From 00c554762d3100a1f4eee1b265eaee8394ac9597 Mon Sep 17 00:00:00 2001
From: David Mihalcik <dmihalcik@virtru.com>
Date: Tue, 25 Feb 2025 13:32:20 -0500
Subject: [PATCH] fix(core): Fixes protoJSON parse bug on ec rewrap

- protoJSON encodes/decodes `bytes` types as base64 for us. So good for the wrapped key (ciphertext value), but bad or at least not right for PEM encoded string values.
---
 docs/grpc/index.html         |   5 +++--
 protocol/go/kas/kas.pb.go    |  11 ++++++-----
 sample.tdf                   | Bin 0 -> 1529 bytes
 sdk/tdf.go                   |   2 +-
 service/kas/access/rewrap.go |   6 +++---
 service/kas/kas.proto        |   5 +++--
 6 files changed, 16 insertions(+), 13 deletions(-)
 create mode 100644 sample.tdf

diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index 99bd9b661b..bffbf1f5d3 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -3559,9 +3559,10 @@ <h3 id="kas.KeyAccess">KeyAccess</h3>
               
                 <tr>
                   <td>ephemeral_public_key</td>
-                  <td><a href="#bytes">bytes</a></td>
+                  <td><a href="#string">string</a></td>
                   <td></td>
-                  <td><p>For wrapping with an ECDH derived key, when type=ec-wrapped </p></td>
+                  <td><p>For wrapping with an ECDH derived key, when type=ec-wrapped.
+Should be a PEM-encoded PKCS#8 (asn.1) value. </p></td>
                 </tr>
               
             </tbody>
diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go
index c1052bf362..cd41a7c299 100644
--- a/protocol/go/kas/kas.pb.go
+++ b/protocol/go/kas/kas.pb.go
@@ -227,8 +227,9 @@ type KeyAccess struct {
 	WrappedKey        []byte         `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"`
 	// header is only used for NanoTDFs
 	Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"`
-	// For wrapping with an ECDH derived key, when type=ec-wrapped
-	EphemeralPublicKey []byte `protobuf:"bytes,10,opt,name=ephemeral_public_key,json=ephemeralPublicKey,proto3" json:"ephemeral_public_key,omitempty"`
+	// For wrapping with an ECDH derived key, when type=ec-wrapped.
+	// Should be a PEM-encoded PKCS#8 (asn.1) value.
+	EphemeralPublicKey string `protobuf:"bytes,10,opt,name=ephemeral_public_key,json=ephemeralPublicKey,proto3" json:"ephemeral_public_key,omitempty"`
 }
 
 func (x *KeyAccess) Reset() {
@@ -326,11 +327,11 @@ func (x *KeyAccess) GetHeader() []byte {
 	return nil
 }
 
-func (x *KeyAccess) GetEphemeralPublicKey() []byte {
+func (x *KeyAccess) GetEphemeralPublicKey() string {
 	if x != nil {
 		return x.EphemeralPublicKey
 	}
-	return nil
+	return ""
 }
 
 type UnsignedRewrapRequest struct {
@@ -1051,7 +1052,7 @@ var file_kas_kas_proto_rawDesc = []byte{
 	0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65,
 	0x61, 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64,
 	0x65, 0x72, 0x12, 0x30, 0x0a, 0x14, 0x65, 0x70, 0x68, 0x65, 0x6d, 0x65, 0x72, 0x61, 0x6c, 0x5f,
-	0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0c,
+	0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x12, 0x65, 0x70, 0x68, 0x65, 0x6d, 0x65, 0x72, 0x61, 0x6c, 0x50, 0x75, 0x62, 0x6c, 0x69,
 	0x63, 0x4b, 0x65, 0x79, 0x22, 0x86, 0x05, 0x0a, 0x15, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65,
 	0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2a,
diff --git a/sample.tdf b/sample.tdf
new file mode 100644
index 0000000000000000000000000000000000000000..556f6c0adc6ade1e978ee9dbffc5741ce5a260b6
GIT binary patch
literal 1529
zcmZ`(y^rHW6c5K89HO8@NHmM-ZZ{j-n`AdZE8$JDUMCwTvEw-Q?G=tai6`+Fo^cZU
zv>gr5@lPPylPGCuDCw`^8YEf}2+{GJEV;df8_SyU^PBhad++`Foj30n3l9s0!uMaN
zJZ!u54xHG-$V$D?a{hj-eZ&~g{&@Cz@+kgz`9b}g7vKK!>GOLpzWPl-?|!NL_<rrz
z=bwG}-QLf?|JCoj{qT!Fe=rZgK>qe$>*BqQ3*QRx6cKtjCt>iEL4h5o5yfF31=BG0
zt^CN;pE5L!5L0JJ<YCGjFj44XI|Tts+nl3&3uzu=dFXn*robD#M$NhG$|}3=>LdSB
zZ<WotKu!I8(G>?PnU~h4sI4Wu!iHa4AXTb@orN)0+`(93ZQsMrSn=#ss!oCtnKV||
z6ur#mM^u_eiKDN{bj+SY91D~Rwv7m3>W_CpBD=VXttdhcXe6-*VY-w?^-{?TZOd~*
zLhC2&37h8;hcvXqTxDSq5Zqkspgg&yp0Y`DOd2#UpBZP3PFnFi&ft_Fk`y6cQQV%C
zYQ)T}c@||$Wh&|<8_l}fnmC+zo)UG?9BAUcqVjERNM^ai4RB{TaBwiofwer?m<yG!
zRN=R45f?s<Y{7S%2H(v9$IRyBrpC%mfis3iMIJf}Ba_O;u$9W9xsb(k-)w3rpvuX9
z+wJLq<h+edzk6h40xxGmYUph&uTD>yYk&+p-~n;qjo2>otr3dJrpgR=m}7z>kfPY~
z`pE>UyoI8eud|jY$$Ne6>{4p%by~(ocolTd7pvCFxafqYl+D?OFfgQ>b5j`D&B07)
zEiOw^N$E|L<*~vhYT#9LPFYu5_=4c8AR{yG$gwA+*FG|vN6S{PZI71~x94(vwIS8C
zpc;k!Oq0?JB_o5W?dXGbW#64bPFKMujF#N|Z)D8%lLN*_)D0o$4c1|dsp|s(LQ5?I
z=0&m5g`DvcMEOos8Y9cMCLXjqjS~cj;eetU+)MAwL>z`x#k0VoNetR|Ye{fk*%7`p
zhP6qwN_!qzjX9-_LX$NS+xN6!d0Cq6R~*l(so_N0l!u_1j{<rDjUa4VL+lETyjEMe
ziZj$iQ!DW(Q|H;*F<0TCWZSVtj`}*S6Lx1}J1aMxW)6~$Mr^%@=9aA_oFtdhTHYx;
z_1q&<=c@njg{haz*H5kir5m!kMHVrdq8LI$U~D^vJ4yq|t<lSH1OgxXXt<>r7+&bS
z4f&Kpn<82yo3elwCar&y-4*C=AD0i0pp&n2F8oAKAN_Q{P{`kY=Z$;C!b`%v&67Fd
mzPfg?-o19)WKN<lmkmeu@D)n!cOJZzE8K&J!X7@zzy1Lqs@k^z

literal 0
HcmV?d00001

diff --git a/sdk/tdf.go b/sdk/tdf.go
index 08be44591e..87d853a46f 100644
--- a/sdk/tdf.go
+++ b/sdk/tdf.go
@@ -975,7 +975,7 @@ func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.Unsigned
 				},
 				SplitId:            kao.SplitID,
 				WrappedKey:         key,
-				EphemeralPublicKey: []byte(kao.EphemeralPublicKey),
+				EphemeralPublicKey: kao.EphemeralPublicKey,
 			},
 		}
 		if req, ok := kasReqs[kao.KasURL]; ok {
diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go
index 195872012b..7b7fd2e9d3 100644
--- a/service/kas/access/rewrap.go
+++ b/service/kas/access/rewrap.go
@@ -170,7 +170,7 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error
 						SplitId:            kao.SID,
 						WrappedKey:         kao.WrappedKey,
 						Header:             kao.Header,
-						EphemeralPublicKey: []byte(kao.EphemeralPublicKey),
+						EphemeralPublicKey: kao.EphemeralPublicKey,
 					},
 				},
 			},
@@ -467,7 +467,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.Unsigned
 			ephemeralPubKeyPEM := kao.GetKeyAccessObject().GetEphemeralPublicKey()
 
 			// Get EC key size and convert to mode
-			keySize, err := ocrypto.GetECKeySize(ephemeralPubKeyPEM)
+			keySize, err := ocrypto.GetECKeySize([]byte(ephemeralPubKeyPEM))
 			if err != nil {
 				return nil, results, fmt.Errorf("failed to get EC key size: %w", err)
 			}
@@ -478,7 +478,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.Unsigned
 			}
 
 			// Parse the PEM public key
-			block, _ := pem.Decode(ephemeralPubKeyPEM)
+			block, _ := pem.Decode([]byte(ephemeralPubKeyPEM))
 			if block == nil {
 				return nil, results, fmt.Errorf("failed to decode PEM block")
 			}
diff --git a/service/kas/kas.proto b/service/kas/kas.proto
index 79642387d7..72b8913e7f 100644
--- a/service/kas/kas.proto
+++ b/service/kas/kas.proto
@@ -48,8 +48,9 @@ message KeyAccess {
   // header is only used for NanoTDFs
   bytes header = 9;
 
-  // For wrapping with an ECDH derived key, when type=ec-wrapped
-  bytes ephemeral_public_key = 10;
+  // For wrapping with an ECDH derived key, when type=ec-wrapped.
+  // Should be a PEM-encoded PKCS#8 (asn.1) value.
+  string ephemeral_public_key = 10;
 }
 
 message UnsignedRewrapRequest {