feat(sdk): Get the algorithm from the KASInfo and not the config (#272)

Instead of taking what's in the config use what's in the key since what we use
to actually do the cryptography. Also some refactoring to simplify how we get
key metadata.

Author: mkleene

sdk/src/main/java/io/opentdf/platform/sdk/ECCMode.java

@@ -1,5 +1,7 @@
 package io.opentdf.platform.sdk;
 
+import javax.annotation.Nonnull;
+
 public class ECCMode {
     private ECCModeStruct data;
 
@@ -13,7 +15,7 @@ public ECCMode() {
     public ECCMode(byte value) {
         data = new ECCModeStruct();
         int curveMode = value & 0x07; // first 3 bits
-        setEllipticCurve(NanoTDFType.ECCurve.values()[curveMode]);
+        setEllipticCurve(NanoTDFType.ECCurve.fromCurveMode(curveMode));
         int useECDSABinding = (value >> 7) & 0x01; // most significant bit
         data.useECDSABinding = useECDSABinding;
     }
@@ -44,75 +46,24 @@ public void setEllipticCurve(NanoTDFType.ECCurve curve) {
         }
     }
 
-    public NanoTDFType.ECCurve getEllipticCurveType() {
-        return NanoTDFType.ECCurve.values()[data.curveMode];
-    }
-
     public boolean isECDSABindingEnabled() {
         return data.useECDSABinding == 1;
     }
 
-    public String getCurveName() {
-        return getEllipticCurveName(NanoTDFType.ECCurve.values()[data.curveMode]);
-    }
-
     public byte getECCModeAsByte() {
         int value = (data.useECDSABinding << 7) | data.curveMode;
         return (byte) value;
     }
 
-    public static String getEllipticCurveName(NanoTDFType.ECCurve curve) {
-        switch (curve) {
-            case SECP256R1:
-                return "secp256r1";
-            case SECP384R1:
-                return "secp384r1";
-            case SECP521R1:
-                return "secp521r1";
-            case SECP256K1:
-                throw new RuntimeException("SDK doesn't support 'secp256k1' curve");
-            default:
-                throw new RuntimeException("Unsupported ECC algorithm.");
-        }
-    }
-
-    public static int getECKeySize(NanoTDFType.ECCurve curve) {
-        switch (curve) {
-            case SECP256K1:
-                throw new RuntimeException("SDK doesn't support 'secp256k1' curve");
-            case SECP256R1:
-                return 32;
-            case SECP384R1:
-                return 48;
-            case SECP521R1:
-                return 66;
-            default:
-                throw new RuntimeException("Unsupported ECC algorithm.");
-        }
-    }
-
     public static int getECDSASignatureStructSize(NanoTDFType.ECCurve curve) {
-        int keySize = getECKeySize(curve);
+        int keySize = curve.getKeySize();
         return (1 + keySize + 1 + keySize);
     }
 
-    public static int getECKeySize(String curveName) {
-        return ECKeyPair.getECKeySize(curveName);
-    }
 
-    public static int getECCompressedPubKeySize(NanoTDFType.ECCurve curve) {
-        switch (curve) {
-            case SECP256K1:
-                throw new RuntimeException("SDK doesn't support 'secp256k1' curve");
-            case SECP256R1:
-                return 33;
-            case SECP384R1:
-                return 49;
-            case SECP521R1:
-                return 67;
-            default:
-                throw new RuntimeException("Unsupported ECC algorithm.");
-        }
+    @Nonnull
+    public NanoTDFType.ECCurve getCurve() {
+        return NanoTDFType.ECCurve.fromCurveMode(data.curveMode);
     }
 
     private class ECCModeStruct {

sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java

@@ -24,6 +24,7 @@
 import java.io.*;
 import java.security.*;
 import java.security.spec.*;
+import java.util.Objects;
 // https://www.bouncycastle.org/latest_releases.html
 
 public class ECKeyPair {
@@ -32,45 +33,23 @@ public class ECKeyPair {
         Security.addProvider(new BouncyCastleProvider());
     }
 
+    private final NanoTDFType.ECCurve curve;
+
     public enum ECAlgorithm {
         ECDH,
         ECDSA
     }
 
     private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();
 
-    public enum NanoTDFECCurve {
-        SECP256R1("secp256r1", KeyType.EC256Key),
-        PRIME256V1("prime256v1", KeyType.EC256Key),
-        SECP384R1("secp384r1", KeyType.EC384Key),
-        SECP521R1("secp521r1", KeyType.EC521Key);
-
-        private String name;
-        private KeyType keyType;
-
-        NanoTDFECCurve(String curveName, KeyType keyType) {
-            this.name = curveName;
-            this.keyType = keyType;
-        }
-
-        @Override
-        public String toString() {
-            return name;
-        }
-
-        public KeyType getKeyType() {
-            return keyType;
-        }
-    }
-
     private KeyPair keyPair;
-    private String curveName;
 
     public ECKeyPair() {
-        this("secp256r1", ECAlgorithm.ECDH);
+        this(NanoTDFType.ECCurve.SECP256R1, ECAlgorithm.ECDH);
     }
 
-    public ECKeyPair(String curveName, ECAlgorithm algorithm) {
+    public ECKeyPair(NanoTDFType.ECCurve curve, ECAlgorithm algorithm) {
+        this.curve = Objects.requireNonNull(curve);
         KeyPairGenerator generator;
 
         try {
@@ -85,19 +64,13 @@ public ECKeyPair(String curveName, ECAlgorithm algorithm) {
             throw new RuntimeException(e);
         }
 
-        ECGenParameterSpec spec = new ECGenParameterSpec(curveName);
+        ECGenParameterSpec spec = new ECGenParameterSpec(this.curve.getCurveName());
         try {
             generator.initialize(spec);
         } catch (InvalidAlgorithmParameterException e) {
             throw new RuntimeException(e);
         }
         this.keyPair = generator.generateKeyPair();
-        this.curveName = curveName;
-    }
-
-    public ECKeyPair(ECPublicKey publicKey, ECPrivateKey privateKey, String curveName) {
-        this.keyPair = new KeyPair(publicKey, privateKey);
-        this.curveName = curveName;
     }
 
     public ECPublicKey getPublicKey() {
@@ -108,17 +81,8 @@ public ECPrivateKey getPrivateKey() {
         return (ECPrivateKey) this.keyPair.getPrivate();
     }
 
-    public static int getECKeySize(String curveName) {
-        if (curveName.equalsIgnoreCase(NanoTDFECCurve.SECP256R1.toString()) ||
-                curveName.equalsIgnoreCase(NanoTDFECCurve.PRIME256V1.toString())) {
-            return 32;
-        } else if (curveName.equalsIgnoreCase(NanoTDFECCurve.SECP384R1.toString())) {
-            return 48;
-        } else if (curveName.equalsIgnoreCase(NanoTDFECCurve.SECP521R1.toString())) {
-            return 66;
-        } else {
-            throw new IllegalArgumentException("Unsupported ECC algorithm.");
-        }
+    NanoTDFType.ECCurve getCurve() {
+        return this.curve;
     }
 
     public String publicKeyInPEMFormat() {
@@ -155,10 +119,6 @@ public int keySize() {
         return this.keyPair.getPrivate().getEncoded().length * 8;
     }
 
-    public String curveName() {
-        return this.curveName;
-    }
-
     public byte[] compressECPublickey() {
         return ((ECPublicKey) this.keyPair.getPublic()).getQ().getEncoded(true);
     }

sdk/src/main/java/io/opentdf/platform/sdk/Header.java

@@ -26,7 +26,7 @@ public Header(ByteBuffer buffer) {
         this.payloadConfig = new SymmetricAndPayloadConfig(buffer.get());
         this.policyInfo = new PolicyInfo(buffer, this.eccMode);
 
-        int compressedPubKeySize = ECCMode.getECCompressedPubKeySize(this.eccMode.getEllipticCurveType());
+        int compressedPubKeySize = this.eccMode.getCurve().getCompressedPubKeySize();
         this.ephemeralKey = new byte[compressedPubKeySize];
         buffer.get(this.ephemeralKey);
     }
@@ -79,10 +79,10 @@ public PolicyInfo getPolicyInfo() {
     }
 
     public void setEphemeralKey(byte[] bytes) {
-        if (bytes.length < eccMode.getECCompressedPubKeySize(eccMode.getEllipticCurveType())) {
+        if (bytes.length < eccMode.getCurve().getCompressedPubKeySize()) {
             throw new IllegalArgumentException("Failed to read ephemeral key - invalid buffer size.");
         }
-        ephemeralKey = Arrays.copyOf(bytes, eccMode.getECCompressedPubKeySize(eccMode.getEllipticCurveType()));
+        ephemeralKey = Arrays.copyOf(bytes, eccMode.getCurve().getCompressedPubKeySize());
     }
 
     public byte[] getEphemeralKey() {

sdk/src/main/java/io/opentdf/platform/sdk/KASClient.java

@@ -21,6 +21,8 @@
 import io.opentdf.platform.sdk.SDK.KasBadRequestException;
 
 import okhttp3.OkHttpClient;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -49,6 +51,8 @@ class KASClient implements SDK.KAS {
     private String clientPublicKey;
     private KASKeyCache kasKeyCache;
 
+    private static final Logger log = LoggerFactory.getLogger(KASClient.class);
+
     /***
      * A client that communicates with KAS
      * 
@@ -69,7 +73,9 @@ class KASClient implements SDK.KAS {
 
     @Override
     public KASInfo getECPublicKey(Config.KASInfo kasInfo, NanoTDFType.ECCurve curve) {
-        var req = PublicKeyRequest.newBuilder().setAlgorithm(format("ec:%s", curve.toString())).build();
+        log.debug("retrieving public key with kasinfo = [{}]", kasInfo);
+
+        var req = PublicKeyRequest.newBuilder().setAlgorithm(curve.getPlatformCurveName()).build();
         var r = getStub(kasInfo.URL).publicKeyBlocking(req, Collections.emptyMap()).execute();
         PublicKeyResponse res;
         try {
@@ -147,10 +153,9 @@ static class NanoTDFRewrapRequestBody {
     @Override
     public byte[] unwrap(Manifest.KeyAccess keyAccess, String policy,  KeyType sessionKeyType) {
         ECKeyPair ecKeyPair = null;
-
         if (sessionKeyType.isEc()) {
-            var curveName = sessionKeyType.getCurveName();
-            ecKeyPair = new ECKeyPair(curveName, ECKeyPair.ECAlgorithm.ECDH);
+            var curve = sessionKeyType.getECCurve();
+            ecKeyPair = new ECKeyPair(curve, ECKeyPair.ECAlgorithm.ECDH);
             clientPublicKey = ecKeyPair.publicKeyInPEMFormat();
         } else {
             // Initialize the RSA key pair only once and reuse it for future unwrap operations
@@ -198,7 +203,7 @@ public byte[] unwrap(Manifest.KeyAccess keyAccess, String policy,  KeyType sessi
         }
 
         var wrappedKey = response.getEntityWrappedKey().toByteArray();
-        if (sessionKeyType != KeyType.RSA2048Key) {
+        if (sessionKeyType.isEc()) {
 
             if (ecKeyPair == null) {
                 throw new SDKException("ECKeyPair is null. Unable to proceed with the unwrap operation.");
@@ -219,7 +224,7 @@ public byte[] unwrap(Manifest.KeyAccess keyAccess, String policy,  KeyType sessi
     }
 
     public byte[] unwrapNanoTDF(NanoTDFType.ECCurve curve, String header, String kasURL) {
-        ECKeyPair keyPair = new ECKeyPair(curve.toString(), ECKeyPair.ECAlgorithm.ECDH);
+        ECKeyPair keyPair = new ECKeyPair(curve, ECKeyPair.ECAlgorithm.ECDH);
 
         NanoTDFKeyAccess keyAccess = new NanoTDFKeyAccess();
         keyAccess.header = header;
@@ -228,7 +233,7 @@ public byte[] unwrapNanoTDF(NanoTDFType.ECCurve curve, String header, String kas
         keyAccess.protocol = "kas";
 
         NanoTDFRewrapRequestBody body = new NanoTDFRewrapRequestBody();
-        body.algorithm = format("ec:%s", curve.toString());
+        body.algorithm = format("ec:%s", curve.getCurveName());
         body.clientPublicKey = keyPair.publicKeyInPEMFormat();
         body.keyAccess = keyAccess;
 

sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java

@@ -1,33 +1,40 @@
 package io.opentdf.platform.sdk;
 
+import javax.annotation.Nonnull;
+
+import static io.opentdf.platform.sdk.NanoTDFType.ECCurve.SECP256R1;
+import static io.opentdf.platform.sdk.NanoTDFType.ECCurve.SECP384R1;
+import static io.opentdf.platform.sdk.NanoTDFType.ECCurve.SECP521R1;
+
 public enum KeyType {
     RSA2048Key("rsa:2048"),
-    EC256Key("ec:secp256r1"),
-    EC384Key("ec:secp384r1"),
-    EC521Key("ec:secp521r1");
+    EC256Key("ec:secp256r1", SECP256R1),
+    EC384Key("ec:secp384r1", SECP384R1),
+    EC521Key("ec:secp521r1", SECP521R1);
 
     private final String keyType;
+    private final NanoTDFType.ECCurve curve;
 
-    KeyType(String keyType) {
+    KeyType(String keyType, NanoTDFType.ECCurve ecCurve) {
         this.keyType = keyType;
+        this.curve = ecCurve;
     }
 
-    @Override
-    public String toString() {
-        return keyType;
+    KeyType(String keyType) {
+        this(keyType, null);
     }
 
-    public String getCurveName() {
-        switch (this) {
-            case EC256Key:
-                return "secp256r1";
-            case EC384Key:
-                return "secp384r1";
-            case EC521Key:
-                return "secp521r1";
-            default:
-                throw new IllegalArgumentException("Unsupported key type: " + this);
+    @Nonnull
+    NanoTDFType.ECCurve getECCurve() {
+        if (!isEc()) {
+            throw new IllegalStateException("This key type does not have an ECCurve associated with it: " + keyType);
         }
+        return curve;
+    }
+
+    @Override
+    public String toString() {
+        return keyType;
     }
 
     public static KeyType fromString(String keyType) {
@@ -40,6 +47,6 @@ public static KeyType fromString(String keyType) {
     }
 
     public boolean isEc() {
-        return this != RSA2048Key;
+        return this.curve != null;
     }
 }