keyamanger-runtime: replace with test/simple-keymanager

Common keymanager initalization code is extracted into the `keymanager-lib`
crate. This enables for the actual key manager implementation to only
provide a set of key manager policy signers.

Aditionally the `keymanager-runtime` crate is removed and replaced with
a test `simple-keymanager` runtime that is used in E2E tests.

.buildkite/code.pipeline.yml

@@ -140,15 +140,15 @@ steps:
   # .buildkite/rust/test_runtime_and_gateway.sh and .buildkite/scripts/download_utils.sh.
   - label: Build key manager runtime
     command:
-      - .buildkite/rust/build_runtime.sh keymanager-runtime
+      - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keymanager
       - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keyvalue
 
       # Upload the built artifacts.
       - cd /var/tmp/artifacts/sgx/x86_64-fortanix-unknown-sgx/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime.sgxs
+      - buildkite-agent artifact upload simple-keymanager.sgxs
       - buildkite-agent artifact upload simple-keyvalue.sgxs
       - cd /var/tmp/artifacts/default/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime
+      - buildkite-agent artifact upload simple-keymanager
       - buildkite-agent artifact upload simple-keyvalue
     agents:
       buildkite_agent_size: large

.buildkite/longtests.pipeline.yml

@@ -79,15 +79,15 @@ steps:
 
   - label: Build key manager runtime
     command:
-      - .buildkite/rust/build_runtime.sh keymanager-runtime
+      - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keymanager
       - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keyvalue
 
       # Upload the built artifacts.
       - cd /var/tmp/artifacts/sgx/x86_64-fortanix-unknown-sgx/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime.sgxs
+      - buildkite-agent artifact upload simple-keymanager.sgxs
       - buildkite-agent artifact upload simple-keyvalue.sgxs
       - cd /var/tmp/artifacts/default/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime
+      - buildkite-agent artifact upload simple-keymanager
       - buildkite-agent artifact upload simple-keyvalue
     agents:
       buildkite_agent_size: large

.buildkite/scripts/download_e2e_test_artifacts.sh

@@ -19,9 +19,9 @@ download_artifact oasis-test-runner go/oasis-test-runner 755
 download_artifact oasis-remote-signer go/oasis-remote-signer 755
 download_artifact oasis-core-runtime-loader target/default/debug 755
 
-# Key manager runtime.
-download_artifact oasis-core-keymanager-runtime.sgxs target/sgx/x86_64-fortanix-unknown-sgx/debug 755
-download_artifact oasis-core-keymanager-runtime target/default/debug 755
+# Simple Key manager runtime.
+download_artifact simple-keymanager.sgxs target/sgx/x86_64-fortanix-unknown-sgx/debug 755
+download_artifact simple-keymanager target/default/debug 755
 
 # Test simple-keyvalue runtime and clients.
 download_artifact test-long-term-client target/default/debug 755

.changelog/2837.internal.md

@@ -0,0 +1,8 @@
+keyamanger-runtime: replace with test/simple-keymanager
+
+Common keymanager initalization code is extracted into the keymanager-lib
+crate. This enables for the actual key manager implementation to only
+provide a set of key manager policy signers.
+Aditionally the `keymanager-runtime` crate is removed and replaced with
+a test `simple-keymanager` runtime that is used in E2E tests.
+

Cargo.toml

@@ -6,11 +6,11 @@ members = [
     "keymanager-client",
     "keymanager-api-common",
     "keymanager-lib",
-    "keymanager-runtime",
     "tools",
 
     # Test runtimes.
     "tests/runtimes/simple-keyvalue",
+    "tests/runtimes/simple-keymanager",
     # Test clients.
     "tests/clients/simple-keyvalue",
     "tests/clients/simple-keyvalue-enc",

Makefile

@@ -3,8 +3,8 @@
 include common.mk
 
 # List of runtimes to build.
-RUNTIMES := keymanager-runtime \
-	tests/runtimes/simple-keyvalue
+RUNTIMES := tests/runtimes/simple-keyvalue \
+	tests/runtimes/simple-keymanager
 
 # Set all target as the default target.
 all: build

README.md

@@ -275,7 +275,7 @@ runtime, do:
   --net.node.binary go/oasis-node/oasis-node \
   --net.runtime.binary target/default/debug/simple-keyvalue \
   --net.runtime.loader target/default/debug/oasis-core-runtime-loader \
-  --net.keymanager.binary target/default/debug/oasis-core-keymanager-runtime
+  --net.keymanager.binary target/default/debug/simple-keymanager
 ```
 
 Wait for the network to start, there should be messages about nodes being
@@ -361,7 +361,7 @@ except the `oasis-net-runner` invocation:
   --net.node.binary go/oasis-node/oasis-node \
   --net.runtime.binary target/sgx/x86_64-fortanix-unknown-sgx/debug/simple-keyvalue.sgxs \
   --net.runtime.loader target/default/debug/oasis-core-runtime-loader \
-  --net.keymanager.binary target/sgx/x86_64-fortanix-unknown-sgx/debug/oasis-core-keymanager-runtime.sgxs
+  --net.keymanager.binary target/sgx/x86_64-fortanix-unknown-sgx/debug/simple-keymanager.sgxs
 ```
 <!-- markdownlint-enable line-length -->
 
@@ -408,8 +408,9 @@ For even more output, check the other `*.log` files.
 * `client`: Client library for talking with the runtimes.
 * `docker`: Docker environment definitions.
 * `go`: Oasis node.
+* `keymanager-api-common`: Common keymanager code shared between client and lib.
 * `keymanager-client`: Client crate for the key manager.
-* `keymanager-runtime`: (INSECURE) key manager implementation.
+* `keymanager-lib`: Keymanager library crate.
 * `runtime`: The runtime library that simplifies writing SGX and non-SGX
   runtimes.
 * `runtime-loader`: The SGX and non-SGX runtime loader process.

docker/deployment/Dockerfile

@@ -14,7 +14,5 @@ LABEL com.oasislabs.oasis-core-build-image-tag="${OASIS_CORE_BUILD_IMAGE_TAG}"
 
 COPY go/oasis-node/oasis-node /oasis/bin/oasis-node
 COPY target/release/oasis-core-runtime-loader /oasis/bin/
-COPY target/release/oasis-core-keymanager-runtime /oasis/lib/
-COPY target/x86_64-fortanix-unknown-sgx/release/oasis-core-keymanager-runtime.sgxs /oasis/lib/
 
 ENV PATH "/oasis/bin:${PATH}"

docker/deployment/build_context.sh

@@ -34,6 +34,4 @@ popd
 tar -czf "$dst" \
     go/oasis-node/oasis-node \
     target/release/oasis-core-runtime-loader \
-    target/release/oasis-core-keymanager-runtime \
-    target/x86_64-fortanix-unknown-sgx/release/oasis-core-keymanager-runtime.sgxs \
     docker/deployment/Dockerfile

go/oasis-net-runner/fixtures/default.go

@@ -138,7 +138,7 @@ func init() {
 	Flags.String(cfgRuntimeBinary, "simple-keyvalue", "path to the runtime binary")
 	Flags.String(cfgRuntimeGenesisState, "", "path to the runtime genesis state")
 	Flags.String(cfgRuntimeLoader, "oasis-core-runtime-loader", "path to the runtime loader")
-	Flags.String(cfgKeymanagerBinary, "oasis-core-keymanager-runtime", "path to the keymanager runtime")
+	Flags.String(cfgKeymanagerBinary, "simple-keymanager", "path to the keymanager runtime")
 	Flags.String(cfgTEEHardware, "", "TEE hardware to use")
 	Flags.Bool(cfgEpochtimeMock, false, "use mock epochtime")
 	Flags.Uint64(cfgHaltEpoch, math.MaxUint64, "halt epoch height")

go/oasis-test-runner/scenario/e2e/common.go

@@ -61,7 +61,7 @@ func resolveRuntimeBinary(runtimeBinary string) (string, error) {
 }
 
 func resolveDefaultKeyManagerBinary() (string, error) {
-	return resolveRuntimeBinary("oasis-core-keymanager-runtime")
+	return resolveRuntimeBinary("simple-keymanager")
 }
 
 func startClient(env *env.Env, net *oasis.Network, binary string, clientArgs []string) (*exec.Cmd, error) {

keymanager-api-common/Cargo.toml

@@ -5,8 +5,9 @@ authors = ["Oasis Labs Inc. <[email protected]>"]
 edition = "2018"
 
 [dependencies]
-base64 = "0.10.1"
 oasis-core-runtime = { path = "../runtime" }
+
+base64 = "0.10.1"
 serde = "1.0.71"
 serde_derive = "1.0"
 serde_bytes = "~0.10"

keymanager-api-common/src/api.rs

@@ -15,7 +15,7 @@ use oasis_core_runtime::{
         runtime::RuntimeId,
         sgx::avr::EnclaveIdentity,
     },
-    impl_bytes,
+    impl_bytes, runtime_api,
 };
 
 impl_bytes!(ContractId, 32, "A 256-bit contract identifier.");
@@ -248,3 +248,11 @@ impl Default for TrustedPolicySigners {
         }
     }
 }
+
+runtime_api! {
+    pub fn get_or_create_keys(RequestIds) -> ContractKey;
+
+    pub fn get_public_key(RequestIds) -> Option<SignedPublicKey>;
+
+    pub fn replicate_master_secret(ReplicateRequest) -> ReplicateResponse;
+}

keymanager-api-common/src/lib.rs

@@ -1,7 +1,10 @@
 //! Key manager API common types and functions.
 use failure::Fallible;
 use lazy_static::lazy_static;
-use oasis_core_runtime::common::{cbor, crypto::signature::PublicKey as OasisPublicKey};
+use oasis_core_runtime::common::{
+    cbor,
+    crypto::signature::{PrivateKey as OasisPrivateKey, PublicKey as OasisPublicKey},
+};
 use std::{
     collections::HashSet,
     sync::{Mutex, Once},
@@ -69,3 +72,28 @@ impl SignedPolicySGX {
         Ok(self.policy.clone())
     }
 }
+
+/// Returns the defult set of the trusted policy signers for key manager.
+pub fn default_trusted_policy_signers() -> TrustedPolicySigners {
+    TrustedPolicySigners {
+        signers: {
+            let mut set = HashSet::new();
+            if option_env!("OASIS_UNSAFE_KM_POLICY_KEYS").is_some() {
+                for seed in [
+                    "ekiden key manager test multisig key 0",
+                    "ekiden key manager test multisig key 1",
+                    "ekiden key manager test multisig key 2",
+                ]
+                .iter()
+                {
+                    let private_key = OasisPrivateKey::from_test_seed(seed.to_string());
+                    set.insert(private_key.public_key());
+                }
+            }
+
+            // TODO: Populate with the production keys as well.
+            set
+        },
+        threshold: 9001, // TODO: Set this to a real value.
+    }
+}

keymanager-client/Cargo.toml

@@ -7,7 +7,7 @@ edition = "2018"
 [dependencies]
 oasis-core-client = { path = "../client" }
 oasis-core-runtime = { path = "../runtime" }
-oasis-core-keymanager-api = { path = "../keymanager-runtime/api" }
+oasis-core-keymanager-api-common = { path = "../keymanager-api-common" }
 failure = "0.1.5"
 futures = "0.1.25"
 io-context = "0.2.0"

keymanager-client/src/client.rs

@@ -16,7 +16,7 @@ use std::iter::FromIterator;
 use oasis_core_runtime::{common::cbor, protocol::ProtocolError, types::Body};
 
 use oasis_core_client::{create_rpc_api_client, BoxFuture, RpcClient};
-use oasis_core_keymanager_api::*;
+use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::{
     common::{runtime::RuntimeId, sgx::avr::EnclaveIdentity},
     protocol::Protocol,
@@ -94,7 +94,7 @@ impl RemoteClient {
         keys_cache_sizes: usize,
     ) -> Self {
         #[cfg(target_env = "sgx")]
-        init_trusted_policy_signers();
+        set_trusted_policy_signers(default_trusted_policy_signers()); // TODO: configurable?
 
         #[cfg(target_env = "sgx")]
         let enclaves: Option<HashSet<EnclaveIdentity>> = match protocol

keymanager-client/src/lib.rs

@@ -7,7 +7,7 @@ use std::sync::Arc;
 
 use io_context::Context;
 use oasis_core_client::BoxFuture;
-use oasis_core_keymanager_api;
+use oasis_core_keymanager_api_common;
 
 /// Key manager client interface.
 pub trait KeyManagerClient: Send + Sync {
@@ -57,4 +57,4 @@ impl<T: ?Sized + KeyManagerClient> KeyManagerClient for Arc<T> {
 }
 
 // Re-exports.
-pub use self::{client::RemoteClient, oasis_core_keymanager_api::*};
+pub use self::{client::RemoteClient, oasis_core_keymanager_api_common::*};

keymanager-client/src/mock.rs

@@ -4,7 +4,7 @@ use std::{collections::HashMap, sync::Mutex};
 use futures::{future, Future};
 use io_context::Context;
 use oasis_core_client::BoxFuture;
-use oasis_core_keymanager_api::*;
+use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::common::crypto::signature::Signature;
 
 use super::KeyManagerClient;

keymanager-lib/Cargo.toml

@@ -8,6 +8,7 @@ edition = "2018"
 oasis-core-runtime = { path = "../runtime" }
 oasis-core-keymanager-api-common = { path = "../keymanager-api-common" }
 oasis-core-keymanager-client = { path = "../keymanager-client" }
+
 failure = "0.1.5"
 lazy_static = "1.3.0"
 lru = "0.1.17"