chore: Merge branch 'release/4.9.1'

.github/workflows/ci.yml

@@ -56,6 +56,7 @@ jobs:
       - cargo-doc
       - cargo-tests
       - python_and_docker
+      # - sgx_docker # do not depend on this for releases
     runs-on: [self-hosted, not-sgx]
     strategy:
       fail-fast: false

.github/workflows/docker_kms_sgx.yml

@@ -17,7 +17,6 @@ jobs:
     container: docker:19.03.15
 
     steps:
-
       - uses: actions/checkout@v1
 
       - name: Login to GitHub Packages
@@ -59,9 +58,9 @@ jobs:
       image-tag: ${{ steps.meta.outputs.version }}
 
   tests:
-        needs:
-          - build-and-push-image
-        uses: ./.github/workflows/docker_kms_sgx_tests.yml
-        secrets: inherit
-        with:
-          kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
+    needs:
+      - build-and-push-image
+    uses: ./.github/workflows/docker_kms_sgx_tests.yml
+    secrets: inherit
+    with:
+      kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}

.github/workflows/docker_kms_sgx_tests.yml

@@ -6,7 +6,7 @@ env:
   KMS_USE_CERTBOT: true
   KMS_CERTBOT_HOSTNAME: kms.sgx.ci.cosmian.dev
   KMS_CERTBOT_EMAIL: [email protected]
-  KMS_CERTBOT_USE_TEE_KEY: abcdef0123456789    
+  KMS_CERTBOT_USE_TEE_KEY: abcdef0123456789
 
 on:
   workflow_call:
@@ -16,9 +16,11 @@ on:
         type: string
 
 jobs:
-
   run_and_test:
 
+    concurrency:
+      group: sgx_concurrency_group
+
     services:
       kms:
         image: ghcr.io/cosmian/enclave-kms-insecure:${{ inputs.kms-version }}
@@ -40,7 +42,7 @@ jobs:
             -p 80:80 \
             -p 9998:9998 \
             -d --rm --name enclave-kms-insecure ghcr.io/cosmian/enclave-kms-insecure:${{ inputs.kms-version }}
-          
+
       - name: Install Rust toolchain
         uses: actions-rs/toolchain@v1
 
@@ -51,10 +53,10 @@ jobs:
         run: |
           KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms bootstrap-start --sqlite-path private_data/  --database-type sqlite
           sleep 20
-      
+
       - name: Verify
         run: KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms verify
-            
+
       - name: Symmetric key create
         run: KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms sym keys create
 

.github/workflows/python_and_docker.yml

@@ -69,17 +69,14 @@ jobs:
       kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
       branch: develop
 
-  cloudproof_js:
+  cloudproof_kms_js:
     needs:
       - build-and-push-image
       - pyo3
-    uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_js.yml@develop
+    uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_kms_js.yml@develop
     with:
-      branch: develop
-      target: wasm32-unknown-unknown
+      branch: test/kms_4_9
       kms-version: ${{ needs.build-and-push-image.outputs.image-tag }}
-      findex-cloud-version: 0.3.1
-      copy_fresh_build: false
 
   cloudproof_java:
     needs:

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.9.1] - 2023-11-14
+
+### Bug Fixes
+
+- KMIP server operations only support DER format for certificates (#89)
+
 ## [4.9.0] - 2023-11-10
 
 ### Bug Fixes

crate/cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_cli"
-version = "4.9.0"
+version = "4.9.1"
 edition = "2021"
 license-file = "../../LICENSE.md"
 description = "CLI used to manage the Cosmian KMS."

crate/cli/src/actions/certificates/import_certificate.rs

@@ -5,7 +5,7 @@ use cosmian_kmip::kmip::{kmip_objects::Object, kmip_types::CertificateType};
 use cosmian_kms_client::KmsRestClient;
 use openssl::x509::X509;
 use tracing::{debug, trace};
-use x509_parser::nom::AsBytes;
+use x509_parser::{nom::AsBytes, pem::parse_x509_pem};
 
 use crate::{
     actions::shared::utils::{import_object, read_bytes_from_file, read_key_from_file},
@@ -93,10 +93,10 @@ impl ImportCertificateAction {
             CertificateInputFormat::PEM => {
                 debug!("CLI: import certificate as PEM file");
                 let pem_value = read_bytes_from_file(&self.get_certificate_file()?)?;
-
+                let (_, pem) = parse_x509_pem(&pem_value)?;
                 let object = Object::Certificate {
                     certificate_type: CertificateType::X509,
-                    certificate_value: pem_value,
+                    certificate_value: pem.contents,
                 };
                 self.import(kms_rest_client, object, self.replace_existing)
                     .await?;
@@ -122,7 +122,7 @@ impl ImportCertificateAction {
                                 "X509 certificate not found in PKCS12".to_string(),
                             )
                         })?
-                        .to_pem()?,
+                        .to_der()?,
                 };
                 self.import(kms_rest_client, object, self.replace_existing)
                     .await?;
@@ -134,7 +134,7 @@ impl ImportCertificateAction {
                         .ok_or_else(|| {
                             CliError::InvalidRequest("Private key not found in PKCS12".to_string())
                         })?
-                        .private_key_to_pem_pkcs8()?,
+                        .private_key_to_der()?,
                 };
                 self.import(kms_rest_client, object, self.replace_existing)
                     .await?;
@@ -146,7 +146,7 @@ impl ImportCertificateAction {
                 for x509 in chain {
                     let object = Object::Certificate {
                         certificate_type: CertificateType::X509,
-                        certificate_value: x509.to_pem()?,
+                        certificate_value: x509.to_der()?,
                     };
                     self.import(kms_rest_client, object, self.replace_existing)
                         .await?;
@@ -160,7 +160,7 @@ impl ImportCertificateAction {
                 for cert in stack {
                     let object = Object::Certificate {
                         certificate_type: CertificateType::X509,
-                        certificate_value: cert.to_pem()?,
+                        certificate_value: cert.to_der()?,
                     };
                     self.import(kms_rest_client, object, self.replace_existing)
                         .await?;
@@ -187,7 +187,7 @@ impl ImportCertificateAction {
                 for cert in stack {
                     let object = Object::Certificate {
                         certificate_type: CertificateType::X509,
-                        certificate_value: cert.to_pem()?,
+                        certificate_value: cert.to_der()?,
                     };
                     self.import(kms_rest_client, object, true).await?;
                 }

crate/cli/src/tests/certificates/import.rs

@@ -77,26 +77,26 @@ pub async fn test_certificate_import_different_format() -> Result<(), CliError>
     // Create a test server
     let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
 
-    // import as TTLV JSON
+    // import as PEM
     import(
         &ctx.owner_cli_conf_path,
         "certificates",
-        "test_data/certificates/exported_certificate_ttlv.json",
-        CertificateInputFormat::TTLV,
-        None,
+        "test_data/certificates/ca.crt",
+        CertificateInputFormat::PEM,
         None,
+        Some(&["import_cert"]),
         false,
         false,
     )?;
 
-    // import as PEM
+    // import as TTLV JSON
     import(
         &ctx.owner_cli_conf_path,
         "certificates",
-        "test_data/certificates/ca.crt",
-        CertificateInputFormat::PEM,
+        "test_data/certificates/exported_certificate_ttlv.json",
+        CertificateInputFormat::TTLV,
+        None,
         None,
-        Some(&["import_cert"]),
         false,
         false,
     )?;

crate/cli/test_data/certificates/exported_certificate_ttlv.json

@@ -10,7 +10,7 @@
     {
       "tag": "CertificateValue",
       "type": "ByteString",
-      "value": "2D2D2D2D2D424547494E2043455254494649434154452D2D2D2D2D0A4D494942517A434239714144416745434168454132302B6E4F6B6B4D5153433156646257702F5A546954414642674D725A584177455445504D413047413155450A4177774755335669513045784D4234584454497A4D446B774E4445774E4451774D466F584454497A4D5449774E4445344D5451774D466F77464445534D4241470A413155454177774A54586B6763325679646D56794D436F77425159444B325677417945414C766E474C3930656C48393958434C6930464A574C684F4F4D4936630A426978733269656259452F53334B436A594442654D4230474131556444675157424253304F706E557146696E6A79506F67507776796652516B41435A4F5441660A42674E5648534D4547444157674251594A4E496E4D5264444855712F324431694276306342626554507A414D42674E5648524D4241663845416A41414D4134470A41315564447745422F775145417749443644414642674D725A584144515143354D4E4830546530666666752F6B3179646B654B367759456E62664C597434376D0A634D6F6C3354615031415132534B7641304E7838345A654A72622B674C4177492B59315169456C4D637A4B465759535A4234734F0A2D2D2D2D2D454E442043455254494649434154452D2D2D2D2D0A"
+      "value": "3082033030820218020900C03CBFDC0BD87789300D06092A864886F70D01010B0500305A310B3009060355040613024652310C300A06035504080C03496446310E300C06035504070C0550617269733111300F060355040A0C0841636D6554657374311A301806035504030C1141636D65205465737420526F6F74204341301E170D3233303531393135323934355A170D3333303531363135323934355A305A310B3009060355040613024652310C300A06035504080C03496446310E300C06035504070C0550617269733111300F060355040A0C0841636D6554657374311A301806035504030C1141636D65205465737420526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100D61FF874D90172D96968F8DEA453A9D2ACD29886EAC934A18ED1172136FFE284EA702B14FA3BD2900782BCE489A6CF2FC8063F1C8BC13C52F92A3B72B44A343786B1A1DC7A3C49CA1EB24AAFF809F5AE3BB64120553B9B40E2E104966C9C8C0CF2DEBDA167FA804BDB1FBC66CDA82052F9918771FDE318D74E4894D51B808A06A10330C3E985EC2B0067C60F955AD74D64FD4667ABA76D9DC17F681B36391698BF2A3303665C19E2C20A9CADD174A49FD236E89E7541F3AACDC8453ECE094D1C886761A39CBBF809F5F27396E1C9CF431280C07670E87A3BCC9ED6C38037F53E5E006FE2D952D48D9B57D765061A5F8C2CA30CCE394DD2ED88EB6856623239190203010001300D06092A864886F70D01010B05000382010100C48C6AC67FD80062816E065637B64B17D8821299A8718CF04E7D3998C761E72C3030F27DD3C955754BFE25F3D750D15C6ABFFC887FD63B27A1C345B8F9C78BA886196866C49180C3BA37BF20D918B0EAD6051C1AEAB3C98798C43580AA10E7909F7F7F122E9349CC74FE6EFCF947C761945C3BABF68973773CC7B36FBF346D4D4286BB88BB45FA5388870F58BD192F6ED6B8541C269C7F4D77D62DE860E981CDB6D5E99579164C048C80898BF6B53E731AB97997FF48DA5FC8BB6357574CDB58BE6922ECA9CD644E7442177B66032665D186A9F6027ECF6295235922EF045285D9118182E12D608EAA21E5879B08B3BCA894D10E947625058B90796FC7FCDD57"
     }
   ]
 }

crate/client/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_client"
-version = "4.9.0"
+version = "4.9.1"
 authors = ["Bruno Grieder <[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"

crate/kmip/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kmip"
-version = "4.9.0"
+version = "4.9.1"
 edition = "2021"
 license-file = "../../LICENSE.md"
 

crate/logger/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_logger"
-version = "4.9.0"
+version = "4.9.1"
 authors = ["Emmanuel Coste <[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"

crate/pyo3/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_python"
-version = "4.9.0"
+version = "4.9.1"
 authors = ["Hugo Rosenkranz-Costa <[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"

crate/server/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_server"
-version = "4.9.0"
+version = "4.9.1"
 authors = ["Bruno Grieder <[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"