AWS Key Manager

[tomdaffurn]

Overview

• Implement a KeyManager that uses AWS KMS
• Improve the KeyManager interface to allow mapping of DIDs to aliases

[mistermoe]

barring @phoebe-lew's comment, looks gud2me! 🏅

[bradleydwyer]

Consider allowing the kmsClient to be provided by the caller (e.g. to allow configurable behaviour of the client like timeouts)

[tomdaffurn]

It's already possibly for the caller to supply, isn't it?

  fun `test a custom KMS client`() {
    val kmsClient = AWSKMSClient.builder()
      .withCredentials(AWSStaticCredentialsProvider(BasicAWSCredentials("foo", "bar")))
      .build()
    val customisedKeyManager = AwsKeyManager(kmsClient = kmsClient)

    assertThrows<AmazonServiceException> {
      customisedKeyManager.generatePrivateKey(JWSAlgorithm.ES256K)
    }
  }

[bradleydwyer]

As a note, it is possible to drop the enum type for the assignment, which might be useful given the use of named params. e.g.

    ES256K to AlgorithmDetails(
      algorithm = ES256K,
      curve = SECP256K1,
      keySpec = ECC_SECG_P256K1,
      signingAlgorithm = ECDSA_SHA_256,
      newDigest = { SHA256Digest() }
    )

[andresuribe87]

Curious why thumbprint instead of using the kid field?

[tomdaffurn]

This does go into kid up in generatePrivateKey

[mistermoe]

@andresuribe87 because kid isn't a required property of JWKs (reference).

IMO, Using JWK thumbprints makes it so there's a deterministic mapping between a DID's verification method (presuming that the verification method has publicKeyJwk, a requirement we intend to surface as part of an upcoming interop profile) and a key manager's key alias without having to rely on a Verification Method ID or JWK kid. Especially because a verification method id and a kid (even if both are present) don't have to match

[andresuribe87]

I think this would make it easier to consume for everyone.

Suggested change

	public fun sign(keyAlias: String, signingInput: ByteArray): ByteArray
	public fun sign(keyAlias: String, signingInput: ByteArray): JWSObject

[tomdaffurn]

There was an argument made that all crypto ops should be bytes-in/bytes-out. This makes KeyManager compatible with Crypto.kt

[andresuribe87]

Given that JWK already have a kid field, is it possible to use that field to identify keys?

IMO, it's easier to put the alias within that field, rather than expanding the interface.

[tomdaffurn]

Yeah, this a good point, and kicked off a big discussion. Both AwsKeyManager and InMemoryKeyManager are setting the alias into kid, so it would work with the code we have here.

It's not clear that the publicKeyJwk will always have a kid though. It's optional. I think it's up to the DID method how that publicKeyJwk is put together?

[tomdaffurn]

I'm gonna merge this now to unblock #63, but happy to keep the convo going in Slack

[codecov-commenter]

Codecov Report

Merging #65 (bbef724) into main (6901ced) will decrease coverage by 13.10%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main     #65       +/-   ##
==========================================
- Coverage   13.09%   0.00%   -13.10%     
==========================================
  Files          15      16        +1     
  Lines         443     519       +76     
  Branches       54      57        +3     
==========================================
- Hits           58       0       -58     
- Misses        380     519      +139     
+ Partials        5       0        -5     

Files	Coverage Δ
...ypto/src/main/kotlin/web5/sdk/crypto/KeyManager.kt	0.00% <ø> (ø)
.../main/kotlin/web5/sdk/crypto/InMemoryKeyManager.kt	0.00% <0.00%> (ø)
...o/src/main/kotlin/web5/sdk/crypto/AwsKeyManager.kt	0.00% <0.00%> (ø)

... and 3 files with indirect coverage changes