use KeyPairResourceResolver explicitly

eclipse-edc · Jun 3, 2024 · c7c4766 · c7c4766
1 parent 4f3d373
commit c7c4766
Show file tree

Hide file tree

Showing 17 changed files with 61 additions and 275 deletions.
diff --git a/...entity-hub-core/src/main/java/org/eclipse/edc/identityhub/core/CoreServicesExtension.java b/...entity-hub-core/src/main/java/org/eclipse/edc/identityhub/core/CoreServicesExtension.java
@@ -24,11 +24,13 @@
 import org.eclipse.edc.identithub.verifiablepresentation.generators.JwtPresentationGenerator;
 import org.eclipse.edc.identithub.verifiablepresentation.generators.LdpPresentationGenerator;
 import org.eclipse.edc.identityhub.accesstoken.verification.AccessTokenVerifierImpl;
+import org.eclipse.edc.identityhub.publickey.KeyPairResourcePublicKeyResolver;
 import org.eclipse.edc.identityhub.query.CredentialQueryResolverImpl;
 import org.eclipse.edc.identityhub.spi.ScopeToCriterionTransformer;
 import org.eclipse.edc.identityhub.spi.keypair.KeyPairService;
 import org.eclipse.edc.identityhub.spi.model.IdentityHubConstants;
 import org.eclipse.edc.identityhub.spi.store.CredentialStore;
+import org.eclipse.edc.identityhub.spi.store.KeyPairResourceStore;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.CredentialStatusCheckService;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.generator.PresentationCreatorRegistry;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.generator.VerifiablePresentationService;
@@ -74,16 +76,6 @@ public class CoreServicesExtension implements ServiceExtension {
     @Setting(value = "Configure this IdentityHub's DID", required = true)
     public static final String OWN_DID_PROPERTY = "edc.ih.iam.id";
 
-    @Setting(value = "Key alias, which was used to store the public key in the vaule", required = true)
-    public static final String PUBLIC_KEY_VAULT_ALIAS_PROPERTY = "edc.ih.iam.publickey.alias";
-
-    @Setting(value = "Path to a file that holds the public key, e.g. a PEM file. Do not use in production!")
-    public static final String PUBLIC_KEY_PATH_PROPERTY = "edc.ih.iam.publickey.path";
-
-    @Setting(value = "Public key in PEM format")
-    public static final String PUBLIC_KEY_PEM = "edc.ih.iam.publickey.pem";
-
-
     public static final String PRESENTATION_EXCHANGE_V_1_JSON = "presentation-exchange.v1.json";
     public static final String PRESENTATION_QUERY_V_08_JSON = "iatp.v08.json";
     public static final String PRESENTATION_SUBMISSION_V1_JSON = "presentation-submission.v1.json";
@@ -122,6 +114,8 @@ public class CoreServicesExtension implements ServiceExtension {
     private KeyPairService keyPairService;
     @Inject
     private RevocationListService revocationService;
+    @Inject
+    private KeyPairResourceStore store;
 
     @Override
     public String name() {
@@ -137,7 +131,8 @@ public void initialize(ServiceExtensionContext context) {
 
     @Provider
     public AccessTokenVerifier createAccessTokenVerifier(ServiceExtensionContext context) {
-        return new AccessTokenVerifierImpl(tokenValidationService, createPublicKey(context), tokenValidationRulesRegistry, context.getMonitor(), publicKeyResolver);
+        var keyResolver = new KeyPairResourcePublicKeyResolver(vault, store, keyParserRegistry, context.getMonitor());
+        return new AccessTokenVerifierImpl(tokenValidationService, keyResolver, tokenValidationRulesRegistry, context.getMonitor(), publicKeyResolver);
     }
 
     @Provider
@@ -187,13 +182,4 @@ private void cacheContextDocuments(ClassLoader classLoader) {
         }
     }
 
-    private LocalPublicKeySupplier createPublicKey(ServiceExtensionContext context) {
-        return LocalPublicKeySupplier.Builder.newInstance()
-                .vault(vault)
-                .vaultAlias(context.getSetting(PUBLIC_KEY_VAULT_ALIAS_PROPERTY, null))
-                .publicKeyPath(context.getSetting(PUBLIC_KEY_PATH_PROPERTY, null))
-                .rawString(context.getSetting(PUBLIC_KEY_PEM, null))
-                .keyParserRegistry(keyParserRegistry)
-                .build();
-    }
 }
diff --git a/...ntity-hub-core/src/main/java/org/eclipse/edc/identityhub/core/LocalPublicKeySupplier.java b/...ntity-hub-core/src/main/java/org/eclipse/edc/identityhub/core/LocalPublicKeySupplier.java
diff --git a/core/lib/accesstoken-lib/build.gradle.kts b/core/lib/accesstoken-lib/build.gradle.kts
@@ -4,6 +4,7 @@ plugins {
 
 dependencies {
     api(project(":spi:identity-hub-spi"))
+    api(project(":core:lib:keypair-lib")) // for the KeyPairResourcePublicKeyResolver
     implementation(libs.edc.spi.token)
     implementation(libs.edc.spi.jwt)
 

diff --git a/...in/java/org/eclipse/edc/identityhub/accesstoken/verification/AccessTokenVerifierImpl.java b/...in/java/org/eclipse/edc/identityhub/accesstoken/verification/AccessTokenVerifierImpl.java
@@ -16,19 +16,18 @@
 
 import org.eclipse.edc.identityhub.spi.verification.AccessTokenVerifier;
 import org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames;
+import org.eclipse.edc.keys.spi.LocalPublicKeyService;
 import org.eclipse.edc.keys.spi.PublicKeyResolver;
 import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.token.spi.TokenValidationRule;
 import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
 import org.eclipse.edc.token.spi.TokenValidationService;
 
-import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
-import java.util.function.Supplier;
 
 import static org.eclipse.edc.identityhub.accesstoken.verification.AccessTokenConstants.ACCESS_TOKEN_SCOPE_CLAIM;
 import static org.eclipse.edc.identityhub.accesstoken.verification.AccessTokenConstants.IATP_ACCESS_TOKEN_CONTEXT;
@@ -44,17 +43,17 @@ public class AccessTokenVerifierImpl implements AccessTokenVerifier {
 
     private static final String SCOPE_SEPARATOR = " ";
     private final TokenValidationService tokenValidationService;
+    private final LocalPublicKeyService localPublicKeyService;
     private final TokenValidationRulesRegistry tokenValidationRulesRegistry;
-    private final Supplier<PublicKey> stsPublicKey;
     private final Monitor monitor;
     private final PublicKeyResolver publicKeyResolver;
 
-    public AccessTokenVerifierImpl(TokenValidationService tokenValidationService, Supplier<PublicKey> publicKeySupplier, TokenValidationRulesRegistry tokenValidationRulesRegistry, Monitor monitor,
+    public AccessTokenVerifierImpl(TokenValidationService tokenValidationService, LocalPublicKeyService localPublicKeyService, TokenValidationRulesRegistry tokenValidationRulesRegistry, Monitor monitor,
                                    PublicKeyResolver publicKeyResolver) {
         this.tokenValidationService = tokenValidationService;
+        this.localPublicKeyService = localPublicKeyService;
         this.tokenValidationRulesRegistry = tokenValidationRulesRegistry;
         this.monitor = monitor;
-        this.stsPublicKey = publicKeySupplier;
         this.publicKeyResolver = publicKeyResolver;
     }
 
@@ -92,7 +91,7 @@ public Result<List<String>> verify(String token, String participantId) {
         var rules = new ArrayList<>(tokenValidationRulesRegistry.getRules(IATP_ACCESS_TOKEN_CONTEXT));
         rules.add(subClaimsMatch);
         rules.add(audMustMatchParticipantIdRule);
-        var result = tokenValidationService.validate(accessTokenString, id -> Result.success(stsPublicKey.get()), rules);
+        var result = tokenValidationService.validate(accessTokenString, localPublicKeyService, rules);
         if (result.failed()) {
             return result.mapFailure();
         }