* extended kms API key create/rotate/export with extra options * added CL CredDef and MasterSecret keys to localkms * implemented CredDef pubkey export * refactored keytemplate resolving * added unit tests for CL keys * re-generated kms's mock Signed-off-by: konstantin.goncharov <konstantin.goncharov@avast.com> Signed-off-by: konstantin.goncharov <konstantin.goncharov@avast.com>
Konstantin Goncharov
committed
Aug 16, 2022
1 parent
5fa4db1
commit aab94d2
Showing
13 changed files
with
434 additions
and
124 deletions.
@@ -0,0 +1,36 @@ | ||
/* | ||
Copyright SecureKey Technologies Inc. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package kms | ||
|
||
// keyOpts holds options for Create, Rotate and CreateAndExportPubKeyBytes. | ||
type keyOpts struct { | ||
attrs []string | ||
} | ||
|
||
// NewKeyOpt creates a new empty key option. | ||
// Not to be used directly. It's intended for implementations of KeyManager interface | ||
// Use WithAttrs() option function below instead. | ||
func NewKeyOpt() *keyOpts { // nolint | ||
return &keyOpts{} | ||
} | ||
|
||
// Attrs gets the additional attributes to be used for a key creation. | ||
// Not to be used directly. It's intended for implementations of KeyManager interface | ||
// Use WithAttrs() option function below instead. | ||
func (pk *keyOpts) Attrs() []string { | ||
return pk.attrs | ||
} | ||
|
||
// KeyOpts are the create key option. | ||
type KeyOpts func(opts *keyOpts) | ||
|
||
// WithAttrs option is for creating a key that requires extra attributes. | ||
func WithAttrs(attrs []string) KeyOpts { | ||
return func(opts *keyOpts) { | ||
opts.attrs = attrs | ||
} | ||
} |
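Review bot: `WithAttrs` stores the caller's slice by reference (`opts.attrs = attrs`), so a later mutation of that slice by the caller changes the attributes a key manager reads through `Attrs()`, and `Attrs()` hands the same backing array back out. Copying at the boundary, `opts.attrs = append([]string(nil), attrs...)`, isolates the options from the caller. The `Attrs` doc comment repeats the "Use WithAttrs() option function below instead" sentence from `NewKeyOpt`, which does not fit a getter; `// Attrs returns the additional attributes set via WithAttrs; intended for KeyManager implementations.` reads more accurately, and the `KeyOpts` comment could read `// KeyOpts is a functional option for key creation.`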
@@ -0,0 +1,94 @@ | ||
/* | ||
Copyright Avast Software. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package localkms | ||
|
||
import ( | ||
"fmt" | ||
|
||
"github.com/golang/protobuf/proto" | ||
"github.com/google/tink/go/aead" | ||
"github.com/google/tink/go/mac" | ||
commonpb "github.com/google/tink/go/proto/common_go_proto" | ||
ecdsapb "github.com/google/tink/go/proto/ecdsa_go_proto" | ||
tinkpb "github.com/google/tink/go/proto/tink_go_proto" | ||
"github.com/google/tink/go/signature" | ||
|
||
"github.com/hyperledger/aries-framework-go/pkg/crypto/tinkcrypto/primitive/bbs" | ||
"github.com/hyperledger/aries-framework-go/pkg/crypto/tinkcrypto/primitive/composite/ecdh" | ||
"github.com/hyperledger/aries-framework-go/pkg/kms" | ||
) | ||
|
||
// nolint:gocyclo | ||
func keyTemplate(keyType kms.KeyType, _ ...kms.KeyOpts) (*tinkpb.KeyTemplate, error) { | ||
switch keyType { | ||
case kms.AES128GCMType: | ||
return aead.AES128GCMKeyTemplate(), nil | ||
case kms.AES256GCMNoPrefixType: | ||
// RAW (to support keys not generated by Tink) | ||
return aead.AES256GCMNoPrefixKeyTemplate(), nil | ||
case kms.AES256GCMType: | ||
return aead.AES256GCMKeyTemplate(), nil | ||
case kms.ChaCha20Poly1305Type: | ||
return aead.ChaCha20Poly1305KeyTemplate(), nil | ||
case kms.XChaCha20Poly1305Type: | ||
return aead.XChaCha20Poly1305KeyTemplate(), nil | ||
case kms.ECDSAP256TypeDER: | ||
return signature.ECDSAP256KeyWithoutPrefixTemplate(), nil | ||
case kms.ECDSAP384TypeDER: | ||
// Since Tink's signature.ECDSAP384KeyWithoutPrefixTemplate() uses SHA_512 as the hashing function during | ||
// signature/verification, the kms type must explicitly use SHA_384 just as IEEEP384 key template below. | ||
// For this reason, the KMS cannot use Tink's `signature.ECDSAP384KeyWithoutPrefixTemplate()` template here. | ||
return createECDSAKeyTemplate(ecdsapb.EcdsaSignatureEncoding_DER, commonpb.HashType_SHA384, | ||
commonpb.EllipticCurveType_NIST_P384), nil | ||
case kms.ECDSAP521TypeDER: | ||
return signature.ECDSAP521KeyWithoutPrefixTemplate(), nil | ||
case kms.ECDSAP256TypeIEEEP1363: | ||
// JWS keys should sign using IEEE_P1363 format only (not DER format) | ||
return createECDSAIEEE1363KeyTemplate(commonpb.HashType_SHA256, commonpb.EllipticCurveType_NIST_P256), nil | ||
case kms.ECDSAP384TypeIEEEP1363: | ||
return createECDSAIEEE1363KeyTemplate(commonpb.HashType_SHA384, commonpb.EllipticCurveType_NIST_P384), nil | ||
case kms.ECDSAP521TypeIEEEP1363: | ||
return createECDSAIEEE1363KeyTemplate(commonpb.HashType_SHA512, commonpb.EllipticCurveType_NIST_P521), nil | ||
case kms.ED25519Type: | ||
return signature.ED25519KeyWithoutPrefixTemplate(), nil | ||
case kms.HMACSHA256Tag256Type: | ||
return mac.HMACSHA256Tag256KeyTemplate(), nil | ||
case kms.NISTP256ECDHKWType: | ||
return ecdh.NISTP256ECDHKWKeyTemplate(), nil | ||
case kms.NISTP384ECDHKWType: | ||
return ecdh.NISTP384ECDHKWKeyTemplate(), nil | ||
case kms.NISTP521ECDHKWType: | ||
return ecdh.NISTP521ECDHKWKeyTemplate(), nil | ||
case kms.X25519ECDHKWType: | ||
return ecdh.X25519ECDHKWKeyTemplate(), nil | ||
case kms.BLS12381G2Type: | ||
return bbs.BLS12381G2KeyTemplate(), nil | ||
default: | ||
return nil, fmt.Errorf("getKeyTemplate: key type '%s' unrecognized", keyType) | ||
} | ||
} | ||
|
||
func createECDSAIEEE1363KeyTemplate(hashType commonpb.HashType, curve commonpb.EllipticCurveType) *tinkpb.KeyTemplate { | ||
return createECDSAKeyTemplate(ecdsapb.EcdsaSignatureEncoding_IEEE_P1363, hashType, curve) | ||
} | ||
|
||
func createECDSAKeyTemplate(sigEncoding ecdsapb.EcdsaSignatureEncoding, hashType commonpb.HashType, | ||
curve commonpb.EllipticCurveType) *tinkpb.KeyTemplate { | ||
params := &ecdsapb.EcdsaParams{ | ||
HashType: hashType, | ||
Curve: curve, | ||
Encoding: sigEncoding, | ||
} | ||
format := &ecdsapb.EcdsaKeyFormat{Params: params} | ||
serializedFormat, _ := proto.Marshal(format) //nolint:errcheck | ||
|
||
return &tinkpb.KeyTemplate{ | ||
TypeUrl: ecdsaPrivateKeyTypeURL, | ||
Value: serializedFormat, | ||
OutputPrefixType: tinkpb.OutputPrefixType_RAW, | ||
} | ||
} |
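Review bot: `keyTemplate` declares its options parameter as `_ ...kms.KeyOpts` and never reads it, so a `WithAttrs` passed for any key type handled here is silently dropped rather than rejected; a doc comment on the function stating that the options exist only for signature compatibility with getKeyTemplate and are ignored would make that contract visible, and returning an error when `len(opts) > 0` is the stricter alternative if attributes are meant to be type-specific. The default branch's message still says `getKeyTemplate:` although this function is now `keyTemplate`; if no test matches the string, `return nil, fmt.Errorf("keyTemplate: key type '%s' unrecognized", keyType)` keeps the prefix in step with the function name. `createECDSAKeyTemplate` discards the `proto.Marshal` error (`//nolint:errcheck`), which on failure would produce a template with an empty Value; that code looks moved rather than new, so I only flag it.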
@@ -0,0 +1,21 @@ | ||
//go:build !ursa | ||
// +build !ursa | ||
|
||
/* | ||
Copyright Avast Software. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package localkms | ||
|
||
import ( | ||
tinkpb "github.com/google/tink/go/proto/tink_go_proto" | ||
|
||
"github.com/hyperledger/aries-framework-go/pkg/kms" | ||
) | ||
|
||
// getKeyTemplate returns tink KeyTemplate associated with the provided keyType. | ||
func getKeyTemplate(keyType kms.KeyType, opts ...kms.KeyOpts) (*tinkpb.KeyTemplate, error) { | ||
return keyTemplate(keyType, opts...) | ||
} |
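Review bot: In this `!ursa` variant `getKeyTemplate` forwards `kms.CLCredDefType` and `kms.CLMasterSecretType` straight to `keyTemplate`, whose default branch reports the type as unrecognized, so a caller on a build without the tag gets a misleading error instead of one naming the missing build tag. Assuming those constants are declared in package kms without a build constraint, a guard before the delegation, `if keyType == kms.CLCredDefType || keyType == kms.CLMasterSecretType { return nil, fmt.Errorf("getKeyTemplate: key type '%s' requires the ursa build tag", keyType) }`, points at the actual cause; it needs `fmt` added to the import block.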
@@ -0,0 +1,36 @@ | ||
//go:build ursa | ||
// +build ursa | ||
|
||
/* | ||
Copyright Avast Software. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package localkms | ||
|
||
import ( | ||
tinkpb "github.com/google/tink/go/proto/tink_go_proto" | ||
|
||
clbld "github.com/hyperledger/aries-framework-go/pkg/crypto/tinkcrypto/primitive/cl/blinder" | ||
clsgn "github.com/hyperledger/aries-framework-go/pkg/crypto/tinkcrypto/primitive/cl/signer" | ||
"github.com/hyperledger/aries-framework-go/pkg/kms" | ||
) | ||
|
||
// getKeyTemplate returns tink KeyTemplate associated with the provided keyType. | ||
func getKeyTemplate(keyType kms.KeyType, opts ...kms.KeyOpts) (*tinkpb.KeyTemplate, error) { | ||
switch keyType { | ||
case kms.CLCredDefType: | ||
keyOpts := kms.NewKeyOpt() | ||
|
||
for _, opt := range opts { | ||
opt(keyOpts) | ||
} | ||
|
||
return clsgn.CredDefKeyTemplate(keyOpts.Attrs()), nil | ||
case kms.CLMasterSecretType: | ||
return clbld.MasterSecretKeyTemplate(), nil | ||
default: | ||
return keyTemplate(keyType, opts...) | ||
} | ||
} |
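Review bot: The `kms.CLCredDefType` branch builds the template from `keyOpts.Attrs()` even when the caller passed no `WithAttrs`, so `clsgn.CredDefKeyTemplate` receives a nil slice; whether that yields a usable credential-definition key is not visible here, so unless an empty attribute list is intentionally supported I'd validate before the call, `if len(keyOpts.Attrs()) == 0 { return nil, fmt.Errorf("getKeyTemplate: key type '%s' requires attributes", keyType) }` (with `fmt` imported). Options passed for `kms.CLMasterSecretType` are silently ignored; a short comment on that case, `// MasterSecret keys take no options; any opts are ignored.`, would document this.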