Enclave public key length constraint removed for private transactions (…

…hyperledger#4086)

* removed constraint with the length of the privacy public key

* refactor to include tessera ec encryptor

* added EC snippet to the tessera json config, still need to replace base64string from web3j

* acceptance tests working after modifying the web3j library to allow secp256r1 keys

* using NACL encryptor by default

* using web3j v4.9.4 and web3j-quorum v4.9.0

Signed-off-by: Miguel Rojo <[email protected]>

Co-authored-by: Antony Denyer <[email protected]>

acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/node/configuration/privacy/PrivacyNodeFactory.java

@@ -48,16 +48,6 @@ public PrivacyNode create(
     return new PrivacyNode(privacyNodeConfig, vertx, enclaveType, containerNetwork);
   }
 
-  public PrivacyNode createPrivateTransactionEnabledMinerNode(
-      final String name,
-      final PrivacyAccount privacyAccount,
-      final EnclaveType enclaveType,
-      final Optional<Network> containerNetwork)
-      throws IOException {
-    return createPrivateTransactionEnabledMinerNode(
-        name, privacyAccount, enclaveType, containerNetwork, false, false, false);
-  }
-
   public PrivacyNode createPrivateTransactionEnabledMinerNode(
       final String name,
       final PrivacyAccount privacyAccount,
@@ -83,21 +73,13 @@ public PrivacyNode createPrivateTransactionEnabledMinerNode(
                 .extraCLIOptions(List.of("--plugin-privacy-service-encryption-prefix=0xAA"))
                 .build(),
             new EnclaveKeyConfiguration(
-                privacyAccount.getEnclaveKeyPaths(), privacyAccount.getEnclavePrivateKeyPaths())),
+                privacyAccount.getEnclaveKeyPaths(),
+                privacyAccount.getEnclavePrivateKeyPaths(),
+                privacyAccount.getEnclaveEncryptorType())),
         enclaveType,
         containerNetwork);
   }
 
-  public PrivacyNode createPrivateTransactionEnabledNode(
-      final String name,
-      final PrivacyAccount privacyAccount,
-      final EnclaveType enclaveType,
-      final Optional<Network> containerNetwork)
-      throws IOException {
-    return createPrivateTransactionEnabledNode(
-        name, privacyAccount, enclaveType, containerNetwork, false, false, false);
-  }
-
   public PrivacyNode createPrivateTransactionEnabledNode(
       final String name,
       final PrivacyAccount privacyAccount,
@@ -122,21 +104,13 @@ public PrivacyNode createPrivateTransactionEnabledNode(
                 .extraCLIOptions(List.of("--plugin-privacy-service-encryption-prefix=0xBB"))
                 .build(),
             new EnclaveKeyConfiguration(
-                privacyAccount.getEnclaveKeyPaths(), privacyAccount.getEnclavePrivateKeyPaths())),
+                privacyAccount.getEnclaveKeyPaths(),
+                privacyAccount.getEnclavePrivateKeyPaths(),
+                privacyAccount.getEnclaveEncryptorType())),
         enclaveType,
         containerNetwork);
   }
 
-  public PrivacyNode createIbft2NodePrivacyEnabled(
-      final String name,
-      final PrivacyAccount privacyAccount,
-      final EnclaveType enclaveType,
-      final Optional<Network> containerNetwork)
-      throws IOException {
-    return createIbft2NodePrivacyEnabled(
-        name, privacyAccount, false, enclaveType, containerNetwork, false, false, false, "0xAA");
-  }
-
   public PrivacyNode createIbft2NodePrivacyEnabled(
       final String name,
       final PrivacyAccount privacyAccount,
@@ -167,7 +141,9 @@ public PrivacyNode createIbft2NodePrivacyEnabled(
                     List.of("--plugin-privacy-service-encryption-prefix=" + unrestrictedPrefix))
                 .build(),
             new EnclaveKeyConfiguration(
-                privacyAccount.getEnclaveKeyPaths(), privacyAccount.getEnclavePrivateKeyPaths())),
+                privacyAccount.getEnclaveKeyPaths(),
+                privacyAccount.getEnclavePrivateKeyPaths(),
+                privacyAccount.getEnclaveEncryptorType())),
         enclaveType,
         containerNetwork);
   }
@@ -204,7 +180,9 @@ public PrivacyNode createIbft2NodePrivacyEnabledWithGenesis(
                         "--plugin-privacy-service-genesis-enabled=true"))
                 .build(),
             new EnclaveKeyConfiguration(
-                privacyAccount.getEnclaveKeyPaths(), privacyAccount.getEnclavePrivateKeyPaths())),
+                privacyAccount.getEnclaveKeyPaths(),
+                privacyAccount.getEnclavePrivateKeyPaths(),
+                privacyAccount.getEnclaveEncryptorType())),
         enclaveType,
         containerNetwork);
   }
@@ -238,7 +216,9 @@ public PrivacyNode createQbftNodePrivacyEnabled(
                     List.of("--plugin-privacy-service-encryption-prefix=" + unrestrictedPrefix))
                 .build(),
             new EnclaveKeyConfiguration(
-                privacyAccount.getEnclaveKeyPaths(), privacyAccount.getEnclavePrivateKeyPaths())),
+                privacyAccount.getEnclaveKeyPaths(),
+                privacyAccount.getEnclavePrivateKeyPaths(),
+                privacyAccount.getEnclaveEncryptorType())),
         enclaveType,
         containerNetwork);
   }

acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/privacy/ParameterizedEnclaveTestBase.java

@@ -14,6 +14,8 @@
  */
 package org.hyperledger.besu.tests.acceptance.dsl.privacy;
 
+import static org.hyperledger.enclave.testutil.EnclaveEncryptorType.EC;
+import static org.hyperledger.enclave.testutil.EnclaveEncryptorType.NACL;
 import static org.hyperledger.enclave.testutil.EnclaveType.NOOP;
 import static org.hyperledger.enclave.testutil.EnclaveType.TESSERA;
 import static org.web3j.utils.Restriction.RESTRICTED;
@@ -22,6 +24,7 @@
 import org.hyperledger.besu.tests.acceptance.dsl.privacy.transaction.PluginCreateRandomPrivacyGroupIdTransaction;
 import org.hyperledger.besu.tests.acceptance.dsl.privacy.transaction.RestrictedCreatePrivacyGroupTransaction;
 import org.hyperledger.besu.tests.acceptance.dsl.transaction.Transaction;
+import org.hyperledger.enclave.testutil.EnclaveEncryptorType;
 import org.hyperledger.enclave.testutil.EnclaveType;
 
 import java.util.Arrays;
@@ -36,19 +39,24 @@
 public abstract class ParameterizedEnclaveTestBase extends PrivacyAcceptanceTestBase {
   protected final Restriction restriction;
   protected final EnclaveType enclaveType;
+  protected final EnclaveEncryptorType enclaveEncryptorType;
 
   protected ParameterizedEnclaveTestBase(
-      final Restriction restriction, final EnclaveType enclaveType) {
+      final Restriction restriction,
+      final EnclaveType enclaveType,
+      final EnclaveEncryptorType enclaveEncryptorType) {
     this.restriction = restriction;
     this.enclaveType = enclaveType;
+    this.enclaveEncryptorType = enclaveEncryptorType;
   }
 
-  @Parameters(name = "{0} tx with {1} enclave")
+  @Parameters(name = "{0} tx with {1} enclave and {2} encryptor type")
   public static Collection<Object[]> params() {
     return Arrays.asList(
         new Object[][] {
-          {RESTRICTED, TESSERA},
-          {UNRESTRICTED, NOOP}
+          {RESTRICTED, TESSERA, NACL},
+          {RESTRICTED, TESSERA, EC},
+          {UNRESTRICTED, NOOP, EnclaveEncryptorType.NOOP}
         });
   }
 

acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/privacy/PrivacyAcceptanceTestBase.java

@@ -21,7 +21,6 @@
 import org.hyperledger.besu.tests.acceptance.dsl.condition.net.NetConditions;
 import org.hyperledger.besu.tests.acceptance.dsl.condition.priv.PrivConditions;
 import org.hyperledger.besu.tests.acceptance.dsl.node.configuration.privacy.PrivacyNodeFactory;
-import org.hyperledger.besu.tests.acceptance.dsl.privacy.account.PrivacyAccountResolver;
 import org.hyperledger.besu.tests.acceptance.dsl.privacy.condition.PrivateContractVerifier;
 import org.hyperledger.besu.tests.acceptance.dsl.privacy.condition.PrivateTransactionVerifier;
 import org.hyperledger.besu.tests.acceptance.dsl.privacy.contract.PrivateContractTransactions;
@@ -47,7 +46,6 @@ public class PrivacyAcceptanceTestBase {
   protected final PrivateContractTransactions privateContractTransactions;
   protected final PrivConditions priv;
   protected final PrivacyCluster privacyCluster;
-  protected final PrivacyAccountResolver privacyAccountResolver;
   protected final ContractTransactions contractTransactions;
   protected final NetConditions net;
   protected final EthTransactions ethTransactions;
@@ -63,7 +61,6 @@ public PrivacyAcceptanceTestBase() {
     privacyBesu = new PrivacyNodeFactory(vertx);
     privateContractTransactions = new PrivateContractTransactions();
     privacyCluster = new PrivacyCluster(net);
-    privacyAccountResolver = new PrivacyAccountResolver();
     priv =
         new PrivConditions(
             new org.hyperledger.besu.tests.acceptance.dsl.transaction.privacy

acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/privacy/account/PrivacyAccount.java

@@ -14,6 +14,8 @@
  */
 package org.hyperledger.besu.tests.acceptance.dsl.privacy.account;
 
+import org.hyperledger.enclave.testutil.EnclaveEncryptorType;
+
 import java.io.File;
 import java.net.URL;
 import java.util.Arrays;
@@ -23,27 +25,38 @@ public class PrivacyAccount {
   private final URL privateKeyPath;
   private final URL[] enclaveKeyPaths;
   private final URL[] enclavePrivateKeyPaths;
+  private final EnclaveEncryptorType enclaveEncryptorType;
 
   private PrivacyAccount(
       final URL privateKeyPath,
       final URL[] enclavePublicKeyPaths,
-      final URL[] enclavePrivateKeyPaths) {
+      final URL[] enclavePrivateKeyPaths,
+      final EnclaveEncryptorType enclaveEncryptorType) {
     this.privateKeyPath = privateKeyPath;
     this.enclaveKeyPaths = enclavePublicKeyPaths;
     this.enclavePrivateKeyPaths = enclavePrivateKeyPaths;
+    this.enclaveEncryptorType = enclaveEncryptorType;
   }
 
   public static PrivacyAccount create(
-      final URL privateKeyPath, final URL enclavePublicKeyPath, final URL enclavePrivateKeyPath) {
+      final URL privateKeyPath,
+      final URL enclavePublicKeyPath,
+      final URL enclavePrivateKeyPath,
+      final EnclaveEncryptorType enclaveEncryptorType) {
     return new PrivacyAccount(
-        privateKeyPath, new URL[] {enclavePublicKeyPath}, new URL[] {enclavePrivateKeyPath});
+        privateKeyPath,
+        new URL[] {enclavePublicKeyPath},
+        new URL[] {enclavePrivateKeyPath},
+        enclaveEncryptorType);
   }
 
   public static PrivacyAccount create(
       final URL privateKeyPath,
       final URL[] enclavePublicKeyPath,
-      final URL[] enclavePrivateKeyPath) {
-    return new PrivacyAccount(privateKeyPath, enclavePublicKeyPath, enclavePrivateKeyPath);
+      final URL[] enclavePrivateKeyPath,
+      final EnclaveEncryptorType enclaveEncryptorType) {
+    return new PrivacyAccount(
+        privateKeyPath, enclavePublicKeyPath, enclavePrivateKeyPath, enclaveEncryptorType);
   }
 
   public String getPrivateKeyPath() {
@@ -62,6 +75,10 @@ public String[] getEnclavePrivateKeyPaths() {
         .toArray(String[]::new);
   }
 
+  public EnclaveEncryptorType getEnclaveEncryptorType() {
+    return enclaveEncryptorType;
+  }
+
   private String toStringResource(final URL path) {
     return path.getPath().substring(path.getPath().lastIndexOf(File.separator) + 1);
   }

acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/privacy/account/PrivacyAccountResolver.java

@@ -14,59 +14,88 @@
  */
 package org.hyperledger.besu.tests.acceptance.dsl.privacy.account;
 
+import org.hyperledger.enclave.testutil.EnclaveEncryptorType;
+
 import java.net.URL;
 
 /** Supplier of known funded accounts defined in dev.json */
-public class PrivacyAccountResolver {
-
-  public static final PrivacyAccount ALICE =
-      PrivacyAccount.create(
+public enum PrivacyAccountResolver {
+  ALICE {
+    @Override
+    public PrivacyAccount resolve(final EnclaveEncryptorType enclaveEncryptorType) {
+      return PrivacyAccount.create(
           resolveResource("key"),
-          resolveResource("enclave_key_0.pub"),
-          resolveResource("enclave_key_0.key"));
-
-  public static final PrivacyAccount BOB =
-      PrivacyAccount.create(
+          enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+              ? resolveResource("enclave_ec_key_0.pub")
+              : resolveResource("enclave_key_0.pub"),
+          enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+              ? resolveResource("enclave_ec_key_0.key")
+              : resolveResource("enclave_key_0.key"),
+          enclaveEncryptorType);
+    }
+  },
+  BOB {
+    @Override
+    public PrivacyAccount resolve(final EnclaveEncryptorType enclaveEncryptorType) {
+      return PrivacyAccount.create(
           resolveResource("key1"),
-          resolveResource("enclave_key_1.pub"),
-          resolveResource("enclave_key_1.key"));
-
-  public static final PrivacyAccount CHARLIE =
-      PrivacyAccount.create(
+          enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+              ? resolveResource("enclave_ec_key_1.pub")
+              : resolveResource("enclave_key_1.pub"),
+          enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+              ? resolveResource("enclave_ec_key_1.key")
+              : resolveResource("enclave_key_1.key"),
+          enclaveEncryptorType);
+    }
+  },
+  CHARLIE {
+    @Override
+    public PrivacyAccount resolve(final EnclaveEncryptorType enclaveEncryptorType) {
+      return PrivacyAccount.create(
           resolveResource("key2"),
-          resolveResource("enclave_key_2.pub"),
-          resolveResource("enclave_key_2.key"));
-
-  public static final PrivacyAccount MULTI_TENANCY =
-      PrivacyAccount.create(
+          enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+              ? resolveResource("enclave_ec_key_2.pub")
+              : resolveResource("enclave_key_2.pub"),
+          enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+              ? resolveResource("enclave_ec_key_2.key")
+              : resolveResource("enclave_key_2.key"),
+          enclaveEncryptorType);
+    }
+  },
+  MULTI_TENANCY {
+    @Override
+    public PrivacyAccount resolve(final EnclaveEncryptorType enclaveEncryptorType) {
+      return PrivacyAccount.create(
           resolveResource("key"),
           new URL[] {
-            resolveResource("enclave_key_0.pub"),
-            resolveResource("enclave_key_1.pub"),
-            resolveResource("enclave_key_2.pub")
+            enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+                ? resolveResource("enclave_ec_key_0.pub")
+                : resolveResource("enclave_key_0.pub"),
+            enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+                ? resolveResource("enclave_ec_key_1.pub")
+                : resolveResource("enclave_key_1.pub"),
+            enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+                ? resolveResource("enclave_ec_key_2.pub")
+                : resolveResource("enclave_key_2.pub")
           },
           new URL[] {
-            resolveResource("enclave_key_0.key"),
-            resolveResource("enclave_key_1.key"),
-            resolveResource("enclave_key_2.key")
-          });
-
-  private static URL resolveResource(final String resource) {
-    return PrivacyAccountResolver.class.getClassLoader().getResource(resource);
-  }
+            enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+                ? resolveResource("enclave_ec_key_0.key")
+                : resolveResource("enclave_key_0.key"),
+            enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+                ? resolveResource("enclave_ec_key_1.key")
+                : resolveResource("enclave_key_1.key"),
+            enclaveEncryptorType.equals(EnclaveEncryptorType.EC)
+                ? resolveResource("enclave_ec_key_2.key")
+                : resolveResource("enclave_key_2.key")
+          },
+          enclaveEncryptorType);
+    }
+  };
 
-  public PrivacyAccountResolver() {}
+  public abstract PrivacyAccount resolve(final EnclaveEncryptorType enclaveEncryptorType);
 
-  public PrivacyAccount resolve(final Integer account) {
-    switch (account) {
-      case 0:
-        return ALICE;
-      case 1:
-        return BOB;
-      case 2:
-        return CHARLIE;
-      default:
-        throw new RuntimeException("Unknown privacy account");
-    }
+  URL resolveResource(final String resource) {
+    return PrivacyAccountResolver.class.getClassLoader().getResource(resource);
   }
 }