remove file storing for symmetric key and submit rotate key on node i…

…nitialization
atoma-network · Dec 17, 2024 · 32e09c0 · 32e09c0
1 parent bcffcea
commit 32e09c0
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 83 deletions.
diff --git a/atoma-confidential/src/key_management.rs b/atoma-confidential/src/key_management.rs
@@ -4,15 +4,6 @@ use atoma_utils::encryption::{
 use thiserror::Error;
 use x25519_dalek::{PublicKey, SharedSecret, StaticSecret};
 
-/// The size of the X25519 secret key in bytes.
-const DH_SECRET_KEY_SIZE: usize = 32;
-
-/// The directory where the private key file is stored.
-const KEY_FILE_DIR: &str = "keys";
-
-/// The name of the private key file.
-const KEY_FILE_NAME: &str = "dh_privkey";
-
 type Result<T> = std::result::Result<T, KeyManagementError>;
 
 /// A struct that manages X25519 key pair operations.
@@ -32,23 +23,9 @@ impl X25519KeyPairManager {
     /// Constructor
     #[allow(clippy::new_without_default)]
     pub fn new() -> Result<Self> {
-        let path = Self::get_key_file_path();
-
-        if path.exists() {
-            // Read the existing key from the file
-            let key_bytes = std::fs::read(&path).map_err(KeyManagementError::IoError)?;
-            let mut key_bytes_array: [u8; DH_SECRET_KEY_SIZE] = [0u8; DH_SECRET_KEY_SIZE];
-            key_bytes_array.copy_from_slice(&key_bytes[..DH_SECRET_KEY_SIZE]);
-            let secret_key = StaticSecret::from(key_bytes_array);
-            Ok(Self { secret_key })
-        } else {
-            // Generate a new key
-            let mut rng = rand::thread_rng();
-            let secret_key = StaticSecret::random_from_rng(&mut rng);
-            let this = Self { secret_key };
-            this.write_private_key_to_file()?;
-            Ok(this)
-        }
+        let mut rng = rand::thread_rng();
+        let secret_key = StaticSecret::random_from_rng(&mut rng);
+        Ok(Self { secret_key })
     }
 
     /// Returns a reference to the current X25519 public key.
@@ -83,10 +60,9 @@ impl X25519KeyPairManager {
     ///
     /// Note: This operation automatically updates the device options to ensure
     /// the attestation report reflects the new keypair.
-    pub fn rotate_keys(&mut self) -> Result<()> {
+    pub fn rotate_keys(&mut self) {
         let mut rng = rand::thread_rng();
         self.secret_key = StaticSecret::random_from_rng(&mut rng);
-        self.write_private_key_to_file()
     }
 
     /// Computes the shared secret between the current secret key and a given public key.
@@ -178,60 +154,6 @@ impl X25519KeyPairManager {
         let shared_secret = self.compute_shared_secret(&public_key);
         Ok(encrypt_plaintext(plaintext, &shared_secret, salt, None)?)
     }
-
-    /// Returns the file path where the private key should be stored.
-    ///
-    /// This method constructs a path by:
-    /// 1. Starting from the current working directory
-    /// 2. Adding a "keys" subdirectory
-    /// 3. Adding the "dh_privkey" file name
-    ///
-    /// # Returns
-    /// * `PathBuf` - Path to the private key file: `./keys/dh_privkey`
-    ///
-    /// # Note
-    /// Currently uses a hardcoded path relative to the current directory.
-    /// This is primarily intended for development/testing purposes.
-    /// Production environments should use a more secure and configurable location.
-    fn get_key_file_path() -> std::path::PathBuf {
-        // Use a more appropriate path, possibly from config
-        std::env::current_dir()
-            .unwrap_or_default()
-            .join(KEY_FILE_DIR)
-            .join(KEY_FILE_NAME)
-    }
-
-    /// Writes the current private key to a file at the root directory.
-    ///
-    /// # Warning
-    /// This function is intended for development/testing purposes only.
-    /// Writing private keys to disk in production is a security risk.
-    ///
-    /// # Returns
-    /// * `Ok(())` if the write was successful
-    /// * `Err(KeyManagementError)` if the write failed
-    pub fn write_private_key_to_file(&self) -> Result<()> {
-        use std::fs::{self, create_dir_all};
-        #[cfg(unix)]
-        use std::os::unix::fs::PermissionsExt; // Unix-specific permissions
-
-        let path = Self::get_key_file_path();
-
-        // Ensure directory exists
-        if let Some(parent) = path.parent() {
-            create_dir_all(parent).map_err(KeyManagementError::IoError)?;
-        }
-
-        // Write key with restricted permissions
-        fs::write(&path, self.secret_key.to_bytes()).map_err(KeyManagementError::IoError)?;
-
-        // Set file permissions to owner read/write only (0600)
-        #[cfg(unix)]
-        fs::set_permissions(&path, fs::Permissions::from_mode(0o600))
-            .map_err(KeyManagementError::IoError)?;
-
-        Ok(())
-    }
 }
 
 #[derive(Debug, Error)]

diff --git a/atoma-confidential/src/service.rs b/atoma-confidential/src/service.rs
@@ -136,6 +136,8 @@ impl AtomaConfidentialComputeService {
             "Running confidential compute service, with dh public key: {:?}",
             self.key_manager.get_public_key().as_bytes()
         );
+        // Submit the first node key rotation attestation, because the node is starting up afresh
+        self.submit_node_key_rotation_tdx_attestation().await?;
         loop {
             tokio::select! {
                 Some((decryption_request, sender)) = self.service_decryption_receiver.recv() => {
@@ -195,7 +197,7 @@ impl AtomaConfidentialComputeService {
     /// - `AtomaConfidentialComputeError::SuiClientError` if the attestation submission to Sui fails
     #[instrument(level = "debug", skip_all)]
     async fn submit_node_key_rotation_tdx_attestation(&mut self) -> Result<()> {
-        self.key_manager.rotate_keys()?;
+        self.key_manager.rotate_keys();
         let public_key = self.key_manager.get_public_key();
         let public_key_bytes = public_key.to_bytes();
         #[cfg(feature = "tdx")]