fix: wallet - incorrect crypto for EDV with WebKMS profiles

- Part of hyperledger-archives#2433

Signed-off-by: sudesh.shetty <sudesh.shetty@securekey.com>

pkg/wallet/storage.go

@@ -11,8 +11,10 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 
 	"github.com/bluele/gcache"
+	"github.com/hyperledger/aries-framework-go/pkg/crypto/webkms"
 
 	"github.com/hyperledger/aries-framework-go/component/storage/edv"
 
@@ -44,7 +46,7 @@ func (s *storageProvider) OpenStore(auth string, opts *unlockOpts, config storag
 	var err error
 
 	if s.profile.EDVConf != nil {
-		provider, err = createEDVStorageProvider(auth, s.profile.EDVConf, opts)
+		provider, err = createEDVStorageProvider(auth, s.profile, opts)
 		if err != nil {
 			return nil, err
 		}
@@ -72,8 +74,8 @@ func (s *storageProvider) OpenStore(auth string, opts *unlockOpts, config storag
 
 // TODO (#2815): find a way to allow EDV to be used without importing the edv package, since it causes the main Aries
 //               module to depend on edv
-func createEDVStorageProvider(auth string, conf *edvConf, opts *unlockOpts) (storage.Provider, error) {
-	if conf.EncryptionKeyID == "" || conf.MACKeyID == "" {
+func createEDVStorageProvider(auth string, profile *profile, opts *unlockOpts) (storage.Provider, error) {
+	if profile.EDVConf.EncryptionKeyID == "" || profile.EDVConf.MACKeyID == "" {
 		return nil, errors.New("invalid EDV configuration found in wallet profile, key IDs for encryption and MAC operations are missing") //nolint: lll
 	}
 
@@ -88,13 +90,18 @@ func createEDVStorageProvider(auth string, conf *edvConf, opts *unlockOpts) (sto
 	}
 
 	// get crypto
-	cryptoImpl, err := tinkcrypto.New()
-	if err != nil {
-		return nil, fmt.Errorf("failed to create crypto: %w", err)
+	var cryptoImpl crypto.Crypto
+	if profile.KeyServerURL != "" {
+		cryptoImpl = webkms.New(profile.KeyServerURL, http.DefaultClient, opts.webkmsOpts...)
+	} else {
+		cryptoImpl, err = tinkcrypto.New()
+		if err != nil {
+			return nil, fmt.Errorf("failed to create crypto: %w", err)
+		}
 	}
 
 	// get jwe encrypter
-	jweEncrypter, err := getJWSEncrypter(conf.EncryptionKeyID, keyMgr, cryptoImpl)
+	jweEncrypter, err := getJWSEncrypter(profile.EDVConf.EncryptionKeyID, keyMgr, cryptoImpl)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create JWE encrypter: %w", err)
 	}
@@ -103,7 +110,7 @@ func createEDVStorageProvider(auth string, conf *edvConf, opts *unlockOpts) (sto
 	jweDecrypter := jose.NewJWEDecrypt(nil, cryptoImpl, keyMgr)
 
 	// get MAC crypto
-	macCrypto, err := getMacCrypto(conf.MACKeyID, keyMgr, cryptoImpl)
+	macCrypto, err := getMacCrypto(profile.EDVConf.MACKeyID, keyMgr, cryptoImpl)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create mac crypto: %w", err)
 	}
@@ -114,7 +121,7 @@ func createEDVStorageProvider(auth string, conf *edvConf, opts *unlockOpts) (sto
 	}
 
 	// create EDV provider
-	return edv.NewRESTProvider(conf.ServerURL, conf.VaultID,
+	return edv.NewRESTProvider(profile.EDVConf.ServerURL, profile.EDVConf.VaultID,
 		edv.NewEncryptedFormatter(jweEncrypter, jweDecrypter, macCrypto, edv.WithDeterministicDocumentIDs()),
 		edvOpts...), nil
 }

pkg/wallet/storage_test.go

@@ -57,6 +57,7 @@ func TestStorageProvider_OpenStore(t *testing.T) {
 				ServerURL: "sample-server",
 				VaultID:   "sample-vault-ID",
 			},
+			KeyServerURL: sampleKeyServerURL,
 		}
 
 		kmgr, err := keyManager().getKeyManger(token)
@@ -87,7 +88,7 @@ func TestStorageProvider_OpenStore(t *testing.T) {
 		require.NotEmpty(t, store)
 
 		// no edv opts
-		store, err = wsp.OpenStore(token, nil,
+		store, err = wsp.OpenStore(token, &unlockOpts{},
 			storage.StoreConfiguration{TagNames: []string{Credential.Name()}})
 		require.NoError(t, err)
 		require.NotEmpty(t, store)