feat(service): use public AES protected key from lib/ocrypto

Update service components to use the newly exposed AESProtectedKey implementation from lib/ocrypto instead of internal implementation.

- Update trust/key_manager.go with type aliases for backward compatibility
- Replace InProcessAESKey usage with ocrypto.NewAESProtectedKey()
- Remove duplicate implementation from security package
- Maintain all existing functionality and interfaces

Author: strantalis

service/internal/security/basic_manager.go

@@ -75,7 +75,7 @@ func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails,
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt with RSA: %w", err)
 		}
-		return NewInProcessAESKey(plaintext), nil
+		return ocrypto.NewAESProtectedKey(plaintext), nil
 	case policy.Algorithm_ALGORITHM_EC_P256.String(), policy.Algorithm_ALGORITHM_EC_P384.String(), policy.Algorithm_ALGORITHM_EC_P521.String():
 		ecPrivKey, err := ocrypto.ECPrivateKeyFromPem(privKey)
 		if err != nil {
@@ -89,7 +89,7 @@ func (b *BasicManager) Decrypt(ctx context.Context, keyDetails trust.KeyDetails,
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt with ephemeral key: %w", err)
 		}
-		return NewInProcessAESKey(plaintext), nil
+		return ocrypto.NewAESProtectedKey(plaintext), nil
 	}
 
 	return nil, fmt.Errorf("unsupported algorithm: %s", keyDetails.Algorithm())
@@ -131,7 +131,7 @@ func (b *BasicManager) DeriveKey(ctx context.Context, keyDetails trust.KeyDetail
 	if err != nil {
 		return nil, fmt.Errorf("failed to calculate HKDF: %w", err)
 	}
-	return NewInProcessAESKey(key), nil
+	return ocrypto.NewAESProtectedKey(key), nil
 }
 
 func (b *BasicManager) GenerateECSessionKey(_ context.Context, ephemeralPublicKey string) (trust.Encapsulator, error) {

service/internal/security/in_process_provider.go

@@ -4,10 +4,7 @@ import (
 	"context"
 	"crypto"
 	"crypto/elliptic"
-	"crypto/hmac"
-	"crypto/sha256"
 	"errors"
-	"fmt"
 	"log/slog"
 
 	"github.com/opentdf/platform/lib/ocrypto"
@@ -17,87 +14,6 @@ import (
 
 const inProcessSystemName = "opentdf.io/in-process"
 
-// InProcessAESKey implements the trust.ProtectedKey interface with an in-memory secret key
-type InProcessAESKey struct {
-	rawKey []byte
-	logger *slog.Logger
-}
-
-var _ trust.ProtectedKey = (*InProcessAESKey)(nil)
-
-// NewInProcessAESKey creates a new instance of StandardUnwrappedKey
-func NewInProcessAESKey(rawKey []byte) *InProcessAESKey {
-	return &InProcessAESKey{
-		rawKey: rawKey,
-		logger: slog.Default(),
-	}
-}
-
-func (k *InProcessAESKey) DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error) {
-	aesGcm, err := ocrypto.NewAESGcm(k.rawKey)
-	if err != nil {
-		return nil, err
-	}
-
-	decryptedData, err := aesGcm.DecryptWithIVAndTagSize(iv, body, tagSize)
-	if err != nil {
-		return nil, err
-	}
-
-	return decryptedData, nil
-}
-
-// Export returns the raw key data, optionally encrypting it with the provided trust.Encapsulator
-func (k *InProcessAESKey) Export(encapsulator trust.Encapsulator) ([]byte, error) {
-	if encapsulator == nil {
-		if k.logger != nil {
-			k.logger.Warn("exporting raw key data without encryption")
-		}
-		return k.rawKey, nil
-	}
-
-	// If an encryptor is provided, encrypt the key data before returning
-	encryptedKey, err := encapsulator.Encrypt(k.rawKey)
-	if err != nil {
-		if k.logger != nil {
-			k.logger.Warn("failed to encrypt key data for export", slog.Any("err", err))
-		}
-		return nil, err
-	}
-
-	return encryptedKey, nil
-}
-
-// VerifyBinding checks if the policy binding matches the given policy data
-func (k *InProcessAESKey) VerifyBinding(ctx context.Context, policy, policyBinding []byte) error {
-	if len(k.rawKey) == 0 {
-		return errors.New("key data is empty")
-	}
-
-	actualHMAC, err := k.generateHMACDigest(ctx, policy)
-	if err != nil {
-		return fmt.Errorf("unable to generate policy hmac: %w", err)
-	}
-
-	if !hmac.Equal(actualHMAC, policyBinding) {
-		return errors.New("policy hmac mismatch")
-	}
-
-	return nil
-}
-
-// generateHMACDigest is a helper to generate an HMAC digest from a message using the key
-func (k *InProcessAESKey) generateHMACDigest(ctx context.Context, msg []byte) ([]byte, error) {
-	mac := hmac.New(sha256.New, k.rawKey)
-	_, err := mac.Write(msg)
-	if err != nil {
-		if k.logger != nil {
-			k.logger.WarnContext(ctx, "failed to compute hmac")
-		}
-		return nil, errors.New("policy hmac")
-	}
-	return mac.Sum(nil), nil
-}
 
 func convertPEMToJWK(_ string) (string, error) {
 	// Implement the conversion logic here or use an external library if available.
@@ -328,16 +244,13 @@ func (a *InProcessProvider) Decrypt(ctx context.Context, keyDetails trust.KeyDet
 		return nil, err
 	}
 
-	return &InProcessAESKey{
-		rawKey: rawKey,
-		logger: a.logger,
-	}, nil
+	return ocrypto.NewAESProtectedKey(rawKey), nil
 }
 
 // DeriveKey generates a symmetric key for NanoTDF
 func (a *InProcessProvider) DeriveKey(_ context.Context, keyDetails trust.KeyDetails, ephemeralPublicKeyBytes []byte, curve elliptic.Curve) (trust.ProtectedKey, error) {
 	k, err := a.cryptoProvider.GenerateNanoTDFSymmetricKey(string(keyDetails.ID()), ephemeralPublicKeyBytes, curve)
-	return NewInProcessAESKey(k), err
+	return ocrypto.NewAESProtectedKey(k), err
 }
 
 // GenerateECSessionKey generates a session key for NanoTDF

service/internal/security/standard_crypto.go

@@ -488,8 +488,5 @@ func (s *StandardCrypto) Decrypt(_ context.Context, keyID trust.KeyIdentifier, c
 		return nil, fmt.Errorf("unsupported key type for key ID [%s]", kid)
 	}
 
-	return &InProcessAESKey{
-		rawKey: rawKey,
-		logger: slog.Default(),
-	}, nil
+	return ocrypto.NewAESProtectedKey(rawKey), nil
 }

service/trust/key_manager.go

@@ -3,31 +3,13 @@ package trust
 import (
 	"context"
 	"crypto/elliptic"
-)
-
-type Encapsulator interface {
-	// Encrypt wraps a secret key with the encapsulation key
-	Encrypt(data []byte) ([]byte, error)
-
-	// PublicKeyInPemFormat Returns public key in pem format, or the empty string if not present
-	PublicKeyInPemFormat() (string, error)
-
-	// For EC schemes, this method returns the public part of the ephemeral key.
-	// Otherwise, it returns nil.
-	EphemeralKey() []byte
-}
-
-// ProtectedKey represents a decrypted key with operations that can be performed on it
-type ProtectedKey interface {
-	// VerifyBinding checks if the policy binding matches the given policy data
-	VerifyBinding(ctx context.Context, policy, binding []byte) error
 
-	// Export returns the raw key data, optionally encrypting it with the provided encryptor
-	Export(encryptor Encapsulator) ([]byte, error)
+	"github.com/opentdf/platform/lib/ocrypto"
+)
 
-	// Used to decrypt encrypted policies and metadata
-	DecryptAESGCM(iv []byte, body []byte, tagSize int) ([]byte, error)
-}
+// Type aliases for backward compatibility - these interfaces are now defined in lib/ocrypto
+type Encapsulator = ocrypto.Encapsulator
+type ProtectedKey = ocrypto.ProtectedKey
 
 // KeyManager combines key lookup functionality with cryptographic operations
 type KeyManager interface {