chore: Merge tag '4.23.0' into develop

feat: add KMS UI

.gitignore

@@ -20,4 +20,3 @@ node_modules/
 **/cosmian-kms/sqlite-data*
 run.sh
 .aider/
-ui/

.pre-commit-config.yaml

@@ -7,7 +7,7 @@
 
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-exclude: documentation/pandoc|documentation/overrides|crate/server/src/tests/test_utils.rs|.pre-commit-config.yaml|crate/server/src/routes/google_cse/jwt.rs|crate/server/src/routes/google_cse/python/openssl|documentation/docs/google_cse|crate/pkcs11/sys|documentation/docs/drawings|test_data|documentation/docs/benchmarks.md|crate/hsm/proteccio/driver
+exclude: documentation/pandoc|documentation/overrides|crate/server/src/tests/test_utils.rs|.pre-commit-config.yaml|crate/server/src/routes/google_cse/jwt.rs|crate/server/src/routes/google_cse/python/openssl|documentation/docs/google_cse|crate/pkcs11/sys|documentation/docs/drawings|test_data|documentation/docs/benchmarks.md|crate/hsm/proteccio/driver|crate/server/ui
 repos:
   - repo: https://github.com/compilerla/conventional-pre-commit
     rev: v4.0.0

CHANGELOG.md

@@ -2,6 +2,38 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.23.0] - 2025-04-10
+
+### 🚀 Features
+
+- Add digest and MAC KMIP operations ([#370](https://github.com/Cosmian/kms/pull/370))
+- Upgrade Covercrypt to v15 ([#382](https://github.com/Cosmian/kms/pull/382))
+- Add CBC encryption mode ([#395](https://github.com/Cosmian/kms/pull/395))
+- Add UI ([#391](https://github.com/Cosmian/kms/pull/391))
+
+### 🐛 Bug Fixes
+
+- Shrink docker images size using slim-bullseye base image ([#377](https://github.com/Cosmian/kms/pull/377))
+- Clean unneeded test files ([#392](https://github.com/Cosmian/kms/pull/392))
+- RUSTSEC-2025-0009: `ring`: Some AES functions may panic when overflow checking is enabled.
+- RUSTSEC-2025-0022: `openssl`: Use-After-Free in Md::fetch and Cipher::fetch
+
+### 🚜 Refactor
+
+- Move all CLI relative crates on <https://github.com/Cosmian/client> ([#383](https://github.com/Cosmian/kms/pull/383))
+
+### 📚 Documentation
+
+- Fix Google expected X509 extensions
+
+### 🧪 Testing
+
+- Add HSM tests using Utimaco simulator ([#380](https://github.com/Cosmian/kms/pull/380))
+
+### ⚙️ Miscellaneous Tasks
+
+- Reuse generic Github workflows ([#401](https://github.com/Cosmian/kms/pull/401))
+
 ## [4.22.1] - 2025-02-04
 
 ### 🧪 CI

Cargo.lock

@@ -1152,7 +1152,7 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 
 [[package]]
 name = "cosmian_cli"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "actix-rt",
  "actix-server",
@@ -1319,7 +1319,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_findex_client"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "base64 0.22.1",
  "cosmian_crypto_core 10.0.1",
@@ -1407,7 +1407,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kmip"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "bitflags 2.8.0",
  "chrono",
@@ -1428,7 +1428,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_access"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "cosmian_kmip",
  "serde",
@@ -1436,7 +1436,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_base_hsm"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "async-trait",
  "cosmian_kms_interfaces",
@@ -1452,7 +1452,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_client"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "cosmian_crypto_core 10.0.1",
  "cosmian_http_client",
@@ -1469,7 +1469,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_client_utils"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "base64 0.22.1",
  "clap",
@@ -1487,7 +1487,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_crypto"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "aes-gcm-siv",
  "argon2",
@@ -1510,7 +1510,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_interfaces"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "async-trait",
  "cosmian_kmip",
@@ -1523,7 +1523,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_server"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "actix-cors",
  "actix-files",
@@ -1585,7 +1585,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_kms_server_database"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "async-trait",
  "clap",
@@ -1626,7 +1626,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_pkcs11"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "cosmian_kms_client",
  "cosmian_logger",
@@ -1649,7 +1649,7 @@ dependencies = [
 
 [[package]]
 name = "cosmian_pkcs11_module"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "bincode",
  "const-oid",
@@ -4023,7 +4023,7 @@ dependencies = [
 
 [[package]]
 name = "proteccio_pkcs11_loader"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "cosmian_kms_base_hsm",
  "cosmian_kms_interfaces",
@@ -5271,7 +5271,7 @@ checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
 
 [[package]]
 name = "test_findex_server"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "actix-server",
  "cosmian_findex_client",
@@ -5285,7 +5285,7 @@ dependencies = [
 
 [[package]]
 name = "test_kms_server"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "actix-server",
  "base64 0.22.1",
@@ -5852,7 +5852,7 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
 [[package]]
 name = "utimaco_pkcs11_loader"
-version = "4.22.1"
+version = "4.23.0"
 dependencies = [
  "cosmian_kms_base_hsm",
  "cosmian_kms_interfaces",

Cargo.toml

@@ -22,7 +22,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "4.22.1"
+version = "4.23.0"
 edition = "2021"
 rust-version = "1.71.0"
 authors = [

Dockerfile

@@ -1,9 +1,9 @@
 #
 # KMS server
 #
-FROM rust:1.85.0-bullseye AS builder
+FROM rust:1.85.0-bookworm AS builder
 
-LABEL version="4.22.1"
+LABEL version="4.23.0"
 LABEL name="Cosmian KMS docker container"
 
 ENV OPENSSL_DIR=/usr/local/openssl
@@ -23,17 +23,15 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then export ARCHITECTURE=x86_64; e
 
 # Conditional cargo build based on FIPS argument
 RUN if [ "$FIPS" = "true" ]; then \
-    FEATURES="fips" bash .github/scripts/build_ui.sh; \
     cargo build -p cosmian_cli -p cosmian_kms_server --release --no-default-features --features="fips"; \
     else \
-    bash .github/scripts/build_ui.sh; \
     cargo build -p cosmian_cli -p cosmian_kms_server --release --no-default-features; \
     fi
 
 #
 # KMS server
 #
-FROM debian:bullseye-slim AS kms-server
+FROM debian:bookworm-slim AS kms-server
 
 COPY --from=builder /root/kms/crate/server/ui                   /usr/local/cosmian/ui
 COPY --from=builder /root/kms/target/release/cosmian_kms        /usr/bin/cosmian_kms

README.md

@@ -61,7 +61,7 @@ The KMS has extensive online [documentation](https://docs.cosmian.com/key_manage
 
 ## Quick start
 
-Pre-built binaries [are available](https://package.cosmian.com/kms/4.22.1/)
+Pre-built binaries [are available](https://package.cosmian.com/kms/4.23.0/)
 for Linux, MacOS, and Windows, as well as Docker images. To run the server binary, OpenSSL must be
 available in your path (see "building the KMS" below for details); other binaries do not have this
 requirement.

cli

@@ -1 +1 @@
-Subproject commit 26bd496a894483760efc21f8bcb2393ad2d0208d
+Subproject commit 5836b7c260acc61242be66fc6cc8d13fc654882c

crate/server/ui/dist/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" href="/ui/assets/cropped-favicon-cosmian-32x32-BVkavOsn.png" sizes="32x32" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Cosmian KMS</title>
+    <script type="module" crossorigin src="/ui/assets/index-D0IgDctm.js"></script>
+    <link rel="stylesheet" crossorigin href="/ui/assets/index-BzFVru8x.css">
+  </head>
+  <body>
+    <div id="root" class="h-screen"></div>
+  </body>
+</html>

documentation/docs/fips.md

@@ -16,7 +16,7 @@ The OpenSSL FIPS provider is certified under
   when used on Red Hat Enterprise Linux 9 (RHEL 9)
 
 Cosmian
-produces [pre-built Ubuntu 22.04 FIPS mode binaries](https://package.cosmian.com/kms/4.22.1/ubuntu-22.04/)
+produces [pre-built Ubuntu 22.04 FIPS mode binaries](https://package.cosmian.com/kms/4.23.0/ubuntu-22.04/)
 and docker containers of the KMS (on gcr.io).
 
 Alternatively, you can build the FIPS mode version from source, using the `--features fips` flag:

documentation/docs/index.md

@@ -44,11 +44,11 @@ Please refer to the list of [supported algorithms](./algorithms.md).
 
 The **Cosmian KMS** is packaged as:
 
-- [Debian](https://package.cosmian.com/kms/4.22.1/ubuntu-22.04/) or [RPM](https://package.cosmian.com/kms/4.22.1/rhel9/)
+- [Debian](https://package.cosmian.com/kms/4.23.0/ubuntu-22.04/) or [RPM](https://package.cosmian.com/kms/4.23.0/rhel9/)
   package
 - Docker [image](https://github.com/Cosmian/kms/pkgs/container/kms)
   and [FIPS image](https://github.com/Cosmian/kms/pkgs/container/kms)
-- Pre-built [binaries](https://package.cosmian.com/kms/4.22.1/) for multiple operating systems (Linux, Windows, MacOS)
+- Pre-built [binaries](https://package.cosmian.com/kms/4.23.0/) for multiple operating systems (Linux, Windows, MacOS)
 
 ## Client CLI
 
@@ -58,7 +58,7 @@ or decryption.
 
 The **[Cosmian CLI](../cosmian_cli/index.md)** is packaged as:
 
-- [Debian](https://package.cosmian.com/kms/4.22.1/ubuntu-22.04/) or [RPM](https://package.cosmian.com/kms/4.22.1/rhel9/)
+- [Debian](https://package.cosmian.com/kms/4.23.0/ubuntu-22.04/) or [RPM](https://package.cosmian.com/kms/4.23.0/rhel9/)
   package
 - Pre-built [binaries](https://package.cosmian.com/cli/) for multiple operating systems (Linux, Windows, MacOS)
 

documentation/docs/installation/installation_getting_started.md

@@ -46,16 +46,16 @@ For high availability and scalability, please refer to the [high availability gu
 
     ```sh
     sudo apt update && sudo apt install -y wget
-    wget https://package.cosmian.com/kms/4.22.1/ubuntu-22.04/cosmian-kms-server_4.22.1-1_amd64.deb
-    sudo apt install ./cosmian-kms-server_4.22.1-1_amd64.deb
+    wget https://package.cosmian.com/kms/4.23.0/ubuntu-22.04/cosmian-kms-server_4.23.0-1_amd64.deb
+    sudo apt install ./cosmian-kms-server_4.23.0-1_amd64.deb
     cosmian_kms --version
     ```
 
     Or install the FIPS version:
 
     ```sh
-    wget https://package.cosmian.com/kms/4.22.1/ubuntu-22.04/cosmian-kms-server-fips_4.22.1-1_amd64.deb
-    sudo apt install ./cosmian-kms-server-fips_4.22.1-1_amd64.deb
+    wget https://package.cosmian.com/kms/4.23.0/ubuntu-22.04/cosmian-kms-server-fips_4.23.0-1_amd64.deb
+    sudo apt install ./cosmian-kms-server-fips_4.23.0-1_amd64.deb
     cosmian_kms --version
     ```
 
@@ -74,16 +74,16 @@ For high availability and scalability, please refer to the [high availability gu
 
     ```sh
     sudo apt update && sudo apt install -y wget
-    wget https://package.cosmian.com/kms/4.22.1/ubuntu-24.04/cosmian-kms-server_4.22.1-1_amd64.deb
-    sudo apt install ./cosmian-kms-server_4.22.1-1_amd64.deb
+    wget https://package.cosmian.com/kms/4.23.0/ubuntu-24.04/cosmian-kms-server_4.23.0-1_amd64.deb
+    sudo apt install ./cosmian-kms-server_4.23.0-1_amd64.deb
     cosmian_kms --version
     ```
 
     Or install the FIPS version:
 
     ```sh
-    wget https://package.cosmian.com/kms/4.22.1/ubuntu-24.04/cosmian-kms-server-fips_4.22.1-1_amd64.deb
-    sudo apt install ./cosmian-kms-server-fips_4.22.1-1_amd64.deb
+    wget https://package.cosmian.com/kms/4.23.0/ubuntu-24.04/cosmian-kms-server-fips_4.23.0-1_amd64.deb
+    sudo apt install ./cosmian-kms-server-fips_4.23.0-1_amd64.deb
     cosmian_kms --version
     ```
 
@@ -102,8 +102,8 @@ For high availability and scalability, please refer to the [high availability gu
 
     ```sh
     sudo dnf update && dnf install -y wget
-    wget https://package.cosmian.com/kms/4.22.1/rhel9/cosmian_kms_server-4.22.1-1.x86_64.rpm
-    sudo dnf install ./cosmian_kms_server-4.22.1-1.x86_64.rpm
+    wget https://package.cosmian.com/kms/4.23.0/rhel9/cosmian_kms_server-4.23.0-1.x86_64.rpm
+    sudo dnf install ./cosmian_kms_server-4.23.0-1.x86_64.rpm
     cosmian_kms --version
     ```
 
@@ -112,7 +112,7 @@ For high availability and scalability, please refer to the [high availability gu
     On ARM MacOS, download the build archive and extract it:
 
     ```sh
-    wget https://package.cosmian.com/kms/4.22.1/macos_arm-release.zip
+    wget https://package.cosmian.com/kms/4.23.0/macos_arm-release.zip
     unzip macos_arm-release.zip
     cp ./macos_arm-release/Users/runner/work/kms/kms/target/aarch64-apple-darwin/release/cosmian_kms /usr/local/bin/
     chmod u+x /usr/local/bin/cosmian_kms
@@ -122,7 +122,7 @@ For high availability and scalability, please refer to the [high availability gu
     On Intel MacOS, download the build archive and extract it:
 
     ```sh
-    wget https://package.cosmian.com/kms/4.22.1/macos_intel-release.zip
+    wget https://package.cosmian.com/kms/4.23.0/macos_intel-release.zip
     unzip macos_intel-release.zip
     cp ./macos_intel-release/Users/runner/work/kms/kms/target/x86_64-apple-darwin/release/cosmian_kms /usr/local/bin/
     chmod u+x /usr/local/bin/cosmian_kms
@@ -134,7 +134,7 @@ For high availability and scalability, please refer to the [high availability gu
     On Windows, download the build archive:
 
     ```sh
-     https://package.cosmian.com/kms/4.22.1/windows-release.zip
+     https://package.cosmian.com/kms/4.23.0/windows-release.zip
     ```
 
     Extract the cosmian_kms from:

documentation/docs/installation/marketplace_guide.md

@@ -150,7 +150,7 @@ journalctl -u cosmian_vm_agent
 
 ```console
 $ curl --insecure https://${COSMIAN_VM_IP_ADDR}/version
-"4.22.1"
+"4.23.0"
 ```
 
 !!! info "Why `--allow-insecure-tls` and `--insecure` flags?"

version

@@ -1 +1 @@
-"4.22.1"
+"4.23.0"