Feat/crypto jwe api#929
Open
HatemMn wants to merge 19 commits into
Open
Conversation
HatemMn
force-pushed
the
feat/crypto_JWE_api
branch
from
20c6cab to
36c6d69
Compare
Manuthor
force-pushed
the
feat/crypto_JWE_api
branch
2 times, most recently
from
26bf912 to
ce5326e
Compare
This reverts commit bba8366.
…ypto routes Replace string-typed algorithm fields with typed enums (JoseAlgorithm, JoseEncAlgorithm) across all /v1/crypto route handlers. Invalid algorithm values are now rejected at serde deserialization time (400 Bad Request) instead of at handler level (422). - Add JoseAlgorithm enum: Dir, RS256..512, PS256..512, ES256..512, HS256..512, EdDSA (non-fips), MLDSA44 (non-fips) - Add JoseEncAlgorithm enum: A128GCM, A192GCM, A256GCM - Convert jose_to_kmip_params and all helpers to pattern matching - Add custom JsonConfig error handler for consistent JSON error bodies - Update unit tests and bash test expectations (422 -> 400)
Manuthor
force-pushed
the
feat/crypto_JWE_api
branch
from
ce5326e to
e697ea6
Compare
- POST /v1/crypto/keys: generate symmetric (oct), RSA, EC, OKP keys
- DELETE /v1/crypto/keys/{kid}: revoke + destroy with cascade
- Rewrite jose_vectors.rs as generic auto-discovery test runner
- Migrate test vectors: key_spec -> key (JWK request format)
- Add pre-computed signing input to rfc7520_s4_4 KAT vector
- Update REST crypto API documentation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
JOSE stands for JSON Object Signing and Encryption.
It groups together 4 core RFCs:
Another document will be followed: RFC 7519 - which sits on top of JOSE - it uses the JOSE Header and JOSE cryptographic operations, but adds the concept of claims.
In depth details are cited in the related issue : https://github.com/Cosmian/kms/issues/
How this was implemented :
First layer :
crate/server/src/start_kms_server.rsThe new API was registred the same way as other APIs such as CSE, DKE, etc.
Second layer : Hanlers,
routes/crypto/*.rsEach of these handlers :
Each handler does three things, nothing more:
Third layer : translation
This is the only new logic.
The KMS doesn't know what "ES256" is, or what a JOSE alg is. The file
crate/server/src/routes/crypto/algorithm.rstranslates the JOSE specs to a KMIP structFinal layers : KMS Core
Nothing fundamental changes withing the KMS or crypto ops. Most the other diffs are wiring and plumbing and error handling (according to the request in the issue)
Closes #868