Simplify NetworkIdentity type (#6666)

Author: eddyashton

include/ccf/node/cose_signatures_config.h

@@ -6,13 +6,16 @@
 
 #include <string>
 
-struct COSESignaturesConfig
+namespace ccf
 {
-  std::string issuer = "";
-  std::string subject = "";
+  struct COSESignaturesConfig
+  {
+    std::string issuer = "";
+    std::string subject = "";
 
-  bool operator==(const COSESignaturesConfig& other) const = default;
-};
+    bool operator==(const COSESignaturesConfig& other) const = default;
+  };
 
-DECLARE_JSON_TYPE(COSESignaturesConfig);
-DECLARE_JSON_REQUIRED_FIELDS(COSESignaturesConfig, issuer, subject);
+  DECLARE_JSON_TYPE(COSESignaturesConfig);
+  DECLARE_JSON_REQUIRED_FIELDS(COSESignaturesConfig, issuer, subject);
+}

include/ccf/node/startup_config.h

@@ -87,7 +87,7 @@ struct StartupConfig : CCFConfig
   // Only if starting or recovering
   size_t initial_service_certificate_validity_days = 1;
   std::string service_subject_name = "CN=CCF Service";
-  COSESignaturesConfig cose_signatures;
+  ccf::COSESignaturesConfig cose_signatures;
 
   nlohmann::json service_data = nullptr;
 

src/host/configuration.h

@@ -144,7 +144,7 @@ namespace host
         ccf::ServiceConfiguration service_configuration;
         size_t initial_service_certificate_validity_days = 1;
         std::string service_subject_name = "CN=CCF Service";
-        COSESignaturesConfig cose_signatures;
+        ccf::COSESignaturesConfig cose_signatures;
 
         bool operator==(const Start&) const = default;
       };

src/js/extensions/ccf/network.cpp

@@ -163,7 +163,7 @@ namespace ccf::js::extensions
 
       try
       {
-        auto renewed_cert = network->identity->issue_certificate(
+        auto renewed_cert = network->identity->renew_certificate(
           valid_from, validity_period_days);
 
         return JS_NewString(ctx, renewed_cert.str().c_str());

src/kv/kv_types.h

@@ -428,6 +428,7 @@ namespace ccf::kv
     virtual void set_service_signing_identity(
       std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> keypair,
       const COSESignaturesConfig& cose_signatures) = 0;
+    virtual const ccf::COSESignaturesConfig& get_cose_signatures_config() = 0;
   };
 
   class Consensus : public ConfigurableConsensus

src/node/history.h

@@ -198,11 +198,16 @@ namespace ccf
 
     void set_service_signing_identity(
       std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> service_kp_,
-      const COSESignaturesConfig& cose_signatures) override
+      const ccf::COSESignaturesConfig& cose_signatures) override
     {
       std::ignore = std::move(service_kp_);
     }
 
+    const ccf::COSESignaturesConfig& get_cose_signatures_config() override
+    {
+      throw std::logic_error("Unimplemented");
+    }
+
     ccf::crypto::Sha256Hash get_replicated_state_root() override
     {
       return ccf::crypto::Sha256Hash(std::to_string(version));
@@ -323,7 +328,7 @@ namespace ccf
     ccf::crypto::KeyPair& node_kp;
     ccf::crypto::KeyPair_OpenSSL& service_kp;
     ccf::crypto::Pem& endorsed_cert;
-    const COSESignaturesConfig& cose_signatures_config;
+    const ccf::COSESignaturesConfig& cose_signatures_config;
 
   public:
     MerkleTreeHistoryPendingTx(
@@ -334,7 +339,7 @@ namespace ccf
       ccf::crypto::KeyPair& node_kp_,
       ccf::crypto::KeyPair_OpenSSL& service_kp_,
       ccf::crypto::Pem& endorsed_cert_,
-      const COSESignaturesConfig& cose_signatures_config_) :
+      const ccf::COSESignaturesConfig& cose_signatures_config_) :
       txid(txid_),
       store(store_),
       history(history_),
@@ -566,7 +571,6 @@ namespace ccf
     T replicated_state_tree;
 
     ccf::crypto::KeyPair& node_kp;
-    std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> service_kp{};
     ccf::crypto::COSEVerifierUniquePtr cose_verifier{};
     std::vector<uint8_t> cose_cert_cached{};
 
@@ -580,7 +584,14 @@ namespace ccf
     ccf::kv::Term term_of_next_version;
 
     std::optional<ccf::crypto::Pem> endorsed_cert = std::nullopt;
-    COSESignaturesConfig cose_signatures_config;
+
+    struct ServiceSigningIdentity
+    {
+      const std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> service_kp;
+      const ccf::COSESignaturesConfig cose_signatures_config;
+    };
+
+    std::optional<ServiceSigningIdentity> signing_identity = std::nullopt;
 
   public:
     HashedTxHistory(
@@ -604,14 +615,33 @@ namespace ccf
 
     void set_service_signing_identity(
       std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> service_kp_,
-      const COSESignaturesConfig& cose_signatures_config_) override
+      const ccf::COSESignaturesConfig& cose_signatures_config_) override
     {
-      service_kp = std::move(service_kp_);
-      cose_signatures_config = cose_signatures_config_;
+      if (signing_identity.has_value())
+      {
+        throw std::logic_error(
+          "Called set_service_signing_identity() multiple times");
+      }
+
+      signing_identity.emplace(
+        ServiceSigningIdentity{service_kp_, cose_signatures_config_});
+
       LOG_INFO_FMT(
         "Setting service signing identity to iss: {} sub: {}",
-        cose_signatures_config.issuer,
-        cose_signatures_config.subject);
+        cose_signatures_config_.issuer,
+        cose_signatures_config_.subject);
+    }
+
+    const ccf::COSESignaturesConfig& get_cose_signatures_config() override
+    {
+      if (!signing_identity.has_value())
+      {
+        throw std::logic_error(
+          "Called get_cose_signatures_config() before "
+          "set_service_signing_identity()");
+      }
+
+      return signing_identity->cose_signatures_config;
     }
 
     void start_signature_emit_timer() override
@@ -870,7 +900,7 @@ namespace ccf
 
       LOG_DEBUG_FMT("Signed at {} in view: {}", txid.version, txid.term);
 
-      if (!service_kp)
+      if (!signing_identity.has_value())
       {
         throw std::logic_error(
           fmt::format("No service key has been set yet to sign"));
@@ -884,9 +914,9 @@ namespace ccf
           *this,
           id,
           node_kp,
-          *service_kp,
+          *signing_identity->service_kp,
           endorsed_cert.value(),
-          cose_signatures_config),
+          signing_identity->cose_signatures_config),
         true);
     }
 

src/node/identity.h

@@ -14,70 +14,18 @@
 
 namespace ccf
 {
-  enum class IdentityType
-  {
-    REPLICATED,
-    SPLIT
-  };
-
   struct NetworkIdentity
   {
     ccf::crypto::Pem priv_key;
     ccf::crypto::Pem cert;
-    std::optional<IdentityType> type = IdentityType::REPLICATED;
-    std::string subject_name = "CN=CCF Service";
-    COSESignaturesConfig cose_signatures_config;
-    std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> kp{};
-
-    std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> get_key_pair()
-    {
-      if (!kp)
-      {
-        kp = std::make_shared<ccf::crypto::KeyPair_OpenSSL>(priv_key);
-      }
 
-      return kp;
-    }
-
-    bool operator==(const NetworkIdentity& other) const
-    {
-      return cert == other.cert && priv_key == other.priv_key &&
-        type == other.type && subject_name == other.subject_name &&
-        cose_signatures_config == other.cose_signatures_config;
-    }
+    bool operator==(const NetworkIdentity& other) const = default;
 
     NetworkIdentity(
-      const std::string& subject_name_,
-      const COSESignaturesConfig& cose_signatures_config_) :
-      type(IdentityType::REPLICATED),
-      subject_name(subject_name_),
-      cose_signatures_config(cose_signatures_config_)
-    {}
-    NetworkIdentity() = default;
-
-    virtual ccf::crypto::Pem issue_certificate(
-      const std::string& valid_from, size_t validity_period_days)
-    {
-      return {};
-    }
-
-    virtual void set_certificate(const ccf::crypto::Pem& certificate) {}
-
-    virtual ~NetworkIdentity() {}
-  };
-
-  class ReplicatedNetworkIdentity : public NetworkIdentity
-  {
-  public:
-    ReplicatedNetworkIdentity() = default;
-
-    ReplicatedNetworkIdentity(
-      const std::string& subject_name_,
+      const std::string& subject_name,
       ccf::crypto::CurveID curve_id,
       const std::string& valid_from,
-      size_t validity_period_days,
-      const COSESignaturesConfig& cose_signatures_config_) :
-      NetworkIdentity(subject_name_, cose_signatures_config_)
+      size_t validity_period_days)
     {
       auto identity_key_pair =
         std::make_shared<ccf::crypto::KeyPair_OpenSSL>(curve_id);
@@ -91,37 +39,34 @@ namespace ccf
         validity_period_days);
     }
 
-    ReplicatedNetworkIdentity(const NetworkIdentity& other) :
-      NetworkIdentity(
-        ccf::crypto::get_subject_name(other.cert), other.cose_signatures_config)
+    NetworkIdentity(const NetworkIdentity& other) = default;
+
+    NetworkIdentity() = default;
+
+    virtual ~NetworkIdentity()
     {
-      if (type != other.type)
-      {
-        throw std::runtime_error("invalid identity type conversion");
-      }
-      priv_key = other.priv_key;
-      cert = other.cert;
+      OPENSSL_cleanse(priv_key.data(), priv_key.size());
     }
 
-    virtual ccf::crypto::Pem issue_certificate(
-      const std::string& valid_from, size_t validity_period_days) override
+    ccf::crypto::Pem renew_certificate(
+      const std::string& valid_from, size_t validity_period_days)
     {
       return ccf::crypto::create_self_signed_cert(
         get_key_pair(),
-        subject_name,
+        ccf::crypto::get_subject_name(cert),
         {} /* SAN */,
         valid_from,
         validity_period_days);
     }
 
-    virtual void set_certificate(const ccf::crypto::Pem& new_cert) override
+    void set_certificate(const ccf::crypto::Pem& new_cert)
     {
       cert = new_cert;
     }
 
-    ~ReplicatedNetworkIdentity() override
+    std::shared_ptr<ccf::crypto::KeyPair_OpenSSL> get_key_pair()
     {
-      OPENSSL_cleanse(priv_key.data(), priv_key.size());
+      return std::make_shared<ccf::crypto::KeyPair_OpenSSL>(priv_key);
     }
   };
-}
+}

src/node/node_state.h

@@ -498,12 +498,11 @@ namespace ccf
       {
         case StartType::Start:
         {
-          network.identity = std::make_unique<ReplicatedNetworkIdentity>(
+          network.identity = std::make_unique<ccf::NetworkIdentity>(
             config.service_subject_name,
             curve_id,
             config.startup_host_time,
-            config.initial_service_certificate_validity_days,
-            config.cose_signatures);
+            config.initial_service_certificate_validity_days);
 
           network.ledger_secrets->init();
 
@@ -539,12 +538,11 @@ namespace ccf
           ccf::crypto::Pem previous_service_identity_cert(
             config.recover.previous_service_identity.value());
 
-          network.identity = std::make_unique<ReplicatedNetworkIdentity>(
+          network.identity = std::make_unique<ccf::NetworkIdentity>(
             ccf::crypto::get_subject_name(previous_service_identity_cert),
             curve_id,
             config.startup_host_time,
-            config.initial_service_certificate_validity_days,
-            config.cose_signatures);
+            config.initial_service_certificate_validity_days);
 
           history->set_service_signing_identity(
             network.identity->get_key_pair(), config.cose_signatures);
@@ -664,7 +662,7 @@ namespace ccf
               throw std::logic_error("Expected network info in join response");
             }
 
-            network.identity = std::make_unique<ReplicatedNetworkIdentity>(
+            network.identity = std::make_unique<ccf::NetworkIdentity>(
               resp.network_info->identity);
             network.ledger_secrets->init_from_map(
               std::move(resp.network_info->ledger_secrets));
@@ -1764,6 +1762,18 @@ namespace ccf
       return self_signed_node_cert;
     }
 
+    const ccf::COSESignaturesConfig& get_cose_signatures_config() override
+    {
+      if (history == nullptr)
+      {
+        throw std::logic_error(
+          "Attempting to access COSE signatures config before history has been "
+          "constructed");
+      }
+
+      return history->get_cose_signatures_config();
+    }
+
   private:
     bool is_ip(const std::string_view& hostname)
     {

src/node/rpc/node_call_types.h

@@ -106,7 +106,7 @@ namespace ccf
         std::optional<ServiceStatus> service_status = std::nullopt;
 
         std::optional<ccf::crypto::Pem> endorsed_certificate = std::nullopt;
-        std::optional<COSESignaturesConfig> cose_signatures_config =
+        std::optional<ccf::COSESignaturesConfig> cose_signatures_config =
           std::nullopt;
 
         NetworkInfo() {}
@@ -118,7 +118,8 @@ namespace ccf
           const NetworkIdentity& identity,
           ServiceStatus service_status,
           const std::optional<ccf::crypto::Pem>& endorsed_certificate,
-          const std::optional<COSESignaturesConfig>& cose_signatures_config_) :
+          const std::optional<ccf::COSESignaturesConfig>&
+            cose_signatures_config_) :
           public_only(public_only),
           last_recovered_signed_idx(last_recovered_signed_idx),
           ledger_secrets(ledger_secrets),