feat(sdk)!: add base key and support for key grants in ZTDF (#271)

Introduces the `Planner` class, which encapsulates the policy about how
to create a split plan, basing its
decision on `TDFConfig.autoconfigure`, whether KASes were provided in
config, and whether a split plan
was manually provided in config.

Modifies the `Autoconfigure.Granter` class to consume key grants. When a
key is specified using a KID
the KID is used during key assignment. When there are no grants or
mapped keys present `Autoconfigure.Granter`
reaches out to the `wellknown` endpoint to download a base key and
constructs a single element split plan.

* update visibility of some internal classes
* get rid of a bit of duplication
* include a `WellknownServiceClientInterface` in the `SDK.Services`
interface. Not sure if this is a good idea
or not but it doesn't seem dangerous.
* update some test classes

Author: mkleene

examples/src/main/java/io/opentdf/platform/GetEntitlements.java

@@ -7,7 +7,6 @@
 import io.opentdf.platform.sdk.*;
 
 import java.util.Collections;
-import java.util.concurrent.ExecutionException;
 
 import java.util.List;
 

sdk/src/main/java/io/opentdf/platform/sdk/Autoconfigure.java

@@ -1,13 +1,18 @@
 package io.opentdf.platform.sdk;
 
+import io.opentdf.platform.policy.KeyAccessServer;
+import io.opentdf.platform.policy.SimpleKasKey;
 import io.opentdf.platform.policy.Value;
 import io.opentdf.platform.sdk.Autoconfigure.AttributeValueFQN;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.*;
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 /**
  * Configuration class for setting various configurations related to TDF.
@@ -22,6 +27,7 @@ public class Config {
     public static final String KAS_PUBLIC_KEY_PATH = "/kas_public_key";
     public static final String DEFAULT_MIME_TYPE = "application/octet-stream";
     public static final int MAX_COLLECTION_ITERATION = (1 << 24) - 1;
+    private static Logger logger = LoggerFactory.getLogger(Config.class);
 
     public enum TDFFormat {
         JSONFormat,
@@ -33,8 +39,6 @@ public enum IntegrityAlgorithm {
         GMAC
     }
 
-    public static final int K_HTTP_OK = 200;
-
     public static class KASInfo implements Cloneable {
         public String URL;
         public String PublicKey;
@@ -71,6 +75,36 @@ public String toString() {
             }
             return sb.append("}").toString();
         }
+
+        public static List<KASInfo> fromKeyAccessServer(KeyAccessServer kas) {
+            var keys = kas.getPublicKey().getCached().getKeysList();
+            if (keys.isEmpty()) {
+                logger.warn("Invalid KAS key mapping for kas [{}]: publicKey is empty", kas.getUri());
+                return Collections.emptyList();
+            }
+            return keys.stream().flatMap(ki -> {
+                if (ki.getPem().isEmpty()) {
+                    logger.warn("Invalid KAS key mapping for kas [{}]: publicKey PEM is empty", kas.getUri());
+                    return Stream.empty();
+                }
+                Config.KASInfo kasInfo = new Config.KASInfo();
+                kasInfo.URL = kas.getUri();
+                kasInfo.KID = ki.getKid();
+                kasInfo.Algorithm = KeyType.fromPublicKeyAlgorithm(ki.getAlg()).toString();
+                kasInfo.PublicKey = ki.getPem();
+                return Stream.of(kasInfo);
+            }).collect(Collectors.toList());
+        }
+
+        public static KASInfo fromSimpleKasKey(SimpleKasKey ki) {
+            Config.KASInfo kasInfo = new Config.KASInfo();
+            kasInfo.URL = ki.getKasUri();
+            kasInfo.KID = ki.getPublicKey().getKid();
+            kasInfo.Algorithm = KeyType.fromAlgorithm(ki.getPublicKey().getAlgorithm()).toString();
+            kasInfo.PublicKey = ki.getPublicKey().getPem();
+
+            return kasInfo;
+        }
     }
 
     public static class AssertionVerificationKeys {
@@ -239,6 +273,11 @@ public static Consumer<TDFConfig> withKasInformation(KASInfo... kasInfoList) {
         };
     }
 
+    /**
+     * Deprecated since 9.1.0, will be removed. To produce key shares use
+     * the key mapping feature
+     */
+    @Deprecated(since = "9.1.0", forRemoval = true)
     public static Consumer<TDFConfig> withSplitPlan(Autoconfigure.KeySplitStep... p) {
         return (TDFConfig config) -> {
             config.splitPlan = new ArrayList<>(Arrays.asList(p));

sdk/src/main/java/io/opentdf/platform/sdk/Config.java

@@ -91,7 +91,7 @@ public KASInfo getECPublicKey(Config.KASInfo kasInfo, NanoTDFType.ECCurve curve)
 
     @Override
     public Config.KASInfo getPublicKey(Config.KASInfo kasInfo) {
-        Config.KASInfo cachedValue = this.kasKeyCache.get(kasInfo.URL, kasInfo.Algorithm);
+        Config.KASInfo cachedValue = this.kasKeyCache.get(kasInfo.URL, kasInfo.Algorithm, kasInfo.KID);
         if (cachedValue != null) {
             return cachedValue;
         }

sdk/src/main/java/io/opentdf/platform/sdk/KASClient.java

@@ -7,6 +7,7 @@
 import java.time.temporal.ChronoUnit;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Objects;
 
 /**
  * Class representing a cache for KAS (Key Access Server) information.
@@ -24,14 +25,14 @@ public void clear() {
         this.cache = new HashMap<>();
     }
 
-    public Config.KASInfo get(String url, String algorithm) {
-        log.debug("retrieving kasinfo for url = [{}], algorithm = [{}]", url, algorithm);
-        KASKeyRequest cacheKey = new KASKeyRequest(url, algorithm);
+    public Config.KASInfo get(String url, String algorithm, String kid) {
+        log.debug("retrieving kasinfo for url = [{}], algorithm = [{}], kid = [{}]", url, algorithm, kid);
+        KASKeyRequest cacheKey = new KASKeyRequest(url, algorithm, kid);
         LocalDateTime now = LocalDateTime.now();
         TimeStampedKASInfo cachedValue = cache.get(cacheKey);
 
         if (cachedValue == null) {
-            log.debug("didn't find kasinfo for url = [{}], algorithm = [{}]", url, algorithm);
+            log.debug("didn't find kasinfo for key= [{}]", cacheKey);
             return null;
         }
 
@@ -49,7 +50,7 @@ public Config.KASInfo get(String url, String algorithm) {
 
     public void store(Config.KASInfo kasInfo) {
         log.debug("storing kasInfo into the cache {}", kasInfo);
-        KASKeyRequest cacheKey = new KASKeyRequest(kasInfo.URL, kasInfo.Algorithm);
+        KASKeyRequest cacheKey = new KASKeyRequest(kasInfo.URL, kasInfo.Algorithm, kasInfo.KID);
         cache.put(cacheKey, new TimeStampedKASInfo(kasInfo, LocalDateTime.now()));
     }
 }
@@ -85,30 +86,34 @@ public TimeStampedKASInfo(Config.KASInfo kasInfo, LocalDateTime timestamp) {
 class KASKeyRequest {
     private String url;
     private String algorithm;
+    private String kid;
 
-    public KASKeyRequest(String url, String algorithm) {
+    public KASKeyRequest(String url, String algorithm, String kid) {
         this.url = url;
         this.algorithm = algorithm;
+        this.kid = kid;
     }
 
-    // Override equals and hashCode to ensure proper functioning of the HashMap
     @Override
     public boolean equals(Object o) {
-        if (this == o) return true;
-        if (o == null || !(o instanceof KASKeyRequest)) return false;
+        if (o == null || getClass() != o.getClass()) return false;
         KASKeyRequest that = (KASKeyRequest) o;
-       if (algorithm == null){
-            return url.equals(that.url);
-        }
-        return url.equals(that.url) && algorithm.equals(that.algorithm);
+        return Objects.equals(url, that.url) && Objects.equals(algorithm, that.algorithm) && Objects.equals(kid, that.kid);
     }
 
     @Override
     public int hashCode() {
-        int result = 31 * url.hashCode();
-        if (algorithm != null) {
-            result = result + algorithm.hashCode();
-        }
-        return result;
+        return Objects.hash(url, algorithm, kid);
+    }
+
+    @Override
+    public String toString() {
+        return "KASKeyRequest{" +
+                "url='" + url + '\'' +
+                ", algorithm='" + algorithm + '\'' +
+                ", kid='" + kid + '\'' +
+                '}';
     }
+
+    // Override equals and hashCode to ensure proper functioning of the HashMap
 }

sdk/src/main/java/io/opentdf/platform/sdk/KASKeyCache.java

@@ -1,5 +1,8 @@
 package io.opentdf.platform.sdk;
 
+import io.opentdf.platform.policy.Algorithm;
+import io.opentdf.platform.policy.KasPublicKeyAlgEnum;
+
 import javax.annotation.Nonnull;
 
 import static io.opentdf.platform.sdk.NanoTDFType.ECCurve.SECP256R1;
@@ -46,7 +49,43 @@ public static KeyType fromString(String keyType) {
         throw new IllegalArgumentException("No enum constant for key type: " + keyType);
     }
 
+    public static KeyType fromAlgorithm(Algorithm algorithm) {
+        if (algorithm == null) {
+            throw new IllegalArgumentException("Algorithm cannot be null");
+        }
+        switch (algorithm) {
+            case ALGORITHM_RSA_2048:
+                return KeyType.RSA2048Key;
+            case ALGORITHM_EC_P256:
+                return KeyType.EC256Key;
+            case ALGORITHM_EC_P384:
+                return KeyType.EC384Key;
+            case ALGORITHM_EC_P521:
+                return KeyType.EC521Key;
+            default:
+                throw new IllegalArgumentException("Unsupported algorithm: " + algorithm);
+        }
+    }
+
+    public static KeyType fromPublicKeyAlgorithm(KasPublicKeyAlgEnum algorithm) {
+        if (algorithm == null) {
+            throw new IllegalArgumentException("Algorithm cannot be null");
+        }
+        switch (algorithm) {
+            case KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048:
+                return KeyType.RSA2048Key;
+            case KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1:
+                return KeyType.EC256Key;
+            case KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1:
+                return KeyType.EC384Key;
+            case KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1:
+                return KeyType.EC521Key;
+            default:
+                throw new IllegalArgumentException("Unsupported algorithm: " + algorithm);
+        }
+    }
+
     public boolean isEc() {
         return this.curve != null;
     }
-}
+}