add flag to handle certificate encryption (#2218)

.github/workflows/manual-deploy-obscuro-gateway.yml

@@ -99,6 +99,7 @@ jobs:
             "GATEWAY_MAX_CONCURRENT_REQUESTS_PER_USER"
             "GATEWAY_KEY_EXCHANGE_URL"
             "GATEWAY_TLS_DOMAIN"
+            "GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED"
           )
 
           for VAR_NAME in "${VAR_NAMES[@]}"; do
@@ -129,6 +130,7 @@ jobs:
           echo "GATEWAY_MAX_CONCURRENT_REQUESTS_PER_USER: $GATEWAY_MAX_CONCURRENT_REQUESTS_PER_USER"
           echo "GATEWAY_KEY_EXCHANGE_URL: $GATEWAY_KEY_EXCHANGE_URL"
           echo "GATEWAY_TLS_DOMAIN: $GATEWAY_TLS_DOMAIN"
+          echo "GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED: $GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED"
 
       - name: "Print GitHub variables"
         run: |
@@ -424,7 +426,8 @@ jobs:
             -keyExchangeURL="${{ env.GATEWAY_KEY_EXCHANGE_URL }}" \
             -insideEnclave=true \
             -enableTLS=true \
-            -tlsDomain="${{ env.GATEWAY_TLS_DOMAIN }}"
+            -tlsDomain="${{ env.GATEWAY_TLS_DOMAIN }}" \
+            -encryptingCertificateEnabled="${{ env.GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED }}"
             
             docker exec "${{ env.VM_NAME }}" sh -c "
                 echo \"Checking volume mount...\";

tools/walletextension/common/config.go

@@ -25,9 +25,9 @@ type Config struct {
 	RateLimitWindow                time.Duration
 	RateLimitMaxConcurrentRequests int
 
-	InsideEnclave  bool // Indicates if the program is running inside an enclave
-	KeyExchangeURL string
-
-	EnableTLS bool
-	TLSDomain string
+	InsideEnclave                  bool // Indicates if the program is running inside an enclave
+	KeyExchangeURL                 string
+	EnableTLS                      bool
+	TLSDomain                      string
+	EncryptingCertificateEnabled   bool
 }

tools/walletextension/main/cli.go

@@ -88,6 +88,10 @@ const (
 	tlsDomainFlagName    = "tlsDomain"
 	tlsDomainFlagDefault = ""
 	tlsDomainFlagUsage   = "Domain name for TLS certificate"
+
+	encryptingCertificateEnabledFlagName    = "encryptingCertificateEnabled"
+	encryptingCertificateEnabledFlagDefault = false
+	encryptingCertificateEnabledFlagUsage   = "Flag to enable encrypting certificate functionality. Default: false"
 )
 
 func parseCLIArgs() wecommon.Config {
@@ -111,6 +115,7 @@ func parseCLIArgs() wecommon.Config {
 	keyExchangeURL := flag.String(keyExchangeURLFlagName, keyExchangeURLFlagDefault, keyExchangeURLFlagUsage)
 	enableTLSFlag := flag.Bool(enableTLSFlagName, enableTLSFlagDefault, enableTLSFlagUsage)
 	tlsDomainFlag := flag.String(tlsDomainFlagName, tlsDomainFlagDefault, tlsDomainFlagUsage)
+	encryptingCertificateEnabled := flag.Bool(encryptingCertificateEnabledFlagName, encryptingCertificateEnabledFlagDefault, encryptingCertificateEnabledFlagUsage)
 	flag.Parse()
 
 	return wecommon.Config{
@@ -133,5 +138,6 @@ func parseCLIArgs() wecommon.Config {
 		KeyExchangeURL:                 *keyExchangeURL,
 		EnableTLS:                      *enableTLSFlag,
 		TLSDomain:                      *tlsDomainFlag,
+		EncryptingCertificateEnabled:   *encryptingCertificateEnabled,
 	}
 }

tools/walletextension/storage/cert_storage.go

@@ -12,10 +12,10 @@ type CertStorage interface {
 }
 
 // NewCertStorage creates a new certificate storage instance based on the database type
-func NewCertStorage(dbType, dbConnectionURL string, randomKey []byte, logger gethlog.Logger) (CertStorage, error) {
+func NewCertStorage(dbType, dbConnectionURL string, randomKey []byte, encryptionEnabled bool, logger gethlog.Logger) (CertStorage, error) {
 	switch dbType {
 	case "cosmosDB":
-		return cosmosdb.NewCertStorageCosmosDB(dbConnectionURL, randomKey)
+		return cosmosdb.NewCertStorageCosmosDB(dbConnectionURL, randomKey, encryptionEnabled)
 	default:
 		return autocert.DirCache("/data/certs"), nil
 	}

tools/walletextension/storage/database/cosmosdb/cert_storage_cosmos.go

@@ -17,9 +17,10 @@ const (
 
 // CertStorageCosmosDB implements autocert.Cache interface using CosmosDB
 type CertStorageCosmosDB struct {
-	client         *azcosmos.Client
-	certsContainer *azcosmos.ContainerClient
-	encryptor      encryption.Encryptor
+	client            *azcosmos.Client
+	certsContainer    *azcosmos.ContainerClient
+	encryptor         *encryption.Encryptor
+	encryptionEnabled bool
 }
 
 // EncryptedCertDocument represents the structure of a certificate document in CosmosDB
@@ -29,10 +30,15 @@ type EncryptedCertDocument struct {
 }
 
 // NewCertStorageCosmosDB creates a new CosmosDB-based certificate storage
-func NewCertStorageCosmosDB(connectionString string, encryptionKey []byte) (*CertStorageCosmosDB, error) {
-	encryptor, err := encryption.NewEncryptor(encryptionKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create encryptor: %w", err)
+func NewCertStorageCosmosDB(connectionString string, encryptionKey []byte, encryptionEnabled bool) (*CertStorageCosmosDB, error) {
+	var encryptor *encryption.Encryptor
+	var err error
+
+	if encryptionEnabled {
+		encryptor, err = encryption.NewEncryptor(encryptionKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create encryptor: %w", err)
+		}
 	}
 
 	client, err := azcosmos.NewClientFromConnectionString(connectionString, nil)
@@ -54,9 +60,10 @@ func NewCertStorageCosmosDB(connectionString string, encryptionKey []byte) (*Cer
 	}
 
 	return &CertStorageCosmosDB{
-		client:         client,
-		certsContainer: certsContainer,
-		encryptor:      *encryptor,
+		client:            client,
+		certsContainer:    certsContainer,
+		encryptor:         encryptor,
+		encryptionEnabled: encryptionEnabled,
 	}, nil
 }
 
@@ -78,21 +85,31 @@ func (c *CertStorageCosmosDB) Get(ctx context.Context, key string) ([]byte, erro
 		return nil, fmt.Errorf("failed to unmarshal document: %w", err)
 	}
 
-	return c.encryptor.Decrypt(doc.Data)
+	if c.encryptionEnabled {
+		return c.encryptor.Decrypt(doc.Data)
+	}
+	return doc.Data, nil
 }
 
 // Put stores certificate data with the given key
 func (c *CertStorageCosmosDB) Put(ctx context.Context, key string, data []byte) error {
 	keyString, partitionKey := c.dbKey([]byte(key))
 
-	encryptedData, err := c.encryptor.Encrypt(data)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt certificate data: %w", err)
+	var storageData []byte
+	var err error
+
+	if c.encryptionEnabled {
+		storageData, err = c.encryptor.Encrypt(data)
+		if err != nil {
+			return fmt.Errorf("failed to encrypt certificate data: %w", err)
+		}
+	} else {
+		storageData = data
 	}
 
 	doc := EncryptedCertDocument{
 		ID:   keyString,
-		Data: encryptedData,
+		Data: storageData,
 	}
 
 	docJSON, err := json.Marshal(doc)

tools/walletextension/walletextension_container.go

@@ -81,7 +81,7 @@ func NewContainerFromConfig(config wecommon.Config, logger gethlog.Logger) *Cont
 		// CRS is sent to CA (Let's Encrypt) via ACME (automated certificate management environment) client
 		// CA verifies CRS and issues a certificate
 		// Store certificate and private key in certificate storage based on the database type
-		certStorage, err := storage.NewCertStorage(config.DBType, config.DBConnectionURL, encryptionKey, logger)
+		certStorage, err := storage.NewCertStorage(config.DBType, config.DBConnectionURL, encryptionKey, config.EncryptingCertificateEnabled, logger)
 		if err != nil {
 			logger.Crit("unable to create certificate storage", log.ErrKey, err)
 			os.Exit(1)