feat: get kas public key from base key (#623)

Author: eugenioenko

cli/package-lock.json

@@ -3,7 +3,10 @@ import { ServiceError } from './errors.js';
 import { RewrapResponse } from './platform/kas/kas_pb.js';
 import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
 
-import { fetchKeyAccessServers as fetchKeyAccessServersRpc } from './access/access-rpc.js';
+import {
+  fetchKasBasePubKey,
+  fetchKeyAccessServers as fetchKeyAccessServersRpc,
+} from './access/access-rpc.js';
 import { fetchKeyAccessServers as fetchKeyAccessServersLegacy } from './access/access-fetch.js';
 import { fetchWrappedKey as fetchWrappedKeysRpc } from './access/access-rpc.js';
 import { fetchWrappedKey as fetchWrappedKeysLegacy } from './access/access-fetch.js';
@@ -144,17 +147,34 @@ export async function fetchKeyAccessServers(
 }
 
 /**
- * If we have KAS url but not public key we can fetch it from KAS, fetching
- * the value from `${kas}/kas_public_key`.
+ * Fetch the EC (secp256r1) public key for a KAS endpoint.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @returns The public key information for the KAS endpoint.
  */
 export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
   return fetchKasPubKey(kasEndpoint, 'ec:secp256r1');
 }
 
+/**
+ * Fetch the public key for a KAS endpoint.
+ * This function will first try to fetch the base public key,
+ * then it will try to fetch the public key using the RPC method,
+ * and finally it will try to fetch the public key using the legacy method.
+ * If all attempts fail, it will return the error from RPC Public Key fetch.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @param algorithm Optional algorithm to fetch the public key for.
+ * @returns The public key information.
+ */
 export async function fetchKasPubKey(
   kasEndpoint: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
+  try {
+    return await fetchKasBasePubKey(kasEndpoint);
+  } catch (e) {
+    console.log(e);
+  }
+
   return await tryPromisesUntilFirstSuccess(
     () => fetchKasPubKeyRpc(kasEndpoint, algorithm),
     () => fetchKasPubKeyLegacy(kasEndpoint, algorithm)

lib/src/access.ts

@@ -1,4 +1,5 @@
 import {
+  isPublicKeyAlgorithm,
   KasPublicKeyAlgorithm,
   KasPublicKeyInfo,
   noteInvalidPublicKey,
@@ -74,6 +75,31 @@ export async function fetchKeyAccessServers(
   return new OriginAllowList(serverUrls, false);
 }
 
+interface PlatformBaseKey {
+  kas_id?: string;
+  kas_uri: string;
+  public_key: {
+    algorithm: KasPublicKeyAlgorithm;
+    kid: string;
+    pem: string;
+  };
+}
+
+function isBaseKey(baseKey?: unknown): baseKey is PlatformBaseKey {
+  if (!baseKey) {
+    return false;
+  }
+  const bk = baseKey as PlatformBaseKey;
+  return (
+    !!bk.kas_uri &&
+    !!bk.public_key &&
+    typeof bk.public_key === 'object' &&
+    !!bk.public_key.pem &&
+    !!bk.public_key.algorithm &&
+    isPublicKeyAlgorithm(bk.public_key.algorithm)
+  );
+}
+
 export async function fetchKasPubKey(
   kasEndpoint: string,
   algorithm?: KasPublicKeyAlgorithm
@@ -105,3 +131,45 @@ export async function fetchKasPubKey(
     throw new NetworkError(`[${platformUrl}] [PublicKey] ${extractRpcErrorMessage(e)}`);
   }
 }
+
+/**
+ * Fetch the base public key from WellKnownConfiguration of the platform.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @throws {ConfigurationError} If the KAS endpoint is not defined.
+ * @throws {NetworkError} If there is an error fetching the public key from the KAS endpoint.
+ * @returns The base public key information for the KAS endpoint.
+ */
+export async function fetchKasBasePubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
+  if (!kasEndpoint) {
+    throw new ConfigurationError('KAS definition not found');
+  }
+  validateSecureUrl(kasEndpoint);
+
+  const platformUrl = getPlatformUrlFromKasEndpoint(kasEndpoint);
+  const platform = new PlatformClient({
+    platformUrl,
+  });
+  try {
+    const { configuration } = await platform.v1.wellknown.getWellKnownConfiguration({});
+    const baseKey = configuration?.base_key as unknown as PlatformBaseKey;
+    if (!isBaseKey(baseKey)) {
+      throw new NetworkError(
+        `Invalid Platform Configuration: [${kasEndpoint}] is missing BaseKey in WellKnownConfiguration`
+      );
+    }
+
+    const result: KasPublicKeyInfo = {
+      key: noteInvalidPublicKey(
+        new URL(baseKey.kas_uri),
+        pemToCryptoPublicKey(baseKey.public_key.pem)
+      ),
+      publicKey: baseKey.public_key.pem,
+      url: baseKey.kas_uri,
+      algorithm: baseKey.public_key.algorithm,
+      kid: baseKey.public_key.kid,
+    };
+    return result;
+  } catch (e) {
+    throw new NetworkError(`[${platformUrl}] [PublicKey] ${extractRpcErrorMessage(e)}`);
+  }
+}

lib/src/access/access-rpc.ts

@@ -335,7 +335,7 @@ export class OpenTDF {
     this.tdf3Client = new TDF3Client({
       authProvider,
       dpopKeys,
-      kasEndpoint: 'https://disallow.all.invalid',
+      kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
       policyEndpoint,
     });
     this.dpopKeys =
@@ -522,14 +522,17 @@ class NanoTDFReader {
       r.header = nanotdf.header;
       return r;
     }
+    const platformUrl = this.opts.platformUrl || this.outer.platformUrl;
+    const kasEndpoint =
+      this.opts.allowedKASEndpoints?.[0] || platformUrl || 'https://disallow.all.invalid';
     const nc = new Client({
       allowedKases: this.opts.allowedKASEndpoints,
       authProvider: this.outer.authProvider,
       ignoreAllowList: this.opts.ignoreAllowlist,
       dpopEnabled: this.outer.dpopEnabled,
       dpopKeys: this.outer.dpopKeys,
-      kasEndpoint: this.opts.allowedKASEndpoints?.[0] || 'https://disallow.all.invalid',
-      platformUrl: this.opts.platformUrl || this.outer.platformUrl,
+      kasEndpoint,
+      platformUrl,
     });
     // TODO: The version number should be fetched from the API
     const version = '0.0.1';
@@ -691,9 +694,12 @@ class Collection {
         break;
     }
 
+    const kasEndpoint =
+      opts.defaultKASEndpoint || opts.platformUrl || 'https://disallow.all.invalid';
+
     this.client = new NanoTDFDatasetClient({
       authProvider,
-      kasEndpoint: opts.defaultKASEndpoint ?? 'https://disallow.all.invalid',
+      kasEndpoint: kasEndpoint,
       maxKeyIterations: opts.maxKeyIterations,
       platformUrl: opts.platformUrl,
     });

lib/src/opentdf.ts

@@ -398,7 +398,7 @@ export class Client {
       keyMiddleware = defaultKeyMiddleware,
       streamMiddleware = async (stream: DecoratedReadableStream) => stream,
       tdfSpecVersion,
-      wrappingKeyAlgorithm = 'rsa:2048',
+      wrappingKeyAlgorithm,
     } = opts;
     const scope = opts.scope ?? { attributes: [], dissem: [] };
 
@@ -462,7 +462,6 @@ export class Client {
         ? maxByteLimit
         : opts.byteLimit;
     const encryptionInformation = new SplitKey(new AesGcmCipher(this.cryptoService));
-    // TODO KAS: check here
     const splits: SplitStep[] = splitPlan?.length
       ? splitPlan
       : [{ kas: opts.defaultKASEndpoint ?? this.kasEndpoint }];

lib/tdf3/src/client/index.ts

@@ -199,7 +199,7 @@ export async function fetchKasPublicKey(
   kas: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
-  return fetchKasPubKeyV2(kas, algorithm || 'rsa:2048');
+  return fetchKasPubKeyV2(kas, algorithm);
 }
 
 export async function extractPemFromKeyString(

lib/tdf3/src/tdf.ts

@@ -91,7 +91,7 @@ describe('fetchKasPublicKey', async () => {
   it('localhost kas is valid', async () => {
     const pk2 = await TDF.fetchKasPublicKey('http://localhost:3000');
     expect(pk2.publicKey).to.include('BEGIN CERTIFICATE');
-    expect(pk2.kid).to.equal('r1');
+    expect(pk2.kid).to.equal('e1');
   });
 
   it('invalid algorithms', async () => {
@@ -100,10 +100,15 @@ describe('fetchKasPublicKey', async () => {
       console.log(res);
       expect.fail('did not throw');
     } catch (e) {
-      // TODO RPC: check why error thrown is failed to fetch
       expect(!!e).to.equal(true);
     }
   });
+
+  it('localhost BaseKey', async () => {
+    const pk2 = await TDF.fetchKasPublicKey('http://localhost:3000');
+    expect(pk2.publicKey).to.include('BEGIN CERTIFICATE');
+    expect(pk2.kid).to.equal('e1');
+  });
 });
 
 describe('validatePolicyObject', () => {

lib/tests/mocha/unit/tdf.spec.ts

@@ -421,7 +421,21 @@ const kas: RequestListener = async (req, res) => {
     ) {
       res.statusCode = 200;
       res.setHeader('Content-Type', 'application/json');
-      res.end(JSON.stringify({ health: { endpoint: '/healthz' } }));
+      res.end(
+        JSON.stringify({
+          configuration: {
+            base_key: {
+              kas_id: '34f2acdc-3d9c-4e92-80b6-90fe4dc9afcb',
+              kas_uri: 'http://localhost:3000',
+              public_key: {
+                algorithm: 'ec:secp256r1',
+                kid: 'e1',
+                pem: Mocks.kasECCert,
+              },
+            },
+          },
+        })
+      );
       return;
     } else if (url.pathname === '/policy.attributes.AttributesService/ListAttributes') {
       const token = req.headers['authorization'] as string;