* feat: replace attribute rotation to access policy rekey * refacto: move policy and rekey action in dedicated files * chore: change vendor attribute name for covercrypt rekey action * feat: change CLI command rotate to rekey and update tests * fix: update user key locate tests * ci: fix pyo3 tests * ci: use last cloudproof python branch * refacto: master keys rekey * feat(pyo3): support and test policy attribute removal and renaming * refacto: reuse updated private key to refresh user key * ci: update cloudproof_kms_js branch * refacto: factor user keys update inner for loop in `refresh_user_decryption_key` * fix: cli rekey imports * ci: fix cargo udeps * feat: add cli command `cc keys rekey` and `cc keys prune` * feat: add cli policy edit command and tests * fix: remove deadcode and fix comments * use closures in CC keys update * fix: group KMS objects with their IDs * fix: use release test to avoid worker stack overflow upon test error * fix: review * fix: define type `KmipKeyUidObject` to store a key UID and its KmipObject * fix: apply review suggestions (cherry picked from commit ebd196e8ed251603b657e1e6445a9e6d8e75ce48) * ci: double `RUST_MIN_STACK` to `4MB` to avoid stack overflow during tests * docs: update doc of CLI rekey and policy edit * docs: update CLI doc and CHANGELOG * fix: Reduce stack footprint (#200) * CI: remove min stack size * Box in Attributes * Box key_wrapping_data and more cryptographic_parameters * Box attributes in KeyValue * Box BigUint and SafeBigUint in KeyMaterial * chore: update KMS version to `4.13.0` --------- Co-authored-by: Manuthor <[email protected]> Co-authored-by: Théophile BRÉZOT <[email protected]> Co-authored-by: Thibs <[email protected]>
1 parent
2f89b89
commit 4da4327
Showing
61 changed files
with
1,720 additions
and
1,264 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
use clap::Parser; | ||
use cosmian_kmip::crypto::cover_crypt::{ | ||
attributes::RekeyEditAction, kmip_requests::build_rekey_keypair_request, | ||
}; | ||
use cosmian_kms_client::KmsRestClient; | ||
|
||
use crate::{ | ||
cli_bail, | ||
error::{result::CliResultHelper, CliError}, | ||
}; | ||
|
||
/// Rekey the master and user keys for a given access policy. | ||
/// | ||
/// Active user decryption keys are automatically re-keyed. | ||
/// Revoked or destroyed user decryption keys are not re-keyed. | ||
/// | ||
/// User keys that have not been rekeyed will only be able to decrypt | ||
/// data encrypted before this operation. | ||
#[derive(Parser, Debug)] | ||
#[clap(verbatim_doc_comment)] | ||
pub struct RekeyAction { | ||
/// The access policy to rekey. | ||
/// Example: `department::marketing && level::confidential` | ||
#[clap(required = true)] | ||
access_policy: String, | ||
|
||
/// The private master key unique identifier stored in the KMS. | ||
/// If not specified, tags should be specified | ||
#[clap(long = "key-id", short = 'k', group = "key-tags")] | ||
secret_key_id: Option<String>, | ||
|
||
/// Tag to use to retrieve the key when no key id is specified. | ||
/// To specify multiple tags, use the option multiple times. | ||
#[clap(long = "tag", short = 't', value_name = "TAG", group = "key-tags")] | ||
tags: Option<Vec<String>>, | ||
} | ||
|
||
impl RekeyAction { | ||
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> { | ||
let id = if let Some(key_id) = &self.secret_key_id { | ||
key_id.clone() | ||
} else if let Some(tags) = &self.tags { | ||
serde_json::to_string(&tags)? | ||
} else { | ||
cli_bail!("Either --key-id or one or more --tag must be specified") | ||
}; | ||
|
||
// Create the kmip query | ||
let query = build_rekey_keypair_request( | ||
&id, | ||
RekeyEditAction::RekeyAccessPolicy(self.access_policy.clone()), | ||
)?; | ||
|
||
// Query the KMS with your kmip data | ||
let response = kms_rest_client | ||
.rekey_keypair(query) | ||
.await | ||
.with_context(|| "failed rekeying the master keys")?; | ||
|
||
println!( | ||
"The master private key {} and master public key {} were rekeyed for the access \ | ||
policy {:?}", | ||
&response.private_key_unique_identifier, | ||
&response.public_key_unique_identifier, | ||
&self.access_policy | ||
); | ||
Ok(()) | ||
} | ||
} | ||
|
||
/// Prune the master and user keys for a given access policy. | ||
/// | ||
/// Active user decryption keys are automatically pruned. | ||
/// Revoked or destroyed user decryption keys are not. | ||
/// | ||
/// Pruned user keys will only be able to decrypt ciphertexts | ||
/// generated after the last rekeying. | ||
#[derive(Parser, Debug)] | ||
#[clap(verbatim_doc_comment)] | ||
pub struct PruneAction { | ||
/// The access policy to prune. | ||
/// Example: `department::marketing && level::confidential` | ||
#[clap(required = true)] | ||
access_policy: String, | ||
|
||
/// The private master key unique identifier stored in the KMS. | ||
/// If not specified, tags should be specified | ||
#[clap(long = "key-id", short = 'k', group = "key-tags")] | ||
secret_key_id: Option<String>, | ||
|
||
/// Tag to use to retrieve the key when no key id is specified. | ||
/// To specify multiple tags, use the option multiple times. | ||
#[clap(long = "tag", short = 't', value_name = "TAG", group = "key-tags")] | ||
tags: Option<Vec<String>>, | ||
} | ||
|
||
impl PruneAction { | ||
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> { | ||
let id = if let Some(key_id) = &self.secret_key_id { | ||
key_id.clone() | ||
} else if let Some(tags) = &self.tags { | ||
serde_json::to_string(&tags)? | ||
} else { | ||
cli_bail!("Either --key-id or one or more --tag must be specified") | ||
}; | ||
|
||
// Create the kmip query | ||
let query = build_rekey_keypair_request( | ||
&id, | ||
RekeyEditAction::PruneAccessPolicy(self.access_policy.clone()), | ||
)?; | ||
|
||
// Query the KMS with your kmip data | ||
let response = kms_rest_client | ||
.rekey_keypair(query) | ||
.await | ||
.with_context(|| "failed pruning the master keys")?; | ||
|
||
println!( | ||
"The master private key {} and master public key {} were pruned for the access policy \ | ||
{:?}", | ||
&response.private_key_unique_identifier, | ||
&response.public_key_unique_identifier, | ||
&self.access_policy | ||
); | ||
Ok(()) | ||
} | ||
} |
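Review bot: `PruneAction::run` sends `RekeyEditAction::PruneAccessPolicy` to the KMS with no confirmation step, although the struct's own doc comment says pruned user keys can afterwards only decrypt ciphertexts generated after the last rekeying; a mistyped access policy, or a tag set that resolves to a different master key than intended, would therefore cost access to older data. With `--tag` the JSON-serialised tag list is passed as the identifier and the resolved key UIDs are printed only after the operation has completed; how the server treats tags that match more than one key is not visible here and should be stated on the `tags` field. I would add a line such as `/// This operation cannot be undone: re-encrypt or retire older ciphertexts first.` to the `PruneAction` doc comment, assuming pruning is in fact irreversible on the server side. The key-id/tags resolution block is duplicated verbatim in `RekeyAction::run` and `PruneAction::run`; a shared private helper would keep the two commands from diverging, and `serde_json::to_string(&tags)` can be `serde_json::to_string(tags)` because `tags` is already a reference.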