feat: node identity part 2 (#2905)

continuation from #2771 for #2595

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Alec Thomas <[email protected]>

backend/controller/controller.go

@@ -462,6 +462,10 @@ func (s *Service) Status(ctx context.Context, req *connect.Request[ftlv1.StatusR
 	return connect.NewResponse(resp), nil
 }
 
+func (s *Service) GetCertification(context.Context, *connect.Request[ftlv1.GetCertificationRequest]) (*connect.Response[ftlv1.GetCertificationResponse], error) {
+	panic("implement me")
+}
+
 func (s *Service) StreamDeploymentLogs(ctx context.Context, stream *connect.ClientStream[ftlv1.StreamDeploymentLogsRequest]) (*connect.Response[ftlv1.StreamDeploymentLogsResponse], error) {
 	for stream.Receive() {
 		msg := stream.Msg()

backend/controller/identity/identity_test.go

@@ -30,6 +30,7 @@ func TestIdentity(t *testing.T) {
 
 	service, err = New(ctx, encryption, conn)
 	assert.NoError(t, err)
-	err = service.Verify(*signedData)
+	data, err := service.Verify(signedData)
 	assert.NoError(t, err)
+	assert.Equal(t, "test", string(data))
 }

backend/controller/identity/dal/dal.go → backend/controller/identity/internal/dal/dal.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/TBD54566975/ftl/backend/controller/identity/dal/internal/sql"
+	"github.com/TBD54566975/ftl/backend/controller/identity/internal/sql"
 	"github.com/TBD54566975/ftl/backend/libdal"
 )
 

backend/controller/identity/identity.go → backend/controller/identity/service.go

@@ -11,22 +11,22 @@ import (
 
 	encryptionsvc "github.com/TBD54566975/ftl/backend/controller/encryption"
 	"github.com/TBD54566975/ftl/backend/controller/encryption/api"
-	"github.com/TBD54566975/ftl/backend/controller/identity/dal"
+	"github.com/TBD54566975/ftl/backend/controller/identity/internal/dal"
 	"github.com/TBD54566975/ftl/backend/libdal"
 	internalidentity "github.com/TBD54566975/ftl/internal/identity"
 	"github.com/TBD54566975/ftl/internal/log"
 )
 
 type Service struct {
-	dal        dal.DAL
+	dal        *dal.DAL
 	encryption *encryptionsvc.Service
 	signer     internalidentity.Signer
 	verifier   internalidentity.Verifier
 }
 
 func New(ctx context.Context, encryption *encryptionsvc.Service, conn *sql.DB) (*Service, error) {
 	svc := &Service{
-		dal:        *dal.New(conn),
+		dal:        dal.New(conn),
 		encryption: encryption,
 	}
 
@@ -55,42 +55,42 @@ func New(ctx context.Context, encryption *encryptionsvc.Service, conn *sql.DB) (
 	return svc, nil
 }
 
-func (s Service) Sign(data []byte) (*internalidentity.SignedData, error) {
+func (s Service) Sign(data []byte) (internalidentity.SignedData, error) {
 	signedData, err := s.signer.Sign(data)
 	if err != nil {
-		return nil, fmt.Errorf("failed to sign data: %w", err)
+		return internalidentity.SignedData{}, fmt.Errorf("failed to sign data: %w", err)
 	}
 
 	return signedData, nil
 }
 
-func (s Service) Verify(signedData internalidentity.SignedData) error {
-	err := s.verifier.Verify(signedData)
+func (s Service) Verify(signedData internalidentity.SignedData) ([]byte, error) {
+	data, err := s.verifier.Verify(signedData)
 	if err != nil {
-		return fmt.Errorf("failed to verify data: %w", err)
+		return nil, fmt.Errorf("failed to verify data: %w", err)
 	}
 
-	return nil
+	return data, nil
 }
 
 func (s Service) getKeyPair(ctx context.Context) (internalidentity.KeyPair, error) {
 	identity, err := s.dal.GetOnlyIdentityKey(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get only identity key: %w", err)
+		return internalidentity.KeyPair{}, fmt.Errorf("failed to get only identity key: %w", err)
 	}
 
 	reader := keyset.NewBinaryReader(bytes.NewReader(identity.Private.Bytes()))
 	aead, err := s.encryption.AEAD()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get AEAD: %w", err)
+		return internalidentity.KeyPair{}, fmt.Errorf("failed to get AEAD: %w", err)
 	}
 
 	handle, err := keyset.Read(reader, aead)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read keyset: %w", err)
+		return internalidentity.KeyPair{}, fmt.Errorf("failed to read keyset: %w", err)
 	}
 
-	keyPair := internalidentity.NewTinkKeyPair(*handle)
+	keyPair := internalidentity.NewKeyPair(*handle)
 	return keyPair, nil
 }
 
@@ -123,7 +123,7 @@ func (s Service) ensureIdentity(ctx context.Context) (err error) {
 }
 
 func (s Service) generateAndSaveIdentity(ctx context.Context, tx *dal.DAL) error {
-	pair, err := internalidentity.GenerateTinkKeyPair()
+	pair, err := internalidentity.GenerateKeyPair()
 	if err != nil {
 		return fmt.Errorf("failed to generate key pair: %w", err)
 	}
@@ -144,9 +144,13 @@ func (s Service) generateAndSaveIdentity(ctx context.Context, tx *dal.DAL) error
 	}
 
 	// For total sanity, verify immediately
-	if err = verifier.Verify(*signed); err != nil {
+	verified, err := verifier.Verify(signed)
+	if err != nil {
 		return fmt.Errorf("failed to verify signed verification: %w", err)
 	}
+	if string(verified) != verificationText {
+		return fmt.Errorf("failed to verify signed verification: got %q, want %q", verified, verificationText)
+	}
 
 	// TODO: Make this support different encryptors.
 	// Might need to refactor internal/identity to access controller encryption types.
@@ -172,7 +176,7 @@ func (s Service) generateAndSaveIdentity(ctx context.Context, tx *dal.DAL) error
 
 	encryptedIdentity := &dal.EncryptedIdentity{
 		Private:         encryptedIdentityColumn,
-		Public:          public,
+		Public:          public.Bytes,
 		VerifySignature: signed.Signature,
 	}
 	if err := tx.CreateOnlyIdentityKey(ctx, *encryptedIdentity); err != nil {