updgrade fifiixedss

service/internal/security/config.go

@@ -34,13 +34,11 @@ func (k *KASConfigDupe) consolidate() {
 	consolidated := make([]CurrentKeyFor, 0, len(k.Keyring)/2) //nolint:mnd // There are at most two of each of the new kind of keys.
 	for _, key := range k.Keyring {
 		if j, ok := seen[key.KID]; ok {
-			if key.Legacy {
-				consolidated[j].Legacy = true
-			} else {
-				consolidated[j].Active = key.Active
-			}
+			consolidated[j].Legacy = consolidated[j].Legacy || key.Legacy
+			consolidated[j].Active = consolidated[j].Active || !key.Legacy
 		} else {
 			seen[key.KID] = len(consolidated)
+			key.Active = !key.Legacy
 			consolidated = append(consolidated, key)
 		}
 	}

service/internal/security/config_test.go

@@ -64,7 +64,7 @@ func TestMarshalTo(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "upgrade2024H2",
+			name: "upgrade2024H2A",
 			config: CryptoConfig2024{
 				Standard: Standard{
 					Keys: []KeyPairInfo{
@@ -75,8 +75,10 @@ func TestMarshalTo(t *testing.T) {
 			},
 			input: map[string]any{
 				"keyring": []map[string]any{
-					{"alg": "rsa:2048", "kid": "rsa1", "private": "rsa1_private.pem", "cert": "rsa1_public.pem", "active": true, "legacy": true},
-					{"alg": "ec:secp256r1", "kid": "ec1", "private": "ec1_private.pem", "cert": "ec1_public.pem", "active": true, "legacy": true},
+					{"alg": "rsa:2048", "kid": "rsa1"},
+					{"alg": "ec:secp256r1", "kid": "ec1"},
+					{"alg": "rsa:2048", "kid": "rsa1", "legacy": true},
+					{"alg": "ec:secp256r1", "kid": "ec1", "legacy": true},
 				},
 			},
 			expected: KASConfigDupe{
@@ -87,6 +89,65 @@ func TestMarshalTo(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "upgrade2024H2A",
+			config: CryptoConfig2024{
+				Standard: Standard{
+					Keys: []KeyPairInfo{
+						{Algorithm: "rsa:2048", KID: "rsa1", Private: "rsa1_private.pem", Certificate: "rsa1_public.pem"},
+						{Algorithm: "ec:secp256r1", KID: "ec1", Private: "ec1_private.pem", Certificate: "ec1_public.pem"},
+					},
+				},
+			},
+			input: map[string]any{
+				"keyring": []map[string]any{
+					{"alg": "rsa:2048", "kid": "rsa1"},
+					{"alg": "ec:secp256r1", "kid": "ec1"},
+				},
+			},
+			expected: KASConfigDupe{
+				Keyring: []CurrentKeyFor{
+					{Algorithm: "rsa:2048", KID: "rsa1", Private: "rsa1_private.pem", Certificate: "rsa1_public.pem", Active: true, Legacy: false},
+					{Algorithm: "ec:secp256r1", KID: "ec1", Private: "ec1_private.pem", Certificate: "ec1_public.pem", Active: true, Legacy: false},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "upgrade2024H2B",
+			config: CryptoConfig2024{
+				Standard: Standard{
+					Keys: []KeyPairInfo{
+						{Algorithm: "ec:secp256r1", KID: "ec2", Private: "ec2_private.pem", Certificate: "ec2_public.pem"},
+						{Algorithm: "rsa:2048", KID: "rsa1", Private: "rsa1_private.pem", Certificate: "rsa1_public.pem"},
+						{Algorithm: "ec:secp256r1", KID: "ec1", Private: "ec1_private.pem", Certificate: "ec1_public.pem"},
+						{Algorithm: "rsa:2048", KID: "rsa3", Private: "rsa3_private.pem", Certificate: "rsa3_public.pem"},
+						{Algorithm: "rsa:2048", KID: "rsa2", Private: "rsa2_private.pem", Certificate: "rsa2_public.pem"},
+						{Algorithm: "ec:secp256r1", KID: "ec3", Private: "ec3_private.pem", Certificate: "ec3_public.pem"},
+					},
+				},
+			},
+			input: map[string]any{
+				"keyring": []map[string]any{
+					{"alg": "rsa:2048", "kid": "rsa1"},
+					{"alg": "ec:secp256r1", "kid": "ec1", "legacy": true},
+					{"alg": "ec:secp256r1", "kid": "ec1"},
+					{"alg": "rsa:2048", "kid": "rsa2", "legacy": true},
+					{"alg": "ec:secp256r1", "kid": "ec2", "legacy": true},
+				},
+			},
+			expected: KASConfigDupe{
+				Keyring: []CurrentKeyFor{
+					{Algorithm: "rsa:2048", KID: "rsa1", Private: "rsa1_private.pem", Certificate: "rsa1_public.pem", Active: true, Legacy: false},
+					{Algorithm: "rsa:2048", KID: "rsa2", Private: "rsa2_private.pem", Certificate: "rsa2_public.pem", Active: false, Legacy: true},
+					{Algorithm: "rsa:2048", KID: "rsa3", Private: "rsa3_private.pem", Certificate: "rsa3_public.pem", Active: false, Legacy: false},
+					{Algorithm: "ec:secp256r1", KID: "ec1", Private: "ec1_private.pem", Certificate: "ec1_public.pem", Active: true, Legacy: true},
+					{Algorithm: "ec:secp256r1", KID: "ec2", Private: "ec2_private.pem", Certificate: "ec2_public.pem", Active: false, Legacy: true},
+					{Algorithm: "ec:secp256r1", KID: "ec3", Private: "ec3_private.pem", Certificate: "ec3_public.pem", Active: false, Legacy: false},
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "invalid input confusing",
 			config: CryptoConfig2024{
@@ -117,7 +178,7 @@ func TestMarshalTo(t *testing.T) {
 			var result KASConfigDupe
 			err = mapstructure.Decode(tt.input, &result)
 			require.NoError(t, err)
-			assert.Equal(t, tt.expected, result)
+			assert.ElementsMatch(t, tt.expected.Keyring, result.Keyring)
 		})
 	}
 }

test/tdf-roundtrips.bats

@@ -122,6 +122,7 @@
 wait_for_green() {
   limit=5
   for i in $(seq 1 $limit); do
+
     grpcurl "localhost:8080" "grpc.health.v1.Health.Check"
     if [ "$(grpcurl "localhost:8080" "grpc.health.v1.Health.Check" | jq -e -r .status)" = SERVING ]; then
       return 0
@@ -266,7 +267,7 @@ setup_file() {
     cp opentdf.yaml opentdf-test-backup.yaml.bak
   fi
   openssl req -x509 -nodes -newkey RSA:2048 -subj "/CN=kas" -keyout kas-r1-private.pem -out kas-r1-cert.pem -days 365
-  openssl req -x509 -nodes -newkey RSA:2048 -subj "/CN=kas" -keyout kas-r1-private.pem -out kas-r1-cert.pem -days 365
+  openssl req -x509 -nodes -newkey RSA:2048 -subj "/CN=kas" -keyout kas-r2-private.pem -out kas-r2-cert.pem -days 365
   openssl ecparam -name prime256v1 >ecparams.tmp
   openssl req -x509 -nodes -newkey ec:ecparams.tmp -subj "/CN=kas" -keyout kas-e1-private.pem -out kas-e1-cert.pem -days 365
   openssl req -x509 -nodes -newkey ec:ecparams.tmp -subj "/CN=kas" -keyout kas-e2-private.pem -out kas-e2-cert.pem -days 365