
-
- var buf bytes.Buffer
-
- err = cmd.CreateKeyStore(&buf, bytes.NewBuffer(wr))
- require.EqualError(t, err, "prepare edv provider: create edv recipient key: create key: create pub key error")
- })
-
 t.Run("Fail to fetch secret share from auth server", func(t *testing.T) {
 ctrl := gomock.NewController(t)
@@ -650,60 +560,6 @@ func TestCommand_CreateKey(t *testing.T) {
 require.Equal(t, "/key_store_id/keys/key_id", resp.KeyURL)
 })
- t.Run("Success with EDV storage and Shamir secret lock", func(t *testing.T) {
- keyStoreData := []byte(`{
- "id": "key_store_id",
- "controller": "controller",
- "edv": {
- "vault_url": "https://edv-host/encrypted-data-vaults/vault-id"
- }
- }`)
-
- p := mockstorage.NewMockStoreProvider()
- p.Store.Store["key_store_id"] = mockstorage.DBEntry{Value: keyStoreData}
-
- km := &mockkms.KeyManager{
- ExportPubKeyBytesValue: createRecipientPubKey(t),
- CreateKeyID: "key_id",
- }
-
- ctrl := gomock.NewController(t)
-
- shamirLockCreator := NewMockShamirSecretLockCreator(ctrl)
- shamirLockCreator.EXPECT().Create(gomock.Any()).Return(nil, nil).Times(1)
-
- shamirProvider := NewMockShamirProvider(ctrl)
- shamirProvider.EXPECT().FetchSecretShare(gomock.Any()).Return([]byte("secret share"), nil).Times(1)
-
- cmd := createCmd(t, ctrl,
- withStorageProvider(p), withKeyManager(km), withShamirSecretLockCreator(shamirLockCreator),
- withShamirProvider(shamirProvider))
-
- req, err := json.Marshal(CreateKeyRequest{
- KeyType: kms.ED25519,
- })
- require.NoError(t, err)
-
- wr, err := json.Marshal(WrappedRequest{
- KeyStoreID: "key_store_id",
- User: "user",
- SecretShare: []byte("secret share"),
- Request: req,
- })
- require.NoError(t, err)
-
- var buf bytes.Buffer
-
- err = cmd.CreateKey(&buf, bytes.NewBuffer(wr))
- require.NoError(t, err)
-
- var resp CreateKeyResponse
-
- err = json.Unmarshal(buf.Bytes(), &resp)
- require.NoError(t, err)
- require.Equal(t, "/key_store_id/keys/key_id", resp.KeyURL)
- })
-
 t.Run("Fail to decode wrapped request", func(t *testing.T) {
 cmd, err := New(&Config{
 StorageProvider: mockstorage.NewMockStoreProvider(),
@@ -2370,12 +2226,6 @@ func createCmd(t *testing.T, ctrl *gomock.Controller, opts ...configOption) *Com
 type configOption func(c *Config)
-func withStorageProvider(p storage.Provider) configOption {
- return func(c *Config) {
- c.StorageProvider = p
- }
-}
-
 func withKeyManager(km kms.KeyManager) configOption {
 return func(c *Config) {
 c.KMS = km
@@ -2398,26 +2248,6 @@ func withCryptoBoxCreator(creator cryptoBoxCreator) configOption {
 }
 }
-type shamirSecretLockCreator interface {
- Create(secretShares [][]byte) (secretlock.Service, error)
-}
-
-func withShamirSecretLockCreator(creator shamirSecretLockCreator) configOption {
- return func(c *Config) {
- c.ShamirSecretLockCreator = creator
- }
-}
-
-type shamirProvider interface {
- FetchSecretShare(subject string) ([]byte, error)
-}
-
-func withShamirProvider(provider shamirProvider) configOption {
- return func(c *Config) {
- c.ShamirProvider = provider
- }
-}
-
 func createPrivateKey(t *testing.T, kt kms.KeyType) interface{} {
 t.Helper()
diff --git a/pkg/controller/command/models.go b/pkg/controller/command/models.go
index 988a5107..f89b48f4 100644
--- a/pkg/controller/command/models.go
+++ b/pkg/controller/command/models.go
@@ -31,14 +31,7 @@ type CreateDIDResponse struct {
 // CreateKeyStoreRequest is a request to create user's key store.
 type CreateKeyStoreRequest struct {
- Controller string `json:"controller"`
- EDV *EDVOptions `json:"edv"`
-}
-
-// EDVOptions represents options for creating data vault on EDV.
-type EDVOptions struct {
- VaultURL string `json:"vault_url"`
- Capability []byte `json:"capability"`
+ Controller string `json:"controller"`
 }
 // Validate validates CreateKeyStore request.
diff --git a/pkg/controller/rest/models.go b/pkg/controller/rest/models.go
index 7d1fb63d..ec0d03cb 100644
--- a/pkg/controller/rest/models.go
+++ b/pkg/controller/rest/models.go
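Review bot: Dropping `EDV` from CreateKeyStoreRequest in the models.go hunk means a client that still sends an `edv` object gets a server-stored key store with no signal that the option was ignored, because encoding/json skips unknown fields unless the decoder sets DisallowUnknownFields, and whether this module's request decoder does so is not visible in the diff. Either reject the field explicitly, for instance by keeping a `json.RawMessage` field tagged `edv` and having Validate return `errors.ErrValidation` when it is non-empty, or at least state the new contract in the type's doc comment: `// CreateKeyStoreRequest is a request to create user's key store. Working keys are always kept in the server's storage; the former "edv" option is no longer accepted.` The rest/models.go swagger struct in the following section should say the same so generated API docs and behavior agree.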
@@ -44,15 +44,6 @@ type createKeyStoreReq struct { //nolint:unused,deadcode
 // Controller of the key store.
 // required: true
 Controller string `json:"controller"`
-
- // Options for EDV-backed key store. If empty, key store is created in server's storage.
- EDV struct {
- // Vault URL on EDV server.
- VaultURL string `json:"vault_url"`
-
- // Base64-encoded EDV ZCAPs.
- Capability string `json:"capability"`
- } `json:"edv"`
 }
 }
diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
index fa7a3d05..2d0dd6fc 100644
--- a/pkg/metrics/metrics.go
+++ b/pkg/metrics/metrics.go
@@ -92,7 +92,7 @@ func Get() *Metrics {
 }
 func newMetrics() *Metrics {
- dbTypes := []string{"CouchDB", "MongoDB", "EDV", "Cache"}
+ dbTypes := []string{"CouchDB", "MongoDB", "Cache"}
 m := &Metrics{
 cryptoSignTime: newCryptoSignTime(),