From da8d6abf96d238888072cc0e0774cfb19620fd09 Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger
Date: Tue, 26 May 2026 09:13:28 +0200
Subject: [PATCH 1/2] fix: use random UUID as private key alias for participant manifests

Generate a UUID for PrivateKeyAlias instead of reusing the KeyID, so each participant manifest gets a unique, unpredictable vault alias.

Co-Authored-By: Claude Sonnet 4.6
---
 agent/common/identityhub/types.go | 7 +++----
 agent/common/identityhub/types_test.go | 4 +++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/agent/common/identityhub/types.go b/agent/common/identityhub/types.go
index 966a762..6c87a3a 100644
--- a/agent/common/identityhub/types.go
+++ b/agent/common/identityhub/types.go
@@ -18,6 +18,7 @@ import (
 "strings"

 commonvault "github.com/eclipse-cfm/cfm/agent/common/vault"
+ "github.com/google/uuid"
 )

 const (
@@ -85,7 +86,7 @@ func NewParticipantManifest(
 IsActive: true,
 KeyGeneratorParameters: KeyGeneratorParameters{
 KeyID: DefaultKeyID,
- PrivateKeyAlias: DefaultKeyID,
+ PrivateKeyAlias: uuid.NewString(),
 KeyAlgorithm: DefaultAlgorithm,
 Curve: DefaultCurve,
 },
@@ -103,9 +104,7 @@ func NewParticipantManifest(
 if !strings.HasPrefix(sanitizedKeyID, "#") {
 sanitizedKeyID = "#" + sanitizedKeyID
 }
- sanitizedKeyID = did + sanitizedKeyID
- manifest.KeyGeneratorParameters.KeyID = sanitizedKeyID
- manifest.KeyGeneratorParameters.PrivateKeyAlias = sanitizedKeyID
+ manifest.KeyGeneratorParameters.KeyID = did + sanitizedKeyID
 }

 return manifest
diff --git a/agent/common/identityhub/types_test.go b/agent/common/identityhub/types_test.go
index d026a92..95fee76 100644
--- a/agent/common/identityhub/types_test.go
+++ b/agent/common/identityhub/types_test.go
@@ -18,6 +18,7 @@ import (
 "encoding/json"
 "testing"

+ "github.com/google/uuid"
 "github.com/stretchr/testify/require"
 )

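Review bot: The new `PrivateKeyAlias: uuid.NewString()` line introduces a panic path into a constructor that previously could not fail, because `uuid.NewString()` is the Must-wrapped form of `uuid.NewRandom()` and panics when the random source errors; NewParticipantManifest does not appear to return an error, so switching to `uuid.NewRandom()` would need a signature change, and if the panic is accepted it should be a documented decision. The larger behavioural change is that the alias is no longer derivable from the DID and key id, so regenerating a manifest for the same participant yields a different alias and the key stored under the earlier alias becomes unreachable unless the manifest (or at least the alias) is persisted after first generation; the custom-key-id branch in the `@@ -103,9 +104,7 @@` hunk now keeps the random alias too, so the same applies there. Suggest a comment above the field: `// PrivateKeyAlias is a random UUID, not derived from KeyID or the DID; persist the manifest, a regenerated one will not locate the existing vault entry.` NewParticipantManifest begins and ends outside this hunk.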
@@ -28,7 +29,8 @@ func TestNewParticipantManifest_WithDefaults(t *testing.T) {
 require.Equal(t, manifest.ProtocolServiceID, "test-id-dsp")
 require.Equal(t, manifest.IsActive, true)
 require.Equal(t, manifest.KeyGeneratorParameters.KeyID, "did:web:foo#"+DefaultKeyID)
- require.Equal(t, manifest.KeyGeneratorParameters.PrivateKeyAlias, "did:web:foo#"+DefaultKeyID)
+ _, err := uuid.Parse(manifest.KeyGeneratorParameters.PrivateKeyAlias)
+ require.NoError(t, err)
 require.Equal(t, manifest.VaultConfig.SecretPath, "v1/participants")
 require.Equal(t, manifest.VaultConfig.FolderPath, "test-id/identityhub")
 }

From d81eb0c39c89bfc143f4d156b9f6b42af361ad3a Mon Sep 17 00:00:00 2001
From: Paul Latzelsperger
Date: Tue, 26 May 2026 09:28:08 +0200
Subject: [PATCH 2/2] fix vault container start

---
 assembly/vault/fixtures.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/assembly/vault/fixtures.go b/assembly/vault/fixtures.go
index 2843bcf..0019dbb 100644
--- a/assembly/vault/fixtures.go
+++ b/assembly/vault/fixtures.go
@@ -26,6 +26,7 @@ import (
 "github.com/eclipse-cfm/cfm/assembly/serviceapi"
 "github.com/eclipse-cfm/cfm/common/system"
 "github.com/google/uuid"
+ "github.com/moby/moby/api/types/container"
 "github.com/stretchr/testify/require"
 "github.com/testcontainers/testcontainers-go"
 "github.com/testcontainers/testcontainers-go/network"
@@ -66,6 +67,9 @@ func StartVaultContainer(ctx context.Context, networkName string) (*ContainerRes
 ExposedPorts: []string{vaultPort},
 Networks: []string{networkName},
 Name: name,
+ HostConfigModifier: func(hc *container.HostConfig) {
+ hc.CapAdd = append(hc.CapAdd, "IPC_LOCK")
+ },
 Env: map[string]string{
 "VAULT_DEV_ROOT_TOKEN_ID": vaultRootToken,
 "SKIP_SETCAP": "true", // this is required to run as non-root user in some environments, such as M1 macs
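Review bot: The replacement assertion `_, err := uuid.Parse(...)` is a loose check for the new alias: `uuid.Parse` accepts braced, `urn:uuid:` and 32-hex forms and says nothing about randomness, so it would still pass if the alias were built from a fixed or predictable value, which is exactly what the commit sets out to rule out. Tighten it to the claimed property, e.g. `id, err := uuid.Parse(manifest.KeyGeneratorParameters.PrivateKeyAlias)` / `require.NoError(t, err)` / `require.Equal(t, uuid.Version(4), id.Version())`, and add assertions that the alias differs from `manifest.KeyGeneratorParameters.KeyID` and that a second manifest built with the same arguments gets a different alias. The manifest construction this test relies on is above the hunk, so the second call belongs there.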
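Review bot: The new `HostConfigModifier` grants the fixture container CAP_IPC_LOCK without a comment, while the neighbouring `SKIP_SETCAP` entry does explain itself, so a reader has to fall back on the commit title to learn that the container did not start without it. Suggest `// Vault mlocks its memory and needs CAP_IPC_LOCK for that; per the commit, the dev container did not start without it.` above `HostConfigModifier:`, and a clause relating it to `SKIP_SETCAP` (which skips the entrypoint's file-capability step) so the two settings are not changed independently. Adding one named capability rather than running the fixture privileged is the right scope and worth keeping if more are ever needed. StartVaultContainer's body continues outside the hunk.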