From 8ff6be9b69b585645272454e1b85e68f455412fb Mon Sep 17 00:00:00 2001 From: Anna Paskova Date: Tue, 16 Apr 2024 14:46:20 +0100 Subject: [PATCH 1/4] Retrieve default master wrapping key only in rekey bus processor --- .../rest/impl/KeyRotationRestResourceImpl.kt | 2 +- .../impl/bus/CryptoRekeyBusProcessor.kt | 2 + .../impl/bus/CryptoRewrapBusProcessor.kt | 15 ++- .../impl/bus/CryptoRewrapBusProcessorTests.kt | 92 ++++++++++++++++++- .../crypto/internal/CryptoProcessorImpl.kt | 3 - 5 files changed, 103 insertions(+), 11 deletions(-) diff --git a/components/crypto/crypto-rest/src/main/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceImpl.kt b/components/crypto/crypto-rest/src/main/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceImpl.kt index 557d8025326..73bc0a38bc7 100644 --- a/components/crypto/crypto-rest/src/main/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceImpl.kt +++ b/components/crypto/crypto-rest/src/main/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceImpl.kt @@ -221,7 +221,7 @@ class KeyRotationRestResourceImpl @Activate constructor( val deserializedValueOfOneRecord = checkNotNull(unmanagedKeyStatusDeserializer.deserialize(records.first().value)) return KeyRotationStatusResponse( - MASTER_WRAPPING_KEY_ROTATION_IDENTIFIER, + records.first().metadata[KeyRotationMetadataValues.DEFAULT_MASTER_KEY_ALIAS].toString(), rotationStatus, deserializedValueOfOneRecord.createdTimestamp, getLatestTimestamp(records), diff --git a/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRekeyBusProcessor.kt b/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRekeyBusProcessor.kt index d7ac6153541..a8284dc48a7 100644 --- a/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRekeyBusProcessor.kt +++ b/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRekeyBusProcessor.kt @@ -297,6 +297,7 @@ class CryptoRekeyBusProcessor( IndividualKeyRotationRequest( request.requestId, tenantId, + defaultUnmanagedWrappingKeyName, alias, null, // keyUuid not used in unmanaged key rotation KeyType.UNMANAGED @@ -319,6 +320,7 @@ class CryptoRekeyBusProcessor( request.requestId, request.tenantId, null, + null, it.toString(), KeyType.MANAGED ) diff --git a/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessor.kt b/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessor.kt index 2f04fb54665..d3e9dbb5f0b 100644 --- a/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessor.kt +++ b/components/crypto/crypto-service-impl/src/main/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessor.kt @@ -31,7 +31,6 @@ class CryptoRewrapBusProcessor( val cryptoService: CryptoService, private val stateManager: StateManager, private val cordaAvroSerializationFactory: CordaAvroSerializationFactory, - private val defaultUnmanagedWrappingKeyName: String, ) : DurableProcessor { companion object { @@ -74,6 +73,10 @@ class CryptoRewrapBusProcessor( logger.info("targetKeyAlias missing from unmanaged IndividualKeyRotationRequest, ignoring.") return } + if (request.masterWrappingKeyAlias.isNullOrEmpty()) { + logger.info("masterWrappingKeyAlias missing from unmanaged IndividualKeyRotationRequest, ignoring.") + return + } if (request.keyUuid != null) { logger.info("keyUuid provided for unmanaged IndividualKeyRotationRequest, ignoring.") return @@ -83,7 +86,7 @@ class CryptoRewrapBusProcessor( cryptoService.rewrapWrappingKey( request.tenantId, request.targetKeyAlias, - defaultUnmanagedWrappingKeyName + request.masterWrappingKeyAlias, ) } @@ -95,6 +98,10 @@ class CryptoRewrapBusProcessor( logger.info("targetKeyAlias provided for managed IndividualKeyRotationRequest, ignoring.") return } + if (request.masterWrappingKeyAlias != null) { + logger.info("masterWrappingKeyAlias provided for managed IndividualKeyRotationRequest, ignoring.") + return + } if (request.keyUuid.isNullOrEmpty()) { logger.info("keyUuid missing from managed IndividualKeyRotationRequest, ignoring.") return @@ -183,14 +190,14 @@ class CryptoRewrapBusProcessor( stateManager.get( listOf( getKeyRotationStatusRecordKey( - defaultUnmanagedWrappingKeyName, + request.masterWrappingKeyAlias, request.tenantId ) ) ) check(tenantIdWrappingKeysRecords.size == 1) { "Found none or more than 1 ${request.tenantId} record " + - "in the database for new master wrapping key $defaultUnmanagedWrappingKeyName. " + + "in the database for new master wrapping key ${request.masterWrappingKeyAlias}. " + "Found records $tenantIdWrappingKeysRecords." } diff --git a/components/crypto/crypto-service-impl/src/test/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessorTests.kt b/components/crypto/crypto-service-impl/src/test/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessorTests.kt index d67f807ca00..0d08563d587 100644 --- a/components/crypto/crypto-service-impl/src/test/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessorTests.kt +++ b/components/crypto/crypto-service-impl/src/test/kotlin/net/corda/crypto/service/impl/bus/CryptoRewrapBusProcessorTests.kt @@ -48,7 +48,6 @@ class CryptoRewrapBusProcessorTests { companion object { private val tenantId = UUID.randomUUID().toString() - private const val OLD_PARENT_KEY_ALIAS = "alias1" private const val WRAPPING_KEY_ALIAS = "alias" private const val DEFAULT_MASTER_WRAP_KEY_ALIAS = "defaultKeyAlias" } @@ -117,14 +116,12 @@ class CryptoRewrapBusProcessorTests { cryptoService, stateManager, unmanagedCordaAvroSerializationFactory, - DEFAULT_MASTER_WRAP_KEY_ALIAS ) managedCryptoRewrapBusProcessor = CryptoRewrapBusProcessor( cryptoService, stateManager, managedCordaAvroSerializationFactory, - DEFAULT_MASTER_WRAP_KEY_ALIAS ) } @@ -138,6 +135,7 @@ class CryptoRewrapBusProcessorTests { IndividualKeyRotationRequest( UUID.randomUUID().toString(), tenantId, + DEFAULT_MASTER_WRAP_KEY_ALIAS, "alias1", null, KeyType.UNMANAGED @@ -160,6 +158,7 @@ class CryptoRewrapBusProcessorTests { IndividualKeyRotationRequest( UUID.randomUUID().toString(), null, + DEFAULT_MASTER_WRAP_KEY_ALIAS, "alias1", null, KeyType.UNMANAGED @@ -184,6 +183,57 @@ class CryptoRewrapBusProcessorTests { IndividualKeyRotationRequest( UUID.randomUUID().toString(), "", + DEFAULT_MASTER_WRAP_KEY_ALIAS, + "alias1", + null, + KeyType.UNMANAGED + ) + ) + ) + ).isEmpty() + ) + + verify(cryptoService, never()).rewrapWrappingKey(any(), any(), any()) + verify(stateManager, never()).update(any()) + } + + @Test + fun `unmanaged rewrap with null master wrapping key should be ignored`() { + assertTrue( + unmanagedCryptoRewrapBusProcessor.onNext( + listOf( + Record( + "TBC", + UUID.randomUUID().toString(), + IndividualKeyRotationRequest( + UUID.randomUUID().toString(), + tenantId, + null, + "alias1", + null, + KeyType.UNMANAGED + ) + ) + ) + ).isEmpty() + ) + + verify(cryptoService, never()).rewrapWrappingKey(any(), any(), any()) + verify(stateManager, never()).update(any()) + } + + @Test + fun `unmanaged rewrap with empty master wrapping key should be ignored`() { + assertTrue( + unmanagedCryptoRewrapBusProcessor.onNext( + listOf( + Record( + "TBC", + UUID.randomUUID().toString(), + IndividualKeyRotationRequest( + UUID.randomUUID().toString(), + tenantId, + "", "alias1", null, KeyType.UNMANAGED @@ -208,6 +258,7 @@ class CryptoRewrapBusProcessorTests { IndividualKeyRotationRequest( UUID.randomUUID().toString(), tenantId, + DEFAULT_MASTER_WRAP_KEY_ALIAS, null, null, KeyType.UNMANAGED @@ -232,6 +283,7 @@ class CryptoRewrapBusProcessorTests { IndividualKeyRotationRequest( UUID.randomUUID().toString(), tenantId, + DEFAULT_MASTER_WRAP_KEY_ALIAS, "", "", KeyType.UNMANAGED @@ -256,6 +308,7 @@ class CryptoRewrapBusProcessorTests { IndividualKeyRotationRequest( UUID.randomUUID().toString(), tenantId, + DEFAULT_MASTER_WRAP_KEY_ALIAS, "alias1", UUID.randomUUID().toString(), KeyType.UNMANAGED @@ -281,6 +334,7 @@ class CryptoRewrapBusProcessorTests { UUID.randomUUID().toString(), tenantId, null, + null, uuid.toString(), KeyType.MANAGED ) @@ -302,6 +356,7 @@ class CryptoRewrapBusProcessorTests { UUID.randomUUID().toString(), null, null, + null, UUID.randomUUID().toString(), KeyType.MANAGED ) @@ -326,6 +381,32 @@ class CryptoRewrapBusProcessorTests { UUID.randomUUID().toString(), "", null, + null, + UUID.randomUUID().toString(), + KeyType.MANAGED + ) + ) + ) + ).isEmpty() + ) + + verify(cryptoService, never()).rewrapWrappingKey(any(), any(), any()) + verify(stateManager, never()).update(any()) + } + + @Test + fun `managed rewrap with master wrapping key set should be ignored`() { + assertTrue( + managedCryptoRewrapBusProcessor.onNext( + listOf( + Record( + "TBC", + UUID.randomUUID().toString(), + IndividualKeyRotationRequest( + UUID.randomUUID().toString(), + tenantId, + DEFAULT_MASTER_WRAP_KEY_ALIAS, + "alias1", UUID.randomUUID().toString(), KeyType.MANAGED ) @@ -349,6 +430,7 @@ class CryptoRewrapBusProcessorTests { IndividualKeyRotationRequest( UUID.randomUUID().toString(), tenantId, + null, "alias1", UUID.randomUUID().toString(), KeyType.MANAGED @@ -375,6 +457,7 @@ class CryptoRewrapBusProcessorTests { tenantId, null, null, + null, KeyType.MANAGED ) ) @@ -398,6 +481,7 @@ class CryptoRewrapBusProcessorTests { UUID.randomUUID().toString(), tenantId, null, + null, "", KeyType.MANAGED ) @@ -422,6 +506,7 @@ class CryptoRewrapBusProcessorTests { UUID.randomUUID().toString(), tenantId, null, + null, "invalid uuid", KeyType.MANAGED ) @@ -446,6 +531,7 @@ class CryptoRewrapBusProcessorTests { UUID.randomUUID().toString(), tenantId, null, + null, uuid.toString(), KeyType.MANAGED ) diff --git a/processors/crypto-processor/src/main/kotlin/net/corda/processors/crypto/internal/CryptoProcessorImpl.kt b/processors/crypto-processor/src/main/kotlin/net/corda/processors/crypto/internal/CryptoProcessorImpl.kt index 6ee1653f52d..f5e642936f9 100644 --- a/processors/crypto-processor/src/main/kotlin/net/corda/processors/crypto/internal/CryptoProcessorImpl.kt +++ b/processors/crypto-processor/src/main/kotlin/net/corda/processors/crypto/internal/CryptoProcessorImpl.kt @@ -407,7 +407,6 @@ class CryptoProcessorImpl @Activate constructor( messagingConfig, stateManager, cordaAvroSerializationFactory, - defaultUnmanagedWrappingKeyName, cryptoService ) createSessionEncryptionSubscription(coordinator, retryingConfig, cryptoService) @@ -468,14 +467,12 @@ class CryptoProcessorImpl @Activate constructor( messagingConfig: SmartConfig, stateManager: StateManager, cordaAvroSerializationFactory: CordaAvroSerializationFactory, - defaultUnmanagedWrappingKeyName: String, cryptoService: CryptoService ) { val rewrapProcessor = CryptoRewrapBusProcessor( cryptoService, stateManager, cordaAvroSerializationFactory, - defaultUnmanagedWrappingKeyName, ) val rewrapGroupName = "crypto.key.rotation.individual" coordinator.createManagedResource(REWRAP_SUBSCRIPTION) { From 65d3df17141fb0eac45618586971405a21ee3eba Mon Sep 17 00:00:00 2001 From: Anna Paskova Date: Tue, 16 Apr 2024 15:41:36 +0100 Subject: [PATCH 2/4] Update test to show default master wrapping key identifier --- .../corda/crypto/rest/impl/KeyRotationRestResourceTest.kt | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/components/crypto/crypto-rest/src/test/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceTest.kt b/components/crypto/crypto-rest/src/test/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceTest.kt index 33597ccece7..5255b4916e4 100644 --- a/components/crypto/crypto-rest/src/test/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceTest.kt +++ b/components/crypto/crypto-rest/src/test/kotlin/net/corda/crypto/rest/impl/KeyRotationRestResourceTest.kt @@ -8,6 +8,7 @@ import net.corda.configuration.read.ConfigChangedEvent import net.corda.configuration.read.ConfigurationReadService import net.corda.crypto.config.impl.CryptoHSMConfig import net.corda.crypto.config.impl.HSM +import net.corda.crypto.core.KeyRotationMetadataValues import net.corda.crypto.core.KeyRotationStatus import net.corda.crypto.core.MASTER_WRAPPING_KEY_ROTATION_IDENTIFIER import net.corda.crypto.rest.KeyRotationRestResource @@ -99,7 +100,12 @@ class KeyRotationRestResourceTest { "random", "random".toByteArray(), 0, - Metadata(mapOf("status" to "In Progress")) + Metadata( + mapOf( + KeyRotationMetadataValues.STATUS to "In Progress", + KeyRotationMetadataValues.DEFAULT_MASTER_KEY_ALIAS to MASTER_WRAPPING_KEY_ROTATION_IDENTIFIER + ) + ) ) ) } From f36cc3b91c3ae94db8789e8ad140b9310108204b Mon Sep 17 00:00:00 2001 From: Anna Paskova Date: Mon, 22 Apr 2024 11:58:09 +0100 Subject: [PATCH 3/4] Bump version to alpha --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 21edca26a11..871d7d65782 100644 --- a/gradle.properties +++ b/gradle.properties @@ -39,7 +39,7 @@ commonsLangVersion = 3.12.0 commonsTextVersion = 1.10.0 # Corda API libs revision (change in 4th digit indicates a breaking change) # Change to 5.3.0.xx-SNAPSHOT to pick up maven local published copy -cordaApiVersion=5.3.0.11-beta+ +cordaApiVersion=5.3.0.12-alpha-1713782925670 disruptorVersion=3.4.4 felixConfigAdminVersion=1.9.26 From 34ffe419759c3f58baa6c5878babf0f2901a2e23 Mon Sep 17 00:00:00 2001 From: Anna Paskova Date: Mon, 22 Apr 2024 16:31:56 +0100 Subject: [PATCH 4/4] Bump api version to next beta --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 871d7d65782..8738d741411 100644 --- a/gradle.properties +++ b/gradle.properties @@ -39,7 +39,7 @@ commonsLangVersion = 3.12.0 commonsTextVersion = 1.10.0 # Corda API libs revision (change in 4th digit indicates a breaking change) # Change to 5.3.0.xx-SNAPSHOT to pick up maven local published copy -cordaApiVersion=5.3.0.12-alpha-1713782925670 +cordaApiVersion=5.3.0.12-beta+ disruptorVersion=3.4.4 felixConfigAdminVersion=1.9.26