chore: merge with release 4.8.2

Cosmian · Oct 31, 2023 · e48ab02 · e48ab02
2 parents ba947bc + 429590e
commit e48ab02
Show file tree

Hide file tree

Showing 34 changed files with 136 additions and 94 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.8.2] - 2023-10-31
+
+### Bug Fixes
+
+- Save certs as DER instead of PEM for KMIP compliance
+
 ## [4.8.1] - 2023-10-12
 
 ### Bug Fixes

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crate/cli/Cargo.toml b/crate/cli/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_cli"
-version = "4.8.1"
+version = "4.8.2"
 edition = "2021"
 license-file = "../../LICENSE.md"
 description = "CLI used to manage the Cosmian KMS."
@@ -23,6 +23,7 @@ cosmian_kms_utils = { path = "../utils" }
 cosmian_logger = { path = "../logger" }
 hex = { workspace = true }
 openssl = { workspace = true }
+pem = "3.0"
 rand = "0.8"
 ratls = { workspace = true }
 reqwest = { workspace = true }

diff --git a/crate/cli/src/actions/certificates/export_certificate.rs b/crate/cli/src/actions/certificates/export_certificate.rs
@@ -106,6 +106,7 @@ impl ExportCertificateAction {
         )
         .await?;
 
+        // DER-encoded certificate bytes
         let certificate_bytes = match &object {
             Object::Certificate {
                 certificate_value, ..
@@ -127,8 +128,10 @@ impl ExportCertificateAction {
                 write_kmip_object_to_file(&object, &self.certificate_file)?;
             }
             CertificateExportFormat::PEM => {
+                // convert DER certificate to PEM certificate
+                let pem = pem::Pem::new("CERTIFICATE", certificate_bytes).to_string();
                 // save it to a file
-                write_bytes_to_file(&certificate_bytes, &self.certificate_file)?;
+                write_bytes_to_file(pem.as_bytes(), &self.certificate_file)?;
             }
             CertificateExportFormat::PKCS12 => {
                 let password = self.pkcs12_password.clone().ok_or(CliError::Cryptographic(
@@ -216,10 +219,10 @@ async fn create_pkcs12(
 
     // Create PKCS12 using Rust-OpenSSL
     let pkey = PKey::private_key_from_pem(private_key_as_pem.as_bytes())?;
-    let cert = X509::from_pem(certificate_bytes)?;
+    let cert = X509::from_der(certificate_bytes)?;
     let mut cas = Stack::<X509>::new()?;
     for ca_issuer_name in cert.issuer_name().entries() {
-        let pem = locate_ca_cert(
+        let der = locate_ca_cert(
             client_connector,
             ca_issuer_name.data().as_utf8()?.as_ref(),
             &Attributes {
@@ -228,7 +231,7 @@ async fn create_pkcs12(
             },
         )
         .await?;
-        let cert = X509::from_pem(&pem)?;
+        let cert = X509::from_der(&der)?;
         cas.push(cert)?;
     }
 

diff --git a/crate/cli/src/actions/certificates/import_certificate.rs b/crate/cli/src/actions/certificates/import_certificate.rs
@@ -30,13 +30,6 @@ pub enum CertificateInputFormat {
 /// - a certificate chain as a PEM-stack
 /// - the Mozilla Common CA Database (CCADB). Automate the Mozilla database fetch.
 ///
-/// The certificate can be in:
-/// - KMIP JSON TTLV format
-/// - PEM format
-///
-///
-/// The private/public keys format is PEM format.
-///
 /// When no certificate unique id is specified, a random UUID v4 is generated.
 ///
 /// Tags can later be used to retrieve the certificate. Tags are optional.

diff --git a/crate/cli/src/actions/certificates/locate.rs b/crate/cli/src/actions/certificates/locate.rs
@@ -84,8 +84,7 @@ pub(crate) async fn locate_ca_cert(
         } => certificate_value,
         _ => {
             cli_bail!(
-                "The object {} is not a certificate but a {}",
-                &cert_uid,
+                "The object {cert_uid} is not a certificate but a {}",
                 get_response.object.object_type()
             );
         }

diff --git a/crate/cli/src/tests/certificates/certify.rs b/crate/cli/src/tests/certificates/certify.rs
@@ -217,7 +217,7 @@ pub async fn test_certify() -> Result<(), CliError> {
         assert_eq!(ids.len(), 3 * (hierarchical_depth + 2));
 
         // Export certificate as PKCS12
-        debug!("\n\n\ntest_certify: export");
+        debug!("\n\n\ntest_certify: export PKCS12");
         let export_filename = tmp_path.join("output.p12").to_str().unwrap().to_owned();
         export(
             &ctx.owner_cli_conf_path,
@@ -229,10 +229,12 @@ pub async fn test_certify() -> Result<(), CliError> {
             None,
             false,
         )?;
+
         // Read the bytes of the file and check them with openssl
         let certificate_bytes = get_file_as_byte_vec(&export_filename);
         check_certificate(&certificate_bytes, "secret");
 
+        debug!("\n\n\ntest_certify: export PEM");
         // Export certificate as PEM only
         let export_filename = tmp_path.join("cert.pem").to_str().unwrap().to_owned();
         export(
@@ -249,6 +251,7 @@ pub async fn test_certify() -> Result<(), CliError> {
         let certificate_str = std::str::from_utf8(&certificate_bytes).unwrap();
         println!("Certificate PEM: {certificate_str}");
 
+        debug!("\n\n\ntest_certify: export RAW KMIP TTLV");
         // Export certificate as RAW KMIP TTLV
         let export_filename = tmp_path.join("ttlv.json").to_str().unwrap().to_owned();
         export(

diff --git a/crate/client/Cargo.toml b/crate/client/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_client"
-version = "4.8.1"
+version = "4.8.2"
 authors = ["Bruno Grieder <[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"

diff --git a/crate/kmip/Cargo.toml b/crate/kmip/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kmip"
-version = "4.8.1"
+version = "4.8.2"
 edition = "2021"
 license-file = "../../LICENSE.md"
 

diff --git a/crate/kmip/src/kmip/kmip_objects.rs b/crate/kmip/src/kmip/kmip_objects.rs
@@ -39,7 +39,8 @@ pub enum Object {
     #[serde(rename_all = "PascalCase")]
     Certificate {
         certificate_type: CertificateType,
-        /// A Managed Cryptographic Object that is a digital certificate. It is a DER-encoded X.509 public key certificate.
+        /// A Managed Cryptographic Object that is a digital certificate.
+        /// It is a DER-encoded X.509 public key certificate.
         certificate_value: Vec<u8>,
     },
     #[serde(rename_all = "PascalCase")]

diff --git a/crate/logger/Cargo.toml b/crate/logger/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_logger"
-version = "4.8.1"
+version = "4.8.2"
 authors = ["Emmanuel Coste <[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"

diff --git a/crate/pyo3/Cargo.toml b/crate/pyo3/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_python"
-version = "4.8.1"
+version = "4.8.2"
 authors = ["Hugo Rosenkranz-Costa <[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"
@@ -14,16 +14,18 @@ cloudproof = { workspace = true }
 cosmian_kmip = { path = "../kmip" }
 cosmian_kms_client = { path = "../client" }
 cosmian_kms_utils = { path = "../utils" }
-pyo3 = { version = "0.18", features = [
+openssl = { workspace = true }
+pyo3 = { version = "0.19", features = [
     "extension-module",
     "abi3",
     "abi3-py37",
     "generate-import-lib",
 ] }
-pyo3-asyncio = { version = "0.18", features = ["tokio-runtime"] }
+pyo3-asyncio = { version = "0.19", features = ["tokio-runtime"] }
+rustls = { workspace = true }
 serde_json = { workspace = true }
 
 # Added with build.rs to fix build issues on MacOS
 # see https://github.com/PyO3/pyo3/issues/1857
 [build-dependencies]
-pyo3-build-config = "0.18"
+pyo3-build-config = "0.19"