Merge pull request #1349 from corda/dickon/CORE-12165-feature-rotatio…

…n-no-limit CORE-12165: undo revert of revert and remove limit and time to live on key rotation
corda · Nov 20, 2023 · dc0b8c8 · dc0b8c8
2 parents 1c03eb3 + d2da8c5
commit dc0b8c8
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 58 deletions.
diff --git a/application/src/main/java/net/corda/v5/application/crypto/SigningService.java b/application/src/main/java/net/corda/v5/application/crypto/SigningService.java
@@ -57,28 +57,4 @@ public interface SigningService {
     @Suspendable
     @NotNull
     Map<PublicKey, PublicKey> findMySigningKeys(@NotNull Set<PublicKey> keys);
-
-    /**
-     * Sign with the subset of keys we own from a specified set of keys.
-     * 
-     * @param bytes The data to sign over use the keys we own
-     * @param keys The set of keys to consider; we will sign with the subset of the keys which we own.
-     * @param signatureSpec The {@link SignatureSpec} to use when producing these signatures
-     * @return A set of {@link DigitalSignature.WithKeyId}, one per key we own.
-     */
-    @Suspendable
-    @NotNull
-    Set<DigitalSignature.WithKeyId> signWithMyKeys(@NotNull byte bytes[], @NotNull Set<PublicKey> keys, @NotNull SignatureSpec signatureSpec);
-
-    /**
-     * Sign with all the keys we have in a specified category.
-     *
-     * @param bytes The data to sign over use the keys we own
-     * @param category The key categories we use.
-     * @param signatureSpec The {@link SignatureSpec} to use when producing these signatures
-     * @return A set of {@link DigitalSignature.WithKeyId}, one per key we own.
-     */
-    @Suspendable
-    @NotNull
-    Set<DigitalSignature.WithKeyId> signWithMyCategoryKeys(@NotNull byte bytes[], @NotNull String category, @NotNull SignatureSpec signatureSpec);
 }
diff --git a/...ources/avro/net/corda/data/crypto/wire/ops/key/rotation/IndividualKeyRotationRequest.avsc b/...ources/avro/net/corda/data/crypto/wire/ops/key/rotation/IndividualKeyRotationRequest.avsc
@@ -15,19 +15,28 @@
       "doc": "Specifies the specific tenant that owns the old key."
     },
     {
-      "name": "oldKeyAlias",
+      "name": "oldParentKeyAlias",
       "type": "string",
       "doc": "The key alias whose protected content will be re-wrapped with a new key."
     },
     {
-      "name": "newKeyAlias",
+      "name": "newParentKeyAlias",
       "type": "string",
-      "doc": "The new wrapping key which oldKeyAlias' content will be re-wrapped with."
+      "doc": "The new wrapping key which oldParentKeyAlias' content will be re-wrapped with."
     },
     {
       "name": "targetKeyAlias",
       "type": "string",
-      "doc": "Specifies the wrapped key to rotate"
+      "doc": "Specifies the wrapped key to rotate."
+    },
+    {
+      "name": "keyType",
+      "type": {
+        "type": "enum",
+        "name": "KeyType",
+        "symbols": ["MANAGED", "UNMANAGED"]
+      },
+      "doc": "Type of the key to be rotated."
     }
   ]
 }
diff --git a/...urces/avro/net/corda/data/crypto/wire/ops/key/rotation/IndividualKeyRotationResponse.avsc b/...urces/avro/net/corda/data/crypto/wire/ops/key/rotation/IndividualKeyRotationResponse.avsc
@@ -15,19 +15,19 @@
       "doc": "Specifies the specific tenant that owns the old key."
     },
     {
-      "name": "oldKeyAlias",
+      "name": "oldParentKeyAlias",
       "type": "string",
       "doc": "The key alias whose protected content has been re-wrapped with a new key."
     },
     {
-      "name": "newKeyAlias",
+      "name": "newParentKeyAlias",
       "type": "string",
-      "doc": "The new wrapping key which oldKeyAlias' content has been re-wrapped with."
+      "doc": "The new wrapping key which oldParentKeyAlias' content has been re-wrapped with."
     },
     {
       "name": "targetKeyAlias",
       "type": "string",
-      "doc": "Specifies the wrapped key to rotate"
+      "doc": "Specifies the alias of the key that should be rotated."
     },
     {
       "name": "endOperationTimestamp",

diff --git a/...c/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationRequest.avsc b/...c/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationRequest.avsc
@@ -19,12 +19,12 @@
       "doc": "Type of the key to be rotated."
     },
     {
-      "name": "oldKeyAlias",
+      "name": "oldParentKeyAlias",
       "type": ["null", "string"],
       "doc": "The key alias that should no longer be used, and all its protected content re-wrapped with a new key."
     },
     {
-      "name": "newKeyAlias",
+      "name": "newParentKeyAlias",
       "type": ["null", "string"],
       "doc": "The unmanaged key alias that should be used for material currently wrapped with old key. Only specified when rotating unmanaged keys."
     },
@@ -37,21 +37,6 @@
       "name": "tenantId",
       "type": ["null", "string"],
       "doc": "Only specified when targeting managed keys. Specifies the specific tenant that owns the old and new key."
-    },
-    {
-      "name": "simulate",
-      "type": "boolean",
-      "doc": "If true, only work out the number of keys to rotate; defaults to false, which causes the key rotation to actually happen."
-    },
-    {
-      "name": "timeToLive",
-      "type": ["null", "int"],
-      "doc": "The maximum number of milliseconds which should pass, after which the key rotation loop will exit. The server can return before this time, and should do at least one key rotation."
-    },
-    {
-      "name": "limit",
-      "type": ["null", "int"],
-      "doc": "The maximum number of key rotations to do, after which the key rotation loop will exit. The server can return after doing at least one, but at the server discretion not all of these keys, and should do at least one."
     }
   ]
 }
diff --git a/...rc/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationStatus.avsc b/...rc/main/resources/avro/net/corda/data/crypto/wire/ops/key/rotation/KeyRotationStatus.avsc
@@ -19,14 +19,14 @@
       "doc": "Type of the key to be rotated."
     },
     {
-      "name": "oldKeyAlias",
+      "name": "oldParentKeyAlias",
       "type": ["null", "string"],
-      "doc": "The key alias that should no longer be used, and all its protected content re-wrapped with a new key."
+      "doc": "The wrapping key alias that should no longer be used, and all its protected content re-wrapped with a new key."
     },
     {
-      "name": "newKeyAlias",
+      "name": "newParentKeyAlias",
       "type": ["null", "string"],
-      "doc": "The unmanaged key alias that should be used for material currently wrapped with old key. Only specified when rotating unmanaged keys."
+      "doc": "The wrapping key alias that should be used for material currently wrapped with old key. Only specified when rotating unmanaged keys."
     },
     {
       "name": "oldGeneration",
@@ -38,11 +38,6 @@
       "type": ["null", "string"],
       "doc": "Only specified when targeting managed keys. Specifies the specific tenant that owns the old and new key."
     },
-    {
-      "name": "simulate",
-      "type": "boolean",
-      "doc": "True, if the invocation was a simulation."
-    },
     {
       "name": "newGeneration",
       "type": ["null", "int"],