trustbloc / webkms

Key Management System. An implementation of WebKMS in Golang - https://w3c-ccg.github.io/webkms/

License: Apache License 2.0

Languages: Go 94.73%, Gherkin 2.50%, Shell 1.46%, Makefile 1.04%, Dockerfile 0.28%

webkms's People

Contributors

aholovko, baha-ai, dependabot[bot], drk3, fqutishat, kgoncharov, rajeshkalaria80, rolsonquadras, skynet2, soluchok, sudeshrshetty, troyronda, vkubiv, ypukhta


webkms's Issues

Basic end-to-end scenario for kms/crypto operations

Goal: demonstrate creation of a user's vault for keys (keystore), with the ability to generate a keypair and perform Sign/Verify operations with it via the REST API.

Keystores should NOT be shared, and every keystore should have its own secretlock. Start with a single masterkey stored solely on Key Server and protected by passphrase, add an option to use Shamir Secret Sharing algorithm later.

Tasks:

  • Implement Create Keystore API #5
  • Link keystore to a user #8
  • Implement API for creating key on a server for a given user #9
  • Implement support for masterkey lock (#17)
  • Implement API for Sign operation #10
  • Implement API for Verify operation #18

OAuth2 authorization layer

Goal: add support for OAuth 2.0 authorization scheme (access token).

Other authZ schemes, like DID Auth or ZCAPs, can be added later, so the design should account for that.

Tasks:

  • Implement authorization handler (middleware) #20
  • Restrict access to the keystore only to the allowed users #21

Roadmap for 0.1.5

Key Server

  • Redesign functionality for creating local KMS instance (#60)
    • Update SecretLock service for the KMS instance
    • Move KMSCreator logic into its own package
  • Update Create Keystore API functionality (#62)
    • Generate delegate key for ZCAP authorization
    • Generate recipient key for SDS usage
  • Implement support for storing operational keys in external SDS (#61)
    • Implement support for TLS CA Certs param (#77)
  • Implement API for exporting public key (#78)
    • Pass secretlock passphrase in header instead of body (#81)
  • Implement Wrap/Unwrap Key API (#65)
    • Sync up operations payload with Aries remote kms/crypto (#91)
  • Implement secretlock for Keystore KMS (#85)
  • Implement secretlock with shared unlock key for user's key manager (#22)
  • Fix issue with creating secret lock service (#110)
  • Implement authorization layer (should support both OAuth and ZCAP)
    • Implement support for authorizing with oAuth token (#63)
    • Implement support for authorizing with ZCAP-LD (#100)
  • Implement API for getting key handle (description) by key ID (#25)
  • Improve naming for used components and dependencies (#95)
  • Implement support for CryptoBox operations (#117)
  • Optimize calls to EDV and Hub Auth (#125, #126)

Documentation

  • Add support for OpenAPI spec (#54)

Technical Debt (refactoring, cleanup and chore tasks)

  • Refactor logging functionality (#41)
  • Support setting log level via param or endpoint on the fly (#52)
  • Do not leak the implementation details when sending back the error messages to the client (#38)
  • Pass KMS and Keystore services as dependencies to Operation (#29)
  • Update golangci-lint to 1.31.0 (#57)
  • Enable linter for code within pkg (#58)

Edge Agent

  • Configurable aries-framework-go wasm instance
    • Implement a custom aries-framework-go wasm (agent-js-worker) #372
    • Merge functionality of trustbloc-agent-js-worker and agent-js-worker #382
  • Implement remote kms/crypto wrappers #401

Implement secretlock with shared unlock key for user's key manager

Goal: add an option for securing the KMS within a keystore with a shared unlock key.

Key Server should not be able to unlock KMS using only its own key. It should request the other part of the key from Locker (part of Hub Auth) and reconstruct the masterkey.

Tasks:

  • Implement client to request shared unlock key from Locker #23
  • Implement support for secretlock with shared unlock key #24
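The two issues above ("Basic end-to-end scenario", which plans a Shamir Secret Sharing option for the masterkey, and "Implement secretlock with shared unlock key", where the Key Server must combine its own part with the part held by Locker) describe the same mechanism: the masterkey exists only as shares, and no single holder can reconstruct it. The following Go program is an added illustration, not code from the trustbloc/webkms repository, and its `Split`/`Combine` functions, the `Share` type and the sample key are assumptions made for the example. It implements Shamir's scheme over GF(2^8) for an arbitrary-length byte secret and shows a 2-of-2 split between a hypothetical Key Server and Locker, plus the general t-of-n case.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// Share is one point (x, y) on the per-byte secret polynomials. X identifies
// the holder (e.g. 1 = Key Server, 2 = Locker); Y has one byte per secret byte.
type Share struct {
	X byte
	Y []byte
}

// gfMul multiplies in GF(2^8) with the AES reduction polynomial 0x11b.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 != 0 {
			p ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^254, the multiplicative inverse of a (a^255 == 1 for a != 0).
func gfInv(a byte) byte {
	result, base := byte(1), a
	for exp := 254; exp > 0; exp >>= 1 {
		if exp&1 == 1 {
			result = gfMul(result, base)
		}
		base = gfMul(base, base)
	}
	return result
}

// evalPoly evaluates coeffs[0] + coeffs[1]*x + ... at x (Horner's rule).
func evalPoly(coeffs []byte, x byte) byte {
	var y byte
	for i := len(coeffs) - 1; i >= 0; i-- {
		y = gfMul(y, x) ^ coeffs[i]
	}
	return y
}

// Split produces n shares of secret such that any t of them reconstruct it.
// Each secret byte gets its own random degree t-1 polynomial whose constant
// term is that byte; share i is the evaluation of every polynomial at x = i.
func Split(secret []byte, n, t int) ([]Share, error) {
	if t < 2 || n < t || n > 255 {
		return nil, errors.New("need 2 <= t <= n <= 255")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coeffs := make([]byte, t)
	for pos, s := range secret {
		coeffs[0] = s
		if _, err := rand.Read(coeffs[1:]); err != nil {
			return nil, err
		}
		for i := range shares {
			shares[i].Y[pos] = evalPoly(coeffs, shares[i].X)
		}
	}
	return shares, nil
}

// Combine interpolates each polynomial at x = 0 (Lagrange). With fewer than
// t shares the output is uniformly random, which is exactly why the Key
// Server's share alone cannot unlock the KMS.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) < 2 {
		return nil, errors.New("at least two shares are required")
	}
	length := len(shares[0].Y)
	for i, s := range shares {
		if s.X == 0 || len(s.Y) != length {
			return nil, errors.New("malformed share")
		}
		for _, o := range shares[:i] {
			if o.X == s.X {
				return nil, errors.New("duplicate share") // would divide by zero below
			}
		}
	}
	secret := make([]byte, length)
	for pos := range secret {
		var acc byte
		for j, sj := range shares {
			num, den := byte(1), byte(1)
			for m, sm := range shares {
				if m == j {
					continue
				}
				num = gfMul(num, sm.X)      // (0 - x_m) == x_m in characteristic 2
				den = gfMul(den, sm.X^sj.X) // (x_j - x_m)
			}
			acc ^= gfMul(sj.Y[pos], gfMul(num, gfInv(den)))
		}
		secret[pos] = acc
	}
	return secret, nil
}

func main() {
	// Constructed sample masterkey for the demo only.
	masterKey := bytes.Repeat([]byte{0xA5}, 32)
	shares, err := Split(masterKey, 2, 2) // 2-of-2: Key Server + Locker
	if err != nil {
		panic(err)
	}
	serverShare, lockerShare := shares[0], shares[1]
	fmt.Printf("Key Server share alone equals key? %v\n", bytes.Equal(serverShare.Y, masterKey))
	recovered, err := Combine([]Share{serverShare, lockerShare})
	if err != nil {
		panic(err)
	}
	fmt.Printf("reconstructed with Locker's share: %v\n", bytes.Equal(recovered, masterKey))
}
```

`Combine` deliberately has no notion of the threshold: the field arithmetic gives the right answer only when enough distinct shares are supplied, and a short set yields an unrelated key rather than an error, so a real secretlock must treat a failed unlock (for example, an AEAD tag mismatch on the wrapped key) as the signal that a share was missing or tampered with.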
