refactor: move crypto/kms APIs to spi module. (#3558)

.codecov.yaml

@@ -15,5 +15,5 @@ coverage:
 ignore:
   - "test/bdd"  # ignore bdd tests
   - "proto"
-  - "component/kmscrypto/pkg/crypto/tinkcrypto/primitive/proto"
+  - "component/kmscrypto/crypto/tinkcrypto/primitive/proto"
   - "component/kmscrypto/internal/third_party"

component/kmscrypto/crypto/api.go

@@ -0,0 +1,10 @@
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package crypto
+
+// DefKeySize is the default key size for crypto primitives.
+const DefKeySize = 32

component/kmscrypto/pkg/crypto/eckey.go → component/kmscrypto/crypto/eckey.go

@@ -11,10 +11,12 @@ import (
 	"crypto/elliptic"
 	"fmt"
 	"math/big"
+
+	"github.com/hyperledger/aries-framework-go/spi/crypto"
 )
 
 // ToECKey converts key to an ecdsa public key. It returns an error if the curve is invalid.
-func ToECKey(key *PublicKey) (*ecdsa.PublicKey, error) {
+func ToECKey(key *crypto.PublicKey) (*ecdsa.PublicKey, error) {
 	crv, err := toCurve(key.Curve)
 	if err != nil {
 		return nil, err

component/kmscrypto/pkg/crypto/eckey_test.go → component/kmscrypto/crypto/eckey_test.go

@@ -13,6 +13,8 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/hyperledger/aries-framework-go/spi/crypto"
 )
 
 func TestToECKey(t *testing.T) {
@@ -42,7 +44,7 @@ func TestToECKey(t *testing.T) {
 		tc := tt
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.name == "invalid curve" {
-				_, err := ToECKey(&PublicKey{
+				_, err := ToECKey(&crypto.PublicKey{
 					Curve: "undefined",
 					Type:  "EC",
 				})
@@ -54,7 +56,7 @@ func TestToECKey(t *testing.T) {
 			privKey, err := ecdsa.GenerateKey(tc.curve, rand.Reader)
 			require.NoError(t, err)
 
-			pubKey := &PublicKey{
+			pubKey := &crypto.PublicKey{
 				X:     privKey.X.Bytes(),
 				Y:     privKey.Y.Bytes(),
 				Curve: tc.curve.Params().Name,

component/kmscrypto/pkg/crypto/primitive/bbs12381g2pub/bbs12381g2pub.go → component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs12381g2pub.go

@@ -8,10 +8,10 @@ SPDX-License-Identifier: Apache-2.0
 // to use BBS+ keys created by the kms along with the framework's Crypto service.
 //
 // The default local Crypto service is found at:
-// "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto"
+// "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto"
 //
 // While the remote Crypto service is found at:
-// "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/webkms"
+// "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/webkms"
 package bbs12381g2pub
 
 import (

component/kmscrypto/pkg/crypto/primitive/bbs12381g2pub/bbs_test.go → component/kmscrypto/crypto/primitive/bbs12381g2pub/bbs_test.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/primitive/bbs12381g2pub"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/primitive/bbs12381g2pub"
 )
 
 //nolint:lll

component/kmscrypto/pkg/crypto/primitive/bbs12381g2pub/keys_test.go → component/kmscrypto/crypto/primitive/bbs12381g2pub/keys_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/btcsuite/btcutil/base58"
 	"github.com/stretchr/testify/require"
 
-	bbs "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/primitive/bbs12381g2pub"
+	bbs "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/primitive/bbs12381g2pub"
 )
 
 func TestGenerateKeyPair(t *testing.T) {

component/kmscrypto/pkg/crypto/primitive/bbs12381g2pub/signature_test.go → component/kmscrypto/crypto/primitive/bbs12381g2pub/signature_test.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	bbs "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/primitive/bbs12381g2pub"
+	bbs "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/primitive/bbs12381g2pub"
 )
 
 func TestParseSignature(t *testing.T) {

component/kmscrypto/pkg/crypto/tinkcrypto/cl_crypto.go → component/kmscrypto/crypto/tinkcrypto/cl_crypto.go

@@ -14,8 +14,8 @@ import (
 
 	"github.com/google/tink/go/keyset"
 
-	bld "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/cl/blinder"
-	sgn "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/cl/signer"
+	bld "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/cl/blinder"
+	sgn "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/cl/signer"
 )
 
 // Blind will blind provided values with MasterSecret provided in a kh

component/kmscrypto/pkg/crypto/tinkcrypto/cl_crypto_test.go → component/kmscrypto/crypto/tinkcrypto/cl_crypto_test.go

@@ -16,8 +16,8 @@ import (
 	"github.com/hyperledger/ursa-wrapper-go/pkg/libursa/ursa"
 	"github.com/stretchr/testify/require"
 
-	bld "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/cl/blinder"
-	sgn "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/cl/signer"
+	bld "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/cl/blinder"
+	sgn "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/cl/signer"
 )
 
 func TestCL(t *testing.T) {

component/kmscrypto/pkg/crypto/tinkcrypto/crypto.go → component/kmscrypto/crypto/tinkcrypto/crypto.go

@@ -22,9 +22,10 @@ import (
 	"github.com/google/tink/go/signature"
 	"golang.org/x/crypto/chacha20poly1305"
 
-	cryptoapi "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/aead/subtle"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/bbs"
+	"github.com/hyperledger/aries-framework-go/spi/crypto"
+
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/aead/subtle"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/bbs"
 )
 
 const (
@@ -239,13 +240,13 @@ func (t *Crypto) VerifyMAC(macBytes, data []byte, kh interface{}) error {
 //     (for recPubKey with X25519 curve).
 //
 // returns the resulting key wrapping info as *composite.RecipientWrappedKey or error in case of wrapping failure.
-func (t *Crypto) WrapKey(cek, apu, apv []byte, recPubKey *cryptoapi.PublicKey,
-	wrapKeyOpts ...cryptoapi.WrapKeyOpts) (*cryptoapi.RecipientWrappedKey, error) {
+func (t *Crypto) WrapKey(cek, apu, apv []byte, recPubKey *crypto.PublicKey,
+	wrapKeyOpts ...crypto.WrapKeyOpts) (*crypto.RecipientWrappedKey, error) {
 	if recPubKey == nil {
 		return nil, errors.New("wrapKey: recipient public key is required")
 	}
 
-	pOpts := cryptoapi.NewOpt()
+	pOpts := crypto.NewOpt()
 
 	for _, opt := range wrapKeyOpts {
 		opt(pOpts)
@@ -294,13 +295,13 @@ func (t *Crypto) WrapKey(cek, apu, apv []byte, recPubKey *cryptoapi.PublicKey,
 //	curved keys. Unwrapping a key with non matching types/curves will result in unwrapping failure.
 //
 // 4- recipientKH must contain the private key since unwrapping is usually done on the recipient side.
-func (t *Crypto) UnwrapKey(recWK *cryptoapi.RecipientWrappedKey, recipientKH interface{},
-	wrapKeyOpts ...cryptoapi.WrapKeyOpts) ([]byte, error) {
+func (t *Crypto) UnwrapKey(recWK *crypto.RecipientWrappedKey, recipientKH interface{},
+	wrapKeyOpts ...crypto.WrapKeyOpts) ([]byte, error) {
 	if recWK == nil {
 		return nil, fmt.Errorf("unwrapKey: RecipientWrappedKey is empty")
 	}
 
-	pOpts := cryptoapi.NewOpt()
+	pOpts := crypto.NewOpt()
 
 	for _, opt := range wrapKeyOpts {
 		opt(pOpts)

component/kmscrypto/pkg/crypto/tinkcrypto/crypto_test.go → component/kmscrypto/crypto/tinkcrypto/crypto_test.go

@@ -24,20 +24,22 @@ import (
 	"github.com/stretchr/testify/require"
 	chacha "golang.org/x/crypto/chacha20poly1305"
 
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/aead"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/aead/subtle"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/bbs"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/composite/ecdh"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/composite/keyio"
-	ecdhpb "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/proto/ecdh_aead_go_proto"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/secp256k1"
+	cryptoapi "github.com/hyperledger/aries-framework-go/spi/crypto"
+
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/aead"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/aead/subtle"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/bbs"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/composite/ecdh"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/composite/keyio"
+	ecdhpb "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/proto/ecdh_aead_go_proto"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/secp256k1"
 )
 
 const testMessage = "test message"
 
 // Assert that Crypto implements the Crypto interface.
-var _ crypto.Crypto = (*Crypto)(nil)
+var _ cryptoapi.Crypto = (*Crypto)(nil)
 
 func TestNew(t *testing.T) {
 	_, err := New()
@@ -581,17 +583,17 @@ func TestCrypto_ECDHES_Wrap_Unwrap_ForAllKeyTypes(t *testing.T) {
 
 			var senderKH *keyset.Handle
 
-			var wrapKeyOtps []crypto.WrapKeyOpts
+			var wrapKeyOtps []cryptoapi.WrapKeyOpts
 			if tc.useXC20P {
 				// WithXC20OKW option used for WrapKey() only. UnwrapKey() does not check this option, it checks kwAlg.
-				wrapKeyOtps = append(wrapKeyOtps, crypto.WithXC20PKW())
+				wrapKeyOtps = append(wrapKeyOtps, cryptoapi.WithXC20PKW())
 			}
 
 			if tc.senderKT != nil {
 				senderKH, err = keyset.NewHandle(tc.senderKT)
 				require.NoError(t, err)
 
-				wrapKeyOtps = append(wrapKeyOtps, crypto.WithSender(senderKH))
+				wrapKeyOtps = append(wrapKeyOtps, cryptoapi.WithSender(senderKH))
 			}
 
 			wrappedKey, err := c.WrapKey(cek, apu, apv, recipientKey, wrapKeyOtps...)
@@ -605,14 +607,14 @@ func TestCrypto_ECDHES_Wrap_Unwrap_ForAllKeyTypes(t *testing.T) {
 			require.Equal(t, tc.keyType, wrappedKey.EPK.Type)
 
 			if senderKH != nil {
-				var senderPubKey *crypto.PublicKey
+				var senderPubKey *cryptoapi.PublicKey
 
 				// mimic recipient side (by using sender public key for unwrapping instead of the private key)
 				senderPubKey, err = keyio.ExtractPrimaryPublicKey(senderKH)
 				require.NoError(t, err)
 
 				// reset wrapKeyOpts because UnwrapKey only uses WithSender() option.
-				wrapKeyOtps = []crypto.WrapKeyOpts{crypto.WithSender(senderPubKey)}
+				wrapKeyOtps = []cryptoapi.WrapKeyOpts{cryptoapi.WithSender(senderPubKey)}
 			}
 
 			uCEK, err := c.UnwrapKey(wrappedKey, recipientKeyHandle, wrapKeyOtps...)
@@ -640,13 +642,13 @@ func TestCrypto_ECDH1PU_Wrap_Unwrap_Key(t *testing.T) {
 	apv := random.GetRandomBytes(uint32(10)) // or recipient name
 
 	// test with bad senderKH value
-	_, err = c.WrapKey(cek, apu, apv, recipientKey, crypto.WithSender("badKey"))
+	_, err = c.WrapKey(cek, apu, apv, recipientKey, cryptoapi.WithSender("badKey"))
 	require.EqualError(t, err, "wrapKey: deriveKEKAndWrap: error ECDH-1PU kek derivation: derive1PUKEK: EC key"+
 		" derivation error derive1PUWithECKey: failed to retrieve sender key: ksToPrivateECDSAKey: bad key handle "+
 		"format")
 
 	// now test WrapKey with good key
-	wrappedKey, err := c.WrapKey(cek, apu, apv, recipientKey, crypto.WithSender(senderKH))
+	wrappedKey, err := c.WrapKey(cek, apu, apv, recipientKey, cryptoapi.WithSender(senderKH))
 	require.NoError(t, err)
 	require.NotEmpty(t, wrappedKey.EncryptedCEK)
 	require.NotEmpty(t, wrappedKey.EPK)
@@ -658,7 +660,7 @@ func TestCrypto_ECDH1PU_Wrap_Unwrap_Key(t *testing.T) {
 	senderPubKH, err := senderKH.Public()
 	require.NoError(t, err)
 
-	uCEK, err := c.UnwrapKey(wrappedKey, recipientKeyHandle, crypto.WithSender(senderPubKH))
+	uCEK, err := c.UnwrapKey(wrappedKey, recipientKeyHandle, cryptoapi.WithSender(senderPubKH))
 	require.NoError(t, err)
 	require.EqualValues(t, cek, uCEK)
 
@@ -675,7 +677,7 @@ func TestCrypto_ECDH1PU_Wrap_Unwrap_Key(t *testing.T) {
 		Y:     new(big.Int).SetBytes(senderPubKey.Y),
 	}
 
-	uCEK, err = c.UnwrapKey(wrappedKey, recipientKeyHandle, crypto.WithSender(senderECPubKey))
+	uCEK, err = c.UnwrapKey(wrappedKey, recipientKeyHandle, cryptoapi.WithSender(senderECPubKey))
 	require.NoError(t, err)
 	require.EqualValues(t, cek, uCEK)
 }
@@ -703,7 +705,7 @@ func TestCrypto_ECDH1PU_Wrap_Unwrap_Key_Using_CryptoPubKey_as_SenderKey(t *testi
 
 	// test WrapKey with extacted crypto.PublicKey above directly
 	// WrapKey() only accepts senderKH as keyset.Handle because it will use its private key.
-	wrappedKey, err := c.WrapKey(cek, apu, apv, recipientKey, crypto.WithSender(senderKH))
+	wrappedKey, err := c.WrapKey(cek, apu, apv, recipientKey, cryptoapi.WithSender(senderKH))
 	require.NoError(t, err)
 	require.NotEmpty(t, wrappedKey.EncryptedCEK)
 	require.NotEmpty(t, wrappedKey.EPK)
@@ -712,7 +714,7 @@ func TestCrypto_ECDH1PU_Wrap_Unwrap_Key_Using_CryptoPubKey_as_SenderKey(t *testi
 	require.Equal(t, wrappedKey.Alg, ECDH1PUA256KWAlg)
 
 	// UnwrapKey require sender public key used here or keyset.Handle which was tested in the previous function above
-	uCEK, err := c.UnwrapKey(wrappedKey, recipientKeyHandle, crypto.WithSender(senderPubKey))
+	uCEK, err := c.UnwrapKey(wrappedKey, recipientKeyHandle, cryptoapi.WithSender(senderPubKey))
 	require.NoError(t, err)
 	require.EqualValues(t, cek, uCEK)
 
@@ -725,7 +727,7 @@ func TestCrypto_ECDH1PU_Wrap_Unwrap_Key_Using_CryptoPubKey_as_SenderKey(t *testi
 		Y:     new(big.Int).SetBytes(senderPubKey.Y),
 	}
 
-	uCEK, err = c.UnwrapKey(wrappedKey, recipientKeyHandle, crypto.WithSender(senderECPubKey))
+	uCEK, err = c.UnwrapKey(wrappedKey, recipientKeyHandle, cryptoapi.WithSender(senderECPubKey))
 	require.NoError(t, err)
 	require.EqualValues(t, cek, uCEK)
 }

component/kmscrypto/pkg/crypto/tinkcrypto/key_wrapper.go → component/kmscrypto/crypto/tinkcrypto/key_wrapper.go

@@ -20,11 +20,13 @@ import (
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/curve25519"
 
-	cryptoapi "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/aead/subtle"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/composite/keyio"
-	ecdhpb "github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/crypto/tinkcrypto/primitive/proto/ecdh_aead_go_proto"
-	"github.com/hyperledger/aries-framework-go/component/kmscrypto/pkg/internal/cryptoutil"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/internal/cryptoutil"
+
+	cryptoapi "github.com/hyperledger/aries-framework-go/spi/crypto"
+
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/aead/subtle"
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/composite/keyio"
+	ecdhpb "github.com/hyperledger/aries-framework-go/component/kmscrypto/crypto/tinkcrypto/primitive/proto/ecdh_aead_go_proto"
 )
 
 const defKeySize = 32