Retrieve default master wrapping key only in rekey bus processor

Author: anien

components/crypto/crypto-rest/src/main/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceImpl.kt

@@ -221,7 +221,7 @@ class KeyRotationRestResourceImpl @Activate constructor(
                 val deserializedValueOfOneRecord =
                     checkNotNull(unmanagedKeyStatusDeserializer.deserialize(records.first().value))
                 return KeyRotationStatusResponse(
-                    MASTER_WRAPPING_KEY_ROTATION_IDENTIFIER,
+                    records.first().metadata[KeyRotationMetadataValues.DEFAULT_MASTER_KEY_ALIAS].toString(),
                     rotationStatus,
                     deserializedValueOfOneRecord.createdTimestamp,
                     getLatestTimestamp(records),

components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRekeyBusProcessor.kt

@@ -297,6 +297,7 @@ class CryptoRekeyBusProcessor(
                     IndividualKeyRotationRequest(
                         request.requestId,
                         tenantId,
+                        defaultUnmanagedWrappingKeyName,
                         alias,
                         null, // keyUuid not used in unmanaged key rotation
                         KeyType.UNMANAGED
@@ -319,6 +320,7 @@ class CryptoRekeyBusProcessor(
                         request.requestId,
                         request.tenantId,
                         null,
+                        null,
                         it.toString(),
                         KeyType.MANAGED
                     )

components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessor.kt

@@ -31,7 +31,6 @@ class CryptoRewrapBusProcessor(
     val cryptoService: CryptoService,
     private val stateManager: StateManager,
     private val cordaAvroSerializationFactory: CordaAvroSerializationFactory,
-    private val defaultUnmanagedWrappingKeyName: String,
 ) : DurableProcessor<String, IndividualKeyRotationRequest> {
 
     companion object {
@@ -74,6 +73,10 @@ class CryptoRewrapBusProcessor(
                     logger.info("targetKeyAlias missing from unmanaged IndividualKeyRotationRequest, ignoring.")
                     return
                 }
+                if (request.masterWrappingKeyAlias.isNullOrEmpty()) {
+                    logger.info("masterWrappingKeyAlias missing from unmanaged IndividualKeyRotationRequest, ignoring.")
+                    return
+                }
                 if (request.keyUuid != null) {
                     logger.info("keyUuid provided for unmanaged IndividualKeyRotationRequest, ignoring.")
                     return
@@ -83,7 +86,7 @@ class CryptoRewrapBusProcessor(
                     cryptoService.rewrapWrappingKey(
                         request.tenantId,
                         request.targetKeyAlias,
-                        defaultUnmanagedWrappingKeyName
+                        request.masterWrappingKeyAlias,
                     )
                 }
 
@@ -95,6 +98,10 @@ class CryptoRewrapBusProcessor(
                     logger.info("targetKeyAlias provided for managed IndividualKeyRotationRequest, ignoring.")
                     return
                 }
+                if (request.masterWrappingKeyAlias != null) {
+                    logger.info("masterWrappingKeyAlias provided for managed IndividualKeyRotationRequest, ignoring.")
+                    return
+                }
                 if (request.keyUuid.isNullOrEmpty()) {
                     logger.info("keyUuid missing from managed IndividualKeyRotationRequest, ignoring.")
                     return
@@ -183,14 +190,14 @@ class CryptoRewrapBusProcessor(
                 stateManager.get(
                     listOf(
                         getKeyRotationStatusRecordKey(
-                            defaultUnmanagedWrappingKeyName,
+                            request.masterWrappingKeyAlias,
                             request.tenantId
                         )
                     )
                 )
             check(tenantIdWrappingKeysRecords.size == 1) {
                 "Found none or more than 1 ${request.tenantId} record " +
-                        "in the database for new master wrapping key $defaultUnmanagedWrappingKeyName. " +
+                        "in the database for new master wrapping key ${request.masterWrappingKeyAlias}. " +
                         "Found records $tenantIdWrappingKeysRecords."
             }
 

components/crypto/crypto-service-impl/src/test/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessorTests.kt

@@ -48,7 +48,6 @@ class CryptoRewrapBusProcessorTests {
 
     companion object {
         private val tenantId = UUID.randomUUID().toString()
-        private const val OLD_PARENT_KEY_ALIAS = "alias1"
         private const val WRAPPING_KEY_ALIAS = "alias"
         private const val DEFAULT_MASTER_WRAP_KEY_ALIAS = "defaultKeyAlias"
     }
@@ -117,14 +116,12 @@ class CryptoRewrapBusProcessorTests {
             cryptoService,
             stateManager,
             unmanagedCordaAvroSerializationFactory,
-            DEFAULT_MASTER_WRAP_KEY_ALIAS
         )
 
         managedCryptoRewrapBusProcessor = CryptoRewrapBusProcessor(
             cryptoService,
             stateManager,
             managedCordaAvroSerializationFactory,
-            DEFAULT_MASTER_WRAP_KEY_ALIAS
         )
     }
 
@@ -138,6 +135,7 @@ class CryptoRewrapBusProcessorTests {
                     IndividualKeyRotationRequest(
                         UUID.randomUUID().toString(),
                         tenantId,
+                        DEFAULT_MASTER_WRAP_KEY_ALIAS,
                         "alias1",
                         null,
                         KeyType.UNMANAGED
@@ -160,6 +158,7 @@ class CryptoRewrapBusProcessorTests {
                         IndividualKeyRotationRequest(
                             UUID.randomUUID().toString(),
                             null,
+                            DEFAULT_MASTER_WRAP_KEY_ALIAS,
                             "alias1",
                             null,
                             KeyType.UNMANAGED
@@ -184,6 +183,57 @@ class CryptoRewrapBusProcessorTests {
                         IndividualKeyRotationRequest(
                             UUID.randomUUID().toString(),
                             "",
+                            DEFAULT_MASTER_WRAP_KEY_ALIAS,
+                            "alias1",
+                            null,
+                            KeyType.UNMANAGED
+                        )
+                    )
+                )
+            ).isEmpty()
+        )
+
+        verify(cryptoService, never()).rewrapWrappingKey(any(), any(), any())
+        verify(stateManager, never()).update(any())
+    }
+
+    @Test
+    fun `unmanaged rewrap with null master wrapping key should be ignored`() {
+        assertTrue(
+            unmanagedCryptoRewrapBusProcessor.onNext(
+                listOf(
+                    Record(
+                        "TBC",
+                        UUID.randomUUID().toString(),
+                        IndividualKeyRotationRequest(
+                            UUID.randomUUID().toString(),
+                            tenantId,
+                            null,
+                            "alias1",
+                            null,
+                            KeyType.UNMANAGED
+                        )
+                    )
+                )
+            ).isEmpty()
+        )
+
+        verify(cryptoService, never()).rewrapWrappingKey(any(), any(), any())
+        verify(stateManager, never()).update(any())
+    }
+
+    @Test
+    fun `unmanaged rewrap with empty master wrapping key should be ignored`() {
+        assertTrue(
+            unmanagedCryptoRewrapBusProcessor.onNext(
+                listOf(
+                    Record(
+                        "TBC",
+                        UUID.randomUUID().toString(),
+                        IndividualKeyRotationRequest(
+                            UUID.randomUUID().toString(),
+                            tenantId,
+                            "",
                             "alias1",
                             null,
                             KeyType.UNMANAGED
@@ -208,6 +258,7 @@ class CryptoRewrapBusProcessorTests {
                         IndividualKeyRotationRequest(
                             UUID.randomUUID().toString(),
                             tenantId,
+                            DEFAULT_MASTER_WRAP_KEY_ALIAS,
                             null,
                             null,
                             KeyType.UNMANAGED
@@ -232,6 +283,7 @@ class CryptoRewrapBusProcessorTests {
                         IndividualKeyRotationRequest(
                             UUID.randomUUID().toString(),
                             tenantId,
+                            DEFAULT_MASTER_WRAP_KEY_ALIAS,
                             "",
                             "",
                             KeyType.UNMANAGED
@@ -256,6 +308,7 @@ class CryptoRewrapBusProcessorTests {
                         IndividualKeyRotationRequest(
                             UUID.randomUUID().toString(),
                             tenantId,
+                            DEFAULT_MASTER_WRAP_KEY_ALIAS,
                             "alias1",
                             UUID.randomUUID().toString(),
                             KeyType.UNMANAGED
@@ -281,6 +334,7 @@ class CryptoRewrapBusProcessorTests {
                         UUID.randomUUID().toString(),
                         tenantId,
                         null,
+                        null,
                         uuid.toString(),
                         KeyType.MANAGED
                     )
@@ -302,6 +356,7 @@ class CryptoRewrapBusProcessorTests {
                             UUID.randomUUID().toString(),
                             null,
                             null,
+                            null,
                             UUID.randomUUID().toString(),
                             KeyType.MANAGED
                         )
@@ -326,6 +381,32 @@ class CryptoRewrapBusProcessorTests {
                             UUID.randomUUID().toString(),
                             "",
                             null,
+                            null,
+                            UUID.randomUUID().toString(),
+                            KeyType.MANAGED
+                        )
+                    )
+                )
+            ).isEmpty()
+        )
+
+        verify(cryptoService, never()).rewrapWrappingKey(any(), any(), any())
+        verify(stateManager, never()).update(any())
+    }
+
+    @Test
+    fun `managed rewrap with master wrapping key set should be ignored`() {
+        assertTrue(
+            managedCryptoRewrapBusProcessor.onNext(
+                listOf(
+                    Record(
+                        "TBC",
+                        UUID.randomUUID().toString(),
+                        IndividualKeyRotationRequest(
+                            UUID.randomUUID().toString(),
+                            tenantId,
+                            DEFAULT_MASTER_WRAP_KEY_ALIAS,
+                            "alias1",
                             UUID.randomUUID().toString(),
                             KeyType.MANAGED
                         )
@@ -349,6 +430,7 @@ class CryptoRewrapBusProcessorTests {
                         IndividualKeyRotationRequest(
                             UUID.randomUUID().toString(),
                             tenantId,
+                            null,
                             "alias1",
                             UUID.randomUUID().toString(),
                             KeyType.MANAGED
@@ -375,6 +457,7 @@ class CryptoRewrapBusProcessorTests {
                             tenantId,
                             null,
                             null,
+                            null,
                             KeyType.MANAGED
                         )
                     )
@@ -398,6 +481,7 @@ class CryptoRewrapBusProcessorTests {
                             UUID.randomUUID().toString(),
                             tenantId,
                             null,
+                            null,
                             "",
                             KeyType.MANAGED
                         )
@@ -422,6 +506,7 @@ class CryptoRewrapBusProcessorTests {
                             UUID.randomUUID().toString(),
                             tenantId,
                             null,
+                            null,
                             "invalid uuid",
                             KeyType.MANAGED
                         )
@@ -446,6 +531,7 @@ class CryptoRewrapBusProcessorTests {
                         UUID.randomUUID().toString(),
                         tenantId,
                         null,
+                        null,
                         uuid.toString(),
                         KeyType.MANAGED
                     )

gradle.properties

@@ -39,7 +39,7 @@ commonsLangVersion = 3.12.0
 commonsTextVersion = 1.10.0
 # Corda API libs revision (change in 4th digit indicates a breaking change)
 # Change to 5.3.0.xx-SNAPSHOT to pick up maven local published copy
-cordaApiVersion=5.3.0.9-beta+
+cordaApiVersion=5.3.0.9-alpha-1713274170118
 
 disruptorVersion=3.4.4
 felixConfigAdminVersion=1.9.26

processors/crypto-processor/src/main/kotlin/net/corda/processors/crypto/internal/CryptoProcessorImpl.kt

@@ -407,7 +407,6 @@ class CryptoProcessorImpl @Activate constructor(
             messagingConfig,
             stateManager,
             cordaAvroSerializationFactory,
-            defaultUnmanagedWrappingKeyName,
             cryptoService
         )
         createSessionEncryptionSubscription(coordinator, retryingConfig, cryptoService)
@@ -468,14 +467,12 @@ class CryptoProcessorImpl @Activate constructor(
         messagingConfig: SmartConfig,
         stateManager: StateManager,
         cordaAvroSerializationFactory: CordaAvroSerializationFactory,
-        defaultUnmanagedWrappingKeyName: String,
         cryptoService: CryptoService
     ) {
         val rewrapProcessor = CryptoRewrapBusProcessor(
             cryptoService,
             stateManager,
             cordaAvroSerializationFactory,
-            defaultUnmanagedWrappingKeyName,
         )
         val rewrapGroupName = "crypto.key.rotation.individual"
         coordinator.createManagedResource(REWRAP_SUBSCRIPTION) {