refactor: re enable remote kms bdd-tests with unwrapKey (#3263)

This change updates the webkms server in bdd tests and re enables commented out webkms tests requiring cryptobox's /wrap and /unwrap operations. closes #3262 Signed-off-by: Baha Shaaban <baha.shaaban@securekey.com>
hyperledger-archives · Jun 14, 2022 · 3d817ac · 3d817ac
1 parent 119077b
commit 3d817ac
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 50 deletions.
diff --git a/pkg/kms/webkms/crypto_box.go b/pkg/kms/webkms/crypto_box.go
@@ -14,6 +14,7 @@ import (
 
 	"golang.org/x/crypto/nacl/box"
 
+	"github.com/hyperledger/aries-framework-go/pkg/doc/util/jwkkid"
 	"github.com/hyperledger/aries-framework-go/pkg/internal/cryptoutil"
 	"github.com/hyperledger/aries-framework-go/pkg/kms"
 )
@@ -133,7 +134,11 @@ func (b *CryptoBox) Easy(payload, nonce, theirPub []byte, myKID string) ([]byte,
 // theirPub is the public key used to decrypt directly, while myPub is used to identify the private key to be used.
 func (b *CryptoBox) EasyOpen(cipherText, nonce, theirPub, myPub []byte) ([]byte, error) {
 	easyOpenStart := time.Now()
-	destination := b.km.keystoreURL + unwrapURL
+
+	destination, err := b.buildUnwrapURL(myPub)
+	if err != nil {
+		return nil, err
+	}
 
 	httpReqJSON := &easyOpenReq{
 		Ciphertext: cipherText,
@@ -213,7 +218,11 @@ func (b *CryptoBox) Seal(payload, theirEncPub []byte, randSource io.Reader) ([]b
 // and uses that along with the recipient private key corresponding to myPub to decrypt the message.
 func (b *CryptoBox) SealOpen(cipherText, myPub []byte) ([]byte, error) {
 	sealOpenStart := time.Now()
-	destination := b.km.keystoreURL + unwrapURL
+
+	destination, err := b.buildUnwrapURL(myPub)
+	if err != nil {
+		return nil, err
+	}
 
 	httpReqJSON := &sealOpenReq{
 		Ciphertext: cipherText,
@@ -254,3 +263,15 @@ func (b *CryptoBox) SealOpen(cipherText, myPub []byte) ([]byte, error) {
 
 	return httpResp.Plaintext, nil
 }
+
+func (b *CryptoBox) buildUnwrapURL(myPub []byte) (string, error) {
+	// remote kms requires keyID in the keyURL for unwrapURL.
+	kid, err := jwkkid.CreateKID(myPub, kms.ED25519Type)
+	if err != nil {
+		return "", err
+	}
+
+	keyURL := b.km.buildKIDURL(kid)
+
+	return keyURL + unwrapURL, nil
+}
diff --git a/test/bdd/features/didexchange_e2e_sdk.feature b/test/bdd/features/didexchange_e2e_sdk.feature
@@ -46,23 +46,22 @@ Feature: Decentralized Identifier(DID) exchange between the agents using SDK
     Then   "Alice" retrieves connection record and validates that connection state is "completed"
       And   "Bob" retrieves connection record and validates that connection state is "completed"
 
-  #TODO uncomment below test once KMS server refactors /easy to /wrap URL
-#  @webkms_didexchange_e2e_sdk
-#  Scenario: did exchange e2e flow with agents using webkms
-#    Given "Sudesh" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
-#    And   "Sudesh" creates did exchange client
-#    And   "Sudesh" registers to receive notification for post state event "completed"
-#
-#    Given "Firas" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:firas" controller
-#    And   "Firas" creates did exchange client
-#
-#    When   "Firas" registers to receive notification for post state event "completed"
-#    And   "Sudesh" creates invitation
-#    And   "Firas" receives invitation from "Sudesh"
-#    And   "Firas" approves invitation request
-#    And   "Sudesh" approves did exchange request
-#    And   "Sudesh" waits for post state event "completed"
-#    And   "Firas" waits for post state event "completed"
-#
-#    Then   "Sudesh" retrieves connection record and validates that connection state is "completed"
-#    And   "Firas" retrieves connection record and validates that connection state is "completed"
+  @webkms_didexchange_e2e_sdk
+  Scenario: did exchange e2e flow with agents using webkms
+    Given "Sudesh" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
+    And   "Sudesh" creates did exchange client
+    And   "Sudesh" registers to receive notification for post state event "completed"
+
+    Given "Firas" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:firas" controller
+    And   "Firas" creates did exchange client
+
+    When   "Firas" registers to receive notification for post state event "completed"
+    And   "Sudesh" creates invitation
+    And   "Firas" receives invitation from "Sudesh"
+    And   "Firas" approves invitation request
+    And   "Sudesh" approves did exchange request
+    And   "Sudesh" waits for post state event "completed"
+    And   "Firas" waits for post state event "completed"
+
+    Then   "Sudesh" retrieves connection record and validates that connection state is "completed"
+    And   "Firas" retrieves connection record and validates that connection state is "completed"
diff --git a/test/bdd/features/webkms.feature b/test/bdd/features/webkms.feature
@@ -89,32 +89,31 @@ Feature: Decentralized Identifier(DID) exchange between the agents using SDK
     When  "Baha" unwrap wrapped key from "Andrii" with sender key
     Then  "Baha" gets the same CEK as "Andrii"
 
-    #TODO uncomment and rename easy with wrap and easyOpen with unwrap when kms server switches easy to wrap and easyOpen to unwrap.
-#  Scenario: User A anonymously encrypts ("easy") a payload for User B, User B decrypts ("easy open") it
-#    Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
-#    And   "Andrii" create and export "ED25519" key
-#
-#    Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
-#    And   "Baha" create and export "ED25519" key
-#
-#    When  "Andrii" easy "test payload" for "Baha"
-#    Then  "Andrii" gets non-empty ciphertext
-#
-#    When  "Baha" easyOpen ciphertext from "Andrii"
-#    Then  "Baha" gets plaintext with value "test payload"
-  # TODO uncomment test and rename sealOpen with unwrap when kms server switches sealOpen with unwrap.
-#  Scenario: User B decrypts ("seal open") a payload that was encrypted ("seal") by User A
-#    Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
-#    And   "Andrii" create and export "ED25519" key
-#
-#    Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
-#    And   "Baha" create "ED25519" key
-#
-#    When  "Baha" has sealed "test payload 2" for "Andrii"
-#    Then  "Baha" gets non-empty ciphertext
-#
-#    When  "Andrii" sealOpen ciphertext from "Baha"
-#    Then  "Andrii" gets plaintext with value "test payload 2"
+  Scenario: User A anonymously encrypts ("easy") a payload for User B, User B decrypts ("easy open") it
+    Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
+    And   "Andrii" create and export "ED25519" key
+
+    Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
+    And   "Baha" create and export "ED25519" key
+
+    When  "Andrii" easy "test payload" for "Baha"
+    Then  "Andrii" gets non-empty ciphertext
+
+    When  "Baha" easyOpen ciphertext from "Andrii"
+    Then  "Baha" gets plaintext with value "test payload"
+
+  Scenario: User B decrypts ("seal open") a payload that was encrypted ("seal") by User A
+    Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
+    And   "Andrii" create and export "ED25519" key
+
+    Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller
+    And   "Baha" create "ED25519" key
+
+    When  "Baha" has sealed "test payload 2" for "Andrii"
+    Then  "Baha" gets non-empty ciphertext
+
+    When  "Andrii" sealOpen ciphertext from "Baha"
+    Then  "Andrii" gets plaintext with value "test payload 2"
 
   @webkms_interop_localkms
   Scenario: User A with webkms wraps A256GCM key for User B with localkms, User B successfully unwraps it

diff --git a/test/bdd/fixtures/agent-rest/.env b/test/bdd/fixtures/agent-rest/.env
@@ -115,7 +115,7 @@ COUCHDB_PORT=5984
 
 # KMS
 KMS_REST_IMAGE=ghcr.io/trustbloc-cicd/kms
-KMS_REST_TAG=v0.1.8-snapshot-3f3ef05
+KMS_REST_TAG=v0.1.9-snapshot-9389ad5
 
 # Remote JSON-LD context provider configuration
 CONTEXT_PROVIDER_URL=https://file-server.example.com:9099/agent-startup-contexts.json
diff --git a/test/bdd/fixtures/agent-rest/docker-compose.yml b/test/bdd/fixtures/agent-rest/docker-compose.yml
@@ -313,7 +313,7 @@ services:
       - KMS_CACHE_EXPIRATION=10m
       - KMS_SECRET_LOCK_TYPE=local
       - KMS_SECRET_LOCK_KEY_PATH=/etc/tls/secret-lock.key
-      - KMS_ZCAP_ENABLE=false
+      - KMS_AUTH_DISABLE=true
       - KMS_LOG_LEVEL=debug
     ports:
       - 8076:8076