Merge branch 'release/4.15.0'

Cosmian · Apr 8, 2024 · f3a43a9 · f3a43a9
2 parents d40fdfd + ccaf768
commit f3a43a9
Show file tree

Hide file tree

Showing 73 changed files with 911 additions and 329 deletions.
diff --git a/.github/workflows/build_and_test_cosmian_vm.yml b/.github/workflows/build_and_test_cosmian_vm.yml
@@ -226,5 +226,12 @@ jobs:
           TAG=${{ github.ref_name }}
           VERSION=$(echo $TAG | sed 's/\./-/g; s/_/-/g; s/+/-/g')
           NEW_IMAGE_NAME=cosmian-vm-kms-$VERSION-sev-${{ inputs.distrib }}
+
+          if [ "${{ inputs.distrib }}" = "ubuntu" ]; then
+            LICENSE="${{ secrets.GCP_KMS_UBUNTU_LICENSE }}"
+          else
+            LICENSE=${{ secrets.GCP_KMS_RHEL_LICENSE }}
+          fi
+
           gcloud beta compute --project=$GCP_DEV_PROJECT images create $NEW_IMAGE_NAME --source-image=$IMAGE_NAME --source-image-project=$GCP_DEV_PROJECT
-          gcloud beta compute --project=$GCP_PUBLIC_PROJECT images create $NEW_IMAGE_NAME --source-image=$IMAGE_NAME --source-image-project=$GCP_DEV_PROJECT
+          gcloud beta compute --project=$GCP_PUBLIC_PROJECT images create $NEW_IMAGE_NAME --source-image=$IMAGE_NAME --source-image-project=$GCP_DEV_PROJECT --licenses=$LICENSE
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.15.0] - 2024-04-08
+
+### Bug Fixes
+
+- Add license to KMS GCP image ([#235](https://github.com/Cosmian/kms/pull/235))
+- Re-enable the validation of JWT Issuer URI
+- Fix CSE error status code, propagating the right status code instead of generic server code error
+
+### Features
+
+- Handle many identity providers in jwt authentification
+- New command line argument `--key-usage` to define key or certificate usage on import
+- Exhaustive verification that the key used to perform cryptographic operations is allowed to do them
+- KMIP object creation can now precisely define the usage of the key it describes
+
 ## [4.14.2] - 2024-04-05
 
 ### Ci

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 FROM ubuntu:22.04 as builder
 
-LABEL version="4.14.2"
+LABEL version="4.15.0"
 LABEL name="Cosmian KMS docker container"
 
 ARG FEATURES

diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ Keys can be wrapped and unwrapped using RSA, ECIES or RFC5649/AES KWP.
 
 ## Quick start
 
-Pre-built binaries [are available](https://package.cosmian.com/kms/4.14.2/)
+Pre-built binaries [are available](https://package.cosmian.com/kms/4.15.0/)
 for Linux, MacOS and Windows, as well as Docker images. Tu run the server binary, OpenSSL must be
 available in your path (see "building the KMS" below for details); other binaries do not have this
 requirement.
@@ -57,7 +57,7 @@ Using Docker, to quick-start a Cosmian KMS server on `http://localhost:9998` tha
 inside the container, simply run the following command:
 
 ```sh
-docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.14.2
+docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.15.0
 ```
 
 See the [documentation](https://docs.cosmian.com/cosmian_key_management_system/) for more.
@@ -304,6 +304,7 @@ This table shows the minimum version correspondence between the various componen
 | 1.1.0-rc2    | 4.13.5, 4.14.0 |
 | 1.1.0-rc3    | 4.14.1         |
 | 1.1.0-rc4    | 4.14.2         |
+| 1.1.0-rc4    | 4.15.0         |
 
 ## Releases
 

diff --git a/crate/cli/Cargo.toml b/crate/cli/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cosmian_kms_cli"
-version = "4.14.2"
+version = "4.15.0"
 edition = "2021"
 license-file = "../../LICENSE"
 description = "CLI used to manage the Cosmian KMS."

diff --git a/crate/cli/src/actions/certificates/import_certificate.rs b/crate/cli/src/actions/certificates/import_certificate.rs
@@ -16,7 +16,13 @@ use tracing::{debug, trace};
 use x509_cert::Certificate;
 use zeroize::Zeroizing;
 
-use crate::{actions::shared::import_key::build_private_key_from_der_bytes, error::CliError};
+use crate::{
+    actions::shared::{
+        import_key::build_private_key_from_der_bytes,
+        utils::{build_usage_mask_from_key_usage, KeyUsage},
+    },
+    error::CliError,
+};
 
 const MOZILLA_CCADB: &str =
     "https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites";
@@ -97,6 +103,10 @@ pub struct ImportCertificateAction {
     /// To specify multiple tags, use the option multiple times.
     #[clap(long = "tag", short = 't', value_name = "TAG")]
     tags: Vec<String>,
+
+    /// For what operations should the certificate be used.
+    #[clap(long = "key-usage")]
+    key_usage: Option<Vec<KeyUsage>>,
 }
 
 impl ImportCertificateAction {
@@ -242,12 +252,18 @@ impl ImportCertificateAction {
 
     /// Import the certificate, the chain and the associated private key
     async fn import_pkcs12(&self, kms_rest_client: &KmsClient) -> Result<String, CliError> {
+        let cryptographic_usage_mask = self
+            .key_usage
+            .as_deref()
+            .and_then(build_usage_mask_from_key_usage);
         let pkcs12_bytes = Zeroizing::from(read_bytes_from_file(&self.get_certificate_file()?)?);
 
         // Create a KMIP private key from the PKCS12 private key
         let private_key = build_private_key_from_der_bytes(KeyFormatType::PKCS12, pkcs12_bytes);
 
         let mut attributes = private_key.attributes().cloned().unwrap_or_default();
+        attributes.set_cryptographic_usage_mask(cryptographic_usage_mask);
+
         if let Some(password) = &self.pkcs12_password {
             attributes.add_link(
                 LinkType::PKCS12PasswordLink,

diff --git a/crate/cli/src/actions/login.rs b/crate/cli/src/actions/login.rs
@@ -255,7 +255,7 @@ impl LoginState {
                         .into_inner()
                         .send(auth_params.into_inner())
                         .unwrap();
-                    HttpResponse::Ok().body("Authentication Success! You can close this window.")
+                    HttpResponse::Ok().body("You can now close this window.")
                 }
 
                 HttpServer::new(move || {
@@ -278,7 +278,7 @@ pub struct OAuthResponse {
     pub access_token: String,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub id_token: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(skip)]
     pub expires_in: Option<u64>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub refresh_token: Option<String>,

diff --git a/crate/cli/src/actions/shared/import_key.rs b/crate/cli/src/actions/shared/import_key.rs
@@ -14,6 +14,7 @@ use cosmian_kms_client::{
 };
 use zeroize::Zeroizing;
 
+use super::utils::{build_usage_mask_from_key_usage, KeyUsage};
 use crate::error::CliError;
 
 #[derive(clap::ValueEnum, Debug, Clone)]
@@ -100,13 +101,21 @@ pub struct ImportKeyAction {
     /// To specify multiple tags, use the option multiple times.
     #[clap(long = "tag", short = 't', value_name = "TAG")]
     tags: Vec<String>,
+
+    /// For what operations should the key be used.
+    #[clap(long = "key-usage")]
+    key_usage: Option<Vec<KeyUsage>>,
 }
 
 impl ImportKeyAction {
     pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
+        let cryptographic_usage_mask = self
+            .key_usage
+            .as_deref()
+            .and_then(build_usage_mask_from_key_usage);
         // read the key file
         let bytes = Zeroizing::from(read_bytes_from_file(&self.key_file)?);
-        let object = match &self.key_format {
+        let mut object = match &self.key_format {
             ImportKeyFormat::JsonTtlv => read_object_from_json_ttlv_bytes(&bytes)?,
             ImportKeyFormat::Pem => read_key_from_pem(&bytes)?,
             ImportKeyFormat::Sec1 => {
@@ -127,27 +136,38 @@ impl ImportKeyAction {
                 build_symmetric_key_from_bytes(CryptographicAlgorithm::ChaCha20, bytes)
             }
         };
+        // Assign CryptographicUsageMask from command line arguments.
+        object
+            .attributes_mut()?
+            .set_cryptographic_usage_mask(cryptographic_usage_mask);
+
         let object_type = object.object_type();
 
-        //generate the import attributes if links are specified
-        let mut import_attributes = None;
+        // Generate the import attributes if links are specified.
+        let mut import_attributes = object
+            .attributes()
+            .unwrap_or(&Attributes {
+                cryptographic_usage_mask,
+                ..Default::default()
+            })
+            .clone();
+
         if let Some(issuer_certificate_id) = &self.certificate_id {
-            let attributes = import_attributes.get_or_insert(Attributes::default());
-            attributes.add_link(
+            //let attributes = import_attributes.get_or_insert(Attributes::default());
+            import_attributes.add_link(
                 LinkType::CertificateLink,
                 LinkedObjectIdentifier::TextString(issuer_certificate_id.clone()),
             );
         };
         if let Some(private_key_id) = &self.private_key_id {
-            let attributes = import_attributes.get_or_insert(Attributes::default());
-            attributes.add_link(
+            //let attributes = import_attributes.get_or_insert(Attributes::default());
+            import_attributes.add_link(
                 LinkType::PrivateKeyLink,
                 LinkedObjectIdentifier::TextString(private_key_id.clone()),
             );
         };
         if let Some(public_key_id) = &self.public_key_id {
-            let attributes = import_attributes.get_or_insert(Attributes::default());
-            attributes.add_link(
+            import_attributes.add_link(
                 LinkType::PublicKeyLink,
                 LinkedObjectIdentifier::TextString(public_key_id.clone()),
             );
@@ -158,7 +178,7 @@ impl ImportKeyAction {
             kms_rest_client,
             self.key_id.clone(),
             object,
-            import_attributes,
+            Some(import_attributes),
             self.unwrap,
             self.replace_existing,
             &self.tags,
@@ -217,7 +237,7 @@ pub(crate) fn build_private_key_from_der_bytes(
             key_compression_type: None,
             key_value: KeyValue {
                 key_material: KeyMaterial::ByteString(bytes),
-                attributes: None,
+                attributes: Some(Box::default()),
             },
             // According to the KMIP spec, the cryptographic algorithm is not required
             // as long as it can be recovered from the Key Format Type or the Key Value.
@@ -242,7 +262,7 @@ fn build_public_key_from_der_bytes(
             key_compression_type: None,
             key_value: KeyValue {
                 key_material: KeyMaterial::ByteString(bytes),
-                attributes: None,
+                attributes: Some(Box::default()),
             },
             // According to the KMIP spec, the cryptographic algorithm is not required
             // as long as it can be recovered from the Key Format Type or the Key Value.
@@ -266,7 +286,7 @@ fn build_symmetric_key_from_bytes(
             key_compression_type: None,
             key_value: KeyValue {
                 key_material: KeyMaterial::TransparentSymmetricKey { key: bytes },
-                attributes: None,
+                attributes: Some(Box::default()),
             },
             cryptographic_algorithm: Some(cryptographic_algorithm),
             cryptographic_length: Some(len),