From c6036988cd0c0ce0695c42cf9de79f3b00f2afe0 Mon Sep 17 00:00:00 2001
From: Murali
Date: Thu, 5 Dec 2024 15:33:44 +0530
Subject: [PATCH 1/7] fix: apkam add IV to self encryption key and encryption private key data in keystore
---
 .../lib/src/verb/handler/enroll_verb_handler.dart | 6 ++++++
 packages/at_secondary_server/pubspec.yaml | 7 +++++++
 tests/at_functional_test/test/enroll_verb_test.dart | 9 ++++++++-
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart b/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart
index 0677432e0..b64b5bf65 100644
--- a/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart
+++ b/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart
@@ -409,12 +409,18 @@ class EnrollVerbHandler extends AbstractVerbHandler {
 String newEnrollmentId, EnrollParams enrollParams, String atSign) async {
 var privateKeyJson = {};
 privateKeyJson['value'] = enrollParams.encryptedDefaultEncryptionPrivateKey;
+ if (enrollParams.encPrivateKeyIV != null) {
+ privateKeyJson['iv'] = enrollParams.encPrivateKeyIV;
+ }
 await keyStore.put(
 '$newEnrollmentId.${AtConstants.defaultEncryptionPrivateKey}.$enrollManageNamespace$atSign',
 AtData()..data = jsonEncode(privateKeyJson),
 skipCommit: true);
 var selfKeyJson = {};
 selfKeyJson['value'] = enrollParams.encryptedDefaultSelfEncryptionKey;
+ if (enrollParams.selfEncKeyIV != null) {
+ selfKeyJson['iv'] = enrollParams.selfEncKeyIV;
+ }
 await keyStore.put(
 '$newEnrollmentId.${AtConstants.defaultSelfEncryptionKey}.$enrollManageNamespace$atSign',
 AtData()..data = jsonEncode(selfKeyJson),
diff --git a/packages/at_secondary_server/pubspec.yaml b/packages/at_secondary_server/pubspec.yaml
index e30b53f07..7fdb4786a 100644
--- a/packages/at_secondary_server/pubspec.yaml
+++ b/packages/at_secondary_server/pubspec.yaml
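Review bot: The `iv` written into `privateKeyJson` and `selfKeyJson` is the client-supplied `enrollParams.encPrivateKeyIV` / `enrollParams.selfEncKeyIV` stored verbatim behind only a null guard, so a malformed or truncated IV is accepted here and the failure only surfaces later when a client tries to decrypt the stored key with it. Unless `EnrollParams` already validates these fields (not visible here), a shape check next to each null guard that rejects the request on failure would keep the keystore record self-consistent; the functional test sends the IV as base64 text of 16 bytes, which is the shape to check against. The two records now carry a JSON layout that no comment describes; a line above the first `keyStore.put` such as `// Stored as JSON {"value": <encrypted key>, "iv": <IV as sent by the client, omitted when absent>}` would make the optional field explicit for the `keys:get` reader. The enclosing method (apparently `_storeEncryptionKeys`, given the call removed in patch 4) begins before the hunk.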
@@ -34,6 +34,13 @@ dependencies:
 yaml: 3.1.2
 logging: 1.2.0
+dependency_overrides:
+ at_commons:
+ git:
+ url: https://github.com/atsign-foundation/at_libraries.git
+ path: packages/at_commons
+ ref: apkam_iv_issue_fix
+
 dev_dependencies:
 build_runner: ^2.3.3
 test: ^1.25.9
diff --git a/tests/at_functional_test/test/enroll_verb_test.dart b/tests/at_functional_test/test/enroll_verb_test.dart
index 004a31a10..da84bbd87 100644
--- a/tests/at_functional_test/test/enroll_verb_test.dart
+++ b/tests/at_functional_test/test/enroll_verb_test.dart
@@ -1,6 +1,7 @@
 import 'dart:convert';
 import 'dart:io';
+import 'package:at_chops/at_chops.dart';
 import 'package:at_commons/at_commons.dart';
 import 'package:at_demo_data/at_demo_data.dart' as at_demos;
 import 'package:at_demo_data/at_demo_data.dart';
@@ -387,8 +388,12 @@ void main() {
 var secondEnrollId = enrollJson['enrollmentId'];
 // connect to the first client to approve the enroll request
+ final encryptionPrivateKeyIV =
+ base64Encode(AtChopsUtil.generateRandomIV(16).ivBytes);
+ final selfEncryptionKeyIV =
+ base64Encode(AtChopsUtil.generateRandomIV(16).ivBytes);
 String approveResponse = (await firstAtSignConnection.sendRequestToServer(
- 'enroll:approve:{"enrollmentId":"$secondEnrollId","encryptedDefaultEncryptionPrivateKey":"${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}","encryptedDefaultSelfEncryptionKey": "${apkamEncryptedKeysMap['encryptedSelfEncKey']}"}'))
+ 'enroll:approve:{"enrollmentId":"$secondEnrollId","encryptedDefaultEncryptionPrivateKey":"${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}","encPrivateKeyIV":"$encryptionPrivateKeyIV","encryptedDefaultSelfEncryptionKey": "${apkamEncryptedKeysMap['encryptedSelfEncKey']}","selfEncKeyIV":"$selfEncryptionKeyIV"}'))
 .replaceFirst('data:', '');
 var approveJson = jsonDecode(approveResponse);
 expect(approveJson['status'], 'approved');
@@ -404,6 +409,7 @@ void main() {
 var selfKey = '$secondEnrollId.default_self_enc_key.__manage$firstAtSign';
 String selfKeyResponse =
 await socketConnection2.sendRequestToServer('keys:get:self');
+ print('** selfKeyResponse: $selfKeyResponse');
 expect(selfKeyResponse.contains(selfKey), true);
 // keys:get:private should return private encryption key
@@ -411,6 +417,7 @@ void main() {
 '$secondEnrollId.default_enc_private_key.__manage$firstAtSign';
 String privateKeyResponse =
 await socketConnection2.sendRequestToServer('keys:get:private');
+ print('** privateKeyResponse: $privateKeyResponse');
 expect(privateKeyResponse.contains(privateKey), true);
 });
From 3dec0cb7e7421e8316a6be948edf4a73d07883ab Mon Sep 17 00:00:00 2001
From: Murali
Date: Thu, 5 Dec 2024 15:46:48 +0530
Subject: [PATCH 2/7] fix: add check in functional test
---
 tests/at_functional_test/test/enroll_verb_test.dart | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tests/at_functional_test/test/enroll_verb_test.dart b/tests/at_functional_test/test/enroll_verb_test.dart
index da84bbd87..38172f8eb 100644
--- a/tests/at_functional_test/test/enroll_verb_test.dart
+++ b/tests/at_functional_test/test/enroll_verb_test.dart
@@ -409,15 +409,16 @@ void main() {
 var selfKey = '$secondEnrollId.default_self_enc_key.__manage$firstAtSign';
 String selfKeyResponse =
 await socketConnection2.sendRequestToServer('keys:get:self');
- print('** selfKeyResponse: $selfKeyResponse');
 expect(selfKeyResponse.contains(selfKey), true);
+ String selfKeyGetResponse = await socketConnection2
+ .sendRequestToServer('keys:get:keyName:$selfKey');
+ print('selfKeyGetResponse: $selfKeyGetResponse');
 // keys:get:private should return private encryption key
 var privateKey =
 '$secondEnrollId.default_enc_private_key.__manage$firstAtSign';
 String privateKeyResponse =
 await socketConnection2.sendRequestToServer('keys:get:private');
- print('** privateKeyResponse: $privateKeyResponse');
 expect(privateKeyResponse.contains(privateKey), true);
 });
From 78d342bdfa0880c8a7001d250363e7658b11b46e Mon Sep 17 00:00:00 2001
From: Murali
Date: Thu, 5 Dec 2024 16:02:00 +0530
Subject: [PATCH 3/7] fix: change to functional test
---
 .../at_functional_test/test/enroll_verb_test.dart | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tests/at_functional_test/test/enroll_verb_test.dart b/tests/at_functional_test/test/enroll_verb_test.dart
index 38172f8eb..b097a6b19 100644
--- a/tests/at_functional_test/test/enroll_verb_test.dart
+++ b/tests/at_functional_test/test/enroll_verb_test.dart
@@ -414,12 +414,26 @@ void main() {
 String selfKeyGetResponse = await socketConnection2
 .sendRequestToServer('keys:get:keyName:$selfKey');
 print('selfKeyGetResponse: $selfKeyGetResponse');
+ selfKeyGetResponse = selfKeyGetResponse.replaceFirst('data:', '');
+ var selfKeyResponseJson = jsonDecode(selfKeyGetResponse);
+ expect(selfKeyResponseJson['value'],
+ apkamEncryptedKeysMap['encryptedSelfEncKey']);
+ expect(selfKeyResponseJson['iv'], selfEncryptionKeyIV);
+
 // keys:get:private should return private encryption key
 var privateKey =
 '$secondEnrollId.default_enc_private_key.__manage$firstAtSign';
 String privateKeyResponse =
 await socketConnection2.sendRequestToServer('keys:get:private');
 expect(privateKeyResponse.contains(privateKey), true);
+ String privateKeyGetResponse = await socketConnection2
+ .sendRequestToServer('keys:get:keyName:$privateKey');
+ print('**privateKeyGetResponse: $privateKeyGetResponse');
+ privateKeyGetResponse = privateKeyGetResponse.replaceFirst('data:', '');
+ var privateKeyResponseJson = jsonDecode(privateKeyGetResponse);
+ expect(privateKeyResponseJson['value'],
+ apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']);
+ expect(privateKeyResponseJson['iv'], encryptionPrivateKeyIV);
 });
 test(
From 7fec9be974bef3cc04031d59026955f8b4239534 Mon Sep 17 00:00:00 2001
From: Murali
Date: Thu, 5 Dec 2024 19:10:35 +0530
Subject: [PATCH 4/7] fix: remove storing apkam encrypted keys for first enrollment
---
 .../lib/src/verb/handler/enroll_verb_handler.dart | 3 ---
 tests/at_functional_test/test/enroll_verb_test.dart | 2 --
 2 files changed, 5 deletions(-)
diff --git a/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart b/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart
index b64b5bf65..d74b98f36 100644
--- a/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart
+++ b/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart
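Review bot: The new `expect(selfKeyResponseJson['iv'], selfEncryptionKeyIV)` and `expect(privateKeyResponseJson['iv'], encryptionPrivateKeyIV)` only show that the server echoes back the IV it was given; the IVs come from `AtChopsUtil.generateRandomIV(16)` in the earlier hunk, generated independently of the ciphertexts in `apkamEncryptedKeysMap`, so nothing here checks that the stored IV actually decrypts the stored `value`. If that map holds keys encrypted elsewhere with their own IVs (not visible in this hunk), a follow-up assertion that decrypts `value` with `iv` and compares it to the plaintext key would cover the round trip this series is meant to enable. `jsonDecode` on a reply that is not `data:` JSON (an `error:` response) fails with a decode exception instead of a readable expectation message; an `expect(selfKeyGetResponse.startsWith('data:'), true)` before each `replaceFirst` keeps the failure mode clear. The enclosing test body starts before the hunk.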
@@ -249,9 +249,6 @@ class EnrollVerbHandler extends AbstractVerbHandler {
 final inboundConnectionMetadata =
 atConnection.metaData as InboundConnectionMetadata;
 inboundConnectionMetadata.enrollmentId = newEnrollmentId;
- // Store default encryption private key and self encryption key(both encrypted)
- // for future retrieval
- await _storeEncryptionKeys(newEnrollmentId, enrollParams, currentAtSign);
 // store this apkam as default pkam public key for old clients
 // The keys with AT_PKAM_PUBLIC_KEY does not sync to client.
 await keyStore.put(AtConstants.atPkamPublicKey,
diff --git a/tests/at_functional_test/test/enroll_verb_test.dart b/tests/at_functional_test/test/enroll_verb_test.dart
index b097a6b19..17f6eb7b9 100644
--- a/tests/at_functional_test/test/enroll_verb_test.dart
+++ b/tests/at_functional_test/test/enroll_verb_test.dart
@@ -413,7 +413,6 @@ void main() {
 String selfKeyGetResponse = await socketConnection2
 .sendRequestToServer('keys:get:keyName:$selfKey');
- print('selfKeyGetResponse: $selfKeyGetResponse');
 selfKeyGetResponse = selfKeyGetResponse.replaceFirst('data:', '');
 var selfKeyResponseJson = jsonDecode(selfKeyGetResponse);
 expect(selfKeyResponseJson['value'],
@@ -428,7 +427,6 @@ void main() {
 expect(privateKeyResponse.contains(privateKey), true);
 String privateKeyGetResponse = await socketConnection2
 .sendRequestToServer('keys:get:keyName:$privateKey');
- print('**privateKeyGetResponse: $privateKeyGetResponse');
 privateKeyGetResponse = privateKeyGetResponse.replaceFirst('data:', '');
 var privateKeyResponseJson = jsonDecode(privateKeyGetResponse);
 expect(privateKeyResponseJson['value'],
From 84efa75ebe493ebee1914436ccabcaf9f6151a83 Mon Sep 17 00:00:00 2001
From: Murali
Date: Thu, 5 Dec 2024 19:17:43 +0530
Subject: [PATCH 5/7] fix: removed test for storing apkam encrypted keys for first enrollment
---
 .../test/enroll_verb_test.dart | 29 -------------------
 1 file changed, 29 deletions(-)
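Review bot: Deleting the `_storeEncryptionKeys` call also deletes the comment that explained what the two keystore records are for, and nothing left in this hunk says why the first enrollment no longer stores them. A one-line comment where the call stood, e.g. `// Encrypted default keys are not persisted for the initial enrollment; they are stored when a later enrollment is approved`, would record the intent — that the approve path is the remaining caller is inferred from the functional test in this series, so confirm it against the rest of the handler. If the first enrollment still accepts `encryptedDefaultEncryptionPrivateKey` / `encryptedDefaultSelfEncryptionKey` in its params, those values are now silently ignored, which is worth either documenting at the parameter or rejecting with an explicit error. The enclosing method begins and ends outside the hunk.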
diff --git a/tests/at_functional_test/test/enroll_verb_test.dart b/tests/at_functional_test/test/enroll_verb_test.dart
index 17f6eb7b9..aea2bf7fd 100644
--- a/tests/at_functional_test/test/enroll_verb_test.dart
+++ b/tests/at_functional_test/test/enroll_verb_test.dart
@@ -275,35 +275,6 @@ void main() {
 expect(llookupResponseMap['errorCode'], 'AT0009');
 expect(llookupResponseMap['errorDescription'],
 'UnAuthorized client in request : Connection with enrollment ID $enrollmentId is not authorized to llookup key: $enrollmentKey');
-
- // keys:get:self should return default self encryption key
- var selfKey = '$enrollmentId.default_self_enc_key.__manage$firstAtSign';
- String selfKeyResponse =
- await socketConnection2.sendRequestToServer('keys:get:self');
- expect(selfKeyResponse.contains(selfKey), true);
-
- // keys:get:private should return private encryption key
- var privateKey =
- '$enrollmentId.default_enc_private_key.__manage$firstAtSign';
- String privateKeyResponse =
- await socketConnection2.sendRequestToServer('keys:get:private');
- expect(privateKeyResponse.contains(privateKey), true);
-
- // keys:get:keyName should return the enrollment key with __manage namespace
- String selfKeyGetResponse = await socketConnection2
- .sendRequestToServer('keys:get:keyName:$selfKey');
- expect(
- selfKeyGetResponse
- .contains('${apkamEncryptedKeysMap['encryptedSelfEncKey']}'),
- true);
-
- // keys:get:keyName should return the enrollment key with __manage namespace
- String privateKeyGetResponse = await socketConnection2
- .sendRequestToServer('keys:get:keyName:$privateKey');
- expect(
- privateKeyGetResponse.contains(
- '${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}'),
- true);
 });
 test(
From b21e8d4ff2a82678ab4b6e8c01668524bf0c2820 Mon Sep 17 00:00:00 2001
From: Murali
Date: Fri, 6 Dec 2024 17:18:56 +0530
Subject: [PATCH 6/7] fix: replace at_commons dependency overrides with published version
---
 packages/at_secondary_server/pubspec.yaml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/packages/at_secondary_server/pubspec.yaml b/packages/at_secondary_server/pubspec.yaml
index 7fdb4786a..fc4553d6b 100644
--- a/packages/at_secondary_server/pubspec.yaml
+++ b/packages/at_secondary_server/pubspec.yaml
@@ -19,7 +19,7 @@ dependencies:
 basic_utils: 5.7.0
 ecdsa: 0.1.0
 encrypt: 5.0.3
- at_commons: 5.1.0
+ at_commons: 5.1.1
 at_utils: 3.0.19
 at_chops: 2.2.0
 at_lookup: 3.0.49
@@ -34,13 +34,6 @@ dependencies:
 yaml: 3.1.2
 logging: 1.2.0
-dependency_overrides:
- at_commons:
- git:
- url: https://github.com/atsign-foundation/at_libraries.git
- path: packages/at_commons
- ref: apkam_iv_issue_fix
-
 dev_dependencies:
 build_runner: ^2.3.3
 test: ^1.25.9
From 380f9e05c574a60e4560d336036d2c4c7b2d3b60 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Dec 2024 00:12:48 +0000
Subject: [PATCH 7/7] build(deps): Bump actions/attest-build-provenance
Bumps the github-actions group with 1 update: [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance).
Updates `actions/attest-build-provenance` from 2.0.0 to 2.0.1
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/619dbb2e03e0189af0c55118e7d3c5e129e99726...c4fbc648846ca6f503a13a2281a5e7b98aa57202)
---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
 dependency-type: direct:production
 update-type: version-update:semver-patch
 dependency-group: github-actions
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/at_server.yaml | 2 +-
 .github/workflows/promote_canary.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/at_server.yaml b/.github/workflows/at_server.yaml
index 72f28c302..1501ddc07 100644
--- a/.github/workflows/at_server.yaml
+++ b/.github/workflows/at_server.yaml
@@ -179,7 +179,7 @@ jobs:
 run: |
 echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
 - if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }}
- uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0.0
+ uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
 with:
 subject-path: 'sboms/**'
diff --git a/.github/workflows/promote_canary.yaml b/.github/workflows/promote_canary.yaml
index de14d87c1..ebfea0c7a 100644
--- a/.github/workflows/promote_canary.yaml
+++ b/.github/workflows/promote_canary.yaml
@@ -164,7 +164,7 @@ jobs:
 working-directory: sboms
 run: |
 echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
- - uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0.0
+ - uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
 with:
 subject-path: 'sboms/**'