From a203e88feb814d5b763468dec7f5e55cfa94fea2 Mon Sep 17 00:00:00 2001 From: Carlo Mazzaferro Date: Fri, 27 Dec 2024 17:32:44 +0100 Subject: [PATCH 1/2] configurable region for key-manager --- deploy/e2e/iris-mpc-0.yaml.tpl | 9 ++++++--- deploy/e2e/iris-mpc-1.yaml.tpl | 8 +++++--- deploy/e2e/iris-mpc-2.yaml.tpl | 8 +++++--- iris-mpc-common/src/bin/README.md | 24 ++++++++++++++++++++++++ iris-mpc-common/src/bin/key_manager.rs | 19 ++++++++++++++----- 5 files changed, 54 insertions(+), 14 deletions(-) create mode 100644 iris-mpc-common/src/bin/README.md diff --git a/deploy/e2e/iris-mpc-0.yaml.tpl b/deploy/e2e/iris-mpc-0.yaml.tpl index 40c53bde5..92888e28c 100644 --- a/deploy/e2e/iris-mpc-0.yaml.tpl +++ b/deploy/e2e/iris-mpc-0.yaml.tpl @@ -141,7 +141,7 @@ iris-mpc-0: value: "0" - name: SMPC__PUBLIC_KEY_BASE_URL - value: "http://wf-$ENV-stage-public-keys.s3.localhost.localstack.cloud:4566" + value: "http://wf-$ENV-public-keys.s3.localhost.localstack.cloud:4566" - name: SMPC__ENABLE_S3_IMPORTER value: "false" @@ -202,10 +202,13 @@ iris-mpc-0: name: "iris-mpc-0-init" init.sh: | #!/usr/bin/env bash - apt update && apt install -y awscli + set -e + cd /libs + aws s3 cp s3://wf-smpcv2-stage-libs/libcublas.so.12.2.5.6 . aws s3 cp s3://wf-smpcv2-stage-libs/libcublasLt.so.12.2.5.6 . - key-manager --node-id 0 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys + AWS_ENDPOINT="http://localstack:4566" key-manager --node-id 0 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys --region $AWS_REGION + diff --git a/deploy/e2e/iris-mpc-1.yaml.tpl b/deploy/e2e/iris-mpc-1.yaml.tpl index ceeb86636..84a5a5516 100644 --- a/deploy/e2e/iris-mpc-1.yaml.tpl +++ b/deploy/e2e/iris-mpc-1.yaml.tpl 
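Review bot: The rotate line at the end of the iris-mpc-0 init hunk still publishes node 0's public key to `wf-$ENV-stage-public-keys`, while the same patch repoints `SMPC__PUBLIC_KEY_BASE_URL` at `wf-$ENV-public-keys` and nodes 1 and 2 rotate into `wf-$ENV-public-keys`, so peers would fetch node 0's key from a bucket it never updates. The `AWS_ENDPOINT=` prefix also looks ineffective: the SDK config in key_manager.rs is built with `aws_config::from_env()`, which honours `AWS_ENDPOINT_URL`, and nothing in this patch reads `AWS_ENDPOINT`, so the Secrets Manager and S3 calls would still go to real AWS unless the binary or image handles that variable somewhere not visible here. Suggested line: `AWS_ENDPOINT_URL="http://localstack:4566" key-manager --node-id 0 --env $ENV rotate --public-key-bucket-name wf-$ENV-public-keys --region "$AWS_REGION"`. Note that `download_key_from_s3` in the same patch hardcodes `amazonaws.com`, so an endpoint override would not cover the validate/download path either.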
@@ -142,7 +142,7 @@ iris-mpc-1: value: "1" - name: SMPC__PUBLIC_KEY_BASE_URL - value: "http://wf-$ENV-stage-public-keys.s3.localhost.localstack.cloud:4566" + value: "http://wf-$ENV-public-keys.s3.localhost.localstack.cloud:4566" - name: SMPC__ENABLE_S3_IMPORTER value: "false" @@ -203,10 +203,12 @@ iris-mpc-1: name: "iris-mpc-1-init" init.sh: | #!/usr/bin/env bash - apt-update && apt install -y awscli + set -e + cd /libs + aws s3 cp s3://wf-smpcv2-stage-libs/libcublas.so.12.2.5.6 . aws s3 cp s3://wf-smpcv2-stage-libs/libcublasLt.so.12.2.5.6 . - key-manager --node-id 1 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys + key-manager --node-id 1 --env $ENV rotate --public-key-bucket-name wf-$ENV-public-keys diff --git a/deploy/e2e/iris-mpc-2.yaml.tpl b/deploy/e2e/iris-mpc-2.yaml.tpl index 30f37b93c..c58cd76ec 100644 --- a/deploy/e2e/iris-mpc-2.yaml.tpl +++ b/deploy/e2e/iris-mpc-2.yaml.tpl @@ -142,7 +142,7 @@ iris-mpc-2: value: "2" - name: SMPC__PUBLIC_KEY_BASE_URL - value: "http://wf-$ENV-stage-public-keys.s3.localhost.localstack.cloud:4566" + value: "http://wf-$ENV-public-keys.s3.localhost.localstack.cloud:4566" - name: SMPC__ENABLE_S3_IMPORTER value: "false" @@ -203,10 +203,12 @@ iris-mpc-2: name: "iris-mpc-2-init" init.sh: | #!/usr/bin/env bash - apt update && apt install -y awscli + set -e + cd /libs + aws s3 cp s3://wf-smpcv2-stage-libs/libcublas.so.12.2.5.6 . aws s3 cp s3://wf-smpcv2-stage-libs/libcublasLt.so.12.2.5.6 . - key-manager --node-id 2 --env $ENV rotate --public-key-bucket-name wf-$ENV-stage-public-keys + key-manager --node-id 2 --env $ENV rotate --public-key-bucket-name wf-$ENV-public-keys diff --git a/iris-mpc-common/src/bin/README.md b/iris-mpc-common/src/bin/README.md new file mode 100644 index 000000000..a6ef7c67a --- /dev/null +++ b/iris-mpc-common/src/bin/README.md 
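Review bot: The rotate invocation in the iris-mpc-1 init hunk passes neither `--region` nor an endpoint override, unlike the iris-mpc-0 template in the same patch, so node 1 silently falls back to the CLI default `eu-north-1` regardless of `$AWS_REGION`, and its Secrets Manager and bucket operations target real AWS rather than the localstack endpoint that the template's `SMPC__PUBLIC_KEY_BASE_URL` points at. The iris-mpc-2 template in this patch has the same drift. Keep the three node templates identical apart from `--node-id`, e.g. `key-manager --node-id 1 --env $ENV rotate --public-key-bucket-name wf-$ENV-public-keys --region "$AWS_REGION"`, prefixed with whichever endpoint variable the binary actually honours.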
@@ -0,0 +1,24 @@ +# Key Manager CLI + +The Key Manager CLI is a command line interface to rotate public and private keys used to encode shares. +The initial private key is generated using `smpc-setup`, and it is empty. + +Key manager must be run from each of the participant accounts at least once before initiating the protocol. + +Keys can be rotated at any time using the `rotate` command. + +## Usage + +```bash +>>> key-manager --node-id 2 --env prod rotate --public-key-bucket-name wf-env-stage-public-keys +``` + +This will: + +1. Update the public key in the bucket `wf-env-stage-public-keys` for node 2. +2. Generate a new private key and store aws secrets manager under the secret name: `prod/iris-mpc/ecdh-private-key-2` + +This key will be immediately valid, though the previous key will retain a validity of 24 hours (dictated by the cloudfront caching behavior, +and by application logic that checks against AWSCURRENT and AWSPREVIOUS version of the secret). + + diff --git a/iris-mpc-common/src/bin/key_manager.rs b/iris-mpc-common/src/bin/key_manager.rs index a11398756..2440a16ef 100644 --- a/iris-mpc-common/src/bin/key_manager.rs +++ b/iris-mpc-common/src/bin/key_manager.rs @@ -15,7 +15,6 @@ use sodiumoxide::crypto::box_::{curve25519xsalsa20poly1305, PublicKey, SecretKey const PUBLIC_KEY_S3_BUCKET_NAME: &str = "wf-smpcv2-stage-public-keys"; const PUBLIC_KEY_S3_KEY_NAME_PREFIX: &str = "public-key"; -const REGION: &str = "eu-north-1"; /// A fictional versioning CLI #[derive(Debug, Parser)] // requires `derive` feature @@ -32,6 +31,9 @@ struct KeyManagerCli { #[arg(short, long, env, default_value = "stage")] env: String, + + #[arg(short, long, env, default_value = "eu-north-1")] + region: String, } #[derive(Debug, Subcommand)] 
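Review bot: The new `region` field in the `@@ -32` hunk uses a bare `env`, which in clap derive maps to the variable `REGION` rather than `AWS_REGION`, so the standard SDK variable is ignored and the hard default `eu-north-1` wins whenever `--region` is omitted; `S3Region::new` also accepts any string without validation. Prefer `#[arg(short, long, env = "AWS_REGION", default_value = "eu-north-1")]` so the deployment's `AWS_REGION` is honoured, and add a doc comment such as `/// AWS region used for Secrets Manager, the public-key bucket and the S3 download URL.` Because main applies this value to `aws_config::from_env().region(...)`, the CLI default overrides any profile or environment region the SDK would otherwise resolve; if that is not intended, make the field `Option<String>` and only set the region provider when it is `Some`. The `KeyManagerCli` struct starts before this hunk.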
@@ -67,8 +69,9 @@ async fn main() -> eyre::Result<()> { tracing_subscriber::fmt::init(); let args = KeyManagerCli::parse(); + let region = args.region; - let region_provider = S3Region::new(REGION); + let region_provider = S3Region::new(region.clone()); let shared_config = aws_config::from_env().region(region_provider).load().await; let bucket_key_name = format!("{}-{}", PUBLIC_KEY_S3_KEY_NAME_PREFIX, args.node_id); @@ -101,6 +104,7 @@ async fn main() -> eyre::Result<()> { b64_pub_key, &bucket_key_name, public_key_bucket_name, + region.clone(), ) .await?; } @@ -115,6 +119,7 @@ async fn validate_keys( b64_pub_key: Option, bucket_key_name: &str, public_key_bucket_name: Option, + region: String, ) -> eyre::Result<()> { let sm_client = SecretsManagerClient::new(sdk_config); @@ -133,7 +138,7 @@ async fn validate_keys( } else { // Otherwise, get the latest one from S3 using HTTPS let user_pubkey_string = - download_key_from_s3(bucket_name.as_str(), bucket_key_name).await?; + download_key_from_s3(bucket_name.as_str(), bucket_key_name, region.clone()).await?; let user_pubkey = STANDARD.decode(user_pubkey_string.as_bytes()).unwrap(); match PublicKey::from_slice(&user_pubkey) { Some(key) => key, @@ -231,9 +236,13 @@ async fn rotate_keys( Ok(()) } -async fn download_key_from_s3(bucket: &str, key: &str) -> Result { +async fn download_key_from_s3( + bucket: &str, + key: &str, + region: String, +) -> Result { print!("Downloading key from S3 bucket: {} key: {}", bucket, key); - let s3_url = format!("https://{}.s3.{}.amazonaws.com/{}", bucket, REGION, key); + let s3_url = format!("https://{}.s3.{}.amazonaws.com/{}", bucket, region, key); let client = Client::new(); let response = client.get(&s3_url).send().await?.text().await?; Ok(response) From 565efedcdae97be718206f6674c7b15b0b6aa322 Mon Sep 17 00:00:00 2001 
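Review bot: `download_key_from_s3` in the `@@ -231` hunk now takes `region: String` and every caller clones to satisfy it (`region.clone()` in main and in validate_keys), although the value is only interpolated into a URL; take `region: &str`, change `validate_keys` to `region: &str` as well, and pass `&region` through, which removes all three clones. The URL is still hardcoded to `https://{bucket}.s3.{region}.amazonaws.com/{key}`, so this path cannot be redirected to the localstack endpoint the e2e templates in this patch try to configure, and the response body is handed straight to the base64 decode in validate_keys without checking the HTTP status (pre-existing `.text().await?` context), so an S3 error document would be treated as key material and reach the `unwrap`. If `Client` is reqwest, `client.get(&s3_url).send().await?.error_for_status()?.text().await?` closes that gap; the `print!` on the first body line also lacks a trailing newline.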
From: Carlo Mazzaferro Date: Fri, 27 Dec 2024 17:34:49 +0100 Subject: [PATCH 2/2] remove leftover --- iris-mpc-common/src/bin/key_manager.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/iris-mpc-common/src/bin/key_manager.rs b/iris-mpc-common/src/bin/key_manager.rs index 2440a16ef..afc0cc1e6 100644 --- a/iris-mpc-common/src/bin/key_manager.rs +++ b/iris-mpc-common/src/bin/key_manager.rs @@ -16,7 +16,6 @@ use sodiumoxide::crypto::box_::{curve25519xsalsa20poly1305, PublicKey, SecretKey const PUBLIC_KEY_S3_BUCKET_NAME: &str = "wf-smpcv2-stage-public-keys"; const PUBLIC_KEY_S3_KEY_NAME_PREFIX: &str = "public-key"; -/// A fictional versioning CLI #[derive(Debug, Parser)] // requires `derive` feature #[command(name = "key-manager")] #[command(about = "Key manager CLI", long_about = None)]