refactor: remove EDV support

Signed-off-by: Yevgen Pukhta <[email protected]>

Makefile

@@ -71,7 +71,6 @@ stress-test:
 	KMS_STRESS_KMS_URL=https://ops-oathkeeper-proxy.dev.trustbloc.dev \
 	KMS_STRESS_AUTH_KMS_URL=https://authz-oathkeeper-proxy.dev.trustbloc.dev \
 	KMS_STRESS_HUB_AUTH_URL=https://hub-auth.dev.trustbloc.dev \
-	KMS_STRESS_EDV_URL=https://edv.dev.trustbloc.dev \
 	[email protected] \
 	ACCESS_TOKEN=m_QNKTLWFgyFEGPf6dHHs3h3f0TOoJ2ZSlD912u_LKw.6xWwAF61vGM5EHxGuQG9nuwAwd_hNKqMMEe4W2V-V1Q \
 	SECRET_SHARE=dD78WKu9/51CRFVhmzlH7nUYbaZvC5Eb30WNC3rfPjLz \

README.md

@@ -162,18 +162,6 @@ If Shamir secret lock is used, every request that involves User's Key Store is e
 The following databases are supported for the Server DB: MongoDB, CouchDB, and in-memory. You specify a type of the
 database in the `KMS_DATABASE_TYPE` environment variable (`--database-type` flag).
 
-User's Key Store can also use EDV for storing working keys. EDV parameters can be set with `create key store` request:
-
-```json
-{
-  "controller": "did:example:controller",
-  "edv": {
-    "vault_url": "https://edv-host/encrypted-data-vaults/vault-id",
-    "capability": "eyJAY29udGV4dCI6Imh0dHBzOi8vdzNpZC5v..."
-  }
-}
-```
-
 ## Use Cases
 
 Refer [here](docs/use_cases.md) for in-depth description on how lock keys are used in example server's configurations.

cmd/kms-server/go.mod

@@ -81,7 +81,6 @@ require (
 	github.com/google/trillian v1.3.14-0.20210520152752-ceda464a95a3 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/hyperledger/aries-framework-go-ext/component/vdr/sidetree v1.0.0-rc2.0.20220729203359-da1de2fa21ce // indirect
-	github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85 // indirect
 	github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 	github.com/igor-pavlenko/httpsignatures-go v0.0.23 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect

cmd/kms-server/go.sum

@@ -688,8 +688,6 @@ github.com/hyperledger/aries-framework-go-ext/component/vdr/orb v1.0.0-rc2.0.202
 github.com/hyperledger/aries-framework-go-ext/component/vdr/orb v1.0.0-rc2.0.20220811162145-47649b185a56/go.mod h1:5ZDdDP1oCcjR8T7+uxOs0JF3PsY8h18pMfylqwjieII=
 github.com/hyperledger/aries-framework-go-ext/component/vdr/sidetree v1.0.0-rc2.0.20220729203359-da1de2fa21ce h1:COpeqKShWjBJ/hDnnjgQg0MCC1BuV4tMA2ksSKmchRc=
 github.com/hyperledger/aries-framework-go-ext/component/vdr/sidetree v1.0.0-rc2.0.20220729203359-da1de2fa21ce/go.mod h1:mmoE3SQsM0WYLweUmBCQJE2abf73iO4LxpP/e0NONYI=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85 h1:YWww6rlXZprOnBP3LD8RAzbkszmplnLvabtlBZtzLTA=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85/go.mod h1:JrwivOOQmuXbV1mFWgBGWnfCorOFdfGkpBsYK8dYrfM=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85 h1:P82lZe6zDjaP2j87nDYQBSBYrB6Nq6nc9MtyNMC3K4A=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220614152730-3d817acfa48b h1:wSUDDrB87VuaxOmyb0CmA3wB8vvgZ3p9Te4Dnsi6NXs=

cmd/kms-server/startcmd/start.go

@@ -242,8 +242,6 @@ func startServer(srv server, params *serverParameters) error { //nolint:funlen
 		BaseKeyStoreURL:         baseKeyStoreURL,
 		ShamirProvider:          shamirProvider,
 		MainKeyType:             kms.AES256GCMType,
-		EDVRecipientKeyType:     kms.NISTP256ECDHKW,
-		EDVMACKeyType:           kms.HMACSHA256Tag256,
 		KeyStoreCacheTTL:        params.keyStoreCacheTTL,
 		MetricsProvider:         metrics.Get(),
 	}

docs/use_cases.md

@@ -1,6 +1,6 @@
 # Use Cases
 
-**Scenario 1**: server's lock is based on AWS key, user's lock uses local key, no EDV
+**Scenario 1**: server's lock is based on AWS key, user's lock uses local key
 
 In this scenario, a key for the user's lock is created when the key store is created. That key is encrypted with an AWS
 key and stored in the server's DB. When a working key is created for the user, it is encrypted with that stored lock key.
@@ -32,45 +32,3 @@ Before using, user's lock key should be decrypted with an AWS key.
         Storage-->>KMS: {key ID}
         KMS-->>User: {key URL, public key bytes}
 ```
-
-**Scenario 2**: server's lock is based on local key, user's lock uses Shamir-based key, working keys are stored in EDV
-
-Key for the server's lock is stored in a local file and the path to it is specified in a startup flag or environment
-variable. When a key store is created, helper recipient and MAC keys for the EDV provider are created as well. They are
-encrypted with a key from the local file (server's lock) and saved to the server's DB. These keys are associated with
-a created key store to support EDV operations.
-
-User's lock key is created on a fly using HKDF algorithm that expands the combined secret (from shares using Shamir
-Secret Sharing) into a symmetric key. That key is used to encrypt/decrypt the user's working keys stored in EDV.
-
-```mermaid
-    sequenceDiagram
-        participant User
-        participant KMS
-        participant DB
-        participant EDV
-        participant Auth as Auth Server
-
-        User->>KMS: create keystore {controller, EDV vault URL and ZCAPs}
-        loop for EDV recipient key, EDV MAC key
-            KMS->>KMS: create key
-            KMS->>KMS: encrypt key with server's local (master) key
-            KMS->>DB: save encrypted key
-            DB-->>KMS: {key ID}
-        end
-        KMS-->>User: {keystore URL, root ZCAPs}
-
-        User->>KMS: create key {key type, secret share}
-        KMS->>KMS: create key
-        KMS->>Auth: get secret share
-        Auth-->>KMS: secret share
-        KMS->>KMS: create lock key on a fly from secret shares
-        KMS->>KMS: encrypt key with lock key
-        loop for EDV recipient key, EDV MAC key
-            KMS->>DB: get key
-            KMS->>KMS: decrypt key with server's local (master) key
-        end
-        KMS->>EDV: save encrypted key
-        EDV-->>KMS: {key ID}
-        KMS-->>User: {key URL, public key bytes}
-```

go.mod

@@ -12,7 +12,6 @@ require (
 	github.com/google/tink/go v1.6.1
 	github.com/gorilla/mux v1.8.0
 	github.com/hyperledger/aries-framework-go v0.1.9-0.20220822173318-77fbef728d02
-	github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85
 	github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85
 	github.com/hyperledger/aries-framework-go/spi v0.0.0-20220610133818-119077b0ec85
 	github.com/igor-pavlenko/httpsignatures-go v0.0.23
@@ -39,6 +38,7 @@ require (
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/go-cmp v0.5.6 // indirect
 	github.com/google/uuid v1.3.0 // indirect
+	github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1 // indirect
 	github.com/hyperledger/ursa-wrapper-go v0.3.1 // indirect
 	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect

go.sum

@@ -198,13 +198,12 @@ github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKe
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hyperledger/aries-framework-go v0.1.9-0.20220822173318-77fbef728d02 h1:phipjA38PzjN7/h6t+8Vv8XPlW5t+327GD0p9v8wx4Y=
 github.com/hyperledger/aries-framework-go v0.1.9-0.20220822173318-77fbef728d02/go.mod h1:28aD9QTgVjeAl86vHNFwkOYwQwZiTrrODMpjE2PYz3M=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85 h1:YWww6rlXZprOnBP3LD8RAzbkszmplnLvabtlBZtzLTA=
-github.com/hyperledger/aries-framework-go/component/storage/edv v0.0.0-20220610133818-119077b0ec85/go.mod h1:JrwivOOQmuXbV1mFWgBGWnfCorOFdfGkpBsYK8dYrfM=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85 h1:P82lZe6zDjaP2j87nDYQBSBYrB6Nq6nc9MtyNMC3K4A=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220610133818-119077b0ec85/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220610133818-119077b0ec85 h1:y+9tj2KusE4tT2iDKdB20GfRY4W7Ftvpp2kB/TEVrGs=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220610133818-119077b0ec85/go.mod h1:4bD5c5fj5K7rkQurVa/8I8+TfNcI4bxIBzaUNcxTOTg=
 github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1 h1:vxZ0DlFNLjgxMdBESLZu895AsI1JWL2SJerphwIn8Po=
+github.com/hyperledger/aries-framework-go/test/component v0.0.0-20220428211718-66cc046674a1/go.mod h1:lykx3N+GX+sAWSxO2Ycc4Dz+ynV9b0Fv4NdP+ms4Alc=
 github.com/hyperledger/ursa-wrapper-go v0.3.1 h1:Do+QrVNniY77YK2jTIcyWqj9rm/Yb5SScN0bqCjiibA=
 github.com/hyperledger/ursa-wrapper-go v0.3.1/go.mod h1:nPSAuMasIzSVciQo22PedBk4Opph6bJ6ia3ms7BH/mk=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=

pkg/controller/command/actions.go

@@ -32,7 +32,6 @@ const (
 	ActionBlind            = "blind"
 	ActionCorrectnessProof = "correctnessProof"
 	ActionSignWithSecrets  = "signWithSecrets"
-	ActionStoreCapability  = "updateEDVCapability"
 )
 
 func allActions() []string {
@@ -59,6 +58,5 @@ func allActions() []string {
 		ActionBlind,
 		ActionCorrectnessProof,
 		ActionSignWithSecrets,
-		ActionStoreCapability,
 	}
 }

pkg/controller/command/command.go

@@ -21,9 +21,7 @@ import (
 	"time"
 
 	"github.com/google/tink/go/keyset"
-	"github.com/hyperledger/aries-framework-go/component/storage/edv"
 	"github.com/hyperledger/aries-framework-go/pkg/crypto"
-	"github.com/hyperledger/aries-framework-go/pkg/doc/jose"
 	"github.com/hyperledger/aries-framework-go/pkg/kms"
 	"github.com/hyperledger/aries-framework-go/pkg/secretlock"
 	"github.com/hyperledger/aries-framework-go/spi/storage"
@@ -32,7 +30,6 @@ import (
 
 	"github.com/trustbloc/kms/pkg/controller/errors"
 	"github.com/trustbloc/kms/pkg/secretlock/key"
-	"github.com/trustbloc/kms/pkg/storage/metrics"
 )
 
 type zcapService interface {
@@ -99,8 +96,6 @@ type Config struct {
 	BaseKeyStoreURL         string
 	ShamirProvider          shamirProvider
 	MainKeyType             kms.KeyType
-	EDVRecipientKeyType     kms.KeyType
-	EDVMACKeyType           kms.KeyType
 	MetricsProvider         metricsProvider
 	CacheProvider           cacheProvider
 	KeyStoreCacheTTL        time.Duration
@@ -124,8 +119,6 @@ type Command struct {
 	baseKeyStoreURL     string
 	shamirProvider      shamirProvider
 	mainKeyType         kms.KeyType
-	edvRecipientKeyType kms.KeyType
-	edvMACKeyType       kms.KeyType
 	cacheProvider       cacheProvider
 	keyStoreCacheTTL    time.Duration
 	metrics             metricsProvider
@@ -155,8 +148,6 @@ func New(c *Config) (*Command, error) {
 		baseKeyStoreURL:     c.BaseKeyStoreURL,
 		shamirProvider:      c.ShamirProvider,
 		mainKeyType:         c.MainKeyType,
-		edvRecipientKeyType: c.EDVRecipientKeyType,
-		edvMACKeyType:       c.EDVMACKeyType,
 		cacheProvider:       c.CacheProvider,
 		keyStoreCacheTTL:    c.KeyStoreCacheTTL,
 		metrics:             c.MetricsProvider,
@@ -774,7 +765,7 @@ func (c *Command) resolveKeyStore(keyStoreID, user string, secretShare []byte) (
 		return nil, fmt.Errorf("unmarshal key store meta: %w", err)
 	}
 
-	storageProvider, err := c.getStorageProvider(&meta)
+	storageProvider, err := c.getStorageProvider()
 	if err != nil {
 		return nil, err
 	}
@@ -812,84 +803,12 @@ func (c *Command) resolveKeyStore(keyStoreID, user string, secretShare []byte) (
 	})
 }
 
-func (c *Command) getStorageProvider(meta *keyStoreMeta) (storage.Provider, error) {
-	var storageProvider storage.Provider
-
-	if meta.EDV.VaultURL != "" {
-		var err error
-
-		storageProvider, err = c.resolveEDVProvider(meta.EDV.VaultURL, meta.EDV.RecipientKeyID, meta.EDV.MACKeyID,
-			meta.EDV.Capability)
-		if err != nil {
-			return nil, fmt.Errorf("resolve edv provider: %w", err)
-		}
-
-		storageProvider = metrics.Wrap(storageProvider, "EDV")
-	} else {
-		storageProvider = c.keyStorageProvider
-	}
+func (c *Command) getStorageProvider() (storage.Provider, error) {
+	storageProvider := c.keyStorageProvider
 
 	if c.cacheProvider != nil && c.keyStoreCacheTTL > 0 {
 		storageProvider = c.cacheProvider.Wrap(storageProvider, c.keyStoreCacheTTL)
 	}
 
 	return storageProvider, nil
 }
-
-func (c *Command) resolveEDVProvider(vaultURL, recKeyID, macKeyID string, capability []byte) (storage.Provider, error) {
-	recPubBytes, _, err := c.kms.ExportPubKeyBytes(recKeyID)
-	if err != nil {
-		return nil, fmt.Errorf("get edv recipient key: %w", err)
-	}
-
-	recPub := new(crypto.PublicKey)
-	recPub.KID = recKeyID
-
-	if err = json.Unmarshal(recPubBytes, recPub); err != nil {
-		return nil, fmt.Errorf("unmarshal recipient key bytes to public key: %w", err)
-	}
-
-	macKH, err := c.kms.Get(macKeyID)
-	if err != nil {
-		return nil, fmt.Errorf("get edv mac key handle: %w", err)
-	}
-
-	edvProvider, err := c.createEDVStorageProvider(vaultURL, recPub, macKH, capability)
-	if err != nil {
-		return nil, fmt.Errorf("create edv provider: %w", err)
-	}
-
-	return edvProvider, nil
-}
-
-func (c *Command) createEDVStorageProvider(vaultURL string, recipientPubKey *crypto.PublicKey,
-	macKeyHandle interface{}, capability []byte) (storage.Provider, error) {
-	jweEncrypt, err := jose.NewJWEEncrypt(encAlg, encType, "", "", nil, []*crypto.PublicKey{recipientPubKey}, c.crypto)
-	if err != nil {
-		return nil, fmt.Errorf("create jwe encrypt: %w", err)
-	}
-
-	jweDecrypt := jose.NewJWEDecrypt(nil, c.crypto, c.kms)
-
-	encryptedFormatter := edv.NewEncryptedFormatter(
-		jweEncrypt,
-		jweDecrypt,
-		edv.NewMACCrypto(macKeyHandle, c.crypto),
-		edv.WithDeterministicDocumentIDs(),
-	)
-
-	s := strings.Split(vaultURL, "/")
-
-	edvServerURL := strings.Join(s[:len(s)-1], "/")
-	vaultID := s[len(s)-1]
-
-	return edv.NewRESTProvider(
-		edvServerURL,
-		vaultID,
-		encryptedFormatter,
-		edv.WithTLSConfig(c.tlsConfig),
-		edv.WithHeaders(func(req *http.Request) (*http.Header, error) {
-			return c.headerSigner.SignHeader(req, capability)
-		}),
-	), nil
-}