HSM for BaseHsm {
Ok(())
}
+ /// Sets `CKA_START_DATE` and `CKA_END_DATE` on the key identified by `key_id`. Pass `None` to clear a date.
+ async fn set_key_dates(
+ &self,
+ slot_id: usize,
+ key_id: &[u8],
+ start_date: Option,
+ end_date: Option,
+ ) -> InterfaceResult<()> {
+ let slot = self.get_slot(slot_id)?;
+ let session = slot.open_session(true)?;
+ let handle = session.get_object_handle(key_id)?;
+ session.set_key_dates(handle, start_date, end_date)?;
+ Ok(())
+ }
+
+ /// Sets `CKA_LABEL` on the key identified by `key_id`.
+ async fn set_key_label(
+ &self,
+ slot_id: usize,
+ key_id: &[u8],
+ label: &str,
+ ) -> InterfaceResult<()> {
+ let slot = self.get_slot(slot_id)?;
+ let session = slot.open_session(true)?;
+ let handle = session.get_object_handle(key_id)?;
+ session.set_label(handle, label)?;
+ Ok(())
+ }
+
fn hsm_lib(&self) -> Option<&dyn std::any::Any> {
Some(self.hsm_lib())
}
diff --git a/crate/hsm/base_hsm/src/session/session_impl.rs b/crate/hsm/base_hsm/src/session/session_impl.rs
index 29fa4e73d4..a6660d3401 100644
--- a/crate/hsm/base_hsm/src/session/session_impl.rs
+++ b/crate/hsm/base_hsm/src/session/session_impl.rs
@@ -50,16 +50,16 @@ use cosmian_kms_interfaces::{
};
use cosmian_logger::{debug, trace};
use pkcs11_sys::{
- CK_AES_GCM_PARAMS, CK_ATTRIBUTE, CK_BBOOL, CK_FALSE, CK_KEY_TYPE, CK_MECHANISM,
+ CK_AES_GCM_PARAMS, CK_ATTRIBUTE, CK_BBOOL, CK_DATE, CK_FALSE, CK_KEY_TYPE, CK_MECHANISM,
CK_MECHANISM_TYPE, CK_OBJECT_CLASS, CK_OBJECT_HANDLE, CK_RSA_PKCS_MGF_TYPE,
CK_RSA_PKCS_OAEP_PARAMS, CK_SESSION_HANDLE, CK_TRUE, CK_ULONG, CKA_CLASS, CKA_COEFFICIENT,
- CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_ID, CKA_KEY_TYPE, CKA_LABEL, CKA_MODULUS, CKA_PRIME_1,
- CKA_PRIME_2, CKA_PRIVATE_EXPONENT, CKA_PUBLIC_EXPONENT, CKA_SENSITIVE, CKA_VALUE,
- CKA_VALUE_LEN, CKG_MGF1_SHA1, CKG_MGF1_SHA256, CKG_MGF1_SHA384, CKG_MGF1_SHA512, CKK_AES,
- CKK_RSA, CKK_VENDOR_DEFINED, CKM_AES_CBC, CKM_AES_GCM, CKM_RSA_PKCS, CKM_RSA_PKCS_OAEP,
- CKM_SHA_1, CKM_SHA1_RSA_PKCS, CKM_SHA256, CKM_SHA256_RSA_PKCS, CKM_SHA384, CKM_SHA384_RSA_PKCS,
- CKM_SHA512, CKM_SHA512_RSA_PKCS, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY,
- CKO_VENDOR_DEFINED, CKR_ATTRIBUTE_SENSITIVE, CKR_OBJECT_HANDLE_INVALID, CKR_OK,
+ CKA_END_DATE, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_ID, CKA_KEY_TYPE, CKA_LABEL, CKA_MODULUS,
+ CKA_PRIME_1, CKA_PRIME_2, CKA_PRIVATE_EXPONENT, CKA_PUBLIC_EXPONENT, CKA_SENSITIVE,
+ CKA_START_DATE, CKA_VALUE, CKA_VALUE_LEN, CKG_MGF1_SHA1, CKG_MGF1_SHA256, CKG_MGF1_SHA384,
+ CKG_MGF1_SHA512, CKK_AES, CKK_RSA, CKK_VENDOR_DEFINED, CKM_AES_CBC, CKM_AES_GCM, CKM_RSA_PKCS,
+ CKM_RSA_PKCS_OAEP, CKM_SHA_1, CKM_SHA1_RSA_PKCS, CKM_SHA256, CKM_SHA256_RSA_PKCS, CKM_SHA384,
+ CKM_SHA384_RSA_PKCS, CKM_SHA512, CKM_SHA512_RSA_PKCS, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY,
+ CKO_SECRET_KEY, CKO_VENDOR_DEFINED, CKR_ATTRIBUTE_SENSITIVE, CKR_OBJECT_HANDLE_INVALID, CKR_OK,
CKZ_DATA_SPECIFIED,
};
use rand::{TryRng, rngs::SysRng};
@@ -1730,6 +1730,235 @@ impl Session {
Ok(Some(()))
}
+ /// Parse a `CK_DATE` (8-byte ASCII "YYYYMMDD") into a `time::Date`.
+ /// Returns `None` if the date is empty/zeroed.
+ fn parse_ck_date(date: CK_DATE) -> Option {
+ let year_str = std::str::from_utf8(&date.year).ok()?;
+ let month_str = std::str::from_utf8(&date.month).ok()?;
+ let day_str = std::str::from_utf8(&date.day).ok()?;
+ let year: i32 = year_str.trim().parse().ok()?;
+ let month: u8 = month_str.trim().parse().ok()?;
+ let day: u8 = day_str.trim().parse().ok()?;
+ if year == 0 && month == 0 && day == 0 {
+ return None;
+ }
+ let month = time::Month::try_from(month).ok()?;
+ time::Date::from_calendar_date(year, month, day).ok()
+ }
+
+ /// Read `CKA_START_DATE` and `CKA_END_DATE` from a key handle.
+ /// Returns `(start_date, end_date)`. Attributes that are absent or empty
+ /// (zeroed) are returned as `None`.
+ fn get_key_dates(
+ &self,
+ key_handle: CK_OBJECT_HANDLE,
+ ) -> HResult<(Option, Option)> {
+ let mut start_date = CK_DATE {
+ year: [0; 4],
+ month: [0; 2],
+ day: [0; 2],
+ };
+ let mut end_date = CK_DATE {
+ year: [0; 4],
+ month: [0; 2],
+ day: [0; 2],
+ };
+ let mut template = vec![
+ CK_ATTRIBUTE {
+ type_: CKA_START_DATE,
+ pValue: (&raw mut start_date).cast::(),
+ ulValueLen: CK_ULONG::try_from(size_of::())?,
+ },
+ CK_ATTRIBUTE {
+ type_: CKA_END_DATE,
+ pValue: (&raw mut end_date).cast::(),
+ ulValueLen: CK_ULONG::try_from(size_of::())?,
+ },
+ ];
+ // If the HSM doesn't support these attributes, just return None for both
+ if self
+ .call_get_attributes(key_handle, &mut template)?
+ .is_none()
+ {
+ return Ok((None, None));
+ }
+ // Check if the returned length is 0 (attribute present but empty)
+ let start = if template.first().is_none_or(|t| t.ulValueLen == 0) {
+ None
+ } else {
+ Self::parse_ck_date(start_date)
+ };
+ let end = if template.get(1).is_none_or(|t| t.ulValueLen == 0) {
+ None
+ } else {
+ Self::parse_ck_date(end_date)
+ };
+ Ok((start, end))
+ }
+
+ /// Format a `time::Date` into a `CK_DATE` (8-byte ASCII "YYYYMMDD").
+ fn format_ck_date(date: time::Date) -> CK_DATE {
+ let year = date.year();
+ let month: u8 = date.month().into();
+ let day = date.day();
+ // These format! calls always produce exactly the right number of bytes
+ let mut year_bytes = [b'0'; 4];
+ let mut month_bytes = [b'0'; 2];
+ let mut day_bytes = [b'0'; 2];
+ let year_str = format!("{year:04}");
+ let month_str = format!("{month:02}");
+ let day_str = format!("{day:02}");
+ year_bytes.copy_from_slice(year_str.as_bytes().get(..4).unwrap_or(&[b'0'; 4]));
+ month_bytes.copy_from_slice(month_str.as_bytes().get(..2).unwrap_or(&[b'0'; 2]));
+ day_bytes.copy_from_slice(day_str.as_bytes().get(..2).unwrap_or(&[b'0'; 2]));
+ CK_DATE {
+ year: year_bytes,
+ month: month_bytes,
+ day: day_bytes,
+ }
+ }
+
+ /// Set `CKA_START_DATE` and/or `CKA_END_DATE` on a key object.
+ /// Passing `None` clears the attribute (sets to empty `CK_DATE`).
+ pub fn set_key_dates(
+ &self,
+ key_handle: CK_OBJECT_HANDLE,
+ start_date: Option,
+ end_date: Option,
+ ) -> HResult<()> {
+ let start_ck = start_date.map_or(
+ CK_DATE {
+ year: [0; 4],
+ month: [0; 2],
+ day: [0; 2],
+ },
+ Self::format_ck_date,
+ );
+ let end_ck = end_date.map_or(
+ CK_DATE {
+ year: [0; 4],
+ month: [0; 2],
+ day: [0; 2],
+ },
+ Self::format_ck_date,
+ );
+
+ let mut template = vec![
+ CK_ATTRIBUTE {
+ type_: CKA_START_DATE,
+ pValue: ptr::addr_of!(start_ck).cast_mut().cast(),
+ ulValueLen: CK_ULONG::try_from(std::mem::size_of::())?,
+ },
+ CK_ATTRIBUTE {
+ type_: CKA_END_DATE,
+ pValue: ptr::addr_of!(end_ck).cast_mut().cast(),
+ ulValueLen: CK_ULONG::try_from(std::mem::size_of::())?,
+ },
+ ];
+
+ #[expect(unsafe_code)]
+ let rv = match self.hsm.C_SetAttributeValue {
+ Some(func) => unsafe {
+ func(
+ self.handle,
+ key_handle,
+ template.as_mut_ptr(),
+ CK_ULONG::try_from(template.len())?,
+ )
+ },
+ None => {
+ return Err(HError::Default(
+ "C_SetAttributeValue not available on library".to_owned(),
+ ));
+ }
+ };
+ if rv != CKR_OK {
+ return Err(HError::Default(format!(
+ "Failed to set key dates for key handle: {key_handle}. Return code: {rv}"
+ )));
+ }
+ Ok(())
+ }
+
+ /// Parse keyset metadata from a `CKA_LABEL` value.
+ ///
+ /// Format: `rotate_name::generation::key_id[::latest]`
+ /// The optional `::latest` suffix is accepted for backward compatibility with
+ /// existing HSM keys but is no longer used; callers determine the latest
+ /// generation by comparing `rotate_generation` values.
+ ///
+ /// Returns `(rotate_name, rotate_generation)`.
+ /// Returns `(None, None)` if the label does not match the format
+ /// (e.g. plain keys whose label is just an identifier).
+ pub(crate) fn parse_label_metadata(label: &str) -> (Option, Option) {
+ // Minimum viable format: "name::gen::keyid" (3 segments)
+ let parts: Vec<&str> = label.splitn(4, "::").collect();
+ if parts.len() < 3 {
+ return (None, None);
+ }
+ let Some(rotate_name) = parts.first() else {
+ return (None, None);
+ };
+ let Some(gen_str) = parts.get(1) else {
+ return (None, None);
+ };
+ let Ok(generation) = gen_str.parse::() else {
+ return (None, None);
+ };
+ (Some((*rotate_name).to_owned()), Some(generation))
+ }
+
+ /// Build the `CKA_LABEL` value for a keyset key.
+ ///
+ /// Format: `rotate_name::generation::key_id` (retired) or
+ /// `rotate_name::generation::key_id::latest` (current latest).
+ // Used by the HSM ReKey flow (Phase 3).
+ #[allow(dead_code)]
+ pub(crate) fn build_keyset_label(
+ rotate_name: &str,
+ generation: i32,
+ key_id: &str,
+ latest: bool,
+ ) -> String {
+ if latest {
+ format!("{rotate_name}::{generation}::{key_id}::latest")
+ } else {
+ format!("{rotate_name}::{generation}::{key_id}")
+ }
+ }
+
+ /// Set `CKA_LABEL` on a key object via `C_SetAttributeValue`.
+ pub fn set_label(&self, key_handle: CK_OBJECT_HANDLE, label: &str) -> HResult<()> {
+ let label_bytes = label.as_bytes();
+ let mut template = vec![CK_ATTRIBUTE {
+ type_: CKA_LABEL,
+ pValue: label_bytes.as_ptr().cast_mut().cast(),
+ ulValueLen: CK_ULONG::try_from(label_bytes.len())?,
+ }];
+ #[expect(unsafe_code)]
+ let rv = match self.hsm.C_SetAttributeValue {
+ Some(func) => unsafe {
+ func(
+ self.handle,
+ key_handle,
+ template.as_mut_ptr(),
+ CK_ULONG::try_from(template.len())?,
+ )
+ },
+ None => {
+ return Err(HError::Default(
+ "C_SetAttributeValue not available on library".to_owned(),
+ ));
+ }
+ };
+ if rv != CKR_OK {
+ return Err(HError::Default(format!(
+ "Failed to set label for key handle: {key_handle}. Return code: {rv}"
+ )));
+ }
+ Ok(())
+ }
+
/// Get the metadata for a key
pub fn get_key_metadata(&self, key_handle: CK_OBJECT_HANDLE) -> HResult> {
let Some(key_type) = self.get_key_type(key_handle)? else {
@@ -1786,6 +2015,8 @@ impl Session {
HError::Default(format!("Failed to convert label to string: {e}"))
})?
};
+ let (start_date, end_date) = self.get_key_dates(key_handle).unwrap_or((None, None));
+ let (rotate_name, rotate_generation) = Self::parse_label_metadata(&label);
Ok(Some(KeyMetadata {
key_type,
key_length_in_bits: usize::try_from(key_size).map_err(|e| {
@@ -1793,6 +2024,10 @@ impl Session {
})? * 8,
sensitive: sensitive == CK_TRUE,
id: label,
+ start_date,
+ end_date,
+ rotate_name,
+ rotate_generation,
}))
}
KeyType::RsaPrivateKey | KeyType::RsaPublicKey => {
@@ -1856,11 +2091,17 @@ impl Session {
label = label.trim().to_owned().add("_pk");
}
let sensitive = sensitive == CK_TRUE;
+ let (start_date, end_date) = self.get_key_dates(key_handle).unwrap_or((None, None));
+ let (rotate_name, rotate_generation) = Self::parse_label_metadata(&label);
Ok(Some(KeyMetadata {
key_type,
key_length_in_bits,
sensitive,
id: label,
+ start_date,
+ end_date,
+ rotate_name,
+ rotate_generation,
}))
}
}
diff --git a/crate/interfaces/Cargo.toml b/crate/interfaces/Cargo.toml
index 437a1f28d2..3bfa71098f 100644
--- a/crate/interfaces/Cargo.toml
+++ b/crate/interfaces/Cargo.toml
@@ -23,6 +23,7 @@ cosmian_logger = { workspace = true }
num-bigint-dig = { workspace = true, features = ["std", "rand", "serde", "zeroize"] }
serde_json = { workspace = true }
thiserror = { workspace = true }
+time = { workspace = true }
zeroize = { workspace = true, default-features = true }
[dev-dependencies]
diff --git a/crate/interfaces/src/crypto_oracle.rs b/crate/interfaces/src/crypto_oracle.rs
index d63cdadf92..08aeab3af5 100644
--- a/crate/interfaces/src/crypto_oracle.rs
+++ b/crate/interfaces/src/crypto_oracle.rs
@@ -15,12 +15,21 @@ use zeroize::Zeroizing;
use crate::{InterfaceError, KeyType, error::InterfaceResult};
-#[derive(Debug)]
+#[derive(Debug, Clone)]
pub struct KeyMetadata {
pub key_type: KeyType,
pub key_length_in_bits: usize,
pub sensitive: bool,
pub id: String,
+ /// PKCS#11 `CKA_START_DATE` — when the key became active.
+ pub start_date: Option,
+ /// PKCS#11 `CKA_END_DATE` — when the key is due for rotation.
+ pub end_date: Option,
+ /// Keyset name parsed from `CKA_LABEL` (`rotate_name::generation::key_id[::latest]`).
+ /// `None` means the key has no keyset membership.
+ pub rotate_name: Option,
+ /// Keyset generation counter parsed from `CKA_LABEL`.
+ pub rotate_generation: Option,
}
#[derive(Debug, Clone, PartialEq, Eq)]
diff --git a/crate/interfaces/src/hsm/hsm_store.rs b/crate/interfaces/src/hsm/hsm_store.rs
index 03c9cbfde0..658bbaf2e5 100644
--- a/crate/interfaces/src/hsm/hsm_store.rs
+++ b/crate/interfaces/src/hsm/hsm_store.rs
@@ -141,8 +141,26 @@ impl ObjectsStore for HsmStore {
let (slot_id, key_id) = parse_uid_with_prefix(uid, &self.prefix)?;
match self.hsm.export(slot_id, key_id.as_bytes()).await {
Ok(Some(hsm_object)) => {
- let owm =
+ let mut owm =
to_object_with_metadata(&hsm_object, uid, self.owner_name(), &self.vendor_id)?;
+ // Enrich attributes with keyset metadata from CKA_LABEL and CKA dates.
+ if let Ok(Some(meta)) = self.hsm.get_key_metadata(slot_id, key_id.as_bytes()).await
+ {
+ let attrs = owm.attributes_mut();
+ attrs.rotate_name = meta.rotate_name;
+ attrs.rotate_generation = meta.rotate_generation;
+ // Reconstruct rotate_interval from CKA_START_DATE / CKA_END_DATE.
+ // HsmStore::update_object is a no-op for KMIP attributes so there is
+ // no persistent KMIP storage for rotate_interval on HSM keys; we
+ // recover it as (end_date − start_date) × 86400 s so that downstream
+ // operations (e.g. auto-rotation re-key) can propagate the schedule.
+ if let (Some(start), Some(end)) = (meta.start_date, meta.end_date) {
+ let days = (end - start).whole_days();
+ if days > 0 {
+ attrs.rotate_interval = Some(days * crate::SECS_PER_DAY);
+ }
+ }
+ }
Ok(Some(owm))
}
Ok(None) => Ok(None),
@@ -378,6 +396,120 @@ impl ObjectsStore for HsmStore {
Ok(uids)
}
+ async fn find_due_for_rotation(
+ &self,
+ now: time::OffsetDateTime,
+ ) -> InterfaceResult> {
+ let today = now.date();
+ let slot_ids = self.hsm.get_available_slot_list().await?;
+ let mut due_uids = Vec::new();
+
+ for slot_id in slot_ids {
+ let found = self
+ .hsm
+ .find(slot_id, HsmObjectFilter::Any)
+ .await
+ .unwrap_or_default();
+ for object_id in found {
+ let Some(meta) = self
+ .hsm
+ .get_key_metadata(slot_id, &object_id)
+ .await
+ .unwrap_or_default()
+ else {
+ continue;
+ };
+ // A key is due for rotation when end_date is set and today >= end_date
+ let Some(end_date) = meta.end_date else {
+ continue;
+ };
+ if today >= end_date {
+ let Ok(object_string) = std::str::from_utf8(&object_id) else {
+ continue;
+ };
+ let uid = format!("{}::{slot_id}::{object_string}", self.prefix);
+ due_uids.push(uid);
+ }
+ }
+ }
+
+ Ok(due_uids)
+ }
+
+ /// Find HSM keys by keyset name, with optional generation and latest filters.
+ ///
+ /// The keyset name is parsed from `CKA_LABEL` which carries the format
+ /// `rotate_name::generation::key_id[::latest]`. This allows keys to be
+ /// addressed by their logical name rather than their physical UID.
+ async fn find_by_rotate_name(
+ &self,
+ name: &str,
+ generation: Option,
+ _owner: &str,
+ ) -> InterfaceResult> {
+ let slot_ids = self.hsm.get_available_slot_list().await?;
+ let mut results = Vec::new();
+
+ for slot_id in slot_ids {
+ let found = self
+ .hsm
+ .find(slot_id, HsmObjectFilter::Any)
+ .await
+ .unwrap_or_default();
+ for object_id in found {
+ let Some(meta) = self
+ .hsm
+ .get_key_metadata(slot_id, &object_id)
+ .await
+ .unwrap_or_default()
+ else {
+ continue;
+ };
+ // Only consider keys that belong to this keyset
+ let Some(ref key_rotate_name) = meta.rotate_name else {
+ continue;
+ };
+ if key_rotate_name != name {
+ continue;
+ }
+ // Optional generation filter
+ if let Some(gen_filter) = generation {
+ if meta.rotate_generation != Some(gen_filter) {
+ continue;
+ }
+ }
+ // Optional latest filter — removed: caller selects max generation instead
+ let Ok(object_string) = std::str::from_utf8(&object_id) else {
+ continue;
+ };
+ let uid = format!("{}::{slot_id}::{object_string}", self.prefix);
+ let attrs = build_keyset_attributes(&meta);
+ results.push((uid, attrs));
+ }
+ }
+
+ Ok(results)
+ }
+
+ async fn set_key_label(&self, uid: &str, label: &str) -> InterfaceResult<()> {
+ let (slot_id, key_id) = parse_uid_with_prefix(uid, &self.prefix)?;
+ self.hsm
+ .set_key_label(slot_id, key_id.as_bytes(), label)
+ .await
+ }
+
+ async fn set_key_rotation_dates(
+ &self,
+ uid: &str,
+ start_date: Option,
+ end_date: Option,
+ ) -> InterfaceResult<()> {
+ let (slot_id, key_id) = parse_uid_with_prefix(uid, &self.prefix)?;
+ self.hsm
+ .set_key_dates(slot_id, key_id.as_bytes(), start_date, end_date)
+ .await
+ }
+
/// Count all non-destroyed objects on this HSM.
///
/// On an HSM every object present in a slot is by definition non-destroyed:
@@ -645,6 +777,20 @@ fn build_sensitive_stub_attributes(meta: &KeyMetadata) -> Attributes {
KeyFormatType::PKCS1,
),
};
+ // Reconstruct rotate_interval from CKA_START_DATE / CKA_END_DATE.
+ // HsmStore::update_object is a no-op for KMIP attributes, so this is the only
+ // way to expose the scheduled interval to attribute-only callers (e.g. re-key).
+ let rotate_interval = match (meta.start_date, meta.end_date) {
+ (Some(start), Some(end)) => {
+ let days = (end - start).whole_days();
+ if days > 0 {
+ Some(days * crate::SECS_PER_DAY)
+ } else {
+ None
+ }
+ }
+ _ => None,
+ };
Attributes {
cryptographic_algorithm: Some(algorithm),
cryptographic_length: Some(i32::try_from(meta.key_length_in_bits).unwrap_or_default()),
@@ -652,6 +798,9 @@ fn build_sensitive_stub_attributes(meta: &KeyMetadata) -> Attributes {
cryptographic_usage_mask: Some(usage_mask),
key_format_type: Some(key_format_type),
sensitive: Some(true),
+ rotate_name: meta.rotate_name.clone(),
+ rotate_generation: meta.rotate_generation,
+ rotate_interval,
..Attributes::default()
}
}
@@ -725,6 +874,15 @@ fn build_sensitive_stub_object(meta: &KeyMetadata) -> Object {
}
}
+/// Build an `Attributes` struct populated with keyset metadata from `KeyMetadata`.
+/// Used by `find_by_rotate_name` to return `rotate_name`/`generation`/`latest` to callers.
+fn build_keyset_attributes(meta: &KeyMetadata) -> Attributes {
+ let mut attrs = build_find_attributes(&Some(meta.clone()), &HsmObjectFilter::Any);
+ attrs.rotate_name.clone_from(&meta.rotate_name);
+ attrs.rotate_generation = meta.rotate_generation;
+ attrs
+}
+
fn build_find_attributes(meta: &Option, filter: &HsmObjectFilter) -> Attributes {
let mut attrs = Attributes::default();
if let Some(m) = meta {
@@ -1236,6 +1394,19 @@ mod tests {
len: usize,
) -> InterfaceResult>;
async fn seed_random(&self, slot_id: usize, seed: &[u8]) -> InterfaceResult<()>;
+ async fn set_key_dates(
+ &self,
+ slot_id: usize,
+ key_id: &[u8],
+ start_date: Option,
+ end_date: Option,
+ ) -> InterfaceResult<()>;
+ async fn set_key_label(
+ &self,
+ slot_id: usize,
+ key_id: &[u8],
+ label: &str,
+ ) -> InterfaceResult<()>;
fn hsm_lib(&self) -> Option<&'static dyn std::any::Any> { None }
}
}
diff --git a/crate/interfaces/src/hsm/interface.rs b/crate/interfaces/src/hsm/interface.rs
index 6dedcf5a43..509fe1ddfc 100644
--- a/crate/interfaces/src/hsm/interface.rs
+++ b/crate/interfaces/src/hsm/interface.rs
@@ -336,6 +336,43 @@ pub trait HSM: Send + Sync {
/// can return an error; callers may choose to ignore such errors.
async fn seed_random(&self, slot_id: usize, seed: &[u8]) -> InterfaceResult<()>;
+ /// Set `CKA_START_DATE` and `CKA_END_DATE` on a key object.
+ ///
+ /// These PKCS#11 attributes are used to track rotation scheduling:
+ /// - `start_date` — when the current rotation interval began.
+ /// - `end_date` — when the key is due for rotation.
+ ///
+ /// Passing `None` for either date clears that attribute (sets to empty `CK_DATE`).
+ ///
+ /// # Arguments
+ /// * `slot_id` - the slot ID of the HSM
+ /// * `key_id` - the ID of the key
+ /// * `start_date` - optional start date
+ /// * `end_date` - optional end date
+ async fn set_key_dates(
+ &self,
+ slot_id: usize,
+ key_id: &[u8],
+ start_date: Option,
+ end_date: Option,
+ ) -> InterfaceResult<()>;
+
+ /// Set `CKA_LABEL` on a key object.
+ ///
+ /// The label encodes keyset metadata in the format
+ /// `rotate_name::generation::key_id[::latest]`.
+ ///
+ /// # Arguments
+ /// * `slot_id` - the slot ID of the HSM
+ /// * `key_id` - the `CKA_ID` bytes of the key to update
+ /// * `label` - the new label string to set
+ async fn set_key_label(
+ &self,
+ slot_id: usize,
+ key_id: &[u8],
+ label: &str,
+ ) -> InterfaceResult<()>;
+
/// Get a reference to the underlying PKCS#11 library for direct function calls.
///
/// This method provides access to the raw PKCS#11 library (`HsmLib`) to enable
diff --git a/crate/interfaces/src/lib.rs b/crate/interfaces/src/lib.rs
index 5e75e0c5c7..e17bac19a3 100644
--- a/crate/interfaces/src/lib.rs
+++ b/crate/interfaces/src/lib.rs
@@ -13,9 +13,12 @@ pub use hsm::{
};
pub use stores::{AtomicOperation, ObjectWithMetadata, ObjectsStore, PermissionsStore};
+/// Number of seconds in one day — the finest granularity PKCS#11 `CK_DATE` can represent.
+pub const SECS_PER_DAY: i64 = 24 * 3600;
+
/// Supported cryptographic object types
/// in plugins
-#[derive(Debug, Eq, PartialEq)]
+#[derive(Debug, Clone, Eq, PartialEq)]
pub enum KeyType {
AesKey,
RsaPrivateKey,
diff --git a/crate/interfaces/src/stores/object_with_metadata.rs b/crate/interfaces/src/stores/object_with_metadata.rs
index 97c3f50cc9..6d30249c0d 100644
--- a/crate/interfaces/src/stores/object_with_metadata.rs
+++ b/crate/interfaces/src/stores/object_with_metadata.rs
@@ -1,10 +1,14 @@
use std::fmt::{self, Display, Formatter};
use cosmian_kmip::{
- kmip_0::kmip_types::State,
+ KmipError,
+ kmip_0::kmip_types::{CryptographicUsageMask, ErrorReason, State},
kmip_2_1::{
- kmip_attributes::Attributes, kmip_objects::Object, kmip_types::CryptographicAlgorithm,
+ kmip_attributes::Attributes,
+ kmip_objects::Object,
+ kmip_types::{CryptographicAlgorithm, UsageLimitsUnit},
},
+ time_normalize,
};
/// An object with its metadata such as owner, permissions and state
@@ -93,6 +97,143 @@ impl ObjectWithMetadata {
.and_then(|kb| kb.cryptographic_algorithm().copied())
.or(self.attributes.cryptographic_algorithm)
}
+
+ // ─── Lifecycle predicates ────────────────────────────────────────────────
+
+ /// Determine the effective KMIP state based on stored state and time-based
+ /// transitions (activation / deactivation).
+ ///
+ /// - `PreActive` → `Active` when `activation_date` ≤ now.
+ /// - `Active` → `Deactivated` when `deactivation_date` ≤ now.
+ ///
+ /// Falls back to the stored state if the system clock cannot be read.
+ #[must_use]
+ pub fn effective_state(&self) -> State {
+ let Ok(now) = time_normalize() else {
+ return self.state;
+ };
+ match self.state {
+ State::PreActive => {
+ let activation_date = self.attributes.activation_date.or_else(|| {
+ self.object
+ .attributes()
+ .ok()
+ .and_then(|attrs| attrs.activation_date)
+ });
+ if activation_date.is_some_and(|d| d <= now) {
+ State::Active
+ } else {
+ State::PreActive
+ }
+ }
+ State::Active => {
+ let deactivation_date = self.attributes.deactivation_date.or_else(|| {
+ self.object
+ .attributes()
+ .ok()
+ .and_then(|attrs| attrs.deactivation_date)
+ });
+ if deactivation_date.is_some_and(|d| d <= now) {
+ State::Deactivated
+ } else {
+ State::Active
+ }
+ }
+ other => other,
+ }
+ }
+
+ /// Check whether the current time falls within the KMIP process window
+ /// (`ProcessStartDate`..`ProtectStopDate`).
+ ///
+ /// Returns `true` when usage is allowed (window is open or no window is set).
+ /// Returns `false` when the key is outside its process window.
+ /// Falls back to `true` if the system clock cannot be read.
+ #[must_use]
+ pub fn is_within_process_window(&self) -> bool {
+ if self.effective_state() != State::Active {
+ return true; // window only applies to Active keys
+ }
+ let Ok(attrs) = self.object.attributes() else {
+ return true;
+ };
+ let Ok(now) = time_normalize() else {
+ return true;
+ };
+ let too_early = attrs.process_start_date.is_some_and(|d| now < d);
+ let too_late = attrs.protect_stop_date.is_some_and(|d| now > d);
+ !(too_early || too_late)
+ }
+
+ // ─── Usage predicates ────────────────────────────────────────────────────
+
+ /// Check whether the object's usage mask permits the given operation.
+ ///
+ /// In **lenient** mode a missing mask (`None`) is treated as "allowed",
+ /// which supports legacy Certificates/Public Keys imported without masks.
+ #[must_use]
+ pub fn has_usage_mask(&self, required: CryptographicUsageMask, lenient: bool) -> bool {
+ let attributes = self
+ .object
+ .attributes()
+ .unwrap_or_else(|_| self.attributes());
+ if lenient && attributes.cryptographic_usage_mask.is_none() {
+ return true;
+ }
+ attributes
+ .is_usage_authorized_for(required)
+ .unwrap_or(false)
+ }
+
+ /// Check whether the key's remaining usage budget is sufficient for
+ /// `data_len` bytes of payload.
+ ///
+ /// Returns `true` when no `UsageLimits` are set or the budget is sufficient.
+ #[must_use]
+ pub fn has_usage_budget(&self, data_len: usize) -> bool {
+ let Some(ul) = self.attributes.usage_limits.as_ref() else {
+ return true;
+ };
+ match ul.usage_limits_unit {
+ UsageLimitsUnit::Byte => {
+ let needed = i64::try_from(data_len).unwrap_or(i64::MAX);
+ ul.usage_limits_total >= needed
+ }
+ UsageLimitsUnit::Object | UsageLimitsUnit::Block | UsageLimitsUnit::Operation => {
+ ul.usage_limits_total > 0
+ }
+ }
+ }
+
+ // ─── Enforcement (error-returning) ───────────────────────────────────────
+
+ /// Enforce the KMIP process-window constraints.
+ ///
+ /// An Active key whose current time is before `ProcessStartDate` or after
+ /// `ProtectStopDate` is rejected with `Wrong_Key_Lifecycle_State`.
+ pub fn check_process_window(&self) -> Result<(), KmipError> {
+ if !self.is_within_process_window() {
+ return Err(KmipError::Kmip21(
+ ErrorReason::Wrong_Key_Lifecycle_State,
+ "DENIED".to_owned(),
+ ));
+ }
+ Ok(())
+ }
+
+ /// Enforce `UsageLimits` before a cryptographic operation.
+ ///
+ /// Returns `Err(Permission_Denied)` when the key's remaining usage budget
+ /// is insufficient for the requested `data_len` bytes.
+ pub fn enforce_usage_limits(&self, data_len: usize) -> Result<(), KmipError> {
+ if !self.has_usage_budget(data_len) {
+ return Err(KmipError::Kmip21(
+ ErrorReason::Permission_Denied,
+ "DENIED".to_owned(),
+ ));
+ }
+ Ok(())
+ }
}
impl Display for ObjectWithMetadata {
diff --git a/crate/interfaces/src/stores/objects_store.rs b/crate/interfaces/src/stores/objects_store.rs
index f06cb0c69f..e73784f3ea 100644
--- a/crate/interfaces/src/stores/objects_store.rs
+++ b/crate/interfaces/src/stores/objects_store.rs
@@ -6,6 +6,7 @@ use cosmian_kmip::{
kmip_2_1::{kmip_attributes::Attributes, kmip_objects::Object},
};
use cosmian_logger::warn;
+use time::OffsetDateTime;
use crate::{InterfaceResult, ObjectWithMetadata};
@@ -104,6 +105,73 @@ pub trait ObjectsStore {
vendor_id: &str,
) -> InterfaceResult>;
+ /// Return (uid, state, attributes) for every object whose
+ /// `key_wrapping_data.encryption_key_information.unique_identifier` equals
+ /// `wrapping_key_uid`. Used by key rotation to re-wrap all objects protected by
+ /// the rotated key.
+ ///
+ /// The default implementation returns an empty list; backends that support
+ /// JSON-based object storage should override this with an efficient query.
+ async fn find_wrapped_by(
+ &self,
+ _wrapping_key_uid: &str,
+ _user: &str,
+ ) -> InterfaceResult> {
+ Ok(vec![])
+ }
+
+ /// Return UIDs of all Active objects that have a `rotate_interval > 0` and whose
+ /// next rotation instant is ≤ `now`.
+ ///
+ /// The next rotation instant is computed as:
+ /// - `rotate_date + rotate_interval` (if `rotate_date` is set), or
+ /// - `initial_date + rotate_interval + rotate_offset` (if `rotate_date` is None)
+ ///
+ /// The default implementation returns an empty list; backends should override.
+ async fn find_due_for_rotation(&self, _now: OffsetDateTime) -> InterfaceResult> {
+ Ok(vec![])
+ }
+
+ /// Find objects by their `x-rotate-name` vendor attribute.
+ ///
+ /// Optionally filter by:
+ /// - `generation`: match `x-rotate-generation` exactly
+ /// - `latest`: match `x-rotate-latest` flag
+ /// - `owner`: match the object owner
+ ///
+ /// Returns a list of `(uid, attributes)` pairs.
+ /// The default implementation returns an empty list; backends should override.
+ async fn find_by_rotate_name(
+ &self,
+ _name: &str,
+ _generation: Option,
+ _owner: &str,
+ ) -> InterfaceResult> {
+ Ok(vec![])
+ }
+
+ /// Set the human-readable label on a key object.
+ ///
+ /// For HSM backends this writes `CKA_LABEL` via `C_SetAttributeValue`.
+ /// The SQL backends ignore this call (labels are carried in the KMIP `Name` attribute
+ /// and managed separately). Default: no-op.
+ async fn set_key_label(&self, _uid: &str, _label: &str) -> InterfaceResult<()> {
+ Ok(())
+ }
+
+ /// Rewrite the PKCS#11 rotation dates on an HSM key identified by `uid`.
+ ///
+ /// `start_date` and `end_date` are stored as `CKA_START_DATE` / `CKA_END_DATE`.
+ /// SQL backends ignore this call. Default: no-op.
+ async fn set_key_rotation_dates(
+ &self,
+ _uid: &str,
+ _start_date: Option,
+ _end_date: Option,
+ ) -> InterfaceResult<()> {
+ Ok(())
+ }
+
/// Count all objects that are **not** in a terminal (destroyed) state.
///
/// # Purpose — metrics only
diff --git a/crate/kmip/src/kmip_1_4/kmip_attributes.rs b/crate/kmip/src/kmip_1_4/kmip_attributes.rs
index 8f7022d388..d5d82fe70a 100644
--- a/crate/kmip/src/kmip_1_4/kmip_attributes.rs
+++ b/crate/kmip/src/kmip_1_4/kmip_attributes.rs
@@ -961,6 +961,7 @@ impl TryFrom for Attribute {
| kmip_2_1::kmip_attributes::Attribute::ProtectionPeriod(_)
| kmip_2_1::kmip_attributes::Attribute::ProtectionStorageMasks(_)
| kmip_2_1::kmip_attributes::Attribute::QuantumSafe(_)
+ | kmip_2_1::kmip_attributes::Attribute::RotateAutomatic(_)
| kmip_2_1::kmip_attributes::Attribute::RotateDate(_)
| kmip_2_1::kmip_attributes::Attribute::RotateGeneration(_)
| kmip_2_1::kmip_attributes::Attribute::RotateInterval(_)
diff --git a/crate/kmip/src/kmip_1_4/kmip_operations.rs b/crate/kmip/src/kmip_1_4/kmip_operations.rs
index 6078ea81bb..5d8dd385ba 100644
--- a/crate/kmip/src/kmip_1_4/kmip_operations.rs
+++ b/crate/kmip/src/kmip_1_4/kmip_operations.rs
@@ -274,7 +274,7 @@ pub struct ReKey {
pub unique_identifier: String,
/// Offset from the initialization date of the new key
#[serde(skip_serializing_if = "Option::is_none")]
- pub offset: Option,
+ pub offset: Option,
/// Template attributes for the new key
#[serde(skip_serializing_if = "Option::is_none")]
pub template_attribute: Option,
@@ -322,7 +322,7 @@ pub struct ReKeyKeyPair {
pub private_key_unique_identifier: String,
/// Offset from the initialization date of the new key pair
#[serde(skip_serializing_if = "Option::is_none")]
- pub offset: Option,
+ pub offset: Option,
/// Common template attributes for both public and private key
#[serde(skip_serializing_if = "Option::is_none")]
pub common_template_attribute: Option,
@@ -479,12 +479,19 @@ pub struct CertifyResponse {
/// 4.8 Re-certify
/// This operation requests the server to generate a new Certificate object for an existing public key.
+/// Per KMIP 1.4 §4.8 Table 188, all fields are optional.
#[derive(Serialize, Deserialize, Clone, PartialEq, Eq)]
#[serde(rename_all = "PascalCase")]
pub struct ReCertify {
- pub unique_identifier: String,
- pub certificate_request_type: CertificateRequestType,
- pub certificate_request_value: Vec,
+ /// If omitted, then the ID Placeholder value is used by the server.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub unique_identifier: Option,
+ /// REQUIRED if the Certificate Request is present.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub certificate_request_type: Option,
+ /// A Byte String object with the certificate request.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub certificate_request_value: Option>,
#[serde(skip_serializing_if = "Option::is_none")]
pub template_attribute: Option,
}
@@ -498,6 +505,54 @@ pub struct ReCertifyResponse {
pub template_attribute: Option,
}
+impl From for kmip_2_1::kmip_operations::ReCertify {
+ fn from(recertify: ReCertify) -> Self {
+ let cert_req_type = recertify.certificate_request_type.map(|t| match t {
+ CertificateRequestType::CRMF => kmip_2_1::kmip_types::CertificateRequestType::CRMF,
+ CertificateRequestType::PKCS10 => kmip_2_1::kmip_types::CertificateRequestType::PKCS10,
+ CertificateRequestType::PEM => kmip_2_1::kmip_types::CertificateRequestType::PEM,
+ });
+ Self {
+ unique_identifier: recertify.unique_identifier.map(Into::into),
+ certificate_request_type: cert_req_type,
+ certificate_request_value: recertify.certificate_request_value,
+ offset: None,
+ attributes: recertify.template_attribute.map(Into::into),
+ protection_storage_masks: None,
+ }
+ }
+}
+
+impl TryFrom for ReCertifyResponse {
+ type Error = KmipError;
+
+ fn try_from(value: kmip_2_1::kmip_operations::ReCertifyResponse) -> Result {
+ Ok(Self {
+ unique_identifier: value.unique_identifier.to_string(),
+ template_attribute: None,
+ })
+ }
+}
+
+impl From for ReCertify {
+ fn from(recertify: kmip_2_1::kmip_operations::ReCertify) -> Self {
+ // Per KMIP 1.4 §4.8 Table 188, all fields are optional.
+ // Certificate Request Type is "REQUIRED if the Certificate Request is present".
+ let cert_req_type = recertify.certificate_request_type.map(|t| match t {
+ kmip_2_1::kmip_types::CertificateRequestType::CRMF => CertificateRequestType::CRMF,
+ kmip_2_1::kmip_types::CertificateRequestType::PKCS10 => CertificateRequestType::PKCS10,
+ kmip_2_1::kmip_types::CertificateRequestType::PEM => CertificateRequestType::PEM,
+ });
+ Self {
+ unique_identifier: recertify.unique_identifier.map(|u| u.to_string()),
+ certificate_request_type: cert_req_type,
+ certificate_request_value: recertify.certificate_request_value,
+ template_attribute: None,
+ // KMIP 1.4 does not support offset; it is dropped during downgrade.
+ }
+ }
+}
+
/// 4.9 Locate
/// This operation requests that the server search for one or more Managed Objects.
#[derive(Serialize, Deserialize, Clone, PartialEq, Eq)]
@@ -2647,9 +2702,7 @@ impl TryFrom for kmip_2_1::kmip_operations::Operation {
// }
// Operation::Poll(poll) => Self::Poll(poll.into()),
Operation::Query(query) => Self::Query(query.into()),
- // Operation::ReCertify(recertify) => {
- // Self::ReCertify(recertify.into())
- // }
+ Operation::ReCertify(recertify) => Self::ReCertify(Box::new(recertify.into())),
// Operation::Recover(recover) => {
// Self::Recover(recover.into())
// }
@@ -2803,9 +2856,9 @@ impl TryFrom for Operation {
(*query_response).try_into().context("QueryResponse")?,
))
}
- // Operation::ReCertifyResponse(recertify_response) => {
- // Self::ReCertifyResponse(recertify_response.into())
- // }
+ kmip_2_1::kmip_operations::Operation::ReCertifyResponse(recertify_response) => {
+ Self::ReCertifyResponse(recertify_response.try_into().context("ReCertifyResponse")?)
+ }
// Operation::RecoverResponse(recover_response) => {
// Self::RecoverResponse(recover_response.into())
// }
diff --git a/crate/kmip/src/kmip_2_1/kmip_attributes.rs b/crate/kmip/src/kmip_2_1/kmip_attributes.rs
index ffcbc027f0..972b348c60 100644
--- a/crate/kmip/src/kmip_2_1/kmip_attributes.rs
+++ b/crate/kmip/src/kmip_2_1/kmip_attributes.rs
@@ -366,6 +366,12 @@ pub struct Attributes {
#[serde(skip_serializing_if = "Option::is_none")]
pub revocation_reason: Option,
+ /// If set to True, specifies the Managed Object will be automatically rotated by the server
+ /// using the Rotate Interval via the equivalent of the `ReKey`, `ReKeyKeyPair` or `ReCertify`
+ /// operation performed by the server (KMIP 2.1 §4.48).
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub rotate_automatic: Option,
+
/// The Rotate Date attribute specifies the date and time for the last rotation
/// of a Managed Cryptographic Object. The Rotate Date attribute SHALL be set by
/// the server when the Rotate operation successfully completes.
@@ -381,11 +387,10 @@ pub struct Attributes {
/// The Rotate Interval attribute specifies the interval between rotations of a
/// Managed Cryptographic Object, measured in seconds.
#[serde(skip_serializing_if = "Option::is_none")]
- pub rotate_interval: Option,
+ pub rotate_interval: Option,
- /// The Rotate Latest attribute is a Boolean that indicates whether the latest
- /// rotation time should be recalculated based on the Rotation Interval and
- /// the Initial Date.
+ /// If set to True, specifies the Managed Object is the most recent object of the set of
+ /// rotated Managed Objects. Set by the server when the object is rotated (KMIP 2.1 §4.52).
#[serde(skip_serializing_if = "Option::is_none")]
pub rotate_latest: Option,
@@ -399,7 +404,7 @@ pub struct Attributes {
/// Date and the Rotation Date of a Managed Cryptographic Object, measured in
/// seconds.
#[serde(skip_serializing_if = "Option::is_none")]
- pub rotate_offset: Option,
+ pub rotate_offset: Option,
/// If True then the server SHALL prevent the object value being retrieved
/// (via the Get operation) unless it is wrapped by another key. The server
@@ -728,6 +733,7 @@ impl Attributes {
merge_option_field!(quantum_safe);
merge_option_field!(random_number_generator);
merge_option_field!(revocation_reason);
+ merge_option_field!(rotate_automatic);
merge_option_field!(rotate_date);
merge_option_field!(rotate_generation);
merge_option_field!(rotate_interval);
@@ -946,6 +952,9 @@ impl Display for Attributes {
if let Some(value) = &self.revocation_reason {
writeln!(f, " Revocation Reason: {value}")?;
}
+ if let Some(value) = &self.rotate_automatic {
+ writeln!(f, " Rotate Automatic: {value}")?;
+ }
if let Some(value) = &self.rotate_date {
writeln!(f, " Rotate Date: {value}")?;
}
@@ -1238,6 +1247,10 @@ pub enum Attribute {
/// Managed Object was revoked.
RevocationReason(RevocationReason),
+ /// If set to True, specifies the Managed Object will be automatically rotated by the server
+ /// using the Rotate Interval (KMIP 2.1 §4.48).
+ RotateAutomatic(bool),
+
/// The Rotate Date attribute specifies the date and time for the last rotation
/// of a Managed Cryptographic Object. The Rotate Date attribute SHALL be set by
/// the server when the Rotate operation successfully completes.
@@ -1250,11 +1263,10 @@ pub enum Attribute {
/// The Rotate Interval attribute specifies the interval between rotations of a
/// Managed Cryptographic Object, measured in seconds.
- RotateInterval(i32),
+ RotateInterval(i64),
- /// The Rotate Latest attribute is a Boolean that indicates whether the latest
- /// rotation time should be recalculated based on the Rotation Interval and
- /// the Initial Date.
+ /// If set to True, specifies the Managed Object is the most recent object of the set of
+ /// rotated Managed Objects (KMIP 2.1 §4.52). Set by the server; not modifiable by client.
RotateLatest(bool),
/// The Rotate Name attribute specifies the name of the rotation. This attribute
@@ -1265,7 +1277,7 @@ pub enum Attribute {
/// The Rotate Offset attribute specifies the time offset between the Creation
/// Date and the Rotation Date of a Managed Cryptographic Object, measured in
/// seconds.
- RotateOffset(i32),
+ RotateOffset(i64),
/// If True then the server SHALL prevent the object value being retrieved (via the Get operation) unless it is
/// wrapped by another key. The server SHALL set the value to False if the value is not provided by the
@@ -1471,6 +1483,9 @@ impl From for Vec {
if let Some(revocation_reason) = attributes.revocation_reason {
vec.push(Attribute::RevocationReason(revocation_reason));
}
+ if let Some(rotate_automatic) = attributes.rotate_automatic {
+ vec.push(Attribute::RotateAutomatic(rotate_automatic));
+ }
if let Some(rotate_date) = attributes.rotate_date {
vec.push(Attribute::RotateDate(rotate_date));
}
@@ -1604,6 +1619,7 @@ impl From> for Attributes {
attrs.random_number_generator = Some(value);
}
Attribute::RevocationReason(value) => attrs.revocation_reason = Some(value),
+ Attribute::RotateAutomatic(value) => attrs.rotate_automatic = Some(value),
Attribute::RotateDate(value) => attrs.rotate_date = Some(value),
Attribute::RotateGeneration(value) => attrs.rotate_generation = Some(value),
Attribute::RotateInterval(value) => attrs.rotate_interval = Some(value),
diff --git a/crate/kmip/src/kmip_2_1/kmip_messages.rs b/crate/kmip/src/kmip_2_1/kmip_messages.rs
index 75d0e73646..0703673963 100644
--- a/crate/kmip/src/kmip_2_1/kmip_messages.rs
+++ b/crate/kmip/src/kmip_2_1/kmip_messages.rs
@@ -354,6 +354,9 @@ impl<'de> Deserialize<'de> for RequestMessageBatchItem {
OperationEnumeration::ReKeyKeyPair => {
Operation::ReKeyKeyPair(map.next_value()?)
}
+ OperationEnumeration::ReCertify => {
+ Operation::ReCertify(map.next_value()?)
+ }
x => {
return Err(de::Error::custom(format!(
"Request Message Batch Item: unsupported operation: {x:?}"
@@ -792,6 +795,9 @@ impl<'de> Deserialize<'de> for ResponseMessageBatchItem {
OperationEnumeration::ReKeyKeyPair => {
Operation::ReKeyKeyPairResponse(map.next_value()?)
}
+ OperationEnumeration::ReCertify => {
+ Operation::ReCertifyResponse(map.next_value()?)
+ }
x => {
return Err(de::Error::custom(format!(
"KMIP 2 response message payload: unsupported operation: \
diff --git a/crate/kmip/src/kmip_2_1/kmip_objects.rs b/crate/kmip/src/kmip_2_1/kmip_objects.rs
index 407637ab8e..e0b6d49ffd 100644
--- a/crate/kmip/src/kmip_2_1/kmip_objects.rs
+++ b/crate/kmip/src/kmip_2_1/kmip_objects.rs
@@ -16,12 +16,13 @@ use strum::{Display, VariantNames};
use super::kmip_operations::Base64Display;
use super::{
kmip_attributes::Attributes,
- kmip_data_structures::{KeyBlock, KeyWrappingData},
- kmip_types::{CertificateRequestType, OpaqueDataType, SplitKeyMethod},
+ kmip_data_structures::{KeyBlock, KeyWrappingData, KeyWrappingSpecification},
+ kmip_types::{CertificateRequestType, Digest, OpaqueDataType, SplitKeyMethod},
};
use crate::{
error::KmipError,
- kmip_0::kmip_types::{CertificateType, ErrorReason, SecretDataType},
+ kmip_0::kmip_types::{CertificateType, ErrorReason, SecretDataType, State},
+ time_normalize,
};
/// A Managed Cryptographic Object that is a digital certificate.
@@ -421,6 +422,78 @@ impl Object {
self.key_block()
.is_ok_and(|kb| kb.key_wrapping_data.is_some())
}
+
+ /// Returns the UID of the wrapping (encryption) key embedded in this
+ /// object's `KeyWrappingData`, or `None` if the object is not wrapped.
+ #[must_use]
+ pub fn wrapping_key_uid(&self) -> Option {
+ self.key_wrapping_data()
+ .and_then(|kwd| kwd.encryption_key_information.as_ref())
+ .map(|eki| eki.unique_identifier.to_string())
+ }
+
+ /// Build a [`KeyWrappingSpecification`] from this object's `KeyWrappingData`.
+ ///
+ /// Returns `None` if the object has no key block or is not wrapped.
+ #[must_use]
+ pub fn rewrap_spec(&self) -> Option {
+ let kwd = self.key_wrapping_data()?;
+ Some(KeyWrappingSpecification {
+ wrapping_method: kwd.wrapping_method,
+ encryption_key_information: kwd.encryption_key_information.clone(),
+ mac_or_signature_key_information: kwd.mac_signature_key_information.clone(),
+ attribute_name: None,
+ encoding_option: kwd.encoding_option,
+ })
+ }
+
+ /// Initialize lifecycle attributes on a newly created or imported object.
+ ///
+ /// - No `requested_activation_date` → state `PreActive` (requires explicit
+ /// Activate call or auto-activation via `effective_state()`).
+ /// - `requested_activation_date` ≤ now → state `Active` immediately.
+ /// - `requested_activation_date` > now → state `PreActive`, date stored for
+ /// auto-transition by `effective_state()`.
+ ///
+ /// Sets `digest`, `initial_date`, `original_creation_date`,
+ /// `last_change_date`, and `object_type` on the object's embedded
+ /// attributes. Returns a clone of the final attributes.
+ ///
+ /// The caller must compute the `digest` externally (e.g. via
+ /// `openssl::sha::sha256`) and pass it in.
+ pub fn setup_lifecycle(
+ &mut self,
+ object_type: ObjectType,
+ requested_activation_date: Option,
+ digest: Option,
+ ) -> Result {
+ let now = time_normalize()?;
+ let attributes = self.attributes_mut()?;
+
+ // KMIP semantics: activation_date present and ≤ now → Active,
+ // otherwise PreActive (absent or future date).
+ let activation_allows_active = requested_activation_date.is_some_and(|d| d <= now);
+ let state = if activation_allows_active {
+ State::Active
+ } else {
+ State::PreActive
+ };
+
+ attributes.state = Some(state);
+ attributes.digest = digest;
+ attributes.object_type = Some(object_type);
+ attributes.initial_date = Some(now);
+ attributes.original_creation_date = Some(now);
+ attributes.last_change_date = Some(now);
+ if state == State::Active {
+ attributes.activation_date = Some(now);
+ } else if let Some(future_date) = requested_activation_date {
+ // PreActive with future date: store it so auto-transition works
+ attributes.activation_date = Some(future_date);
+ }
+
+ Ok(attributes.clone())
+ }
}
impl TryFrom<&[u8]> for Object {
diff --git a/crate/kmip/src/kmip_2_1/kmip_operations.rs b/crate/kmip/src/kmip_2_1/kmip_operations.rs
index 924711bc8f..287ba04ba1 100644
--- a/crate/kmip/src/kmip_2_1/kmip_operations.rs
+++ b/crate/kmip/src/kmip_2_1/kmip_operations.rs
@@ -193,6 +193,8 @@ pub enum Operation {
PKCS11Response(PKCS11Response),
Query(Query),
QueryResponse(Box),
+ ReCertify(Box),
+ ReCertifyResponse(ReCertifyResponse),
ReKey(ReKey),
ReKeyKeyPair(Box),
ReKeyKeyPairResponse(ReKeyKeyPairResponse),
@@ -277,6 +279,8 @@ impl Display for Operation {
Self::PKCS11Response(op) => write!(f, "{op}")?,
Self::Query(op) => write!(f, "{op}")?,
Self::QueryResponse(op) => write!(f, "{op}")?,
+ Self::ReCertify(op) => write!(f, "{op}")?,
+ Self::ReCertifyResponse(op) => write!(f, "{op}")?,
Self::ReKey(op) => write!(f, "{op}")?,
Self::ReKeyKeyPair(op) => write!(f, "{op}")?,
Self::ReKeyKeyPairResponse(op) => write!(f, "{op}")?,
@@ -333,6 +337,7 @@ impl Operation {
| Self::ModifyAttributeResponse(_)
| Self::PKCS11Response(_)
| Self::QueryResponse(_)
+ | Self::ReCertifyResponse(_)
| Self::ReKeyKeyPairResponse(_)
| Self::ReKeyResponse(_)
| Self::RegisterResponse(_)
@@ -393,6 +398,7 @@ impl Operation {
}
Self::PKCS11(_) | Self::PKCS11Response(_) => OperationEnumeration::PKCS11,
Self::Query(_) | Self::QueryResponse(_) => OperationEnumeration::Query,
+ Self::ReCertify(_) | Self::ReCertifyResponse(_) => OperationEnumeration::ReCertify,
Self::Register(_) | Self::RegisterResponse(_) => OperationEnumeration::Register,
Self::ReKey(_) | Self::ReKeyResponse(_) => OperationEnumeration::ReKey,
Self::ReKeyKeyPair(_) | Self::ReKeyKeyPairResponse(_) => {
@@ -701,7 +707,7 @@ pub enum InteropFunction {
/// `OperationUndone` in the response, potentially including only the Unique Identifier
/// in the payload as per the KMIP profiles.
///
-/// Reference: #_`Toc6497533L`
+/// Reference:
#[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
#[serde(rename_all = "PascalCase")]
pub struct Check {
@@ -1021,6 +1027,66 @@ pub struct CertifyResponse {
impl_display!(CertifyResponse, "CertifyResponse", { req unique_identifier });
+/// `ReCertify`
+///
+/// This operation requests the server to generate a new certificate for an
+/// existing public key whose certificate has expired or is about to expire.
+/// The request contains the Unique Identifier of the existing certificate to be
+/// renewed, an optional certificate request, and optional attributes for the new
+/// certificate.
+///
+/// The server creates a new Certificate object with a fresh Unique Identifier,
+/// sets a `ReplacedObjectLink` on the new certificate pointing to the old one,
+/// and sets a `ReplacementObjectLink` on the old certificate pointing to the new one.
+///
+/// KMIP 2.1 §6.1.45 / KMIP 1.4 §4.8
+#[derive(Clone, Default, Serialize, Deserialize, PartialEq, Eq, Debug)]
+#[serde(rename_all = "PascalCase")]
+pub struct ReCertify {
+ /// The Unique Identifier of the Certificate being renewed.
+ /// If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub unique_identifier: Option,
+ /// An Enumeration object specifying the type of certificate request.
+ /// Required if Certificate Request Value is present.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub certificate_request_type: Option,
+ /// A Byte String object with the certificate request.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub certificate_request_value: Option>,
+ /// An Offset MAY be used to indicate the difference between the Initial Date
+ /// and the Activation Date of the new certificate. Per KMIP 2.1 §6.1.45,
+ /// the new certificate's Activation Date = Initial Date + Offset.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub offset: Option,
+ /// Specifies desired attributes to be associated with the new certificate.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub attributes: Option,
+ /// Specifies all permissible Protection Storage Mask selections for the new
+ /// object.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub protection_storage_masks: Option,
+}
+
+impl_display!(ReCertify, "ReCertify", {
+ opt unique_identifier,
+ opt certificate_request_type,
+ opt_b64 certificate_request_value,
+ opt offset,
+ opt attributes,
+ opt protection_storage_masks,
+});
+
+/// Response to a `ReCertify` request.
+#[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
+#[serde(rename_all = "PascalCase")]
+pub struct ReCertifyResponse {
+ /// The Unique Identifier of the newly created replacement certificate.
+ pub unique_identifier: UniqueIdentifier,
+}
+
+impl_display!(ReCertifyResponse, "ReCertifyResponse", { req unique_identifier });
+
/// Create
///
/// This operation requests the server to generate a new symmetric key or
@@ -2477,7 +2543,7 @@ pub struct ReKey {
// An Interval object indicating the difference between the Initial Date and the Activation Date of the replacement key to be created.
#[serde(skip_serializing_if = "Option::is_none")]
- pub offset: Option,
+ pub offset: Option,
/// Specifies desired attributes to be associated with the new object.
#[serde(skip_serializing_if = "Option::is_none")]
@@ -2542,7 +2608,7 @@ pub struct ReKeyKeyPair {
// An Interval object indicating the difference between the Initial Date and the Activation
// Date of the replacement key pair to be created.
#[serde(skip_serializing_if = "Option::is_none")]
- pub offset: Option,
+ pub offset: Option,
// Specifies desired attributes that apply to both the Private and Public Key Objects.
#[serde(skip_serializing_if = "Option::is_none")]
diff --git a/crate/kmip/src/kmip_2_1/requests/create_key_pair.rs b/crate/kmip/src/kmip_2_1/requests/create_key_pair.rs
index a3ddda49f3..0a6af83a80 100644
--- a/crate/kmip/src/kmip_2_1/requests/create_key_pair.rs
+++ b/crate/kmip/src/kmip_2_1/requests/create_key_pair.rs
@@ -74,6 +74,7 @@ pub fn create_rsa_key_pair_request>>(
object_type: Some(ObjectType::PrivateKey),
unique_identifier: private_key_id,
sensitive: sensitive.then_some(true),
+ activation_date: Some(time_normalize()?),
..Attributes::default()
};
@@ -85,6 +86,7 @@ pub fn create_rsa_key_pair_request>>(
cryptographic_usage_mask: Some(public_key_mask),
key_format_type: Some(KeyFormatType::TransparentRSAPrivateKey),
object_type: Some(ObjectType::PrivateKey),
+ activation_date: Some(time_normalize()?),
..Attributes::default()
};
@@ -217,7 +219,6 @@ pub fn create_ec_key_pair_request>>(
unique_identifier: private_key_id,
sensitive: sensitive.then_some(true),
activation_date: Some(time_normalize()?),
-
..Attributes::default()
};
@@ -233,7 +234,6 @@ pub fn create_ec_key_pair_request>>(
key_format_type: Some(KeyFormatType::TransparentECPublicKey),
object_type: Some(ObjectType::PublicKey),
activation_date: Some(time_normalize()?),
-
..Attributes::default()
};
diff --git a/crate/server/src/config/command_line/clap_config.rs b/crate/server/src/config/command_line/clap_config.rs
index 91cb97339c..5ff1ce75ba 100644
--- a/crate/server/src/config/command_line/clap_config.rs
+++ b/crate/server/src/config/command_line/clap_config.rs
@@ -71,6 +71,8 @@ impl Default for ClapConfig {
aws_xks_config: AwsXksConfig::default(),
kmip_policy: KmipPolicyConfig::default(),
azure_ekm_config: AzureEkmConfig::default(),
+ auto_rotation_check_interval_secs: 0,
+ keyset_warn_depth: 5,
secret_backends: SecretBackendConfig::default(),
}
}
@@ -216,6 +218,19 @@ pub struct ClapConfig {
#[serde(rename = "kmip")]
pub kmip_policy: KmipPolicyConfig,
+ /// Interval in seconds between background auto-rotation checks.
+ /// Set to 0 (default) to disable the auto-rotation background task.
+ /// When enabled, must be at least 60 seconds to avoid excessive database churn.
+ #[clap(long, default_value = "0", verbatim_doc_comment)]
+ pub auto_rotation_check_interval_secs: u64,
+
+ /// Depth at which a successful keyset chain decryption triggers a server-side warning.
+ /// Keyset chain traversal is unbounded (stopped only by cycle detection);
+ /// this threshold emits a warning log so operators can flag stale ciphertexts.
+ /// Default: 5.
+ #[clap(long, default_value = "5", verbatim_doc_comment)]
+ pub keyset_warn_depth: u32,
+
/// Authentication credentials for secret URI resolution backends.
///
/// These are provided via CLI flags or environment variables only —
@@ -681,6 +696,11 @@ impl fmt::Debug for ClapConfig {
x.field("aws_xks_enable", &self.aws_xks_config.aws_xks_enable)
};
let x = x.field("kmip", &self.kmip_policy);
+ let x = x.field(
+ "auto_rotation_check_interval_secs",
+ &self.auto_rotation_check_interval_secs,
+ );
+ let x = x.field("keyset_warn_depth", &self.keyset_warn_depth);
x.finish()
}
diff --git a/crate/server/src/config/params/server_params.rs b/crate/server/src/config/params/server_params.rs
index 4acc2f59a4..1e0535c22d 100644
--- a/crate/server/src/config/params/server_params.rs
+++ b/crate/server/src/config/params/server_params.rs
@@ -167,6 +167,17 @@ pub struct ServerParams {
/// Client-supplied `MaximumItems` is clamped to this value; when absent the cap is
/// applied automatically. Prevents unbounded DB queries and large response payloads.
pub max_locate_items: u32,
+
+ /// Interval in seconds between background auto-rotation checks.
+ /// 0 means disabled.
+ pub auto_rotation_check_interval_secs: u64,
+
+ /// Depth at which a successful keyset chain decryption triggers a warning.
+ /// Keyset chain traversal is unbounded (stopped only by cycle detection); this
+ /// threshold lets operators know when a ciphertext required walking many
+ /// generations to decrypt — a hint that re-encryption with the latest key may
+ /// be beneficial.
+ pub keyset_warn_depth: u32,
}
/// Represents the server parameters.
@@ -432,6 +443,19 @@ impl ServerParams {
crate::config::default_cors_origins(cors_scheme, conf.http.port)
}),
max_locate_items: 1000,
+ auto_rotation_check_interval_secs: {
+ let v = conf.auto_rotation_check_interval_secs;
+ // 0 means disabled; any non-zero value must be at least 60 seconds to avoid
+ // hammering the database with high-frequency key-rotation scans.
+ if v > 0 && v < 60 {
+ return Err(KmsError::ServerError(format!(
+ "auto_rotation_check_interval_secs must be 0 (disabled) or at least 60 \
+ seconds; {v} is too small and would cause excessive database churn"
+ )));
+ }
+ v
+ },
+ keyset_warn_depth: conf.keyset_warn_depth,
};
debug!("{res:#?}");
@@ -656,6 +680,11 @@ impl fmt::Debug for ServerParams {
debug_struct.field("rate_limit_per_second", &self.rate_limit_per_second);
debug_struct.field("cors_allowed_origins", &self.cors_allowed_origins);
debug_struct.field("max_locate_items", &self.max_locate_items);
+ debug_struct.field(
+ "auto_rotation_check_interval_secs",
+ &self.auto_rotation_check_interval_secs,
+ );
+ debug_struct.field("keyset_warn_depth", &self.keyset_warn_depth);
debug_struct.finish()
}
diff --git a/crate/server/src/core/cover_crypt/create_user_decryption_key.rs b/crate/server/src/core/cover_crypt/create_user_decryption_key.rs
index 2a57d05cad..666671fcc2 100644
--- a/crate/server/src/core/cover_crypt/create_user_decryption_key.rs
+++ b/crate/server/src/core/cover_crypt/create_user_decryption_key.rs
@@ -34,7 +34,6 @@ pub(crate) async fn create_user_decryption_key(
create_request: &Create,
owner: &str,
sensitive: bool,
- privileged_users: Option>,
) -> KResult