keymanger-runtime: replace with test/simple-keymanager

Common keymanager initalization code is extracted into the `keymanager-lib`
crate. This enables for the actual key manager implementation to only
provide a set of key manager policy signers.

Aditionally the `keymanager-runtime` crate is removed and replaced with
a test `simple-keymanager` runtime that is used in E2E tests.

.buildkite/code.pipeline.yml

@@ -140,15 +140,15 @@ steps:
   # .buildkite/rust/test_runtime_and_gateway.sh and .buildkite/scripts/download_utils.sh.
   - label: Build key manager runtime
     command:
-      - .buildkite/rust/build_runtime.sh keymanager-runtime
+      - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keymanager
       - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keyvalue
 
       # Upload the built artifacts.
       - cd /var/tmp/artifacts/sgx/x86_64-fortanix-unknown-sgx/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime.sgxs
+      - buildkite-agent artifact upload simple-keymanager.sgxs
       - buildkite-agent artifact upload simple-keyvalue.sgxs
       - cd /var/tmp/artifacts/default/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime
+      - buildkite-agent artifact upload simple-keymanager
       - buildkite-agent artifact upload simple-keyvalue
     agents:
       buildkite_agent_size: large

.buildkite/longtests.pipeline.yml

@@ -79,15 +79,15 @@ steps:
 
   - label: Build key manager runtime
     command:
-      - .buildkite/rust/build_runtime.sh keymanager-runtime
+      - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keymanager
       - .buildkite/rust/build_runtime.sh tests/runtimes/simple-keyvalue
 
       # Upload the built artifacts.
       - cd /var/tmp/artifacts/sgx/x86_64-fortanix-unknown-sgx/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime.sgxs
+      - buildkite-agent artifact upload simple-keymanager.sgxs
       - buildkite-agent artifact upload simple-keyvalue.sgxs
       - cd /var/tmp/artifacts/default/debug
-      - buildkite-agent artifact upload oasis-core-keymanager-runtime
+      - buildkite-agent artifact upload simple-keymanager
       - buildkite-agent artifact upload simple-keyvalue
     agents:
       buildkite_agent_size: large

.buildkite/scripts/download_e2e_test_artifacts.sh

@@ -20,9 +20,9 @@ download_artifact oasis-test-runner.test go/oasis-test-runner 755
 download_artifact oasis-remote-signer go/oasis-remote-signer 755
 download_artifact oasis-core-runtime-loader target/default/debug 755
 
-# Key manager runtime.
-download_artifact oasis-core-keymanager-runtime.sgxs target/sgx/x86_64-fortanix-unknown-sgx/debug 755
-download_artifact oasis-core-keymanager-runtime target/default/debug 755
+# Simple Key manager runtime.
+download_artifact simple-keymanager.sgxs target/sgx/x86_64-fortanix-unknown-sgx/debug 755
+download_artifact simple-keymanager target/default/debug 755
 
 # Test simple-keyvalue runtime and clients.
 download_artifact test-long-term-client target/default/debug 755

.changelog/2837.internal.md

@@ -0,0 +1,7 @@
+keymanger-runtime: replace with test/simple-keymanager
+
+Common keymanager initalization code is extracted into the keymanager-lib
+crate. This enables for the actual key manager implementation to only
+provide a set of key manager policy signers.
+Aditionally the `keymanager-runtime` crate is removed and replaced with
+a test `simple-keymanager` runtime that is used in E2E tests.

Cargo.toml

@@ -6,11 +6,11 @@ members = [
     "keymanager-client",
     "keymanager-api-common",
     "keymanager-lib",
-    "keymanager-runtime",
     "tools",
 
     # Test runtimes.
     "tests/runtimes/simple-keyvalue",
+    "tests/runtimes/simple-keymanager",
     # Test clients.
     "tests/clients/simple-keyvalue",
     "tests/clients/simple-keyvalue-enc",

Makefile

@@ -3,8 +3,8 @@
 include common.mk
 
 # List of runtimes to build.
-RUNTIMES := keymanager-runtime \
-	tests/runtimes/simple-keyvalue
+RUNTIMES := tests/runtimes/simple-keyvalue \
+	tests/runtimes/simple-keymanager
 
 # Set all target as the default target.
 all: build

README.md

@@ -275,7 +275,7 @@ runtime, do:
   --net.node.binary go/oasis-node/oasis-node \
   --net.runtime.binary target/default/debug/simple-keyvalue \
   --net.runtime.loader target/default/debug/oasis-core-runtime-loader \
-  --net.keymanager.binary target/default/debug/oasis-core-keymanager-runtime
+  --net.keymanager.binary target/default/debug/simple-keymanager
 ```
 
 Wait for the network to start, there should be messages about nodes being
@@ -361,7 +361,7 @@ except the `oasis-net-runner` invocation:
   --net.node.binary go/oasis-node/oasis-node \
   --net.runtime.binary target/sgx/x86_64-fortanix-unknown-sgx/debug/simple-keyvalue.sgxs \
   --net.runtime.loader target/default/debug/oasis-core-runtime-loader \
-  --net.keymanager.binary target/sgx/x86_64-fortanix-unknown-sgx/debug/oasis-core-keymanager-runtime.sgxs
+  --net.keymanager.binary target/sgx/x86_64-fortanix-unknown-sgx/debug/simple-keymanager.sgxs
 ```
 <!-- markdownlint-enable line-length -->
 
@@ -408,8 +408,9 @@ For even more output, check the other `*.log` files.
 * `client`: Client library for talking with the runtimes.
 * `docker`: Docker environment definitions.
 * `go`: Oasis node.
+* `keymanager-api-common`: Common keymanager code shared between client and lib.
 * `keymanager-client`: Client crate for the key manager.
-* `keymanager-runtime`: (INSECURE) key manager implementation.
+* `keymanager-lib`: Keymanager library crate.
 * `runtime`: The runtime library that simplifies writing SGX and non-SGX
   runtimes.
 * `runtime-loader`: The SGX and non-SGX runtime loader process.

docker/deployment/Dockerfile

@@ -14,7 +14,5 @@ LABEL com.oasislabs.oasis-core-build-image-tag="${OASIS_CORE_BUILD_IMAGE_TAG}"
 
 COPY go/oasis-node/oasis-node /oasis/bin/oasis-node
 COPY target/release/oasis-core-runtime-loader /oasis/bin/
-COPY target/release/oasis-core-keymanager-runtime /oasis/lib/
-COPY target/x86_64-fortanix-unknown-sgx/release/oasis-core-keymanager-runtime.sgxs /oasis/lib/
 
 ENV PATH "/oasis/bin:${PATH}"

docker/deployment/build_context.sh

@@ -34,6 +34,4 @@ popd
 tar -czf "$dst" \
     go/oasis-node/oasis-node \
     target/release/oasis-core-runtime-loader \
-    target/release/oasis-core-keymanager-runtime \
-    target/x86_64-fortanix-unknown-sgx/release/oasis-core-keymanager-runtime.sgxs \
     docker/deployment/Dockerfile

go/oasis-net-runner/fixtures/default.go

@@ -138,7 +138,7 @@ func init() {
 	Flags.String(cfgRuntimeBinary, "simple-keyvalue", "path to the runtime binary")
 	Flags.String(cfgRuntimeGenesisState, "", "path to the runtime genesis state")
 	Flags.String(cfgRuntimeLoader, "oasis-core-runtime-loader", "path to the runtime loader")
-	Flags.String(cfgKeymanagerBinary, "oasis-core-keymanager-runtime", "path to the keymanager runtime")
+	Flags.String(cfgKeymanagerBinary, "simple-keymanager", "path to the keymanager runtime")
 	Flags.String(cfgTEEHardware, "", "TEE hardware to use")
 	Flags.Bool(cfgEpochtimeMock, false, "use mock epochtime")
 	Flags.Uint64(cfgHaltEpoch, math.MaxUint64, "halt epoch height")

go/oasis-test-runner/scenario/e2e/common.go

@@ -61,7 +61,7 @@ func resolveRuntimeBinary(runtimeBinary string) (string, error) {
 }
 
 func resolveDefaultKeyManagerBinary() (string, error) {
-	return resolveRuntimeBinary("oasis-core-keymanager-runtime")
+	return resolveRuntimeBinary("simple-keymanager")
 }
 
 func startClient(env *env.Env, net *oasis.Network, binary string, clientArgs []string) (*exec.Cmd, error) {

keymanager-api-common/Cargo.toml

@@ -5,8 +5,9 @@ authors = ["Oasis Labs Inc. <[email protected]>"]
 edition = "2018"
 
 [dependencies]
-base64 = "0.10.1"
 oasis-core-runtime = { path = "../runtime" }
+
+base64 = "0.10.1"
 serde = "1.0.71"
 serde_derive = "1.0"
 serde_bytes = "~0.10"

keymanager-api-common/src/api.rs

@@ -15,7 +15,7 @@ use oasis_core_runtime::{
         runtime::RuntimeId,
         sgx::avr::EnclaveIdentity,
     },
-    impl_bytes,
+    impl_bytes, runtime_api,
 };
 
 impl_bytes!(ContractId, 32, "A 256-bit contract identifier.");
@@ -248,3 +248,11 @@ impl Default for TrustedPolicySigners {
         }
     }
 }
+
+runtime_api! {
+    pub fn get_or_create_keys(RequestIds) -> ContractKey;
+
+    pub fn get_public_key(RequestIds) -> Option<SignedPublicKey>;
+
+    pub fn replicate_master_secret(ReplicateRequest) -> ReplicateResponse;
+}

keymanager-client/Cargo.toml

@@ -7,7 +7,7 @@ edition = "2018"
 [dependencies]
 oasis-core-client = { path = "../client" }
 oasis-core-runtime = { path = "../runtime" }
-oasis-core-keymanager-api = { path = "../keymanager-runtime/api" }
+oasis-core-keymanager-api-common = { path = "../keymanager-api-common" }
 failure = "0.1.5"
 futures = "0.1.25"
 io-context = "0.2.0"

keymanager-client/src/client.rs

@@ -16,7 +16,7 @@ use std::iter::FromIterator;
 use oasis_core_runtime::{common::cbor, protocol::ProtocolError, types::Body};
 
 use oasis_core_client::{create_rpc_api_client, BoxFuture, RpcClient};
-use oasis_core_keymanager_api::*;
+use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::{
     common::{runtime::RuntimeId, sgx::avr::EnclaveIdentity},
     protocol::Protocol,
@@ -92,9 +92,10 @@ impl RemoteClient {
         protocol: Arc<Protocol>,
         rak: Arc<RAK>,
         keys_cache_sizes: usize,
+        signers: TrustedPolicySigners,
     ) -> Self {
         #[cfg(target_env = "sgx")]
-        init_trusted_policy_signers();
+        set_trusted_policy_signers(signers);
 
         #[cfg(target_env = "sgx")]
         let enclaves: Option<HashSet<EnclaveIdentity>> = match protocol

keymanager-client/src/lib.rs

@@ -7,7 +7,7 @@ use std::sync::Arc;
 
 use io_context::Context;
 use oasis_core_client::BoxFuture;
-use oasis_core_keymanager_api;
+use oasis_core_keymanager_api_common;
 
 /// Key manager client interface.
 pub trait KeyManagerClient: Send + Sync {
@@ -57,4 +57,4 @@ impl<T: ?Sized + KeyManagerClient> KeyManagerClient for Arc<T> {
 }
 
 // Re-exports.
-pub use self::{client::RemoteClient, oasis_core_keymanager_api::*};
+pub use self::{client::RemoteClient, oasis_core_keymanager_api_common::*};

keymanager-client/src/mock.rs

@@ -4,7 +4,7 @@ use std::{collections::HashMap, sync::Mutex};
 use futures::{future, Future};
 use io_context::Context;
 use oasis_core_client::BoxFuture;
-use oasis_core_keymanager_api::*;
+use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::common::crypto::signature::Signature;
 
 use super::KeyManagerClient;

keymanager-lib/Cargo.toml

@@ -8,6 +8,7 @@ edition = "2018"
 oasis-core-runtime = { path = "../runtime" }
 oasis-core-keymanager-api-common = { path = "../keymanager-api-common" }
 oasis-core-keymanager-client = { path = "../keymanager-client" }
+
 failure = "0.1.5"
 lazy_static = "1.3.0"
 lru = "0.1.17"

keymanager-runtime/src/main.rs → keymanager-lib/src/keymanager.rs

@@ -1,38 +1,37 @@
 use std::sync::Arc;
 
-mod methods;
-
 use failure::Fallible;
 
-use oasis_core_keymanager_api::*;
+use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::{
-    common::version::Version,
+    dispatcher::Initializer,
     rak::RAK,
     register_runtime_rpc_methods,
     rpc::{
         dispatcher::{Method as RpcMethod, MethodDescriptor as RpcMethodDescriptor},
         Context as RpcContext,
     },
-    version_from_cargo, Protocol, RpcDemux, RpcDispatcher, TxnDispatcher,
+    Protocol, RpcDemux, RpcDispatcher, TxnDispatcher,
 };
 
-use oasis_core_keymanager_lib::{context, kdf::Kdf, policy::Policy};
+use crate::{context, kdf::Kdf, policy::Policy};
 
 /// Initialize the Kdf.
 fn init_kdf(req: &InitRequest, ctx: &mut RpcContext) -> Fallible<SignedInitResponse> {
     let policy_checksum = Policy::global().init(ctx, &req.policy)?;
     Kdf::global().init(&req, ctx, policy_checksum)
 }
 
-fn main() {
+/// Initialize a keymanager with trusted policy signers.
+pub fn new_keymanager(signers: TrustedPolicySigners) -> Box<dyn Initializer> {
     // Initializer.
-    let init = |protocol: &Arc<Protocol>,
-                _rak: &Arc<RAK>,
-                _rpc_demux: &mut RpcDemux,
-                rpc: &mut RpcDispatcher|
-     -> Option<Box<dyn TxnDispatcher>> {
+    let init = move |protocol: &Arc<Protocol>,
+                     _rak: &Arc<RAK>,
+                     _rpc_demux: &mut RpcDemux,
+                     rpc: &mut RpcDispatcher|
+          -> Option<Box<dyn TxnDispatcher>> {
         // Initialize the set of trusted policy signers.
-        init_trusted_policy_signers();
+        set_trusted_policy_signers(signers.clone());
 
         // Register RPC methods exposed via EnclaveRPC to remote clients.
         {
@@ -65,6 +64,5 @@ fn main() {
         None
     };
 
-    // Start the runtime.
-    oasis_core_runtime::start_runtime(Box::new(init), version_from_cargo!());
+    Box::new(init)
 }

keymanager-lib/src/lib.rs

@@ -1,3 +1,5 @@
 pub mod context;
 pub mod kdf;
+pub mod keymanager;
+mod methods;
 pub mod policy;

keymanager-runtime/src/methods.rs → keymanager-lib/src/methods.rs

@@ -1,9 +1,9 @@
 //! Methods exported to remote clients via EnclaveRPC.
 use failure::Fallible;
-use oasis_core_keymanager_api::*;
+use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::rpc::Context as RpcContext;
 
-use oasis_core_keymanager_lib::{kdf::Kdf, policy::Policy};
+use crate::{kdf::Kdf, policy::Policy};
 
 /// See `Kdf::get_or_create_keys`.
 pub fn get_or_create_keys(req: &RequestIds, ctx: &mut RpcContext) -> Fallible<ContractKey> {