just saving

mkleene · mkleene · commit 493e5cb0ab50 · 2025-07-08T09:30:03.000+02:00
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/AesGcm.java b/sdk/src/main/java/io/opentdf/platform/sdk/AesGcm.java
@@ -152,10 +152,9 @@ public byte[] encrypt(byte[] iv, int authTagLen, byte[] plaintext, int offset, i
             System.arraycopy(iv, 0, cipherTextWithNonce, 0, iv.length);
             System.arraycopy(cipherText, 0, cipherTextWithNonce, iv.length, cipherText.length);
             return cipherTextWithNonce;
-        } catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
-            throw new RuntimeException("error gcm decrypt", e);
-        } catch (InvalidKeyException | BadPaddingException | IllegalBlockSizeException e) {
-            throw new RuntimeException("error gcm decrypt", e);
+        } catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidAlgorithmParameterException |
+                 InvalidKeyException | BadPaddingException | IllegalBlockSizeException e) {
+            throw new RuntimeException("error gcm encrypt", e);
         }
     }
 
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Autoconfigure.java b/sdk/src/main/java/io/opentdf/platform/sdk/Autoconfigure.java
@@ -910,14 +910,7 @@ static void storeKeysToCache(List<KeyAccessServer> kases, List<SimpleKasKey> kas
     }
 
     static String algProto2String(Algorithm e) {
-        switch (e) {
-            case ALGORITHM_EC_P521:
-                return "ec:p521";
-            case ALGORITHM_RSA_2048:
-                return "rsa:2048";
-            default:
-                throw new IllegalArgumentException("Unknown algorithm: " + e);
-        }
+        return KeyType.fromAlgorithm(e).getCurveName();
     }
 
     static String algProto2String(KasPublicKeyAlgEnum e) {
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/ECCMode.java b/sdk/src/main/java/io/opentdf/platform/sdk/ECCMode.java
@@ -1,5 +1,7 @@
 package io.opentdf.platform.sdk;
 
+import java.util.Objects;
+
 public class ECCMode {
     private ECCModeStruct data;
 
@@ -115,6 +117,18 @@ public static int getECCompressedPubKeySize(NanoTDFType.ECCurve curve) {
         }
     }
 
+    @Override
+    public boolean equals(Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        ECCMode eccMode = (ECCMode) o;
+        return Objects.equals(data, eccMode.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hashCode(data);
+    }
+
     private class ECCModeStruct {
         int curveMode;
         int unused;
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java b/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java
@@ -197,18 +197,12 @@ public static byte[] compressECPublickey(String pemECPubKey) {
             PemObject pemObject = pemReader.readPemObject();
             PublicKey pubKey = ecKeyFac.generatePublic(new X509EncodedKeySpec(pemObject.getContent()));
             return ((ECPublicKey) pubKey).getQ().getEncoded(true);
-        } catch (NoSuchAlgorithmException e) {
-            throw new RuntimeException(e);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        } catch (InvalidKeySpecException e) {
-            throw new RuntimeException(e);
-        } catch (NoSuchProviderException e) {
+        } catch (NoSuchAlgorithmException | IOException | InvalidKeySpecException | NoSuchProviderException e) {
             throw new RuntimeException(e);
         }
     }
 
-    public static String publicKeyFromECPoint(byte[] ecPoint, String curveName) {
+    public static String publicKeyFromECPoint(byte[] ecPoint, String curveName) throws RuntimeException {
         try {
             // Create EC Public key
             ECNamedCurveParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec(curveName);
@@ -274,7 +268,7 @@ public static byte[] computeECDHKey(ECPublicKey publicKey, ECPrivateKey privateK
     }
 
     public static byte[] calculateHKDF(byte[] salt, byte[] secret) {
-        byte[] key = new byte[secret.length];
+        byte[] key = new byte[32];
         HKDFParameters params = new HKDFParameters(secret, salt, null);
 
         HKDFBytesGenerator hkdf = new HKDFBytesGenerator(SHA256Digest.newInstance());
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java b/sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java
@@ -1,5 +1,9 @@
 package io.opentdf.platform.sdk;
 
+import io.opentdf.platform.policy.Algorithm;
+
+import java.util.Set;
+
 public enum KeyType {
     RSA2048Key("rsa:2048"),
     EC256Key("ec:secp256r1"),
@@ -39,7 +43,24 @@ public static KeyType fromString(String keyType) {
         throw new IllegalArgumentException("No enum constant for key type: " + keyType);
     }
 
+    public static KeyType fromAlgorithm(Algorithm a) {
+        switch (a) {
+            case ALGORITHM_RSA_2048:
+                return RSA2048Key;
+            case ALGORITHM_EC_P256:
+                return EC256Key;
+            case ALGORITHM_EC_P384:
+                return EC384Key;
+            case ALGORITHM_EC_P521:
+                return EC521Key;
+            default:
+                throw new IllegalArgumentException("Unsupported algorithm: " + a);
+        }
+    }
+
+    private static final Set<KeyType> EC_KEY_TYPES = Set.of(EC256Key, EC384Key, EC521Key);
+
     public boolean isEc() {
-        return this != RSA2048Key;
+        return EC_KEY_TYPES.contains(this);
     }
 }
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java b/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java
@@ -16,6 +16,8 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 
+import io.opentdf.platform.wellknownconfiguration.WellKnownServiceClientInterface;
+import org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi;
 import org.bouncycastle.jce.interfaces.ECPublicKey;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -65,6 +67,17 @@ public InvalidNanoTDFConfig(String errorMessage) {
         }
     }
 
+    private static Optional<Config.KASInfo> getBaseKey(WellKnownServiceClientInterface wellKnownService) {
+        var key = Planner.fetchBaseKey(wellKnownService);
+        key.ifPresent(k -> {
+            if (!KeyType.fromAlgorithm(k.getPublicKey().getAlgorithm()).isEc()) {
+                throw new SDKException(String.format("base key is not an EC key, cannot create NanoTDF using a key of type %s",
+                        k.getPublicKey().getAlgorithm()));
+            }
+        });
+        return key.map(Config.KASInfo::fromSimpleKasKey);
+    }
+
     private Config.HeaderInfo getHeaderInfo(Config.NanoTDFConfig nanoTDFConfig) throws InvalidNanoTDFConfig, UnsupportedNanoTDFFeature {
         if (nanoTDFConfig.collectionConfig.useCollection) {
             Config.HeaderInfo headerInfo = nanoTDFConfig.collectionConfig.getHeaderInfo();
@@ -74,22 +87,19 @@ private Config.HeaderInfo getHeaderInfo(Config.NanoTDFConfig nanoTDFConfig) thro
         }
 
         Gson gson = new GsonBuilder().create();
-        if (nanoTDFConfig.kasInfoList.isEmpty()) {
-            throw new InvalidNanoTDFConfig("kas url is missing");
-        }
+        Optional<Config.KASInfo> maybeKas = getKasInfo(nanoTDFConfig).or(() -> NanoTDF.getBaseKey(services.wellknown()));
 
-        Config.KASInfo kasInfo = nanoTDFConfig.kasInfoList.get(0);
-        String url = kasInfo.URL;
-        if (kasInfo.PublicKey == null || kasInfo.PublicKey.isEmpty()) {
-            logger.info("no public key provided for KAS at {}, retrieving", url);
-            kasInfo = services.kas().getECPublicKey(kasInfo, nanoTDFConfig.eccMode.getEllipticCurveType());
+        if (maybeKas.isEmpty()) {
+            throw new SDKException("no KAS info provided and couldn't get base key, cannot create NanoTDF");
         }
 
+        var kasInfo = maybeKas.get();
+
         // Kas url resource locator
-        ResourceLocator kasURL = new ResourceLocator(nanoTDFConfig.kasInfoList.get(0).URL, kasInfo.KID);
+        ResourceLocator kasURL = new ResourceLocator(kasInfo.URL, kasInfo.KID);
         assert kasURL.getIdentifier() != null : "Identifier in ResourceLocator cannot be null";
 
-        ECKeyPair keyPair = new ECKeyPair(nanoTDFConfig.eccMode.getCurveName(), ECKeyPair.ECAlgorithm.ECDSA);
+        ECKeyPair keyPair = new ECKeyPair(kasInfo.Algorithm, ECKeyPair.ECAlgorithm.ECDSA);
 
         // Generate symmetric key
         ECPublicKey kasPublicKey = ECKeyPair.publicKeyFromPem(kasInfo.PublicKey);
@@ -138,7 +148,12 @@ private Config.HeaderInfo getHeaderInfo(Config.NanoTDFConfig nanoTDFConfig) thro
         // Create header
         byte[] compressedPubKey = keyPair.compressECPublickey();
         Header header = new Header();
-        header.setECCMode(nanoTDFConfig.eccMode);
+        var mode = new ECCMode();
+        mode.setEllipticCurve(Enum.valueOf(NanoTDFType.ECCurve.class, keyPair.curveName()));
+        if (logger.isWarnEnabled() && !nanoTDFConfig.eccMode.equals(mode)) {
+            logger.warn("ECC mode provided in NanoTDFConfig: {}, ECC mode from key: {}", nanoTDFConfig.eccMode, mode);
+        }
+        header.setECCMode(mode);
         header.setPayloadConfig(nanoTDFConfig.config);
         header.setEphemeralKey(compressedPubKey);
         header.setKasLocator(kasURL);
@@ -152,6 +167,21 @@ private Config.HeaderInfo getHeaderInfo(Config.NanoTDFConfig nanoTDFConfig) thro
         return headerInfo;
     }
 
+    private Optional<Config.KASInfo> getKasInfo(Config.NanoTDFConfig nanoTDFConfig) {
+        if (nanoTDFConfig.kasInfoList.isEmpty()) {
+            logger.debug("no kas info provided in NanoTDFConfig");
+            return Optional.empty();
+        }
+
+        Config.KASInfo kasInfo = nanoTDFConfig.kasInfoList.get(0);
+        String url = kasInfo.URL;
+        if (kasInfo.PublicKey == null || kasInfo.PublicKey.isEmpty()) {
+            logger.info("no public key provided for KAS at {}, retrieving", url);
+            kasInfo = services.kas().getECPublicKey(kasInfo, nanoTDFConfig.eccMode.getEllipticCurveType());
+        }
+        return Optional.of(kasInfo);
+    }
+
     public int createNanoTDF(ByteBuffer data, OutputStream outputStream,
             Config.NanoTDFConfig nanoTDFConfig) throws SDKException, IOException {
         int nanoTDFSize = 0;
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/NanoTDFTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/NanoTDFTest.java

Original file line number	Diff line number	Diff line change
`@@ -152,10 +152,9 @@ public byte[] encrypt(byte[] iv, int authTagLen, byte[] plaintext, int offset, i`
`152`	`152`	`System.arraycopy(iv, 0, cipherTextWithNonce, 0, iv.length);`
`153`	`153`	`System.arraycopy(cipherText, 0, cipherTextWithNonce, iv.length, cipherText.length);`
`154`	`154`	`return cipherTextWithNonce;`
`155`		`- } catch (NoSuchPaddingException \| NoSuchAlgorithmException \| InvalidAlgorithmParameterException e) {`
`156`		`- throw new RuntimeException("error gcm decrypt", e);`
`157`		`- } catch (InvalidKeyException \| BadPaddingException \| IllegalBlockSizeException e) {`
`158`		`- throw new RuntimeException("error gcm decrypt", e);`
	`155`	`+ } catch (NoSuchPaddingException \| NoSuchAlgorithmException \| InvalidAlgorithmParameterException \|`
	`156`	`+ InvalidKeyException \| BadPaddingException \| IllegalBlockSizeException e) {`
	`157`	`+ throw new RuntimeException("error gcm encrypt", e);`
`159`	`158`	`}`
`160`	`159`	`}`
`161`	`160`
Original file line number	Diff line number	Diff line change
`@@ -910,14 +910,7 @@ static void storeKeysToCache(List<KeyAccessServer> kases, List<SimpleKasKey> kas`
`910`	`910`	`}`
`911`	`911`
`912`	`912`	`static String algProto2String(Algorithm e) {`
`913`		`- switch (e) {`
`914`		`- case ALGORITHM_EC_P521:`
`915`		`- return "ec:p521";`
`916`		`- case ALGORITHM_RSA_2048:`
`917`		`- return "rsa:2048";`
`918`		`- default:`
`919`		`- throw new IllegalArgumentException("Unknown algorithm: " + e);`
`920`		`- }`
	`913`	`+ return KeyType.fromAlgorithm(e).getCurveName();`
`921`	`914`	`}`
`922`	`915`
`923`	`916`	`static String algProto2String(KasPublicKeyAlgEnum e) {`