public/kms
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: PKCS11 provider library (#208)

Browse source 
* attempt at vendoring openssl for josekit

* update readme

* Try without vendored for josekit in client

* more doc for windows

* ci: Run binaries in clean env also in debug mode (#215)

* ci: run binaries in clean env. also in debug mode

* ci: increase size of tmp files

* ci: test ckms without openssl

* ci: test ckms without openssl

* ci: fix windows build

* ci: only build server just after openssl build

* fix(ckms): remove println on CreateKeyPairAction

* added pkcs11 provider

* refactored export and import into the client

* refactored encodings to client

* unused deps

* move logging init to pkcs11

* key data objects

* batching exports

* batch operations beta

* refactoing of tests

* fixed tests

* fixed test server

* code beta

* switching to the git version of  native-pkcs11

* cargo fmt

* pyo3 fix

* license reference fix

* rlib fix

* native-pkcs11 feature fix

* native-pkcs11 feature fix

* rlib fix

* test data fixes

* feature import fix

* native pkcs11 custom-function-list feature

* Documentation

* documentation fixes

* documentation improvements

* zero-trust doc

* build instructions

* more windows fixes

* rebae on branch 105-removal-of-openssl-in-the-cli

* refacto almost done

* clippy fixes

* update FUNC_LIST

* fixed version of native-pkcs11

* documentation

* cargo fmt

* cargo fmt

* fixed tests server imports

* fixed import

* review fixes

* docs: fix dead links

* fix: remove useless deps of test_server

* fix: disable doc test for new subcrates

* fix: cargo audit

* fix: test_server build

* doc fix

* github build pkcs11 lib

* artifacts fix

* fix: artifacts in debug

* fix: artifacts in debug - windows

* fix: artifacts in debug - windows - not for pkcs11

* linux build doc

* fix: pkcs11 windows build

---------

Co-authored-by: ThibsG <thibsg@pm.me>
Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>
Co-authored-by: Manuthor <manu.coste@gmail.com>
This commit is contained in:
Bruno Grieder 2024-03-25 15:08:19 +01:00 committed by GitHub
parent 5620f95535
commit 18e16f7fd4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
204 changed files with 3300 additions and 1651 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.cargo/config.toml
View file

@ -27,3 +27,11 @@ deps = "udeps --workspace --all-targets --all-features --backend depinfo"
# "-C",
# "target_cpu=native",
# ]
# On Windows, the linker may exceed its number of allowed symbols
# This is likely going to require nightly
# see https://github.com/rust-lang/rust/issues/53014#issuecomment-646149774
[target.aarch64-pc-windows-msvc]
rustflags = "-Zshare-generics=off"
[target.x86_64-pc-windows-msvc]
rustflags = "-Zshare-generics=off"

29
.github/workflows/build_all.yml vendored
View file

@ -21,6 +21,8 @@ jobs:
cargo build
cd ../server
cargo build
cd ../pkcs11
cargo build
cd ../..
# Check binaries
@ -31,6 +33,7 @@ jobs:
artifacts: |
target/debug/ckms
target/debug/cosmian_kms_server
target/debug/libckms_pkcs11.so
rhel9-tests:
uses: ./.github/workflows/build_rhel9.yml
@ -44,6 +47,8 @@ jobs:
cargo build
cd ../server
cargo build
cd ../pkcs11
cargo build
cd ../..
# Check binaries
@ -54,6 +59,7 @@ jobs:
artifacts: |
target/debug/ckms
target/debug/cosmian_kms_server
target/debug/libckms_pkcs11.so
fips-centos7-test:
uses: ./.github/workflows/build_centos7.yml
@ -67,9 +73,10 @@ jobs:
cargo build --features fips
cd ../server
cargo build --features fips
cd ../pkcs11
cargo build
cd ../..
# Check binaries
target/debug/ckms -h
target/debug/cosmian_kms_server -h
@ -79,6 +86,7 @@ jobs:
/usr/local/openssl
target/debug/ckms
target/debug/cosmian_kms_server
target/debug/libckms_pkcs11.so
ubuntu-20-tests:
uses: ./.github/workflows/build_generic.yml
@ -93,6 +101,8 @@ jobs:
cargo build
cd ../server
cargo build
cd ../pkcs11
cargo build
cd ../..
# Check binaries
@ -103,6 +113,7 @@ jobs:
artifacts: |
target/debug/ckms
target/debug/cosmian_kms_server
target/debug/libckms_pkcs11.so
fips-ubuntu-20-tests:
uses: ./.github/workflows/build_generic.yml
@ -117,6 +128,8 @@ jobs:
cargo build --features fips
cd ../server
cargo build --features fips
cd ../pkcs11
cargo build
cd ../..
# Check binaries
@ -128,6 +141,7 @@ jobs:
/usr/local/openssl
target/debug/ckms
target/debug/cosmian_kms_server
target/debug/libckms_pkcs11.so
ubuntu-22-tests:
uses: ./.github/workflows/build_generic.yml
@ -143,6 +157,8 @@ jobs:
ldd ../../target/debug/ckms | grep ssl && exit 1
cd ../server
cargo build
cd ../pkcs11
cargo build
cd ../..
# Check binaries
@ -153,6 +169,7 @@ jobs:
artifacts: |
target/debug/ckms
target/debug/cosmian_kms_server
target/debug/libckms_pkcs11.so
windows-tests:
uses: ./.github/workflows/build_generic.yml
@ -167,6 +184,12 @@ jobs:
# build only `ckms`
cd crate/cli
cargo build --target x86_64-pc-windows-gnu
# The `pkcs11` crate build FAILS on debug with:
# /usr/bin/x86_64-w64-mingw32-ld: error: export ordinal too large: 85394
# build pkcs11 provider
# cd ../pkcs11
# cargo build --target x86_64-pc-windows-gnu
cd ../..
sudo mkdir -p /usr/local/openssl
@ -178,6 +201,7 @@ jobs:
artifacts: |
target/x86_64-pc-windows-gnu/debug/ckms.exe
target/x86_64-pc-windows-gnu/debug/cosmian_kms_server.exe
# target/x86_64-pc-windows-gnu/debug/ckms_pkcs11.dll
mac-tests:
uses: ./.github/workflows/build_generic.yml
@ -193,6 +217,8 @@ jobs:
cd crate/cli
cargo build --target x86_64-apple-darwin
otool -L ../../target/x86_64-apple-darwin/debug/ckms | grep openssl && exit 1
cd ../pkcs11
cargo build --target x86_64-apple-darwin
cd ../server
cargo build --target x86_64-apple-darwin
cd ../..
@ -203,3 +229,4 @@ jobs:
artifacts: |
target/x86_64-apple-darwin/debug/ckms
target/x86_64-apple-darwin/debug/cosmian_kms_server
target/x86_64-apple-darwin/debug/libckms_pkcs11.dylib

26
.github/workflows/build_all_release.yml vendored
View file

@ -21,6 +21,8 @@ jobs:
cargo build --release
cd ../server
cargo build --release
cd ../pkcs11
cargo build --release
cd ../..
# Check binaries
@ -29,6 +31,7 @@ jobs:
artifacts: |
target/release/ckms
target/release/cosmian_kms_server
target/release/libckms_pkcs11.so
rhel9:
uses: ./.github/workflows/build_rhel9.yml
@ -42,6 +45,8 @@ jobs:
cargo build --release
cd ../server
cargo build --release
cd ../pkcs11
cargo build --release
cd ../..
# Check binaries
@ -50,6 +55,7 @@ jobs:
artifacts: |
target/release/ckms
target/release/cosmian_kms_server
target/release/libckms_pkcs11.so
fips-centos7:
uses: ./.github/workflows/build_centos7.yml
@ -63,6 +69,8 @@ jobs:
cargo build --release --features fips
cd ../server
cargo build --release --features fips
cd ../pkcs11
cargo build --release
cd ../..
# Check binaries
@ -72,6 +80,7 @@ jobs:
/usr/local/openssl
target/release/ckms
target/release/cosmian_kms_server
target/release/libckms_pkcs11.so
ubuntu-20:
uses: ./.github/workflows/build_generic.yml
@ -86,6 +95,8 @@ jobs:
cargo build --release
cd ../server
cargo build --release
cd ../pkcs11
cargo build --release
cd ../..
# Check binaries
@ -94,6 +105,7 @@ jobs:
artifacts: |
target/release/ckms
target/release/cosmian_kms_server
target/release/libckms_pkcs11.so
fips-ubuntu-20:
uses: ./.github/workflows/build_generic.yml
@ -108,6 +120,8 @@ jobs:
cargo build --release --features fips
cd ../server
cargo build --release --features fips
cd ../pkcs11
cargo build --release
cd ../..
# Check binaries
@ -117,6 +131,7 @@ jobs:
/usr/local/openssl
target/release/ckms
target/release/cosmian_kms_server
target/release/libckms_pkcs11.so
ubuntu-22:
uses: ./.github/workflows/build_generic.yml
@ -132,6 +147,8 @@ jobs:
ldd ../../target/release/ckms | grep ssl && exit 1
cd ../server
cargo build --release
cd ../pkcs11
cargo build --release
cd ../..
# Check binaries
@ -140,6 +157,7 @@ jobs:
artifacts: |
target/release/ckms
target/release/cosmian_kms_server
target/release/libckms_pkcs11.so
windows:
uses: ./.github/workflows/build_generic.yml
@ -154,6 +172,10 @@ jobs:
# build only `ckms`
cd crate/cli
cargo build --release --target x86_64-pc-windows-gnu
# build pkcs11 provider
cd ../pkcs11
cargo build --release --target x86_64-pc-windows-gnu
cd ../..
sudo mkdir -p /usr/local/openssl
@ -165,6 +187,7 @@ jobs:
artifacts: |
target/x86_64-pc-windows-gnu/release/ckms.exe
target/x86_64-pc-windows-gnu/release/cosmian_kms_server.exe
target/x86_64-pc-windows-gnu/release/ckms_pkcs11.dll
mac:
uses: ./.github/workflows/build_generic.yml
@ -180,6 +203,8 @@ jobs:
cd crate/cli
cargo build --release --target x86_64-apple-darwin
otool -L ../../target/x86_64-apple-darwin/release/ckms | grep openssl && exit 1
cd ../pkcs11
cargo build --release --target x86_64-apple-darwin
cd ../server
cargo build --release --target x86_64-apple-darwin
cd ../..
@ -190,6 +215,7 @@ jobs:
artifacts: |
target/x86_64-apple-darwin/release/ckms
target/x86_64-apple-darwin/release/cosmian_kms_server
target/x86_64-apple-darwin/release/libckms_pkcs11.dylib
cosmian_vm:
needs:

4
.gitignore vendored
View file

@ -14,5 +14,5 @@ crate/cli/*.sqlite
.idea/
rustc-ice*.txt
crate/cli/cosmian-kms/sqlite-data
cosmian-kms/sqlite-data
# this directory may contain sqlite data when the KMS is launched locally
**/cosmian-kms/sqlite-data

3
.pre-commit-config.yaml
View file

@ -24,6 +24,7 @@ repos:
exclude_types:
- yaml
- markdown
exclude: documentation/theme_overrides/assets
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.32.2
@ -37,6 +38,7 @@ repos:
--disable=MD029,
--disable=MD041,
--disable=MD046,
--fix,
]
exclude: documentation/docs
@ -65,6 +67,7 @@ repos:
rev: v1.13.1
hooks:
- id: typos
exclude: documentation/docs/images/google_cse.drawio.svg|crate/test_server/src/test_jwt.rs|crate/pkcs11/documentation/veracrypt_ckms.svg|crate/client/test_data/configs/kms.bad|crate/test_server/certificates/|crate/client/test_data/configs/
- repo: https://github.com/Lucas-C/pre-commit-hooks
rev: v1.3.1

327
Cargo.lock generated
View file

@ -422,6 +422,30 @@ version = "1.0.79"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "080e9890a082662b09c1ad45f567faeeb47f22b5fb23895fbe1e651e718e25ca"
[[package]]
name = "apple-security-framework"
version = "2.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "07831f002eaa83d94f7e2c1300f3268a8f949c35a41dd99faceb6575c191d871"
dependencies = [
"apple-security-framework-sys",
"bitflags 2.4.2",
"core-foundation",
"core-foundation-sys",
"libc",
"num-bigint",
]
[[package]]
name = "apple-security-framework-sys"
version = "2.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "09acfa027e87e9f590474e9ef19d0f12158bf1c72af80ac76806f17e84959a42"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]]
name = "arbitrary"
version = "1.3.2"
@ -490,9 +514,9 @@ dependencies = [
[[package]]
name = "assert_cmd"
version = "2.0.13"
version = "2.0.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00ad3f3a942eee60335ab4342358c161ee296829e0d16ff42fc1d6cb07815467"
checksum = "ed72493ac66d5804837f480ab3766c72bdfab91a65e565fc54fa9e42db0073a8"
dependencies = [
"anstyle",
"bstr",
@ -601,6 +625,15 @@ version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
[[package]]
name = "bincode"
version = "1.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1f45e9417d87227c7a56d22e471c6206462cba514c7590c09aff4cf6d1ddcad"
dependencies = [
"serde",
]
[[package]]
name = "bitflags"
version = "1.3.2"
@ -741,7 +774,7 @@ dependencies = [
"num-traits",
"serde",
"wasm-bindgen",
"windows-targets 0.52.0",
"windows-targets 0.52.4",
]
[[package]]
@ -755,6 +788,27 @@ dependencies = [
"zeroize",
]
[[package]]
name = "ckms_pkcs11"
version = "4.13.5"
dependencies = [
"cosmian_kmip",
"cosmian_kms_client",
"cosmian_logger",
"etcetera",
"kms_test_server",
"native-pkcs11",
"native-pkcs11-traits",
"serde_json",
"sha3",
"thiserror",
"tokio",
"tracing",
"tracing-error",
"tracing-subscriber",
"zeroize",
]
[[package]]
name = "clap"
version = "4.4.18"
@ -1100,7 +1154,7 @@ dependencies = [
"serde",
"serde_json",
"sha3",
"strum",
"strum 0.25.0",
"thiserror",
"time",
"tracing",
@ -1125,16 +1179,16 @@ dependencies = [
"cosmian_kms_server",
"der",
"env_logger",
"kms_test_server",
"oauth2",
"openssl",
"pem",
"predicates",
"regex",
"reqwest",
"rustls 0.21.10",
"serde",
"serde_json",
"strum",
"strum 0.25.0",
"tempfile",
"thiserror",
"tokio",
@ -1151,16 +1205,22 @@ name = "cosmian_kms_client"
version = "4.13.5"
dependencies = [
"base64 0.21.7",
"cloudproof",
"cosmian_kmip",
"der",
"http",
"log",
"pem",
"reqwest",
"rustls 0.21.10",
"serde",
"serde_json",
"thiserror",
"tracing",
"url",
"webpki-roots 0.22.6",
"x509-cert",
"zeroize",
]
[[package]]
@ -2056,7 +2116,7 @@ dependencies = [
"iana-time-zone-haiku",
"js-sys",
"wasm-bindgen",
"windows-core",
"windows-core 0.52.0",
]
[[package]]
@ -2158,6 +2218,20 @@ dependencies = [
"cpufeatures",
]
[[package]]
name = "kms_test_server"
version = "4.13.5"
dependencies = [
"actix-server",
"base64 0.21.7",
"cosmian_kmip",
"cosmian_kms_client",
"cosmian_kms_server",
"serde_json",
"tokio",
"tracing",
]
[[package]]
name = "language-tags"
version = "0.3.2"
@ -2308,9 +2382,9 @@ dependencies = [
[[package]]
name = "mio"
version = "0.8.10"
version = "0.8.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f3d0b296e374a4e6f3c7b0a1f5a51d748a0d34c85e7dc48fc3fa9a87657fe09"
checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
dependencies = [
"libc",
"log",
@ -2318,6 +2392,85 @@ dependencies = [
"windows-sys 0.48.0",
]
[[package]]
name = "native-pkcs11"
version = "0.2.17"
source = "git+https://github.com/Cosmian/native-pkcs11.git?rev=402000cef7763e72c82231f069a8dc8bad847ab8#402000cef7763e72c82231f069a8dc8bad847ab8"
dependencies = [
"log",
"native-pkcs11-core",
"native-pkcs11-keychain",
"native-pkcs11-traits",
"native-pkcs11-windows",
"once_cell",
"pkcs11-sys",
"thiserror",
"tracing",
"tracing-error",
"tracing-journald",
"tracing-subscriber",
]
[[package]]
name = "native-pkcs11-core"
version = "0.2.17"
source = "git+https://github.com/Cosmian/native-pkcs11.git?rev=402000cef7763e72c82231f069a8dc8bad847ab8#402000cef7763e72c82231f069a8dc8bad847ab8"
dependencies = [
"bincode",
"log",
"native-pkcs11-keychain",
"native-pkcs11-traits",
"native-pkcs11-windows",
"once_cell",
"p256",
"pkcs1",
"pkcs11-sys",
"serde",
"strum 0.26.2",
"strum_macros 0.26.2",
"thiserror",
"tracing",
]
[[package]]
name = "native-pkcs11-keychain"
version = "0.2.17"
source = "git+https://github.com/Cosmian/native-pkcs11.git?rev=402000cef7763e72c82231f069a8dc8bad847ab8#402000cef7763e72c82231f069a8dc8bad847ab8"
dependencies = [
"apple-security-framework",
"apple-security-framework-sys",
"core-foundation",
"native-pkcs11-traits",
"p256",
"rand",
"rsa",
"spki",
"thiserror",
"tracing",
"tracing-error",
"x509-cert",
]
[[package]]
name = "native-pkcs11-traits"
version = "0.2.17"
source = "git+https://github.com/Cosmian/native-pkcs11.git?rev=402000cef7763e72c82231f069a8dc8bad847ab8#402000cef7763e72c82231f069a8dc8bad847ab8"
dependencies = [
"once_cell",
"rand",
"x509-cert",
"zeroize",
]
[[package]]
name = "native-pkcs11-windows"
version = "0.2.17"
source = "git+https://github.com/Cosmian/native-pkcs11.git?rev=402000cef7763e72c82231f069a8dc8bad847ab8#402000cef7763e72c82231f069a8dc8bad847ab8"
dependencies = [
"native-pkcs11-traits",
"windows",
]
[[package]]
name = "native-tls"
version = "0.2.11"
@ -2734,6 +2887,11 @@ dependencies = [
"spki",
]
[[package]]
name = "pkcs11-sys"
version = "0.2.17"
source = "git+https://github.com/Cosmian/native-pkcs11.git?rev=402000cef7763e72c82231f069a8dc8bad847ab8#402000cef7763e72c82231f069a8dc8bad847ab8"
[[package]]
name = "pkcs5"
version = "0.7.1"
@ -3380,18 +3538,18 @@ checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0"
[[package]]
name = "serde"
version = "1.0.196"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "870026e60fa08c69f064aa766c10f10b1d62db9ccd4d0abb206472bee0ce3b32"
checksum = "3fb1c873e1b9b056a4dc4c0c198b24c3ffa059243875552b2bd0933b1aee4ce2"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.196"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "33c85360c95e7d137454dc81d9a4ed2b8efd8fbe19cee57357b32b9771fccb67"
checksum = "7eb0b34b42edc17f6b7cac84a52a1c5f0e1bb2227e997ca9011ea3dd34e8610b"
dependencies = [
"proc-macro2",
"quote",
@ -3800,9 +3958,15 @@ version = "0.25.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "290d54ea6f91c969195bdbcd7442c8c2a2ba87da8bf60a7ee86a235d4bc1e125"
dependencies = [
"strum_macros",
"strum_macros 0.25.3",
]
[[package]]
name = "strum"
version = "0.26.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d8cec3501a5194c432b2b7976db6b7d10ec95c253208b45f83f7136aa985e29"
[[package]]
name = "strum_macros"
version = "0.25.3"
@ -3816,6 +3980,19 @@ dependencies = [
"syn 2.0.48",
]
[[package]]
name = "strum_macros"
version = "0.26.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c6cf59daf282c0a494ba14fd21610a0325f9f90ec9d1231dea26bcb1d696c946"
dependencies = [
"heck",
"proc-macro2",
"quote",
"rustversion",
"syn 2.0.48",
]
[[package]]
name = "subtle"
version = "2.5.0"
@ -3903,18 +4080,18 @@ checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76"
[[package]]
name = "thiserror"
version = "1.0.56"
version = "1.0.58"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d54378c645627613241d077a3a79db965db602882668f9136ac42af9ecb730ad"
checksum = "03468839009160513471e86a034bb2c5c0e4baae3b43f79ffc55c4a5427b3297"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
version = "1.0.56"
version = "1.0.58"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa0faa943b50f3db30a20aa7e265dbc66076993efed8463e8de414e5d06d3471"
checksum = "c61f3ba182994efc43764a46c018c347bc492c79f024e705f46567b418f6d4f7"
dependencies = [
"proc-macro2",
"quote",
@ -4189,6 +4366,27 @@ dependencies = [
"valuable",
]
[[package]]
name = "tracing-error"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d686ec1c0f384b1277f097b2f279a2ecc11afe8c133c1aabf036a27cb4cd206e"
dependencies = [
"tracing",
"tracing-subscriber",
]
[[package]]
name = "tracing-journald"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba316a74e8fc3c3896a850dba2375928a9fa171b085ecddfc7c054d39970f3fd"
dependencies = [
"libc",
"tracing-core",
"tracing-subscriber",
]
[[package]]
name = "tracing-log"
version = "0.2.0"
@ -4381,6 +4579,12 @@ version = "0.11.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
[[package]]
name = "wasite"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
[[package]]
name = "wasm-bindgen"
version = "0.2.90"
@ -4497,9 +4701,13 @@ checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"
[[package]]
name = "whoami"
version = "1.4.1"
version = "1.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22fc3756b8a9133049b26c7f61ab35416c130e8c09b660f5b3958b446f52cc50"
checksum = "a44ab49fad634e88f55bf8f9bb3abd2f27d7204172a112c7c9987e01c1c94ea9"
dependencies = [
"redox_syscall",
"wasite",
]
[[package]]
name = "winapi"
@ -4523,13 +4731,42 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows"
version = "0.54.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9252e5725dbed82865af151df558e754e4a3c2c30818359eb17465f1346a1b49"
dependencies = [
"windows-core 0.54.0",
"windows-targets 0.52.4",
]
[[package]]
name = "windows-core"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
dependencies = [
"windows-targets 0.52.0",
"windows-targets 0.52.4",
]
[[package]]
name = "windows-core"
version = "0.54.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "12661b9c89351d684a50a8a643ce5f608e20243b9fb84687800163429f161d65"
dependencies = [
"windows-result",
"windows-targets 0.52.4",
]
[[package]]
name = "windows-result"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd19df78e5168dfb0aedc343d1d1b8d422ab2db6756d2dc3fef75035402a3f64"
dependencies = [
"windows-targets 0.52.4",
]
[[package]]
@ -4547,7 +4784,7 @@ version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
dependencies = [
"windows-targets 0.52.0",
"windows-targets 0.52.4",
]
[[package]]
@ -4567,17 +4804,17 @@ dependencies = [
[[package]]
name = "windows-targets"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd"
checksum = "7dd37b7e5ab9018759f893a1952c9420d060016fc19a472b4bb20d1bdd694d1b"
dependencies = [
"windows_aarch64_gnullvm 0.52.0",
"windows_aarch64_msvc 0.52.0",
"windows_i686_gnu 0.52.0",
"windows_i686_msvc 0.52.0",
"windows_x86_64_gnu 0.52.0",
"windows_x86_64_gnullvm 0.52.0",
"windows_x86_64_msvc 0.52.0",
"windows_aarch64_gnullvm 0.52.4",
"windows_aarch64_msvc 0.52.4",
"windows_i686_gnu 0.52.4",
"windows_i686_msvc 0.52.4",
"windows_x86_64_gnu 0.52.4",
"windows_x86_64_gnullvm 0.52.4",
"windows_x86_64_msvc 0.52.4",
]
[[package]]
@ -4588,9 +4825,9 @@ checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea"
checksum = "bcf46cf4c365c6f2d1cc93ce535f2c8b244591df96ceee75d8e83deb70a9cac9"
[[package]]
name = "windows_aarch64_msvc"
@ -4600,9 +4837,9 @@ checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
[[package]]
name = "windows_aarch64_msvc"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef"
checksum = "da9f259dd3bcf6990b55bffd094c4f7235817ba4ceebde8e6d11cd0c5633b675"
[[package]]
name = "windows_i686_gnu"
@ -4612,9 +4849,9 @@ checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
[[package]]
name = "windows_i686_gnu"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313"
checksum = "b474d8268f99e0995f25b9f095bc7434632601028cf86590aea5c8a5cb7801d3"
[[package]]
name = "windows_i686_msvc"
@ -4624,9 +4861,9 @@ checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
[[package]]
name = "windows_i686_msvc"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a"
checksum = "1515e9a29e5bed743cb4415a9ecf5dfca648ce85ee42e15873c3cd8610ff8e02"
[[package]]
name = "windows_x86_64_gnu"
@ -4636,9 +4873,9 @@ checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
[[package]]
name = "windows_x86_64_gnu"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd"
checksum = "5eee091590e89cc02ad514ffe3ead9eb6b660aedca2183455434b93546371a03"
[[package]]
name = "windows_x86_64_gnullvm"
@ -4648,9 +4885,9 @@ checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e"
checksum = "77ca79f2451b49fa9e2af39f0747fe999fcda4f5e241b2898624dca97a1f2177"
[[package]]
name = "windows_x86_64_msvc"
@ -4660,9 +4897,9 @@ checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
[[package]]
name = "windows_x86_64_msvc"
version = "0.52.0"
version = "0.52.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04"
checksum = "32b752e52a2da0ddfbdbcc6fceadfeede4c939ed16d13e648833a61dfb611ed8"
[[package]]
name = "winnow"

24
Cargo.toml
View file

@ -1,18 +1,27 @@
[workspace]
default-members = ["crate/cli", "crate/server"]
default-members = ["crate/cli", "crate/server", "crate/pkcs11"]
members = [
"crate/cli",
"crate/client",
"crate/kmip",
"crate/server",
"crate/pyo3",
"crate/logger",
"crate/cli",
"crate/client",
"crate/kmip",
"crate/server",
"crate/logger",
"crate/pyo3",
"crate/pkcs11",
"crate/test_server",
]
# Do that if you don't want to enable `dev` feature by default due to the `dev-dependencies` of the cli.
# For more details, read: https://doc.rust-lang.org/cargo/reference/resolver.html#feature-resolver-version-2
# note: resolver defaults to 2 in 2021 edition crate, but defaults to 1 in virtual workspace
resolver = "2"
[workspace.package]
edition = "2021"
rust-version = "1.71.0"
authors = ["Bruno Grieder <bruno.grieder@cosmian.com>", "Emmanuel Coste <emmanuel.coste@cosmian.com>"]
license = "Business Source License 1.1"
repository = "https://github.com/Cosmian/kms"
[profile.release]
lto = true
strip = true
@ -32,6 +41,7 @@ opt-level = 0
[workspace.dependencies]
actix-rt = "2.9"
actix-server = { version = "2.3", default-features = false }
actix-web = { version = "4.5", default-features = false }
base64 = "0.21"
chrono = "0.4"

0
LICENSE.md → LICENSE
View file

91
README.md
View file

@ -2,7 +2,7 @@
![Build status](https://github.com/Cosmian/kms/actions/workflows/ci.yml/badge.svg?branch=main)
Cosmian KMS is an open-source implementation of a high-performance, massively scalable, **Key
Cosmian KMS is an implementation of a high-performance, massively scalable, **Key
Management System** that presents some unique features, such as
- the ability to run in a public cloud - or any zero-trust environment - using application-level
@ -10,36 +10,33 @@ Management System** that presents some unique features, such as
see [Redis-Findex](https://docs.cosmian.com/cosmian_key_management_system/replicated_mode/))
- a JSON KMIP 2.1 compliant interface
- support for object tagging to easily manage keys and secrets
- a full-featured command line
- a full-featured command line and graphical
interface ([CLI](https://docs.cosmian.com/cosmian_key_management_system/cli/cli/))
- Python, Javascript, Dart, Rust, C/C++ and Java clients (see the `cloudproof` libraries
on [Cosmian Github](https://github.com/Cosmian))
- FIPS 140-2 mode gated behind the feature `fips`
- support of Google Client Side Encryption (CSE)
- support of Microsoft Double Key Encryption (DKE)
- out of the box support of
[Google Workspace Client Side Encryption (CSE)](https://support.google.com/a/answer/14326936?fl=1&sjid=15335080317297331676-NA)
- out of the box support
of [Microsoft Double Key Encryption (DKE)](https://learn.microsoft.com/en-us/purview/double-key-encryption)
- [Veracrypt](https://veracrypt.fr/en/Home.html) disk encryption support
It has extensive [documentation](https://docs.cosmian.com/cosmian_key_management_system/) and is
also available packaged as docker images (`docker pull ghcr.io/cosmian/kms`) to get you started
quickly.
The KMS has an extensive
online [documentation](https://docs.cosmian.com/cosmian_key_management_system/)
The KMS can manage keys and secrets used with a comprehensive list of common (AES, ECIES, ...) and
Cosmian advanced cryptographic stacks such as [Covercrypt](https://github.com/Cosmian/cover_crypt).
Keys can be wrapped and unwrapped using ECIES or RFC5649.
## Table of contents
<!-- the TOC is automatically refreshed by the pre-commit hook `markdown-toc` -->
<!-- unless required, do not edit labels `toc` and `tocstop` -->
Keys can be wrapped and unwrapped using RSA, ECIES or RFC5649/AES KWP.
<!-- toc -->
- [Quick start](#quick-start)
- [Repository content](#repository-content)
- [Building the KMS](#building-the-kms)
* [Linux](#linux)
* [MacOS](#macos)
* [Windows](#windows)
* [Cargo build](#cargo-build)
* [Build the Docker container](#build-the-docker-container)
* [Linux](#linux)
* [MacOS](#macos)
* [Windows](#windows)
* [Build the Docker container](#build-the-docker-container)
- [Setup as a `Supervisor` service](#setup-as-a-supervisor-service)
- [Server parameters](#server-parameters)
- [Use the KMS inside a Cosmian VM on SEV/TDX](#use-the-kms-inside-a-cosmian-vm-on-sevtdx)
@ -49,6 +46,22 @@ Keys can be wrapped and unwrapped using ECIES or RFC5649.
<!-- tocstop -->
## Quick start
Pre-built binaries [are available](https://package.cosmian.com/kms/4.13.5/)
for Linux, MacOS and Windows, as well as Docker images. Tu run the server binary, OpenSSL must be
available in your path (see "building the KMS" below for details); other binaries do not have this
requirement.
Using Docker, to quick-start a Cosmian KMS server on `http://localhost:9998` that stores its data
inside the container, simply run the following command:
```sh
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.13.5
```
See the [documentation](https://docs.cosmian.com/cosmian_key_management_system/) for more.
## Repository content
The server is written in [Rust](https://www.rust-lang.org/) and is broken down into several
@ -70,14 +83,26 @@ directory.
## Building the KMS
The KMS must be built against a local installation of OpenSSL 3. This is required to support FIPS
mode.
To avoid the *additive feature* issues, the main artifacts - the CLI, the KMS server and the
PKCS11 provider - should directly be built using `cargo build --release`within their own crate, not
from the project root.
In addition, the KMS server must be built against a local installation of OpenSSL 3. Other
artifacts do not have this requirement.
### Linux
Unless you require a FIPS certified cryptographic module, the distribution provided OpenSSL should
be
sufficient and the builder should find it automatically.
be sufficient.
You need to have the development packages of openssl installed. On Ubuntu, you can install them
with:
```sh
sudo apt install libssl-dev
```
You may also need to install the `pkg-config` package (on Ubuntu server typically).
### MacOS
@ -92,13 +117,12 @@ to the OpenSSL installation directory.
### Windows
Install Visual Studio Community with the C++ workload and clang support.
Install perl from [Strawberry Perl](http://strawberryperl.com/).
1. Install Visual Studio Community with the C++ workload and clang support.
2. Install Strawberry Perl.
3. Install `vcpkg` following
[these instructions](https://github.com/Microsoft/vcpkg#quick-start-windows)
Install `vcpkg` following
[these instructions](https://github.com/Microsoft/vcpkg#quick-start-windows)
Then install OpenSSL 3:
4. Then install OpenSSL 3:
```powershell
vcpkg.exe install openssl[fips]
@ -110,15 +134,8 @@ $env:OPENSSL_DIR="<vcpkg>\installed\<archi>>"
where `<vcpkg>` is the path to the vcpkg installation directory,
and `<archi>` is the architecture e.g `x64-windows`, `arm64-windows`, etc..
Then add `<vcpkg>\installed\<archi>\bin` to the `PATH` environment variable if you want to run the
KMS server from the command line.
### Cargo build
```sh
cargo build --no-default-features
cargo test --no-default-features
```
To run the server from the command line, add `<vcpkg>\installed\<archi>\bin` to the `PATH`
environment variable.
### Build the Docker container

6
crate/cli/Cargo.toml
View file

@ -2,7 +2,7 @@
name = "cosmian_kms_cli"
version = "4.13.5"
edition = "2021"
license-file = "../../LICENSE.md"
license-file = "../../LICENSE"
description = "CLI used to manage the Cosmian KMS."
[[bin]]
@ -40,7 +40,6 @@ env_logger = { workspace = true }
oauth2 = "4.4"
pem = "3.0"
reqwest = { workspace = true }
rustls = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
strum = { workspace = true, features = ["std", "derive", "strum_macros"] }
@ -54,12 +53,13 @@ zeroize = { workspace = true }
[dev-dependencies]
actix-rt = { workspace = true }
actix-server = { version = "2.3", default-features = false }
actix-server = { workspace = true }
assert_cmd = "2.0"
const-oid = { version = "0.9", features = ["db"] }
cosmian_kms_server = { path = "../server", features = [
"insecure",
], default-features = false }
kms_test_server = { path = "../test_server" }
openssl = { workspace = true }
predicates = "3.0"
regex = { version = "1.10", default-features = false }

14
crate/cli/src/actions/access.rs
View file

@ -2,7 +2,7 @@ use clap::Parser;
use cosmian_kms_client::{
access::{Access, ObjectOperationType},
cosmian_kmip::kmip::kmip_types::UniqueIdentifier,
KmsRestClient,
KmsClient,
};
use crate::error::{result::CliResultHelper, CliError};
@ -18,7 +18,7 @@ pub enum AccessAction {
}
impl AccessAction {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Grant(action) => action.run(kms_rest_client).await?,
Self::Revoke(action) => action.run(kms_rest_client).await?,
@ -55,7 +55,7 @@ pub struct GrantAccess {
}
impl GrantAccess {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let access = Access {
unique_identifier: Some(UniqueIdentifier::TextString(self.object_uid.clone())),
user_id: self.user.clone(),
@ -100,7 +100,7 @@ pub struct RevokeAccess {
}
impl RevokeAccess {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let access = Access {
unique_identifier: Some(UniqueIdentifier::TextString(self.object_uid.clone())),
user_id: self.user.clone(),
@ -133,7 +133,7 @@ pub struct ListAccessesGranted {
}
impl ListAccessesGranted {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let accesses = kms_rest_client
.list_access(&self.object_uid)
.await
@ -158,7 +158,7 @@ impl ListAccessesGranted {
pub struct ListOwnedObjects;
impl ListOwnedObjects {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let objects = kms_rest_client
.list_owned_objects()
.await
@ -180,7 +180,7 @@ impl ListOwnedObjects {
pub struct ListAccessRightsObtained;
impl ListAccessRightsObtained {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let objects = kms_rest_client
.list_access_rights_obtained()
.await

6
crate/cli/src/actions/certificates/certify.rs
View file

@ -10,10 +10,10 @@ use cosmian_kms_client::{
LinkedObjectIdentifier, UniqueIdentifier,
},
},
KmsRestClient,
read_bytes_from_file, KmsClient,
};
use crate::{actions::shared::utils::read_bytes_from_file, error::CliError};
use crate::error::CliError;
/// Certify a Certificate Signing Request or a Public key to create a X509 certificate.
///
@ -77,7 +77,7 @@ pub struct CertifyAction {
}
impl CertifyAction {
pub async fn run(&self, client_connector: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, client_connector: &KmsClient) -> Result<(), CliError> {
if self.certificate_signing_request.is_none() && self.public_key_id_to_certify.is_none() {
return Err(CliError::Default(
"Either a certificate signing request or a public key to certify must be provided"

5
crate/cli/src/actions/certificates/decrypt_certificate.rs
View file

@ -3,11 +3,10 @@ use std::{fs::File, io::prelude::*, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::kmip::{kmip_operations::Decrypt, kmip_types::UniqueIdentifier},
KmsRestClient,
read_bytes_from_file, KmsClient,
};
use crate::{
actions::shared::utils::read_bytes_from_file,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -41,7 +40,7 @@ pub struct DecryptCertificateAction {
}
impl DecryptCertificateAction {
pub async fn run(&self, client_connector: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, client_connector: &KmsClient) -> Result<(), CliError> {
// Read the file to decrypt
let ciphertext = read_bytes_from_file(&self.input_file)?;

4
crate/cli/src/actions/certificates/destroy_certificate.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::destroy, cli_bail, error::CliError};
@ -27,7 +27,7 @@ pub struct DestroyCertificateAction {
}
impl DestroyCertificateAction {
pub async fn run(&self, client_connector: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, client_connector: &KmsClient) -> Result<(), CliError> {
let id = if let Some(certificate_id) = &self.certificate_id {
certificate_id.clone()
} else if let Some(tags) = &self.tags {

5
crate/cli/src/actions/certificates/encrypt_certificate.rs
View file

@ -3,12 +3,11 @@ use std::{fs::File, io::prelude::*, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::kmip::{kmip_operations::Encrypt, kmip_types::UniqueIdentifier},
KmsRestClient,
read_bytes_from_file, KmsClient,
};
use zeroize::Zeroizing;
use crate::{
actions::shared::utils::read_bytes_from_file,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -43,7 +42,7 @@ pub struct EncryptCertificateAction {
}
impl EncryptCertificateAction {
pub async fn run(&self, client_connector: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, client_connector: &KmsClient) -> Result<(), CliError> {
// Read the file to encrypt
let data = Zeroizing::from(read_bytes_from_file(&self.input_file)?);

17
crate/cli/src/actions/certificates/export_certificate.rs
View file

@ -2,20 +2,13 @@ use std::path::PathBuf;
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::kmip::{
kmip_objects::Object, kmip_types::KeyFormatType, ttlv::serializer::to_ttlv,
},
KmsRestClient,
export_object,
kmip::{kmip_objects::Object, kmip_types::KeyFormatType, ttlv::serializer::to_ttlv},
write_bytes_to_file, write_json_object_to_file, write_kmip_object_to_file, KmsClient,
};
use tracing::trace;
use crate::{
actions::shared::utils::{
export_object, write_bytes_to_file, write_json_object_to_file, write_kmip_object_to_file,
},
cli_bail,
error::CliError,
};
use crate::{cli_bail, error::CliError};
#[derive(clap::ValueEnum, Debug, Clone, PartialEq, Eq)]
pub enum CertificateExportFormat {
@ -85,7 +78,7 @@ pub struct ExportCertificateAction {
impl ExportCertificateAction {
/// Export a certificate from the KMS
pub async fn run(&self, client_connector: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, client_connector: &KmsClient) -> Result<(), CliError> {
trace!("Export certificate: {:?}", self);
let object_id: String = if let Some(object_id) = &self.unique_id {

16
crate/cli/src/actions/certificates/import_certificate.rs
View file

@ -9,20 +9,14 @@ use cosmian_kms_client::{
Attributes, CertificateType, KeyFormatType, LinkType, LinkedObjectIdentifier,
},
},
KmsRestClient,
import_object, read_bytes_from_file, read_object_from_json_ttlv_file, KmsClient,
};
use der::{Decode, DecodePem, Encode};
use tracing::{debug, trace};
use x509_cert::Certificate;
use zeroize::Zeroizing;
use crate::{
actions::shared::{
import_key::build_private_key_from_der_bytes,
utils::{import_object, read_bytes_from_file, read_object_from_json_ttlv_file},
},
error::CliError,
};
use crate::{actions::shared::import_key::build_private_key_from_der_bytes, error::CliError};
const MOZILLA_CCADB: &str =
"https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites";
@ -106,7 +100,7 @@ pub struct ImportCertificateAction {
}
impl ImportCertificateAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
debug!("CLI: entering import certificate");
//generate the leaf certificate attributes if links are specified
@ -247,7 +241,7 @@ impl ImportCertificateAction {
}
/// Import the certificate, the chain and the associated private key
async fn import_pkcs12(&self, kms_rest_client: &KmsRestClient) -> Result<String, CliError> {
async fn import_pkcs12(&self, kms_rest_client: &KmsClient) -> Result<String, CliError> {
let pkcs12_bytes = Zeroizing::from(read_bytes_from_file(&self.get_certificate_file()?)?);
// Create a KMIP private key from the PKCS12 private key
@ -287,7 +281,7 @@ impl ImportCertificateAction {
/// linking the child to the parent with `Link` of `LinkType::CertificateLink`
async fn import_chain(
&self,
kms_rest_client: &KmsRestClient,
kms_rest_client: &KmsClient,
mut objects: Vec<Object>,
replace_existing: bool,
leaf_certificate_attributes: Option<Attributes>,

4
crate/cli/src/actions/certificates/mod.rs
View file

@ -1,5 +1,5 @@
use clap::Subcommand;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
pub use export_certificate::CertificateExportFormat;
pub use import_certificate::CertificateInputFormat;
@ -34,7 +34,7 @@ pub enum CertificatesCommands {
}
impl CertificatesCommands {
pub async fn process(&self, client_connector: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, client_connector: &KmsClient) -> Result<(), CliError> {
match self {
Self::Certify(action) => action.run(client_connector).await,
// Self::Create(action) => action.run(client_connector).await,

4
crate/cli/src/actions/certificates/revoke_certificate.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::revoke, cli_bail, error::CliError};
@ -30,7 +30,7 @@ pub struct RevokeCertificateAction {
}
impl RevokeCertificateAction {
pub async fn run(&self, client_connector: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, client_connector: &KmsClient) -> Result<(), CliError> {
let id = if let Some(certificate_id) = &self.certificate_id {
certificate_id.clone()
} else if let Some(tags) = &self.tags {

14
crate/cli/src/actions/cover_crypt/decrypt.rs
View file

@ -6,14 +6,11 @@ use cosmian_kms_client::{
crypto::generic::kmip_requests::build_decryption_request,
kmip::{kmip_operations::DecryptedData, kmip_types::CryptographicAlgorithm},
},
KmsRestClient,
read_bytes_from_file, read_bytes_from_files_to_bulk, write_bulk_decrypted_data,
write_single_decrypted_data, KmsClient,
};
use crate::{
actions::shared::utils::{
read_bytes_from_file, read_bytes_from_files_to_bulk, write_bulk_decrypted_data,
write_single_decrypted_data,
},
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -47,7 +44,7 @@ pub struct DecryptAction {
}
impl DecryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file(s) to decrypt
let (cryptographic_algorithm, data) = if self.input_files.len() > 1 {
(
@ -107,13 +104,14 @@ impl DecryptAction {
&metadata_and_cleartext.plaintext,
&self.input_files,
self.output_file.as_ref(),
)
)?
} else {
write_single_decrypted_data(
&metadata_and_cleartext.plaintext,
&self.input_files[0],
self.output_file.as_ref(),
)
)?
}
Ok(())
}
}

14
crate/cli/src/actions/cover_crypt/encrypt.rs
View file

@ -6,14 +6,11 @@ use cosmian_kms_client::{
crypto::generic::kmip_requests::build_encryption_request,
kmip::kmip_types::CryptographicAlgorithm,
},
KmsRestClient,
read_bytes_from_file, read_bytes_from_files_to_bulk, write_bulk_encrypted_data,
write_single_encrypted_data, KmsClient,
};
use crate::{
actions::shared::utils::{
read_bytes_from_file, read_bytes_from_files_to_bulk, write_bulk_encrypted_data,
write_single_encrypted_data,
},
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -53,7 +50,7 @@ pub struct EncryptAction {
}
impl EncryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file(s) to encrypt
let (cryptographic_algorithm, mut data) = if self.input_files.len() > 1 {
(
@ -105,9 +102,10 @@ impl EncryptAction {
// Write the encrypted data
if cryptographic_algorithm == CryptographicAlgorithm::CoverCryptBulk {
write_bulk_encrypted_data(&data, &self.input_files, self.output_file.as_ref())
write_bulk_encrypted_data(&data, &self.input_files, self.output_file.as_ref())?
} else {
write_single_encrypted_data(&data, &self.input_files[0], self.output_file.as_ref())
write_single_encrypted_data(&data, &self.input_files[0], self.output_file.as_ref())?
}
Ok(())
}
}

4
crate/cli/src/actions/cover_crypt/keys/create_key_pair.rs
View file

@ -3,7 +3,7 @@ use std::path::PathBuf;
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::cover_crypt::kmip_requests::build_create_master_keypair_request,
KmsRestClient,
KmsClient,
};
use crate::{
@ -64,7 +64,7 @@ pub struct CreateMasterKeyPairAction {
}
impl CreateMasterKeyPairAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Parse the json policy file
let policy = if let Some(specs_file) = &self.policy_specifications_file {
policy_from_json_file(specs_file)?

4
crate/cli/src/actions/cover_crypt/keys/create_user_key.rs
View file

@ -2,7 +2,7 @@ use clap::Parser;
use cloudproof::reexport::cover_crypt::abe_policy::AccessPolicy;
use cosmian_kms_client::{
cosmian_kmip::crypto::cover_crypt::kmip_requests::build_create_user_decryption_private_key_request,
KmsRestClient,
KmsClient,
};
use crate::error::{result::CliResultHelper, CliError};
@ -62,7 +62,7 @@ pub struct CreateUserKeyAction {
}
impl CreateUserKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Verify boolean expression in self.access_policy
AccessPolicy::from_boolean_expression(&self.access_policy)
.with_context(|| "bad access policy syntax")?;

4
crate/cli/src/actions/cover_crypt/keys/destroy_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::destroy, cli_bail, error::CliError};
@ -29,7 +29,7 @@ pub struct DestroyKeyAction {
}
impl DestroyKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

4
crate/cli/src/actions/cover_crypt/keys/mod.rs
View file

@ -1,5 +1,5 @@
use clap::Subcommand;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use self::{
create_key_pair::CreateMasterKeyPairAction,
@ -39,7 +39,7 @@ pub enum KeysCommands {
}
impl KeysCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::CreateMasterKeyPair(action) => action.run(kms_rest_client).await?,
Self::CreateUserKey(action) => action.run(kms_rest_client).await?,

6
crate/cli/src/actions/cover_crypt/keys/rekey.rs
View file

@ -3,7 +3,7 @@ use cosmian_kms_client::{
cosmian_kmip::crypto::cover_crypt::{
attributes::RekeyEditAction, kmip_requests::build_rekey_keypair_request,
},
KmsRestClient,
KmsClient,
};
use crate::{
@ -38,7 +38,7 @@ pub struct RekeyAction {
}
impl RekeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.secret_key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {
@ -97,7 +97,7 @@ pub struct PruneAction {
}
impl PruneAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.secret_key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

4
crate/cli/src/actions/cover_crypt/keys/revoke_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::revoke, cli_bail, error::CliError};
@ -34,7 +34,7 @@ pub struct RevokeKeyAction {
}
impl RevokeKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

14
crate/cli/src/actions/cover_crypt/mod.rs
View file

@ -1,10 +1,5 @@
pub(crate) mod decrypt;
pub(crate) mod encrypt;
pub(crate) mod keys;
pub(crate) mod policy;
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{
actions::cover_crypt::{
@ -13,6 +8,11 @@ use crate::{
error::CliError,
};
pub(crate) mod decrypt;
pub(crate) mod encrypt;
pub(crate) mod keys;
pub(crate) mod policy;
/// Manage Covercrypt keys and policies. Rotate attributes. Encrypt and decrypt data.
#[derive(Parser)]
pub enum CovercryptCommands {
@ -25,7 +25,7 @@ pub enum CovercryptCommands {
}
impl CovercryptCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Policy(command) => command.process(kms_rest_client).await?,
Self::Keys(command) => command.process(kms_rest_client).await?,

30
crate/cli/src/actions/cover_crypt/policy.rs
View file

@ -16,13 +16,10 @@ use cosmian_kms_client::{
ttlv::{deserializer::from_ttlv, TTLV},
},
},
KmsRestClient,
export_object, read_bytes_from_file, read_from_json_file, write_json_object_to_file, KmsClient,
};
use crate::{
actions::shared::utils::{
export_object, read_bytes_from_file, read_from_json_file, write_json_object_to_file,
},
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -61,7 +58,7 @@ pub enum PolicyCommands {
}
impl PolicyCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::View(action) => action.run(kms_rest_client).await?,
Self::Specs(action) => action.run(kms_rest_client).await?,
@ -148,7 +145,7 @@ async fn recover_policy(
key_id: Option<&str>,
key_file: Option<&PathBuf>,
unwrap: bool,
kms_rest_client: &KmsRestClient,
kms_rest_client: &KmsClient,
) -> Result<Policy, CliError> {
// Recover the KMIP Object
let object: Object = if let Some(key_id) = key_id {
@ -191,7 +188,7 @@ pub struct SpecsAction {
policy_specs_file: PathBuf,
}
impl SpecsAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Recover the policy
let policy = recover_policy(
self.key_id.as_deref(),
@ -202,7 +199,7 @@ impl SpecsAction {
.await?;
let specs: HashMap<String, Vec<String>> = policy.try_into()?;
// save the policy to the specifications file
write_json_object_to_file(&specs, &self.policy_specs_file)
Ok(write_json_object_to_file(&specs, &self.policy_specs_file)?)
}
}
@ -231,7 +228,7 @@ pub struct BinaryAction {
policy_binary_file: PathBuf,
}
impl BinaryAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Recover the policy
let policy = recover_policy(
self.key_id.as_deref(),
@ -241,7 +238,10 @@ impl BinaryAction {
)
.await?;
// save the policy to the binary file
write_json_object_to_file(&policy, &self.policy_binary_file)
Ok(write_json_object_to_file(
&policy,
&self.policy_binary_file,
)?)
}
}
@ -270,7 +270,7 @@ pub struct ViewAction {
detailed: bool,
}
impl ViewAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Recover the policy
let policy = recover_policy(
self.key_id.as_deref(),
@ -315,7 +315,7 @@ pub struct AddAttributeAction {
tags: Option<Vec<String>>,
}
impl AddAttributeAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.secret_key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {
@ -375,7 +375,7 @@ pub struct RenameAttributeAction {
tags: Option<Vec<String>>,
}
impl RenameAttributeAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.secret_key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {
@ -427,7 +427,7 @@ pub struct DisableAttributeAction {
tags: Option<Vec<String>>,
}
impl DisableAttributeAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.secret_key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {
@ -480,7 +480,7 @@ pub struct RemoveAttributeAction {
tags: Option<Vec<String>>,
}
impl RemoveAttributeAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.secret_key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

6
crate/cli/src/actions/elliptic_curves/decrypt.rs
View file

@ -2,11 +2,11 @@ use std::{fs::File, io::Write, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::generic::kmip_requests::build_decryption_request, KmsRestClient,
cosmian_kmip::crypto::generic::kmip_requests::build_decryption_request, read_bytes_from_file,
KmsClient,
};
use crate::{
actions::shared::utils::read_bytes_from_file,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -40,7 +40,7 @@ pub struct DecryptAction {
}
impl DecryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file to decrypt
let data = read_bytes_from_file(&self.input_file)
.with_context(|| "Cannot read bytes from the file to decrypt")?;

6
crate/cli/src/actions/elliptic_curves/encrypt.rs
View file

@ -2,11 +2,11 @@ use std::{fs::File, io::Write, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::generic::kmip_requests::build_encryption_request, KmsRestClient,
cosmian_kmip::crypto::generic::kmip_requests::build_encryption_request, read_bytes_from_file,
KmsClient,
};
use crate::{
actions::shared::utils::read_bytes_from_file,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -41,7 +41,7 @@ pub struct EncryptAction {
}
impl EncryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file to encrypt
let mut data = read_bytes_from_file(&self.input_file)
.with_context(|| "Cannot read bytes from the file to encrypt")?;

4
crate/cli/src/actions/elliptic_curves/keys/create_key_pair.rs
View file

@ -4,7 +4,7 @@ use cosmian_kms_client::{
crypto::elliptic_curves::kmip_requests::create_ec_key_pair_request,
kmip::kmip_types::RecommendedCurve,
},
KmsRestClient,
KmsClient,
};
use crate::error::{result::CliResultHelper, CliError};
@ -73,7 +73,7 @@ pub struct CreateKeyPairAction {
}
impl CreateKeyPairAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let create_key_pair_request = create_ec_key_pair_request(&self.tags, self.curve.into())?;
// Query the KMS with your kmip data and get the key pair ids

4
crate/cli/src/actions/elliptic_curves/keys/destroy_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::destroy, cli_bail, error::CliError};
@ -26,7 +26,7 @@ pub struct DestroyKeyAction {
}
impl DestroyKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

4
crate/cli/src/actions/elliptic_curves/keys/mod.rs
View file

@ -1,5 +1,5 @@
use clap::Subcommand;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use self::{
create_key_pair::CreateKeyPairAction, destroy_key::DestroyKeyAction,
@ -31,7 +31,7 @@ pub enum KeysCommands {
}
impl KeysCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Create(action) => action.run(kms_rest_client).await?,
Self::Export(action) => action.run(kms_rest_client).await?,

4
crate/cli/src/actions/elliptic_curves/keys/revoke_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::revoke, cli_bail, error::CliError};
@ -28,7 +28,7 @@ pub struct RevokeKeyAction {
}
impl RevokeKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

16
crate/cli/src/actions/elliptic_curves/mod.rs
View file

@ -1,17 +1,17 @@
#[cfg(not(feature = "fips"))]
mod decrypt;
#[cfg(not(feature = "fips"))]
mod encrypt;
mod keys;
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use self::keys::KeysCommands;
#[cfg(not(feature = "fips"))]
use self::{decrypt::DecryptAction, encrypt::EncryptAction};
use crate::error::CliError;
#[cfg(not(feature = "fips"))]
mod decrypt;
#[cfg(not(feature = "fips"))]
mod encrypt;
mod keys;
/// Manage elliptic curve keys. Encrypt and decrypt data using ECIES.
#[derive(Parser)]
pub enum EllipticCurveCommands {
@ -24,7 +24,7 @@ pub enum EllipticCurveCommands {
}
impl EllipticCurveCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Keys(command) => command.process(kms_rest_client).await?,
#[cfg(not(feature = "fips"))]

5
crate/cli/src/actions/login.rs
View file

@ -11,6 +11,7 @@ use actix_web::{
App, HttpResponse, HttpServer,
};
use clap::Parser;
use cosmian_kms_client::ClientConf;
use oauth2::{
basic::BasicClient, http, AuthUrl, ClientId, ClientSecret, CsrfToken, HttpRequest,
PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, Scope, TokenUrl,
@ -22,7 +23,7 @@ use reqwest::{
use serde::Deserialize;
use url::Url;
use crate::{cli_bail, config::CliConf, error::CliError};
use crate::{cli_bail, error::CliError};
/// Login to the Identity Provider of the KMS server using the `OAuth2` authorization code flow.
///
@ -43,7 +44,7 @@ pub struct LoginAction;
impl LoginAction {
pub async fn process(&self, conf_path: &PathBuf) -> Result<(), CliError> {
let mut conf = CliConf::load(conf_path)?;
let mut conf = ClientConf::load(conf_path)?;
let oauth2_conf = conf
.oauth2_conf
.as_ref()

5
crate/cli/src/actions/logout.rs
View file

@ -1,8 +1,9 @@
use std::path::PathBuf;
use clap::Parser;
use cosmian_kms_client::ClientConf;
use crate::{config::CliConf, error::CliError};
use crate::error::CliError;
/// Logout from the Identity Provider.
///
@ -13,7 +14,7 @@ pub struct LogoutAction;
impl LogoutAction {
pub async fn process(&self, conf_path: &PathBuf) -> Result<(), CliError> {
let mut conf = CliConf::load(conf_path)?;
let mut conf = ClientConf::load(conf_path)?;
conf.kms_access_token = None;
conf.save(conf_path)?;

4
crate/cli/src/actions/new_database.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::error::{result::CliResultHelper, CliError};
@ -19,7 +19,7 @@ use crate::error::{result::CliResultHelper, CliError};
pub struct NewDatabaseAction;
impl NewDatabaseAction {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Query the KMS to get a new database
let token = kms_rest_client
.new_database()

10
crate/cli/src/actions/rsa/decrypt.rs
View file

@ -2,14 +2,12 @@ use std::{fs::File, io::Write, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::generic::kmip_requests::build_decryption_request, KmsRestClient,
cosmian_kmip::crypto::generic::kmip_requests::build_decryption_request, read_bytes_from_file,
KmsClient,
};
use crate::{
actions::{
rsa::{EncryptionAlgorithm, HashFn},
shared::utils::read_bytes_from_file,
},
actions::rsa::{EncryptionAlgorithm, HashFn},
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -66,7 +64,7 @@ pub struct DecryptAction {
}
impl DecryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file to decrypt
let data = read_bytes_from_file(&self.input_file)
.with_context(|| "Cannot read bytes from the file to decrypt")?;

10
crate/cli/src/actions/rsa/encrypt.rs
View file

@ -2,14 +2,12 @@ use std::{fs::File, io::Write, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::generic::kmip_requests::build_encryption_request, KmsRestClient,
cosmian_kmip::crypto::generic::kmip_requests::build_encryption_request, read_bytes_from_file,
KmsClient,
};
use crate::{
actions::{
rsa::{EncryptionAlgorithm, HashFn},
shared::utils::read_bytes_from_file,
},
actions::rsa::{EncryptionAlgorithm, HashFn},
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -67,7 +65,7 @@ pub struct EncryptAction {
}
impl EncryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file to encrypt
let mut data = read_bytes_from_file(&self.input_file)
.with_context(|| "Cannot read bytes from the file to encrypt")?;

4
crate/cli/src/actions/rsa/keys/create_key_pair.rs
View file

@ -1,6 +1,6 @@
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::rsa::kmip_requests::create_rsa_key_pair_request, KmsRestClient,
cosmian_kmip::crypto::rsa::kmip_requests::create_rsa_key_pair_request, KmsClient,
};
use crate::error::{result::CliResultHelper, CliError};
@ -32,7 +32,7 @@ pub struct CreateKeyPairAction {
}
impl CreateKeyPairAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let create_key_pair_request = create_rsa_key_pair_request(&self.tags, self.key_size)?;
// Query the KMS with your kmip data and get the key pair ids

4
crate/cli/src/actions/rsa/keys/destroy_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::destroy, cli_bail, error::CliError};
@ -26,7 +26,7 @@ pub struct DestroyKeyAction {
}
impl DestroyKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

4
crate/cli/src/actions/rsa/keys/mod.rs
View file

@ -1,5 +1,5 @@
use clap::Subcommand;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use self::{
create_key_pair::CreateKeyPairAction, destroy_key::DestroyKeyAction,
@ -31,7 +31,7 @@ pub enum KeysCommands {
}
impl KeysCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Create(action) => action.run(kms_rest_client).await?,
Self::Export(action) => action.run(kms_rest_client).await?,

4
crate/cli/src/actions/rsa/keys/revoke_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::revoke, cli_bail, error::CliError};
@ -28,7 +28,7 @@ pub struct RevokeKeyAction {
}
impl RevokeKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

12
crate/cli/src/actions/rsa/mod.rs
View file

@ -1,16 +1,16 @@
mod decrypt;
mod encrypt;
mod keys;
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::kmip::kmip_types::{CryptographicAlgorithm, HashingAlgorithm},
KmsRestClient,
KmsClient,
};
use self::{decrypt::DecryptAction, encrypt::EncryptAction, keys::KeysCommands};
use crate::error::CliError;
mod decrypt;
mod encrypt;
mod keys;
/// Manage RSA keys.
#[derive(Parser)]
pub enum RsaCommands {
@ -21,7 +21,7 @@ pub enum RsaCommands {
}
impl RsaCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Keys(command) => command.process(kms_rest_client).await?,
Self::Encrypt(action) => action.run(kms_rest_client).await?,

14
crate/cli/src/actions/shared/export_key.rs
View file

@ -2,17 +2,11 @@ use std::path::PathBuf;
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::{kmip::kmip_types::KeyFormatType, result::KmipResultHelper},
KmsRestClient,
cosmian_kmip::kmip::kmip_types::KeyFormatType, der_to_pem, export_object, write_bytes_to_file,
write_kmip_object_to_file, ClientResultHelper, KmsClient,
};
use crate::{
actions::shared::utils::{
der_to_pem, export_object, write_bytes_to_file, write_kmip_object_to_file,
},
cli_bail,
error::CliError,
};
use crate::{cli_bail, error::CliError};
#[derive(clap::ValueEnum, Debug, Clone, PartialEq, Eq)]
pub enum ExportKeyFormat {
@ -112,7 +106,7 @@ pub struct ExportKeyAction {
impl ExportKeyAction {
/// Export a key from the KMS
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

33
crate/cli/src/actions/shared/get_attributes.rs
View file

@ -3,18 +3,15 @@ use std::{collections::HashMap, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::kmip::{
extra::{tagging::VENDOR_ATTR_TAG, VENDOR_ID_COSMIAN},
kmip_operations::{GetAttributes, GetAttributesResponse},
kmip_types::{
AttributeReference, LinkType, Tag, UniqueIdentifier, VendorAttributeReference,
},
kmip_types::{AttributeReference, LinkType, Tag, UniqueIdentifier},
},
KmsRestClient,
write_bytes_to_file, KmsClient,
};
use serde_json::Value;
use tracing::debug;
use crate::{actions::shared::utils::write_bytes_to_file, cli_bail, error::CliError};
use crate::{cli_bail, error::CliError};
#[derive(clap::ValueEnum, Debug, Clone, PartialEq, Eq, Hash)]
pub enum AttributeTag {
@ -54,7 +51,7 @@ const ALL_ATTRIBUTE_TAGS: [AttributeTag; 12] = [
#[derive(Parser, Debug)]
#[clap(verbatim_doc_comment)]
pub struct GetAttributesAction {
/// The key unique identifier of the cryptographic object.
/// The unique identifier of the cryptographic object.
/// If not specified, tags should be specified
#[clap(long = "id", short = 'i', group = "id-tags")]
id: Option<String>,
@ -81,13 +78,13 @@ pub struct GetAttributesAction {
}
impl GetAttributesAction {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.id {
key_id.clone()
} else if let Some(tags) = &self.tags {
serde_json::to_string(&tags)?
} else {
cli_bail!("Either --key-id or one or more --tag must be specified")
cli_bail!("Either --id or one or more --tag must be specified")
};
let mut references: Vec<AttributeReference> = Vec::with_capacity(self.attribute_tags.len());
@ -127,10 +124,7 @@ impl GetAttributesAction {
references.push(AttributeReference::Standard(Tag::Certificate));
}
AttributeTag::Tags => {
references.push(AttributeReference::Vendor(VendorAttributeReference {
vendor_identification: VENDOR_ID_COSMIAN.to_string(),
attribute_name: VENDOR_ATTR_TAG.to_string(),
}));
references.push(AttributeReference::tags_reference());
}
}
}
@ -244,14 +238,11 @@ impl GetAttributesAction {
}
}
AttributeTag::Tags => {
if let Some(v) =
attributes.get_vendor_attribute_value(VENDOR_ID_COSMIAN, VENDOR_ATTR_TAG)
{
results.insert(
"tags".to_string(),
serde_json::from_slice::<Value>(v).unwrap_or_default(),
);
}
let tags = attributes.get_tags();
results.insert(
"tags".to_string(),
serde_json::to_value(tags).unwrap_or_default(),
);
}
}
}

13
crate/cli/src/actions/shared/import_key.rs
View file

@ -9,17 +9,12 @@ use cosmian_kms_client::{
Attributes, CryptographicAlgorithm, KeyFormatType, LinkType, LinkedObjectIdentifier,
},
},
KmsRestClient,
import_object, objects_from_pem, read_bytes_from_file, read_object_from_json_ttlv_bytes,
KmsClient,
};
use zeroize::Zeroizing;
use super::utils::objects_from_pem;
use crate::{
actions::shared::utils::{
import_object, read_bytes_from_file, read_object_from_json_ttlv_bytes,
},
error::CliError,
};
use crate::error::CliError;
#[derive(clap::ValueEnum, Debug, Clone)]
pub enum ImportKeyFormat {
@ -108,7 +103,7 @@ pub struct ImportKeyAction {
}
impl ImportKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// read the key file
let bytes = Zeroizing::from(read_bytes_from_file(&self.key_file)?);
let object = match &self.key_format {

4
crate/cli/src/actions/shared/locate.rs
View file

@ -11,7 +11,7 @@ use cosmian_kms_client::{
Attributes, CryptographicAlgorithm, KeyFormatType, LinkType, LinkedObjectIdentifier,
},
},
KmsRestClient,
KmsClient,
};
use strum::IntoEnumIterator;
@ -76,7 +76,7 @@ pub struct LocateObjectsAction {
impl LocateObjectsAction {
/// Export a key from the KMS
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let mut attributes = Attributes::default();
if let Some(crypto_algo) = self.cryptographic_algorithm {

6
crate/cli/src/actions/shared/unwrap_key.rs
View file

@ -7,13 +7,11 @@ use cosmian_kms_client::{
crypto::{symmetric::create_symmetric_key_kmip_object, wrap::unwrap_key_block},
kmip::kmip_types::CryptographicAlgorithm,
},
export_object, read_object_from_json_ttlv_file, write_kmip_object_to_file, KmsClient,
KmsRestClient,
};
use crate::{
actions::shared::utils::{
export_object, read_object_from_json_ttlv_file, write_kmip_object_to_file,
},
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -70,7 +68,7 @@ pub struct UnwrapKeyAction {
impl UnwrapKeyAction {
/// Export a key from the KMS
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// read the key file
let mut object = read_object_from_json_ttlv_file(&self.key_file_in)?;

4
crate/cli/src/actions/shared/utils/destroy_utils.rs
View file

@ -1,6 +1,6 @@
use cosmian_kms_client::{
cosmian_kmip::kmip::{kmip_operations::Destroy, kmip_types::UniqueIdentifier},
KmsRestClient,
KmsClient,
};
use crate::{
@ -8,7 +8,7 @@ use crate::{
error::{result::CliResultHelper, CliError},
};
pub async fn destroy(kms_rest_client: &KmsRestClient, key_id: &str) -> Result<(), CliError> {
pub async fn destroy(kms_rest_client: &KmsClient, key_id: &str) -> Result<(), CliError> {
// Create the kmip query
let destroy_query = Destroy {
unique_identifier: Some(UniqueIdentifier::TextString(key_id.to_string())),

85
crate/cli/src/actions/shared/utils/export_utils.rs
View file

@ -1,85 +0,0 @@
use cosmian_kms_client::{
cosmian_kmip::kmip::{
kmip_data_structures::KeyWrappingSpecification,
kmip_objects::Object,
kmip_operations::{Export, Get},
kmip_types::{
Attributes, EncryptionKeyInformation, KeyFormatType, UniqueIdentifier, WrappingMethod,
},
},
KmsRestClient,
};
use crate::error::{result::CliResultHelper, CliError};
/// Export an Object from the KMS
///
/// # Arguments
/// * `kms_rest_client` - The KMS client connector
/// * `object_id` - The KMS object id
/// * `unwrap` - Unwrap the object if it is wrapped
/// * `wrapping_key_id` - The wrapping key id to wrap the key, may be the PKCS#12 password
/// * `allow_revoked` - Allow the export of a revoked object
///
/// `wrapping_key_id` is ignored if `unwrap` is true
///
/// # Returns
/// * The exported object and the Export attributes (None for Get)
///
/// # Errors
/// * If the KMS cannot be reached
/// * If the object cannot be exported
/// * If the object cannot be written to a file
pub async fn export_object(
kms_rest_client: &KmsRestClient,
object_id: &str,
unwrap: bool,
wrapping_key_id: Option<&str>,
allow_revoked: bool,
key_format_type: Option<KeyFormatType>,
) -> Result<(Object, Option<Attributes>), CliError> {
// If an unwrapping key is specified, generate the key (un)wrapping specification
let key_wrapping_specification: Option<KeyWrappingSpecification> = if unwrap {
None
} else {
wrapping_key_id.map(|id| KeyWrappingSpecification {
wrapping_method: WrappingMethod::Encrypt,
encryption_key_information: Some(EncryptionKeyInformation {
unique_identifier: UniqueIdentifier::TextString(id.to_string()),
cryptographic_parameters: None,
}),
..KeyWrappingSpecification::default()
})
};
let (object, object_type, attributes) = if allow_revoked {
//use the KMIP export function to get revoked objects
let export_response = kms_rest_client
.export(Export::new(
object_id,
unwrap,
key_wrapping_specification,
key_format_type,
))
.await
.with_context(|| "Export")?;
(
export_response.object,
export_response.object_type,
Some(export_response.attributes),
)
} else {
// Query the KMS with your kmip data and get the key pair ids
let get_response = kms_rest_client
.get(Get::new(
UniqueIdentifier::TextString(object_id.to_string()),
unwrap,
key_wrapping_specification,
key_format_type,
))
.await
.with_context(|| "Get")?;
(get_response.object, get_response.object_type, None)
};
// Return the object after post fixing the object type
Ok((Object::post_fix(object_type, object), attributes))
}

15
crate/cli/src/actions/shared/utils/mod.rs
View file

@ -1,14 +1,5 @@
mod destroy_utils;
mod encodings;
mod export_utils;
#[allow(dead_code)]
mod file_utils;
mod import_utils;
mod revoke_utils;
pub(crate) use destroy_utils::destroy;
pub(crate) use encodings::{der_to_pem, objects_from_pem};
pub(crate) use export_utils::export_object;
pub(crate) use file_utils::*;
pub(crate) use import_utils::import_object;
pub(crate) use revoke_utils::revoke;
mod destroy_utils;
mod revoke_utils;

4
crate/cli/src/actions/shared/utils/revoke_utils.rs
View file

@ -3,7 +3,7 @@ use cosmian_kms_client::{
crypto::generic::kmip_requests::build_revoke_key_request,
kmip::kmip_types::RevocationReason,
},
KmsRestClient,
KmsClient,
};
use crate::{
@ -12,7 +12,7 @@ use crate::{
};
pub async fn revoke(
kms_rest_client: &KmsRestClient,
kms_rest_client: &KmsClient,
key_id: &str,
revocation_reason: &str,
) -> Result<(), CliError> {

8
crate/cli/src/actions/shared/wrap_key.rs
View file

@ -12,14 +12,12 @@ use cosmian_kms_client::{
kmip_data_structures::KeyWrappingSpecification, kmip_types::CryptographicAlgorithm,
},
},
export_object, read_object_from_json_ttlv_file, write_kmip_object_to_file, KmsClient,
KmsRestClient,
};
use crate::{
actions::shared::{
utils::{export_object, read_object_from_json_ttlv_file, write_kmip_object_to_file},
SYMMETRIC_WRAPPING_KEY_SIZE,
},
actions::shared::SYMMETRIC_WRAPPING_KEY_SIZE,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -65,7 +63,7 @@ pub struct WrapKeyAction {
}
impl WrapKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// read the key file
let mut object = read_object_from_json_ttlv_file(&self.key_file_in)?;

6
crate/cli/src/actions/symmetric/decrypt.rs
View file

@ -2,11 +2,11 @@ use std::{fs::File, io::Write, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::generic::kmip_requests::build_decryption_request, KmsRestClient,
cosmian_kmip::crypto::generic::kmip_requests::build_decryption_request, read_bytes_from_file,
KmsClient,
};
use crate::{
actions::shared::utils::read_bytes_from_file,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -46,7 +46,7 @@ pub struct DecryptAction {
}
impl DecryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file to decrypt
let mut data = read_bytes_from_file(&self.input_file)
.with_context(|| "Cannot read bytes from the file to decrypt")?;

6
crate/cli/src/actions/symmetric/encrypt.rs
View file

@ -2,11 +2,11 @@ use std::{fs::File, io::prelude::*, path::PathBuf};
use clap::Parser;
use cosmian_kms_client::{
cosmian_kmip::crypto::generic::kmip_requests::build_encryption_request, KmsRestClient,
cosmian_kmip::crypto::generic::kmip_requests::build_encryption_request, read_bytes_from_file,
KmsClient,
};
use crate::{
actions::shared::utils::read_bytes_from_file,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -47,7 +47,7 @@ pub struct EncryptAction {
}
impl EncryptAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
// Read the file to encrypt
let data = read_bytes_from_file(&self.input_file)
.with_context(|| "Cannot read bytes from the file to encrypt")?;

5
crate/cli/src/actions/symmetric/keys/create_key.rs
View file

@ -5,11 +5,10 @@ use cosmian_kms_client::{
crypto::symmetric::{create_symmetric_key_kmip_object, symmetric_key_create_request},
kmip::kmip_types::CryptographicAlgorithm,
},
KmsRestClient,
import_object, KmsClient,
};
use crate::{
actions::shared::utils::import_object,
cli_bail,
error::{result::CliResultHelper, CliError},
};
@ -63,7 +62,7 @@ pub struct CreateKeyAction {
}
impl CreateKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let mut key_bytes = None;
let number_of_bits = if let Some(key_b64) = &self.wrap_key_b64 {
let bytes = general_purpose::STANDARD

4
crate/cli/src/actions/symmetric/keys/destroy_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::destroy, cli_bail, error::CliError};
@ -23,7 +23,7 @@ pub struct DestroyKeyAction {
}
impl DestroyKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

4
crate/cli/src/actions/symmetric/keys/mod.rs
View file

@ -1,5 +1,5 @@
use clap::Subcommand;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use self::{
create_key::CreateKeyAction, destroy_key::DestroyKeyAction, revoke_key::RevokeKeyAction,
@ -30,7 +30,7 @@ pub enum KeysCommands {
}
impl KeysCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Create(action) => action.run(kms_rest_client).await?,
Self::Export(action) => action.run(kms_rest_client).await?,

4
crate/cli/src/actions/symmetric/keys/revoke_key.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::{actions::shared::utils::revoke, cli_bail, error::CliError};
@ -25,7 +25,7 @@ pub struct RevokeKeyAction {
}
impl RevokeKeyAction {
pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn run(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let id = if let Some(key_id) = &self.key_id {
key_id.clone()
} else if let Some(tags) = &self.tags {

12
crate/cli/src/actions/symmetric/mod.rs
View file

@ -1,13 +1,13 @@
mod decrypt;
mod encrypt;
mod keys;
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use self::{decrypt::DecryptAction, encrypt::EncryptAction, keys::KeysCommands};
use crate::error::CliError;
mod decrypt;
mod encrypt;
mod keys;
/// Manage symmetric keys. Encrypt and decrypt data.
#[derive(Parser)]
pub enum SymmetricCommands {
@ -18,7 +18,7 @@ pub enum SymmetricCommands {
}
impl SymmetricCommands {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
match self {
Self::Keys(command) => command.process(kms_rest_client).await?,
Self::Encrypt(action) => action.run(kms_rest_client).await?,

4
crate/cli/src/actions/version.rs
View file

@ -1,5 +1,5 @@
use clap::Parser;
use cosmian_kms_client::KmsRestClient;
use cosmian_kms_client::KmsClient;
use crate::error::{result::CliResultHelper, CliError};
@ -9,7 +9,7 @@ use crate::error::{result::CliResultHelper, CliError};
pub struct ServerVersionAction;
impl ServerVersionAction {
pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
pub async fn process(&self, kms_rest_client: &KmsClient) -> Result<(), CliError> {
let version = kms_rest_client
.version()
.await

32
crate/cli/src/error/mod.rs
View file

@ -4,10 +4,10 @@ use std::{array::TryFromSliceError, str::Utf8Error};
use assert_cmd::cargo::CargoError;
use cosmian_kms_client::{
cosmian_kmip::{
error::KmipError,
kmip::{kmip_operations::ErrorReason, ttlv::error::TtlvError},
KmipError,
},
RestClientError,
ClientError,
};
use pem::PemError;
use thiserror::Error;
@ -84,12 +84,6 @@ impl CliError {
}
}
impl From<&KmipError> for CliError {
fn from(e: &KmipError) -> Self {
Self::KmipError(ErrorReason::Invalid_Attribute, e.to_string())
}
}
impl From<TtlvError> for CliError {
fn from(e: TtlvError) -> Self {
Self::KmipError(ErrorReason::Codec_Error, e.to_string())
@ -102,18 +96,18 @@ impl From<der::Error> for CliError {
}
}
impl From<cloudproof::reexport::crypto_core::CryptoCoreError> for CliError {
fn from(e: cloudproof::reexport::crypto_core::CryptoCoreError) -> Self {
Self::Cryptographic(e.to_string())
}
}
impl From<cloudproof::reexport::crypto_core::reexport::pkcs8::Error> for CliError {
fn from(e: cloudproof::reexport::crypto_core::reexport::pkcs8::Error) -> Self {
Self::Conversion(e.to_string())
}
}
impl From<cloudproof::reexport::cover_crypt::Error> for CliError {
fn from(e: cloudproof::reexport::cover_crypt::Error) -> Self {
Self::InvalidRequest(e.to_string())
}
}
impl From<TryFromSliceError> for CliError {
fn from(e: TryFromSliceError) -> Self {
Self::Conversion(e.to_string())
@ -132,12 +126,6 @@ impl From<serde_json::Error> for CliError {
}
}
impl From<cloudproof::reexport::cover_crypt::Error> for CliError {
fn from(e: cloudproof::reexport::cover_crypt::Error) -> Self {
Self::InvalidRequest(e.to_string())
}
}
impl From<Utf8Error> for CliError {
fn from(e: Utf8Error) -> Self {
Self::Default(e.to_string())
@ -188,8 +176,8 @@ impl From<base64::DecodeError> for CliError {
}
}
impl From<RestClientError> for CliError {
fn from(e: RestClientError) -> Self {
impl From<ClientError> for CliError {
fn from(e: ClientError) -> Self {
Self::KmsClientError(e.to_string())
}
}

8
crate/cli/src/error/result.rs
View file

@ -37,6 +37,10 @@ where
}
impl<T> CliResultHelper<T> for Option<T> {
fn reason(self, reason: ErrorReason) -> CliResult<T> {
self.ok_or_else(|| CliError::Default(reason.to_string()))
}
fn context(self, context: &str) -> CliResult<T> {
self.ok_or_else(|| CliError::Default(context.to_string()))
}
@ -48,8 +52,4 @@ impl<T> CliResultHelper<T> for Option<T> {
{
self.ok_or_else(|| CliError::Default(format!("{}", op())))
}
fn reason(self, reason: ErrorReason) -> CliResult<T> {
self.ok_or_else(|| CliError::Default(reason.to_string()))
}
}

1
crate/cli/src/lib.rs
View file

@ -1,5 +1,4 @@
pub mod actions;
pub mod config;
pub mod error;
#[cfg(test)]

6
crate/cli/src/main.rs
View file

@ -17,9 +17,9 @@ use cosmian_kms_cli::{
symmetric::SymmetricCommands,
version::ServerVersionAction,
},
config::CliConf,
error::CliError,
};
use cosmian_kms_client::ClientConf;
#[derive(Parser)]
#[command(author, version, about, long_about = None)]
@ -90,13 +90,13 @@ async fn main_() -> Result<(), CliError> {
return Ok(())
}
let conf_path = CliConf::location(opts.conf)?;
let conf_path = ClientConf::location(opts.conf)?;
match opts.command {
CliCommands::Login(action) => action.process(&conf_path).await?,
CliCommands::Logout(action) => action.process(&conf_path).await?,
command => {
let conf = CliConf::load(&conf_path)?;
let conf = ClientConf::load(&conf_path)?;
let kms_rest_client = conf.initialize_kms_client()?;
match command {

198
crate/cli/src/tests/access.rs
View file

@ -1,15 +1,15 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use super::{symmetric::create_key::create_symmetric_key, utils::recover_cmd_logs};
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
shared::{destroy, export_key, revoke},
symmetric::encrypt_decrypt::run_encrypt_decrypt_test,
utils::{start_default_test_kms_server, ONCE},
PROG_NAME,
},
};
@ -123,12 +123,12 @@ fn list_accesses_rights_obtained(cli_conf_path: &str) -> Result<String, CliError
#[tokio::test]
pub async fn test_ownership_and_grant() -> Result<(), CliError> {
// the client conf will use the owner cert
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
// the owner should have access
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -139,12 +139,12 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
)?;
// the owner can encrypt and decrypt
run_encrypt_decrypt_test(&ctx.owner_cli_conf_path, &key_id)?;
run_encrypt_decrypt_test(&ctx.owner_client_conf_path, &key_id)?;
// the user should not be able to export
assert!(
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -156,22 +156,22 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
.is_err()
);
// the user should not be able to encrypt or decrypt
assert!(run_encrypt_decrypt_test(&ctx.user_cli_conf_path, &key_id).is_err());
assert!(run_encrypt_decrypt_test(&ctx.user_client_conf_path, &key_id).is_err());
// the user should not be able to revoke the key
assert!(revoke(&ctx.user_cli_conf_path, "sym", &key_id, "failed revoke").is_err());
assert!(revoke(&ctx.user_client_conf_path, "sym", &key_id, "failed revoke").is_err());
// the user should not be able to destroy the key
assert!(destroy(&ctx.user_cli_conf_path, "sym", &key_id).is_err());
assert!(destroy(&ctx.user_client_conf_path, "sym", &key_id).is_err());
// switch back to owner
// grant encrypt and decrypt access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["encrypt"],
)?;
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["decrypt"],
@ -181,7 +181,7 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
// the user should still not be able to export
assert!(
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -194,16 +194,16 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
);
// the user should now be able to encrypt or decrypt
run_encrypt_decrypt_test(&ctx.user_cli_conf_path, &key_id)?;
run_encrypt_decrypt_test(&ctx.user_client_conf_path, &key_id)?;
// the user should still not be able to revoke the key
assert!(revoke(&ctx.user_cli_conf_path, "sym", &key_id, "failed revoke").is_err());
assert!(revoke(&ctx.user_client_conf_path, "sym", &key_id, "failed revoke").is_err());
// the user should still not be able to destroy the key
assert!(destroy(&ctx.user_cli_conf_path, "sym", &key_id).is_err());
assert!(destroy(&ctx.user_client_conf_path, "sym", &key_id).is_err());
// switch back to owner
// grant encrypt and decrypt access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get"],
@ -212,7 +212,7 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
// switch to user
// the user should now be able to export
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -222,14 +222,14 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
false,
)?;
// the user should still not be able to revoke the key
assert!(revoke(&ctx.user_cli_conf_path, "sym", &key_id, "failed revoke").is_err());
assert!(revoke(&ctx.user_client_conf_path, "sym", &key_id, "failed revoke").is_err());
// the user should still not be able to destroy the key
assert!(destroy(&ctx.user_cli_conf_path, "sym", &key_id).is_err());
assert!(destroy(&ctx.user_client_conf_path, "sym", &key_id).is_err());
// switch back to owner
// grant revoke access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["revoke"],
@ -237,12 +237,12 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
// switch to user
// the user should now be able to revoke the key
revoke(&ctx.user_cli_conf_path, "sym", &key_id, "user revoke")?;
revoke(&ctx.user_client_conf_path, "sym", &key_id, "user revoke")?;
// switch back to owner
// grant destroy access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["destroy"],
@ -250,20 +250,20 @@ pub async fn test_ownership_and_grant() -> Result<(), CliError> {
// switch to user
// destroy the key
destroy(&ctx.user_cli_conf_path, "sym", &key_id)?;
destroy(&ctx.user_client_conf_path, "sym", &key_id)?;
Ok(())
}
#[tokio::test]
pub async fn test_grant_error() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
// bad operation
assert!(
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["BAD_OP"],
@ -274,7 +274,7 @@ pub async fn test_grant_error() -> Result<(), CliError> {
// bad object ID
assert!(
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"BAD ID",
"user.client@acme.com",
&["get"]
@ -285,7 +285,7 @@ pub async fn test_grant_error() -> Result<(), CliError> {
// grant to my self
assert!(
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"owner.client@acme.com",
&["get"]
@ -299,13 +299,13 @@ pub async fn test_grant_error() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_revoke_access() -> Result<(), CliError> {
// the client conf will use the owner cert
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
/* // the user should not be able to export
assert!(
export(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -320,7 +320,7 @@ pub async fn test_revoke_access() -> Result<(), CliError> {
// switch back to owner
// grant encrypt and decrypt access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get"],
@ -329,7 +329,7 @@ pub async fn test_revoke_access() -> Result<(), CliError> {
// switch to user
// the user should now be able to export
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -342,7 +342,7 @@ pub async fn test_revoke_access() -> Result<(), CliError> {
// switch back to owner
// revoke access to user
revoke_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get"],
@ -351,7 +351,7 @@ pub async fn test_revoke_access() -> Result<(), CliError> {
// the user should not be able to export anymore
assert!(
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -367,7 +367,7 @@ pub async fn test_revoke_access() -> Result<(), CliError> {
// switch back to owner
assert!(
revoke_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["BAD"]
@ -376,7 +376,7 @@ pub async fn test_revoke_access() -> Result<(), CliError> {
);
assert!(
revoke_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"BAD KEY",
"user.client@acme.com",
&["get"]
@ -385,72 +385,72 @@ pub async fn test_revoke_access() -> Result<(), CliError> {
);
// this will not error
revoke_access(&ctx.owner_cli_conf_path, &key_id, "BAD USER", &["get"])?;
revoke_access(&ctx.owner_client_conf_path, &key_id, "BAD USER", &["get"])?;
Ok(())
}
#[tokio::test]
pub async fn test_list_access_rights() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
// grant encrypt and decrypt access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get"],
)?;
// the owner can list access rights granted
let owner_list = list_access(&ctx.owner_cli_conf_path, &key_id)?;
let owner_list = list_access(&ctx.owner_client_conf_path, &key_id)?;
print!("owner list {owner_list}");
assert!(owner_list.contains("user.client@acme.com: {get}"));
// The user is not the owner and thus should not be able to list accesses on this object
assert!(list_access(&ctx.user_cli_conf_path, &key_id).is_err());
assert!(list_access(&ctx.user_client_conf_path, &key_id).is_err());
Ok(())
}
#[tokio::test]
pub async fn test_list_access_rights_error() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
assert!(list_access(&ctx.user_cli_conf_path, "BAD KEY").is_err());
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
assert!(list_access(&ctx.user_client_conf_path, "BAD KEY").is_err());
Ok(())
}
#[tokio::test]
pub async fn test_list_owned_objects() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
// grant encrypt and decrypt access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get"],
)?;
// the owner should have the object in the list
let owner_list = list_owned_objects(&ctx.owner_cli_conf_path)?;
let owner_list = list_owned_objects(&ctx.owner_client_conf_path)?;
assert!(owner_list.contains(&key_id));
// The user is not the owner and thus should not have the object in the list
let user_list = list_owned_objects(&ctx.user_cli_conf_path)?;
let user_list = list_owned_objects(&ctx.user_client_conf_path)?;
assert!(!user_list.contains(&key_id));
// create a key using the user
let user_key_id = gen_key(&ctx.user_cli_conf_path)?;
let user_key_id = gen_key(&ctx.user_client_conf_path)?;
// the user should have the object in the list
let user_list = list_owned_objects(&ctx.user_cli_conf_path)?;
let user_list = list_owned_objects(&ctx.user_client_conf_path)?;
assert!(user_list.contains(&user_key_id));
// The 'owner' is not the owner of this object and thus should not have the object in the list
let owner_list = list_owned_objects(&ctx.owner_cli_conf_path)?;
let owner_list = list_owned_objects(&ctx.owner_client_conf_path)?;
assert!(!owner_list.contains(&user_key_id));
// ... but the list should still contain the other key
assert!(owner_list.contains(&key_id));
@ -460,32 +460,32 @@ pub async fn test_list_owned_objects() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_access_right_obtained() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
let list = list_accesses_rights_obtained(&ctx.owner_cli_conf_path)?;
let list = list_accesses_rights_obtained(&ctx.owner_client_conf_path)?;
assert!(!list.contains(&key_id));
// grant get access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get"],
)?;
// the user should have the "get" access granted
let list = list_accesses_rights_obtained(&ctx.user_cli_conf_path)?;
let list = list_accesses_rights_obtained(&ctx.user_client_conf_path)?;
println!("user list {list}");
assert!(list.contains(&key_id));
assert!(list.contains("get"));
// the owner has not been granted access rights on this object (it owns it)
let list = list_accesses_rights_obtained(&ctx.owner_cli_conf_path)?;
let list = list_accesses_rights_obtained(&ctx.owner_client_conf_path)?;
assert!(!list.contains(&key_id));
// the owner should have the object in the list
let owner_list = list_accesses_rights_obtained(&ctx.owner_cli_conf_path)?;
let owner_list = list_accesses_rights_obtained(&ctx.owner_client_conf_path)?;
assert!(!owner_list.contains(&key_id));
Ok(())
@ -494,12 +494,12 @@ pub async fn test_access_right_obtained() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_ownership_and_grant_wildcard_user() -> Result<(), CliError> {
// the client conf will use the owner cert
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
// the owner should have access
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -510,12 +510,12 @@ pub async fn test_ownership_and_grant_wildcard_user() -> Result<(), CliError> {
)?;
// the owner can encrypt and decrypt
run_encrypt_decrypt_test(&ctx.owner_cli_conf_path, &key_id)?;
run_encrypt_decrypt_test(&ctx.owner_client_conf_path, &key_id)?;
// the user should not be able to export
assert!(
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -527,22 +527,22 @@ pub async fn test_ownership_and_grant_wildcard_user() -> Result<(), CliError> {
.is_err()
);
// the user should not be able to encrypt or decrypt
assert!(run_encrypt_decrypt_test(&ctx.user_cli_conf_path, &key_id).is_err());
assert!(run_encrypt_decrypt_test(&ctx.user_client_conf_path, &key_id).is_err());
// the user should not be able to revoke the key
assert!(revoke(&ctx.user_cli_conf_path, "sym", &key_id, "failed revoke").is_err());
assert!(revoke(&ctx.user_client_conf_path, "sym", &key_id, "failed revoke").is_err());
// the user should not be able to destroy the key
assert!(destroy(&ctx.user_cli_conf_path, "sym", &key_id).is_err());
assert!(destroy(&ctx.user_client_conf_path, "sym", &key_id).is_err());
// switch back to owner
// grant encrypt and decrypt access to user
grant_access(&ctx.owner_cli_conf_path, &key_id, "*", &["encrypt"])?;
grant_access(&ctx.owner_cli_conf_path, &key_id, "*", &["decrypt"])?;
grant_access(&ctx.owner_client_conf_path, &key_id, "*", &["encrypt"])?;
grant_access(&ctx.owner_client_conf_path, &key_id, "*", &["decrypt"])?;
// switch to user
// the user should still not be able to export
assert!(
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -555,20 +555,20 @@ pub async fn test_ownership_and_grant_wildcard_user() -> Result<(), CliError> {
);
// the user should now be able to encrypt or decrypt
run_encrypt_decrypt_test(&ctx.user_cli_conf_path, &key_id)?;
run_encrypt_decrypt_test(&ctx.user_client_conf_path, &key_id)?;
// the user should still not be able to revoke the key
assert!(revoke(&ctx.user_cli_conf_path, "sym", &key_id, "failed revoke").is_err());
assert!(revoke(&ctx.user_client_conf_path, "sym", &key_id, "failed revoke").is_err());
// the user should still not be able to destroy the key
assert!(destroy(&ctx.user_cli_conf_path, "sym", &key_id).is_err());
assert!(destroy(&ctx.user_client_conf_path, "sym", &key_id).is_err());
// switch back to owner
// grant encrypt and decrypt access to user
grant_access(&ctx.owner_cli_conf_path, &key_id, "*", &["get"])?;
grant_access(&ctx.owner_client_conf_path, &key_id, "*", &["get"])?;
// switch to user
// the user should now be able to export
export_key(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
"sym",
&key_id,
"/tmp/output.json",
@ -578,25 +578,25 @@ pub async fn test_ownership_and_grant_wildcard_user() -> Result<(), CliError> {
false,
)?;
// the user should still not be able to revoke the key
assert!(revoke(&ctx.user_cli_conf_path, "sym", &key_id, "failed revoke").is_err());
assert!(revoke(&ctx.user_client_conf_path, "sym", &key_id, "failed revoke").is_err());
// the user should still not be able to destroy the key
assert!(destroy(&ctx.user_cli_conf_path, "sym", &key_id).is_err());
assert!(destroy(&ctx.user_client_conf_path, "sym", &key_id).is_err());
// switch back to owner
// grant revoke access to user
grant_access(&ctx.owner_cli_conf_path, &key_id, "*", &["revoke"])?;
grant_access(&ctx.owner_client_conf_path, &key_id, "*", &["revoke"])?;
// switch to user
// the user should now be able to revoke the key
revoke(&ctx.user_cli_conf_path, "sym", &key_id, "user revoke")?;
revoke(&ctx.user_client_conf_path, "sym", &key_id, "user revoke")?;
// switch back to owner
// grant destroy access to user
grant_access(&ctx.owner_cli_conf_path, &key_id, "*", &["destroy"])?;
grant_access(&ctx.owner_client_conf_path, &key_id, "*", &["destroy"])?;
// switch to user
// destroy the key
destroy(&ctx.user_cli_conf_path, "sym", &key_id)?;
destroy(&ctx.user_client_conf_path, "sym", &key_id)?;
Ok(())
}
@ -604,37 +604,37 @@ pub async fn test_ownership_and_grant_wildcard_user() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_access_right_obtained_using_wildcard() -> Result<(), CliError> {
// std::env::set_var("RUST_LOG", "cosmian_kms_server=debug");
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
// the owner should not have access rights (it owns it)
let list = list_accesses_rights_obtained(&ctx.owner_cli_conf_path)?;
let list = list_accesses_rights_obtained(&ctx.owner_client_conf_path)?;
assert!(!list.contains(&key_id));
// grant get access to the wildcard user
grant_access(&ctx.owner_cli_conf_path, &key_id, "*", &["get"])?;
grant_access(&ctx.owner_client_conf_path, &key_id, "*", &["get"])?;
// grant encrypt access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["encrypt"],
)?;
// the user should have the "get" access granted
let list = list_accesses_rights_obtained(&ctx.user_cli_conf_path)?;
let list = list_accesses_rights_obtained(&ctx.user_client_conf_path)?;
println!("user list {list}");
assert!(list.contains(&key_id));
assert!(list.contains("get"));
assert!(list.contains("encrypt"));
// the owner has not been granted access rights on this object (it owns it)
let list = list_accesses_rights_obtained(&ctx.owner_cli_conf_path)?;
let list = list_accesses_rights_obtained(&ctx.owner_client_conf_path)?;
assert!(!list.contains(&key_id));
// the owner should have the object in the list
let owner_list = list_accesses_rights_obtained(&ctx.owner_cli_conf_path)?;
let owner_list = list_accesses_rights_obtained(&ctx.owner_client_conf_path)?;
assert!(!owner_list.contains(&key_id));
Ok(())
@ -642,40 +642,40 @@ pub async fn test_access_right_obtained_using_wildcard() -> Result<(), CliError>
#[tokio::test]
pub async fn test_grant_multiple_operations() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let key_id = gen_key(&ctx.owner_cli_conf_path)?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let key_id = gen_key(&ctx.owner_client_conf_path)?;
// grant multiple access to user
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get", "revoke", "create", "create"], // double `create` will be dedupe
)?;
// the owner can list access rights granted
let owner_list = list_access(&ctx.owner_cli_conf_path, &key_id)?;
let owner_list = list_access(&ctx.owner_client_conf_path, &key_id)?;
assert!(owner_list.contains("user.client@acme.com: {create, get, revoke}"));
// revoke multiple access to user
revoke_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get", "revoke", "get"], // double `get` will be dedupe
)?;
let owner_list = list_access(&ctx.owner_cli_conf_path, &key_id)?;
let owner_list = list_access(&ctx.owner_client_conf_path, &key_id)?;
assert!(owner_list.contains("user.client@acme.com: {create}"));
// revoke same, nothing changed
revoke_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&key_id,
"user.client@acme.com",
&["get", "revoke", "get"], // double `get` will be dedupe
)?;
let owner_list = list_access(&ctx.owner_cli_conf_path, &key_id)?;
let owner_list = list_access(&ctx.owner_client_conf_path, &key_id)?;
assert!(owner_list.contains("user.client@acme.com: {create}"));
Ok(())

33
crate/cli/src/tests/auth_tests.rs
View file

@ -1,17 +1,18 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::start_test_server_with_options;
use super::utils::recover_cmd_logs;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{access::SUB_COMMAND, utils::start_test_server_with_options, PROG_NAME},
tests::{access::SUB_COMMAND, PROG_NAME},
};
fn run_cli_command(owner_cli_conf_path: &str) {
fn run_cli_command(owner_client_conf_path: &str) {
let mut cmd = Command::cargo_bin(PROG_NAME).expect(" cargo bin failed");
cmd.env(KMS_CLI_CONF_ENV, owner_cli_conf_path);
cmd.env(KMS_CLI_CONF_ENV, owner_client_conf_path);
cmd.env("RUST_LOG", "cosmian_kms_cli=info");
cmd.arg(SUB_COMMAND).args(vec!["owned"]);
recover_cmd_logs(&mut cmd);
@ -23,24 +24,24 @@ pub async fn test_all_authentications() -> Result<(), CliError> {
// let us not make other test cases fail
const PORT: u16 = 9999;
// plaintext no auth
let ctx = start_test_server_with_options(PORT, false, false, false).await;
run_cli_command(&ctx.owner_cli_conf_path);
ctx.stop_server().await;
let ctx = start_test_server_with_options(PORT, false, false, false).await?;
run_cli_command(&ctx.owner_client_conf_path);
ctx.stop_server().await?;
// plaintext token auth
let ctx = start_test_server_with_options(PORT, true, false, false).await;
run_cli_command(&ctx.owner_cli_conf_path);
ctx.stop_server().await;
let ctx = start_test_server_with_options(PORT, true, false, false).await?;
run_cli_command(&ctx.owner_client_conf_path);
ctx.stop_server().await?;
// tls token auth
let ctx = start_test_server_with_options(PORT, true, true, false).await;
run_cli_command(&ctx.owner_cli_conf_path);
ctx.stop_server().await;
let ctx = start_test_server_with_options(PORT, true, true, false).await?;
run_cli_command(&ctx.owner_client_conf_path);
ctx.stop_server().await?;
// tls client cert auth
let ctx = start_test_server_with_options(PORT, false, true, true).await;
run_cli_command(&ctx.owner_cli_conf_path);
ctx.stop_server().await;
let ctx = start_test_server_with_options(PORT, false, true, true).await?;
run_cli_command(&ctx.owner_client_conf_path);
ctx.stop_server().await?;
Ok(())
}

58
crate/cli/src/tests/certificates/certify.rs
View file

@ -1,11 +1,15 @@
use std::{path::PathBuf, process::Command};
use assert_cmd::cargo::CommandCargoExt;
use cosmian_kms_client::cosmian_kmip::kmip::{
kmip_objects::Object,
kmip_types::{Attributes, LinkType},
ttlv::{deserializer::from_ttlv, TTLV},
use cosmian_kms_client::{
cosmian_kmip::kmip::{
kmip_objects::Object,
kmip_types::{Attributes, LinkType},
ttlv::{deserializer::from_ttlv, TTLV},
},
read_from_json_file, read_object_from_json_ttlv_file, KMS_CLI_CONF_ENV,
};
use kms_test_server::{start_default_test_kms_server, ONCE};
use openssl::{nid::Nid, x509::X509};
use tempfile::TempDir;
use uuid::Uuid;
@ -14,15 +18,11 @@ use x509_parser::{der_parser::oid, prelude::*};
#[cfg(not(feature = "fips"))]
use crate::tests::{elliptic_curve::create_key_pair::create_ec_key_pair, shared::export_key};
use crate::{
actions::{
certificates::{CertificateExportFormat, CertificateInputFormat},
shared::utils::{read_from_json_file, read_object_from_json_ttlv_file},
},
config::KMS_CLI_CONF_ENV,
actions::certificates::{CertificateExportFormat, CertificateInputFormat},
error::CliError,
tests::{
certificates::{export::export_certificate, import::import_certificate},
utils::{extract_uids::extract_uid, recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::{extract_uids::extract_uid, recover_cmd_logs},
PROG_NAME,
},
};
@ -106,11 +106,11 @@ async fn test_certify_a_csr() -> Result<(), CliError> {
let tmp_path = tmp_dir.path();
// log_init("cosmian_kms_server=debug");
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// import Root CA
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/ca.crt",
CertificateInputFormat::Pem,
@ -125,7 +125,7 @@ async fn test_certify_a_csr() -> Result<(), CliError> {
// import Intermediate p12
let issuer_private_key_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/intermediate.p12",
CertificateInputFormat::Pkcs12,
@ -140,7 +140,7 @@ async fn test_certify_a_csr() -> Result<(), CliError> {
// Certify the CSR with the intermediate CA
let certificate_id = certify(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some("test_data/certificates/csr/leaf.csr".to_owned()),
None,
None,
@ -155,7 +155,7 @@ async fn test_certify_a_csr() -> Result<(), CliError> {
// export the certificate
let exported_cert_file = tmp_path.join("exported_cert.json");
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&certificate_id,
exported_cert_file.to_str().unwrap(),
Some(CertificateExportFormat::JsonTtlv),
@ -192,7 +192,7 @@ async fn test_certify_a_csr() -> Result<(), CliError> {
// export the intermediate certificate
let exported_intermediate_cert_file = tmp_path.join("exported_intermediate_cert.json");
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&certificate_link,
exported_intermediate_cert_file.to_str().unwrap(),
Some(CertificateExportFormat::Pem),
@ -214,11 +214,11 @@ async fn test_certify_a_csr_with_extensions() -> Result<(), CliError> {
let tmp_path = tmp_dir.path();
// log_init("cosmian_kms_server=debug");
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// import Root CA
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/ca.crt",
CertificateInputFormat::Pem,
@ -233,7 +233,7 @@ async fn test_certify_a_csr_with_extensions() -> Result<(), CliError> {
// import Intermediate p12
let issuer_private_key_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/intermediate.p12",
CertificateInputFormat::Pkcs12,
@ -248,7 +248,7 @@ async fn test_certify_a_csr_with_extensions() -> Result<(), CliError> {
// Certify the CSR with the intermediate CA
let certificate_id = certify(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some("test_data/certificates/csr/leaf.csr".to_owned()),
None,
None,
@ -263,7 +263,7 @@ async fn test_certify_a_csr_with_extensions() -> Result<(), CliError> {
// export the certificate
let exported_cert_file = tmp_path.join("exported_cert.json");
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&certificate_id,
exported_cert_file.to_str().unwrap(),
Some(CertificateExportFormat::JsonTtlv),
@ -375,11 +375,11 @@ async fn test_certify_a_csr_with_extensions() -> Result<(), CliError> {
async fn certify_a_public_key_test() -> Result<(), CliError> {
// log_init("cosmian_kms_server=debug");
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// import Root CA
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/ca.crt",
CertificateInputFormat::Pem,
@ -394,7 +394,7 @@ async fn certify_a_public_key_test() -> Result<(), CliError> {
// import Intermediate p12
let issuer_private_key_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/intermediate.p12",
CertificateInputFormat::Pkcs12,
@ -409,11 +409,11 @@ async fn certify_a_public_key_test() -> Result<(), CliError> {
// create a Ed25519 Key Pair
let (_private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "ed25519", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "ed25519", &[])?;
// Certify the public key with the intermediate CA
let certificate_id = certify(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
Some(public_key_id),
Some("C = FR, ST = IdF, L = Paris, O = AcmeTest, CN = kmserver.acme.com".to_string()),
@ -433,7 +433,7 @@ async fn certify_a_public_key_test() -> Result<(), CliError> {
// export the certificate
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&certificate_id,
tmp_exported.to_str().unwrap(),
Some(CertificateExportFormat::JsonTtlv),
@ -472,7 +472,7 @@ async fn certify_a_public_key_test() -> Result<(), CliError> {
.unwrap();
// export the intermediate certificate
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&certificate_link,
tmp_exported_intermediate.to_str().unwrap(),
Some(CertificateExportFormat::Pem),
@ -485,7 +485,7 @@ async fn certify_a_public_key_test() -> Result<(), CliError> {
.get_link(LinkType::PublicKeyLink)
.unwrap();
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&public_key_link,
tmp_exported_pubkey.to_str().unwrap(),

49
crate/cli/src/tests/certificates/encrypt.rs
View file

@ -1,6 +1,8 @@
use std::{fs, path::PathBuf, process::Command};
use assert_cmd::prelude::*;
use cosmian_kms_client::{read_bytes_from_file, KMS_CLI_CONF_ENV};
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
use tracing::debug;
use uuid::Uuid;
@ -9,14 +11,13 @@ use super::SUB_COMMAND;
use crate::{
actions::{
certificates::CertificateInputFormat,
shared::{import_key::ImportKeyFormat, utils::read_bytes_from_file, ExportKeyFormat},
shared::{import_key::ImportKeyFormat, ExportKeyFormat},
},
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
certificates::import::import_certificate,
shared::{export_key, import_key},
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::recover_cmd_logs,
PROG_NAME,
},
};
@ -83,7 +84,7 @@ pub fn decrypt(
// #[tokio::test]
// async fn test_certificate_encrypt_decrypt_certify() -> Result<(), CliError> {
// let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
// let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// // create a temp dir
// let tmp_dir = TempDir::new()?;
// let tmp_path = tmp_dir.path();
@ -98,7 +99,7 @@ pub fn decrypt(
// assert!(!output_file.exists());
//
// let certificate_id = certify(
// &ctx.owner_cli_conf_path,
// &ctx.owner_client_conf_path,
// "CA",
// Some("My server".to_string()),
// None,
@ -107,7 +108,7 @@ pub fn decrypt(
// )?;
//
// encrypt(
// &ctx.owner_cli_conf_path,
// &ctx.owner_client_conf_path,
// input_file.to_str().unwrap(),
// &certificate_id,
// Some(output_file.to_str().unwrap()),
@ -120,7 +121,7 @@ pub fn decrypt(
// &format!("_cert_uid={certificate_id}"),
// ];
// let ids = locate(
// &ctx.owner_cli_conf_path,
// &ctx.owner_client_conf_path,
// Some(priv_key_tags),
// Some("ECDH"),
// None,
@ -131,7 +132,7 @@ pub fn decrypt(
//
// // the user key should be able to decrypt the file
// decrypt(
// &ctx.owner_cli_conf_path,
// &ctx.owner_client_conf_path,
// output_file.to_str().unwrap(),
// &private_key_id,
// Some(recovered_file.to_str().unwrap()),
@ -154,7 +155,7 @@ async fn test_certificate_import_encrypt(
key_path: &str,
tags: &[&str],
) -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -168,7 +169,7 @@ async fn test_certificate_import_encrypt(
debug!("\n\nImport Key");
let private_key_id = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&format!("test_data/certificates/{key_path}"),
Some(ImportKeyFormat::Pem),
@ -182,7 +183,7 @@ async fn test_certificate_import_encrypt(
)?;
let root_certificate_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
&format!("test_data/certificates/{ca_path}"),
CertificateInputFormat::Pem,
@ -196,7 +197,7 @@ async fn test_certificate_import_encrypt(
)?;
let _subca_certificate_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
&format!("test_data/certificates/{subca_path}"),
CertificateInputFormat::Pem,
@ -210,7 +211,7 @@ async fn test_certificate_import_encrypt(
)?;
let certificate_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
&format!("test_data/certificates/{cert_path}"),
CertificateInputFormat::Pem,
@ -225,7 +226,7 @@ async fn test_certificate_import_encrypt(
debug!("\n\nEncrypt With Certificate");
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
input_file.to_str().unwrap(),
&certificate_id,
Some(output_file.to_str().unwrap()),
@ -235,7 +236,7 @@ async fn test_certificate_import_encrypt(
debug!("\n\nDecrypt");
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
Some(recovered_file.to_str().unwrap()),
@ -265,7 +266,7 @@ async fn test_certificate_import_ca_and_encrypt_using_x25519() -> Result<(), Cli
async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
// log_init("cosmian_kms_cli=info,cosmian_kms_server=debug");
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
@ -283,7 +284,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
debug!("\n\nImport Private key");
let private_key_id = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&format!("test_data/certificates/openssl/{filename}-private-key.pem"),
Some(ImportKeyFormat::Pem),
@ -298,7 +299,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
debug!("\n\nImport Certificate");
let certificate_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
&format!("test_data/certificates/openssl/{filename}-cert.pem"),
CertificateInputFormat::Pem,
@ -313,7 +314,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
debug!("\n\nEncrypt with certificate");
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
input_file.to_str().unwrap(),
&certificate_id,
Some(output_file.to_str().unwrap()),
@ -327,7 +328,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
.unwrap()
.to_owned();
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
&private_key_wrapped,
@ -339,7 +340,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
debug!("\n\nImport a wrapped Private key but unwrap it into server");
import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_wrapped,
Some(ImportKeyFormat::JsonTtlv),
@ -351,7 +352,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
debug!("\n\nImport a wrapped Private key but let is save it `as registered` into server");
let wrapped_private_key_uid = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_wrapped,
Some(ImportKeyFormat::JsonTtlv),
@ -368,7 +369,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
.unwrap()
.to_owned();
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&wrapped_private_key_uid,
&private_key_wrapped_as_is,
@ -381,7 +382,7 @@ async fn import_encrypt_decrypt(filename: &str) -> Result<(), CliError> {
debug!("\n\nDecrypt using Private key");
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
Some(recovered_file.to_str().unwrap()),

46
crate/cli/src/tests/certificates/export.rs
View file

@ -1,11 +1,15 @@
use std::process::Command;
use assert_cmd::prelude::CommandCargoExt;
use cosmian_kms_client::cosmian_kmip::kmip::{
kmip_objects::Object,
kmip_types::{Attributes, KeyFormatType, LinkType},
ttlv::{deserializer::from_ttlv, TTLV},
use cosmian_kms_client::{
kmip::{
kmip_objects::Object,
kmip_types::{Attributes, KeyFormatType, LinkType},
ttlv::{deserializer::from_ttlv, TTLV},
},
read_from_json_file, read_object_from_json_ttlv_file, KMS_CLI_CONF_ENV,
};
use kms_test_server::{start_default_test_kms_server, ONCE};
use openssl::pkcs12::Pkcs12;
use tempfile::TempDir;
use uuid::Uuid;
@ -13,17 +17,11 @@ use uuid::Uuid;
use crate::{
actions::{
certificates::{CertificateExportFormat, CertificateInputFormat},
shared::{
utils::{read_from_json_file, read_object_from_json_ttlv_file},
ExportKeyFormat::JsonTtlv,
},
shared::ExportKeyFormat::JsonTtlv,
},
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
certificates::import::import_certificate,
shared::export_key,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
certificates::import::import_certificate, shared::export_key, utils::recover_cmd_logs,
PROG_NAME,
},
};
@ -33,14 +31,17 @@ async fn test_import_export_p12_25519() {
//load the PKCS#12 file
let p12_bytes = include_bytes!("../../../test_data/certificates/another_p12/server.p12");
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE
.get_or_try_init(start_default_test_kms_server)
.await
.unwrap();
//parse the PKCS#12 with openssl
let p12 = Pkcs12::from_der(p12_bytes).unwrap();
let parsed_p12 = p12.parse2("secret").unwrap();
//import the certificate
let imported_p12_sk = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/another_p12/server.p12",
CertificateInputFormat::Pkcs12,
@ -66,7 +67,7 @@ async fn test_import_export_p12_25519() {
// export the private key
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&imported_p12_sk,
tmp_exported_sk.to_str().unwrap(),
@ -89,7 +90,7 @@ async fn test_import_export_p12_25519() {
// export the certificate
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&certificate_id,
tmp_exported_cert.to_str().unwrap(),
Some(CertificateExportFormat::JsonTtlv),
@ -114,7 +115,7 @@ async fn test_import_export_p12_25519() {
// export the chain - there should be only one certificate in the chain
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&issuer_id,
tmp_exported_cert.to_str().unwrap(),
Some(CertificateExportFormat::JsonTtlv),
@ -152,7 +153,7 @@ async fn test_import_export_p12_25519() {
// export the pkcs12
export_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&imported_p12_sk,
tmp_exported_cert_p12.to_str().unwrap(),
Some(CertificateExportFormat::Pkcs12),
@ -210,14 +211,17 @@ async fn test_import_p12_rsa() {
//load the PKCS#12 file
let p12_bytes = include_bytes!("../../../test_data/certificates/csr/intermediate.p12");
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE
.get_or_try_init(start_default_test_kms_server)
.await
.unwrap();
//parse the PKCS#12 with openssl
let p12 = Pkcs12::from_der(p12_bytes).unwrap();
let parsed_p12 = p12.parse2("secret").unwrap();
//import the certificate
let imported_p12_sk = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/intermediate.p12",
CertificateInputFormat::Pkcs12,
@ -234,7 +238,7 @@ async fn test_import_p12_rsa() {
// export the private key
let key_file = tmp_path.join("exported_p12_sk.json");
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&imported_p12_sk,
key_file.to_str().unwrap(),

19
crate/cli/src/tests/certificates/get_attributes.rs
View file

@ -1,20 +1,21 @@
use kms_test_server::{start_default_test_kms_server, ONCE};
use crate::{
actions::{certificates::CertificateInputFormat, shared::AttributeTag},
tests::{
certificates::import::import_certificate,
shared::get_attributes,
utils::{start_default_test_kms_server, ONCE},
},
tests::{certificates::import::import_certificate, shared::get_attributes},
};
#[tokio::test]
async fn test_get_attributes_p12() {
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE
.get_or_try_init(start_default_test_kms_server)
.await
.unwrap();
//import the certificate
let imported_p12_sk_uid = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/intermediate.p12",
CertificateInputFormat::Pkcs12,
@ -30,7 +31,7 @@ async fn test_get_attributes_p12() {
//get the attributes of the private key and check that they are correct
let attributes = get_attributes(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&imported_p12_sk_uid,
&[
AttributeTag::KeyFormatType,
@ -53,7 +54,7 @@ async fn test_get_attributes_p12() {
//get the attributes of the certificate and check that they are correct
let attributes = get_attributes(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
intermediate_certificate_id,
&[
AttributeTag::KeyFormatType,

18
crate/cli/src/tests/certificates/import.rs
View file

@ -1,16 +1,14 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use crate::{
actions::certificates::CertificateInputFormat,
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
utils::{
extract_uids::extract_imported_key_id, recover_cmd_logs, start_default_test_kms_server,
ONCE,
},
utils::{extract_uids::extract_imported_key_id, recover_cmd_logs},
PROG_NAME,
},
};
@ -87,11 +85,11 @@ pub fn import_certificate(
#[tokio::test]
pub async fn test_certificate_import_different_format() -> Result<(), CliError> {
// Create a test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// import as TTLV JSON
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/exported_certificate_ttlv.json",
CertificateInputFormat::JsonTtlv,
@ -106,7 +104,7 @@ pub async fn test_certificate_import_different_format() -> Result<(), CliError>
// import as PEM
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/ca.crt",
CertificateInputFormat::Pem,
@ -121,7 +119,7 @@ pub async fn test_certificate_import_different_format() -> Result<(), CliError>
// import a chain
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/mozilla_IncludedRootsPEM.txt",
CertificateInputFormat::Chain,
@ -136,7 +134,7 @@ pub async fn test_certificate_import_different_format() -> Result<(), CliError>
// import a PKCS12
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/p12/output.p12",
CertificateInputFormat::Pkcs12,

35
crate/cli/src/tests/certificates/quick_cert.rs
View file

@ -6,18 +6,19 @@ use std::{
};
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
use tracing::debug;
use super::SUB_COMMAND;
use crate::{
actions::certificates::{CertificateExportFormat, CertificateInputFormat},
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
certificates::{import::import_certificate, openssl::check_certificate},
shared::locate,
utils::{extract_uids::extract_uid, recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::{extract_uids::extract_uid, recover_cmd_logs},
PROG_NAME,
},
};
@ -197,7 +198,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.into_path();
// let tmp_path = std::path::Path::new("./");
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let ca = "RootCA/SubCA";
let hierarchical_depth = ca.split('/').count();
let tags = &["certificate"];
@ -206,7 +207,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
{
let subject = "My server".to_owned();
let certificate_id = certify(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
ca,
Some(subject),
None,
@ -215,7 +216,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
)?;
// Count the number of KMIP objects created
let ids = locate(&ctx.owner_cli_conf_path, Some(tags), None, None, None)?;
let ids = locate(&ctx.owner_client_conf_path, Some(tags), None, None, None)?;
// Expected 3 kmip objects per certificate (including public and private keys):
// - 1 public key, 1 private key and 1 certificate for the root CA
// - 1 public key, 1 private key and 1 certificate for the sub CA
@ -227,7 +228,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
{
let subject = "My server Number 2".to_owned();
let _certificate_id = certify(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
ca,
Some(subject),
None,
@ -236,7 +237,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
)?;
}
let ids = locate(&ctx.owner_cli_conf_path, Some(tags), None, None, None)?;
let ids = locate(&ctx.owner_client_conf_path, Some(tags), None, None, None)?;
// Expected 3 more kmip objects:
// - 1 public key, 1 private key and 1 certificate for this new certificate
assert_eq!(ids.len(), 3 * (hierarchical_depth + 2));
@ -245,7 +246,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
debug!("\n\n\ntest_certify: export");
let export_filename = tmp_path.join("output.p12").to_str().unwrap().to_owned();
export(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
None,
&certificate_id,
@ -261,7 +262,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
// Export certificate as PEM only
let export_filename = tmp_path.join("cert.pem").to_str().unwrap().to_owned();
export(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
None,
&certificate_id,
@ -277,7 +278,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
// Export certificate as RAW KMIP TTLV
let export_filename = tmp_path.join("ttlv.json").to_str().unwrap().to_owned();
export(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
None,
&certificate_id,
@ -290,7 +291,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
// Export root CA certificate as PEM only
let export_filename = tmp_path.join("root.pem").to_str().unwrap().to_owned();
export(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
Some(&["_cert", "_cert_ca=RootCA"]),
&certificate_id,
@ -306,7 +307,7 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
// Export sub CA certificate as PEM only
let export_filename = tmp_path.join("subca.pem").to_str().unwrap().to_owned();
export(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
Some(&["_cert", "_cert_ca=SubCA"]),
&certificate_id,
@ -321,12 +322,12 @@ pub async fn test_certify_with_subject_cn() -> Result<(), CliError> {
// Revoke it
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
&certificate_id,
"cert revocation test",
)?;
destroy(&ctx.owner_cli_conf_path, SUB_COMMAND, &certificate_id).unwrap();
destroy(&ctx.owner_client_conf_path, SUB_COMMAND, &certificate_id).unwrap();
}
Ok(())
@ -339,7 +340,7 @@ pub async fn test_certify_with_csr() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let _tmp_path = tmp_dir.into_path();
// let tmp_path = std::path::Path::new("./");
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let ca = "RootCA/SubCA";
let _hierarchical_depth = ca.split('/').count();
let tags = &["certificate"];
@ -347,7 +348,7 @@ pub async fn test_certify_with_csr() -> Result<(), CliError> {
// import the intermediate certificate
{
import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
"test_data/certificates/csr/intermediate.p12",
CertificateInputFormat::Pkcs12,
@ -367,7 +368,7 @@ pub async fn test_certify_with_csr() -> Result<(), CliError> {
{
let _subject = "My server";
let _certificate_id = certify(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
ca,
None,
Some(csr),

14
crate/cli/src/tests/certificates/validate.rs
View file

@ -1,19 +1,17 @@
use std::path::PathBuf;
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
use tracing::debug;
use crate::{
actions::certificates::CertificateInputFormat,
error::CliError,
tests::{
certificates::{encrypt::encrypt, import::import_certificate},
utils::{start_default_test_kms_server, ONCE},
},
tests::certificates::{encrypt::encrypt, import::import_certificate},
};
async fn import_revoked_certificate_encrypt(curve_name: &str) -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
@ -31,7 +29,7 @@ async fn import_revoked_certificate_encrypt(curve_name: &str) -> Result<(), CliE
debug!("\n\nImport Certificate");
let root_certificate_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
&format!("test_data/certificates/openssl/{curve_name}-cert.pem"),
CertificateInputFormat::Pem,
@ -46,7 +44,7 @@ async fn import_revoked_certificate_encrypt(curve_name: &str) -> Result<(), CliE
debug!("\n\nImport Certificate");
let certificate_id = import_certificate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"certificates",
&format!("test_data/certificates/openssl/{curve_name}-revoked.crt"),
CertificateInputFormat::Pem,
@ -62,7 +60,7 @@ async fn import_revoked_certificate_encrypt(curve_name: &str) -> Result<(), CliE
debug!("\n\nEncrypt with certificate");
assert!(
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
input_file.to_str().unwrap(),
&certificate_id,
Some(output_file.to_str().unwrap()),

14
crate/cli/src/tests/cover_crypt/conf.rs
View file

@ -1,23 +1,21 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{generate_invalid_conf, start_default_test_kms_server, ONCE};
use predicates::prelude::*;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
utils::{generate_invalid_conf, recover_cmd_logs, start_default_test_kms_server, ONCE},
PROG_NAME,
},
tests::{utils::recover_cmd_logs, PROG_NAME},
};
#[tokio::test]
pub async fn test_bad_conf() -> Result<(), CliError> {
// log_init("cosmian_kms_server=info,cosmian_kms_cli=debug");
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let invalid_conf_path = generate_invalid_conf(&ctx.owner_cli_conf);
let invalid_conf_path = generate_invalid_conf(&ctx.owner_client_conf);
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, invalid_conf_path);
cmd.env("RUST_LOG", "cosmian_kms_cli=info");
@ -54,7 +52,7 @@ pub async fn test_bad_conf() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_secrets_group_id_bad() -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
let _ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, "test_data/configs/kms_bad_secret.bad");

72
crate/cli/src/tests/cover_crypt/encrypt_decrypt.rs
View file

@ -1,18 +1,18 @@
use std::{fs, path::PathBuf, process::Command};
use assert_cmd::prelude::*;
use cosmian_kms_client::{read_bytes_from_file, KMS_CLI_CONF_ENV};
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
use crate::{
actions::shared::utils::read_bytes_from_file,
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
cover_crypt::{
master_key_pair::create_cc_master_key_pair,
user_decryption_keys::create_user_decryption_key, SUB_COMMAND,
},
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::recover_cmd_logs,
PROG_NAME,
},
};
@ -87,7 +87,7 @@ pub fn decrypt(
#[tokio::test]
async fn test_encrypt_decrypt_using_object_ids() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -100,14 +100,14 @@ async fn test_encrypt_decrypt_using_object_ids() -> Result<(), CliError> {
assert!(!output_file.exists());
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&master_public_key_id,
"Department::MKG && Security Level::Confidential",
@ -117,7 +117,7 @@ async fn test_encrypt_decrypt_using_object_ids() -> Result<(), CliError> {
// create a user decryption key
let user_ok_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
@ -125,7 +125,7 @@ async fn test_encrypt_decrypt_using_object_ids() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file.to_str().unwrap()],
&user_ok_key_id,
Some(recovered_file.to_str().unwrap()),
@ -139,14 +139,14 @@ async fn test_encrypt_decrypt_using_object_ids() -> Result<(), CliError> {
// this user key should not be able to decrypt the file
let user_ko_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::FIN && Security Level::Top Secret",
&[],
)?;
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file.to_str().unwrap()],
&user_ko_key_id,
Some(recovered_file.to_str().unwrap()),
@ -160,7 +160,7 @@ async fn test_encrypt_decrypt_using_object_ids() -> Result<(), CliError> {
#[tokio::test]
async fn test_encrypt_decrypt_bulk_using_object_ids() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -187,14 +187,14 @@ async fn test_encrypt_decrypt_bulk_using_object_ids() -> Result<(), CliError> {
assert!(!output_file3.exists());
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[
input_file1.to_str().unwrap(),
input_file2.to_str().unwrap(),
@ -212,7 +212,7 @@ async fn test_encrypt_decrypt_bulk_using_object_ids() -> Result<(), CliError> {
// create a user decryption key
let user_ok_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
@ -220,7 +220,7 @@ async fn test_encrypt_decrypt_bulk_using_object_ids() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[
output_file1.to_str().unwrap(),
output_file2.to_str().unwrap(),
@ -250,14 +250,14 @@ async fn test_encrypt_decrypt_bulk_using_object_ids() -> Result<(), CliError> {
// this user key should not be able to decrypt the file
let user_ko_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::FIN && Security Level::Top Secret",
&[],
)?;
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file1.to_str().unwrap()],
&user_ko_key_id,
Some(recovered_file1.to_str().unwrap()),
@ -272,7 +272,7 @@ async fn test_encrypt_decrypt_bulk_using_object_ids() -> Result<(), CliError> {
assert!(!recovered_file2.exists());
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file2.to_str().unwrap()],
&user_ok_key_id,
// output file names will be based on input file name with '.rec' extension
@ -291,7 +291,7 @@ async fn test_encrypt_decrypt_bulk_using_object_ids() -> Result<(), CliError> {
#[tokio::test]
async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -304,14 +304,14 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
assert!(!output_file.exists());
let (_master_private_key_id, _master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&["tag"],
)?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
"[\"tag\"]",
"Department::MKG && Security Level::Confidential",
@ -321,7 +321,7 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
// create a user decryption key
let user_ok_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"[\"tag\"]",
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&["tag"],
@ -329,7 +329,7 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file.to_str().unwrap()],
"[\"tag\"]",
Some(recovered_file.to_str().unwrap()),
@ -343,14 +343,14 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
// decrypt fails because two keys with same tag exist
let _user_ko_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"[\"tag\"]",
"Department::FIN && Security Level::Top Secret",
&["tag"],
)?;
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file.to_str().unwrap()],
"[\"tag\"]",
Some(recovered_file.to_str().unwrap()),
@ -361,14 +361,14 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
// this user key should not be able to decrypt the file
let _user_ko_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"[\"tag\"]",
"Department::FIN && Security Level::Top Secret",
&["tag_ko"],
)?;
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file.to_str().unwrap()],
"[\"tag_ko\"]",
Some(recovered_file.to_str().unwrap()),
@ -381,7 +381,7 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
assert!(!recovered_file.exists());
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file.to_str().unwrap()],
&user_ok_key_id,
Some(recovered_file.to_str().unwrap()),
@ -394,7 +394,7 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
#[tokio::test]
async fn test_encrypt_decrypt_bulk_using_tags() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -421,14 +421,14 @@ async fn test_encrypt_decrypt_bulk_using_tags() -> Result<(), CliError> {
assert!(!output_file3.exists());
let (_master_private_key_id, _master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&["tag_bulk"],
)?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[
input_file1.to_str().unwrap(),
input_file2.to_str().unwrap(),
@ -446,7 +446,7 @@ async fn test_encrypt_decrypt_bulk_using_tags() -> Result<(), CliError> {
// create a user decryption key
let user_ok_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"[\"tag_bulk\"]",
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&["tag_bulk"],
@ -454,7 +454,7 @@ async fn test_encrypt_decrypt_bulk_using_tags() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[
output_file1.to_str().unwrap(),
output_file2.to_str().unwrap(),
@ -484,14 +484,14 @@ async fn test_encrypt_decrypt_bulk_using_tags() -> Result<(), CliError> {
// decrypt fails because two keys with same tag exist
let _user_ko_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"[\"tag_bulk\"]",
"Department::FIN && Security Level::Top Secret",
&["tag_bulk"],
)?;
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file1.to_str().unwrap()],
"[\"tag_bulk\"]",
Some(recovered_file1.to_str().unwrap()),
@ -506,7 +506,7 @@ async fn test_encrypt_decrypt_bulk_using_tags() -> Result<(), CliError> {
assert!(!recovered_file2.exists());
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file2.to_str().unwrap()],
&user_ok_key_id,
// output file names will be based on input file name with '.rec' extension

17
crate/cli/src/tests/cover_crypt/master_key_pair.rs
View file

@ -1,15 +1,16 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use super::SUB_COMMAND;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
utils::{
extract_uids::{extract_private_key, extract_public_key},
recover_cmd_logs, start_default_test_kms_server, ONCE,
recover_cmd_logs,
},
PROG_NAME,
},
@ -56,16 +57,16 @@ pub fn create_cc_master_key_pair(
#[tokio::test]
pub async fn test_create_master_key_pair() -> Result<(), CliError> {
// from specs
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
//from binary
create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-binary",
"test_data/policy.bin",
&[],
@ -75,10 +76,10 @@ pub async fn test_create_master_key_pair() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_create_master_key_pair_error() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let err = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/notfound.json",
&[],
@ -88,7 +89,7 @@ pub async fn test_create_master_key_pair_error() -> Result<(), CliError> {
assert!(err.to_string().contains("ERROR: could not open the file"));
let err = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-binary",
"test_data/policy.bad",
&[],

57
crate/cli/src/tests/cover_crypt/policy.rs
View file

@ -1,11 +1,12 @@
use std::{path::PathBuf, process::Command};
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use predicates::prelude::*;
use tempfile::TempDir;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
cover_crypt::{
@ -14,16 +15,16 @@ use crate::{
user_decryption_keys::create_user_decryption_key,
SUB_COMMAND,
},
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::recover_cmd_logs,
PROG_NAME,
},
};
#[tokio::test]
async fn test_view_policy() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_cli_conf_path);
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_client_conf_path);
cmd.env("RUST_LOG", "cosmian_kms_cli=info");
cmd.arg(SUB_COMMAND).args(vec![
"policy",
@ -39,7 +40,7 @@ async fn test_view_policy() -> Result<(), CliError> {
.stdout(predicate::str::contains("R&D"));
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_cli_conf_path);
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_client_conf_path);
cmd.env("RUST_LOG", "cosmian_kms_cli=info");
cmd.arg(SUB_COMMAND).args(vec![
"policy",
@ -60,9 +61,9 @@ async fn test_view_policy() -> Result<(), CliError> {
#[tokio::test]
async fn test_create_policy() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_cli_conf_path);
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_client_conf_path);
cmd.env("RUST_LOG", "cosmian_kms_cli=info");
cmd.arg(SUB_COMMAND).args(vec![
"policy",
@ -86,7 +87,7 @@ pub async fn rename(
attribute: &str,
new_name: &str,
) -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, cli_conf_path);
@ -114,7 +115,7 @@ pub async fn add(
master_private_key_id: &str,
new_attribute: &str,
) -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, cli_conf_path);
@ -141,7 +142,7 @@ pub async fn disable(
master_private_key_id: &str,
attribute: &str,
) -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, cli_conf_path);
@ -168,7 +169,7 @@ pub async fn remove(
master_private_key_id: &str,
attribute: &str,
) -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, cli_conf_path);
@ -192,7 +193,7 @@ pub async fn remove(
#[tokio::test]
async fn test_edit_policy() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -204,20 +205,20 @@ async fn test_edit_policy() -> Result<(), CliError> {
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_decryption_key = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&master_public_key_id,
"Department::MKG && Security Level::Confidential",
@ -227,7 +228,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[cipher_file.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -236,7 +237,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// Rename MKG to Marketing
rename(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::MKG",
"Marketing",
@ -245,7 +246,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// the user key should still be able to decrypt marketing file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[cipher_file.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -254,7 +255,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// Adding new attribute "Department::Sales"
add(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::Sales",
)
@ -262,7 +263,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// Encrypt message for the new attribute
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&master_public_key_id,
"Department::Sales && Security Level::Confidential",
@ -272,7 +273,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// Create a new user key with access to both the new and the renamed attribute
let sales_mkg_user_decryption_key = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::Sales || Department::Marketing) && Security Level::Confidential",
&[],
@ -281,7 +282,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// finance and marketing user can not decrypt the sales file
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[new_cipher_file.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -292,7 +293,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// sales and marketing user can decrypt the sales file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[new_cipher_file.to_str().unwrap()],
&sales_mkg_user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -301,7 +302,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// disable attribute Sales
disable(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::Sales",
)
@ -310,7 +311,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// can no longer encrypt for this attribute
assert!(
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&master_public_key_id,
"Department::Sales && Security Level::Confidential",
@ -322,7 +323,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// can still decrypt existing sales files
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[new_cipher_file.to_str().unwrap()],
&sales_mkg_user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -331,7 +332,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// remove attribute Sales
remove(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::Sales",
)
@ -340,7 +341,7 @@ async fn test_edit_policy() -> Result<(), CliError> {
// can no longer decrypt message for this attribute
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[new_cipher_file.to_str().unwrap()],
&sales_mkg_user_decryption_key,
Some(recovered_file.to_str().unwrap()),

60
crate/cli/src/tests/cover_crypt/rekey.rs
View file

@ -1,10 +1,11 @@
use std::{path::PathBuf, process::Command};
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
cover_crypt::{
@ -15,7 +16,7 @@ use crate::{
},
shared::{export_key, import_key},
symmetric::create_key::create_symmetric_key,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::recover_cmd_logs,
PROG_NAME,
},
};
@ -25,7 +26,7 @@ pub async fn rekey(
master_private_key_id: &str,
access_policy: &str,
) -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, cli_conf_path);
@ -52,7 +53,7 @@ pub async fn prune(
master_private_key_id: &str,
access_policy: &str,
) -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, cli_conf_path);
@ -76,17 +77,17 @@ pub async fn prune(
#[tokio::test]
async fn test_rekey_error() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new master key pair
let (master_private_key_id, _master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let _user_decryption_key = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
@ -95,7 +96,7 @@ async fn test_rekey_error() -> Result<(), CliError> {
// bad attributes
assert!(
rekey(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"bad_access_policy"
)
@ -106,7 +107,7 @@ async fn test_rekey_error() -> Result<(), CliError> {
// bad keys
assert!(
rekey(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"bad_key",
"Department::MKG || Department::FIN"
)
@ -120,11 +121,12 @@ async fn test_rekey_error() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// create a symmetric key
let symmetric_key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let symmetric_key_id =
create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// export a wrapped key
let exported_wrapped_key_file = tmp_path.join("exported_wrapped_master_private.key");
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
&master_private_key_id,
exported_wrapped_key_file.to_str().unwrap(),
@ -135,7 +137,7 @@ async fn test_rekey_error() -> Result<(), CliError> {
)?;
// import it wrapped
let wrapped_key_id = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
&exported_wrapped_key_file.to_string_lossy(),
None,
@ -147,7 +149,7 @@ async fn test_rekey_error() -> Result<(), CliError> {
// Rekeying wrapped keys is not allowed
assert!(
rekey(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&wrapped_key_id,
"Department::MKG || Department::FIN"
)
@ -160,7 +162,7 @@ async fn test_rekey_error() -> Result<(), CliError> {
#[tokio::test]
async fn test_rekey_prune() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -172,20 +174,20 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_decryption_key = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&master_public_key_id,
"Department::MKG && Security Level::Confidential",
@ -195,7 +197,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file_before.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -205,7 +207,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// export the user_decryption_key
let exported_user_decryption_key_file = tmp_path.join("exported_user_decryption.key");
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
&user_decryption_key,
exported_user_decryption_key_file.to_str().unwrap(),
@ -217,7 +219,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// rekey the attributes
rekey(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::MKG || Department::FIN",
)
@ -225,7 +227,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// encrypt again after rekeying
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&master_public_key_id,
"Department::MKG && Security Level::Confidential",
@ -235,7 +237,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// the user key should be able to decrypt the new file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file_after.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -243,7 +245,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
)?;
// ... and the old file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file_before.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -252,7 +254,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// import the non rotated user_decryption_key
let old_user_decryption_key = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
SUB_COMMAND,
&exported_user_decryption_key_file.to_string_lossy(),
None,
@ -264,7 +266,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// the imported user key should not be able to decrypt the new file
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file_after.to_str().unwrap()],
&old_user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -274,7 +276,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
);
// ... but should decrypt the old file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file_before.to_str().unwrap()],
&old_user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -283,7 +285,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// prune the attributes
prune(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"Department::MKG || Department::FIN",
)
@ -291,7 +293,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// the user key should be able to decrypt the new file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file_after.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),
@ -301,7 +303,7 @@ async fn test_rekey_prune() -> Result<(), CliError> {
// but no longer the old file
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[output_file_before.to_str().unwrap()],
&user_decryption_key,
Some(recovered_file.to_str().unwrap()),

21
crate/cli/src/tests/cover_crypt/user_decryption_keys.rs
View file

@ -1,16 +1,15 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use super::SUB_COMMAND;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
cover_crypt::master_key_pair::create_cc_master_key_pair,
utils::{
extract_uids::extract_user_key, recover_cmd_logs, start_default_test_kms_server, ONCE,
},
utils::{extract_uids::extract_user_key, recover_cmd_logs},
PROG_NAME,
},
};
@ -52,11 +51,11 @@ pub fn create_user_decryption_key(
#[tokio::test]
pub async fn test_user_decryption_key() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new master key pair
let (master_private_key_id, _) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
@ -64,7 +63,7 @@ pub async fn test_user_decryption_key() -> Result<(), CliError> {
// and a user key
let user_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
@ -76,11 +75,11 @@ pub async fn test_user_decryption_key() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_user_decryption_key_error() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new master key pair
let (master_private_key_id, _) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
@ -88,7 +87,7 @@ pub async fn test_user_decryption_key_error() -> Result<(), CliError> {
// bad attributes
let err = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top SecretZZZZZZ",
&[],
@ -102,7 +101,7 @@ pub async fn test_user_decryption_key_error() -> Result<(), CliError> {
// bad master private key
let err = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"BAD_KEY",
"(Department::MKG || Department::FIN) && Security Level::Top SecretZZZZZZ",
&[],

9
crate/cli/src/tests/elliptic_curve/create_key_pair.rs
View file

@ -1,15 +1,16 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use super::SUB_COMMAND;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
utils::{
extract_uids::{extract_private_key, extract_public_key},
recover_cmd_logs, start_default_test_kms_server, ONCE,
recover_cmd_logs,
},
PROG_NAME,
},
@ -55,7 +56,7 @@ pub fn create_ec_key_pair(
#[tokio::test]
pub async fn test_create_key_pair() -> Result<(), CliError> {
// from specs
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &["tag1", "tag2"])?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &["tag1", "tag2"])?;
Ok(())
}

24
crate/cli/src/tests/elliptic_curve/encrypt_decrypt.rs
View file

@ -1,18 +1,16 @@
use std::{fs, path::PathBuf, process::Command};
use assert_cmd::prelude::*;
use cosmian_kms_client::{read_bytes_from_file, KMS_CLI_CONF_ENV};
use kms_test_server::{start_default_test_kms_server, ONCE};
use predicates::prelude::*;
use tempfile::TempDir;
use super::SUB_COMMAND;
use crate::{
actions::shared::utils::read_bytes_from_file,
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
elliptic_curve::create_key_pair::create_ec_key_pair,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
PROG_NAME,
elliptic_curve::create_key_pair::create_ec_key_pair, utils::recover_cmd_logs, PROG_NAME,
},
};
@ -81,7 +79,7 @@ pub fn decrypt(
#[tokio::test]
async fn test_encrypt_decrypt_using_ids() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -94,10 +92,10 @@ async fn test_encrypt_decrypt_using_ids() -> Result<(), CliError> {
assert!(!output_file.exists());
let (private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &[])?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&public_key_id,
Some(output_file.to_str().unwrap()),
@ -106,7 +104,7 @@ async fn test_encrypt_decrypt_using_ids() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
Some(recovered_file.to_str().unwrap()),
@ -123,7 +121,7 @@ async fn test_encrypt_decrypt_using_ids() -> Result<(), CliError> {
#[tokio::test]
async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -136,10 +134,10 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
assert!(!output_file.exists());
let (_private_key_id, _public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &["tag_ec"])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &["tag_ec"])?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
"[\"tag_ec\"]",
Some(output_file.to_str().unwrap()),
@ -148,7 +146,7 @@ async fn test_encrypt_decrypt_using_tags() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
"[\"tag_ec\"]",
Some(recovered_file.to_str().unwrap()),

56
crate/cli/src/tests/new_database.rs
View file

@ -1,30 +1,27 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::{write_json_object_to_file, KMS_CLI_CONF_ENV};
use kms_test_server::{
generate_invalid_conf, start_default_test_kms_server, start_test_server_with_options, ONCE,
};
use predicates::prelude::*;
use tempfile::TempDir;
use crate::{
actions::shared::utils::write_json_object_to_file,
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
shared::export_key,
symmetric::create_key::create_symmetric_key,
utils::{
create_new_database, generate_invalid_conf, recover_cmd_logs,
start_default_test_kms_server, start_test_server_with_options, ONCE,
},
shared::export_key, symmetric::create_key::create_symmetric_key, utils::recover_cmd_logs,
PROG_NAME,
},
};
#[tokio::test]
pub async fn test_new_database() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_cli_conf_path);
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_client_conf_path);
cmd.env("RUST_LOG", "cosmian_kms_cli=info");
cmd.arg("new-database");
recover_cmd_logs(&mut cmd);
@ -37,9 +34,9 @@ pub async fn test_new_database() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_secrets_bad() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let bad_conf_path = generate_invalid_conf(&ctx.owner_cli_conf);
let bad_conf_path = generate_invalid_conf(&ctx.owner_client_conf);
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, bad_conf_path);
@ -56,7 +53,7 @@ pub async fn test_secrets_bad() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_conf_does_not_exist() -> Result<(), CliError> {
ONCE.get_or_init(start_default_test_kms_server).await;
ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, "test_data/configs/kms_bad_group_id.bad");
@ -70,14 +67,14 @@ pub async fn test_conf_does_not_exist() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_secrets_key_bad() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_cli_conf_path);
cmd.env(KMS_CLI_CONF_ENV, &ctx.owner_client_conf_path);
cmd.arg("ec").args(vec!["keys", "create"]);
cmd.assert().success();
let invalid_conf_path = generate_invalid_conf(&ctx.owner_cli_conf);
let invalid_conf_path = generate_invalid_conf(&ctx.owner_client_conf);
let mut cmd = Command::cargo_bin(PROG_NAME)?;
cmd.env(KMS_CLI_CONF_ENV, invalid_conf_path);
cmd.env("RUST_LOG", "cosmian_kms_cli=info");
@ -96,14 +93,14 @@ async fn test_multiple_databases() -> Result<(), CliError> {
let tmp_path = tmp_dir.path();
// init the test server
// since we are going to rewrite the conf, use a different port
let ctx = start_test_server_with_options(9997, true, false, false).await;
let ctx = start_test_server_with_options(9997, true, false, false).await?;
// create a symmetric key in the default encrypted database
let key_1 = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_1 = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// export the key 1
// Export
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_1,
tmp_path.join("output.export").to_str().unwrap(),
@ -114,20 +111,21 @@ async fn test_multiple_databases() -> Result<(), CliError> {
)?;
// create a new encrypted database
let new_database_secret = create_new_database(&ctx.owner_cli_conf_path)?;
let kms_client = ctx.owner_client_conf.initialize_kms_client()?;
let new_database_secret = kms_client.new_database().await?;
// update the CLI conf
let mut new_conf = ctx.owner_cli_conf.clone();
let mut new_conf = ctx.owner_client_conf.clone();
new_conf.kms_database_secret = Some(new_database_secret);
write_json_object_to_file(&new_conf, &ctx.owner_cli_conf_path)
write_json_object_to_file(&new_conf, &ctx.owner_client_conf_path)
.expect("Can't write the new conf");
// create a symmetric key in the default encrypted database
let key_2 = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_2 = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// export the key 1
// Export
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_2,
tmp_path.join("output.export").to_str().unwrap(),
@ -138,11 +136,11 @@ async fn test_multiple_databases() -> Result<(), CliError> {
)?;
// go back to original conf
write_json_object_to_file(&ctx.owner_cli_conf, &ctx.owner_cli_conf_path)
write_json_object_to_file(&ctx.owner_client_conf, &ctx.owner_client_conf_path)
.expect("Can't rewrite the original conf");
// we should be able to export key_1 again
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_1,
tmp_path.join("output.export").to_str().unwrap(),
@ -153,11 +151,11 @@ async fn test_multiple_databases() -> Result<(), CliError> {
)?;
// go to new conf
write_json_object_to_file(&new_conf, &ctx.owner_cli_conf_path)
write_json_object_to_file(&new_conf, &ctx.owner_client_conf_path)
.expect("Can't rewrite the new conf");
// we should be able to export key_2 again
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_2,
tmp_path.join("output.export").to_str().unwrap(),
@ -168,6 +166,6 @@ async fn test_multiple_databases() -> Result<(), CliError> {
)?;
// stop that server
ctx.stop_server().await;
ctx.stop_server().await?;
Ok(())
}

9
crate/cli/src/tests/rsa/create_key_pair.rs
View file

@ -1,15 +1,16 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use super::SUB_COMMAND;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
utils::{
extract_uids::{extract_private_key, extract_public_key},
recover_cmd_logs, start_default_test_kms_server, ONCE,
recover_cmd_logs,
},
PROG_NAME,
},
@ -54,7 +55,7 @@ pub async fn test_rsa_create_key_pair() -> Result<(), CliError> {
// log_init("trace");
// from specs
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
create_rsa_4096_bits_key_pair(&ctx.owner_cli_conf_path, &["tag1", "tag2"])?;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
create_rsa_4096_bits_key_pair(&ctx.owner_client_conf_path, &["tag1", "tag2"])?;
Ok(())
}

44
crate/cli/src/tests/rsa/encrypt_decrypt.rs
View file

@ -1,21 +1,17 @@
use std::{fs, path::PathBuf, process::Command};
use assert_cmd::prelude::*;
use cosmian_kms_client::{read_bytes_from_file, KMS_CLI_CONF_ENV};
use kms_test_server::{start_default_test_kms_server, ONCE};
use predicates::prelude::*;
use tempfile::TempDir;
use super::SUB_COMMAND;
use crate::{
actions::{
rsa::{EncryptionAlgorithm, HashFn},
shared::utils::read_bytes_from_file,
},
config::KMS_CLI_CONF_ENV,
actions::rsa::{EncryptionAlgorithm, HashFn},
error::CliError,
tests::{
rsa::create_key_pair::create_rsa_4096_bits_key_pair,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
PROG_NAME,
rsa::create_key_pair::create_rsa_4096_bits_key_pair, utils::recover_cmd_logs, PROG_NAME,
},
};
@ -124,7 +120,7 @@ async fn test_rsa_encrypt_decrypt_using_ckm_rsa_pkcs_oaep() -> Result<(), CliErr
// log_init(
// "cosmian_kms_cli=trace,cosmian_kms_server=trace,cosmian_kms_utils=trace,cosmian_kmip=trace",
// );
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
@ -138,12 +134,12 @@ async fn test_rsa_encrypt_decrypt_using_ckm_rsa_pkcs_oaep() -> Result<(), CliErr
assert!(!output_file.exists());
let (private_key_id, public_key_id) =
create_rsa_4096_bits_key_pair(&ctx.owner_cli_conf_path, &[])?;
create_rsa_4096_bits_key_pair(&ctx.owner_client_conf_path, &[])?;
println!("private_key_id: {private_key_id}");
println!("public_key_id: {public_key_id}");
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&public_key_id,
EncryptionAlgorithm::CkmRsaPkcsOaep,
@ -154,7 +150,7 @@ async fn test_rsa_encrypt_decrypt_using_ckm_rsa_pkcs_oaep() -> Result<(), CliErr
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
EncryptionAlgorithm::CkmRsaPkcsOaep,
@ -167,7 +163,7 @@ async fn test_rsa_encrypt_decrypt_using_ckm_rsa_pkcs_oaep() -> Result<(), CliErr
// the user key should NOT be able to decrypt with another algorithm
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
EncryptionAlgorithm::RsaOaepAes128Gcm,
@ -181,7 +177,7 @@ async fn test_rsa_encrypt_decrypt_using_ckm_rsa_pkcs_oaep() -> Result<(), CliErr
// ... or another hash function
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
EncryptionAlgorithm::CkmRsaPkcsOaep,
@ -204,7 +200,7 @@ async fn test_rsa_encrypt_decrypt_using_rsa_oaep_aes128gcm() -> Result<(), CliEr
// log_init(
// "cosmian_kms_cli=trace,cosmian_kms_server=trace,cosmian_kms_utils=trace,cosmian_kmip=trace",
// );
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
@ -218,12 +214,12 @@ async fn test_rsa_encrypt_decrypt_using_rsa_oaep_aes128gcm() -> Result<(), CliEr
assert!(!output_file.exists());
let (private_key_id, public_key_id) =
create_rsa_4096_bits_key_pair(&ctx.owner_cli_conf_path, &[])?;
create_rsa_4096_bits_key_pair(&ctx.owner_client_conf_path, &[])?;
println!("private_key_id: {private_key_id}");
println!("public_key_id: {public_key_id}");
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
&public_key_id,
EncryptionAlgorithm::RsaOaepAes128Gcm,
@ -234,7 +230,7 @@ async fn test_rsa_encrypt_decrypt_using_rsa_oaep_aes128gcm() -> Result<(), CliEr
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
EncryptionAlgorithm::RsaOaepAes128Gcm,
@ -247,7 +243,7 @@ async fn test_rsa_encrypt_decrypt_using_rsa_oaep_aes128gcm() -> Result<(), CliEr
// the user key should NOT be able to decrypt with another algorithm
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
EncryptionAlgorithm::CkmRsaPkcsOaep,
@ -261,7 +257,7 @@ async fn test_rsa_encrypt_decrypt_using_rsa_oaep_aes128gcm() -> Result<(), CliEr
// ... or another hash function
assert!(
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
&private_key_id,
EncryptionAlgorithm::RsaOaepAes128Gcm,
@ -281,7 +277,7 @@ async fn test_rsa_encrypt_decrypt_using_rsa_oaep_aes128gcm() -> Result<(), CliEr
#[tokio::test]
async fn test_rsa_encrypt_decrypt_using_tags() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// create a temp dir
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
@ -294,10 +290,10 @@ async fn test_rsa_encrypt_decrypt_using_tags() -> Result<(), CliError> {
assert!(!output_file.exists());
let (_private_key_id, _public_key_id) =
create_rsa_4096_bits_key_pair(&ctx.owner_cli_conf_path, &["tag_rsa"])?;
create_rsa_4096_bits_key_pair(&ctx.owner_client_conf_path, &["tag_rsa"])?;
encrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&[input_file.to_str().unwrap()],
"[\"tag_rsa\"]",
EncryptionAlgorithm::CkmRsaPkcsOaep,
@ -308,7 +304,7 @@ async fn test_rsa_encrypt_decrypt_using_tags() -> Result<(), CliError> {
// the user key should be able to decrypt the file
decrypt(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
output_file.to_str().unwrap(),
"[\"tag_rsa\"]",
EncryptionAlgorithm::CkmRsaPkcsOaep,

111
crate/cli/src/tests/shared/destroy.rs
View file

@ -1,6 +1,8 @@
use std::process::Command;
use assert_cmd::prelude::CommandCargoExt;
use cosmian_kms_client::{read_object_from_json_ttlv_file, KMS_CLI_CONF_ENV};
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
#[cfg(not(feature = "fips"))]
@ -8,15 +10,13 @@ use crate::tests::cover_crypt::{
master_key_pair::create_cc_master_key_pair, user_decryption_keys::create_user_decryption_key,
};
use crate::{
actions::shared::utils::read_object_from_json_ttlv_file,
cli_bail,
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
elliptic_curve::create_key_pair::create_ec_key_pair,
shared::{export::export_key, revoke::revoke},
symmetric::create_key::create_symmetric_key,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::recover_cmd_logs,
PROG_NAME,
},
};
@ -88,65 +88,70 @@ fn assert_destroyed(cli_conf_path: &str, key_id: &str) -> Result<(), CliError> {
#[tokio::test]
async fn test_destroy_symmetric_key() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// syn
let key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_id = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// destroy should not work when not revoked
assert!(destroy(&ctx.owner_cli_conf_path, "sym", &key_id).is_err());
assert!(destroy(&ctx.owner_client_conf_path, "sym", &key_id).is_err());
// revoke then destroy
revoke(&ctx.owner_cli_conf_path, "sym", &key_id, "revocation test")?;
destroy(&ctx.owner_cli_conf_path, "sym", &key_id)?;
revoke(
&ctx.owner_client_conf_path,
"sym",
&key_id,
"revocation test",
)?;
destroy(&ctx.owner_client_conf_path, "sym", &key_id)?;
// assert
assert_destroyed(&ctx.owner_cli_conf_path, &key_id)
assert_destroyed(&ctx.owner_client_conf_path, &key_id)
}
#[tokio::test]
async fn test_destroy_ec_key() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// destroy via private key
{
// syn
let (private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &[])?;
// destroy should not work when not revoked
assert!(destroy(&ctx.owner_cli_conf_path, "ec", &private_key_id).is_err());
assert!(destroy(&ctx.owner_client_conf_path, "ec", &private_key_id).is_err());
// revoke then destroy
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
"revocation test",
)?;
// destroy via the private key
destroy(&ctx.owner_cli_conf_path, "ec", &private_key_id)?;
destroy(&ctx.owner_client_conf_path, "ec", &private_key_id)?;
// assert
assert_destroyed(&ctx.owner_cli_conf_path, &private_key_id)?;
assert_destroyed(&ctx.owner_cli_conf_path, &public_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &private_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &public_key_id)?;
}
// destroy via public key
{
// syn
let (private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &[])?;
// destroy should not work when not revoked
assert!(destroy(&ctx.owner_cli_conf_path, "ec", &public_key_id).is_err());
assert!(destroy(&ctx.owner_client_conf_path, "ec", &public_key_id).is_err());
println!("OK. revoking");
// revoke then destroy
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&public_key_id,
"revocation test",
@ -155,11 +160,11 @@ async fn test_destroy_ec_key() -> Result<(), CliError> {
println!("OK. destroying");
// destroy via the private key
destroy(&ctx.owner_cli_conf_path, "ec", &public_key_id)?;
destroy(&ctx.owner_client_conf_path, "ec", &public_key_id)?;
// assert
assert_destroyed(&ctx.owner_cli_conf_path, &private_key_id)?;
assert_destroyed(&ctx.owner_cli_conf_path, &public_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &private_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &public_key_id)?;
}
Ok(())
@ -169,130 +174,130 @@ async fn test_destroy_ec_key() -> Result<(), CliError> {
#[tokio::test]
async fn test_destroy_cover_crypt() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// check revocation of all keys when the private key is destroyed
{
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_key_id_1 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
let user_key_id_2 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
// destroy should not work when not revoked
assert!(destroy(&ctx.owner_cli_conf_path, "cc", &master_private_key_id).is_err());
assert!(destroy(&ctx.owner_client_conf_path, "cc", &master_private_key_id).is_err());
// revoke then destroy
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_private_key_id,
"revocation test",
)?;
destroy(&ctx.owner_cli_conf_path, "cc", &master_private_key_id)?;
destroy(&ctx.owner_client_conf_path, "cc", &master_private_key_id)?;
// assert
assert_destroyed(&ctx.owner_cli_conf_path, &master_private_key_id)?;
assert_destroyed(&ctx.owner_cli_conf_path, &master_public_key_id)?;
assert_destroyed(&ctx.owner_cli_conf_path, &user_key_id_1)?;
assert_destroyed(&ctx.owner_cli_conf_path, &user_key_id_2)?;
assert_destroyed(&ctx.owner_client_conf_path, &master_private_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &master_public_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &user_key_id_1)?;
assert_destroyed(&ctx.owner_client_conf_path, &user_key_id_2)?;
}
// check revocation of all keys when the public key is destroyed
{
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_key_id_1 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
let user_key_id_2 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
// destroy should not work when not revoked
assert!(destroy(&ctx.owner_cli_conf_path, "cc", &master_public_key_id).is_err());
assert!(destroy(&ctx.owner_client_conf_path, "cc", &master_public_key_id).is_err());
// revoke then destroy
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_public_key_id,
"revocation test",
)?;
destroy(&ctx.owner_cli_conf_path, "cc", &master_public_key_id)?;
destroy(&ctx.owner_client_conf_path, "cc", &master_public_key_id)?;
// assert
assert_destroyed(&ctx.owner_cli_conf_path, &master_private_key_id)?;
assert_destroyed(&ctx.owner_cli_conf_path, &master_public_key_id)?;
assert_destroyed(&ctx.owner_cli_conf_path, &user_key_id_1)?;
assert_destroyed(&ctx.owner_cli_conf_path, &user_key_id_2)?;
assert_destroyed(&ctx.owner_client_conf_path, &master_private_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &master_public_key_id)?;
assert_destroyed(&ctx.owner_client_conf_path, &user_key_id_1)?;
assert_destroyed(&ctx.owner_client_conf_path, &user_key_id_2)?;
}
// check that revoking a user key, does not destroy anything else
{
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_key_id_1 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
let user_key_id_2 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
// destroy should not work when not revoked
assert!(destroy(&ctx.owner_cli_conf_path, "cc", &user_key_id_1).is_err());
assert!(destroy(&ctx.owner_client_conf_path, "cc", &user_key_id_1).is_err());
// revoke then destroy
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&user_key_id_1,
"revocation test",
)?;
destroy(&ctx.owner_cli_conf_path, "cc", &user_key_id_1)?;
destroy(&ctx.owner_client_conf_path, "cc", &user_key_id_1)?;
// assert
assert_destroyed(&ctx.owner_cli_conf_path, &user_key_id_1)?;
assert_destroyed(&ctx.owner_client_conf_path, &user_key_id_1)?;
// create a temp dir
let tmp_dir = TempDir::new()?;
@ -300,7 +305,7 @@ async fn test_destroy_cover_crypt() -> Result<(), CliError> {
// should able to Get the Master Keys and user key 2
assert!(
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_private_key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -313,7 +318,7 @@ async fn test_destroy_cover_crypt() -> Result<(), CliError> {
);
assert!(
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_public_key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -326,7 +331,7 @@ async fn test_destroy_cover_crypt() -> Result<(), CliError> {
);
assert!(
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&user_key_id_2,
tmp_path.join("output.export").to_str().unwrap(),

72
crate/cli/src/tests/shared/export.rs
View file

@ -3,16 +3,22 @@ use std::path::Path;
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::cosmian_kmip::kmip::kmip_types::KeyFormatType;
use cosmian_kms_client::{
kmip::kmip_types::KeyFormatType, read_bytes_from_file, read_object_from_json_ttlv_file,
KMS_CLI_CONF_ENV,
};
#[cfg(not(feature = "fips"))]
use cosmian_kms_client::cosmian_kmip::{
use cosmian_kms_client::{
kmip::{
kmip_data_structures::KeyMaterial,
kmip_types::{CryptographicAlgorithm, RecommendedCurve},
},
openssl::pad_be_bytes,
pad_be_bytes,
};
#[cfg(not(feature = "fips"))]
use kms_test_server::TestsContext;
use kms_test_server::{start_default_test_kms_server, ONCE};
#[cfg(not(feature = "fips"))]
use openssl::pkey::{Id, PKey};
use tempfile::TempDir;
@ -22,20 +28,10 @@ use crate::tests::cover_crypt::{
};
#[cfg(not(feature = "fips"))]
use crate::tests::elliptic_curve::create_key_pair::create_ec_key_pair;
#[cfg(not(feature = "fips"))]
use crate::tests::utils::TestsContext;
use crate::{
actions::shared::{
utils::{read_bytes_from_file, read_object_from_json_ttlv_file},
ExportKeyFormat,
},
config::KMS_CLI_CONF_ENV,
actions::shared::ExportKeyFormat,
error::CliError,
tests::{
symmetric::create_key::create_symmetric_key,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
PROG_NAME,
},
tests::{symmetric::create_key::create_symmetric_key, utils::recover_cmd_logs, PROG_NAME},
};
#[allow(clippy::too_many_arguments)]
@ -98,14 +94,14 @@ pub async fn test_export_sym() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a symmetric key
let key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_id = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// Export as default (JsonTTLV with Raw Key Format Type)
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -123,7 +119,7 @@ pub async fn test_export_sym() -> Result<(), CliError> {
// Export the bytes only
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
tmp_path.join("output.export.bytes").to_str().unwrap(),
@ -138,7 +134,7 @@ pub async fn test_export_sym() -> Result<(), CliError> {
// wrong export format
assert!(
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
tmp_path.join("output.export.bytes").to_str().unwrap(),
@ -159,13 +155,13 @@ pub async fn test_export_sym_allow_revoked() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a symmetric key
let key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_id = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// Export
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -185,11 +181,11 @@ pub async fn test_export_covercrypt() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new master key pair
let (master_private_key_id, _master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
@ -209,7 +205,7 @@ pub async fn test_export_covercrypt() -> Result<(), CliError> {
)?;
let user_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
@ -229,7 +225,7 @@ pub async fn test_export_covercrypt() -> Result<(), CliError> {
) -> Result<(), CliError> {
// Export the key
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -247,7 +243,7 @@ pub async fn test_export_covercrypt() -> Result<(), CliError> {
// Export the key bytes only
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
key_id,
tmp_path.join("output.export.bytes").to_str().unwrap(),
@ -271,11 +267,11 @@ pub async fn test_export_error_cover_crypt() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// key does not exist
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
"does_not_exist",
tmp_path.join("output.export").to_str().unwrap(),
@ -289,7 +285,7 @@ pub async fn test_export_error_cover_crypt() -> Result<(), CliError> {
// generate a new master key pair
let (master_private_key_id, _master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
@ -297,7 +293,7 @@ pub async fn test_export_error_cover_crypt() -> Result<(), CliError> {
// Export to non existing dir
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_private_key_id,
"/does_not_exist/output.export",
@ -319,17 +315,17 @@ pub async fn test_export_x25519() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new key pair
let (private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "x25519", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "x25519", &[])?;
//
// Private Key
//
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -367,7 +363,7 @@ pub async fn test_export_x25519() -> Result<(), CliError> {
// Export the bytes only
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
tmp_path.join("output.export.bytes").to_str().unwrap(),
@ -388,7 +384,7 @@ pub async fn test_export_x25519() -> Result<(), CliError> {
// Public Key
//
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&public_key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -422,7 +418,7 @@ pub async fn test_export_x25519() -> Result<(), CliError> {
// Export the bytes only
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&public_key_id,
tmp_path.join("output.export.bytes").to_str().unwrap(),

2
crate/cli/src/tests/shared/get_attributes.rs
View file

@ -1,11 +1,11 @@
use std::{collections::HashMap, process::Command};
use assert_cmd::cargo::CommandCargoExt;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use serde_json::Value;
use crate::{
actions::shared::AttributeTag,
config::KMS_CLI_CONF_ENV,
error::{result::CliResultHelper, CliError},
tests::{utils::recover_cmd_logs, PROG_NAME},
};

34
crate/cli/src/tests/shared/import.rs
View file

@ -1,10 +1,13 @@
use std::{path::PathBuf, process::Command};
use assert_cmd::prelude::*;
use cosmian_kms_client::cosmian_kmip::kmip::kmip_types::CryptographicAlgorithm;
use cosmian_kms_client::{
cosmian_kmip::kmip::kmip_types::CryptographicAlgorithm, read_object_from_json_ttlv_file,
KMS_CLI_CONF_ENV,
};
#[cfg(not(feature = "fips"))]
use crate::tests::utils::{start_default_test_kms_server, ONCE};
use kms_test_server::{start_default_test_kms_server, ONCE};
#[cfg(not(feature = "fips"))]
use crate::tests::{
cover_crypt::master_key_pair::create_cc_master_key_pair,
@ -12,8 +15,7 @@ use crate::tests::{
symmetric::create_key::create_symmetric_key,
};
use crate::{
actions::shared::{import_key::ImportKeyFormat, utils::read_object_from_json_ttlv_file},
config::KMS_CLI_CONF_ENV,
actions::shared::import_key::ImportKeyFormat,
error::CliError,
tests::{
shared::export::export_key,
@ -82,10 +84,10 @@ pub fn import_key(
#[cfg(not(feature = "fips"))]
#[tokio::test]
pub async fn test_import_cover_crypt() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let uid: String = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
"test_data/ttlv_public_key.json",
None,
@ -99,7 +101,7 @@ pub async fn test_import_cover_crypt() -> Result<(), CliError> {
// reimporting the same key with the same id should fail
assert!(
import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
"test_data/ttlv_public_key.json",
None,
@ -113,7 +115,7 @@ pub async fn test_import_cover_crypt() -> Result<(), CliError> {
//...unless we force it with replace_existing
let uid_: String = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
"test_data/ttlv_public_key.json",
None,
@ -131,17 +133,17 @@ pub async fn test_import_cover_crypt() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_generate_export_import() -> Result<(), CliError> {
// log_init("cosmian_kms_server=debug,cosmian_kms_utils=debug");
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// Covercrypt import/export test
let (private_key_id, _public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
export_import_test(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&private_key_id,
CryptographicAlgorithm::CoverCrypt,
@ -149,18 +151,18 @@ pub async fn test_generate_export_import() -> Result<(), CliError> {
// Test import/export of an EC Key Pair
let (private_key_id, _public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &[])?;
export_import_test(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
CryptographicAlgorithm::ECDH,
)?;
// generate a symmetric key
let key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_id = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
export_import_test(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
CryptographicAlgorithm::AES,

18
crate/cli/src/tests/shared/import_export_encodings.rs
View file

@ -1,18 +1,18 @@
use std::path::PathBuf;
use cosmian_kms_client::read_bytes_from_file;
use kms_test_server::{start_default_test_kms_server, TestsContext, ONCE};
use crate::{
actions::shared::{import_key::ImportKeyFormat, utils::read_bytes_from_file, ExportKeyFormat},
actions::shared::{import_key::ImportKeyFormat, ExportKeyFormat},
error::CliError,
tests::{
shared::{export_key, import_key},
utils::{start_default_test_kms_server, TestsContext, ONCE},
},
tests::shared::{export_key, import_key},
};
#[tokio::test]
async fn test_import_export_encodings() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
test_pems(
&ctx,
@ -60,7 +60,7 @@ fn test_pems(
) -> Result<(), CliError> {
// import the key
let key_uid = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
key_file_path,
Some(ImportKeyFormat::Pem),
@ -74,7 +74,7 @@ fn test_pems(
// export the key
let export_key_file = tempfile::NamedTempFile::new()?;
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&key_uid,
export_key_file.path().to_str().unwrap(),
@ -88,7 +88,7 @@ fn test_pems(
// Get the key
let get_key_file = tempfile::NamedTempFile::new()?;
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&key_uid,
get_key_file.path().to_str().unwrap(),

54
crate/cli/src/tests/shared/import_export_wrapping.rs
View file

@ -4,28 +4,30 @@ use cloudproof::reexport::crypto_core::{
};
#[cfg(not(feature = "fips"))]
use cosmian_kms_client::cosmian_kmip::crypto::elliptic_curves::operation::create_x25519_key_pair;
use cosmian_kms_client::cosmian_kmip::{
crypto::{symmetric::create_symmetric_key_kmip_object, wrap::unwrap_key_block},
kmip::{
kmip_objects::Object,
kmip_types::{
CryptographicAlgorithm, CryptographicUsageMask, LinkType, UniqueIdentifier,
WrappingMethod,
use cosmian_kms_client::{
cosmian_kmip::{
crypto::{symmetric::create_symmetric_key_kmip_object, wrap::unwrap_key_block},
kmip::{
kmip_objects::Object,
kmip_types::{
CryptographicAlgorithm, CryptographicUsageMask, LinkType, UniqueIdentifier,
WrappingMethod,
},
},
},
read_object_from_json_ttlv_file, write_kmip_object_to_file,
};
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
use tracing::debug;
use crate::{
actions::shared::utils::{read_object_from_json_ttlv_file, write_kmip_object_to_file},
error::CliError,
tests::{
cover_crypt::master_key_pair::create_cc_master_key_pair,
elliptic_curve,
shared::{export::export_key, import::import_key},
symmetric,
utils::{start_default_test_kms_server, ONCE},
},
};
@ -35,7 +37,7 @@ pub async fn test_import_export_wrap_rfc_5649() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// Generate a symmetric wrapping key
let wrap_key_path = tmp_path.join("wrap.key");
let mut rng = CsRng::from_entropy();
@ -47,7 +49,7 @@ pub async fn test_import_export_wrap_rfc_5649() -> Result<(), CliError> {
// import the wrapping key
println!("importing wrapping key");
let wrap_key_uid = import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
wrap_key_path.to_str().unwrap(),
None,
@ -60,13 +62,13 @@ pub async fn test_import_export_wrap_rfc_5649() -> Result<(), CliError> {
// test CC
println!("testing Covercrypt keys");
let (private_key_id, _public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
test_import_export_wrap_private_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&private_key_id,
&wrap_key_uid,
@ -76,12 +78,12 @@ pub async fn test_import_export_wrap_rfc_5649() -> Result<(), CliError> {
// test ec
println!("testing ec keys");
let (private_key_id, _public_key_id) = elliptic_curve::create_key_pair::create_ec_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"nist-p256",
&[],
)?;
test_import_export_wrap_private_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
&wrap_key_uid,
@ -91,14 +93,14 @@ pub async fn test_import_export_wrap_rfc_5649() -> Result<(), CliError> {
// test sym
println!("testing symmetric keys");
let key_id = symmetric::create_key::create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
None,
None,
&[] as &[&str],
)?;
test_import_export_wrap_private_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
&wrap_key_uid,
@ -116,7 +118,7 @@ pub async fn test_import_export_wrap_ecies() -> Result<(), CliError> {
let tmp_dir = TempDir::new()?;
let tmp_path = tmp_dir.path();
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// Generate a symmetric wrapping key
let wrap_private_key_uid = "wrap_private_key_uid";
let wrap_public_key_uid = "wrap_public_key_uid";
@ -131,7 +133,7 @@ pub async fn test_import_export_wrap_ecies() -> Result<(), CliError> {
let wrap_private_key_path = tmp_path.join("wrap.private.key");
write_kmip_object_to_file(wrap_key_pair.private_key(), &wrap_private_key_path)?;
import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
wrap_private_key_path.to_str().unwrap(),
None,
@ -144,7 +146,7 @@ pub async fn test_import_export_wrap_ecies() -> Result<(), CliError> {
let wrap_public_key_path = tmp_path.join("wrap.public.key");
write_kmip_object_to_file(wrap_key_pair.public_key(), &wrap_public_key_path)?;
import_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
wrap_public_key_path.to_str().unwrap(),
None,
@ -156,13 +158,13 @@ pub async fn test_import_export_wrap_ecies() -> Result<(), CliError> {
// test CC
let (private_key_id, _public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
test_import_export_wrap_private_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&private_key_id,
wrap_public_key_uid,
@ -171,12 +173,12 @@ pub async fn test_import_export_wrap_ecies() -> Result<(), CliError> {
debug!("testing EC keys");
let (private_key_id, _public_key_id) = elliptic_curve::create_key_pair::create_ec_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"nist-p256",
&[],
)?;
test_import_export_wrap_private_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
wrap_public_key_uid,
@ -185,14 +187,14 @@ pub async fn test_import_export_wrap_ecies() -> Result<(), CliError> {
debug!("testing symmetric keys");
let key_id = symmetric::create_key::create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
None,
None,
&[] as &[&str],
)?;
test_import_export_wrap_private_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"sym",
&key_id,
wrap_public_key_uid,

0
crate/cli/src/tests/shared/jwe.rs Normal file
View file

90
crate/cli/src/tests/shared/locate.rs
View file

@ -1,6 +1,8 @@
use std::process::Command;
use assert_cmd::prelude::*;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
#[cfg(not(feature = "fips"))]
use crate::tests::{
@ -11,13 +13,10 @@ use crate::tests::{
},
};
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
elliptic_curve::create_key_pair::create_ec_key_pair,
symmetric::create_key::create_symmetric_key,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
PROG_NAME,
symmetric::create_key::create_symmetric_key, utils::recover_cmd_logs, PROG_NAME,
},
};
@ -67,11 +66,11 @@ pub fn locate(
#[tokio::test]
pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&["test_cc"],
@ -79,7 +78,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
// Locate with Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc"]),
None,
None,
@ -92,7 +91,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
// Locate with cryptographic algorithm
// this should be case insensitive
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc"]),
Some("coVerCRypt"),
None,
@ -104,7 +103,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
// locate using the key format type
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc"]),
None,
None,
@ -113,7 +112,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
assert_eq!(ids.len(), 1);
assert!(ids.contains(&master_private_key_id));
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc"]),
None,
None,
@ -124,7 +123,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
//locate using tags and cryptographic algorithm and key format type
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc"]),
Some("CoverCrypt"),
None,
@ -135,14 +134,14 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
// generate a user key
let user_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&["test_cc", "another_tag"],
)?;
// Locate with Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc"]),
None,
None,
@ -154,7 +153,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
assert!(ids.contains(&user_key_id));
//locate using tags and cryptographic algorithm and key format type
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc"]),
Some("CoverCrypt"),
None,
@ -164,7 +163,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
assert!(ids.contains(&master_private_key_id));
assert!(ids.contains(&user_key_id));
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc", "another_tag"]),
Some("CoverCrypt"),
None,
@ -175,7 +174,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
// test using system Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc", "_uk"]),
None,
None,
@ -184,7 +183,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
assert_eq!(ids.len(), 1);
assert!(ids.contains(&user_key_id));
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc", "_sk"]),
None,
None,
@ -193,7 +192,7 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
assert_eq!(ids.len(), 1);
assert!(ids.contains(&master_private_key_id));
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_cc", "_pk"]),
None,
None,
@ -208,15 +207,15 @@ pub async fn test_locate_cover_crypt() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new key pair
let (private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &["test_ec"])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &["test_ec"])?;
// Locate with Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_ec"]),
None,
None,
@ -229,7 +228,7 @@ pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
// Locate with cryptographic algorithm
// this should be case insensitive
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_ec"]),
Some("Ec"),
None,
@ -241,7 +240,7 @@ pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
// locate using the key format type
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_ec"]),
None,
None,
@ -250,7 +249,7 @@ pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
assert_eq!(ids.len(), 1);
assert!(ids.contains(&private_key_id));
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_ec"]),
None,
None,
@ -261,7 +260,7 @@ pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
//locate using tags and cryptographic algorithm and key format type
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_ec"]),
Some("eC"),
None,
@ -272,7 +271,7 @@ pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
// test using system Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_ec", "_sk"]),
None,
None,
@ -281,7 +280,7 @@ pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
assert_eq!(ids.len(), 1);
assert!(ids.contains(&private_key_id));
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_ec", "_pk"]),
None,
None,
@ -296,14 +295,15 @@ pub async fn test_locate_elliptic_curve() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_locate_symmetric_key() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new key
let key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &["test_sym"])?;
let key_id =
create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &["test_sym"])?;
// Locate with Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_sym"]),
None,
None,
@ -315,7 +315,7 @@ pub async fn test_locate_symmetric_key() -> Result<(), CliError> {
// Locate with cryptographic algorithm
// this should be case insensitive
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_sym"]),
Some("Aes"),
None,
@ -326,7 +326,7 @@ pub async fn test_locate_symmetric_key() -> Result<(), CliError> {
// locate using the key format type
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_sym"]),
None,
None,
@ -337,7 +337,7 @@ pub async fn test_locate_symmetric_key() -> Result<(), CliError> {
//locate using tags and cryptographic algorithm and key format type
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_sym"]),
Some("AES"),
None,
@ -348,7 +348,7 @@ pub async fn test_locate_symmetric_key() -> Result<(), CliError> {
// test using system Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_sym", "_kk"]),
None,
None,
@ -364,11 +364,11 @@ pub async fn test_locate_symmetric_key() -> Result<(), CliError> {
#[tokio::test]
pub async fn test_locate_grant() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&["test_grant"],
@ -376,7 +376,7 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
// Locate with Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_grant"]),
None,
None,
@ -389,7 +389,7 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
// Locate with cryptographic algorithm
// this should be case insensitive
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_grant"]),
Some("coVerCRypt"),
None,
@ -401,14 +401,14 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
// generate a user key
let user_key_id = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&["test_grant", "another_tag"],
)?;
// Locate with Tags
let ids = locate(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(&["test_grant"]),
None,
None,
@ -421,7 +421,7 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
// the user should not be able to locate anything
let ids = locate(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
Some(&["test_grant"]),
None,
None,
@ -431,7 +431,7 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
// Grant access to the user decryption key
grant_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&user_key_id,
"user.client@acme.com",
&["encrypt"],
@ -439,7 +439,7 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
// The user should be able to locate the user key and only that one
let ids = locate(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
Some(&["test_grant"]),
None,
None,
@ -450,7 +450,7 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
//revoke the access
revoke_access(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&user_key_id,
"user.client@acme.com",
&["encrypt"],
@ -458,7 +458,7 @@ pub async fn test_locate_grant() -> Result<(), CliError> {
// the user should no more be able to locate the key
let ids = locate(
&ctx.user_cli_conf_path,
&ctx.user_client_conf_path,
Some(&["test_grant"]),
None,
None,

14
crate/cli/src/tests/shared/mod.rs
View file

@ -1,3 +1,10 @@
pub use destroy::destroy;
pub use export::export_key;
pub use get_attributes::get_attributes;
pub use import::import_key;
pub use locate::locate;
pub use revoke::revoke;
mod destroy;
mod export;
mod get_attributes;
@ -9,10 +16,3 @@ mod locate;
mod revoke;
#[cfg(all(not(feature = "fips"), feature = "openssl"))]
mod wrap_unwrap;
pub use destroy::destroy;
pub use export::export_key;
pub use get_attributes::get_attributes;
pub use import::import_key;
pub use locate::locate;
pub use revoke::revoke;

91
crate/cli/src/tests/shared/revoke.rs
View file

@ -1,6 +1,8 @@
use std::process::Command;
use assert_cmd::prelude::CommandCargoExt;
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use tempfile::TempDir;
#[cfg(not(feature = "fips"))]
@ -8,14 +10,10 @@ use crate::tests::cover_crypt::{
master_key_pair::create_cc_master_key_pair, user_decryption_keys::create_user_decryption_key,
};
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
elliptic_curve::create_key_pair::create_ec_key_pair,
shared::export::export_key,
symmetric::create_key::create_symmetric_key,
utils::{recover_cmd_logs, start_default_test_kms_server, ONCE},
PROG_NAME,
elliptic_curve::create_key_pair::create_ec_key_pair, shared::export::export_key,
symmetric::create_key::create_symmetric_key, utils::recover_cmd_logs, PROG_NAME,
},
};
@ -82,59 +80,64 @@ fn assert_revoker(cli_conf_path: &str, key_id: &str) -> Result<(), CliError> {
#[tokio::test]
async fn test_revoke_symmetric_key() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// syn
let key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_id = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// revoke
revoke(&ctx.owner_cli_conf_path, "sym", &key_id, "revocation test")?;
revoke(
&ctx.owner_client_conf_path,
"sym",
&key_id,
"revocation test",
)?;
// assert
assert_revoker(&ctx.owner_cli_conf_path, &key_id)
assert_revoker(&ctx.owner_client_conf_path, &key_id)
}
#[tokio::test]
async fn test_revoke_ec_key() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// revoke via private key
{
// syn
let (private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &[])?;
// revoke via the private key
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&private_key_id,
"revocation test",
)?;
// assert
assert_revoker(&ctx.owner_cli_conf_path, &private_key_id)?;
assert_revoker(&ctx.owner_cli_conf_path, &public_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &private_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &public_key_id)?;
}
// revoke via public key
{
// syn
let (private_key_id, public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &[])?;
// revoke via the private key
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"ec",
&public_key_id,
"revocation test",
)?;
// assert
assert_revoker(&ctx.owner_cli_conf_path, &private_key_id)?;
assert_revoker(&ctx.owner_cli_conf_path, &public_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &private_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &public_key_id)?;
}
Ok(())
@ -144,115 +147,115 @@ async fn test_revoke_ec_key() -> Result<(), CliError> {
#[tokio::test]
async fn test_revoke_cover_crypt() -> Result<(), CliError> {
// init the test server
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// check revocation of all keys when the private key is revoked
{
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_key_id_1 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
let user_key_id_2 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_private_key_id,
"revocation test",
)?;
// assert
assert_revoker(&ctx.owner_cli_conf_path, &master_private_key_id)?;
assert_revoker(&ctx.owner_cli_conf_path, &master_public_key_id)?;
assert_revoker(&ctx.owner_cli_conf_path, &user_key_id_1)?;
assert_revoker(&ctx.owner_cli_conf_path, &user_key_id_2)?;
assert_revoker(&ctx.owner_client_conf_path, &master_private_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &master_public_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &user_key_id_1)?;
assert_revoker(&ctx.owner_client_conf_path, &user_key_id_2)?;
}
// check revocation of all keys when the public key is revoked
{
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_key_id_1 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
let user_key_id_2 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_public_key_id,
"revocation test",
)?;
// assert
assert_revoker(&ctx.owner_cli_conf_path, &master_private_key_id)?;
assert_revoker(&ctx.owner_cli_conf_path, &master_public_key_id)?;
assert_revoker(&ctx.owner_cli_conf_path, &user_key_id_1)?;
assert_revoker(&ctx.owner_cli_conf_path, &user_key_id_2)?;
assert_revoker(&ctx.owner_client_conf_path, &master_private_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &master_public_key_id)?;
assert_revoker(&ctx.owner_client_conf_path, &user_key_id_1)?;
assert_revoker(&ctx.owner_client_conf_path, &user_key_id_2)?;
}
// check that revoking a user key, does not revoke anything else
{
// generate a new master key pair
let (master_private_key_id, master_public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
)?;
let user_key_id_1 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
let user_key_id_2 = create_user_decryption_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
&master_private_key_id,
"(Department::MKG || Department::FIN) && Security Level::Top Secret",
&[],
)?;
revoke(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&user_key_id_1,
"revocation test",
)?;
// assert
assert_revoker(&ctx.owner_cli_conf_path, &user_key_id_1)?;
assert_revoker(&ctx.owner_client_conf_path, &user_key_id_1)?;
// create a temp dir
let tmp_dir = TempDir::new()?;
@ -260,7 +263,7 @@ async fn test_revoke_cover_crypt() -> Result<(), CliError> {
// should able to Get the Master Keys and user key 2
assert!(
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_private_key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -273,7 +276,7 @@ async fn test_revoke_cover_crypt() -> Result<(), CliError> {
);
assert!(
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&master_public_key_id,
tmp_path.join("output.export").to_str().unwrap(),
@ -286,7 +289,7 @@ async fn test_revoke_cover_crypt() -> Result<(), CliError> {
);
assert!(
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"cc",
&user_key_id_2,
tmp_path.join("output.export").to_str().unwrap(),

32
crate/cli/src/tests/shared/wrap_unwrap.rs
View file

@ -9,22 +9,22 @@ use cloudproof::reexport::crypto_core::{
reexport::rand_core::{RngCore, SeedableRng},
CsRng,
};
use cosmian_kms_client::cosmian_kmip::kmip::kmip_types::{EncodingOption, WrappingMethod};
use cosmian_kmip::kmip::kmip_types::{EncodingOption, WrappingMethod};
use cosmian_kms_client::{
cosmian_kmip::kmip::kmip_types::{EncodingOption, WrappingMethod},
read_object_from_json_ttlv_file, KMS_CLI_CONF_ENV,
};
use kms_test_server::{start_default_test_kms_server, TestsContext, ONCE};
use tempfile::TempDir;
use crate::{
actions::shared::utils::read_object_from_json_ttlv_file,
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
cover_crypt::master_key_pair::create_cc_master_key_pair,
elliptic_curve::create_key_pair::create_ec_key_pair,
shared::export::export_key,
symmetric::create_key::create_symmetric_key,
utils::{
extract_uids::extract_wrapping_key, recover_cmd_logs, start_default_test_kms_server,
TestsContext, ONCE,
},
utils::{extract_uids::extract_wrapping_key, recover_cmd_logs},
PROG_NAME,
},
};
@ -131,11 +131,11 @@ pub fn unwrap(
#[tokio::test]
pub async fn test_password_wrap_import() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
// CC
let (private_key_id, _public_key_id) = create_cc_master_key_pair(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
"--policy-specifications",
"test_data/policy_specifications.json",
&[],
@ -144,11 +144,11 @@ pub async fn test_password_wrap_import() -> Result<(), CliError> {
// EC
let (private_key_id, _public_key_id) =
create_ec_key_pair(&ctx.owner_cli_conf_path, "nist-p256", &[])?;
create_ec_key_pair(&ctx.owner_client_conf_path, "nist-p256", &[])?;
password_wrap_import_test(ctx, "ec", &private_key_id)?;
// syn
let key_id = create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
let key_id = create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
password_wrap_import_test(ctx, "sym", &key_id)?;
Ok(())
@ -164,7 +164,7 @@ pub fn password_wrap_import_test(
// Export
let key_file = temp_dir.path().join("master_private.key");
export_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
sub_command,
private_key_id,
key_file.to_str().unwrap(),
@ -180,7 +180,7 @@ pub fn password_wrap_import_test(
//wrap and unwrap using a password
{
let b64_wrapping_key = wrap(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
sub_command,
&key_file,
None,
@ -201,7 +201,7 @@ pub fn password_wrap_import_test(
);
assert_ne!(wrapped_object.key_block()?.key_bytes()?, key_bytes);
unwrap(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
sub_command,
&key_file,
None,
@ -222,7 +222,7 @@ pub fn password_wrap_import_test(
rng.fill_bytes(&mut key);
let key_b64 = general_purpose::STANDARD.encode(&key);
wrap(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
sub_command,
&key_file,
None,
@ -244,7 +244,7 @@ pub fn password_wrap_import_test(
);
assert_ne!(wrapped_object.key_block()?.key_bytes()?, key_bytes);
unwrap(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
sub_command,
&key_file,
None,

31
crate/cli/src/tests/symmetric/create_key.rs
View file

@ -6,13 +6,14 @@ use cloudproof::reexport::crypto_core::{
reexport::rand_core::{RngCore, SeedableRng},
CsRng,
};
use cosmian_kms_client::KMS_CLI_CONF_ENV;
use kms_test_server::{start_default_test_kms_server, ONCE};
use super::SUB_COMMAND;
use crate::{
config::KMS_CLI_CONF_ENV,
error::CliError,
tests::{
utils::{extract_uids::extract_uid, recover_cmd_logs, start_default_test_kms_server, ONCE},
utils::{extract_uids::extract_uid, recover_cmd_logs},
PROG_NAME,
},
};
@ -65,17 +66,17 @@ pub fn create_symmetric_key(
#[tokio::test]
pub async fn test_create_symmetric_key() -> Result<(), CliError> {
let ctx = ONCE.get_or_init(start_default_test_kms_server).await;
let ctx = ONCE.get_or_try_init(start_default_test_kms_server).await?;
let mut rng = CsRng::from_entropy();
let mut key = vec![0u8; 32];
// AES
{
// AES 256 bit key
create_symmetric_key(&ctx.owner_cli_conf_path, None, None, None, &[])?;
create_symmetric_key(&ctx.owner_client_conf_path, None, None, None, &[])?;
// AES 128 bit key
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(128),
None,
None,
@ -85,7 +86,7 @@ pub async fn test_create_symmetric_key() -> Result<(), CliError> {
rng.fill_bytes(&mut key);
let key_b64 = general_purpose::STANDARD.encode(&key);
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
Some(&key_b64),
None,
@ -97,7 +98,7 @@ pub async fn test_create_symmetric_key() -> Result<(), CliError> {
{
// ChaCha20 256 bit key
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
None,
Some("chacha20"),
@ -105,7 +106,7 @@ pub async fn test_create_symmetric_key() -> Result<(), CliError> {
)?;
// ChaCha20 128 bit key
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(128),
None,
Some("chacha20"),
@ -117,7 +118,7 @@ pub async fn test_create_symmetric_key() -> Result<(), CliError> {
rng.fill_bytes(&mut key);
let key_b64 = general_purpose::STANDARD.encode(&key);
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
Some(&key_b64),
Some("chacha20"),
@ -129,7 +130,7 @@ pub async fn test_create_symmetric_key() -> Result<(), CliError> {
{
// ChaCha20 256 bit salt
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
None,
Some("sha3"),
@ -137,28 +138,28 @@ pub async fn test_create_symmetric_key() -> Result<(), CliError> {
)?;
// ChaCha20 salts
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(224),
None,
Some("sha3"),
&[] as &[&str],
)?;
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(256),
None,
Some("sha3"),
&[] as &[&str],
)?;
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(384),
None,
Some("sha3"),
&[] as &[&str],
)?;
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
Some(512),
None,
Some("sha3"),
@ -170,7 +171,7 @@ pub async fn test_create_symmetric_key() -> Result<(), CliError> {
rng.fill_bytes(&mut salt);
let key_b64 = general_purpose::STANDARD.encode(&salt);
create_symmetric_key(
&ctx.owner_cli_conf_path,
&ctx.owner_client_conf_path,
None,
Some(&key_b64),
Some("sha3"),

Some files were not shown because too many files have changed in this diff Show more