diff --git a/pkg/kms/webkms/crypto_box.go b/pkg/kms/webkms/crypto_box.go index fb3f7ed4e..1d7e6ef96 100644 --- a/pkg/kms/webkms/crypto_box.go +++ b/pkg/kms/webkms/crypto_box.go @@ -14,6 +14,7 @@ import ( "golang.org/x/crypto/nacl/box" + "github.com/hyperledger/aries-framework-go/pkg/doc/util/jwkkid" "github.com/hyperledger/aries-framework-go/pkg/internal/cryptoutil" "github.com/hyperledger/aries-framework-go/pkg/kms" ) @@ -133,7 +134,11 @@ func (b *CryptoBox) Easy(payload, nonce, theirPub []byte, myKID string) ([]byte, // theirPub is the public key used to decrypt directly, while myPub is used to identify the private key to be used. func (b *CryptoBox) EasyOpen(cipherText, nonce, theirPub, myPub []byte) ([]byte, error) { easyOpenStart := time.Now() - destination := b.km.keystoreURL + unwrapURL + + destination, err := b.buildUnwrapURL(myPub) + if err != nil { + return nil, err + } httpReqJSON := &easyOpenReq{ Ciphertext: cipherText, @@ -213,7 +218,11 @@ func (b *CryptoBox) Seal(payload, theirEncPub []byte, randSource io.Reader) ([]b // and uses that along with the recipient private key corresponding to myPub to decrypt the message. func (b *CryptoBox) SealOpen(cipherText, myPub []byte) ([]byte, error) { sealOpenStart := time.Now() - destination := b.km.keystoreURL + unwrapURL + + destination, err := b.buildUnwrapURL(myPub) + if err != nil { + return nil, err + } httpReqJSON := &sealOpenReq{ Ciphertext: cipherText, @@ -254,3 +263,15 @@ func (b *CryptoBox) SealOpen(cipherText, myPub []byte) ([]byte, error) { return httpResp.Plaintext, nil } + +func (b *CryptoBox) buildUnwrapURL(myPub []byte) (string, error) { + // remote kms requires keyID in the keyURL for unwrapURL. + kid, err := jwkkid.CreateKID(myPub, kms.ED25519Type) + if err != nil { + return "", err + } + + keyURL := b.km.buildKIDURL(kid) + + return keyURL + unwrapURL, nil +} diff --git a/test/bdd/features/didexchange_e2e_sdk.feature b/test/bdd/features/didexchange_e2e_sdk.feature index 5fc8a411e..ad033b30a 100644 --- a/test/bdd/features/didexchange_e2e_sdk.feature +++ b/test/bdd/features/didexchange_e2e_sdk.feature @@ -46,23 +46,22 @@ Feature: Decentralized Identifier(DID) exchange between the agents using SDK Then "Alice" retrieves connection record and validates that connection state is "completed" And "Bob" retrieves connection record and validates that connection state is "completed" - #TODO uncomment below test once KMS server refactors /easy to /wrap URL -# @webkms_didexchange_e2e_sdk -# Scenario: did exchange e2e flow with agents using webkms -# Given "Sudesh" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller -# And "Sudesh" creates did exchange client -# And "Sudesh" registers to receive notification for post state event "completed" -# -# Given "Firas" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:firas" controller -# And "Firas" creates did exchange client -# -# When "Firas" registers to receive notification for post state event "completed" -# And "Sudesh" creates invitation -# And "Firas" receives invitation from "Sudesh" -# And "Firas" approves invitation request -# And "Sudesh" approves did exchange request -# And "Sudesh" waits for post state event "completed" -# And "Firas" waits for post state event "completed" -# -# Then "Sudesh" retrieves connection record and validates that connection state is "completed" -# And "Firas" retrieves connection record and validates that connection state is "completed" + @webkms_didexchange_e2e_sdk + Scenario: did exchange e2e flow with agents using webkms + Given "Sudesh" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller + And "Sudesh" creates did exchange client + And "Sudesh" registers to receive notification for post state event "completed" + + Given "Firas" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:firas" controller + And "Firas" creates did exchange client + + When "Firas" registers to receive notification for post state event "completed" + And "Sudesh" creates invitation + And "Firas" receives invitation from "Sudesh" + And "Firas" approves invitation request + And "Sudesh" approves did exchange request + And "Sudesh" waits for post state event "completed" + And "Firas" waits for post state event "completed" + + Then "Sudesh" retrieves connection record and validates that connection state is "completed" + And "Firas" retrieves connection record and validates that connection state is "completed" diff --git a/test/bdd/features/webkms.feature b/test/bdd/features/webkms.feature index f5bcf7a72..ab57778f8 100644 --- a/test/bdd/features/webkms.feature +++ b/test/bdd/features/webkms.feature @@ -89,32 +89,31 @@ Feature: Decentralized Identifier(DID) exchange between the agents using SDK When "Baha" unwrap wrapped key from "Andrii" with sender key Then "Baha" gets the same CEK as "Andrii" - #TODO uncomment and rename easy with wrap and easyOpen with unwrap when kms server switches easy to wrap and easyOpen to unwrap. -# Scenario: User A anonymously encrypts ("easy") a payload for User B, User B decrypts ("easy open") it -# Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller -# And "Andrii" create and export "ED25519" key -# -# Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller -# And "Baha" create and export "ED25519" key -# -# When "Andrii" easy "test payload" for "Baha" -# Then "Andrii" gets non-empty ciphertext -# -# When "Baha" easyOpen ciphertext from "Andrii" -# Then "Baha" gets plaintext with value "test payload" - # TODO uncomment test and rename sealOpen with unwrap when kms server switches sealOpen with unwrap. -# Scenario: User B decrypts ("seal open") a payload that was encrypted ("seal") by User A -# Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller -# And "Andrii" create and export "ED25519" key -# -# Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller -# And "Baha" create "ED25519" key -# -# When "Baha" has sealed "test payload 2" for "Andrii" -# Then "Baha" gets non-empty ciphertext -# -# When "Andrii" sealOpen ciphertext from "Baha" -# Then "Andrii" gets plaintext with value "test payload 2" + Scenario: User A anonymously encrypts ("easy") a payload for User B, User B decrypts ("easy open") it + Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller + And "Andrii" create and export "ED25519" key + + Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller + And "Baha" create and export "ED25519" key + + When "Andrii" easy "test payload" for "Baha" + Then "Andrii" gets non-empty ciphertext + + When "Baha" easyOpen ciphertext from "Andrii" + Then "Baha" gets plaintext with value "test payload" + + Scenario: User B decrypts ("seal open") a payload that was encrypted ("seal") by User A + Given "Andrii" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller + And "Andrii" create and export "ED25519" key + + Given "Baha" agent is running on "localhost" port "random" with "http" as the transport provider using webkms with key server at "https://localhost:8076" URL, using "did:key:dummy-sample:sudesh" controller + And "Baha" create "ED25519" key + + When "Baha" has sealed "test payload 2" for "Andrii" + Then "Baha" gets non-empty ciphertext + + When "Andrii" sealOpen ciphertext from "Baha" + Then "Andrii" gets plaintext with value "test payload 2" @webkms_interop_localkms Scenario: User A with webkms wraps A256GCM key for User B with localkms, User B successfully unwraps it diff --git a/test/bdd/fixtures/agent-rest/.env b/test/bdd/fixtures/agent-rest/.env index 0f5e46400..77176566b 100644 --- a/test/bdd/fixtures/agent-rest/.env +++ b/test/bdd/fixtures/agent-rest/.env @@ -115,7 +115,7 @@ COUCHDB_PORT=5984 # KMS KMS_REST_IMAGE=ghcr.io/trustbloc-cicd/kms -KMS_REST_TAG=v0.1.8-snapshot-3f3ef05 +KMS_REST_TAG=v0.1.9-snapshot-9389ad5 # Remote JSON-LD context provider configuration CONTEXT_PROVIDER_URL=https://file-server.example.com:9099/agent-startup-contexts.json diff --git a/test/bdd/fixtures/agent-rest/docker-compose.yml b/test/bdd/fixtures/agent-rest/docker-compose.yml index d4c1d1ff7..58881f9ac 100644 --- a/test/bdd/fixtures/agent-rest/docker-compose.yml +++ b/test/bdd/fixtures/agent-rest/docker-compose.yml @@ -313,7 +313,7 @@ services: - KMS_CACHE_EXPIRATION=10m - KMS_SECRET_LOCK_TYPE=local - KMS_SECRET_LOCK_KEY_PATH=/etc/tls/secret-lock.key - - KMS_ZCAP_ENABLE=false + - KMS_AUTH_DISABLE=true - KMS_LOG_LEVEL=debug ports: - 8076:8076