add encryption caps, expand keystore to alias storage :(

moar cleanup

cryptography/src/main/java/com/salesforce/apollo/cryptography/EdDSAOperations.java

@@ -72,7 +72,7 @@ public EdDSAOperations(SignatureAlgorithm signatureAlgorithm) {
         }
     }
 
-    private static void reverse(byte[] arr) {
+    public static void reverse(byte[] arr) {
         var i = 0;
         var j = arr.length - 1;
 
@@ -83,7 +83,7 @@ private static void reverse(byte[] arr) {
         }
     }
 
-    private static void swap(byte[] arr, int i, int j) {
+    public static void swap(byte[] arr, int i, int j) {
         var tmp = arr[i];
         arr[i] = arr[j];
         arr[j] = tmp;

cryptography/src/main/java/com/salesforce/apollo/cryptography/EncryptionAlgorithm.java

@@ -0,0 +1,116 @@
+package com.salesforce.apollo.cryptography;
+
+import java.math.BigInteger;
+import java.security.*;
+import java.security.interfaces.EdECPrivateKey;
+import java.security.interfaces.EdECPublicKey;
+import java.security.interfaces.XECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.NamedParameterSpec;
+import java.security.spec.XECPublicKeySpec;
+
+public enum EncryptionAlgorithm {
+    X_25519 {
+        @Override
+        public String algorithmName() {
+            return "X25519";
+        }
+
+        @Override
+        public String curveName() {
+            return "Curve25519";
+        }
+
+        @Override
+        public int publicKeyLength() {
+            return 32;
+        }
+    }, X_448 {
+        @Override
+        public String algorithmName() {
+            return "X448";
+        }
+
+        @Override
+        public String curveName() {
+            return "Curve448";
+        }
+
+        @Override
+        public int publicKeyLength() {
+            return 57;
+        }
+    };
+
+    public static EncryptionAlgorithm lookup(PrivateKey privateKey) {
+        return switch (privateKey.getAlgorithm()) {
+            case "XDH" -> lookupX(((EdECPrivateKey) privateKey).getParams());
+            case "x25519" -> X_25519;
+            case "x448" -> X_448;
+            default -> throw new IllegalArgumentException("Unknown algorithm: " + privateKey.getAlgorithm());
+        };
+    }
+
+    public static EncryptionAlgorithm lookup(PublicKey publicKey) {
+        return switch (publicKey.getAlgorithm()) {
+            case "XDH" -> lookupX(((EdECPublicKey) publicKey).getParams());
+            case "X25519" -> X_25519;
+            case "X448" -> X_448;
+            default -> throw new IllegalArgumentException("Unknown algorithm: " + publicKey.getAlgorithm());
+        };
+    }
+
+    private static EncryptionAlgorithm lookupX(NamedParameterSpec params) {
+        var curveName = params.getName();
+        return switch (curveName.toLowerCase()) {
+            case "x25519" -> X_25519;
+            case "x448" -> X_448;
+            default -> throw new IllegalArgumentException("Unknown edwards curve: " + curveName);
+        };
+    }
+
+    abstract public String algorithmName();
+
+    abstract public String curveName();
+
+    final public byte[] encode(PublicKey publicKey) {
+        return ((XECPublicKey) publicKey).getU().toByteArray();
+    }
+
+    final public KeyPair generateKeyPair() {
+        try {
+            KeyPairGenerator kpg = KeyPairGenerator.getInstance("XDH");
+            kpg.initialize(getParamSpec());
+            return kpg.generateKeyPair();
+        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
+            throw new IllegalArgumentException("Cannot generate key pair", e);
+        }
+    }
+
+    final public KeyPair generateKeyPair(SecureRandom secureRandom) {
+        try {
+            KeyPairGenerator kpg = KeyPairGenerator.getInstance("XDH");
+            kpg.initialize(getParamSpec(), secureRandom);
+            return kpg.generateKeyPair();
+        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
+            throw new IllegalArgumentException("Cannot generate key pair", e);
+        }
+    }
+
+    final public PublicKey publicKey(byte[] bytes) {
+        try {
+            KeyFactory kf = KeyFactory.getInstance("XDH");
+            BigInteger u = new BigInteger(bytes);
+            XECPublicKeySpec pubSpec = new XECPublicKeySpec(getParamSpec(), u);
+            return kf.generatePublic(pubSpec);
+        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+            throw new IllegalArgumentException("Cannot create public key", e);
+        }
+    }
+
+    abstract public int publicKeyLength();
+
+    private NamedParameterSpec getParamSpec() {
+        return new NamedParameterSpec(algorithmName());
+    }
+}

cryptography/src/main/java/com/salesforce/apollo/cryptography/SignatureAlgorithm.java

@@ -56,16 +56,6 @@ public KeyPair generateKeyPair(SecureRandom secureRandom) {
             return ops.generateKeyPair(secureRandom);
         }
 
-        @Override
-        public PrivateKey privateKey(byte[] bytes) {
-            return ops.privateKey(bytes);
-        }
-
-        @Override
-        public int privateKeyLength() {
-            return 32;
-        }
-
         @Override
         public PublicKey publicKey(byte[] bytes) {
             return ops.publicKey(bytes);
@@ -141,16 +131,6 @@ public KeyPair generateKeyPair(SecureRandom secureRandom) {
             return ops.generateKeyPair(secureRandom);
         }
 
-        @Override
-        public PrivateKey privateKey(byte[] bytes) {
-            return ops.privateKey(bytes);
-        }
-
-        @Override
-        public int privateKeyLength() {
-            return 56;
-        }
-
         @Override
         public PublicKey publicKey(byte[] bytes) {
             return ops.publicKey(bytes);
@@ -222,16 +202,6 @@ public KeyPair generateKeyPair(SecureRandom secureRandom) {
             return null;
         }
 
-        @Override
-        public PrivateKey privateKey(byte[] bytes) {
-            return null;
-        }
-
-        @Override
-        public int privateKeyLength() {
-            return 0;
-        }
-
         @Override
         public PublicKey publicKey(byte[] bytes) {
             return null;
@@ -330,14 +300,6 @@ private static SignatureAlgorithm lookupEd(NamedParameterSpec params) {
 
     abstract public KeyPair generateKeyPair(SecureRandom secureRandom);
 
-    public KeyPair keyPair(byte[] bytes, byte[] publicKey) {
-        return new KeyPair(publicKey(publicKey), privateKey(bytes));
-    }
-
-    abstract public PrivateKey privateKey(byte[] bytes);
-
-    abstract public int privateKeyLength();
-
     abstract public PublicKey publicKey(byte[] bytes);
 
     abstract public int publicKeyLength();
@@ -374,12 +336,12 @@ final public boolean verify(PublicKey publicKey, JohnHancock signature, ByteStri
         return verify(publicKey, signature, BbBackedInputStream.aggregate(message));
     }
 
-    abstract protected boolean verify(PublicKey publicKey, byte[] signature, InputStream message);
-
     abstract JohnHancock sign(ULong sequenceNumber, PrivateKey[] privateKeys, InputStream message);
 
     final boolean verify(PublicKey publicKey, JohnHancock signature, InputStream message) {
         return new DefaultVerifier(new PublicKey[] { publicKey }).verify(SigningThreshold.unweighted(1), signature,
                                                                          message);
     }
+
+    abstract protected boolean verify(PublicKey publicKey, byte[] signature, InputStream message);
 }

cryptography/src/test/java/com/salesforce/apollo/cryptography/XTest.java

@@ -0,0 +1,56 @@
+package com.salesforce.apollo.cryptography;
+
+import org.junit.jupiter.api.Test;
+
+import javax.crypto.KeyAgreement;
+import java.security.SecureRandom;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * @author hal.hildebrand
+ **/
+public class XTest {
+    @Test
+    public void testEncoding() throws Exception {
+        var entropy = SecureRandom.getInstance("SHA1PRNG");
+        entropy.setSeed(new byte[] { 6, 6, 6 });
+
+        var algorithm = EncryptionAlgorithm.X_25519;
+        var pair = algorithm.generateKeyPair(entropy);
+        assertNotNull(pair);
+        var encodedPublic = algorithm.encode(pair.getPublic());
+        assertNotNull(encodedPublic);
+        var decodedPublic = algorithm.publicKey(encodedPublic);
+        assertNotNull(decodedPublic);
+        assertEquals(pair.getPublic(), decodedPublic);
+    }
+
+    @Test
+    public void testRoundTrip() throws Exception {
+        var entropy = SecureRandom.getInstance("SHA1PRNG");
+        entropy.setSeed(new byte[] { 6, 6, 6 });
+
+        var algorithm = EncryptionAlgorithm.X_25519;
+        var pair1 = algorithm.generateKeyPair(entropy);
+        assertNotNull(pair1);
+        var pair2 = algorithm.generateKeyPair(entropy);
+        assertNotNull(pair2);
+
+        KeyAgreement ka = KeyAgreement.getInstance("XDH");
+        KeyAgreement ka2 = KeyAgreement.getInstance("XDH");
+
+        ka.init(pair1.getPrivate());
+        ka2.init(pair2.getPrivate());
+
+        ka.doPhase(pair2.getPublic(), true);
+        ka2.doPhase(pair1.getPublic(), true);
+
+        byte[] secret1 = ka.generateSecret();
+        assertNotNull(secret1);
+        byte[] secret2 = ka2.generateSecret();
+        assertNotNull(secret2);
+
+        assertArrayEquals(secret1, secret2);
+    }
+}

model/src/main/java/com/salesforce/apollo/model/Domain.java

@@ -47,8 +47,6 @@
 import java.sql.Connection;
 import java.sql.JDBCType;
 import java.util.*;
-import java.util.concurrent.Executor;
-import java.util.concurrent.Executors;
 
 import static com.salesforce.apollo.cryptography.QualifiedBase64.qb64;
 import static java.nio.file.Path.of;
@@ -62,7 +60,6 @@
 abstract public class Domain {
     private static final Logger log = LoggerFactory.getLogger(Domain.class);
 
-    protected final Executor                   executor = Executors.newVirtualThreadPerTaskExecutor();
     protected final CHOAM                      choam;
     protected final ControlledIdentifierMember member;
     protected final Mutator                    mutator;

model/src/main/java/com/salesforce/apollo/model/ProcessContainerDomain.java

@@ -42,9 +42,7 @@
 import java.nio.file.Path;
 import java.time.Duration;
 import java.util.*;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.RejectedExecutionException;
-import java.util.concurrent.TimeUnit;
+import java.util.concurrent.*;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 import static com.salesforce.apollo.comm.grpc.DomainSocketServerInterceptor.IMPL;
@@ -55,22 +53,22 @@
  **/
 public class ProcessContainerDomain extends ProcessDomain {
 
-    private final static Logger                                    log         = LoggerFactory.getLogger(
+    private final static Logger                                                    log                   = LoggerFactory.getLogger(
     ProcessContainerDomain.class);
-    private final static Class<? extends io.netty.channel.Channel> channelType = IMPL.getChannelType();
-
-    private final DomainSocketAddress                                       bridge;
-    private final EventLoopGroup                                            clientEventLoopGroup  = IMPL.getEventLoopGroup();
-    private final Path                                                      communicationsDirectory;
-    private final EventLoopGroup                                            contextEventLoopGroup = IMPL.getEventLoopGroup();
-    private final Map<Digest, Demesne>                                      hostedDomains         = new ConcurrentHashMap<>();
-    private final DomainSocketAddress                                       outerContextEndpoint;
-    private final Server                                                    outerContextService;
-    private final Portal<Member>                                            portal;
-    private final DomainSocketAddress                                       portalEndpoint;
-    private final EventLoopGroup                                            portalEventLoopGroup  = IMPL.getEventLoopGroup();
-    private final Map<String, DomainSocketAddress>                          routes                = new HashMap<>();
-    private final IdentifierSpecification.Builder<SelfAddressingIdentifier> subDomainSpecification;
+    private final static Class<? extends io.netty.channel.Channel>                 channelType           = IMPL.getChannelType();
+    protected final      Executor                                                  executor              = Executors.newVirtualThreadPerTaskExecutor();
+    private final        DomainSocketAddress                                       bridge;
+    private final        EventLoopGroup                                            clientEventLoopGroup  = IMPL.getEventLoopGroup();
+    private final        Path                                                      communicationsDirectory;
+    private final        EventLoopGroup                                            contextEventLoopGroup = IMPL.getEventLoopGroup();
+    private final        Map<Digest, Demesne>                                      hostedDomains         = new ConcurrentHashMap<>();
+    private final        DomainSocketAddress                                       outerContextEndpoint;
+    private final        Server                                                    outerContextService;
+    private final        Portal<Member>                                            portal;
+    private final        DomainSocketAddress                                       portalEndpoint;
+    private final        EventLoopGroup                                            portalEventLoopGroup  = IMPL.getEventLoopGroup();
+    private final        Map<String, DomainSocketAddress>                          routes                = new HashMap<>();
+    private final        IdentifierSpecification.Builder<SelfAddressingIdentifier> subDomainSpecification;
 
     public ProcessContainerDomain(Digest group, ControlledIdentifierMember member, ProcessDomainParameters parameters,
                                   Parameters.Builder builder, Parameters.RuntimeParameters.Builder runtime,

pom.xml

@@ -552,6 +552,11 @@
                 <version>${graal.vm.version}</version>
                 <scope>provided</scope>
             </dependency>
+            <dependency>
+                <groupId>org.netbeans.api</groupId>
+                <artifactId>org-netbeans-modules-keyring</artifactId>
+                <version>RELEASE200</version>
+            </dependency>
 
             <!-- Test dependencies only below this line! -->
             <dependency>
@@ -772,6 +777,11 @@
                     <artifactId>maven-surefire-plugin</artifactId>
                     <version>3.1.2</version>
                 </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-clean-plugin</artifactId>
+                    <version>3.3.2</version>
+                </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>

stereotomy/pom.xml

@@ -83,8 +83,8 @@
                 <artifactId>build-helper-maven-plugin</artifactId>
             </plugin>
             <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-clean-plugin</artifactId>
-                <version>2.5</version>
                 <executions>
                     <execution>
                         <id>clean-db</id>