diff --git a/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/IndividualKeyRotationRequest.avsc b/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/IndividualKeyRotationRequest.avsc
new file mode 100644
index 0000000000..6dcef5f83c
--- /dev/null
+++ b/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/IndividualKeyRotationRequest.avsc
@@ -0,0 +1,42 @@
+{
+ "type": "record",
+ "name": "IndividualKeyRotationRequest",
+ "namespace": "net.corda.data.crypto.wire.ops.key.rotation",
+ "doc": "Internal over-the-wire individual crypto key rotation operation request envelope.",
+ "fields": [
+ {
+ "name": "requestId",
+ "type": "string",
+ "doc": "GUID allocated by client to control key rotation."
+ },
+ {
+ "name": "tenantId",
+ "type": "string",
+ "doc": "Specifies the specific tenant that owns the old key."
+ },
+ {
+ "name": "oldParentKeyAlias",
+ "type": "string",
+ "doc": "The key alias whose protected content will be re-wrapped with a new key."
+ },
+ {
+ "name": "newParentKeyAlias",
+ "type": "string",
+ "doc": "The new wrapping key which oldParentKeyAlias' content will be re-wrapped with."
+ },
+ {
+ "name": "targetKeyAlias",
+ "type": "string",
+ "doc": "Specifies the wrapped key to rotate."
+ },
+ {
+ "name": "keyType",
+ "type": {
+ "type": "enum",
+ "name": "KeyType",
+ "symbols": ["MANAGED", "UNMANAGED"]
+ },
+ "doc": "Type of the key to be rotated."
+ }
+ ]
+}
diff --git a/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationRequest.avsc b/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationRequest.avsc
new file mode 100644
index 0000000000..7975c07f61
--- /dev/null
+++ b/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationRequest.avsc
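Review bot: The `KeyType` enum is declared inline in this record and declared again, with the same name and namespace, in KeyRotationRequest.avsc and KeyRotationStatus.avsc; Avro treats `net.corda.data.crypto.wire.ops.key.rotation.KeyType` as a single named type, so the three copies have to stay identical, and generation tooling typically either rejects the set or silently picks one copy once they drift. Moving the enum to its own `KeyType.avsc` and referring to it by full name, `"type": "net.corda.data.crypto.wire.ops.key.rotation.KeyType"`, in all three records removes that risk. The field carrying the enum is called `keyType` here but `managedKey` in the other two records; one name across the three would make the wire contract easier to follow.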
@@ -0,0 +1,42 @@
+{
+ "type": "record",
+ "name": "KeyRotationRequest",
+ "namespace": "net.corda.data.crypto.wire.ops.key.rotation",
+ "doc": "Internal over-the-wire crypto key rotation operation request envelope.",
+ "fields": [
+ {
+ "name": "requestId",
+ "type": "string",
+ "doc": "GUID allocated by client to control key rotation."
+ },
+ {
+ "name": "managedKey",
+ "type": {
+ "type": "enum",
+ "name": "KeyType",
+ "symbols": ["MANAGED", "UNMANAGED"]
+ },
+ "doc": "Type of the key to be rotated."
+ },
+ {
+ "name": "oldParentKeyAlias",
+ "type": ["null", "string"],
+ "doc": "The key alias that should no longer be used, and all its protected content re-wrapped with a new key."
+ },
+ {
+ "name": "newParentKeyAlias",
+ "type": ["null", "string"],
+ "doc": "The unmanaged key alias that should be used for material currently wrapped with old key. Only specified when rotating unmanaged keys."
+ },
+ {
+ "name": "oldGeneration",
+ "type": ["null", "int"],
+ "doc": "Specifies the old generation number we should move away from. If absent, rotate all matching keys."
+ },
+ {
+ "name": "tenantId",
+ "type": ["null", "string"],
+ "doc": "Only specified when targeting managed keys. Specifies the specific tenant that owns the old and new key."
+ }
+ ]
+}
diff --git a/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationStatus.avsc b/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationStatus.avsc
new file mode 100644
index 0000000000..18162dc5c1
--- /dev/null
+++ b/data/avro-schema/src/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationStatus.avsc
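Review bot: The nullable fields `oldParentKeyAlias`, `newParentKeyAlias`, `oldGeneration` and `tenantId` are `["null", ...]` unions without `"default": null`, so a reader holding this schema cannot decode a record written by an earlier version that lacks any of them, which removes the evolution benefit the null branch is normally there for; adding `"default": null` to each of the four unions fixes that, and the same applies to the five nullable fields in KeyRotationStatus.avsc. The doc strings express a cross-field rule — `tenantId` only with MANAGED, `newParentKeyAlias` only with UNMANAGED — that the schema itself cannot enforce, so the consumer on the crypto side has to validate the combination and reject requests that break it rather than assume a well-formed sender. The `tenantId` doc here says "owns the old and new key" while IndividualKeyRotationRequest.avsc says "owns the old key"; one consistent wording would avoid a reader wondering whether the new key can belong to a different tenant.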
@@ -0,0 +1,73 @@
+{
+ "type": "record",
+ "name": "KeyRotationStatus",
+ "namespace": "net.corda.data.crypto.wire.ops.key.rotation",
+ "doc": "Response for crypto's key rotation operation envelope",
+ "fields": [
+ {
+ "name": "requestId",
+ "type": "string",
+ "doc": "GUID allocated by client and passed in StartRotation message."
+ },
+ {
+ "name": "managedKey",
+ "type": {
+ "type": "enum",
+ "name": "KeyType",
+ "symbols": ["MANAGED", "UNMANAGED"]
+ },
+ "doc": "Type of the key to be rotated."
+ },
+ {
+ "name": "oldParentKeyAlias",
+ "type": ["null", "string"],
+ "doc": "The wrapping key alias that should no longer be used, and all its protected content re-wrapped with a new key."
+ },
+ {
+ "name": "newParentKeyAlias",
+ "type": ["null", "string"],
+ "doc": "The wrapping key alias that should be used for material currently wrapped with old key. Only specified when rotating unmanaged keys."
+ },
+ {
+ "name": "oldGeneration",
+ "type": ["null", "int"],
+ "doc": "Specifies the old generation number we should move away from. If absent, rotate all matching keys."
+ },
+ {
+ "name": "tenantId",
+ "type": ["null", "string"],
+ "doc": "Only specified when targeting managed keys. Specifies the specific tenant that owns the old and new key."
+ },
+ {
+ "name": "newGeneration",
+ "type": ["null", "int"],
+ "doc": "Set to the new generation number when rotating a single managed key, otherwise null."
+ },
+ {
+ "name": "processedCount",
+ "type": "int",
+ "doc": "Number of wrapped keys rotated so far."
+ },
+ {
+ "name": "expectedTotal",
+ "type": "int",
+ "doc": "Number of wrapped keys in total to re-wrap as part of this operation."
+ },
+ {
+ "name": "createdTimestamp",
+ "type": {
+ "type": "long",
+ "logicalType": "timestamp-millis"
+ },
+ "doc": "The date and time the key rotation request was created."
+ },
+ {
+ "name": "lastUpdateTimestamp",
+ "type": {
+ "type": "long",
+ "logicalType": "timestamp-millis"
+ },
+ "doc": "The date and time when the last individual key rotation operation has finished."
+ }
+ ]
+}
diff --git a/data/topic-schema/src/main/java/net/corda/schema/Schemas.java b/data/topic-schema/src/main/java/net/corda/schema/Schemas.java
index 524a27b37b..17ae8eff36 100644
--- a/data/topic-schema/src/main/java/net/corda/schema/Schemas.java
+++ b/data/topic-schema/src/main/java/net/corda/schema/Schemas.java
@@ -87,6 +87,13 @@ private Crypto() {
 public static final String FLOW_OPS_MESSAGE_TOPIC = "crypto.ops.flow";
 public static final String RPC_OPS_MESSAGE_TOPIC = "crypto.ops.rpc";
 public static final String RPC_OPS_MESSAGE_RESPONSE_TOPIC = getRPCResponseTopic(RPC_OPS_MESSAGE_TOPIC);
+ public static final String REKEY_MESSAGE_TOPIC = "crypto.key.rotation.ops";
+ public static final String REKEY_MESSAGE_RESPONSE_TOPIC = getRPCResponseTopic(REKEY_MESSAGE_TOPIC);
+ public static final String REKEY_MESSAGE_STATUS_TOPIC = "crypto.key.rotation.status";
+ public static final String REWRAP_MESSAGE_TOPIC = "crypto.key.rotation.individual";
+ public static final String REWRAP_MESSAGE_RESPONSE_TOPIC = getRPCResponseTopic(REWRAP_MESSAGE_TOPIC);
+
+
 }
 
 /**
diff --git a/data/topic-schema/src/main/resources/net/corda/schema/Crypto.yaml b/data/topic-schema/src/main/resources/net/corda/schema/Crypto.yaml
index 2b483e8b9a..8cc58b0ade 100644
--- a/data/topic-schema/src/main/resources/net/corda/schema/Crypto.yaml
+++ b/data/topic-schema/src/main/resources/net/corda/schema/Crypto.yaml
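Review bot: The `requestId` doc says the id is "passed in StartRotation message", but no schema of that name is added by this commit; the request record introduced alongside this one is `KeyRotationRequest`, so the doc should read `"GUID allocated by client and passed in the KeyRotationRequest message."`. `processedCount` and `expectedTotal` are plain `int` with nothing said about whether `expectedTotal` may be zero or still unknown while the set of wrapped keys is being enumerated, which is exactly what a consumer needs in order to decide when a rotation is finished; a sentence in each doc pinning that down would help. The record's own doc, "Response for crypto's key rotation operation envelope", is missing its full stop and does not say it is also published as progress rather than only as a final response, which `lastUpdateTimestamp` implies.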
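Review bot: `REKEY_MESSAGE_STATUS_TOPIC` is set to `"crypto.key.rotation.status"`, but no topic of that name appears in the Crypto.yaml hunk of this commit, whose entries are `crypto.key.rotation.ops`, `crypto.key.rotation.ops.resp`, `crypto.key.rotation.individual` and `crypto.key.rotation.individual.resp`; if Crypto.yaml is the manifest topics are created from, a producer using this constant would publish to a topic that does not exist. Either add the status topic to the YAML or leave the constant out until it does. The two blank lines added before the closing `}` should go. The enclosing `Crypto` class starts outside the hunk and its existing constants carry no Javadoc, but a one-line comment on each new constant naming the Avro record that travels on it (e.g. `// KeyRotationRequest, produced by the rest worker` on `REKEY_MESSAGE_TOPIC`) would tie these constants to the schemas added in this commit.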
@@ -44,3 +44,27 @@ topics:
 producers:
 - crypto
 config:
+ CryptoOpsRekeyTopic:
+ name: crypto.key.rotation.ops
+ consumers:
+ - crypto
+ producers:
+ - rest
+ CryptoOpsRekeyStatusTopic:
+ name: crypto.key.rotation.ops.resp
+ consumers:
+ - rest
+ producers:
+ - crypto
+ CryptoOpsRewrapTopic:
+ name: crypto.key.rotation.individual
+ consumers:
+ - crypto
+ producers:
+ - crypto
+ CryptoOpsRewrapResponseTopic:
+ name: crypto.key.rotation.individual.resp
+ consumers:
+ - crypto
+ producers:
+ - crypto
diff --git a/gradle.properties b/gradle.properties
index b49575666d..2408da8917 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -9,7 +9,7 @@ cordaProductVersion = 5.2.0
 # NOTE: update this each time this module contains a breaking change
 ## NOTE: currently this is a top level revision, so all API versions will line up, but this could be moved to
 ## a per module property in which case module versions can change independently.
-cordaApiRevision = 4
+cordaApiRevision = 5
 
 # Main
 kotlinVersion = 1.8.21
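Review bot: `CryptoOpsRekeyStatusTopic` names the topic `crypto.key.rotation.ops.resp`, which is the RPC response topic the Java side calls `REKEY_MESSAGE_RESPONSE_TOPIC`, while the parallel entry for the individual re-wrap response is called `CryptoOpsRewrapResponseTopic`; renaming the key to `CryptoOpsRekeyResponseTopic` keeps the two pairs symmetric and stops it being mistaken for the separate status topic. If these consumer/producer lists drive topic ACLs, the split here — only `rest` producing on `crypto.key.rotation.ops` and only `crypto` on the two individual re-wrap topics — is the right shape for an operation that changes wrapping keys, and a short comment on `CryptoOpsRekeyTopic` saying the REST worker is the only intended producer would keep the list from being widened casually later.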