chore: Merge branch 'release/4.19.0'

.github/scripts/cargo_build.sh

@@ -7,6 +7,7 @@ set -ex
 # export DEBUG_OR_RELEASE=debug
 # export OPENSSL_DIR=/usr/local/openssl
 # export SKIP_SERVICES_TESTS="--skip test_mysql --skip test_pgsql --skip test_redis --skip google_cse --skip test_all_authentications"
+# export FEATURES="fips"
 
 ROOT_FOLDER=$(pwd)
 
@@ -65,11 +66,10 @@ rustup target add "$TARGET"
 if [ "$DEBUG_OR_RELEASE" = "release" ]; then
   # Before building the crates, test crates individually on specific features
   cargo install --version 0.6.31 cargo-hack --force
-  crates=("crate/kmip" "crate/client" "crate/cli" "crate/server")
+  crates=("crate/kmip" "crate/client")
   for crate in "${crates[@]}"; do
-    echo "cargo hack on $crate"
     cd "$crate"
-    cargo hack test --feature-powerset --no-dev-deps
+    cargo hack test --feature-powerset --all-targets
     cd "$ROOT_FOLDER"
   done
 fi

.github/workflows/build_rhel9.yml

@@ -81,6 +81,7 @@ jobs:
         run: |
           set -x
 
+          yum -y install python-devel
           yum -y install wget
           yum -y install perl-IPC-Cmd perl-Digest-SHA1 perl-CPAN perl-devel
 

.pre-commit-config.yaml

@@ -7,27 +7,17 @@
 
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-exclude: crate/cli/test_data|documentation/pandoc|documentation/overrides|enclave|crate/server/src/tests/test_utils.rs|crate/cli/src/tests/utils/test_utils.rs|crate/client/src/lib.rs|crate/cli/src/tests/certificates/openssl.rs|crate/client/src/kms_rest_client.rs|.pre-commit-config.yaml|crate/server/src/routes/google_cse/jwt.rs|crate/server/src/routes/google_cse/python/openssl|documentation/docs/google_cse|crate/pkcs11/sys
+exclude: crate/cli/test_data|documentation/pandoc|documentation/overrides|enclave|crate/server/src/tests/test_utils.rs|crate/cli/src/tests/utils/test_utils.rs|crate/client/src/lib.rs|crate/cli/src/tests/certificates/openssl.rs|crate/client/src/kms_rest_client.rs|.pre-commit-config.yaml|crate/server/src/routes/google_cse/jwt.rs|crate/server/src/routes/google_cse/python/openssl|documentation/docs/google_cse|crate/pkcs11/sys|documentation/docs/drawings
 repos:
   - repo: https://github.com/compilerla/conventional-pre-commit
-    rev: v3.2.0
+    rev: v3.4.0
     hooks:
       - id: conventional-pre-commit
         stages: [commit-msg]
         args: [] # optional: list of Conventional Commits types to allow e.g. [feat, fix, ci, chore, test]
 
-  # - repo: https://github.com/pre-commit/mirrors-prettier
-  #   rev: v4.0.0-alpha.8
-  #   hooks:
-  #     - id: prettier
-  #       stages: [commit]
-  #       exclude_types:
-  #         - yaml
-  #         - markdown
-  #       exclude: documentation/theme_overrides|.cargo_check
-
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.40.0
+    rev: v0.42.0
     hooks:
       - id: markdownlint-fix
         args:
@@ -43,7 +33,7 @@ repos:
         exclude: documentation/docs
 
   - repo: https://github.com/tcort/markdown-link-check
-    rev: v3.12.1
+    rev: v3.12.2
     hooks:
       - id: markdown-link-check
         args: [-q]
@@ -57,7 +47,7 @@ repos:
         exclude: ansible
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.21.0
+    rev: v1.25.0
     hooks:
       - id: typos
         exclude: documentation/docs/images/google_cse.drawio.svg|crate/test_server/src/test_jwt.rs|crate/pkcs11/documentation/veracrypt_ckms.svg|crate/client/test_data/configs/kms.bad|crate/test_server/certificates/|crate/client/test_data/configs/|crate/server/src/tests/google_cse/|documentation/docs/pkcs11/images|crate/server/resources|documentation/docs/algorithms.md|crate/server/src/tests/certificates/chain/root/ca/|documentation/docs/pki/smime.md
@@ -73,7 +63,7 @@ repos:
         exclude: ^.git/|crate/server/src/tests/certificates/chain/root/ca
 
   - repo: https://github.com/sirosen/texthooks
-    rev: 0.6.6
+    rev: 0.6.7
     hooks:
       - id: fix-smartquotes
       - id: fix-ligatures
@@ -88,7 +78,7 @@ repos:
       - id: shellcheck
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: check-added-large-files
       - id: check-ast
@@ -122,7 +112,7 @@ repos:
         exclude: crate/kmip/src/kmip/extra/x509_extensions.rs
 
   - repo: https://github.com/psf/black
-    rev: 24.4.2
+    rev: 24.8.0
     hooks:
       - id: black
         # avoid clash with `double-quote-string-fixer`
@@ -150,7 +140,7 @@ repos:
       - id: docker-compose-down
 
   - repo: https://github.com/EmbarkStudios/cargo-deny
-    rev: 0.14.16 # choose your preferred tag
+    rev: 0.16.1 # choose your preferred tag
     hooks:
       - id: cargo-deny
         args: [--all-features, check]

.vale.ini

@@ -4,3 +4,4 @@ MinAlertLevel = suggestion
 
 [*.md]
 BasedOnStyles = Vale
+Vale.Spelling = NO

CHANGELOG.md

@@ -2,19 +2,25 @@
 
 All notable changes to this project will be documented in this file.
 
-## [4.19.0] - 2024-10-04
+## [4.19.0] - 2024-10-09
 
 ### 🚀 Features
 
-- Google Workspace Client-Side-Encryption (CSE) updates ([#319](https://github.com/Cosmian/kms/pull/319))
-  - Generate Google S/MIME key-pairs and identities and upload them to Gmail API from ckms CLI ([#270](https://github.com/Cosmian/kms/issues/270))
+- Google Workspace Client-Side-Encryption (CSE)
+  updates ([#319](https://github.com/Cosmian/kms/pull/319))
+  - Generate Google S/MIME key-pairs and identities and upload them to Gmail API from ckms
+      CLI ([#270](https://github.com/Cosmian/kms/issues/270))
   - Server-side, export cert at PKCS7 format
   - Implement missing CSE endpoints
   - Wrap/unwrap CSE elements with authenticated encryption
   - Export wrapped keys from KMS specifying the cipher mode
   - Handle auth for guest users ([#271](https://github.com/Cosmian/kms/issues/271))
 - Add SetAttribute/DeleteAttribute KMIP operations ([#303](https://github.com/Cosmian/kms/pull/303))
-- Reenable wrap/unwrap on ckms by linking statically on openssl ([#317](https://github.com/Cosmian/kms/pull/317))
+- Re-enable wrap/unwrap on ckms by linking statically on openssl ([#317](https://github.com/Cosmian/kms/pull/317))
+- Added AES GCM-SIV and AES XTS ([#328](https://github.com/Cosmian/kms/pull/328))
+- Added the ability to client side encrypt files with `ckms` and a hybrid scheme ([#328](https://github.com/Cosmian/kms/pull/328))
+- Create Symmetric Key / Private keys with custom unique id ([#326](https://github.com/Cosmian/kms/pull/326))
+- Replace Debug derive trait of KMIP Object by a custom Display impl ([#327](https://github.com/Cosmian/kms/pull/327))
 
 ### Documentation
 

Cargo.toml

@@ -1,16 +1,16 @@
 [workspace]
 default-members = ["crate/cli", "crate/server", "crate/pkcs11/provider"]
 members = [
-    "crate/cli",
-    "crate/client",
-    "crate/kmip",
-    "crate/server",
-    "crate/logger",
-    "crate/pyo3",
-    "crate/test_server",
-    "crate/pkcs11/sys",
-    "crate/pkcs11/module",
-    "crate/pkcs11/provider",
+  "crate/cli",
+  "crate/client",
+  "crate/kmip",
+  "crate/server",
+  "crate/logger",
+  "crate/pyo3",
+  "crate/test_server",
+  "crate/pkcs11/sys",
+  "crate/pkcs11/module",
+  "crate/pkcs11/provider",
 ]
 # Do that if you don't want to enable `dev` feature by default due to the `dev-dependencies` of the cli.
 # For more details, read: https://doc.rust-lang.org/cargo/reference/resolver.html#feature-resolver-version-2
@@ -22,9 +22,9 @@ version = "4.19.0"
 edition = "2021"
 rust-version = "1.71.0"
 authors = [
-    "Bruno Grieder <[email protected]>",
-    "Emmanuel Coste <[email protected]>",
-    "Hugo Rosenkranz-Costa <[email protected]>",
+  "Bruno Grieder <[email protected]>",
+  "Emmanuel Coste <[email protected]>",
+  "Hugo Rosenkranz-Costa <[email protected]>",
 ]
 license = "BUSL-1.1" # "Business Source License 1.1"
 license-file = "LICENSE"
@@ -60,6 +60,7 @@ cloudproof = "3.0"
 der = { version = "0.7", default-features = false }
 env_logger = "0.11"
 hex = { version = "0.4", default-features = false }
+leb128 = "0.2.5"
 log = { version = "0.4", default-features = false }
 native-tls = "0.2"
 num_cpus = "1.13"
@@ -71,7 +72,7 @@ reqwest = { version = "0.11", default-features = false }
 rustls = "0.21"
 serde = "1.0"
 serde_json = "1.0"
-sha3 = { version = "0.10", default-features = false}
+sha3 = { version = "0.10", default-features = false }
 strum = { version = "0.25", default-features = false }
 thiserror = "1.0"
 time = "0.3"

README.md

@@ -49,7 +49,7 @@ Keys can be wrapped and unwrapped using RSA, ECIES or RFC5649/AES KWP.
 
 ## Quick start
 
-Pre-built binaries [are available](https://package.cosmian.com/kms/4.18.0/)
+Pre-built binaries [are available](https://package.cosmian.com/kms/4.19.0/)
 for Linux, MacOS, and Windows, as well as Docker images. To run the server binary, OpenSSL must be
 available in your path (see "building the KMS" below for details); other binaries do not have this
 requirement.

crate/cli/Cargo.toml

@@ -19,8 +19,6 @@ test = false
 doctest = false
 
 [features]
-# default is used to run tests with the remote kms test server. Otherwise, the test runs a local kms server.
-default = []
 fips = ["cosmian_kms_client/fips"]
 
 [dependencies]
@@ -43,6 +41,7 @@ hex = { workspace = true }
 jwt-simple = { version = "0.12", default-features = false, features = [
   "pure-rust",
 ] }
+leb128 = { workspace = true }
 oauth2 = { version = "4.4", features = ["reqwest"] }
 pem = { workspace = true }
 reqwest = { workspace = true }
@@ -62,10 +61,6 @@ actix-rt = { workspace = true }
 actix-server = { workspace = true }
 assert_cmd = "2.0"
 const-oid = { version = "0.9", features = ["db"] }
-cosmian_kms_server = { path = "../server", features = [
-  "insecure",
-], default-features = false }
-cosmian_logger = { path = "../logger" }
 kms_test_server = { path = "../test_server" }
 openssl = { workspace = true }
 predicates = "3.1"

crate/cli/src/actions/cover_crypt/decrypt.rs

@@ -87,7 +87,7 @@ impl DecryptAction {
             }),
         );
 
-        tracing::debug!("{decrypt_request:?}");
+        tracing::debug!("{decrypt_request}");
 
         // Query the KMS with your kmip data and get the key pair ids
         let decrypt_response = kms_rest_client

crate/cli/src/actions/cover_crypt/encrypt.rs

@@ -82,6 +82,7 @@ impl EncryptAction {
             Some(self.encryption_policy.to_string()),
             data,
             None,
+            None,
             self.authentication_data
                 .as_deref()
                 .map(|s| s.as_bytes().to_vec()),
@@ -91,7 +92,7 @@ impl EncryptAction {
             }),
         )?;
 
-        tracing::debug!("{encrypt_request:?}");
+        tracing::debug!("{encrypt_request}");
 
         // Query the KMS with your kmip data and get the key pair ids
         let encrypt_response = kms_rest_client

crate/cli/src/actions/elliptic_curves/encrypt.rs

@@ -62,6 +62,7 @@ impl EncryptAction {
             None,
             data,
             None,
+            None,
             self.authentication_data
                 .as_deref()
                 .map(|s| s.as_bytes().to_vec()),

crate/cli/src/actions/elliptic_curves/keys/create_key_pair.rs

@@ -4,6 +4,7 @@ use cosmian_kms_client::{
         crypto::elliptic_curves::kmip_requests::create_ec_key_pair_request,
         kmip::kmip_types::RecommendedCurve,
     },
+    kmip::kmip_types::UniqueIdentifier,
     KmsClient,
 };
 
@@ -73,11 +74,21 @@ pub struct CreateKeyPairAction {
     /// To specify multiple tags, use the option multiple times.
     #[clap(long = "tag", short = 't', value_name = "TAG")]
     tags: Vec<String>,
+
+    /// The unique id of the private key; a unique id based
+    /// on the key material is generated if not specified.
+    #[clap(required = false)]
+    private_key_id: Option<String>,
 }
 
 impl CreateKeyPairAction {
     pub async fn run(&self, kms_rest_client: &KmsClient) -> CliResult<()> {
-        let create_key_pair_request = create_ec_key_pair_request(&self.tags, self.curve.into())?;
+        let private_key_id = self
+            .private_key_id
+            .as_ref()
+            .map(|id| UniqueIdentifier::TextString(id.clone()));
+        let create_key_pair_request =
+            create_ec_key_pair_request(private_key_id, &self.tags, self.curve.into())?;
 
         // Query the KMS with your kmip data and get the key pair ids
         let create_key_pair_response = kms_rest_client

crate/cli/src/actions/google/keypairs/create.rs

@@ -146,7 +146,11 @@ impl CreateKeyPairsAction {
             }
             None => {
                 let created_key_pair = kms_rest_client
-                    .create_key_pair(create_rsa_key_pair_request(Vec::<String>::new(), RSA_4096)?)
+                    .create_key_pair(create_rsa_key_pair_request(
+                        None,
+                        Vec::<String>::new(),
+                        RSA_4096,
+                    )?)
                     .await?;
                 (
                     created_key_pair.private_key_unique_identifier.to_string(),

crate/cli/src/actions/rsa/encrypt.rs

@@ -96,6 +96,7 @@ impl EncryptAction {
             data,
             None,
             None,
+            None,
             Some(to_cryptographic_parameters(
                 self.encryption_algorithm,
                 self.hash_fn,