chore: Merge tag '4.10.1' into develop

fix: mkdocs formatting and disable autoformat with pre-commit
Manuthor 2023-12-12 17:36:31 +01:00
commit 36bd22ef97
35 changed files with 2235 additions and 2165 deletions


@ -38,6 +38,7 @@ repos:
--disable=MD041,
--disable=MD046,
]
exclude: documentation/docs
- repo: https://github.com/Lucas-C/pre-commit-hooks-nodejs
rev: v1.1.2
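Review bot: The added `exclude: documentation/docs` is an unanchored pattern; pre-commit treats `exclude` as a regular expression matched by search, so the markdownlint hook these `--disable=MD0xx` arguments belong to will also skip any path that merely contains that substring elsewhere in the tree. Anchoring it as `exclude: ^documentation/docs/` restricts the exclusion to the intended directory. If the intent (per the commit title) is to stop the hook from reformatting the mkdocs sources, a one-line comment above it such as `# markdownlint must not reformat the mkdocs sources` would record why a whole docs tree is unlinted. The repo entry this hook belongs to starts before the hunk.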


@ -2,6 +2,12 @@
All notable changes to this project will be documented in this file.
## [4.10.1] - 2023-12-12
### Documentation
- Fix mkdocs formatting
## [4.10.0] - 2023-12-11
### Features

Cargo.lock generated

@ -1145,7 +1145,7 @@ dependencies = [
[[package]]
name = "cosmian_kmip"
version = "4.10.0"
version = "4.10.1"
dependencies = [
"bitflags 2.4.1",
"chrono",
@ -1167,7 +1167,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_cli"
version = "4.10.0"
version = "4.10.1"
dependencies = [
"actix-rt",
"actix-server",
@ -1209,7 +1209,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_client"
version = "4.10.0"
version = "4.10.1"
dependencies = [
"base64 0.21.5",
"cosmian_kmip",
@ -1233,7 +1233,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_python"
version = "4.10.0"
version = "4.10.1"
dependencies = [
"cloudproof",
"cosmian_kmip",
@ -1249,7 +1249,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_server"
version = "4.10.0"
version = "4.10.1"
dependencies = [
"acme-lib",
"actix-cors",
@ -1301,7 +1301,7 @@ dependencies = [
[[package]]
name = "cosmian_kms_utils"
version = "4.10.0"
version = "4.10.1"
dependencies = [
"argon2",
"cloudproof",
@ -1316,7 +1316,7 @@ dependencies = [
[[package]]
name = "cosmian_logger"
version = "4.10.0"
version = "4.10.1"
dependencies = [
"tracing",
"tracing-subscriber",


@ -1,6 +1,6 @@
FROM ubuntu:22.04 as builder
LABEL version="4.10.0"
LABEL version="4.10.1"
LABEL name="Cosmian KMS docker container"
ARG FEATURES


@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_cli"
version = "4.10.0"
version = "4.10.1"
edition = "2021"
license-file = "../../LICENSE.md"
description = "CLI used to manage the Cosmian KMS."


@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_client"
version = "4.10.0"
version = "4.10.1"
authors = ["Bruno Grieder <bruno.grieder@cosmian.com>"]
edition = "2021"
license-file = "../../LICENSE.md"


@ -1,6 +1,6 @@
[package]
name = "cosmian_kmip"
version = "4.10.0"
version = "4.10.1"
edition = "2021"
license-file = "../../LICENSE.md"


@ -1,6 +1,6 @@
[package]
name = "cosmian_logger"
version = "4.10.0"
version = "4.10.1"
authors = ["Emmanuel Coste <emmanuel.coste@cosmian.com>"]
edition = "2021"
license-file = "../../LICENSE.md"


@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_python"
version = "4.10.0"
version = "4.10.1"
authors = ["Hugo Rosenkranz-Costa <hugo.rosenkranz@cosmian.com>"]
edition = "2021"
license-file = "../../LICENSE.md"


@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_server"
version = "4.10.0"
version = "4.10.1"
authors = ["Bruno Grieder <bruno.grieder@cosmian.com>"]
edition = "2021"
license-file = "../../LICENSE.md"


@ -28,12 +28,12 @@ python cse_cmd.py -h
b. The wrapped private key file should have a json object with
two required fields:
```json
```json
{
'kacls_url': 'url of kacls configured in CSE Admin Console',
'wrapped_private_key': 'wrapped private key bytes'
}
```
```
2. Create a directory for storing all certificates in p7 pem format.


@ -1,6 +1,6 @@
[package]
name = "cosmian_kms_utils"
version = "4.10.0"
version = "4.10.1"
authors = ["Bruno Grieder <bruno.grieder@cosmian.com>"]
edition = "2021"
license-file = "../../LICENSE.md"


@ -26,7 +26,7 @@ The server must be started using TLS, and the certificate used to verify the cli
!!! info "Example client TLS authentication."
```sh
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.0 \
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.1 \
--https-p12-file kms.server.p12 --https-p12-password password \
--authority-cert-file verifier.cert.pem
```
@ -65,7 +65,7 @@ The KMS server JWT authentication is configured using three command line options
Below is an example of a JWT configuration for the KMS server using Google as the authorization server.
```sh
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.0 \
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.1 \
--jwt-issuer-uri=https://accounts.google.com \
--jwks-uri=https://www.googleapis.com/oauth2/v3/certs \
--jwt-audience=cosmian_kms


@ -22,9 +22,9 @@ The supported KMIP operations are: `get`, `export`, `encrypt`, `decrypt`, `impor
=== "ckms"
```
➜ ckms access grant --help
Grant another user an access right to an object.
```
➜ ckms access grant --help
Grant another user an access right to an object.
This command can only be called by the owner of the object.
@ -48,7 +48,8 @@ Grant another user an access right to an object.
```
=== "REST"
`POST` to the `/access/grant` endpoint with the JSON object:
`POST` to the `/access/grant` endpoint with the JSON object:
```json
{
@ -71,10 +72,10 @@ Grant another user an access right to an object.
An owner of an object can revoke an access right to a specific user for a given operation on a given object at any time.
=== "ckms"
```
➜ ckms access revoke --help
Revoke another user access right to an object.
```
➜ ckms access revoke --help
Revoke another user access right to an object.
This command can only be called by the owner of the object.
@ -96,7 +97,8 @@ Revoke another user access right to an object.
```
=== "REST"
`POST` to the `/access/revoke` endpoint with the JSON object:
`POST` to the `/access/revoke` endpoint with the JSON object:
```json
{
@ -120,9 +122,9 @@ The owner of an object can list all the access rights that have been granted to
=== "ckms"
```
➜ ckms access list --help
List the access rights granted on an object to other users.
```
➜ ckms access list --help
List the access rights granted on an object to other users.
This command can only be called by the owner of the object. Returns a list of users and the operations they have been granted access to.
@ -138,7 +140,8 @@ List the access rights granted on an object to other users.
```
=== "REST"
`GET` to the `/access/list/{object_unique_id}` endpoint:
`GET` to the `/access/list/{object_unique_id}` endpoint:
The response is a JSON array:
@ -159,10 +162,10 @@ A user can list all the objects it owns (i.e. the objects it created using eithe
or `Import` KMIP operations).
=== "ckms"
```
➜ ckms access owned --help
List the objects owned by the calling user.
```
➜ ckms access owned --help
List the objects owned by the calling user.
Owners of objects can perform any operation on these objects and can grant access rights on any of these operations to any other user.
@ -174,7 +177,8 @@ List the objects owned by the calling user.
```
=== "REST"
`GET` to the `/access/owned` endpoint:
`GET` to the `/access/owned` endpoint:
The response is a JSON array:
@ -201,9 +205,9 @@ A user can list all the access rights that have been granted to it by object own
=== "ckms"
```
➜ ckms access obtained --help
List the access rights obtained by the calling user
```
➜ ckms access obtained --help
List the access rights obtained by the calling user
Returns a list of objects, their state, their owner and the accesses rights granted on the object
@ -215,20 +219,21 @@ List the access rights obtained by the calling user
```
=== "REST"
`GET` to the `/access/obtained` endpoint:
`GET` to the `/access/obtained` endpoint:
The response is a JSON array:
```json
[
{
{
"object_id": "the object unique identifier",
"owner_id": "the user identifier of the owner of the object",
"state": "<state>",
"operations": [ <operation type> ]
"attributes": "<attributes>",
"is_wrapped": "<wrapped_state>"
}
}
]
```


@ -11,7 +11,7 @@ When [running in a zero-trust environment](./zero_trust.md) inside a confidentia
To start the KMS server in bootstrap mode, use the `--use-bootstrap-server` option:
```sh
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.0 \
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.1 \
--use-bootstrap-server
```


@ -1,7 +1,7 @@
The `ckms` binary is a command line interface (CLI) used to manage cryptographic objects inside the KMS.
!!! info "Download ckms"
Please download the latest version of the CLI for your Operating System from the [Cosmian public packages repository](https://package.cosmian.com/kms/4.10.0/)
Please download the latest version of the CLI for your Operating System from the [Cosmian public packages repository](https://package.cosmian.com/kms/4.10.1/)
#### Configuration


@ -44,7 +44,7 @@ Assuming Google is the Identity Provider, the KMS should be started with the fol
For example, if you are using the docker image, you can run the following command:
```sh
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.0 \
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.1 \
--jwt-issuer-uri=https://accounts.google.com \
--jwks-uri=https://www.googleapis.com/oauth2/v3/certs \
--google-cse-kacls-url=https://cse.example.com/google_cse


@ -53,7 +53,7 @@ e.g.
```sh
docker run --rm -p 9998:9998 \
--name kms ghcr.io/cosmian/kms:4.10.0 \
--name kms ghcr.io/cosmian/kms:4.10.1 \
--database-type=postgresql \
--database-url=postgres://kms_user:kms_password@pgsql-server:5432/kms
@ -68,7 +68,7 @@ Example:
```sh
docker run --rm -p 9998:9998 \
--name kms ghcr.io/cosmian/kms:4.10.0 \
--name kms ghcr.io/cosmian/kms:4.10.1 \
--database-type=redis-findex \
--database-url=redis://localhost:6379 \
--redis-master-password password \
@ -105,7 +105,7 @@ Say the certificate is called `cert.p12` and is in a directory called `/certific
```sh
docker run --rm -p 9998:9998 \
--name kms ghcr.io/cosmian/kms:4.10.0 \
--name kms ghcr.io/cosmian/kms:4.10.1 \
-v /certificate/cert.p12:/root/cosmian-kms/cert.p12 \
--database-type=mysql \
--database-url=mysql://mysql_server:3306/kms \


@ -6,7 +6,7 @@ The Cosmian KMS is designed to [operate in **zero-trust** environments](./zero_t
To quick-start a Cosmian KMS server on `http://localhost:9998` that stores its data inside the container, simply run
```sh
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.0
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.1
```
Check the Cosmian KMS server version
@ -15,7 +15,7 @@ The Cosmian KMS is designed to [operate in **zero-trust** environments](./zero_t
curl http://localhost:9998/version
```
Alternatively KMS binaries are also available on [Cosmian packages](https://package.cosmian.com/kms/4.10.0/).
Alternatively KMS binaries are also available on [Cosmian packages](https://package.cosmian.com/kms/4.10.1/).
#### Open source
@ -83,7 +83,7 @@ The KMS has an easy-to-use command line interface client built for many operatin
The KMS server is available as a Docker image on the [Cosmian public Docker repository](https://github.com/Cosmian/kms/pkgs/container/kms).
Raw binaries for multiple operating systems are also available on the [Cosmian public packages repository](https://package.cosmian.com/kms/4.10.0/)
Raw binaries for multiple operating systems are also available on the [Cosmian public packages repository](https://package.cosmian.com/kms/4.10.1/)
#### Integrated with Cloudproof libraries
@ -100,7 +100,7 @@ Just like the [`ckms` Command Line Interface](./cli/cli.md), the KMS server has
that can be accessed using the `--help` command line option.
```sh
docker run --rm ghcr.io/cosmian/kms:4.10.0 --help
docker run --rm ghcr.io/cosmian/kms:4.10.1 --help
```
The options are enabled on the docker command line or using the environment variables listed in the options help.


@ -47,28 +47,25 @@ Note: the `ckms` client converts the CSR from PEM TO DER before creating the JSO
server.
=== "Request"
```json
{
"tag": "Certify",
"type": "Structure",
"value": [
{
"tag": "CertificateRequestType",
"type": "Enumeration",
"value": "PEM"
},
{
"tag": "CertificateRequestValue",
"type": "ByteString",
// the PKCS#10 Certificate Signing Request DER bytes encoded in hex
"value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
},
{
"tag": "Attributes",
"tag": "Certify",
"type": "Structure",
"value": [
{
"tag": "Link",
"tag": "CertificateRequestType",
"type": "Enumeration",
"value": "PEM"
},
{
"tag": "CertificateRequestValue",
"type": "ByteString",
// the PKCS#10 Certificate Signing Request DER bytes encoded in hex
"value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
},
{
"tag": "Attributes",
"type": "Structure",
"value": [
{
@ -76,70 +73,76 @@ server.
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "PrivateKeyLink"
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// The issuer private key unique identifier
"value": "854d7914-3b1d-461a-a2dd-7aad27043b56"
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "PrivateKeyLink"
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// The issuer private key unique identifier
"value": "854d7914-3b1d-461a-a2dd-7aad27043b56"
}
]
}
]
}
]
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "Certificate"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "requested_validity_days"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// 365 as a string in UTF-8 bytes encoded in hex
"value": "333635"
}
]
"tag": "ObjectType",
"type": "Enumeration",
"value": "Certificate"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "requested_validity_days"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// 365 as a string in UTF-8 bytes encoded in hex
"value": "333635"
}
]
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// ["MyCert"] as UTF-8 bytes encoded in hex
"value": "5B224D7943657274225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// ["MyCert"] as UTF-8 bytes encoded in hex
"value": "5B224D7943657274225D"
}
]
}
]
}
@ -147,25 +150,23 @@ server.
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "CertifyResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "b7225902-a035-45e6-a3d2-fa65c0ca7af1"
"tag": "CertifyResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "b7225902-a035-45e6-a3d2-fa65c0ca7af1"
}
]
}
]
}
```
```
#### Example - Public key
@ -181,12 +182,13 @@ ckms certificates certify -p 45e56e67-d813-468f-9116-4d1e611a1828 -k 854d7914-3b
-d 365 -t "Bob" --subject-name "C=FR, ST=IdF, L=Paris, O=AcmeTest, CN=bob@acme.com"
```
Please note the following in the JSON TTLV of the reauest:
Please note the following in the JSON TTLV of the request:
- the various Subject Name fields that are set for the certificate
- the Subject Name issuer fields are ignored: they will be copied from the certificate linked to the issuer private key
=== "Request"
```json
{
"tag": "Certify",
@ -435,20 +437,20 @@ Please note the following in the JSON TTLV of the reauest:
}
]
}
```
```
=== "Response"
```json
{
"tag": "CertifyResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "974b3a79-25a8-4ace-bdd9-70f5b07695c9"
}
]
}
```
{
"tag": "CertifyResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "974b3a79-25a8-4ace-bdd9-70f5b07695c9"
}
]
}
```


@ -28,68 +28,71 @@ ckms sym keys create --tag MySymmetricKey
```
=== "Request"
```json
{
"tag": "Create",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
},
{
"tag": "Attributes",
"tag": "Create",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "TransparentSymmetricKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
},
{
"tag": "VendorAttributes",
"tag": "Attributes",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "TransparentSymmetricKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// ["MySymmetricKey"] in hex
"value": "5B224D7953796D6D65747269634B6579225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// ["MySymmetricKey"] in hex
"value": "5B224D7953796D6D65747269634B6579225D"
}
]
}
]
}
@ -97,30 +100,28 @@ ckms sym keys create --tag MySymmetricKey
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "CreateResponse",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
"tag": "CreateResponse",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
}
]
}
]
}
```
```
#### Example - Covercrypt User Decryption Key
@ -141,103 +142,106 @@ Please note:
- The access policy is encoded in hex.
=== "Request"
```json
{
"tag": "Create",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "Attributes",
"tag": "Create",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "CoverCryptSecretKey"
},
{
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "ParentLink"
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// the master secret key unique identifier
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
}
]
}
]
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"tag": "Attributes",
"type": "Structure",
"value": [
{
"tag": "VendorAttributes",
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "CoverCryptSecretKey"
},
{
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "cover_crypt_access_policy"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// Security Level::Confidential && (Department::FIN || Department::HR) in hex
"value": "5365637572697479204C6576656C3A3A436F6E666964656E7469616C20262620284465706172746D656E743A3A46494E207C7C204465706172746D656E743A3A485229"
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "ParentLink"
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// the master secret key unique identifier
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
}
]
}
]
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "cover_crypt_access_policy"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// Security Level::Confidential && (Department::FIN || Department::HR) in hex
"value": "5365637572697479204C6576656C3A3A436F6E666964656E7469616C20262620284465706172746D656E743A3A46494E207C7C204465706172746D656E743A3A485229"
}
]
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// ["MyUserKey"] in hex
"value": "5B224D79557365724B6579225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// ["MyUserKey"] in hex
"value": "5B224D79557365724B6579225D"
}
]
}
]
}
@ -245,27 +249,25 @@ Please note:
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "CreateResponse",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "df871e79-0923-47cd-9078-bbec83287c85"
"tag": "CreateResponse",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "df871e79-0923-47cd-9078-bbec83287c85"
}
]
}
]
}
```
```


@ -38,79 +38,82 @@ ckms ec keys create
```
=== "Request"
```json
{
"tag": "CreateKeyPair",
"type": "Structure",
"value": [
{
"tag": "CommonAttributes",
"tag": "CreateKeyPair",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "ECDH"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 253
},
{
"tag": "CryptographicDomainParameters",
"tag": "CommonAttributes",
"type": "Structure",
"value": [
{
"tag": "QLength",
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "ECDH"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 253
},
{
"tag": "RecommendedCurve",
"tag": "CryptographicDomainParameters",
"type": "Structure",
"value": [
{
"tag": "QLength",
"type": "Integer",
"value": 253
},
{
"tag": "RecommendedCurve",
"type": "Enumeration",
"value": "CURVE25519"
}
]
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "CURVE25519"
}
]
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "ECPrivateKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
"value": "ECPrivateKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
//The hex encoded tag ["MyECKeyPair"]
"value": "5B224D7945434B657950616972225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
//The hex encoded tag ["MyECKeyPair"]
"value": "5B224D7945434B657950616972225D"
}
]
}
]
}
@ -118,30 +121,29 @@ ckms ec keys create
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "CreateKeyPairResponse",
"type": "Structure",
"value": [
{
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "1ac18648-ab17-4755-97a3-7a24b8198b97"
},
{
"tag": "PublicKeyUniqueIdentifier",
"type": "TextString",
"value": "52573030-0fed-4c67-b311-ceac944b2afc"
"tag": "CreateKeyPairResponse",
"type": "Structure",
"value": [
{
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "1ac18648-ab17-4755-97a3-7a24b8198b97"
},
{
"tag": "PublicKeyUniqueIdentifier",
"type": "TextString",
"value": "52573030-0fed-4c67-b311-ceac944b2afc"
}
]
}
]
}
```
```
#### Example -Covercrypt Master Key Pair
@ -251,74 +253,77 @@ ckms cc keys create-master-key-pair -s policy_specifications.json
```
=== "Request"
```json
{
"tag": "CreateKeyPair",
"type": "Structure",
"value": [
{
"tag": "CommonAttributes",
"tag": "CreateKeyPair",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "CoverCryptSecretKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"tag": "CommonAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "cover_crypt_policy"
},
{
"tag": "AttributeValue",
"type": "ByteString",
//The hex encoded policy
"value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
}
]
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "CoverCryptSecretKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "cover_crypt_policy"
},
{
"tag": "AttributeValue",
"type": "ByteString",
//The hex encoded policy
"value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
}
]
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
"value": "5B5D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
"value": "5B5D"
}
]
}
]
}
@ -326,27 +331,25 @@ ckms cc keys create-master-key-pair -s policy_specifications.json
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "CreateKeyPairResponse",
"type": "Structure",
"value": [
{
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
},
{
"tag": "PublicKeyUniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
"tag": "CreateKeyPairResponse",
"type": "Structure",
"value": [
{
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
},
{
"tag": "PublicKeyUniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
}
]
}
]
}
```
```


@ -33,66 +33,68 @@ Corresponding `ckms` CLI command:
ckms sym decrypt /tmp/encrypted.bin -t MySymmetricKey
```
where `/tmp/encrypted.bin` contains the a concatenation of the the nounce, the encryped and the authentication tag
where `/tmp/encrypted.bin` contains the a concatenation of the the nonce, the encrypted and the authentication tag
in that order.
The JSON TTLV request the same information as in the [`Encrypt` Response](./_encrypt.md):
- the encrypted data
- the nounce: 12 bytes
- the nonce: 12 bytes
- the authentication tag: 16 bytes
=== "Request"
```json
{
"tag": "Decrypt",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "[\"MySymmetricKey\"]"
},
{
"tag": "Data",
"type": "ByteString",
"value": "40D59A0735811135749A507FDEB3"
},
{
"tag": "IvCounterNonce",
"type": "ByteString",
"value": "DBDD622A64F7D65E75894B1B"
},
{
"tag": "AuthenticatedEncryptionTag",
"type": "ByteString",
"value": "50FCE680540BD3E96EFA9218A2F1009D"
}
]
}
```
```json
{
"tag": "Decrypt",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "[\"MySymmetricKey\"]"
},
{
"tag": "Data",
"type": "ByteString",
"value": "40D59A0735811135749A507FDEB3"
},
{
"tag": "IvCounterNonce",
"type": "ByteString",
"value": "DBDD622A64F7D65E75894B1B"
},
{
"tag": "AuthenticatedEncryptionTag",
"type": "ByteString",
"value": "50FCE680540BD3E96EFA9218A2F1009D"
}
]
}
```
=== "Response"
```json
{
"tag": "DecryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Data",
"type": "ByteString",
// Hello, world! as UTF-8 bytes in hex
"value": "48656C6C6F2C20776F726C64210A"
"tag": "DecryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Data",
"type": "ByteString",
// Hello, world! as UTF-8 bytes in hex
"value": "48656C6C6F2C20776F726C64210A"
}
]
}
]
}
```
```
#### Example - Covercrypt
@ -110,54 +112,55 @@ ckms cc decrypt /tmp/encrypted.bin -t MyUserKey
```
=== "Request"
```json
{
"tag": "Decrypt",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "[\"MyUserKey\"]"
},
{
"tag": "CryptographicParameters",
"tag": "Decrypt",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "[\"MyUserKey\"]"
},
{
"tag": "CryptographicParameters",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
}
]
},
{
"tag": "Data",
"type": "ByteString",
"value": "AEA6CF824612448B8445CAF46F9D987161706DAD6E43DFD1A57DD0F39869DC39A68096657A3EDC03CBC619D563744D2CC9819B6A9AB9A3893FD27F452F49A244A8CAA42279C4705D4D3A9E04D2B7887F0100D947F27D27BBD1D06F5A65087F73B8AAB617568761273282D4C14770FFCBA47200D02DDB4C48E1028DC5C50DE860A10A26E35AC405EFE6405486B56E9968594471075687D7BF6935BD003D"
}
]
},
{
"tag": "Data",
"type": "ByteString",
"value": "AEA6CF824612448B8445CAF46F9D987161706DAD6E43DFD1A57DD0F39869DC39A68096657A3EDC03CBC619D563744D2CC9819B6A9AB9A3893FD27F452F49A244A8CAA42279C4705D4D3A9E04D2B7887F0100D947F27D27BBD1D06F5A65087F73B8AAB617568761273282D4C14770FFCBA47200D02DDB4C48E1028DC5C50DE860A10A26E35AC405EFE6405486B56E9968594471075687D7BF6935BD003D"
}
]
}
```
```
=== "Response"
```json
{
"tag": "DecryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "df871e79-0923-47cd-9078-bbec83287c85"
},
{
"tag": "Data",
"type": "ByteString",
// Hello, world! as UTF-8 bytes in hex
"value": "0048656C6C6F2C20776F726C64210A"
"tag": "DecryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "df871e79-0923-47cd-9078-bbec83287c85"
},
{
"tag": "Data",
"type": "ByteString",
// Hello, world! as UTF-8 bytes in hex
"value": "0048656C6C6F2C20776F726C64210A"
}
]
}
]
}
```
```


@ -19,36 +19,37 @@ Destroying key `f54f14a3-5639-4054-8c23-54af891669db`:
Corresponding `ckms` command:
```shell
ckms sym keys destroy -k f54f14a3-5639-4054-8c23-54af891669d
```
ckms sym keys destroy -k f54f14a3-5639-4054-8c23-54af891669d
```
=== "Request"
```json
{
"tag": "Destroy",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
}
]
}
```
```json
{
"tag": "Destroy",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
}
]
}
```
=== "Response"
```json
{
"tag": "DestroyResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
"tag": "DestroyResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
}
]
}
]
}
```
```


@ -40,65 +40,67 @@ ckms sym encrypt -k 027cced1-ff2b-4bd3-a200-db1041583bd /tmp/hello_world.txt
Please note that the response contains:
- the encrypted data
- the nounce: 12 bytes
- the nonce: 12 bytes
- the authentication tag: 16 bytes
=== "Request"
```json
{
"tag": "Encrypt",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Data",
"type": "ByteString",
// Hello, world! as UTF-8 bytes
"value": "48656C6C6F2C20776F726C64210A"
}
]
}
```
```json
{
"tag": "Encrypt",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Data",
"type": "ByteString",
// Hello, world! as UTF-8 bytes
"value": "48656C6C6F2C20776F726C64210A"
}
]
}
```
=== "Response"
```json
{
"tag": "EncryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Data",
"type": "ByteString",
"value": "40D59A0735811135749A507FDEB3"
},
{
"tag": "IvCounterNonce",
"type": "ByteString",
"value": "DBDD622A64F7D65E75894B1B"
},
{
"tag": "AuthenticatedEncryptionTag",
"type": "ByteString",
"value": "50FCE680540BD3E96EFA9218A2F1009D"
"tag": "EncryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Data",
"type": "ByteString",
"value": "40D59A0735811135749A507FDEB3"
},
{
"tag": "IvCounterNonce",
"type": "ByteString",
"value": "DBDD622A64F7D65E75894B1B"
},
{
"tag": "AuthenticatedEncryptionTag",
"type": "ByteString",
"value": "50FCE680540BD3E96EFA9218A2F1009D"
}
]
}
]
}
```
```
#### Example - Covercrypt
Encrypting the text `Hello, world!` with the Covercrypt master public key `0fd1f684-156c-4ca6-adc2-0a6f4b620463`
(go to [Create Key Paire](./_create_key_pair.md) to see how to create the mater key pair) and attributes `Security Level::Confidential && Department::FIN`.
(go to [Create Key Pair](./_create_key_pair.md) to see how to create the mater key pair) and attributes `Security Level::Confidential && Department::FIN`.
Corresponding `ckms` CLI command:
@ -116,53 +118,54 @@ In the request, please note that the `Data` parameter contains:
- the bytes to encrypt: `Hello, world!` as UTF-8 bytes
=== "Request"
```json
{
"tag": "Encrypt",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
},
{
"tag": "CryptographicParameters",
"tag": "Encrypt",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
},
{
"tag": "CryptographicParameters",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
}
]
},
{
"tag": "Data",
"type": "ByteString",
"value": "2F5365637572697479204C6576656C3A3A436F6E666964656E7469616C202626204465706172746D656E743A3A46494E0048656C6C6F2C20776F726C64210A"
}
]
},
{
"tag": "Data",
"type": "ByteString",
"value": "2F5365637572697479204C6576656C3A3A436F6E666964656E7469616C202626204465706172746D656E743A3A46494E0048656C6C6F2C20776F726C64210A"
}
]
}
```
```
=== "Response"
```json
{
"tag": "EncryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
},
{
"tag": "Data",
"type": "ByteString",
"value": "AEA6CF824612448B8445CAF46F9D987161706DAD6E43DFD1A57DD0F39869DC39A68096657A3EDC03CBC619D563744D2CC9819B6A9AB9A3893FD27F452F49A244A8CAA42279C4705D4D3A9E04D2B7887F0100D947F27D27BBD1D06F5A65087F73B8AAB617568761273282D4C14770FFCBA47200D02DDB4C48E1028DC5C50DE860A10A26E35AC405EFE6405486B56E9968594471075687D7BF6935BD003D"
"tag": "EncryptResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
},
{
"tag": "Data",
"type": "ByteString",
"value": "AEA6CF824612448B8445CAF46F9D987161706DAD6E43DFD1A57DD0F39869DC39A68096657A3EDC03CBC619D563744D2CC9819B6A9AB9A3893FD27F452F49A244A8CAA42279C4705D4D3A9E04D2B7887F0100D947F27D27BBD1D06F5A65087F73B8AAB617568761273282D4C14770FFCBA47200D02DDB4C48E1028DC5C50DE860A10A26E35AC405EFE6405486B56E9968594471075687D7BF6935BD003D"
}
]
}
]
}
```
```


@ -49,111 +49,113 @@ ckms sym keys export -t "MySymmetricKey" /tmp/sym_key.json --allow-revoked
```
=== "Request"
```json
{
"tag": "Export",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "[\"MySymmetricKey\"]"
},
{
"tag": "KeyWrapType",
"type": "Enumeration",
"value": "AsRegistered"
}
]
}
```
=== "Response"
```json
{
"tag": "GetResponse",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Object",
"tag": "Export",
"type": "Structure",
"value": [
{
"tag": "KeyBlock",
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "[\"MySymmetricKey\"]"
},
{
"tag": "KeyWrapType",
"type": "Enumeration",
"value": "AsRegistered"
}
]
}
```
=== "Response"
```json
{
"tag": "GetResponse",
"type": "Structure",
"value": [
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Object",
"type": "Structure",
"value": [
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "Raw"
},
{
"tag": "KeyValue",
"tag": "KeyBlock",
"type": "Structure",
"value": [
{
"tag": "KeyMaterial",
"type": "ByteString",
"value": "0B3E539510BABD291BB9FEC2A390C833B05465F33374575CE4AAFFABD5E93020"
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "Raw"
},
{
"tag": "Attributes",
"tag": "KeyValue",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
"tag": "KeyMaterial",
"type": "ByteString",
"value": "0B3E539510BABD291BB9FEC2A390C833B05465F33374575CE4AAFFABD5E93020"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "TransparentSymmetricKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
"tag": "Attributes",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "TransparentSymmetricKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SymmetricKey"
}
]
}
]
},
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
}
]
},
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
}
]
}
]
}
]
}
```
```



@ -19,7 +19,7 @@ Get the attributes of a symmetric key by its unique identifier `027cced1-ff2b-4b
Corresponding `ckms` CLI command:
```bash
ckms get-attributes -i 027cced1-ff2b-4bd3-a200-db1041583bdc
ckms get-attributes -i 027cced1-ff2b-4bd3-a200-db1041583bdc
```
The request has an empty `AttributeReference` structure, which means that all
@ -36,89 +36,93 @@ array with value
```
=== "Request"
```json
{
"tag": "GetAttributes",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "AttributeReference",
"type": "Structure",
"value": []
}
]
}
```
=== "Response"
```json
{
"tag": "GetAttributesResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "Attributes",
"tag": "GetAttributes",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
"tag": "AttributeReference",
"type": "Structure",
"value": []
}
]
}
```
=== "Response"
```json
{
"tag": "GetAttributesResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "TransparentSymmetricKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SplitKey"
},
{
"tag": "VendorAttributes",
"tag": "Attributes",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "AES"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
},
{
"tag": "CryptographicUsageMask",
"type": "Integer",
"value": 2108
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "TransparentSymmetricKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "SplitKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// This is the hex value of a JSON array of system and user tags: ["MySymmetricKey","_kk"]
"value": "5B224D7953796D6D65747269634B6579222C225F6B6B225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// This is the hex value of a JSON array of system and user tags: ["MySymmetricKey","_kk"]
"value": "5B224D7953796D6D65747269634B6579222C225F6B6B225D"
}
]
}
]
}
@ -126,9 +130,7 @@ array with value
}
]
}
]
}
```
```
### Example - A NIST P-256 private key
@ -137,7 +139,7 @@ Get the attributes of a NIST P-256 private key.
Corresponding `ckms` CLI command:
```bash
ckms get-attributes -i 927adccb-f59a-4cc9-a9e3-1eeb958c601f
ckms get-attributes -i 927adccb-f59a-4cc9-a9e3-1eeb958c601f
```
The request has an empty `AttributeReference` structure, which means that
@ -149,101 +151,105 @@ In the response, please note:
- the `tag` is the hex encoded value of a JSON array with value `["_sk"]`, the system tag for a private key
=== "Request"
```json
{
"tag": "GetAttributes",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "927adccb-f59a-4cc9-a9e3-1eeb958c601f"
},
{
"tag": "AttributeReference",
"type": "Structure",
"value": []
}
]
}
```
=== "Response"
```json
{
"tag": "GetAttributesResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "927adccb-f59a-4cc9-a9e3-1eeb958c601f"
},
{
"tag": "Attributes",
"tag": "GetAttributes",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "ECDH"
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "927adccb-f59a-4cc9-a9e3-1eeb958c601f"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
"tag": "AttributeReference",
"type": "Structure",
"value": []
}
]
}
```
=== "Response"
```json
{
"tag": "GetAttributesResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "927adccb-f59a-4cc9-a9e3-1eeb958c601f"
},
{
"tag": "CryptographicDomainParameters",
"tag": "Attributes",
"type": "Structure",
"value": [
{
"tag": "QLength",
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "ECDH"
},
{
"tag": "CryptographicLength",
"type": "Integer",
"value": 256
},
{
"tag": "RecommendedCurve",
"tag": "CryptographicDomainParameters",
"type": "Structure",
"value": [
{
"tag": "QLength",
"type": "Integer",
"value": 256
},
{
"tag": "RecommendedCurve",
"type": "Enumeration",
// the curve
"value": "P256"
}
]
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
// the curve
"value": "P256"
}
]
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "TransparentECPrivateKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
"value": "TransparentECPrivateKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoded value of a JSON array of system tag: ["_sk"]
"value": "5B225F736B225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoded value of a JSON array of system tag: ["_sk"]
"value": "5B225F736B225D"
}
]
}
]
}
@ -251,9 +257,7 @@ In the response, please note:
}
]
}
]
}
```
```
### Example - A certificate imported as part of a PKCS#12 container
@ -264,7 +268,7 @@ intermediate certificate imported as part of the same container.
Corresponding `ckms` CLI command:
```bash
ckms get-attributes -i d2f4e937-dda9-4a86-bbe8-c866646a612f
ckms get-attributes -i d2f4e937-dda9-4a86-bbe8-c866646a612f
```
The request has an empty `AttributeReference` structure, which means that all attributes are requested.
@ -276,7 +280,7 @@ Please note in the response:
- the presence of all the system and user tags associated with the certificate. This is the hex encoded value of a
JSON array with value
```json
```json
[
"_cert",
"_cert_cn=My server",
@ -285,117 +289,121 @@ Please note in the response:
"_cert_issuer=0c9028bc-c518-40d3-8362-12a1edfddab0",
"_cert_sk=bf614d45-5a3e-49b9-95c0-5586d3c0d17b"
]
```
=== "Request"
```json
{
"tag": "GetAttributes",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "d2f4e937-dda9-4a86-bbe8-c866646a612f"
},
{
"tag": "AttributeReference",
"type": "Structure",
"value": []
}
]
}
```
=== "Response"
=== "Request"
```json
{
"tag": "GetAttributesResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "d2f4e937-dda9-4a86-bbe8-c866646a612f"
},
{
"tag": "Attributes",
"tag": "GetAttributes",
"type": "Structure",
"value": [
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "X509"
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "d2f4e937-dda9-4a86-bbe8-c866646a612f"
},
{
"tag": "Link",
"tag": "AttributeReference",
"type": "Structure",
"value": []
}
]
}
```
=== "Response"
```json
{
"tag": "GetAttributesResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "d2f4e937-dda9-4a86-bbe8-c866646a612f"
},
{
"tag": "Attributes",
"type": "Structure",
"value": [
{
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "PrivateKeyLink"
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// the private key
"value": "bf614d45-5a3e-49b9-95c0-5586d3c0d17b"
}
]
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "X509"
},
{
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "CertificateLink"
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "PrivateKeyLink"
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// the private key
"value": "bf614d45-5a3e-49b9-95c0-5586d3c0d17b"
}
]
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// the intermediate certificate, which is the issuer of the certificate
"value": "0c9028bc-c518-40d3-8362-12a1edfddab0"
"tag": "Link",
"type": "Structure",
"value": [
{
"tag": "LinkType",
"type": "Enumeration",
"value": "CertificateLink"
},
{
"tag": "LinkedObjectIdentifier",
"type": "TextString",
// the intermediate certificate, which is the issuer of the certificate
"value": "0c9028bc-c518-40d3-8362-12a1edfddab0"
}
]
}
]
}
]
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "Certificate"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "Certificate"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// This is the hex encoded value of a JSON array of system and user tags
"value": "5B225F63657274222C225F636572745F636E3D4D7920736572766572222C225F636572745F73706B693D36353565303430393938383461663363636133653362313164393038626238666432373237306263222C224D79504B43533132222C225F636572745F6973737565723D30633930323862632D633531382D343064332D383336322D313261316564666464616230222C225F636572745F736B3D62663631346434352D356133652D343962392D393563302D353538366433633064313762225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// This is the hex encoded value of a JSON array of system and user tags
"value": "5B225F63657274222C225F636572745F636E3D4D7920736572766572222C225F636572745F73706B693D36353565303430393938383461663363636133653362313164393038626238666432373237306263222C224D79504B43533132222C225F636572745F6973737565723D30633930323862632D633531382D343064332D383336322D313261316564666464616230222C225F636572745F736B3D62663631346434352D356133652D343962392D393563302D353538366433633064313762225D"
}
]
}
]
}
@ -403,6 +411,4 @@ Please note in the response:
}
]
}
]
}
```
```



@ -87,17 +87,14 @@ Multiple tags can be used locate objects; a JSON array of tags is used to specif
serialized to hex.
=== "Request"
```json
{
"tag": "Locate",
"type": "Structure",
"value": [
{
"tag": "Attributes",
"tag": "Locate",
"type": "Structure",
"value": [
{
"tag": "VendorAttributes",
"tag": "Attributes",
"type": "Structure",
"value": [
{
@ -105,20 +102,26 @@ serialized to hex.
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoding of ["_kk"]
"value": "5B225F6B6B225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoding of ["_kk"]
"value": "5B225F6B6B225D"
}
]
}
]
}
@ -126,71 +129,70 @@ serialized to hex.
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "LocateResponse",
"type": "Structure",
"value": [
{
"tag": "LocatedItems",
"type": "Integer",
"value": 8
},
{
"tag": "UniqueIdentifier",
"tag": "LocateResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
"tag": "LocatedItems",
"type": "Integer",
"value": 8
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "1a35b3be-1a1a-4798-a3aa-d9fc67298461"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "5dc81bb2-648f-485f-b804-c6ea45467056"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "6ce69a21-5b4b-470a-84e7-0e1385947527"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "ad9ba3be-93c7-4fac-a271-ef186fd645ce"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "bac520f6-461f-40e5-b8f2-7927d8ae310b"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "da5844b6-4d29-46b8-a657-9dfd449f8560"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "ebddca55-6027-4c86-ac1f-6b38dcfd6ead"
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "027cced1-ff2b-4bd3-a200-db1041583bdc"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "1a35b3be-1a1a-4798-a3aa-d9fc67298461"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "5dc81bb2-648f-485f-b804-c6ea45467056"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "6ce69a21-5b4b-470a-84e7-0e1385947527"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "ad9ba3be-93c7-4fac-a271-ef186fd645ce"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "bac520f6-461f-40e5-b8f2-7927d8ae310b"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "da5844b6-4d29-46b8-a657-9dfd449f8560"
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "ebddca55-6027-4c86-ac1f-6b38dcfd6ead"
}
]
}
]
}
]
}
```
```
### Example - A certificate by Common Name or Private Key Link
@ -200,7 +202,7 @@ details.
Corresponding `ckms` CLI command:
```bash
ckms locate --certificate-cn "My server"
ckms locate --certificate-cn "My server"
```
Using a JSON TTLV request, to search a certificate with CN `My server`, set the `tag` value to the hex encoding of
@ -212,17 +214,14 @@ To search a certificate by linked to private key `9550c6f3-ac11-4db8-b54f-a0514b
the hex encoding of `["_cert_sk=9550c6f3-ac11-4db8-b54f-a0514b68c897"]`.
=== "Request"
```json
{
"tag": "Locate",
"type": "Structure",
"value": [
{
"tag": "Attributes",
"tag": "Locate",
"type": "Structure",
"value": [
{
"tag": "VendorAttributes",
"tag": "Attributes",
"type": "Structure",
"value": [
{
@ -230,20 +229,26 @@ the hex encoding of `["_cert_sk=9550c6f3-ac11-4db8-b54f-a0514b68c897"]`.
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoding of ["_cert_cn=My server"]
"value": "5B225F636572745F636E3D4D7920736572766572225D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "tag"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoding of ["_cert_cn=My server"]
"value": "5B225F636572745F636E3D4D7920736572766572225D"
}
]
}
]
}
@ -251,33 +256,32 @@ the hex encoding of `["_cert_sk=9550c6f3-ac11-4db8-b54f-a0514b68c897"]`.
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "LocateResponse",
"type": "Structure",
"value": [
{
"tag": "LocatedItems",
"type": "Integer",
"value": 1
},
{
"tag": "UniqueIdentifier",
"tag": "LocateResponse",
"type": "Structure",
"value": [
{
"tag": "LocatedItems",
"type": "Integer",
"value": 1
},
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "d2f4e937-dda9-4a86-bbe8-c866646a612f"
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "d2f4e937-dda9-4a86-bbe8-c866646a612f"
}
]
}
]
}
]
}
```
```


@ -52,64 +52,67 @@ an array of the attributes that must be rotated:
}
```
Then hex encode the JSON and addit as a `VendorAttribute` with name `cover_crypt_policy_edit_action` to the `Re-Key
Then hex encode the JSON and add it as a `VendorAttribute` with name `cover_crypt_policy_edit_action` to the `Re-Key
Key Pair` request.
The Private Key Unique Identifier of the Master Secret Key must be passed in the reauest.
The Private Key Unique Identifier of the Master Secret Key must be passed in the request.
=== "Request"
```json
{
"tag": "ReKeyKeyPair",
"type": "Structure",
"value": [
{
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
},
{
"tag": "PrivateKeyAttributes",
"tag": "ReKeyKeyPair",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "CoverCryptSecretKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"tag": "PrivateKeyAttributes",
"type": "Structure",
"value": [
{
"tag": "CryptographicAlgorithm",
"type": "Enumeration",
"value": "CoverCrypt"
},
{
"tag": "KeyFormatType",
"type": "Enumeration",
"value": "CoverCryptSecretKey"
},
{
"tag": "ObjectType",
"type": "Enumeration",
"value": "PrivateKey"
},
{
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "cover_crypt_policy_edit_action"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoded JSON object {"RotateAttributes":["Security Level::Confidential"]}
"value": "7B22526F7461746541747472696275746573223A5B225365637572697479204C6576656C3A3A436F6E666964656E7469616C225D7D"
"tag": "VendorAttributes",
"type": "Structure",
"value": [
{
"tag": "VendorIdentification",
"type": "TextString",
"value": "cosmian"
},
{
"tag": "AttributeName",
"type": "TextString",
"value": "cover_crypt_policy_edit_action"
},
{
"tag": "AttributeValue",
"type": "ByteString",
// hex encoded JSON object {"RotateAttributes":["Security Level::Confidential"]}
"value": "7B22526F7461746541747472696275746573223A5B225365637572697479204C6576656C3A3A436F6E666964656E7469616C225D7D"
}
]
}
]
}
@ -117,27 +120,26 @@ The Private Key Unique Identifier of the Master Secret Key must be passed in the
}
]
}
]
}
```
```
=== "Response"
```json
{
"tag": "ReKeyKeyPairResponse",
"type": "Structure",
"value": [
{
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
},
{
"tag": "PublicKeyUniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
"tag": "ReKeyKeyPairResponse",
"type": "Structure",
"value": [
{
"tag": "PrivateKeyUniqueIdentifier",
"type": "TextString",
"value": "b652a48a-a48c-4dc1-bd7e-cf0e5126b7b9"
},
{
"tag": "PublicKeyUniqueIdentifier",
"type": "TextString",
"value": "0fd1f684-156c-4ca6-adc2-0a6f4b620463"
}
]
}
]
}
```
```


@ -26,41 +26,43 @@ Revoking key `f54f14a3-5639-4054-8c23-54af891669db` with reason `key was comprom
Corresponding `ckms` CLI command:
```bash
ckms sym keys revoke -k f54f14a3-5639-4054-8c23-54af891669db "key was compromised"
ckms sym keys revoke -k f54f14a3-5639-4054-8c23-54af891669db "key was compromised"
```
=== "Request"
```json
{
"tag": "Revoke",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
},
{
"tag": "RevocationReason",
"type": "TextString",
"value": "key was compromised"
}
]
}
```
```json
{
"tag": "Revoke",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
},
{
"tag": "RevocationReason",
"type": "TextString",
"value": "key was compromised"
}
]
}
```
=== "Response"
```json
{
"tag": "RevokeResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
"tag": "RevokeResponse",
"type": "Structure",
"value": [
{
"tag": "UniqueIdentifier",
"type": "TextString",
"value": "f54f14a3-5639-4054-8c23-54af891669db"
}
]
}
]
}
```
```


@ -9,7 +9,7 @@ This configuration also supports user encrypted databases, a secure way to store
To run in single server mode, using the defaults, run the container as follows:
```sh
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.0
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.1
```
The KMS will be available on `http://localhost:9998`, and the server will store its data inside the container in the `/root/cosmian-kms/sqlite-data` directory.
@ -21,7 +21,7 @@ To persist data between restarts, map the `/root/cosmian-kms/sqlite-data` path t
```sh
docker run --rm -p 9998:9998 \
-v cosmian-kms:/root/cosmian-kms/sqlite-data \
--name kms ghcr.io/cosmian/kms:4.10.0
--name kms ghcr.io/cosmian/kms:4.10.1
```
### Using user encrypted databases
@ -31,7 +31,7 @@ To start the KMS server with user encrypted SQLite databases, pass the `--databa
```sh
docker run --rm -p 9998:9998 \
-v cosmian-kms:/root/cosmian-kms/sqlite-data \
--name kms ghcr.io/cosmian/kms:4.10.0 \
--name kms ghcr.io/cosmian/kms:4.10.1 \
--database-type=sqlite-enc
```
@ -39,10 +39,13 @@ docker run --rm -p 9998:9998 \
Before using an encrypted database, you must create it by calling the `POST /new_database` endpoint. The call will return a secret
=== "ckms"
```sh
ckms new-database
```
=== "curl"
```sh
➜ curl -X POST https://my-server:9998/new_database
"eyJncm91cF9pZCI6MzE0ODQ3NTQzOTU4OTM2Mjk5OTY2ODU4MTY1NzE0MTk0MjU5NjUyLCJrZXkiOiIzZDAyNzg3YjUyZGY5OTYzNGNkOTVmM2QxODEyNDk4YTRiZWU1Nzc1NmM5NDI0NjdhZDI5ZTYxZjFmMmM0OWViIn0="%
@ -57,20 +60,22 @@ Once an encrypted database is created, the secret must be passed in every subseq
Passing the correct secret "auto-selects" the correct encrypted database: multiple encrypted databases can be used concurrently on the same KMS server.
=== "ckms"
The secret must be set in `kms_database_secret` property of the CLI `kms.json` configuration file.
```json
{
"kms_server_url": "https://my-server:9998",
"kms_database_secret": "eyJncm91cF9pZCI6MzE0ODQ3NTQzOTU4OTM2Mjk5OTY2ODU4MTY1NzE0MTk0MjU5NjUyLCJrZXkiOiIzZDAyNzg3YjUyZGY5OTYzNGNkOTVmM2QxODEyNDk4YTRiZWU1Nzc1NmM5NDI0NjdhZDI5ZTYxZjFmMmM0OWViIn0="
}
{
"kms_server_url": "https://my-server:9998",
"kms_database_secret": "eyJncm91cF9pZCI6MzE0ODQ3NTQzOTU4OTM2Mjk5OTY2ODU4MTY1NzE0MTk0MjU5NjUyLCJrZXkiOiIzZDAyNzg3YjUyZGY5OTYzNGNkOTVmM2QxODEyNDk4YTRiZWU1Nzc1NmM5NDI0NjdhZDI5ZTYxZjFmMmM0OWViIn0="
}
```
=== "curl"
The secret must be passed using a `KmsDatabaseSecret` HTTP header, e.g.
```sh
curl \
-H "KmsDatabaseSecret: eyJncm91cF9pZCI6MzE0ODQ3NTQzOTU4OTM2Mjk5OTY2ODU4MTY1NzE0MTk0MjU5NjUyLCJrZXkiOiIzZDAyNzg3YjUyZGY5OTYzNGNkOTVmM2QxODEyNDk4YTRiZWU1Nzc1NmM5NDI0NjdhZDI5ZTYxZjFmMmM0OWViIn0=" \
http://localhost:9998/objects/owned
curl \
-H "KmsDatabaseSecret: eyJncm91cF9pZCI6MzE0ODQ3NTQzOTU4OTM2Mjk5OTY2ODU4MTY1NzE0MTk0MjU5NjUyLCJrZXkiOiIzZDAyNzg3YjUyZGY5OTYzNGNkOTVmM2QxODEyNDk4YTRiZWU1Nzc1NmM5NDI0NjdhZDI5ZTYxZjFmMmM0OWViIn0=" \
http://localhost:9998/objects/owned
```


@ -29,7 +29,7 @@ Say the certificate is called `server.mydomain.com.p12`, is protected by the pas
```sh
docker run --rm -p 443:9998 \
-v /certificate/server.mydomain.com.p12:/root/cosmian-kms/server.mydomain.com.p12 \
--name kms ghcr.io/cosmian/kms:4.10.0 \
--name kms ghcr.io/cosmian/kms:4.10.1 \
--database-type=mysql \
--database-url=mysql://mysql_server:3306/kms \
--https-p12-file=server.mydomain.com.p12 \
@ -67,7 +67,7 @@ Example:
docker run --rm -p 443:9998 \
-v cosmian-kms:/root/cosmian-kms/sqlite-data \
-v cosmian-kms-certs:/root/cosmian-kms/certbot-ssl \
--name kms ghcr.io/cosmian/kms:4.10.0 \
--name kms ghcr.io/cosmian/kms:4.10.1 \
--database-type=sqlite-enc \
--use-certbot \
--certbot-server-name server.mydomain.com \


@ -37,7 +37,7 @@ The KMS servers must be installed in confidential VMs and started in bootstrap m
- To start the database server in bootstrap mode, use the `-use-bootstrap-server` option (see [bootstrap](./bootstrap.md) from more details) on the docker started in the confidential VM :
```bash
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.0 --use-bootstrap-server
docker run -p 9998:9998 --name kms ghcr.io/cosmian/kms:4.10.1 --use-bootstrap-server
```
- To use the TLS generation using LetsEncrypt inside the confidential VM add the arguments described in [tls](./tls.md#using-the-certificates-bot)