opentdf · dmihalcik-virtru · Dec 30, 2024 · Jan 7, 2025 · Jan 9, 2025 · Jan 9, 2025
@@ -19,7 +19,7 @@ toolcheck:
 	@which buf > /dev/null || (echo "buf not found, please install it from https://docs.buf.build/installation" && exit 1)
 	@which golangci-lint > /dev/null || (echo "golangci-lint not found, run  'go install github.com/golangci/golangci-lint/cmd/[email protected]'" && exit 1)
 	@which protoc-gen-doc > /dev/null || (echo "protoc-gen-doc not found, run 'go install github.com/pseudomuto/protoc-gen-doc/cmd/[email protected]'" && exit 1)
-	@golangci-lint --version | grep "version v\?1.6[123]" > /dev/null || (echo "golangci-lint version must be v1.61 or later [$$(golangci-lint --version)]" && exit 1)
+	@golangci-lint --version | grep "version v\?1.6[1234]" > /dev/null || (echo "golangci-lint version must be v1.61 or later [$$(golangci-lint --version)]" && exit 1)
 	@which goimports >/dev/null || (echo "goimports not found, run 'go install golang.org/x/tools/cmd/goimports@latest'")
 
 fix: tidy fmt

@@ -202,6 +202,15 @@ func runBenchmark(cmd *cobra.Command, args []string) error {
 		successCount++
 		totalDuration += result
 	}
+	if successCount == 0 {
+		if errorCount > 0 {
+			cmd.Printf("\nError Summary:\n")
+			for errMsg, count := range errorMsgs {
+				cmd.Printf("%s: %d occurrences\n", errMsg, count)
+			}
+		}
+		return fmt.Errorf("no successful requests")
+	}
 
 	totalTime := time.Since(startTime)
 	averageLatency := totalDuration / time.Duration(successCount)

@@ -36,7 +36,7 @@ func init() {
 	encryptCmd.Flags().BoolVar(&nanoFormat, "nano", false, "Output in nanoTDF format")
 	encryptCmd.Flags().BoolVar(&autoconfigure, "autoconfigure", true, "Use attribute grants to select kases")
 	encryptCmd.Flags().BoolVar(&noKIDInKAO, "no-kid-in-kao", false, "[deprecated] Disable storing key identifiers in TDF KAOs")
-	encryptCmd.Flags().BoolVar(&noKIDInNano, "no-kid-in-nano", true, "Disable storing key identifiers in nanoTDF KAS ResourceLocator")
+	encryptCmd.Flags().BoolVar(&noKIDInNano, "no-kid-in-nano", false, "Disable storing key identifiers in nanoTDF KAS ResourceLocator")
 	encryptCmd.Flags().StringVarP(&outputName, "output", "o", "sensitive.txt.tdf", "name or path of output file; - for stdout")
 	encryptCmd.Flags().IntVarP(&collection, "collection", "c", 0, "number of nano's to create for collection. If collection >0 (default) then output will be <iteration>_<output>")
 
@@ -51,19 +51,6 @@ func encrypt(cmd *cobra.Command, args []string) error {
 	plainText := args[0]
 	in := strings.NewReader(plainText)
 
-	opts := []sdk.Option{
-		sdk.WithInsecurePlaintextConn(),
-		sdk.WithClientCredentials("opentdf-sdk", "secret", nil),
-	}
-
-	if noKIDInKAO {
-		opts = append(opts, sdk.WithNoKIDInKAO())
-	}
-	// double negative always gets me
-	if !noKIDInNano {
-		opts = append(opts, sdk.WithNoKIDInNano())
-	}
-
 	// Create new offline client
 	client, err := newSDK()
 	if err != nil {

@@ -48,7 +48,16 @@ func newSDK() (*sdk.SDK, error) {
 	if storeCollectionHeaders {
 		opts = append(opts, sdk.WithStoreCollectionHeaders())
 	}
-	if clientCredentials != "" {
+
+	if noKIDInKAO {
+		opts = append(opts, sdk.WithNoKIDInKAO())
+	}
+	if noKIDInNano {
+		opts = append(opts, sdk.WithNoKIDInNano())
+	}
+	if clientCredentials == "" {
+		opts = append(opts, sdk.WithClientCredentials("opentdf-sdk", "secret", nil))
+	} else {
 		i := strings.Index(clientCredentials, ":")
 		if i < 0 {
 			return nil, fmt.Errorf("invalid client id/secret pair")

@@ -18,7 +18,7 @@ type AsymDecryption struct {
 func NewAsymDecryption(privateKeyInPem string) (AsymDecryption, error) {
 	block, _ := pem.Decode([]byte(privateKeyInPem))
 	if block == nil {
-		return AsymDecryption{}, errors.New("failed to parse PEM formatted private key")
+		return AsymDecryption{}, errors.New("failed to parse PEM formatted RSA private key (decode failed)")
 	}
 
 	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)

@@ -19,7 +19,7 @@ type AsymEncryption struct {
 func NewAsymEncryption(publicKeyInPem string) (AsymEncryption, error) {
 	block, _ := pem.Decode([]byte(publicKeyInPem))
 	if block == nil {
-		return AsymEncryption{}, errors.New("failed to parse PEM formatted public key")
+		return AsymEncryption{}, errors.New("failed to parse PEM formatted public key (decode fail)")
 	}
 
 	var pub any
@@ -31,7 +31,7 @@ func NewAsymEncryption(publicKeyInPem string) (AsymEncryption, error) {
 
 		var ok bool
 		if pub, ok = cert.PublicKey.(*rsa.PublicKey); !ok {
-			return AsymEncryption{}, errors.New("failed to parse PEM formatted public key")
+			return AsymEncryption{}, errors.New("failed to parse PEM formatted public key (incorrect type)")
 		}
 	} else {
 		var err error

@@ -45,7 +45,7 @@ func GetECCurveFromECCMode(mode ECCMode) (elliptic.Curve, error) {
 		// TODO FIXME - unsupported?
 		return nil, errors.New("unsupported nanoTDF ecc mode")
 	default:
-		return nil, fmt.Errorf("unsupported nanoTDF ecc mode %d", mode)
+		return nil, fmt.Errorf("unsupported nanoTDF ecc mode [%d]", mode)
 	}
 
 	return c, nil
@@ -211,7 +211,7 @@ func VerifyECDSASig(digest, r, s []byte, pubKey *ecdsa.PublicKey) bool {
 func ECPubKeyFromPem(pemECPubKey []byte) (*ecdh.PublicKey, error) {
 	block, _ := pem.Decode(pemECPubKey)
 	if block == nil {
-		return nil, fmt.Errorf("failed to parse PEM formatted public key")
+		return nil, fmt.Errorf("failed to parse PEM formatted public key (decode fail)")
 	}
 
 	var pub any
@@ -223,7 +223,7 @@ func ECPubKeyFromPem(pemECPubKey []byte) (*ecdh.PublicKey, error) {
 
 		var ok bool
 		if pub, ok = cert.PublicKey.(*ecdsa.PublicKey); !ok {
-			return nil, fmt.Errorf("failed to parse PEM formatted public key")
+			return nil, fmt.Errorf("failed to parse PEM formatted public key (incorrect cert type)")
 		}
 	} else {
 		var err error
@@ -247,7 +247,7 @@ func ECPubKeyFromPem(pemECPubKey []byte) (*ecdh.PublicKey, error) {
 func ECPrivateKeyFromPem(privateECKeyInPem []byte) (*ecdh.PrivateKey, error) {
 	block, _ := pem.Decode(privateECKeyInPem)
 	if block == nil {
-		return nil, fmt.Errorf("failed to parse PEM formatted private key")
+		return nil, fmt.Errorf("failed to parse PEM formatted EC private key (decode failed)")
 	}
 
 	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
@@ -322,7 +322,7 @@ func UncompressECPubKey(curve elliptic.Curve, compressedPubKey []byte) (*ecdsa.P
 	}
 	// Creating ecdsa.PublicKey from *big.Int
 	ephemeralECDSAPublicKey := &ecdsa.PublicKey{
-		Curve: elliptic.P256(),
+		Curve: curve,
 		X:     x,
 		Y:     y,
 	}

@@ -13,14 +13,14 @@ services:
     keyring:
       - kid: e1
         alg: ec:secp256r1
-      - kid: e1
-        alg: ec:secp256r1
-        legacy: true
-      - kid: r1
-        alg: rsa:2048
+        cert: kas-ec-cert.pem
+        private: kas-ec-private.pem
+        active: true
       - kid: r1
         alg: rsa:2048
-        legacy: true
+        cert: kas-cert.pem
+        private: kas-private.pem
+        active: true
   entityresolution:
     log_level: info
     url: http://localhost:8888/auth
@@ -105,16 +105,4 @@ server:
     maxage: 3600
   grpc:
     reflectionEnabled: true # Default is false
-  cryptoProvider:
-    type: standard
-    standard:
-      keys:
-        - kid: r1
-          alg: rsa:2048
-          private: kas-private.pem
-          cert: kas-cert.pem
-        - kid: e1
-          alg: ec:secp256r1
-          private: kas-ec-private.pem
-          cert: kas-ec-cert.pem
   port: 8080
@@ -16,13 +16,15 @@ services:
     keyring:
       - kid: e1
         alg: ec:secp256r1
-      - kid: e1
-        alg: ec:secp256r1
+        private: kas-ec-private.pem
+        cert: kas-ec-cert.pem
+        active: true
         legacy: true
       - kid: r1
         alg: rsa:2048
-      - kid: r1
-        alg: rsa:2048
+        private: kas-private.pem
+        cert: kas-cert.pem
+        active: true
         legacy: true
 server:
   tls:
@@ -95,16 +97,4 @@ server:
     maxage: 3600
   grpc:
     reflectionEnabled: true # Default is false
-  cryptoProvider:
-    type: standard
-    standard:
-      keys:
-        - kid: r1
-          alg: rsa:2048
-          private: kas-private.pem
-          cert: kas-cert.pem
-        - kid: e1
-          alg: ec:secp256r1
-          private: kas-ec-private.pem
-          cert: kas-ec-cert.pem
   port: 8181
@@ -361,16 +361,16 @@ func (s SDK) getPublicKey(ctx context.Context, url, algorithm string) (*KASInfo,
 	}
 
 	kid := resp.GetKid()
-	if s.config.tdfFeatures.noKID {
-		kid = ""
-	}
 
 	ki := KASInfo{
 		URL:       url,
 		Algorithm: algorithm,
 		KID:       kid,
 		PublicKey: resp.GetPublicKey(),
 	}
+	if s.config.tdfFeatures.noKID {
+		ki.KID = ""
+	}
 	if s.kasKeyCache != nil {
 		s.kasKeyCache.store(ki)
 	}

@@ -453,6 +453,9 @@ func (s SDK) prepareManifest(ctx context.Context, t *TDFObject, tdfConfig TDFCon
 				SplitID:           splitID,
 				WrappedKey:        string(ocrypto.Base64Encode(wrappedKey)),
 			}
+			if s.config.tdfFeatures.noKID {
+				keyAccess.KID = ""
+			}
 
 			manifest.EncryptionInformation.KeyAccessObjs = append(manifest.EncryptionInformation.KeyAccessObjs, keyAccess)
 		}