diff --git a/atoma-confidential/src/key_management.rs b/atoma-confidential/src/key_management.rs index 3eec2c5f..7a1066e7 100644 --- a/atoma-confidential/src/key_management.rs +++ b/atoma-confidential/src/key_management.rs @@ -4,15 +4,6 @@ use atoma_utils::encryption::{ use thiserror::Error; use x25519_dalek::{PublicKey, SharedSecret, StaticSecret}; -/// The size of the X25519 secret key in bytes. -const DH_SECRET_KEY_SIZE: usize = 32; - -/// The directory where the private key file is stored. -const KEY_FILE_DIR: &str = "keys"; - -/// The name of the private key file. -const KEY_FILE_NAME: &str = "dh_privkey"; - type Result = std::result::Result; /// A struct that manages X25519 key pair operations. @@ -32,23 +23,9 @@ impl X25519KeyPairManager { /// Constructor #[allow(clippy::new_without_default)] pub fn new() -> Result { - let path = Self::get_key_file_path(); - - if path.exists() { - // Read the existing key from the file - let key_bytes = std::fs::read(&path).map_err(KeyManagementError::IoError)?; - let mut key_bytes_array: [u8; DH_SECRET_KEY_SIZE] = [0u8; DH_SECRET_KEY_SIZE]; - key_bytes_array.copy_from_slice(&key_bytes[..DH_SECRET_KEY_SIZE]); - let secret_key = StaticSecret::from(key_bytes_array); - Ok(Self { secret_key }) - } else { - // Generate a new key - let mut rng = rand::thread_rng(); - let secret_key = StaticSecret::random_from_rng(&mut rng); - let this = Self { secret_key }; - this.write_private_key_to_file()?; - Ok(this) - } + let mut rng = rand::thread_rng(); + let secret_key = StaticSecret::random_from_rng(&mut rng); + Ok(Self { secret_key }) } /// Returns a reference to the current X25519 public key. @@ -83,10 +60,9 @@ impl X25519KeyPairManager { /// /// Note: This operation automatically updates the device options to ensure /// the attestation report reflects the new keypair. - pub fn rotate_keys(&mut self) -> Result<()> { + pub fn rotate_keys(&mut self) { let mut rng = rand::thread_rng(); self.secret_key = StaticSecret::random_from_rng(&mut rng); - self.write_private_key_to_file() } /// Computes the shared secret between the current secret key and a given public key. @@ -178,60 +154,6 @@ impl X25519KeyPairManager { let shared_secret = self.compute_shared_secret(&public_key); Ok(encrypt_plaintext(plaintext, &shared_secret, salt, None)?) } - - /// Returns the file path where the private key should be stored. - /// - /// This method constructs a path by: - /// 1. Starting from the current working directory - /// 2. Adding a "keys" subdirectory - /// 3. Adding the "dh_privkey" file name - /// - /// # Returns - /// * `PathBuf` - Path to the private key file: `./keys/dh_privkey` - /// - /// # Note - /// Currently uses a hardcoded path relative to the current directory. - /// This is primarily intended for development/testing purposes. - /// Production environments should use a more secure and configurable location. - fn get_key_file_path() -> std::path::PathBuf { - // Use a more appropriate path, possibly from config - std::env::current_dir() - .unwrap_or_default() - .join(KEY_FILE_DIR) - .join(KEY_FILE_NAME) - } - - /// Writes the current private key to a file at the root directory. - /// - /// # Warning - /// This function is intended for development/testing purposes only. - /// Writing private keys to disk in production is a security risk. - /// - /// # Returns - /// * `Ok(())` if the write was successful - /// * `Err(KeyManagementError)` if the write failed - pub fn write_private_key_to_file(&self) -> Result<()> { - use std::fs::{self, create_dir_all}; - #[cfg(unix)] - use std::os::unix::fs::PermissionsExt; // Unix-specific permissions - - let path = Self::get_key_file_path(); - - // Ensure directory exists - if let Some(parent) = path.parent() { - create_dir_all(parent).map_err(KeyManagementError::IoError)?; - } - - // Write key with restricted permissions - fs::write(&path, self.secret_key.to_bytes()).map_err(KeyManagementError::IoError)?; - - // Set file permissions to owner read/write only (0600) - #[cfg(unix)] - fs::set_permissions(&path, fs::Permissions::from_mode(0o600)) - .map_err(KeyManagementError::IoError)?; - - Ok(()) - } } #[derive(Debug, Error)] diff --git a/atoma-confidential/src/service.rs b/atoma-confidential/src/service.rs index 15ce6b51..632971df 100644 --- a/atoma-confidential/src/service.rs +++ b/atoma-confidential/src/service.rs @@ -136,6 +136,8 @@ impl AtomaConfidentialComputeService { "Running confidential compute service, with dh public key: {:?}", self.key_manager.get_public_key().as_bytes() ); + // Submit the first node key rotation attestation, because the node is starting up afresh + self.submit_node_key_rotation_tdx_attestation().await?; loop { tokio::select! { Some((decryption_request, sender)) = self.service_decryption_receiver.recv() => { @@ -195,7 +197,7 @@ impl AtomaConfidentialComputeService { /// - `AtomaConfidentialComputeError::SuiClientError` if the attestation submission to Sui fails #[instrument(level = "debug", skip_all)] async fn submit_node_key_rotation_tdx_attestation(&mut self) -> Result<()> { - self.key_manager.rotate_keys()?; + self.key_manager.rotate_keys(); let public_key = self.key_manager.get_public_key(); let public_key_bytes = public_key.to_bytes(); #[cfg(feature = "tdx")]