updates

Author: dmihalcik-virtru

sdk/tdf.go

@@ -1164,9 +1164,8 @@ func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.Unsigned
 					Hash:      hash,
 					Algorithm: alg,
 				},
-				SplitId:            kao.SplitID,
-				WrappedKey:         key,
-				EphemeralPublicKey: kao.EphemeralPublicKey,
+				SplitId:    kao.SplitID,
+				WrappedKey: key,
 			},
 		}
 		if req, ok := kasReqs[kao.KasURL]; ok {

sdk/tdf_test.go

@@ -4,14 +4,11 @@ import (
 	"archive/zip"
 	"bytes"
 	"context"
-	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
-	"crypto/x509"
 	"encoding/hex"
 	"encoding/json"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
@@ -2320,32 +2317,6 @@ func (f *FakeKas) getRewrapResponse(rewrapRequest string) *kaspb.RewrapResponse
 			var entityWrappedKey []byte
 			switch kaoReq.GetKeyAccessObject().GetKeyType() {
 			case "ec-wrapped":
-				// Get the ephemeral public key in PEM format
-				ephemeralPubKeyPEM := kaoReq.GetKeyAccessObject().GetEphemeralPublicKey()
-
-				// Get EC key size and convert to mode
-				keySize, err := ocrypto.GetECKeySize([]byte(ephemeralPubKeyPEM))
-				f.s.Require().NoError(err, "failed to get EC key size")
-
-				mode, err := ocrypto.ECSizeToMode(keySize)
-				f.s.Require().NoError(err, "failed to convert key size to mode")
-
-				// Parse the PEM public key
-				block, _ := pem.Decode([]byte(ephemeralPubKeyPEM))
-				f.s.Require().NoError(err, "failed to decode PEM block")
-
-				pub, err := x509.ParsePKIXPublicKey(block.Bytes)
-				f.s.Require().NoError(err, "failed to parse public key")
-
-				ecPub, ok := pub.(*ecdsa.PublicKey)
-				if !ok {
-					f.s.Require().Error(err, "not an EC public key")
-				}
-
-				// Compress the public key
-				compressedKey, err := ocrypto.CompressedECPublicKey(mode, *ecPub)
-				f.s.Require().NoError(err, "failed to compress public key")
-
 				kasPrivateKey := strings.ReplaceAll(f.privateKey, "\n\t", "\n")
 				if kao.GetKid() != "" && kao.GetKid() != f.KID {
 					// old kid
@@ -2360,7 +2331,7 @@ func (f *FakeKas) getRewrapResponse(rewrapRequest string) *kaspb.RewrapResponse
 				ed, err := ocrypto.NewSaltedECDecryptor(privateKey, tdfSalt(), nil)
 				f.s.Require().NoError(err, "failed to create EC decryptor")
 
-				symmetricKey, err := ed.DecryptWithEphemeralKey(wrappedKey, compressedKey)
+				symmetricKey, err := ed.Decrypt(wrappedKey)
 				f.s.Require().NoError(err, "failed to decrypt")
 
 				asymEncrypt, err := ocrypto.FromPublicPEMWithSalt(bodyData.GetClientPublicKey(), tdfSalt(), nil)

service/internal/security/basic_manager.go

@@ -50,7 +50,7 @@ func (b *BasicManager) Name() string {
 	return BasicManagerName
 }
 
-func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (trust.ProtectedKey, error) {
+func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte) (trust.ProtectedKey, error) {
 	// Implementation of Decrypt method
 
 	// Get Private Key
@@ -85,7 +85,7 @@ func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails,
 		if err != nil {
 			return nil, fmt.Errorf("failed to create ECDecryptor: %w", err)
 		}
-		plaintext, err := ecDecryptor.DecryptWithEphemeralKey(ciphertext, ephemeralPublicKey)
+		plaintext, err := ecDecryptor.Decrypt(ciphertext)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt with ephemeral key: %w", err)
 		}

service/internal/security/basic_manager_test.go

@@ -294,7 +294,7 @@ func TestBasicManager_Decrypt(t *testing.T) {
 		ciphertext, err := rsaEncryptor.Encrypt(samplePayload)
 		require.NoError(t, err)
 
-		protectedKey, err := bm.Decrypt(t.Context(), mockDetails, ciphertext, nil)
+		protectedKey, err := bm.Decrypt(t.Context(), mockDetails, ciphertext)
 		require.NoError(t, err)
 		require.NotNil(t, protectedKey)
 
@@ -318,9 +318,8 @@ func TestBasicManager_Decrypt(t *testing.T) {
 		require.NoError(t, err)
 		ciphertext, err := ecEncryptor.Encrypt(samplePayload)
 		require.NoError(t, err)
-		ephemeralPublicKey := ecEncryptor.EphemeralKey()
 
-		protectedKey, err := bm.Decrypt(t.Context(), mockDetails, ciphertext, ephemeralPublicKey)
+		protectedKey, err := bm.Decrypt(t.Context(), mockDetails, ciphertext)
 		require.NoError(t, err)
 		require.NotNil(t, protectedKey)
 
@@ -334,7 +333,7 @@ func TestBasicManager_Decrypt(t *testing.T) {
 		mockDetails.On("ID").Return(trust.KeyIdentifier("fail-export"))
 		mockDetails.On("ExportPrivateKey").Return(nil, errors.New("export failed"))
 
-		_, err := bm.Decrypt(t.Context(), mockDetails, []byte("ct"), nil)
+		_, err := bm.Decrypt(t.Context(), mockDetails, []byte("ct"))
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "failed to get private key")
 	})
@@ -351,7 +350,7 @@ func TestBasicManager_Decrypt(t *testing.T) {
 		mockDetails.On("Algorithm").Return(mockDetails.MAlgorithm)
 		mockDetails.On("ExportPrivateKey").Return(&trust.PrivateKey{WrappingKeyID: trust.KeyIdentifier(mockDetails.MPrivateKey.GetKeyId()), WrappedKey: mockDetails.MPrivateKey.GetWrappedKey()}, nil)
 
-		_, err = bm.Decrypt(t.Context(), mockDetails, []byte("ct"), nil)
+		_, err = bm.Decrypt(t.Context(), mockDetails, []byte("ct"))
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "failed to unwrap private key")
 	})
@@ -366,7 +365,7 @@ func TestBasicManager_Decrypt(t *testing.T) {
 		mockDetails.On("ID").Return(trust.KeyIdentifier(mockDetails.MID))
 		mockDetails.On("Algorithm").Return(mockDetails.MAlgorithm)
 		mockDetails.On("ExportPrivateKey").Return(&trust.PrivateKey{WrappingKeyID: trust.KeyIdentifier(mockDetails.MPrivateKey.GetKeyId()), WrappedKey: mockDetails.MPrivateKey.GetWrappedKey()}, nil) // Ensure this mock is correctly set up
-		_, err = bm.Decrypt(t.Context(), mockDetails, []byte("ct"), nil)
+		_, err = bm.Decrypt(t.Context(), mockDetails, []byte("ct"))
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "failed to create decryptor from private PEM")
 	})
@@ -380,7 +379,7 @@ func TestBasicManager_Decrypt(t *testing.T) {
 		mockDetails.On("ID").Return(trust.KeyIdentifier(mockDetails.MID))
 		mockDetails.On("Algorithm").Return(mockDetails.MAlgorithm)                                                                                                                                     // Corrected: require.NoError
 		mockDetails.On("ExportPrivateKey").Return(&trust.PrivateKey{WrappingKeyID: trust.KeyIdentifier(mockDetails.MPrivateKey.GetKeyId()), WrappedKey: mockDetails.MPrivateKey.GetWrappedKey()}, nil) // Ensure this mock is correctly set up
-		_, err = bm.Decrypt(t.Context(), mockDetails, []byte("ct"), nil)
+		_, err = bm.Decrypt(t.Context(), mockDetails, []byte("ct"))
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "unsupported algorithm: unknown-algo")
 	})
@@ -479,9 +478,6 @@ func TestBasicManager_GenerateECSessionKey(t *testing.T) {
 		require.NoError(t, err)
 		require.NotNil(t, encapsulator)
 
-		ephemKey := encapsulator.EphemeralKey()
-		assert.NotEmpty(t, ephemKey, "Ephemeral key should be generated")
-
 		sampleData := []byte("test data for encapsulation")
 		encryptedData, err := encapsulator.Encrypt(sampleData)
 		require.NoError(t, err)

service/internal/security/in_process_provider.go

@@ -297,7 +297,7 @@ func (a *InProcessProvider) ListKeys(ctx context.Context) ([]trust.KeyDetails, e
 }
 
 // Decrypt implements the unified decryption method for both RSA and EC
-func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte, ephemeralPublicKey []byte) (trust.ProtectedKey, error) {
+func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDetails, ciphertext []byte) (trust.ProtectedKey, error) {
 	kid := string(keyDetails.ID())
 
 	// Try to determine the key type
@@ -309,16 +309,10 @@ func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDet
 	var rawKey []byte
 	switch keyType {
 	case AlgorithmRSA2048:
-		if len(ephemeralPublicKey) > 0 {
-			return nil, errors.New("ephemeral public key should not be provided for RSA decryption")
-		}
 		rawKey, err = a.cryptoProvider.RSADecrypt(crypto.SHA1, kid, "", ciphertext)
 
 	case AlgorithmECP256R1:
-		if len(ephemeralPublicKey) == 0 {
-			return nil, errors.New("ephemeral public key is required for EC decryption")
-		}
-		rawKey, err = a.cryptoProvider.ECDecrypt(ctx, kid, ephemeralPublicKey, ciphertext)
+		rawKey, err = a.cryptoProvider.ECDecrypt(ctx, kid, ciphertext)
 
 	default:
 		return nil, errors.New("unsupported key algorithm")

service/internal/security/standard_crypto.go

@@ -430,7 +430,7 @@ func NanoVersionSalt() []byte {
 }
 
 // ECDecrypt uses hybrid ECIES to decrypt the data.
-func (s *StandardCrypto) ECDecrypt(keyID string, ciphertext []byte) ([]byte, error) {
+func (s *StandardCrypto) ECDecrypt(_ context.Context, keyID string, ciphertext []byte) ([]byte, error) {
 	ska, ok := s.keysByID[keyID]
 	if !ok {
 		return nil, fmt.Errorf("key [%s] not found", keyID)
@@ -452,7 +452,7 @@ func (s *StandardCrypto) ECDecrypt(keyID string, ciphertext []byte) ([]byte, err
 	if err != nil {
 		return nil, err
 	}
-	return unwrappedKey.Export(nil)
+	return ed.Decrypt(ciphertext)
 }
 
 // Decrypt implements the SecurityProvider Decrypt method

service/kas/access/keyaccess.go

@@ -1,15 +1,14 @@
 package access
 
 type KeyAccess struct {
-	EncryptedMetadata  string      `json:"encryptedMetadata,omitempty"`
-	PolicyBinding      interface{} `json:"policyBinding,omitempty"`
-	Protocol           string      `json:"protocol"`
-	Type               string      `json:"type"`
-	URL                string      `json:"url"`
-	KID                string      `json:"kid,omitempty"`
-	SID                string      `json:"sid,omitempty"`
-	WrappedKey         []byte      `json:"wrappedKey,omitempty"`
-	Header             []byte      `json:"header,omitempty"`
-	Algorithm          string      `json:"algorithm,omitempty"`
-	EphemeralPublicKey string      `json:"ephemeralPublicKey,omitempty"`
+	EncryptedMetadata string      `json:"encryptedMetadata,omitempty"`
+	PolicyBinding     interface{} `json:"policyBinding,omitempty"`
+	Protocol          string      `json:"protocol"`
+	Type              string      `json:"type"`
+	URL               string      `json:"url"`
+	KID               string      `json:"kid,omitempty"`
+	SID               string      `json:"sid,omitempty"`
+	WrappedKey        []byte      `json:"wrappedKey,omitempty"`
+	Header            []byte      `json:"header,omitempty"`
+	Algorithm         string      `json:"algorithm,omitempty"`
 }

service/kas/access/publicKey_test.go

@@ -126,7 +126,7 @@ func (m *MockSecurityProvider) ListKeys(_ context.Context) ([]trust.KeyDetails,
 	return keys, nil
 }
 
-func (m *MockSecurityProvider) Decrypt(_ context.Context, _ trust.KeyDetails, _, _ []byte) (trust.ProtectedKey, error) {
+func (m *MockSecurityProvider) Decrypt(_ context.Context, _ trust.KeyDetails, _ []byte) (trust.ProtectedKey, error) {
 	return nil, errors.New("not implemented for tests")
 }
 

service/kas/access/rewrap.go

@@ -164,16 +164,15 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error
 				{
 					KeyAccessObjectId: "kao-0",
 					KeyAccessObject: &kaspb.KeyAccess{
-						EncryptedMetadata:  kao.EncryptedMetadata,
-						PolicyBinding:      &kaspb.PolicyBinding{Hash: binding, Algorithm: kao.Algorithm},
-						Protocol:           kao.Protocol,
-						KeyType:            kao.Type,
-						KasUrl:             kao.URL,
-						Kid:                kao.KID,
-						SplitId:            kao.SID,
-						WrappedKey:         kao.WrappedKey,
-						Header:             kao.Header,
-						EphemeralPublicKey: kao.EphemeralPublicKey,
+						EncryptedMetadata: kao.EncryptedMetadata,
+						PolicyBinding:     &kaspb.PolicyBinding{Hash: binding, Algorithm: kao.Algorithm},
+						Protocol:          kao.Protocol,
+						KeyType:           kao.Type,
+						KasUrl:            kao.URL,
+						Kid:               kao.KID,
+						SplitId:           kao.SID,
+						WrappedKey:        kao.WrappedKey,
+						Header:            kao.Header,
 					},
 				},
 			},
@@ -490,34 +489,8 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.Unsigned
 				continue
 			}
 
-			pub, err := x509.ParsePKIXPublicKey(block.Bytes)
-			if err != nil {
-				p.Logger.WarnContext(ctx,
-					"failed to parse public key",
-					slog.Any("kao", kao),
-					slog.Any("error", err),
-				)
-				failedKAORewrap(results, kao, err400("bad request"))
-				continue
-			}
-
-			ecPub, ok := pub.(*ecdsa.PublicKey)
-			if !ok {
-				p.Logger.WarnContext(ctx, "not an EC public key", slog.Any("error", err))
-				failedKAORewrap(results, kao, err400("bad request"))
-				continue
-			}
-
-			// Compress the public key
-			compressedKey, err := ocrypto.CompressedECPublicKey(mode, *ecPub)
-			if err != nil {
-				p.Logger.WarnContext(ctx, "failed to compress public key", slog.Any("error", err))
-				failedKAORewrap(results, kao, err400("bad request"))
-				continue
-			}
-
 			kid := trust.KeyIdentifier(kao.GetKeyAccessObject().GetKid())
-			dek, err = p.KeyDelegator.Decrypt(ctx, kid, kao.GetKeyAccessObject().GetWrappedKey(), compressedKey)
+			dek, err = p.KeyDelegator.Decrypt(ctx, kid, kao.GetKeyAccessObject().GetWrappedKey())
 			if err != nil {
 				p.Logger.WarnContext(ctx, "failed to decrypt EC key", slog.Any("error", err))
 				failedKAORewrap(results, kao, err400("bad request"))
@@ -537,13 +510,13 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.Unsigned
 				}
 			}
 
-			dek, err = p.KeyDelegator.Decrypt(ctx, kidsToCheck[0], kao.GetKeyAccessObject().GetWrappedKey(), nil)
+			dek, err = p.KeyDelegator.Decrypt(ctx, kidsToCheck[0], kao.GetKeyAccessObject().GetWrappedKey())
 			for _, kid := range kidsToCheck[1:] {
 				p.Logger.WarnContext(ctx, "continue paging through legacy KIDs for kid free kao", slog.Any("error", err))
 				if err == nil {
 					break
 				}
-				dek, err = p.KeyDelegator.Decrypt(ctx, kid, kao.GetKeyAccessObject().GetWrappedKey(), nil)
+				dek, err = p.KeyDelegator.Decrypt(ctx, kid, kao.GetKeyAccessObject().GetWrappedKey())
 			}
 		}
 		if err != nil {
@@ -730,7 +703,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.UnsignedRew
 			}
 
 			// Use the Export method with the asymEncrypt encryptor
-			encryptedKey, err := kaoRes.DEK.Export(asymEncrypt)
+			rewrappedKey, err := kaoRes.DEK.Export(asymEncrypt)
 			if err != nil {
 				//nolint:sloglint // reference to camelcase key is intentional
 				p.Logger.WarnContext(ctx, "rewrap: Export with encryptor failed", slog.String("clientPublicKey", clientPublicKey), slog.Any("error", err))

service/trust/delegating_key_service.go

@@ -83,7 +83,7 @@ func (d *DelegatingKeyService) Name() string {
 	return "DelegatingKeyService"
 }
 
-func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier, ciphertext []byte, ephemeralPublicKey []byte) (ProtectedKey, error) {
+func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier, ciphertext []byte) (ProtectedKey, error) {
 	keyDetails, err := d.index.FindKeyByID(ctx, keyID)
 	if err != nil {
 		return nil, fmt.Errorf("unable to find key by ID '%s': %w", keyID, err)
@@ -94,7 +94,7 @@ func (d *DelegatingKeyService) Decrypt(ctx context.Context, keyID KeyIdentifier,
 		return nil, fmt.Errorf("unable to get key manager for system '%s': %w", keyDetails.System(), err)
 	}
 
-	return manager.Decrypt(ctx, keyDetails, ciphertext, ephemeralPublicKey)
+	return manager.Decrypt(ctx, keyDetails, ciphertext)
 }
 
 func (d *DelegatingKeyService) DeriveKey(ctx context.Context, keyID KeyIdentifier, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (ProtectedKey, error) {