Class: Robocap::SDK::KeyVault

Inherits:

Object

• Object
• Robocap::SDK::KeyVault

Defined in:

lib/robocap/sdk/key_vault.rb

Constant Summary

RSA_VERSION_DIR_RE =

/\Av(\d+)\z/

Instance Attribute Summary

• #sdk_root ⇒ Object readonly

  Returns the value of attribute sdk_root.

Class Method Summary

• .private_pem_path_for_dir(key_dir) ⇒ Object
• .public_pem_path_for_dir(key_dir) ⇒ Object

Instance Method Summary

• #customer_root(customer_id) ⇒ Object
• #delete_rsa_key_dir(customer_id, key_dir) ⇒ Object
• #delete_rsa_version(customer_id, version) ⇒ Object
• #exists_customer?(customer_id) ⇒ Boolean
• #get_latest_public_key(customer_id) ⇒ Object
• #get_latest_rsa_version(customer_id) ⇒ Object
• #get_private_key(customer_id, version) ⇒ Object
• #get_public_key(customer_id, version) ⇒ Object
• #import_rsa_version(customer_id:, public_pem:, private_pem:, meta:) ⇒ Object
• #initialize(sdk_root) ⇒ KeyVault constructor

  A new instance of KeyVault.

• #list_rsa_key_dirs(customer_id) ⇒ Object
• #list_rsa_versions(customer_id) ⇒ Object
• #load_rsa_meta(customer_id, version) ⇒ Object
• #private_pem(customer_id, version) ⇒ Object
• #public_pem(customer_id, version) ⇒ Object
• #rsa_dir(customer_id) ⇒ Object
• #rsa_meta_path(customer_id, version) ⇒ Object
• #rsa_version_dir(customer_id, version) ⇒ Object
• #trial_unwrap_cek(customer_id, cek_wrapped) ⇒ Object

Constructor Details

#initialize(sdk_root) ⇒ KeyVault

Returns a new instance of KeyVault.

# File 'lib/robocap/sdk/key_vault.rb', line 19

def initialize(sdk_root)
  @sdk_root  = Pathname(sdk_root)
  @keys_root = Config.keys_vault_root(@sdk_root)
end

Instance Attribute Details

#sdk_root ⇒ Object (readonly)

Returns the value of attribute sdk_root.

# File 'lib/robocap/sdk/key_vault.rb', line 24

def sdk_root
  @sdk_root
end

Class Method Details

.private_pem_path_for_dir(key_dir) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 51

def self.private_pem_path_for_dir(key_dir)
  Pathname(key_dir).join('private.pem')
end

.public_pem_path_for_dir(key_dir) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 47

def self.public_pem_path_for_dir(key_dir)
  Pathname(key_dir).join('public.pem')
end

Instance Method Details

#customer_root(customer_id) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 26

def customer_root(customer_id)
  Config.validate_customer_id!(customer_id)
  @keys_root.join(customer_id)
end

#delete_rsa_key_dir(customer_id, key_dir) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 205

def delete_rsa_key_dir(customer_id, key_dir)
  Config.validate_customer_id!(customer_id)
  unless exists_customer?(customer_id)
    raise Error.new(
      code: ErrorCode::ERR_CUSTOMER_NOT_FOUND,
      message: "Customer not found: #{customer_id}",
    )
  end
  resolved_rsa_dir = Pathname(rsa_dir(customer_id).realpath)
  resolved = Pathname(key_dir).expand_path
  resolved = Pathname(resolved.realpath) if resolved.exist?
  unless resolved.parent == resolved_rsa_dir
    raise Error.new(
      code: ErrorCode::ERR_RSA_VERSION_MISSING,
      message: "Key folder is not under rsa/ for #{customer_id}",
    )
  end
  unless valid_rsa_key_dir?(resolved)
    raise Error.new(
      code: ErrorCode::ERR_RSA_VERSION_MISSING,
      message: "Key folder missing public.pem or private.pem: #{resolved.basename}",
    )
  end
  begin
    FileUtils.remove_entry_secure(resolved)
  rescue SystemCallError => exc
    raise Error.new(
      code: ErrorCode::ERR_VAULT_IO,
      message: "Failed to delete key folder #{resolved.basename}: #{exc.message}",
    )
  end
end

#delete_rsa_version(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 170

def delete_rsa_version(customer_id, version)
  Config.validate_customer_id!(customer_id)
  unless exists_customer?(customer_id)
    raise Error.new(
      code: ErrorCode::ERR_CUSTOMER_NOT_FOUND,
      message: "Customer not found: #{customer_id}",
    )
  end
  dir = rsa_version_dir(customer_id, version)
  unless dir.directory?
    raise Error.new(
      code: ErrorCode::ERR_RSA_VERSION_MISSING,
      message: "RSA version v#{version} not found for #{customer_id}",
    )
  end
  begin
    FileUtils.remove_entry_secure(dir)
  rescue SystemCallError => exc
    raise Error.new(
      code: ErrorCode::ERR_VAULT_IO,
      message: "Failed to delete RSA version v#{version}: #{exc.message}",
    )
  end
end

#exists_customer?(customer_id) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/robocap/sdk/key_vault.rb', line 59

def exists_customer?(customer_id)
  customer_root(customer_id).directory?
end

#get_latest_public_key(customer_id) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 106

def get_latest_public_key(customer_id)
  get_public_key(customer_id, get_latest_rsa_version(customer_id))
end

#get_latest_rsa_version(customer_id) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 73

def get_latest_rsa_version(customer_id)
  versions = list_rsa_versions(customer_id)
  if versions.empty?
    raise Error.new(
      code: ErrorCode::ERR_RSA_NOT_IMPORTED,
      message: "No RSA keys imported for customer #{customer_id}",
    )
  end
  versions.max
end

#get_private_key(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 95

def get_private_key(customer_id, version)
  path = private_pem(customer_id, version)
  unless path.file?
    raise Error.new(
      code: ErrorCode::ERR_RSA_VERSION_MISSING,
      message: "RSA private key v#{version} not found for #{customer_id}",
    )
  end
  load_private_key_from(path)
end

#get_public_key(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 84

def get_public_key(customer_id, version)
  path = public_pem(customer_id, version)
  unless path.file?
    raise Error.new(
      code: ErrorCode::ERR_RSA_VERSION_MISSING,
      message: "RSA public key v#{version} not found for #{customer_id}",
    )
  end
  load_public_key_from(path)
end

#import_rsa_version(customer_id:, public_pem:, private_pem:, meta:) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 121

def import_rsa_version(customer_id:, public_pem:, private_pem:, meta:)
  Config.validate_customer_id!(customer_id)
  version = meta.rsa_key_version
  pub_key  = OpenSSL::PKey::RSA.new(public_pem)
  priv_key = OpenSSL::PKey::RSA.new(private_pem)

  if pub_key.private? || !priv_key.private?
    raise Error.new(code: ErrorCode::ERR_RSA_IMPORT_INVALID, message: 'Invalid RSA key pair PEM')
  end

  unless Config::RSA_BITS_ALLOWED.include?(meta.rsa_bits)
    raise Error.new(
      code: ErrorCode::ERR_INVALID_RSA_BITS,
      message: "RSA rsa_bits must be one of #{Config::RSA_BITS_ALLOWED}",
    )
  end

  actual_bits_pub  = pub_key.n.num_bits
  actual_bits_priv = priv_key.n.num_bits
  if actual_bits_pub != meta.rsa_bits || actual_bits_priv != meta.rsa_bits
    raise Error.new(
      code: ErrorCode::ERR_INVALID_RSA_BITS,
      message: "RSA keys must be #{meta.rsa_bits} bits",
    )
  end

  if pub_key.n != priv_key.n || pub_key.e != priv_key.e
    raise Error.new(
      code: ErrorCode::ERR_RSA_IMPORT_INVALID,
      message: 'Public and private key do not match',
    )
  end

  dir = rsa_version_dir(customer_id, version)
  if dir.exist?
    raise Error.new(
      code: ErrorCode::ERR_CUSTOMER_ALREADY_EXISTS,
      message: "RSA version v#{version} already exists for #{customer_id}",
    )
  end

  VaultLayout.ensure_private_dir(dir)
  VaultLayout.atomic_write_bytes(self.public_pem(customer_id, version),  public_pem)
  VaultLayout.atomic_write_bytes(self.private_pem(customer_id, version), private_pem)
  VaultLayout.atomic_write_text(rsa_meta_path(customer_id, version), meta.to_pretty_json)
  VaultLayout.ensure_private_dir(customer_root(customer_id))
  version
end

#list_rsa_key_dirs(customer_id) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 195

def list_rsa_key_dirs(customer_id)
  Config.validate_customer_id!(customer_id)
  dir = rsa_dir(customer_id)
  return [] unless dir.directory?
  dir.children.sort_by { |c| c.basename.to_s.downcase }.filter_map do |child|
    next nil unless valid_rsa_key_dir?(child)
    Pathname(child.realpath)
  end
end

#list_rsa_versions(customer_id) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 63

def list_rsa_versions(customer_id)
  rsa_dir = customer_root(customer_id).join('rsa')
  return [] unless rsa_dir.directory?
  rsa_dir.children.each_with_object([]) do |child, acc|
    next unless child.directory?
    m = RSA_VERSION_DIR_RE.match(child.basename.to_s)
    acc << m[1].to_i if m
  end.sort
end

#load_rsa_meta(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 110

def load_rsa_meta(customer_id, version)
  path = rsa_meta_path(customer_id, version)
  unless path.file?
    raise Error.new(
      code: ErrorCode::ERR_RSA_VERSION_MISSING,
      message: "RSA meta v#{version} not found for #{customer_id}",
    )
  end
  RsaKeyMeta.from_json(path.read(encoding: 'UTF-8'))
end

#private_pem(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 39

def private_pem(customer_id, version)
  rsa_version_dir(customer_id, version).join('private.pem')
end

#public_pem(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 35

def public_pem(customer_id, version)
  rsa_version_dir(customer_id, version).join('public.pem')
end

#rsa_dir(customer_id) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 55

def rsa_dir(customer_id)
  customer_root(customer_id).join('rsa')
end

#rsa_meta_path(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 43

def rsa_meta_path(customer_id, version)
  rsa_version_dir(customer_id, version).join('meta.json')
end

#rsa_version_dir(customer_id, version) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 31

def rsa_version_dir(customer_id, version)
  customer_root(customer_id).join('rsa', "v#{version}")
end

#trial_unwrap_cek(customer_id, cek_wrapped) ⇒ Object

# File 'lib/robocap/sdk/key_vault.rb', line 238

def trial_unwrap_cek(customer_id, cek_wrapped)
  Config.validate_customer_id!(customer_id)
  unless cek_wrapped.bytesize == Config::RSA_2048_CIPHERTEXT_BYTES
    raise Error.new(
      code: ErrorCode::ERR_CENC_CEKA_WRAP,
      message: "Wrapped CEK must be #{Config::RSA_2048_CIPHERTEXT_BYTES} bytes",
    )
  end

  eligible = list_rsa_versions(customer_id).filter_map do |version|
    meta = load_rsa_meta(customer_id, version)
    next nil unless meta.rsa_bits == 2048
    priv = get_private_key(customer_id, version)
    next nil unless priv.n.num_bits == 2048
    [version, priv]
  end

  if eligible.empty?
    raise Error.new(
      code: ErrorCode::ERR_CENC_CEKA_TRIAL_FAILED,
      message: "No 2048-bit RSA keys available for trial unwrap: #{customer_id}",
    )
  end

  first_success = nil
  eligible.each do |version, priv|
    begin
      cek = RSAOAEP.unwrap_cek(cek_wrapped, priv)
    rescue Error
      next
    end
    return first_success if first_success
    first_success = CekTrialUnwrapResult.new(cek: cek, rsa_key_version: version)
  end

  unless first_success
    raise Error.new(
      code: ErrorCode::ERR_CENC_CEKA_TRIAL_FAILED,
      message: "CEK trial unwrap failed for all vault versions: #{customer_id}",
    )
  end
  first_success
end