diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d301d6678..3f599bbcd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -56,6 +56,7 @@ jobs: - cargo-doc - cargo-tests - python_and_docker + # - sgx_docker # do not depend on this for releases runs-on: [self-hosted, not-sgx] strategy: fail-fast: false diff --git a/.github/workflows/docker_kms_sgx.yml b/.github/workflows/docker_kms_sgx.yml index 2c57fb1f7..5c5fdaaa5 100644 --- a/.github/workflows/docker_kms_sgx.yml +++ b/.github/workflows/docker_kms_sgx.yml @@ -17,7 +17,6 @@ jobs: container: docker:19.03.15 steps: - - uses: actions/checkout@v1 - name: Login to GitHub Packages @@ -59,9 +58,9 @@ jobs: image-tag: ${{ steps.meta.outputs.version }} tests: - needs: - - build-and-push-image - uses: ./.github/workflows/docker_kms_sgx_tests.yml - secrets: inherit - with: - kms-version: ${{ needs.build-and-push-image.outputs.image-tag }} \ No newline at end of file + needs: + - build-and-push-image + uses: ./.github/workflows/docker_kms_sgx_tests.yml + secrets: inherit + with: + kms-version: ${{ needs.build-and-push-image.outputs.image-tag }} diff --git a/.github/workflows/docker_kms_sgx_tests.yml b/.github/workflows/docker_kms_sgx_tests.yml index 852ccf6e4..04a5d7fa0 100644 --- a/.github/workflows/docker_kms_sgx_tests.yml +++ b/.github/workflows/docker_kms_sgx_tests.yml @@ -6,7 +6,7 @@ env: KMS_USE_CERTBOT: true KMS_CERTBOT_HOSTNAME: kms.sgx.ci.cosmian.dev KMS_CERTBOT_EMAIL: tech@cosmian.com - KMS_CERTBOT_USE_TEE_KEY: abcdef0123456789 + KMS_CERTBOT_USE_TEE_KEY: abcdef0123456789 on: workflow_call: @@ -16,9 +16,11 @@ on: type: string jobs: - run_and_test: + concurrency: + group: sgx_concurrency_group + services: kms: image: ghcr.io/cosmian/enclave-kms-insecure:${{ inputs.kms-version }} 
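Review bot: Removing `run_and_test:` while adding `concurrency:` / `group: sgx_concurrency_group` leaves no job id under `jobs:` in this reusable workflow; as far as indentation can be read here, `concurrency` becomes the job id with `group` (not a job key) and `services:` as its fields, which GitHub rejects at workflow validation. If the intent is to serialise the SGX runs, keep the job and nest the block inside it: `run_and_test:` / `  concurrency:` / `    group: sgx_concurrency_group`. The `services:` mapping that follows then stays a child of the job as before.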
@@ -40,7 +42,7 @@ jobs: -p 80:80 \ -p 9998:9998 \ -d --rm --name enclave-kms-insecure ghcr.io/cosmian/enclave-kms-insecure:${{ inputs.kms-version }} - + - name: Install Rust toolchain uses: actions-rs/toolchain@v1 @@ -51,10 +53,10 @@ jobs: run: | KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms bootstrap-start --sqlite-path private_data/ --database-type sqlite sleep 20 - + - name: Verify run: KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms verify - + - name: Symmetric key create run: KMS_CLI_CONF=ci/sgx/kms-test-ci.json ckms sym keys create diff --git a/.github/workflows/python_and_docker.yml b/.github/workflows/python_and_docker.yml index f232e7c47..c2322396a 100644 --- a/.github/workflows/python_and_docker.yml +++ b/.github/workflows/python_and_docker.yml @@ -69,17 +69,14 @@ jobs: kms-version: ${{ needs.build-and-push-image.outputs.image-tag }} branch: develop - cloudproof_js: + cloudproof_kms_js: needs: - build-and-push-image - pyo3 - uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_js.yml@develop + uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_kms_js.yml@develop with: - branch: develop - target: wasm32-unknown-unknown + branch: test/kms_4_9 kms-version: ${{ needs.build-and-push-image.outputs.image-tag }} - findex-cloud-version: 0.3.1 - copy_fresh_build: false cloudproof_java: needs: diff --git a/CHANGELOG.md b/CHANGELOG.md index 60371ca00..1c47d6975 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file. +## [4.9.1] - 2023-11-14 + +### Bug Fixes + +- KMIP server operations only support DER format for certificates (#89) + ## [4.9.0] - 2023-11-10 ### Bug Fixes diff --git a/Cargo.lock b/Cargo.lock index f99941f6a..8aaf224a5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1118,7 +1118,7 @@ dependencies = [ [[package]] name = "cosmian_kmip" -version = "4.9.0" +version = "4.9.1" dependencies = [ "bitflags 2.3.2", "chrono", 
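Review bot: `branch: test/kms_4_9` ties the `cloudproof_kms_js` check to a temporary test branch inside a commit that otherwise releases 4.9.1, while the neighbouring job in the same hunk passes `branch: develop`, so this reads as a leftover. Restore `branch: develop`, or annotate it `branch: test/kms_4_9  # TODO: back to develop once cloudproof_kms_js lands` so the pin does not silently survive the release. The reusable workflow is fetched from the mutable `cloudproof_kms_js.yml@develop` ref; for release CI a tag or commit SHA would make the job reproducible and harder to alter from outside this repository.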
@@ -1136,7 +1136,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_cli"
-version = "4.9.0"
+version = "4.9.1"
dependencies = [
"actix-rt",
"actix-server",
@@ -1173,7 +1173,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_client"
-version = "4.9.0"
+version = "4.9.1"
dependencies = [
"base64 0.21.4",
"cosmian_kmip",
@@ -1196,7 +1196,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_python"
-version = "4.9.0"
+version = "4.9.1"
dependencies = [
"cloudproof",
"cosmian_kmip",
@@ -1212,7 +1212,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_server"
-version = "4.9.0"
+version = "4.9.1"
dependencies = [
"acme-lib",
"actix-cors",
@@ -1265,7 +1265,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_utils"
-version = "4.9.0"
+version = "4.9.1"
dependencies = [
"argon2",
"cloudproof",
@@ -1280,7 +1280,7 @@ dependencies = [
[[package]]
name = "cosmian_logger"
-version = "4.9.0"
+version = "4.9.1"
dependencies = [
"tracing",
"tracing-subscriber",
diff --git a/crate/cli/Cargo.toml b/crate/cli/Cargo.toml
index 49b84145c..0cd4e41a3 100644
--- a/crate/cli/Cargo.toml
+++ b/crate/cli/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_cli"
-version = "4.9.0"
+version = "4.9.1"
edition = "2021"
license-file = "../../LICENSE.md"
description = "CLI used to manage the Cosmian KMS."
diff --git a/crate/cli/src/actions/certificates/import_certificate.rs b/crate/cli/src/actions/certificates/import_certificate.rs
index 05708d221..c1df0409f 100644
--- a/crate/cli/src/actions/certificates/import_certificate.rs
+++ b/crate/cli/src/actions/certificates/import_certificate.rs
@@ -5,7 +5,7 @@ use cosmian_kmip::kmip::{kmip_objects::Object, kmip_types::CertificateType};
use cosmian_kms_client::KmsRestClient;
use openssl::x509::X509;
use tracing::{debug, trace};
-use x509_parser::nom::AsBytes;
+use x509_parser::{nom::AsBytes, pem::parse_x509_pem};
use crate::{
actions::shared::utils::{import_object, read_bytes_from_file, read_key_from_file},
@@ -93,10 +93,10 @@ impl ImportCertificateAction {
CertificateInputFormat::PEM => {
debug!("CLI: import certificate as PEM file");
let pem_value = read_bytes_from_file(&self.get_certificate_file()?)?;
-
+ let (_, pem) = parse_x509_pem(&pem_value)?;
let object = Object::Certificate {
certificate_type: CertificateType::X509,
- certificate_value: pem_value,
+ certificate_value: pem.contents,
};
self.import(kms_rest_client, object, self.replace_existing)
.await?;
@@ -122,7 +122,7 @@ impl ImportCertificateAction {
"X509 certificate not found in PKCS12".to_string(),
)
})?
- .to_pem()?,
+ .to_der()?,
};
self.import(kms_rest_client, object, self.replace_existing)
.await?;
@@ -134,7 +134,7 @@ impl ImportCertificateAction {
.ok_or_else(|| {
CliError::InvalidRequest("Private key not found in PKCS12".to_string())
})?
- .private_key_to_pem_pkcs8()?,
+ .private_key_to_der()?,
};
self.import(kms_rest_client, object, self.replace_existing)
.await?;
@@ -146,7 +146,7 @@ impl ImportCertificateAction {
for x509 in chain {
let object = Object::Certificate {
certificate_type: CertificateType::X509,
- certificate_value: x509.to_pem()?,
+ certificate_value: x509.to_der()?,
};
self.import(kms_rest_client, object, self.replace_existing)
.await?;
@@ -160,7 +160,7 @@ impl ImportCertificateAction {
for cert in stack {
let object = Object::Certificate {
certificate_type: CertificateType::X509,
- certificate_value: cert.to_pem()?,
+ certificate_value: cert.to_der()?,
};
self.import(kms_rest_client, object, self.replace_existing)
.await?;
@@ -187,7 +187,7 @@ impl ImportCertificateAction {
for cert in stack {
let object = Object::Certificate {
certificate_type: CertificateType::X509,
- certificate_value: cert.to_pem()?,
+ certificate_value: cert.to_der()?,
};
self.import(kms_rest_client, object, true).await?;
}
diff --git a/crate/cli/src/tests/certificates/import.rs b/crate/cli/src/tests/certificates/import.rs
index 9cf1d9296..eb5a18f21 100644
--- a/crate/cli/src/tests/certificates/import.rs
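Review bot: `let (_, pem) = parse_x509_pem(&pem_value)?;` takes the first PEM block in the file regardless of its label, so a file holding a private key, or a bundle with several CERTIFICATE blocks, is accepted: the first block is uploaded as `Object::Certificate` and the remaining blocks are dropped without any message. Check the label before building the object, `if pem.label != "CERTIFICATE" { return Err(CliError::InvalidRequest(format!("expected a CERTIFICATE PEM block, found {}", pem.label))); }`, and either reject or loop while the remainder discarded as `_` is non-empty. The enclosing `match` on the input format and the method continue outside the hunk.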
+++ b/crate/cli/src/tests/certificates/import.rs
@@ -77,26 +77,26 @@ pub async fn test_certificate_import_different_format() -> Result<(), CliError>
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
- // import as TTLV JSON
+ // import as PEM
import(
&ctx.owner_cli_conf_path,
"certificates",
- "test_data/certificates/exported_certificate_ttlv.json",
- CertificateInputFormat::TTLV,
- None,
+ "test_data/certificates/ca.crt",
+ CertificateInputFormat::PEM,
None,
+ Some(&["import_cert"]),
false,
false,
)?;
- // import as PEM
+ // import as TTLV JSON
import(
&ctx.owner_cli_conf_path,
"certificates",
- "test_data/certificates/ca.crt",
- CertificateInputFormat::PEM,
+ "test_data/certificates/exported_certificate_ttlv.json",
+ CertificateInputFormat::TTLV,
+ None,
None,
- Some(&["import_cert"]),
false,
false,
)?;
diff --git a/crate/cli/test_data/certificates/exported_certificate_ttlv.json b/crate/cli/test_data/certificates/exported_certificate_ttlv.json
index a10076590..ac4d63719 100644
--- a/crate/cli/test_data/certificates/exported_certificate_ttlv.json
+++ b/crate/cli/test_data/certificates/exported_certificate_ttlv.json
@@ -10,7 +10,7 @@
{
"tag": "CertificateValue",
"type": "ByteString",
- "value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value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} ] }
diff --git a/crate/client/Cargo.toml b/crate/client/Cargo.toml
index 94c1d0218..01434e65e 100644
--- a/crate/client/Cargo.toml
+++ b/crate/client/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_client"
-version = "4.9.0"
+version = "4.9.1"
authors = ["Bruno Grieder "]
edition = "2021"
license-file = "../../LICENSE.md"
diff --git a/crate/kmip/Cargo.toml b/crate/kmip/Cargo.toml
index fb229af01..91670cc11 100644
--- a/crate/kmip/Cargo.toml
+++ b/crate/kmip/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "cosmian_kmip"
-version = "4.9.0"
+version = "4.9.1"
edition = "2021"
license-file = "../../LICENSE.md"
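Review bot: The swap of the PEM and TTLV imports is not explained, and the test still only checks that each `import(` returns Ok; nothing pins that the value stored for the PEM input is DER, which is the behaviour this release changes (CHANGELOG: KMIP server operations only support DER format for certificates). Add a one-line comment above the first `import(` stating why the order matters if it does, and consider exporting the imported object afterwards and asserting that its bytes parse as a DER certificate rather than as PEM. `test_certificate_import_different_format` continues outside the hunk.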
diff --git a/crate/logger/Cargo.toml b/crate/logger/Cargo.toml
index e8a8f3566..14568c4e5 100644
--- a/crate/logger/Cargo.toml
+++ b/crate/logger/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "cosmian_logger"
-version = "4.9.0"
+version = "4.9.1"
authors = ["Emmanuel Coste "]
edition = "2021"
license-file = "../../LICENSE.md"
diff --git a/crate/pyo3/Cargo.toml b/crate/pyo3/Cargo.toml
index 0469d5c79..97fa5cf88 100644
--- a/crate/pyo3/Cargo.toml
+++ b/crate/pyo3/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_python"
-version = "4.9.0"
+version = "4.9.1"
authors = ["Hugo Rosenkranz-Costa "]
edition = "2021"
license-file = "../../LICENSE.md"
diff --git a/crate/server/Cargo.toml b/crate/server/Cargo.toml
index 99b203487..d2c5d54ae 100644
--- a/crate/server/Cargo.toml
+++ b/crate/server/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_server"
-version = "4.9.0"
+version = "4.9.1"
authors = ["Bruno Grieder "]
edition = "2021"
license-file = "../../LICENSE.md"
diff --git a/crate/server/src/core/operations/import.rs b/crate/server/src/core/operations/import.rs
index 0b0e802fd..024097e38 100644
--- a/crate/server/src/core/operations/import.rs
+++ b/crate/server/src/core/operations/import.rs
@@ -23,7 +23,7 @@ use openssl::{
sha::Sha1,
};
use tracing::{debug, trace, warn};
-use x509_parser::{parse_x509_certificate, prelude::parse_x509_pem};
+use x509_parser::parse_x509_certificate;
use super::wrapping::unwrap_key;
use crate::{
@@ -46,8 +46,7 @@ fn parse_certificate_and_create_tags(
debug!("Import with _cert system tag");
tags.insert("_cert".to_string());
- let (_, pem) = parse_x509_pem(certificate_value)?;
- let (_, x509) = parse_x509_certificate(&pem.contents)?;
+ let (_, x509) = parse_x509_certificate(certificate_value)?;
if !x509.validity().is_valid() {
warn!(
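Review bot: `let (_, x509) = parse_x509_certificate(certificate_value)?;` discards the remainder slice, so any bytes after the DER certificate are accepted and the caller goes on to store the whole buffer, trailer included, as the certificate value. Bind it and refuse trailing data: `let (rem, x509) = parse_x509_certificate(certificate_value)?;` followed by `if !rem.is_empty() { kms_bail!("unexpected trailing bytes after the X509 certificate"); }`. The `is_ok()` sniff in `import_der` further down this file has the same blind spot. `parse_certificate_and_create_tags` starts outside the hunk.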
@@ -201,7 +200,7 @@ async fn create_certificate_link(
) -> Option> {
match locate_certificate_by_spki(spki, kms, owner, params).await {
Ok(certificate_id) => {
- debug!("import_pem: add Link with certificate_id: {certificate_id:?}");
+ debug!("import_der: add Link with certificate_id: {certificate_id:?}");
let link = Link {
link_type: LinkType::CertificateLink,
linked_object_identifier: LinkedObjectIdentifier::TextString(certificate_id),
@@ -216,22 +215,21 @@ async fn create_certificate_link(
}
}
-/// The function `import_pem` takes in a PEM value, parses it, and creates an object
-/// based on the type of PEM (certificate or private key).
+/// The function `import_der` takes in a DER value, parses it, and creates an object
+/// based on the type of DER (certificate or private key).
///
/// Arguments:
///
/// * `tags`: A mutable `HashSet` of strings used to store tags associated with the
/// imported object.
-/// * `pem_value`: The `pem_value` parameter is a byte slice that contains the
-/// PEM-encoded data. PEM stands for Privacy-Enhanced Mail and is a format for
-/// storing and transmitting cryptographic keys, certificates, and other data.
+/// * `der_value`: The `der_value` parameter is a byte slice that contains the
+/// DER-encoded data.
/// * `kms`: The `kms` parameter is of type `KMS`, which is likely an abbreviation
/// for Key Management Service. It is used for cryptographic operations such as
/// creating certificate links and retrieving private key objects. The specific
/// implementation and functionality of the `KMS` type would depend on the context
/// and the code
-/// * `owner`: The `owner` parameter in the `import_pem` function is a string that
+/// * `owner`: The `owner` parameter in the `import_der` function is a string that
/// represents the owner of the imported object. It is used in the
/// `create_certificate_link` function to associate the imported object with the
/// owner.
@@ -241,31 +239,32 @@ async fn create_certificate_link(
///
/// Returns:
///
-/// The imported PEM certificate as a KMIP `Object`
-async fn import_pem(
+/// The imported DER certificate as a KMIP `Object`
+async fn import_der(
tags: &mut HashSet,
- pem_value: &[u8],
+ der_value: &[u8],
kms: &KMS,
owner: &str,
params: Option<&ExtraDatabaseParams>,
) -> KResult {
- let (_, pem) = parse_x509_pem(pem_value)?;
+ let der_is_a_cert = parse_x509_certificate(der_value).is_ok();
+
+ let object = if der_is_a_cert {
+ debug!("import_der: parsing certificate");
+ parse_certificate_and_create_tags(tags, der_value)?;
- let object = if pem.label == "CERTIFICATE" {
- debug!("import_pem: parsing certificate: {}", pem.label);
- parse_certificate_and_create_tags(tags, pem_value)?;
Object::Certificate {
certificate_type: CertificateType::X509,
- certificate_value: pem.contents,
+ certificate_value: der_value.into(),
}
- } else if pem.label.contains("PRIVATE KEY") {
- debug!("import_pem: parsing private key: {}", pem.label);
- let pkey = PKey::private_key_from_pem(pem_value)?;
+ } else {
+ debug!("import_der: parsing private key");
+ let pkey = PKey::private_key_from_der(der_value)?;
match pkey.id() {
Id::EC => {
- debug!("import_pem: parsing private key with PKey: {:?}", pkey);
- let private_key = EcKey::private_key_from_der(&pem.contents)?;
- debug!("import_pem: convert private key to EcKey");
+ debug!("import_der: parsing private key with PKey: {:?}", pkey);
+ let private_key = EcKey::private_key_from_der(der_value)?;
+ debug!("import_der: convert private key to EcKey");
// Create tag from public key sha1 digest
let spki = create_ec_spki_tag(tags, &private_key)?;
@@ -285,7 +284,7 @@ async fn import_pem(
};
let private_key_bytes = private_key.private_key().to_vec();
debug!(
- "import_pem: private_key_bytes len: {}",
+ "import_der: private_key_bytes len: {}",
private_key_bytes.len()
);
get_ec_private_key_object(private_key_bytes, recommended_curve, links)
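Review bot: The `else` branch accepts anything that is not a parseable X509 certificate as a private key, so malformed input fails inside `PKey::private_key_from_der` with an openssl error that never mentions the certificate attempt; the explicit `Unsupported PEM format` bail removed in the @@ -309 hunk below has no replacement. Because the caller in the @@ -368 hunk inserts the `_cert` tag before calling `import_der`, the tag set handed on for a private key that reaches this branch still contains `_cert` — that predates the change, but the looser detection makes it easier to hit. Keep the certificate error and name both attempts, e.g. `let pkey = PKey::private_key_from_der(der_value).map_err(|e| KmsError::InvalidRequest(format!("DER value is neither an X509 certificate nor a private key: {e}")))?;`. The body of `import_der` continues past the hunk.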
@@ -309,8 +308,6 @@ async fn import_pem(
}
_ => kms_bail!("Private key id not supported: {:?}", pkey.id()),
}
- } else {
- kms_bail!("Unsupported PEM format: found {}", pem.label);
};
Ok(object)
@@ -368,7 +365,7 @@ pub async fn import(
ObjectType::Certificate => {
debug!("Import with _cert system tag");
tags.insert("_cert".to_string());
- let certificate_pem_bytes = match &request.object {
+ let certificate_der_bytes = match &request.object {
Object::Certificate { certificate_value, .. } => Ok(certificate_value),
@@ -376,7 +373,7 @@ pub async fn import(
"Invalid object type {object_type:?} when importing a certificate"
))),
}?;
- import_pem(&mut tags, certificate_pem_bytes, kms, owner, params).await?
+ import_der(&mut tags, certificate_der_bytes, kms, owner, params).await?
}
x => {
return Err(KmsError::InvalidRequest(format!(
diff --git a/crate/utils/Cargo.toml b/crate/utils/Cargo.toml
index c75a33974..cf7586655 100644
--- a/crate/utils/Cargo.toml
+++ b/crate/utils/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_utils"
-version = "4.9.0"
+version = "4.9.1"
authors = ["Bruno Grieder "]
edition = "2021"
license-file = "../../LICENSE.md"
diff --git a/delivery/Dockerfile.standalone b/delivery/Dockerfile.standalone
index df259cb0e..3361a4b25 100644
--- a/delivery/Dockerfile.standalone
+++ b/delivery/Dockerfile.standalone
@@ -1,6 +1,6 @@
FROM ubuntu:22.04 as builder
-LABEL version="4.9.0"
+LABEL version="4.9.1"
LABEL name="Cosmian KMS docker container"
ENV DEBIAN_FRONTEND=noninteractive
diff --git a/documentation/docs/authentication.md b/documentation/docs/authentication.md
index 8db23c6a0..5c333ac63 100644
--- a/documentation/docs/authentication.md
+++ b/documentation/docs/authentication.md
@@ -26,7 +26,7 @@ The server must be started using TLS, and the certificate used to verify the cli
!!! info "Example client TLS authentication."
```sh
- docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.0 \
+ docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.1 \
--https-p12-file kms.server.p12 --https-p12-password password \
--authority-cert-file verifier.cert.pem
```
@@ -65,7 +65,7 @@ The KMS server JWT authentication is configured using three command line options
Below is an example of a JWT configuration for the KMS server using Google as the authorization server.
```sh
-docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.0 \
+docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.1 \
--jwt-issuer-uri=https://accounts.google.com \
--jwks-uri=https://www.googleapis.com/oauth2/v3/certs \
--jwt-audience=cosmian_kms
diff --git a/documentation/docs/bootstrap.md b/documentation/docs/bootstrap.md
index 5a3a66033..07e17ca76 100644
--- a/documentation/docs/bootstrap.md
+++ b/documentation/docs/bootstrap.md
@@ -11,7 +11,7 @@ When [running in a zero-trust environment](./zero_trust.md) inside a confidentia
To start the KMS server in bootstrap mode, use the `--use-bootstrap-server` option:
```sh
-docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.0 \
+docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.1 \
--use-bootstrap-server
```
diff --git a/documentation/docs/cli/cli.md b/documentation/docs/cli/cli.md
index a337edecd..294c6a750 100644
--- a/documentation/docs/cli/cli.md
+++ b/documentation/docs/cli/cli.md
@@ -1,7 +1,7 @@
The `ckms` binary is a command line interface (CLI) used to manage cryptographic objects inside the KMS.
!!! info "Download ckms"
- Please download the latest version of the CLI for your Operating System from the [Cosmian public packages repository](https://package.cosmian.com/kms/4.9.0/)
+ Please download the latest version of the CLI for your Operating System from the [Cosmian public packages repository](https://package.cosmian.com/kms/4.9.1/)
The CLI expects a configuration file to be located at `~/.cosmian/kms.json` where `~` is your home folder.
diff --git a/documentation/docs/high_availability_mode.md b/documentation/docs/high_availability_mode.md
index cb3da06a6..68c108b0e 100644
--- a/documentation/docs/high_availability_mode.md
+++ b/documentation/docs/high_availability_mode.md
@@ -53,7 +53,7 @@ e.g.
```sh
docker run --rm -p 9998:9998 \
- --name kms ghcr.io/cosmian/kms:4.9.0 \
+ --name kms ghcr.io/cosmian/kms:4.9.1 \
--database-type=postgresql \
--database-url=postgres://kms_user:kms_password@pgsql-server:5432/kms
@@ -68,7 +68,7 @@ Example:
```sh
docker run --rm -p 9998:9998 \
- --name kms ghcr.io/cosmian/kms:4.9.0 \
+ --name kms ghcr.io/cosmian/kms:4.9.1 \
--database-type=redis-findex \
--database-url=redis://localhost:6379 \
--redis-master-password password \
@@ -105,7 +105,7 @@ Say the certificate is called `cert.p12` and is in a directory called `/certific
```sh
docker run --rm -p 9998:9998 \
- --name kms ghcr.io/cosmian/kms:4.9.0 \
+ --name kms ghcr.io/cosmian/kms:4.9.1 \
-v /certificate/cert.p12:/root/cosmian-kms/cert.p12 \
--database-type=mysql \
--database-url=mysql://mysql_server:3306/kms \
diff --git a/documentation/docs/index.md b/documentation/docs/index.md
index 25e211157..e9660da2a 100644
--- a/documentation/docs/index.md
+++ b/documentation/docs/index.md
@@ -6,7 +6,7 @@ The Cosmian KMS is designed to [operate in **zero-trust** environments](./zero_t
To quick-start a Cosmian KMS server on `http://localhost:9998` that stores its data inside the container, simply run
```sh
- docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.0
+ docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.1
```
Check the Cosmian KMS server version
@@ -78,7 +78,7 @@ The KMS has an easy-to-use command line interface client built for many operatin
The KMS server is available as a Docker image on the [Cosmian public Docker repository](https://github.com/Cosmian/kms/pkgs/container/kms).
-Raw binaries for multiple operating systems are also available on the [Cosmian public packages repository](https://package.cosmian.com/kms/4.9.0/)
+Raw binaries for multiple operating systems are also available on the [Cosmian public packages repository](https://package.cosmian.com/kms/4.9.1/)
#### Integrated with Cloudproof libraries
@@ -91,7 +91,7 @@ The libraries are available in many languages, including Javascript, Java, Dart,
Just like the [`ckms` Command Line Interface](./cli/cli.md), the KMS server has a built-in help system that can be accessed using the `--help` command line option.
```sh
-docker run --rm ghcr.io/cosmian/kms:4.9.0 --help
+docker run --rm ghcr.io/cosmian/kms:4.9.1 --help
```
The options are enabled on the docker command line or using the environment variables listed in the options help.
diff --git a/documentation/docs/single_server_mode.md b/documentation/docs/single_server_mode.md
index 66d10cc6b..c21ddfc06 100644
--- a/documentation/docs/single_server_mode.md
+++ b/documentation/docs/single_server_mode.md
@@ -9,7 +9,7 @@ This configuration also supports user encrypted databases, a secure way to store
To run in single server mode, using the defaults, run the container as follows:
```sh
-docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.0
+docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.1
```
The KMS will be available on `http://localhost:9998`, and the server will store its data inside the container in the `/root/cosmian-kms/sqlite-data` directory.
@@ -21,7 +21,7 @@ To persist data between restarts, map the `/root/cosmian-kms/sqlite-data` path t
```sh
docker run --rm -p 9998:9998 \
-v cosmian-kms:/root/cosmian-kms/sqlite-data \
- --name kms ghcr.io/cosmian/kms:4.9.0
+ --name kms ghcr.io/cosmian/kms:4.9.1
```
### Using user encrypted databases
@@ -31,7 +31,7 @@ To start the KMS server with user encrypted SQLite databases, pass the `--databa
```sh
docker run --rm -p 9998:9998 \
-v cosmian-kms:/root/cosmian-kms/sqlite-data \
- --name kms ghcr.io/cosmian/kms:4.9.0 \
+ --name kms ghcr.io/cosmian/kms:4.9.1 \
--database-type=sqlite-enc
```
diff --git a/documentation/docs/tls.md b/documentation/docs/tls.md
index d3080672c..17e39d5a9 100644
--- a/documentation/docs/tls.md
+++ b/documentation/docs/tls.md
@@ -29,7 +29,7 @@ Say the certificate is called `server.mydomain.com.p12`, is protected by the pas
```sh
docker run --rm -p 443:9998 \
-v /certificate/server.mydomain.com.p12:/root/cosmian-kms/server.mydomain.com.p12 \
- --name kms ghcr.io/cosmian/kms:4.9.0 \
+ --name kms ghcr.io/cosmian/kms:4.9.1 \
--database-type=mysql \
--database-url=mysql://mysql_server:3306/kms \
--https-p12-file=server.mydomain.com.p12 \
@@ -67,7 +67,7 @@ Example:
docker run --rm -p 443:9998 \
-v cosmian-kms:/root/cosmian-kms/sqlite-data \
-v cosmian-kms-certs:/root/cosmian-kms/certbot-ssl \
- --name kms ghcr.io/cosmian/kms:4.9.0 \
+ --name kms ghcr.io/cosmian/kms:4.9.1 \
--database-type=sqlite-enc \
--use-certbot \
--certbot-server-name server.mydomain.com \
diff --git a/documentation/docs/zero_trust.md b/documentation/docs/zero_trust.md
index d20d98ae7..c516b5093 100644
--- a/documentation/docs/zero_trust.md
+++ b/documentation/docs/zero_trust.md
@@ -37,7 +37,7 @@ The KMS servers must be installed in confidential VMs and started in bootstrap m
- To start the database server in bootstrap mode, use the `-use-bootstrap-server` option (see [bootstrap](./bootstrap.md) from more details) on the docker started in the confidential VM :
```bash
-docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.0 --use-bootstrap-server
+docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.9.1 --use-bootstrap-server
```
- To use the TLS generation using LetsEncrypt inside the confidential VM add the arguments described in [tls](./tls.md#using-the-certificates-bot)