Skip to content

Commit

Permalink
CORE-16125: add Avro messages and topics for crypto key rotation (#1359)
Browse files Browse the repository at this point in the history
Add initial versions of the Avro messages for crypto key rotation, and Kafka topics for them.
  • Loading branch information
anien authored Nov 22, 2023
1 parent 6911079 commit 4dfdabe
Show file tree
Hide file tree
Showing 6 changed files with 189 additions and 1 deletion.
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
{
"type": "record",
"name": "IndividualKeyRotationRequest",
"namespace": "net.corda.data.crypto.wire.ops.key.rotation",
"doc": "Internal over-the-wire individual crypto key rotation operation request envelope.",
"fields": [
{
"name": "requestId",
"type": "string",
"doc": "GUID allocated by client to control key rotation."
},
{
"name": "tenantId",
"type": "string",
"doc": "Specifies the specific tenant that owns the old key."
},
{
"name": "oldParentKeyAlias",
"type": "string",
"doc": "The key alias whose protected content will be re-wrapped with a new key."
},
{
"name": "newParentKeyAlias",
"type": "string",
"doc": "The new wrapping key which oldParentKeyAlias' content will be re-wrapped with."
},
{
"name": "targetKeyAlias",
"type": "string",
"doc": "Specifies the wrapped key to rotate."
},
{
"name": "keyType",
"type": {
"type": "enum",
"name": "KeyType",
"symbols": ["MANAGED", "UNMANAGED"]
},
"doc": "Type of the key to be rotated."
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
{
"type": "record",
"name": "KeyRotationRequest",
"namespace": "net.corda.data.crypto.wire.ops.key.rotation",
"doc": "Internal over-the-wire crypto key rotation operation request envelope.",
"fields": [
{
"name": "requestId",
"type": "string",
"doc": "GUID allocated by client to control key rotation."
},
{
"name": "managedKey",
"type": {
"type": "enum",
"name": "KeyType",
"symbols": ["MANAGED", "UNMANAGED"]
},
"doc": "Type of the key to be rotated."
},
{
"name": "oldParentKeyAlias",
"type": ["null", "string"],
"doc": "The key alias that should no longer be used, and all its protected content re-wrapped with a new key."
},
{
"name": "newParentKeyAlias",
"type": ["null", "string"],
"doc": "The unmanaged key alias that should be used for material currently wrapped with old key. Only specified when rotating unmanaged keys."
},
{
"name": "oldGeneration",
"type": ["null", "int"],
"doc": "Specifies the old generation number we should move away from. If absent, rotate all matching keys."
},
{
"name": "tenantId",
"type": ["null", "string"],
"doc": "Only specified when targeting managed keys. Specifies the specific tenant that owns the old and new key."
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
{
"type": "record",
"name": "KeyRotationStatus",
"namespace": "net.corda.data.crypto.wire.ops.key.rotation",
"doc": "Response for crypto's key rotation operation envelope",
"fields": [
{
"name": "requestId",
"type": "string",
"doc": "GUID allocated by client and passed in StartRotation message."
},
{
"name": "managedKey",
"type": {
"type": "enum",
"name": "KeyType",
"symbols": ["MANAGED", "UNMANAGED"]
},
"doc": "Type of the key to be rotated."
},
{
"name": "oldParentKeyAlias",
"type": ["null", "string"],
"doc": "The wrapping key alias that should no longer be used, and all its protected content re-wrapped with a new key."
},
{
"name": "newParentKeyAlias",
"type": ["null", "string"],
"doc": "The wrapping key alias that should be used for material currently wrapped with old key. Only specified when rotating unmanaged keys."
},
{
"name": "oldGeneration",
"type": ["null", "int"],
"doc": "Specifies the old generation number we should move away from. If absent, rotate all matching keys."
},
{
"name": "tenantId",
"type": ["null", "string"],
"doc": "Only specified when targeting managed keys. Specifies the specific tenant that owns the old and new key."
},
{
"name": "newGeneration",
"type": ["null", "int"],
"doc": "Set to the new generation number when rotating a single managed key, otherwise null."
},
{
"name": "processedCount",
"type": "int",
"doc": "Number of wrapped keys rotated so far."
},
{
"name": "expectedTotal",
"type": "int",
"doc": "Number of wrapped keys in total to re-wrap as part of this operation."
},
{
"name": "createdTimestamp",
"type": {
"type": "long",
"logicalType": "timestamp-millis"
},
"doc": "The date and time the key rotation request was created."
},
{
"name": "lastUpdateTimestamp",
"type": {
"type": "long",
"logicalType": "timestamp-millis"
},
"doc": "The date and time when the last individual key rotation operation has finished."
}
]
}
7 changes: 7 additions & 0 deletions data/topic-schema/src/main/java/net/corda/schema/Schemas.java
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,13 @@ private Crypto() {
public static final String FLOW_OPS_MESSAGE_TOPIC = "crypto.ops.flow";
public static final String RPC_OPS_MESSAGE_TOPIC = "crypto.ops.rpc";
public static final String RPC_OPS_MESSAGE_RESPONSE_TOPIC = getRPCResponseTopic(RPC_OPS_MESSAGE_TOPIC);
public static final String REKEY_MESSAGE_TOPIC = "crypto.key.rotation.ops";
public static final String REKEY_MESSAGE_RESPONSE_TOPIC = getRPCResponseTopic(REKEY_MESSAGE_TOPIC);
public static final String REKEY_MESSAGE_STATUS_TOPIC = "crypto.key.rotation.status";
public static final String REWRAP_MESSAGE_TOPIC = "crypto.key.rotation.individual";
public static final String REWRAP_MESSAGE_RESPONSE_TOPIC = getRPCResponseTopic(REWRAP_MESSAGE_TOPIC);


}

/**
Expand Down
24 changes: 24 additions & 0 deletions data/topic-schema/src/main/resources/net/corda/schema/Crypto.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,27 @@ topics:
producers:
- crypto
config:
CryptoOpsRekeyTopic:
name: crypto.key.rotation.ops
consumers:
- crypto
producers:
- rest
CryptoOpsRekeyStatusTopic:
name: crypto.key.rotation.ops.resp
consumers:
- rest
producers:
- crypto
CryptoOpsRewrapTopic:
name: crypto.key.rotation.individual
consumers:
- crypto
producers:
- crypto
CryptoOpsRewrapResponseTopic:
name: crypto.key.rotation.individual.resp
consumers:
- crypto
producers:
- crypto
2 changes: 1 addition & 1 deletion gradle.properties
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ cordaProductVersion = 5.2.0
# NOTE: update this each time this module contains a breaking change
## NOTE: currently this is a top level revision, so all API versions will line up, but this could be moved to
## a per module property in which case module versions can change independently.
cordaApiRevision = 4
cordaApiRevision = 5

# Main
kotlinVersion = 1.8.21
Expand Down

0 comments on commit 4dfdabe

Please sign in to comment.