Microsoft DKE + refactoring of utils/crypto

.github/workflows/main.yml

@@ -42,3 +42,18 @@ jobs:
 
   python_and_docker:
     uses: ./.github/workflows/build_and_test_docker_image.yml
+
+  public_documentation:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Deploy documentation in staging
+        if: ${{ github.ref_name == 'develop' }}
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: staging.yml
+          repo: Cosmian/public_documentation
+          ref: develop
+          token: ${{ secrets.PAT_TOKEN }}

.pre-commit-config.yaml

@@ -52,6 +52,7 @@ repos:
     hooks:
       - id: markdown-link-check
         args: [-q]
+        exclude: documentation/docs/ms_dke/ms_dke.md
 
   - repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
     rev: 0.2.2
@@ -108,6 +109,7 @@ repos:
       - id: debug-statements
       - id: destroyed-symlinks
       - id: detect-private-key
+        exclude: crate/server/src/tests/ms_dke
       - id: double-quote-string-fixer
       - id: end-of-file-fixer
       - id: file-contents-sorter

CHANGELOG.md

@@ -8,6 +8,11 @@ All notable changes to this project will be documented in this file.
 
 - Generalize the refresh of JWKS in the middleware [#150](https://github.com/Cosmian/kms/pull/150).
 - CI speed up [#173](https://github.com/Cosmian/kms/pull/173).
+- Add support for Microsoft Double Key Encryption (DKE) endpoints [#170](https://github.com/Cosmian/kms/pull/170).
+- Re-organized crypto package by algorithm, removed duplicated code [#170](https://github.com/Cosmian/kms/pull/170).
+- Add support for FIPS mode for the ckms client [#170](https://github.com/Cosmian/kms/pull/170).
+- Documented TOML configuration file for the KMS server [#170](https://github.com/Cosmian/kms/pull/170).
+- Overall improvements to the documentation on algorithms and FIPS mode [#170](https://github.com/Cosmian/kms/pull/170).
 
 ## [4.11.3] - 2024-01-26
 
@@ -45,7 +50,7 @@ All notable changes to this project will be documented in this file.
 ### Features
 
 - X509 v3 extensions support [#120](https://github.com/Cosmian/kms/issues/120)
-- Dynamic salt for password derivation, resolving issue #124 [#128](https://github.com/Cosmian/kms/issues/128)
+- Dynamic salt for password derivation, resolving issue [#124](https://github.com/Cosmian/kms/issues/124) [#128](https://github.com/Cosmian/kms/issues/128)
 - Support Cosmian VM [#129](https://github.com/Cosmian/kms/issues/129)
 - Make rsa oaep aes a generalized encryption system for use in all kms and not only for key wrapping [#130](https://github.com/Cosmian/kms/issues/130)
 - ECIES implementation for Hybrid Encryption [#134](https://github.com/Cosmian/kms/issues/134)

Cargo.toml

@@ -81,6 +81,7 @@ reqwest = { version = "0.11.22", features = [
   "native-tls",
   "rustls-tls",
   "stream",
+  "blocking",
 ] }
 rustls = { version = "0.21", features = ["dangerous_configuration"] }
 serde = { version = "1.0", features = ["derive"] }

README.md

@@ -172,7 +172,7 @@ Then run the entrypoint script.
 
 The `etc/app/server.toml` file contains:
 
-```
+```toml
 [http]
 port = 3000
 hostname = "0.0.0.0"

crate/cli/Cargo.toml

@@ -32,7 +32,6 @@ cosmian_logger = { path = "../logger" }
 der = { workspace = true }
 oauth2 = "4.4"
 pem = "3.0"
-rand = "0.8"
 reqwest = { workspace = true }
 rustls = { workspace = true }
 serde = { workspace = true }

crate/cli/src/actions/certificates/decrypt_certificate.rs

@@ -1,10 +1,7 @@
 use std::{fs::File, io::prelude::*, path::PathBuf};
 
 use clap::Parser;
-use cosmian_kmip::kmip::{
-    kmip_operations::{Decrypt, DecryptedData},
-    kmip_types::UniqueIdentifier,
-};
+use cosmian_kmip::kmip::{kmip_operations::Decrypt, kmip_types::UniqueIdentifier};
 use cosmian_kms_client::KmsRestClient;
 
 use crate::{
@@ -71,23 +68,20 @@ impl DecryptCertificateAction {
             .decrypt(decrypt_request)
             .await
             .with_context(|| "Can't execute the query on the kms server")?;
-
-        let metadata_and_cleartext: DecryptedData = decrypt_response
+        let plaintext = decrypt_response
             .data
-            .context("The plain data are empty")?
-            .as_slice()
-            .try_into()?;
+            .context("Decrypt with certificate: the plaintext is empty")?;
 
         // Write the decrypted file
         let output_file = self
             .output_file
             .clone()
             .unwrap_or_else(|| self.input_file.clone().with_extension(".plain"));
         let mut buffer =
-            File::create(&output_file).with_context(|| "Fail to write the plain file")?;
+            File::create(&output_file).with_context(|| "Fail to write the plaintext file")?;
         buffer
-            .write_all(&metadata_and_cleartext.plaintext)
-            .with_context(|| "Fail to write the plain file")?;
+            .write_all(&plaintext)
+            .with_context(|| "Fail to write the plaintext file")?;
 
         println!("The decrypted file is available at {:?}", &output_file);
 

crate/cli/src/actions/certificates/import_certificate.rs

@@ -10,6 +10,7 @@ use cosmian_kms_client::KmsRestClient;
 use der::{Decode, DecodePem, Encode};
 use tracing::{debug, trace};
 use x509_cert::Certificate;
+use zeroize::Zeroizing;
 
 use crate::{
     actions::shared::{
@@ -243,7 +244,7 @@ impl ImportCertificateAction {
 
     /// Import the certificate, the chain and the associated private key
     async fn import_pkcs12(&self, kms_rest_client: &KmsRestClient) -> Result<String, CliError> {
-        let pkcs12_bytes = read_bytes_from_file(&self.get_certificate_file()?)?;
+        let pkcs12_bytes = Zeroizing::from(read_bytes_from_file(&self.get_certificate_file()?)?);
 
         // Create a KMIP private key from the PKCS12 private key
         let private_key = build_private_key_from_der_bytes(KeyFormatType::PKCS12, pkcs12_bytes);

crate/cli/src/actions/cover_crypt/decrypt.rs

@@ -80,6 +80,7 @@ impl DecryptAction {
                 .as_deref()
                 .map(|s| s.as_bytes().to_vec()),
             Some(cryptographic_algorithm),
+            None,
         );
 
         tracing::debug!("{decrypt_request:?}");

crate/cli/src/actions/cover_crypt/encrypt.rs

@@ -84,6 +84,7 @@ impl EncryptAction {
                 .as_deref()
                 .map(|s| s.as_bytes().to_vec()),
             Some(cryptographic_algorithm),
+            None,
         )?;
 
         tracing::debug!("{encrypt_request:?}");

crate/cli/src/actions/elliptic_curves/decrypt.rs

@@ -1,7 +1,6 @@
 use std::{fs::File, io::Write, path::PathBuf};
 
 use clap::Parser;
-use cosmian_kmip::kmip::kmip_operations::DecryptedData;
 use cosmian_kms_client::KmsRestClient;
 use cosmian_kms_utils::crypto::generic::kmip_requests::build_decryption_request;
 
@@ -64,19 +63,17 @@ impl DecryptAction {
                 .as_deref()
                 .map(|s| s.as_bytes().to_vec()),
             None,
+            None,
         );
 
         // Query the KMS with your kmip data and get the key pair ids
         let decrypt_response = kms_rest_client
             .decrypt(decrypt_request)
             .await
             .with_context(|| "Can't execute the query on the kms server")?;
-
-        let metadata_and_cleartext: DecryptedData = decrypt_response
+        let plaintext = decrypt_response
             .data
-            .context("The plain data is empty")?
-            .as_slice()
-            .try_into()?;
+            .context("Decrypt with elliptic curve: the plaintext is empty")?;
 
         // Write the decrypted file
         let output_file = self
@@ -86,7 +83,7 @@ impl DecryptAction {
         let mut buffer =
             File::create(&output_file).with_context(|| "Fail to write the plain file")?;
         buffer
-            .write_all(&metadata_and_cleartext.plaintext)
+            .write_all(&plaintext)
             .with_context(|| "Fail to write the plain file")?;
 
         println!("The decrypted file is available at {output_file:?}");

crate/cli/src/actions/elliptic_curves/encrypt.rs

@@ -64,6 +64,7 @@ impl EncryptAction {
                 .as_deref()
                 .map(|s| s.as_bytes().to_vec()),
             None,
+            None,
         )?;
 
         // Query the KMS with your kmip data and get the key pair ids

crate/cli/src/actions/elliptic_curves/keys/create_key_pair.rs

@@ -1,21 +1,67 @@
 use clap::Parser;
 use cosmian_kmip::kmip::kmip_types::RecommendedCurve;
 use cosmian_kms_client::KmsRestClient;
-use cosmian_kms_utils::crypto::elliptic_curves::kmip_requests::create_curve_25519_key_pair_request;
+use cosmian_kms_utils::crypto::elliptic_curves::kmip_requests::create_ec_key_pair_request;
 
 use crate::error::{result::CliResultHelper, CliError};
 
-/// Create a new X25519 key pair
+#[derive(clap::ValueEnum, Debug, Clone, Copy)]
+pub enum Curve {
+    #[cfg(not(feature = "fips"))]
+    NistP192,
+    NistP224,
+    NistP256,
+    NistP384,
+    NistP521,
+    #[cfg(not(feature = "fips"))]
+    X25519,
+    #[cfg(not(feature = "fips"))]
+    Ed25519,
+    #[cfg(not(feature = "fips"))]
+    X448,
+    #[cfg(not(feature = "fips"))]
+    Ed448,
+}
+
+impl From<Curve> for RecommendedCurve {
+    fn from(curve: Curve) -> RecommendedCurve {
+        match curve {
+            #[cfg(not(feature = "fips"))]
+            Curve::NistP192 => RecommendedCurve::P192,
+            Curve::NistP224 => RecommendedCurve::P224,
+            Curve::NistP256 => RecommendedCurve::P256,
+            Curve::NistP384 => RecommendedCurve::P384,
+            Curve::NistP521 => RecommendedCurve::P521,
+            #[cfg(not(feature = "fips"))]
+            Curve::X25519 => RecommendedCurve::CURVE25519,
+            #[cfg(not(feature = "fips"))]
+            Curve::Ed25519 => RecommendedCurve::CURVEED25519,
+            #[cfg(not(feature = "fips"))]
+            Curve::X448 => RecommendedCurve::CURVE448,
+            #[cfg(not(feature = "fips"))]
+            Curve::Ed448 => RecommendedCurve::CURVEED448,
+        }
+    }
+}
+
+/// Create an elliptic curve key pair
 ///
 ///  - The public is used to encrypt
 ///      and can be safely shared.
 ///  - The private key is used to decrypt
 ///      and must be kept secret.
 ///
+/// Run this subcommand with --help to see the list of supported curves.
+/// Defaults to NIST P256
+///
 /// Tags can later be used to retrieve the keys. Tags are optional.
 #[derive(Parser)]
 #[clap(verbatim_doc_comment)]
 pub struct CreateKeyPairAction {
+    /// The elliptic curve
+    #[clap(long = "curve", short = 'c', default_value = "nist-p256")]
+    curve: Curve,
+
     /// The tag to associate with the master key pair.
     /// To specify multiple tags, use the option multiple times.
     #[clap(long = "tag", short = 't', value_name = "TAG")]
@@ -24,8 +70,7 @@ pub struct CreateKeyPairAction {
 
 impl CreateKeyPairAction {
     pub async fn run(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
-        let create_key_pair_request =
-            create_curve_25519_key_pair_request(&self.tags, RecommendedCurve::CURVE25519)?;
+        let create_key_pair_request = create_ec_key_pair_request(&self.tags, self.curve.into())?;
 
         // Query the KMS with your kmip data and get the key pair ids
         let create_key_pair_response = kms_rest_client

crate/cli/src/actions/elliptic_curves/mod.rs

@@ -1,27 +1,35 @@
+#[cfg(not(feature = "fips"))]
 mod decrypt;
+#[cfg(not(feature = "fips"))]
 mod encrypt;
 mod keys;
 
 use clap::Parser;
 use cosmian_kms_client::KmsRestClient;
 
-use self::{decrypt::DecryptAction, encrypt::EncryptAction, keys::KeysCommands};
+use self::keys::KeysCommands;
+#[cfg(not(feature = "fips"))]
+use self::{decrypt::DecryptAction, encrypt::EncryptAction};
 use crate::error::CliError;
 
 /// Manage elliptic curve keys. Encrypt and decrypt data using ECIES.
 #[derive(Parser)]
 pub enum EllipticCurveCommands {
     #[command(subcommand)]
     Keys(KeysCommands),
+    #[cfg(not(feature = "fips"))]
     Encrypt(EncryptAction),
+    #[cfg(not(feature = "fips"))]
     Decrypt(DecryptAction),
 }
 
 impl EllipticCurveCommands {
     pub async fn process(&self, kms_rest_client: &KmsRestClient) -> Result<(), CliError> {
         match self {
             Self::Keys(command) => command.process(kms_rest_client).await?,
+            #[cfg(not(feature = "fips"))]
             Self::Encrypt(action) => action.run(kms_rest_client).await?,
+            #[cfg(not(feature = "fips"))]
             Self::Decrypt(action) => action.run(kms_rest_client).await?,
         };
         Ok(())

crate/cli/src/actions/mod.rs

@@ -1,5 +1,6 @@
 pub mod access;
 pub mod certificates;
+#[cfg(not(feature = "fips"))]
 pub mod cover_crypt;
 pub mod elliptic_curves;
 pub mod login;