diff --git a/.github/workflows/manual-deploy-obscuro-gateway.yml b/.github/workflows/manual-deploy-obscuro-gateway.yml
index ce0a1afc3..b7d6c272e 100644
--- a/.github/workflows/manual-deploy-obscuro-gateway.yml
+++ b/.github/workflows/manual-deploy-obscuro-gateway.yml
@@ -99,6 +99,7 @@ jobs:
  "GATEWAY_MAX_CONCURRENT_REQUESTS_PER_USER"
  "GATEWAY_KEY_EXCHANGE_URL"
  "GATEWAY_TLS_DOMAIN"
+ "GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED"
  )
 
  for VAR_NAME in "${VAR_NAMES[@]}"; do
@@ -129,6 +130,7 @@ jobs:
  echo "GATEWAY_MAX_CONCURRENT_REQUESTS_PER_USER: $GATEWAY_MAX_CONCURRENT_REQUESTS_PER_USER"
  echo "GATEWAY_KEY_EXCHANGE_URL: $GATEWAY_KEY_EXCHANGE_URL"
  echo "GATEWAY_TLS_DOMAIN: $GATEWAY_TLS_DOMAIN"
+ echo "GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED: $GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED"
 
  - name: "Print GitHub variables"
  run: |
@@ -424,7 +426,8 @@ jobs:
  -keyExchangeURL="${{ env.GATEWAY_KEY_EXCHANGE_URL }}" \
  -insideEnclave=true \
  -enableTLS=true \
- -tlsDomain="${{ env.GATEWAY_TLS_DOMAIN }}"
+ -tlsDomain="${{ env.GATEWAY_TLS_DOMAIN }}" \
+ -encryptingCertificateEnabled="${{ env.GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED }}"
 
  docker exec "${{ env.VM_NAME }}" sh -c "
  echo \"Checking volume mount...\";
diff --git a/tools/walletextension/common/config.go b/tools/walletextension/common/config.go
index cd0ee6a05..5250392ee 100644
--- a/tools/walletextension/common/config.go
+++ b/tools/walletextension/common/config.go
@@ -25,9 +25,9 @@ type Config struct {
  RateLimitWindow time.Duration
  RateLimitMaxConcurrentRequests int
 
- InsideEnclave bool // Indicates if the program is running inside an enclave
- KeyExchangeURL string
-
- EnableTLS bool
- TLSDomain string
+ InsideEnclave bool // Indicates if the program is running inside an enclave
+ KeyExchangeURL string
+ EnableTLS bool
+ TLSDomain string
+ EncryptingCertificateEnabled bool
 }
diff --git a/tools/walletextension/main/cli.go b/tools/walletextension/main/cli.go
index 6a02e3c3e..ae2cb34bf 100644
--- a/tools/walletextension/main/cli.go
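Review bot: The new `-encryptingCertificateEnabled="${{ env.GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED }}"` line feeds a GitHub variable straight into a Go bool flag, so an unset or misspelled variable expands to `-encryptingCertificateEnabled=""`, which `flag.Bool` rejects and the gateway fails to start. If the `VAR_NAMES` loop earlier in the job (its body is outside this hunk) already aborts on empty values that case is covered, but a value such as `yes` still passes that loop and fails at parse time. Since this variable decides whether the TLS private key is stored encrypted, I would validate it before the `docker run`, e.g. `case "$GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED" in true|false) ;; *) echo "GATEWAY_ENCRYPTING_CERTIFICATE_ENABLED must be true or false"; exit 1;; esac`. The `docker run` command this line belongs to starts outside the hunk.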
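Review bot: `EncryptingCertificateEnabled bool` is added without a comment, while the neighbouring `InsideEnclave` field documents its meaning, and the name does not say what is encrypted or where. Because the container stores the certificate together with its private key (per the comment above the `NewCertStorage` call in walletextension_container.go in this same diff), the field is a security switch and deserves a line such as `EncryptingCertificateEnabled bool // Encrypt TLS certificates and private keys at rest in the certificate store (cosmosDB backend only)`. The hunk also removes the blank line that separated the enclave/key-exchange pair from the TLS pair, flattening the earlier grouping; if that is unintended it is worth restoring.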
+++ b/tools/walletextension/main/cli.go
@@ -88,6 +88,10 @@ const (
  tlsDomainFlagName = "tlsDomain"
  tlsDomainFlagDefault = ""
  tlsDomainFlagUsage = "Domain name for TLS certificate"
+
+ encryptingCertificateEnabledFlagName = "encryptingCertificateEnabled"
+ encryptingCertificateEnabledFlagDefault = false
+ encryptingCertificateEnabledFlagUsage = "Flag to enable encrypting certificate functionality. Default: false"
 )
 
 func parseCLIArgs() wecommon.Config {
@@ -111,6 +115,7 @@ func parseCLIArgs() wecommon.Config {
  keyExchangeURL := flag.String(keyExchangeURLFlagName, keyExchangeURLFlagDefault, keyExchangeURLFlagUsage)
  enableTLSFlag := flag.Bool(enableTLSFlagName, enableTLSFlagDefault, enableTLSFlagUsage)
  tlsDomainFlag := flag.String(tlsDomainFlagName, tlsDomainFlagDefault, tlsDomainFlagUsage)
+ encryptingCertificateEnabled := flag.Bool(encryptingCertificateEnabledFlagName, encryptingCertificateEnabledFlagDefault, encryptingCertificateEnabledFlagUsage)
  flag.Parse()
 
  return wecommon.Config{
@@ -133,5 +138,6 @@ func parseCLIArgs() wecommon.Config {
  KeyExchangeURL: *keyExchangeURL,
  EnableTLS: *enableTLSFlag,
  TLSDomain: *tlsDomainFlag,
+ EncryptingCertificateEnabled: *encryptingCertificateEnabled,
  }
 }
diff --git a/tools/walletextension/storage/cert_storage.go b/tools/walletextension/storage/cert_storage.go
index c8f1199a9..f75bdfebd 100644
--- a/tools/walletextension/storage/cert_storage.go
+++ b/tools/walletextension/storage/cert_storage.go
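Review bot: `encryptingCertificateEnabledFlagDefault = false` makes the insecure mode the default: an operator who does not know about the flag gets the TLS certificate and its private key written to the certificate store unencrypted, and nothing in the usage string says so. Fail-closed would be `encryptingCertificateEnabledFlagDefault = true` with the flag used to opt out; if the default has to stay false for compatibility with existing deployments, the usage text should at least state the consequence, e.g. `"Encrypt TLS certificates and private keys at rest in the certificate store; when false they are stored in plaintext"`. The trailing `Default: false` hard-codes the default into the help text, so it goes stale the moment the default changes; let the flag package report it instead. The `const` block and `parseCLIArgs` both begin outside this hunk.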
@@ -12,10 +12,10 @@ type CertStorage interface {
 }
 
 // NewCertStorage creates a new certificate storage instance based on the database type
-func NewCertStorage(dbType, dbConnectionURL string, randomKey []byte, logger gethlog.Logger) (CertStorage, error) {
+func NewCertStorage(dbType, dbConnectionURL string, randomKey []byte, encryptionEnabled bool, logger gethlog.Logger) (CertStorage, error) {
  switch dbType {
  case "cosmosDB":
- return cosmosdb.NewCertStorageCosmosDB(dbConnectionURL, randomKey)
+ return cosmosdb.NewCertStorageCosmosDB(dbConnectionURL, randomKey, encryptionEnabled)
  default:
  return autocert.DirCache("/data/certs"), nil
  }
diff --git a/tools/walletextension/storage/database/cosmosdb/cert_storage_cosmos.go b/tools/walletextension/storage/database/cosmosdb/cert_storage_cosmos.go
index cb0b831d4..8d2bc7341 100644
--- a/tools/walletextension/storage/database/cosmosdb/cert_storage_cosmos.go
+++ b/tools/walletextension/storage/database/cosmosdb/cert_storage_cosmos.go
@@ -17,9 +17,10 @@ const (
 
 // CertStorageCosmosDB implements autocert.Cache interface using CosmosDB
 type CertStorageCosmosDB struct {
- client *azcosmos.Client
- certsContainer *azcosmos.ContainerClient
- encryptor encryption.Encryptor
+ client *azcosmos.Client
+ certsContainer *azcosmos.ContainerClient
+ encryptor *encryption.Encryptor
+ encryptionEnabled bool
 }
 
 // EncryptedCertDocument represents the structure of a certificate document in CosmosDB
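Review bot: `encryptionEnabled` only reaches the `cosmosDB` branch; the `default` branch still returns `autocert.DirCache("/data/certs")`, which writes the certificate files to disk regardless of the flag, so a caller passing `encryptionEnabled=true` with any other `dbType` gets neither encryption nor an error. The doc comment on `NewCertStorage` should say so, e.g. `// encryptionEnabled applies to the cosmosDB backend only; DirCache stores certificates unencrypted on disk.` The `logger` parameter is not used anywhere in the body shown, so it would be the natural place to at least warn about that combination. The parameter is also named `randomKey` here but `encryptionKey` in the CosmosDB constructor; one name would make the data flow easier to audit.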
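Review bot: `encryptionEnabled bool` duplicates state that `encryptor *encryption.Encryptor` already carries: the constructor later in this diff leaves `encryptor` nil exactly when `encryptionEnabled` is false, so every method now has two fields that must agree and a nil dereference waiting if they ever do not. Either drop the bool and branch on `c.encryptor != nil`, or document the invariant on the field, e.g. `encryptor *encryption.Encryptor // nil unless encryptionEnabled; never dereference without checking`. The `EncryptedCertDocument` name on the following type also becomes misleading, since the document may now hold plaintext.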
@@ -29,10 +30,15 @@ type EncryptedCertDocument struct {
 }
 
 // NewCertStorageCosmosDB creates a new CosmosDB-based certificate storage
-func NewCertStorageCosmosDB(connectionString string, encryptionKey []byte) (*CertStorageCosmosDB, error) {
- encryptor, err := encryption.NewEncryptor(encryptionKey)
- if err != nil {
- return nil, fmt.Errorf("failed to create encryptor: %w", err)
+func NewCertStorageCosmosDB(connectionString string, encryptionKey []byte, encryptionEnabled bool) (*CertStorageCosmosDB, error) {
+ var encryptor *encryption.Encryptor
+ var err error
+
+ if encryptionEnabled {
+ encryptor, err = encryption.NewEncryptor(encryptionKey)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create encryptor: %w", err)
+ }
  }
 
  client, err := azcosmos.NewClientFromConnectionString(connectionString, nil)
@@ -54,9 +60,10 @@ func NewCertStorageCosmosDB(connectionString string, encryptionKey []byte) (*Cer
  }
 
  return &CertStorageCosmosDB{
- client: client,
- certsContainer: certsContainer,
- encryptor: *encryptor,
+ client: client,
+ certsContainer: certsContainer,
+ encryptor: encryptor,
+ encryptionEnabled: encryptionEnabled,
  }, nil
 }
 
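Review bot: When `encryptionEnabled` is false the constructor silently discards `encryptionKey` and returns a store whose `encryptor` is nil, and neither the unchanged `// NewCertStorageCosmosDB` comment nor any log line records that certificate data will be persisted in plaintext. Extend the doc comment with a sentence such as `// When encryptionEnabled is false, encryptionKey is ignored and certificate data (including private keys) is stored unencrypted; encryptor is left nil and must not be dereferenced.` A caller that passes key material it expects to be used has no way to notice it was dropped, so the contract needs to be explicit. The function continues past the end of the first hunk.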
@@ -78,21 +85,31 @@ func (c *CertStorageCosmosDB) Get(ctx context.Context, key string) ([]byte, erro
  return nil, fmt.Errorf("failed to unmarshal document: %w", err)
  }
 
- return c.encryptor.Decrypt(doc.Data)
+ if c.encryptionEnabled {
+ return c.encryptor.Decrypt(doc.Data)
+ }
+ return doc.Data, nil
 }
 
 // Put stores certificate data with the given key
 func (c *CertStorageCosmosDB) Put(ctx context.Context, key string, data []byte) error {
  keyString, partitionKey := c.dbKey([]byte(key))
 
- encryptedData, err := c.encryptor.Encrypt(data)
- if err != nil {
- return fmt.Errorf("failed to encrypt certificate data: %w", err)
+ var storageData []byte
+ var err error
+
+ if c.encryptionEnabled {
+ storageData, err = c.encryptor.Encrypt(data)
+ if err != nil {
+ return fmt.Errorf("failed to encrypt certificate data: %w", err)
+ }
+ } else {
+ storageData = data
  }
 
  doc := EncryptedCertDocument{
  ID: keyString,
- Data: encryptedData,
+ Data: storageData,
  }
 
  docJSON, err := json.Marshal(doc)
diff --git a/tools/walletextension/walletextension_container.go b/tools/walletextension/walletextension_container.go
index d95447f87..a3dff0ba6 100644
--- a/tools/walletextension/walletextension_container.go
+++ b/tools/walletextension/walletextension_container.go
@@ -81,7 +81,7 @@ func NewContainerFromConfig(config wecommon.Config, logger gethlog.Logger) *Cont
  // CRS is sent to CA (Let's Encrypt) via ACME (automated certificate management environment) client
  // CA verifies CRS and issues a certificate
  // Store certificate and private key in certificate storage based on the database type
- certStorage, err := storage.NewCertStorage(config.DBType, config.DBConnectionURL, encryptionKey, logger)
+ certStorage, err := storage.NewCertStorage(config.DBType, config.DBConnectionURL, encryptionKey, config.EncryptingCertificateEnabled, logger)
  if err != nil {
  logger.Crit("unable to create certificate storage", log.ErrKey, err)
  os.Exit(1)
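Review bot: `Get` decides whether `doc.Data` is ciphertext from the process-wide `c.encryptionEnabled` flag rather than from anything stored with the document, so flipping the flag between deployments either hands ciphertext to autocert as if it were a certificate (flag turned off) or runs `Decrypt` over plaintext (flag turned on); every document written before this commit is encrypted, while the flag now defaults to off. Record the format in the document and branch on that in `Get`; because legacy documents are all encrypted and carry no marker, the marker must default to "encrypted" when absent, i.e. a `Plaintext bool `json:"plaintext,omitempty"`` field on `EncryptedCertDocument` (defined outside this hunk). `Get` should also refuse an encrypted document when `c.encryptor` is nil instead of dereferencing it. Both functions extend beyond the hunk: the fetch at the top of `Get` and the write at the end of `Put`.
```go
	// Get — … unchanged: fetch and unmarshal doc …
	if doc.Plaintext {
		return doc.Data, nil
	}
	// Documents written before the flag existed carry no marker and are encrypted.
	if c.encryptor == nil {
		return nil, fmt.Errorf("certificate %q is stored encrypted but encryption is disabled", key)
	}
	return c.encryptor.Decrypt(doc.Data)

	// Put — … unchanged: encrypt-or-passthrough into storageData …
	doc := EncryptedCertDocument{
		ID:        keyString,
		Data:      storageData,
		Plaintext: !c.encryptionEnabled,
	}
	// … unchanged: marshal and upsert …
```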
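Review bot: With `config.EncryptingCertificateEnabled` false the store receives the certificate and, per the comment three lines above the call, its private key, yet nothing at startup says they are about to be written unencrypted; `encryptionKey` is still derived and passed, and is then silently ignored by the CosmosDB store. A warning next to this call makes the deployment's state visible in the logs, e.g. `if !config.EncryptingCertificateEnabled { logger.Warn("certificate storage encryption disabled; TLS certificate and private key will be stored in plaintext") }`. `NewContainerFromConfig` continues beyond the hunk and the derivation of `encryptionKey` is above it, so I cannot tell from here whether the key is needed for anything else when encryption is off.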