feat: support KMS 5.15

Cargo.toml

@@ -49,9 +49,9 @@ cosmian_config_utils = "0.2"
 cosmian_crypto_core = { version = "10.2", default-features = false, features = [
   "ser",
 ] }
-cosmian_findex_cli = { path = "findex-server/crate/cli", version = "0.4.11" }
-cosmian_kms_cli = { path = "kms/crate/cli", version = "5.14.1" }
-test_kms_server = { path = "kms/crate/test_kms_server", version = "5.14.1" }
+cosmian_findex_cli = { path = "findex-server/crate/cli", version = "0.4.12" }
+cosmian_kms_cli = { path = "kms/crate/cli", version = "5.15.0" }
+test_kms_server = { path = "kms/crate/test_kms_server", version = "5.15.0" }
 cosmian_logger = "0.6"
 der = { version = "0.7", default-features = false }
 hex = { version = "0.4", default-features = false }
@@ -92,4 +92,3 @@ libloading = "0.8"
 # Findex deps
 cosmian_findex = "8.0"
 cosmian_sse_memories = "8.0"
-async-sqlite = { version = "=0.4" }

crate/pkcs11/module/Cargo.toml

@@ -15,11 +15,11 @@ doctest = false
 non-fips = []
 
 [dependencies]
-bincode = "1.3.3"
 const-oid = "0.9.6"
 hex = { workspace = true, features = ["std"] }
 log = { workspace = true, default-features = false }
 once_cell = "1.21.3"
+openssl = { workspace = true }
 p256 = { version = "0.13.2", default-features = false, features = [
   "arithmetic",
   "pkcs8",
@@ -28,7 +28,6 @@ p256 = { version = "0.13.2", default-features = false, features = [
 pkcs1 = "0.7.5"
 pkcs11-sys = { workspace = true }
 rand = { workspace = true }
-rsa = "0.9"
 strum_macros = "0.26.4"
 thiserror = { workspace = true }
 cosmian_logger = { workspace = true }

crate/pkcs11/module/src/core/object.rs

@@ -21,13 +21,12 @@ use std::sync::Arc;
 
 use cosmian_logger::debug;
 use log::error;
+use openssl::pkey::PKey;
 use p256::{elliptic_curve::sec1::ToEncodedPoint, pkcs8::der::Encode};
-use pkcs1::EncodeRsaPrivateKey;
 use pkcs11_sys::{
     CK_CERTIFICATE_CATEGORY_UNSPECIFIED, CK_PROFILE_ID, CKC_X_509, CKO_CERTIFICATE, CKO_DATA,
     CKO_PRIVATE_KEY, CKO_PROFILE, CKO_PUBLIC_KEY,
 };
-use rsa::{RsaPrivateKey, pkcs8::DecodePrivateKey, traits::PublicKeyParts};
 
 use crate::{
     ModuleError, ModuleResult,
@@ -164,21 +163,33 @@ impl Object {
                 AttributeType::Label => Some(Attribute::Label("Private Key".to_owned())),
                 AttributeType::Modulus => {
                     let der_bytes = private_key.pkcs8_der_bytes()?;
-                    let sk = RsaPrivateKey::from_pkcs8_der(der_bytes.as_ref()).map_err(|e| {
-                        error!("Failed to fetch the PKCS1 DER bytes: {e:?}");
-                        ModuleError::Cryptography("Failed to fetch the PKCS1 DER bytes".to_owned())
+                    let pkey = PKey::private_key_from_der(der_bytes.as_ref()).map_err(|e| {
+                        error!("Failed to parse RSA private key from PKCS#8 DER: {e:?}");
+                        ModuleError::Cryptography(
+                            "Failed to parse RSA private key from PKCS#8 DER".to_owned(),
+                        )
                     })?;
-                    Some(Attribute::Modulus(sk.n().to_bytes_be()))
+                    let rsa = pkey.rsa().map_err(|e| {
+                        error!("Failed to extract RSA key parameters: {e:?}");
+                        ModuleError::Cryptography("Failed to extract RSA key parameters".to_owned())
+                    })?;
+                    Some(Attribute::Modulus(rsa.n().to_vec()))
                 }
                 AttributeType::NeverExtractable => Some(Attribute::NeverExtractable(true)),
                 AttributeType::Private => Some(Attribute::Private(true)),
                 AttributeType::PublicExponent => {
                     let der_bytes = private_key.pkcs8_der_bytes()?;
-                    let sk = RsaPrivateKey::from_pkcs8_der(der_bytes.as_ref()).map_err(|e| {
-                        error!("Failed to fetch the PKCS1 DER bytes: {e:?}");
-                        ModuleError::Cryptography("Failed to fetch the PKCS1 DER bytes".to_owned())
+                    let pkey = PKey::private_key_from_der(der_bytes.as_ref()).map_err(|e| {
+                        error!("Failed to parse RSA private key from PKCS#8 DER: {e:?}");
+                        ModuleError::Cryptography(
+                            "Failed to parse RSA private key from PKCS#8 DER".to_owned(),
+                        )
+                    })?;
+                    let rsa = pkey.rsa().map_err(|e| {
+                        error!("Failed to extract RSA key parameters: {e:?}");
+                        ModuleError::Cryptography("Failed to extract RSA key parameters".to_owned())
                     })?;
-                    Some(Attribute::PublicExponent(sk.e().to_bytes_be()))
+                    Some(Attribute::PublicExponent(rsa.e().to_vec()))
                 }
                 AttributeType::Sensitive => Some(Attribute::Sensitive(true)),
                 AttributeType::Sign => Some(Attribute::Sign(true)),
@@ -188,16 +199,20 @@ impl Object {
                 AttributeType::Value => match private_key.algorithm() {
                     KeyAlgorithm::Rsa => {
                         let der_bytes = private_key.pkcs8_der_bytes()?;
-                        RsaPrivateKey::from_pkcs8_der(der_bytes.as_ref())
-                            .map(|sk| sk.to_pkcs1_der())
-                            .map_err(|e| {
-                                error!("Failed to fetch the PKCS1 DER bytes: {e:?}");
-                                ModuleError::Cryptography(
-                                    "Failed to fetch the PKCS1 DER bytes".to_owned(),
-                                )
-                            })?
-                            .map(|sd| Attribute::Value(sd.to_bytes().to_vec()))
-                            .ok()
+                        let pkey = PKey::private_key_from_der(der_bytes.as_ref()).map_err(|e| {
+                            error!("Failed to parse RSA private key from PKCS#8 DER: {e:?}");
+                            ModuleError::Cryptography(
+                                "Failed to parse RSA private key from PKCS#8 DER".to_owned(),
+                            )
+                        })?;
+                        let rsa = pkey.rsa().map_err(|e| {
+                            error!("Failed to extract RSA key parameters: {e:?}");
+                            ModuleError::Cryptography(
+                                "Failed to extract RSA key parameters".to_owned(),
+                            )
+                        })?;
+
+                        rsa.private_key_to_der().map(Attribute::Value).ok()
                     }
                     KeyAlgorithm::EccP256
                     | KeyAlgorithm::Secp224k1

crate/pkcs11/module/src/error/mod.rs

@@ -93,8 +93,6 @@ pub enum ModuleError {
     #[error(transparent)]
     Backend(#[from] Box<dyn std::error::Error>),
     #[error(transparent)]
-    Bincode(#[from] Box<bincode::ErrorKind>),
-    #[error(transparent)]
     Pkcs1DerError(#[from] pkcs1::der::Error),
     #[error(transparent)]
     ReadGuardError(#[from] PoisonError<RwLockReadGuard<'static, ObjectsStore>>),
@@ -139,7 +137,6 @@ impl From<ModuleError> for CK_RV {
             ModuleError::Backend(_)
             | ModuleError::AlgorithmNotSupported(_)
             | ModuleError::Default(_)
-            | ModuleError::Bincode(_)
             | ModuleError::FromUtf8(_)
             | ModuleError::FromVecWithNul(_)
             | ModuleError::NullPtr(_)

deny.toml

@@ -70,9 +70,6 @@ feature-depth = 1
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
 ignore = [
-    { id = "RUSTSEC-2023-0071", reason = "rsa: Marvin Attack: potential key recovery through timing side channels" },
-    { id = "RUSTSEC-2024-0436", reason = "A transitive dependency (`paste`) is not maintained anymore; tracked upstream (agnostic-lite) for replacement." },
-    { id = "RUSTSEC-2025-0141", reason = "bincode is used transitively (via cosmian_pkcs11_module); advisory is informational (unmaintained) and there is no safe upgrade available." },
     #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
     #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
     #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
@@ -103,9 +100,6 @@ allow = [
     "BSL-1.0",
     "BUSL-1.1",
     "Unicode-3.0",
-    "OpenSSL",
-    "CDLA-Permissive-2.0",
-    "AGPL-3.0-or-later"
 ]
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the

documentation/docs/cli/main_commands.md

@@ -609,6 +609,8 @@ The possible wrapping algorithms are
     - `rsa-aes-key-wrap` (CKM-RSA-AES-KEY-WRP)
     - `rsa-pkcs-v15` (CKM-RSA v1.5)
 
+Possible values:  `"aes-key-wrap-padding", "nist-key-wrap", "aes-gcm", "rsa-pkcs-v15-sha1", "rsa-pkcs-v15", "rsa-oaep-sha1", "rsa-oaep", "rsa-aes-key-wrap-sha1", "rsa-aes-key-wrap"`
+
 `--authenticated-additional-data [-d] <AUTHENTICATED_ADDITIONAL_DATA>` Authenticated encryption additional data Only available for AES GCM wrapping
 
 
@@ -1386,6 +1388,8 @@ The possible wrapping algorithms are
     - `rsa-aes-key-wrap` (CKM-RSA-AES-KEY-WRP)
     - `rsa-pkcs-v15` (CKM-RSA v1.5)
 
+Possible values:  `"aes-key-wrap-padding", "nist-key-wrap", "aes-gcm", "rsa-pkcs-v15-sha1", "rsa-pkcs-v15", "rsa-oaep-sha1", "rsa-oaep", "rsa-aes-key-wrap-sha1", "rsa-aes-key-wrap"`
+
 `--authenticated-additional-data [-d] <AUTHENTICATED_ADDITIONAL_DATA>` Authenticated encryption additional data Only available for AES GCM wrapping
 
 
@@ -1587,10 +1591,6 @@ Possible values:  `"nist-p192", "nist-p224", "nist-p256", "nist-p384", "nist-p52
 
 `--tag [-t] <TAG>` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times
 
-`--signature-algorithm [-s] <SIGNATURE_ALGORITHM>` The signature algorithm
-
-Possible values:  `"ecdsa-with-sha256", "ecdsa-with-sha384", "ecdsa-with-sha512"` [default: `"ecdsa-with-sha256"`]
-
 `--output-file [-o] <OUTPUT_FILE>` The signature output file path
 
 `--digested <DIGESTED>` Treat input as already-digested data (pre-hash)
@@ -1618,10 +1618,6 @@ Verify an ECDSA signature for a given data file
 
 `--tag [-t] <TAG>` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times
 
-`--signature-algorithm [-s] <SIGNATURE_ALGORITHM>` The signature algorithm
-
-Possible values:  `"ecdsa-with-sha256", "ecdsa-with-sha384", "ecdsa-with-sha512"` [default: `"ecdsa-with-sha256"`]
-
 `--output-file [-o] <OUTPUT_FILE>` Optional output file path
 
 `--digested <DIGESTED>` Treat data input as already-digested (pre-hash)
@@ -2275,6 +2271,8 @@ The possible wrapping algorithms are
     - `rsa-aes-key-wrap` (CKM-RSA-AES-KEY-WRP)
     - `rsa-pkcs-v15` (CKM-RSA v1.5)
 
+Possible values:  `"aes-key-wrap-padding", "nist-key-wrap", "aes-gcm", "rsa-pkcs-v15-sha1", "rsa-pkcs-v15", "rsa-oaep-sha1", "rsa-oaep", "rsa-aes-key-wrap-sha1", "rsa-aes-key-wrap"`
+
 `--authenticated-additional-data [-d] <AUTHENTICATED_ADDITIONAL_DATA>` Authenticated encryption additional data Only available for AES GCM wrapping
 
 
@@ -2496,10 +2494,6 @@ Digital signature supported is RSASSA-PSS
 
 `--tag [-t] <TAG>` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times
 
-`--signature-algorithm [-s] <SIGNATURE_ALGORITHM>` The signature algorithm
-
-Possible values:  `"rsassapss"` [default: `"rsassapss"`]
-
 `--output-file [-o] <OUTPUT_FILE>` The signature output file path
 
 `--digested <DIGESTED>` Treat input as already-digested data (pre-hash)
@@ -2527,10 +2521,6 @@ Verify an RSASSA-PSS signature for a given data file
 
 `--tag [-t] <TAG>` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times
 
-`--signature-algorithm [-s] <SIGNATURE_ALGORITHM>` The signature algorithm
-
-Possible values:  `"rsassapss"` [default: `"rsassapss"`]
-
 `--output-file [-o] <OUTPUT_FILE>` Optional output file path
 
 `--digested <DIGESTED>` Treat data input as already-digested (pre-hash)
@@ -2635,6 +2625,8 @@ The possible wrapping algorithms are
     - `rsa-aes-key-wrap` (CKM-RSA-AES-KEY-WRP)
     - `rsa-pkcs-v15` (CKM-RSA v1.5)
 
+Possible values:  `"aes-key-wrap-padding", "nist-key-wrap", "aes-gcm", "rsa-pkcs-v15-sha1", "rsa-pkcs-v15", "rsa-oaep-sha1", "rsa-oaep", "rsa-aes-key-wrap-sha1", "rsa-aes-key-wrap"`
+
 `--authenticated-additional-data [-d] <AUTHENTICATED_ADDITIONAL_DATA>` Authenticated encryption additional data Only available for AES GCM wrapping
 
 
@@ -2837,6 +2829,8 @@ The possible wrapping algorithms are
     - `rsa-aes-key-wrap` (CKM-RSA-AES-KEY-WRP)
     - `rsa-pkcs-v15` (CKM-RSA v1.5)
 
+Possible values:  `"aes-key-wrap-padding", "nist-key-wrap", "aes-gcm", "rsa-pkcs-v15-sha1", "rsa-pkcs-v15", "rsa-oaep-sha1", "rsa-oaep", "rsa-aes-key-wrap-sha1", "rsa-aes-key-wrap"`
+
 `--authenticated-additional-data [-d] <AUTHENTICATED_ADDITIONAL_DATA>` Authenticated encryption additional data Only available for AES GCM wrapping
 
 
@@ -3133,6 +3127,8 @@ The possible wrapping algorithms are
     - `rsa-aes-key-wrap` (CKM-RSA-AES-KEY-WRP)
     - `rsa-pkcs-v15` (CKM-RSA v1.5)
 
+Possible values:  `"aes-key-wrap-padding", "nist-key-wrap", "aes-gcm", "rsa-pkcs-v15-sha1", "rsa-pkcs-v15", "rsa-oaep-sha1", "rsa-oaep", "rsa-aes-key-wrap-sha1", "rsa-aes-key-wrap"`
+
 `--authenticated-additional-data [-d] <AUTHENTICATED_ADDITIONAL_DATA>` Authenticated encryption additional data Only available for AES GCM wrapping
 
 
@@ -3294,7 +3290,7 @@ Possible values:  `"chacha20-poly1305", "aes-gcm", "aes-cbc", "aes-xts", "aes-gc
 
 `--key-encryption-algorithm [-e] <KEY_ENCRYPTION_ALGORITHM>` The optional key encryption algorithm used to encrypt the data encryption key.
 
-Possible values:  `"chacha20-poly1305", "aes-gcm", "aes-xts", "aes-gcm-siv", "rfc5649"`
+Possible values:  `"chacha20-poly1305", "aes-gcm", "aes-xts", "aes-gcm-siv", "rfc3394", "rfc5649"`
 
 `--tag [-t] <TAG>` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times
 
@@ -3329,7 +3325,7 @@ Possible values:  `"chacha20-poly1305", "aes-gcm", "aes-cbc", "aes-xts", "aes-gc
 
 `--key-encryption-algorithm [-e] <KEY_ENCRYPTION_ALGORITHM>` The optional key encryption algorithm used to decrypt the data encryption key.
 
-Possible values:  `"chacha20-poly1305", "aes-gcm", "aes-xts", "aes-gcm-siv", "rfc5649"`
+Possible values:  `"chacha20-poly1305", "aes-gcm", "aes-xts", "aes-gcm-siv", "rfc3394", "rfc5649"`
 
 `--output-file [-o] <OUTPUT_FILE>` The encrypted output file path
 

documentation/docs/index.md

@@ -38,6 +38,7 @@ By leveraging Cosmian CLI, users can seamlessly integrate advanced cryptographic
 
 | CLI version | KMS version      | Findex server version |
 | ----------- | ---------------- | --------------------- |
+| 1.8.0       | 5.15.0           | 0.4.12                 |
 | 1.7.1       | 5.14.1           | 0.4.11                 |
 | 1.7.0       | 5.14.0           | 0.4.10                 |
 | 1.6.0       | 5.13.*           | 0.4.*                 |