fix(service): eccertid

arkavo-org · May 11, 2024 · c744a88 · c744a88
1 parent ff6d12a
commit c744a88
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 16 deletions.
diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go
@@ -13,7 +13,7 @@ const (
 	ErrNanoTdfRead = Error("nanotdf read error")
 )
 
-type nanoTdf struct {
+type NanoTdf struct {
 	magicNumber        [3]byte
 	kasUrl             *resourceLocator
 	binding            *bindingCfg
@@ -166,8 +166,8 @@ func readEphemeralPublicKey(reader io.Reader, curve ocrypto.ECCMode) (*eccKey, e
 	return &eccKey{Key: buffer}, nil
 }
 
-func ReadNanoTDFHeader(reader io.Reader) (*nanoTdf, error) {
-	var nanoTDF nanoTdf
+func ReadNanoTDFHeader(reader io.Reader) (*NanoTdf, error) {
+	var nanoTDF NanoTdf
 
 	if err := binary.Read(reader, binary.BigEndian, &nanoTDF.magicNumber); err != nil {
 		return nil, errors.Join(ErrNanoTdfRead, err)

diff --git a/sdk/nanotdf_test.go b/sdk/nanotdf_test.go
@@ -9,8 +9,8 @@ import (
 	"github.com/arkavo-org/opentdf-platform/lib/ocrypto"
 )
 
-// nanotdfEqual compares two nanoTdf structures for equality.
-func nanoTDFEqual(a, b *nanoTdf) bool {
+// nanotdfEqual compares two NanoTdf structures for equality.
+func nanoTDFEqual(a, b *NanoTdf) bool {
 	// Compare magicNumber field
 	if a.magicNumber != b.magicNumber {
 		return false
@@ -95,7 +95,7 @@ func init() {
 
 func TestReadNanoTDFHeader(t *testing.T) {
 	// Prepare a sample nanoTdf structure
-	nanoTDF := nanoTdf{
+	nanoTDF := NanoTdf{
 		magicNumber: [3]byte{'L', '1', 'L'},
 		kasUrl: &resourceLocator{
 			protocol:   urlProtocolHttps,

diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go
@@ -148,13 +148,18 @@ func (s StandardCrypto) RSAPublicKey(keyID string) (string, error) {
 	return pem, nil
 }
 
-func (s StandardCrypto) ECCertificate(string) (string, error) {
+func (s StandardCrypto) ECCertificate(identifier string) (string, error) {
 	if len(s.ecKeys) == 0 {
 		return "", ErrCertNotFound
 	}
 	// this endpoint returns certificate
-	ecKey := s.ecKeys[0]
-	return ecKey.ecCertificatePEM, nil
+	for _, ecKey := range s.ecKeys {
+		slog.Debug("ecKey", "id", ecKey.Identifier)
+		if ecKey.Identifier == identifier {
+			return ecKey.ecCertificatePEM, nil
+		}
+	}
+	return "", fmt.Errorf("no EC Key found with the given identifier: %s", identifier)
 }
 
 func (s StandardCrypto) ECPublicKey(string) (string, error) {

diff --git a/service/kas/access/provider.go b/service/kas/access/provider.go
@@ -6,6 +6,7 @@ import (
 	kaspb "github.com/arkavo-org/opentdf-platform/protocol/go/kas"
 	otdf "github.com/arkavo-org/opentdf-platform/sdk"
 	"github.com/arkavo-org/opentdf-platform/service/internal/security"
+	"github.com/arkavo-org/opentdf-platform/service/pkg/serviceregistry"
 	"github.com/coreos/go-oidc/v3/oidc"
 )
 
@@ -21,4 +22,5 @@ type Provider struct {
 	AttributeSvc   *url.URL
 	CryptoProvider security.CryptoProvider
 	OIDCVerifier   *oidc.IDTokenVerifier
+	Config         *serviceregistry.ServiceConfig
 }
diff --git a/service/kas/access/publicKey.go b/service/kas/access/publicKey.go
@@ -29,7 +29,12 @@ func (p *Provider) LegacyPublicKey(ctx context.Context, in *kaspb.LegacyPublicKe
 		return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error"))
 	}
 	if algorithm == algorithmEc256 {
-		cert, err = p.CryptoProvider.ECCertificate("unknown")
+		ecCertIDInf := p.Config.ExtraProps["eccertid"]
+		ecCertID, ok := ecCertIDInf.(string)
+		if !ok {
+			return nil, errors.New("services.kas.eccertid is not a string")
+		}
+		cert, err = p.CryptoProvider.ECCertificate(ecCertID)
 		if err != nil {
 			slog.ErrorContext(ctx, "CryptoProvider.ECPublicKey failed", "err", err)
 			return nil, errors.Join(ErrConfig, status.Error(codes.Internal, "configuration error"))

diff --git a/service/kas/kas.go b/service/kas/kas.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net/url"
-	"strings"
 
 	kaspb "github.com/arkavo-org/opentdf-platform/protocol/go/kas"
 	"github.com/arkavo-org/opentdf-platform/service/kas/access"
@@ -17,12 +16,8 @@ func NewRegistration() serviceregistry.Registration {
 		Namespace:   "kas",
 		ServiceDesc: &kaspb.AccessService_ServiceDesc,
 		RegisterFunc: func(srp serviceregistry.RegistrationParams) (any, serviceregistry.HandlerServer) {
-			// FIXME msg="mismatched key access url" keyAccessURL=http://localhost:9000 kasURL=https://:9000
 			hostWithPort := srp.OTDF.HTTPServer.Addr
-			if strings.HasPrefix(hostWithPort, ":") {
-				hostWithPort = "localhost" + hostWithPort
-			}
-			kasURLString := "http://" + hostWithPort
+			kasURLString := "https://" + hostWithPort
 			kasURI, err := url.Parse(kasURLString)
 			if err != nil {
 				panic(fmt.Errorf("invalid kas address [%s] %w", kasURLString, err))
@@ -33,6 +28,7 @@ func NewRegistration() serviceregistry.Registration {
 				AttributeSvc:   nil,
 				CryptoProvider: srp.OTDF.CryptoProvider,
 				SDK:            srp.SDK,
+				Config:         &srp.Config,
 			}
 			return &p, func(ctx context.Context, mux *runtime.ServeMux, server any) error {
 				kas, ok := server.(*access.Provider)