Refactor KmsKeyring and KmsUpdater to use a centralized serializer

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=151853998
2025-05-14 00:17:20 +02:00 · 2017-03-31 12:27:10 -07:00 · 2017-03-31 12:27:10 -07:00 · bb70fcb66d
commit bb70fcb66d
parent ff9c72097c
7 changed files with 377 additions and 195 deletions
--- a/java/google/registry/keyring/kms/KmsKeyring.java
+++ b/java/google/registry/keyring/kms/KmsKeyring.java
@ -14,31 +14,23 @@

 package google.registry.keyring.kms;

+import static com.google.common.base.CaseFormat.LOWER_HYPHEN;
+import static com.google.common.base.CaseFormat.UPPER_UNDERSCORE;
 import static com.google.common.base.Preconditions.checkState;
-import static google.registry.keyring.api.PgpHelper.KeyRequirement.ENCRYPT;
 import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
-import static java.nio.charset.StandardCharsets.UTF_8;

 import com.googlecode.objectify.Key;
+import google.registry.keyring.api.KeySerializer;
 import google.registry.keyring.api.Keyring;
 import google.registry.keyring.api.KeyringException;
-import google.registry.keyring.api.PgpHelper;
 import google.registry.model.server.KmsSecret;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import javax.inject.Inject;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPrivateKey;
 import org.bouncycastle.openpgp.PGPPublicKey;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.PGPUtil;
-import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
-import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
-import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
-import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;

 /**
 * A {@link Keyring} implementation which stores encrypted secrets in Datastore and decrypts them
@ -49,22 +41,42 @@ import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
 */
 public class KmsKeyring implements Keyring {

-  static final String BRAINTREE_PRIVATE_KEY_NAME = "braintree-private-key";
-  static final String BRDA_RECEIVER_PUBLIC_NAME = "brda-receiver-public";
-  static final String BRDA_SIGNING_PRIVATE_NAME = "brda-signing-private";
-  static final String BRDA_SIGNING_PUBLIC_NAME = "brda-signing-public";
-  static final String ICANN_REPORTING_PASSWORD_NAME = "icann-reporting-password";
-  static final String JSON_CREDENTIAL_NAME = "json-credential";
-  static final String MARKSDB_DNL_LOGIN_NAME = "marksdb-dnl-login";
-  static final String MARKSDB_LORDN_PASSWORD_NAME = "marksdb-lordn-password";
-  static final String MARKSDB_SMDRL_LOGIN_NAME = "marksdb-smdrl-login";
-  static final String RDE_RECEIVER_PUBLIC_NAME = "rde-receiver-public";
-  static final String RDE_SIGNING_PRIVATE_NAME = "rde-signing-private";
-  static final String RDE_SIGNING_PUBLIC_NAME = "rde-signing-public";
-  static final String RDE_SSH_CLIENT_PRIVATE_NAME = "rde-ssh-client-private";
-  static final String RDE_SSH_CLIENT_PUBLIC_NAME = "rde-ssh-client-public";
-  static final String RDE_STAGING_PRIVATE_NAME = "rde-staging-private";
-  static final String RDE_STAGING_PUBLIC_NAME = "rde-staging-public";
+  static enum PrivateKeyLabel {
+    BRDA_SIGNING_PRIVATE,
+    RDE_SIGNING_PRIVATE,
+    RDE_STAGING_PRIVATE;
+
+    String getLabel() {
+      return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
+    }
+  }
+
+  static enum PublicKeyLabel {
+    BRDA_RECEIVER_PUBLIC,
+    BRDA_SIGNING_PUBLIC,
+    RDE_RECEIVER_PUBLIC,
+    RDE_SIGNING_PUBLIC,
+    RDE_STAGING_PUBLIC;
+
+    String getLabel() {
+      return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
+    }
+  }
+
+  static enum StringKeyLabel {
+    BRAINTREE_PRIVATE_KEY_STRING,
+    ICANN_REPORTING_PASSWORD_STRING,
+    JSON_CREDENTIAL_STRING,
+    MARKSDB_DNL_LOGIN_STRING,
+    MARKSDB_LORDN_PASSWORD_STRING,
+    MARKSDB_SMDRL_LOGIN_STRING,
+    RDE_SSH_CLIENT_PRIVATE_STRING,
+    RDE_SSH_CLIENT_PUBLIC_STRING;
+
+    String getLabel() {
+      return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
+    }
+  }

  private final KmsConnection kmsConnection;

@ -75,118 +87,101 @@ public class KmsKeyring implements Keyring {

  @Override
  public PGPKeyPair getRdeSigningKey() {
-    return getKeyPair(RDE_SIGNING_PUBLIC_NAME, RDE_SIGNING_PRIVATE_NAME);
+    return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
  }

  @Override
  public PGPPublicKey getRdeStagingEncryptionKey() {
-    return getPublicKeyForEncrypting(RDE_STAGING_PUBLIC_NAME);
+    return getPublicKey(PublicKeyLabel.RDE_STAGING_PUBLIC);
  }

  @Override
  public PGPPrivateKey getRdeStagingDecryptionKey() {
-    return getPrivateKey(RDE_STAGING_PRIVATE_NAME);
+    return getPrivateKey(PrivateKeyLabel.RDE_STAGING_PRIVATE);
  }

  @Override
  public PGPPublicKey getRdeReceiverKey() {
-    return getPublicKeyForEncrypting(RDE_RECEIVER_PUBLIC_NAME);
+    return getPublicKey(PublicKeyLabel.RDE_RECEIVER_PUBLIC);
  }

  @Override
  public PGPKeyPair getBrdaSigningKey() {
-    return getKeyPair(BRDA_SIGNING_PUBLIC_NAME, BRDA_SIGNING_PRIVATE_NAME);
+    return getKeyPair(PrivateKeyLabel.BRDA_SIGNING_PRIVATE);
  }

  @Override
  public PGPPublicKey getBrdaReceiverKey() {
-    return getPublicKeyForEncrypting(BRDA_RECEIVER_PUBLIC_NAME);
+    return getPublicKey(PublicKeyLabel.BRDA_RECEIVER_PUBLIC);
  }

  @Override
  public String getRdeSshClientPublicKey() {
-    return new String(getDecryptedData((RDE_SSH_CLIENT_PUBLIC_NAME)), UTF_8);
+    return getString(StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING);
  }

  @Override
  public String getRdeSshClientPrivateKey() {
-    return new String(getDecryptedData(RDE_SSH_CLIENT_PRIVATE_NAME), UTF_8);
+    return getString(StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING);
  }

  @Override
  public String getIcannReportingPassword() {
-    return new String(getDecryptedData(ICANN_REPORTING_PASSWORD_NAME), UTF_8);
+    return getString(StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING);
  }

  @Override
  public String getMarksdbDnlLogin() {
-    return new String(getDecryptedData(MARKSDB_DNL_LOGIN_NAME), UTF_8);
+    return getString(StringKeyLabel.MARKSDB_DNL_LOGIN_STRING);
  }

  @Override
  public String getMarksdbLordnPassword() {
-    return new String(getDecryptedData(MARKSDB_LORDN_PASSWORD_NAME), UTF_8);
+    return getString(StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING);
  }

  @Override
  public String getMarksdbSmdrlLogin() {
-    return new String(getDecryptedData(MARKSDB_SMDRL_LOGIN_NAME), UTF_8);
+    return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
  }

  @Override
  public String getJsonCredential() {
-    return new String(getDecryptedData(JSON_CREDENTIAL_NAME), UTF_8);
+    return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
  }

  @Override
  public String getBraintreePrivateKey() {
-    return new String(getDecryptedData(BRAINTREE_PRIVATE_KEY_NAME), UTF_8);
+    return getString(StringKeyLabel.BRAINTREE_PRIVATE_KEY_STRING);
  }

  /** No persistent resources are maintained for this Keyring implementation. */
  @Override
  public void close() {}

-  private PGPKeyPair getKeyPair(String publicKeyName, String privateKeyName) {
-    try {
-      PGPPublicKey publicKey =
-          new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)).getPublicKey();
-      return new PGPKeyPair(publicKey, getPrivateKey(privateKeyName));
-    } catch (IOException e) {
-      throw new KeyringException(
-          String.format(
-              "Could not parse public key %s and private key %s", publicKeyName, privateKeyName),
-          e);
-    }
+  private String getString(StringKeyLabel keyLabel) {
+    return KeySerializer.deserializeString(getDecryptedData(keyLabel.getLabel()));
  }

-  private PGPPublicKey getPublicKeyForEncrypting(String publicKeyName) {
+  private PGPKeyPair getKeyPair(PrivateKeyLabel keyLabel) {
    try {
-      return PgpHelper.lookupPublicSubkey(
-              new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)), ENCRYPT)
-          .get();
-    } catch (IOException e) {
-      throw new KeyringException(String.format("Could not parse public key %s", publicKeyName), e);
-    }
-  }
-
-  private PGPPrivateKey getPrivateKey(String privateKeyName) {
-    try {
-      PGPSecretKeyRing privateKeyRing = new BcPGPSecretKeyRing(getPgpInputStream(privateKeyName));
-      // There shouldn't be a passphrase on the key
-      return privateKeyRing
-          .getSecretKey()
-          .extractPrivateKey(
-              new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
-                  .build(new char[0]));
+      return KeySerializer.deserializeKeyPair(getDecryptedData(keyLabel.getLabel()));
    } catch (IOException | PGPException e) {
      throw new KeyringException(
-          String.format("Could not parse private key %s", privateKeyName), e);
+          String.format("Could not parse private keyLabel %s", keyLabel), e);
    }
  }

-  private InputStream getPgpInputStream(String privateKeyName) throws IOException {
-    return PGPUtil.getDecoderStream(new ByteArrayInputStream(getDecryptedData(privateKeyName)));
+  private PGPPublicKey getPublicKey(PublicKeyLabel keyLabel) {
+    try {
+      return KeySerializer.deserializePublicKey(getDecryptedData(keyLabel.getLabel()));
+    } catch (IOException e) {
+      throw new KeyringException(String.format("Could not parse public keyLabel %s", keyLabel), e);
+    }
+  }
+
+  private PGPPrivateKey getPrivateKey(PrivateKeyLabel keyLabel) {
+    return getKeyPair(keyLabel).getPrivateKey();
  }

  private byte[] getDecryptedData(String keyName) {