Refactor KmsKeyring and KmsUpdater to use a centralized serializer

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=151853998
2025-08-04 17:01:51 +02:00 · 2017-03-31 12:27:10 -07:00 · 2017-03-31 12:27:10 -07:00 · bb70fcb66d
commit bb70fcb66d
parent ff9c72097c
7 changed files with 377 additions and 195 deletions
--- a/javatests/google/registry/keyring/kms/BUILD
+++ b/javatests/google/registry/keyring/kms/BUILD
@ -15,6 +15,7 @@ java_library(
        "pgp-public-keyring.asc",
    ],
    deps = [
+        "//java/google/registry/keyring/api",
        "//java/google/registry/keyring/kms",
        "//java/google/registry/model",
        "//javatests/google/registry/testing",
--- a/javatests/google/registry/keyring/kms/KmsKeyringTest.java
+++ b/javatests/google/registry/keyring/kms/KmsKeyringTest.java
@ -16,13 +16,13 @@ package google.registry.keyring.kms;

 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.testing.DatastoreHelper.persistResources;
-import static java.nio.charset.StandardCharsets.UTF_8;
-
 import com.google.common.collect.ImmutableList;
+import google.registry.keyring.api.KeySerializer;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
 import google.registry.model.server.KmsSecretRevision.Builder;
 import google.registry.testing.AppEngineRule;
+import google.registry.testing.BouncyCastleProviderRule;
 import java.io.IOException;
 import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPrivateKey;
@ -36,6 +36,8 @@ import org.junit.runners.JUnit4;
@RunWith(JUnit4.class)
 public class KmsKeyringTest {

+  @Rule public final BouncyCastleProviderRule bouncy = new BouncyCastleProviderRule();
+
  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();

  private KmsKeyring keyring;
@ -51,8 +53,8 @@ public class KmsKeyringTest {

    PGPKeyPair rdeSigningKey = keyring.getRdeSigningKey();

-    assertThat(rdeSigningKey.getKeyID())
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getKeyID());
+    assertThat(KeySerializer.serializeKeyPair(rdeSigningKey))
+        .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }

  @Test
@ -62,17 +64,20 @@ public class KmsKeyringTest {
    PGPPublicKey rdeStagingEncryptionKey = keyring.getRdeStagingEncryptionKey();

    assertThat(rdeStagingEncryptionKey.getFingerprint())
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getFingerprint());
+        .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
  }

  @Test
  public void test_getRdeStagingDecryptionKey() throws Exception {
    savePrivateKeySecret("rde-staging-private");
+    savePublicKeySecret("rde-staging-public");

    PGPPrivateKey rdeStagingDecryptionKey = keyring.getRdeStagingDecryptionKey();
+    PGPPublicKey rdeStagingEncryptionKey = keyring.getRdeStagingEncryptionKey();
+    PGPKeyPair keyPair = new PGPKeyPair(rdeStagingEncryptionKey, rdeStagingDecryptionKey);

-    assertThat(rdeStagingDecryptionKey.getKeyID())
-        .isEqualTo(KmsTestHelper.getPrivateKeyring().getSecretKey().getKeyID());
+    assertThat(KeySerializer.serializeKeyPair(keyPair))
+        .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }

  @Test
@ -82,7 +87,7 @@ public class KmsKeyringTest {
    PGPPublicKey rdeReceiverKey = keyring.getRdeReceiverKey();

    assertThat(rdeReceiverKey.getFingerprint())
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getFingerprint());
+        .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
  }

  @Test
@ -91,8 +96,8 @@ public class KmsKeyringTest {

    PGPKeyPair brdaSigningKey = keyring.getBrdaSigningKey();

-    assertThat(brdaSigningKey.getKeyID())
-        .isEqualTo(KmsTestHelper.getPrivateKeyring().getPublicKey().getKeyID());
+    assertThat(KeySerializer.serializeKeyPair(brdaSigningKey))
+        .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }

  @Test
@ -102,80 +107,80 @@ public class KmsKeyringTest {
    PGPPublicKey brdaReceiverKey = keyring.getBrdaReceiverKey();

    assertThat(brdaReceiverKey.getFingerprint())
-        .isEqualTo(KmsTestHelper.getPublicKeyring().getPublicKey().getFingerprint());
+        .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
  }

  @Test
  public void test_getRdeSshClientPublicKey() throws Exception {
-    saveCleartextSecret("rde-ssh-client-public");
+    saveCleartextSecret("rde-ssh-client-public-string");

    String rdeSshClientPublicKey = keyring.getRdeSshClientPublicKey();

-    assertThat(rdeSshClientPublicKey).isEqualTo("rde-ssh-client-publicmoo");
+    assertThat(rdeSshClientPublicKey).isEqualTo("rde-ssh-client-public-stringmoo");
  }

  @Test
  public void test_getRdeSshClientPrivateKey() throws Exception {
-    saveCleartextSecret("rde-ssh-client-private");
+    saveCleartextSecret("rde-ssh-client-private-string");

    String rdeSshClientPrivateKey = keyring.getRdeSshClientPrivateKey();

-    assertThat(rdeSshClientPrivateKey).isEqualTo("rde-ssh-client-privatemoo");
+    assertThat(rdeSshClientPrivateKey).isEqualTo("rde-ssh-client-private-stringmoo");
  }

  @Test
  public void test_getIcannReportingPassword() throws Exception {
-    saveCleartextSecret("icann-reporting-password");
+    saveCleartextSecret("icann-reporting-password-string");

    String icannReportingPassword = keyring.getIcannReportingPassword();

-    assertThat(icannReportingPassword).isEqualTo("icann-reporting-passwordmoo");
+    assertThat(icannReportingPassword).isEqualTo("icann-reporting-password-stringmoo");
  }

  @Test
  public void test_getMarksdbDnlLogin() throws Exception {
-    saveCleartextSecret("marksdb-dnl-login");
+    saveCleartextSecret("marksdb-dnl-login-string");

    String marksdbDnlLogin = keyring.getMarksdbDnlLogin();

-    assertThat(marksdbDnlLogin).isEqualTo("marksdb-dnl-loginmoo");
+    assertThat(marksdbDnlLogin).isEqualTo("marksdb-dnl-login-stringmoo");
  }

  @Test
  public void test_getMarksdbLordnPassword() throws Exception {
-    saveCleartextSecret("marksdb-lordn-password");
+    saveCleartextSecret("marksdb-lordn-password-string");

    String marksdbLordnPassword = keyring.getMarksdbLordnPassword();

-    assertThat(marksdbLordnPassword).isEqualTo("marksdb-lordn-passwordmoo");
+    assertThat(marksdbLordnPassword).isEqualTo("marksdb-lordn-password-stringmoo");
  }

  @Test
  public void test_getMarksdbSmdrlLogin() throws Exception {
-    saveCleartextSecret("marksdb-smdrl-login");
+    saveCleartextSecret("marksdb-smdrl-login-string");

    String marksdbSmdrlLogin = keyring.getMarksdbSmdrlLogin();

-    assertThat(marksdbSmdrlLogin).isEqualTo("marksdb-smdrl-loginmoo");
+    assertThat(marksdbSmdrlLogin).isEqualTo("marksdb-smdrl-login-stringmoo");

  }

  @Test
  public void test_getJsonCredential() throws Exception {
-    saveCleartextSecret("json-credential");
+    saveCleartextSecret("json-credential-string");

    String jsonCredential = keyring.getJsonCredential();

-    assertThat(jsonCredential).isEqualTo("json-credentialmoo");
+    assertThat(jsonCredential).isEqualTo("json-credential-stringmoo");
  }

  @Test
  public void test_getBraintreePrivateKey() throws Exception {
-    saveCleartextSecret("braintree-private-key");
+    saveCleartextSecret("braintree-private-key-string");

    String braintreePrivateKey = keyring.getBraintreePrivateKey();

-    assertThat(braintreePrivateKey).isEqualTo("braintree-private-keymoo");
+    assertThat(braintreePrivateKey).isEqualTo("braintree-private-key-stringmoo");
  }

  private static void persistSecret(String secretName, byte[] secretValue) throws IOException {
@ -192,15 +197,15 @@ public class KmsKeyringTest {
  }

  private static void saveCleartextSecret(String secretName) throws Exception {
-    persistSecret(secretName, (secretName + "moo").getBytes(UTF_8));
+    persistSecret(secretName, KeySerializer.serializeString(secretName + "moo"));
  }

  private static void savePublicKeySecret(String publicKeyName) throws Exception {
-    persistSecret(publicKeyName, KmsTestHelper.getPublicKeyring().getPublicKey().getEncoded());
+    persistSecret(publicKeyName, KeySerializer.serializePublicKey(KmsTestHelper.getPublicKey()));
  }

  private static void savePrivateKeySecret(String privateKeyName) throws Exception {
-    persistSecret(privateKeyName, KmsTestHelper.getPrivateKeyring().getEncoded());
+    persistSecret(privateKeyName, KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
  }

  private static void saveKeyPairSecret(String publicKeyName, String privateKeyName)
--- a/javatests/google/registry/keyring/kms/KmsTestHelper.java
+++ b/javatests/google/registry/keyring/kms/KmsTestHelper.java
@ -18,9 +18,13 @@ import static com.google.common.io.Resources.getResource;

 import com.google.common.io.ByteSource;
 import com.google.common.io.Resources;
+import org.bouncycastle.openpgp.PGPKeyPair;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPSecretKey;
 import org.bouncycastle.openpgp.PGPUtil;
-import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
 import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
+import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;

 /** Stores dummy values for test use in {@link KmsUpdaterTest} and {@link KmsKeyringTest}. */
 final class KmsTestHelper {
@ -28,20 +32,25 @@ final class KmsTestHelper {
  static final String DUMMY_CRYPTO_KEY_VERSION = "cheeseburger";
  static final String DUMMY_ENCRYPTED_VALUE = "meow";

-  /** The contents of a dummy PGP public key stored in a file. */
-  private static final ByteSource PGP_PUBLIC_KEYRING =
-      Resources.asByteSource(getResource(KmsTestHelper.class, "pgp-public-keyring.asc"));
-
  /** The contents of a dummy PGP private key stored in a file. */
  private static final ByteSource PGP_PRIVATE_KEYRING =
      Resources.asByteSource(getResource(KmsTestHelper.class, "pgp-private-keyring-registry.asc"));

-  static BcPGPPublicKeyRing getPublicKeyring() throws Exception {
-    return new BcPGPPublicKeyRing(PGPUtil.getDecoderStream(PGP_PUBLIC_KEYRING.openStream()));
+  private static BcPGPSecretKeyRing getPrivateKeyring() throws Exception {
+    return new BcPGPSecretKeyRing(PGPUtil.getDecoderStream(PGP_PRIVATE_KEYRING.openStream()));
  }

-  static BcPGPSecretKeyRing getPrivateKeyring() throws Exception {
-    return new BcPGPSecretKeyRing(PGPUtil.getDecoderStream(PGP_PRIVATE_KEYRING.openStream()));
+  static PGPPublicKey getPublicKey() throws Exception {
+    return getPrivateKeyring().getPublicKey();
+  }
+
+  static PGPKeyPair getKeyPair() throws Exception {
+    PGPSecretKey secretKey = getPrivateKeyring().getSecretKey();
+    return new PGPKeyPair(
+        secretKey.getPublicKey(),
+        secretKey.extractPrivateKey(
+            new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
+            .build(new char[0])));
  }

  private KmsTestHelper() {}
--- a/javatests/google/registry/keyring/kms/KmsUpdaterTest.java
+++ b/javatests/google/registry/keyring/kms/KmsUpdaterTest.java
@ -17,13 +17,15 @@ package google.registry.keyring.kms;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
 import static google.registry.model.ofy.ObjectifyService.ofy;
-import static java.nio.charset.StandardCharsets.UTF_8;
-
 import com.googlecode.objectify.Key;
+import google.registry.keyring.api.KeySerializer;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
 import google.registry.testing.AppEngineRule;
+import google.registry.testing.BouncyCastleProviderRule;
 import java.io.IOException;
+import org.bouncycastle.openpgp.PGPKeyPair;
+import org.bouncycastle.openpgp.PGPPublicKey;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@ -35,6 +37,8 @@ public class KmsUpdaterTest {

  @Rule public final AppEngineRule appEngine = AppEngineRule.builder().withDatastore().build();

+  @Rule public final BouncyCastleProviderRule bouncy = new BouncyCastleProviderRule();
+
  private KmsUpdater updater;

  @Before
@ -51,11 +55,15 @@ public class KmsUpdaterTest {
        .update();

    verifySecretAndSecretRevisionWritten(
-        "braintree-private-key", "braintree-private-key/foo", getCiphertext("value1"));
+        "braintree-private-key-string",
+        "braintree-private-key-string/foo",
+        getCiphertext("value1"));
    verifySecretAndSecretRevisionWritten(
-        "icann-reporting-password", "icann-reporting-password/foo", getCiphertext("value2"));
+        "icann-reporting-password-string",
+        "icann-reporting-password-string/foo",
+        getCiphertext("value2"));
    verifySecretAndSecretRevisionWritten(
-        "json-credential", "json-credential/foo", getCiphertext("value3"));
+        "json-credential-string", "json-credential-string/foo", getCiphertext("value3"));
  }

  @Test
@ -63,31 +71,33 @@ public class KmsUpdaterTest {
    updater.setBraintreePrivateKey("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "braintree-private-key", "braintree-private-key/foo", getCiphertext("value1"));
+        "braintree-private-key-string",
+        "braintree-private-key-string/foo",
+        getCiphertext("value1"));
  }

  @Test
  public void test_setBrdaReceiverKey() throws Exception {
-    updater.setBrdaReceiverPublicKey(KmsTestHelper.getPublicKeyring().getPublicKey()).update();
+    updater.setBrdaReceiverPublicKey(KmsTestHelper.getPublicKey()).update();

    verifySecretAndSecretRevisionWritten(
        "brda-receiver-public",
        "brda-receiver-public/foo",
-        getCiphertext(KmsTestHelper.getPublicKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }

  @Test
  public void test_setBrdaSigningKey() throws Exception {
-    updater.setBrdaSigningKey(KmsTestHelper.getPrivateKeyring()).update();
+    updater.setBrdaSigningKey(KmsTestHelper.getKeyPair()).update();

    verifySecretAndSecretRevisionWritten(
        "brda-signing-private",
        "brda-signing-private/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getEncoded()));
+        getCiphertext(KmsTestHelper.getKeyPair()));
    verifySecretAndSecretRevisionWritten(
        "brda-signing-public",
        "brda-signing-public/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }

  @Test
@ -95,7 +105,9 @@ public class KmsUpdaterTest {
    updater.setIcannReportingPassword("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "icann-reporting-password", "icann-reporting-password/foo", getCiphertext("value1"));
+        "icann-reporting-password-string",
+        "icann-reporting-password-string/foo",
+        getCiphertext("value1"));
  }

  @Test
@ -103,7 +115,7 @@ public class KmsUpdaterTest {
    updater.setJsonCredential("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "json-credential", "json-credential/foo", getCiphertext("value1"));
+        "json-credential-string", "json-credential-string/foo", getCiphertext("value1"));
  }

  @Test
@ -111,7 +123,7 @@ public class KmsUpdaterTest {
    updater.setMarksdbDnlLogin("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "marksdb-dnl-login", "marksdb-dnl-login/foo", getCiphertext("value1"));
+        "marksdb-dnl-login-string", "marksdb-dnl-login-string/foo", getCiphertext("value1"));
  }

  @Test
@ -119,7 +131,9 @@ public class KmsUpdaterTest {
    updater.setMarksdbLordnPassword("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "marksdb-lordn-password", "marksdb-lordn-password/foo", getCiphertext("value1"));
+        "marksdb-lordn-password-string",
+        "marksdb-lordn-password-string/foo",
+        getCiphertext("value1"));
  }

  @Test
@ -127,31 +141,32 @@ public class KmsUpdaterTest {
    updater.setMarksdbSmdrlLogin("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "marksdb-smdrl-login", "marksdb-smdrl-login/foo", getCiphertext("value1"));
+        "marksdb-smdrl-login-string", "marksdb-smdrl-login-string/foo", getCiphertext("value1"));
  }

  @Test
  public void test_setRdeReceiverKey() throws Exception {
-    updater.setRdeReceiverPublicKey(KmsTestHelper.getPublicKeyring().getPublicKey()).update();
+    updater.setRdeReceiverPublicKey(KmsTestHelper.getPublicKey()).update();

    verifySecretAndSecretRevisionWritten(
        "rde-receiver-public",
        "rde-receiver-public/foo",
-        getCiphertext(KmsTestHelper.getPublicKeyring().getPublicKey().getEncoded()));
+        getCiphertext(
+            KeySerializer.serializePublicKey(KmsTestHelper.getPublicKey())));
  }

  @Test
  public void test_setRdeSigningKey() throws Exception {
-    updater.setRdeSigningKey(KmsTestHelper.getPrivateKeyring()).update();
+    updater.setRdeSigningKey(KmsTestHelper.getKeyPair()).update();

    verifySecretAndSecretRevisionWritten(
        "rde-signing-private",
        "rde-signing-private/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getEncoded()));
+        getCiphertext(KmsTestHelper.getKeyPair()));
    verifySecretAndSecretRevisionWritten(
        "rde-signing-public",
        "rde-signing-public/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }

  @Test
@ -159,7 +174,9 @@ public class KmsUpdaterTest {
    updater.setRdeSshClientPrivateKey("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "rde-ssh-client-private", "rde-ssh-client-private/foo", getCiphertext("value1"));
+        "rde-ssh-client-private-string",
+        "rde-ssh-client-private-string/foo",
+        getCiphertext("value1"));
  }

  @Test
@ -167,21 +184,23 @@ public class KmsUpdaterTest {
    updater.setRdeSshClientPublicKey("value1").update();

    verifySecretAndSecretRevisionWritten(
-        "rde-ssh-client-public", "rde-ssh-client-public/foo", getCiphertext("value1"));
+        "rde-ssh-client-public-string",
+        "rde-ssh-client-public-string/foo",
+        getCiphertext("value1"));
  }

  @Test
  public void test_setRdeStagingKey() throws Exception {
-    updater.setRdeStagingKey(KmsTestHelper.getPrivateKeyring()).update();
+    updater.setRdeStagingKey(KmsTestHelper.getKeyPair()).update();

    verifySecretAndSecretRevisionWritten(
        "rde-staging-private",
        "rde-staging-private/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getEncoded()));
+        getCiphertext(KmsTestHelper.getKeyPair()));
    verifySecretAndSecretRevisionWritten(
        "rde-staging-public",
        "rde-staging-public/foo",
-        getCiphertext(KmsTestHelper.getPrivateKeyring().getPublicKey().getEncoded()));
+        getCiphertext(KmsTestHelper.getPublicKey()));
  }


@ -200,6 +219,14 @@ public class KmsUpdaterTest {
  }

  private static String getCiphertext(String plaintext) throws IOException {
-    return getCiphertext(plaintext.getBytes(UTF_8));
+    return getCiphertext(KeySerializer.serializeString(plaintext));
+  }
+
+  private static String getCiphertext(PGPPublicKey publicKey) throws IOException {
+    return getCiphertext(KeySerializer.serializePublicKey(publicKey));
+  }
+
+  private static String getCiphertext(PGPKeyPair keyPair) throws Exception {
+    return getCiphertext(KeySerializer.serializeKeyPair(keyPair));
  }
 }