Merge branch 'release/v10.0.0'

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
       subcommands: |
         python3 scripts/download_wasm.py
         npm install
-      kms-version: 4.11.3
+      kms-version: 4.13.0
       findex-cloud-version: 0.3.1
 
   lint:
@@ -34,7 +34,7 @@ jobs:
     with:
       subcommands: |
         npm test
-      kms-version: 4.11.3
+      kms-version: 4.13.0
       kms-jwe-key:
         '{"kty": "OKP","d": "MPEVJwdRqGM_qhJOUb5hR0Xr9EvwMLZGnkf-eDj5fU8","use": "enc","crv": "X25519","kid": "DX3GC+Fx3etxfRJValQNbqaB0gs=","x":
         "gdF-1TtAjsFqNWr9nwhGUlFG38qrDUqYgcILgtYrpTY","alg": "ECDH-ES"}'
@@ -48,19 +48,19 @@ jobs:
     needs: test
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_kms_js.yml@develop
     with:
-      branch: v3.1.2
-      kms-version: 4.11.3
+      branch: develop
+      kms-version: ghcr.io/cosmian/kms:4.13.0
 
   cloudproof_java:
     needs: test
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_java_in_docker.yml@develop
     with:
-      branch: fix/kmip_serialization
+      branch: develop
       target: x86_64-unknown-linux-gnu
       extension: so
       destination: linux-x86-64
       os: ubuntu-20.04
-      kms-version: 4.11.3
+      kms-version: ghcr.io/cosmian/kms:4.13.0
       findex-cloud-version: 0.3.1
       copy_fresh_build: false
       copy_regression_files: |
@@ -74,7 +74,7 @@ jobs:
     with:
       branch: develop
       target: x86_64-unknown-linux-gnu
-      kms-version: 4.11.3
+      kms-version: ghcr.io/cosmian/kms:4.13.0
       findex-cloud-version: 0.3.1
       copy_fresh_build: false
       copy_regression_files: |
@@ -107,7 +107,7 @@ jobs:
         sleep 5
         cd ../test
         node chrome.mjs http://localhost:8090 http://kms:9998
-      kms-version: 4.11.3
+      kms-version: 4.13.0
       findex-cloud-version: 0.3.1
 
   example_reactjs:
@@ -123,7 +123,7 @@ jobs:
         sleep 5
         cd ../test
         node chrome.mjs http://localhost:8090 http://kms:9998
-      kms-version: 4.11.3
+      kms-version: 4.13.0
       findex-cloud-version: 0.3.1
 
   example_browser:
@@ -137,7 +137,7 @@ jobs:
         python3 -m http.server &
         sleep 3
         node test.mjs
-      kms-version: 4.11.3
+      kms-version: 4.13.0
       findex-cloud-version: 0.3.1
 
   example_webpack:
@@ -159,7 +159,7 @@ jobs:
         cd examples/nodejs
         npm install
         node test.mjs 10
-      kms-version: 4.11.3
+      kms-version: 4.13.0
       findex-cloud-version: 0.3.1
     secrets: inherit
 

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file.
 
+## [10.0.0] - 2024-03-13
+
+### Features
+
+- Upgrade to CoverCrypt `14.0.0`:
+  - Support Covercrypt KMS edit policy capability
+  - Replace KMS `rotate` with `rekey` and `prune`
+
 ## [9.7.0] - 2024-01-29
 
 ### Features

docker-compose.yml

@@ -5,7 +5,7 @@ version: "3"
 services:
   kms:
     container_name: kms
-    image: ghcr.io/cosmian/kms:4.11.3
+    image: ghcr.io/cosmian/kms:4.13.0
     ports:
       - 9998:9998
     environment:

examples/webpack/index.js

@@ -30,7 +30,10 @@ const policy = new Policy([
     ],
     false,
   ),
-])(async () => {
+])
+
+// TODO: check if this function is actually tested
+await (async () => {
   const client = new KmsClient(
     `http://${process.env.KMS_HOST || "localhost"}:9998`,
   )
@@ -176,7 +179,7 @@ const policy = new Policy([
     await client.retrieveCoverCryptUserDecryptionKey(mediumSecretMkgUserKeyUid)
 
   // Now revoke the MKG attribute - all active keys will be rekeyed
-  client.rotateCoverCryptAttributes(privateMasterKeyUID, ["Department::MKG"])
+  client.rekeyCoverCryptAccessPolicy(privateMasterKeyUID, ["Department::MKG"])
 
   // retrieve the rekeyed public key
   const rekeyedPublicKey = await client.retrieveCoverCryptPublicMasterKey(

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cloudproof_js",
-  "version": "9.7.0",
+  "version": "10.0.0",
   "license": "MIT",
   "description": "Cosmian Cloudproof javascript client library",
   "author": "Bruno Grieder<[email protected]>, Pauline Hochard<[email protected]>, Emmanuel Coste<[email protected]>, Thibaud Dauce<[email protected]>",
@@ -41,7 +41,7 @@
   "dependencies": {
     "base64-js": "^1.5.1",
     "better-sqlite3": "^8.0.1",
-    "cloudproof_kms_js": "3.1.2",
+    "cloudproof_kms_js": "4.0.0",
     "dotenv": "^16.3.1",
     "jose": "^4.14.4",
     "process": "^0.11.10",

scripts/download_wasm.py

@@ -71,6 +71,6 @@ def download_wasm(version: str) -> bool:
 
 
 if __name__ == '__main__':
-    RET = download_wasm('v2.4.0')
+    RET = download_wasm('v3.0.0')
     if RET is False and getenv('GITHUB_ACTIONS'):
-        download_wasm('last_build/fix/rename_findex_traits')
+        download_wasm('last_build/feature/covercrypt_rekey')

src/cover_crypt/init.ts

@@ -6,7 +6,6 @@ import {
   CoverCryptKeyGeneration,
   generateMasterKeys,
   generateUserSecretKey,
-  rotateAttributes,
 } from "./key_generation"
 
 let initialized: Promise<void> | undefined
@@ -35,7 +34,6 @@ export async function CoverCrypt() {
 
     generateMasterKeys,
     generateUserSecretKey,
-    rotateAttributes,
 
     CoverCryptKeyGeneration,
     CoverCryptHybridDecryption,

src/cover_crypt/key_generation.ts

@@ -2,7 +2,6 @@
 import {
   webassembly_generate_master_keys,
   webassembly_generate_user_secret_key,
-  webassembly_rotate_attributes,
 } from "../pkg/cover_crypt/cloudproof_cover_crypt"
 import { fromBeBytes } from "../utils/utils"
 import { Policy } from "./interfaces/policy"
@@ -63,19 +62,6 @@ export class CoverCryptKeyGeneration {
   ): Uint8Array {
     return generateUserSecretKey(masterSecretKeyBytes, accessPolicy, policy)
   }
-
-  /**
-   * Rotate attributes in the given policy
-   *
-   * Note: this does NOT refresh the keys
-   * @param {string[]} attributes to rotate
-   * e.g. ["Department::MKG" , "Department::FIN"]
-   * @param {Policy} policy the policy
-   * @returns {Policy} the updated policy
-   */
-  public rotateAttributes(attributes: string[], policy: Policy): Policy {
-    return rotateAttributes(attributes, policy)
-  }
 }
 
 /**
@@ -113,21 +99,3 @@ export function generateUserSecretKey(
 
   return userSecretKey
 }
-
-/**
- * Rotate attributes in the given policy
- *
- * Note: this does NOT refresh the keys
- * @param {string[]} attributes to rotate
- * e.g. ["Department::MKG" , "Department::FIN"]
- * @param {Policy} policy the policy
- * @returns {Policy} the updated policy
- */
-export function rotateAttributes(attributes: string[], policy: Policy): Policy {
-  const newPolicyBytes = webassembly_rotate_attributes(
-    attributes,
-    policy.toBytes(),
-  )
-
-  return Policy.fromBytes(newPolicyBytes)
-}

tests/KMS.test.ts

@@ -361,17 +361,16 @@ test(
       expect(cleartext).toEqual(plaintext)
     }
 
-    // rotate
-    const rotatedPolicy = await client.rotateCoverCryptAttributes(mskID, [
-      "Department::FIN",
-      "Department::MKG",
-    ])
+    // rekey
+    await client.rekeyCoverCryptAccessPolicy(
+      mskID,
+      "Department::FIN || Department::MKG",
+    )
 
-    const rotatedMsk = await client.retrieveCoverCryptSecretMasterKey(mskID)
-    expect(rotatedMsk.bytes()).not.toEqual(msk.bytes())
-    const rotatedMpk = await client.retrieveCoverCryptPublicMasterKey(mpkID)
-    expect(rotatedMpk.bytes()).not.toEqual(mpk.bytes())
-    expect(policy.toBytes()).not.toEqual(rotatedPolicy.toBytes())
+    const rekeyedMsk = await client.retrieveCoverCryptSecretMasterKey(mskID)
+    expect(rekeyedMsk.bytes()).not.toEqual(msk.bytes())
+    const rekeyedMpk = await client.retrieveCoverCryptPublicMasterKey(mpkID)
+    expect(rekeyedMpk.bytes()).not.toEqual(mpk.bytes())
 
     // encryption
     const plaintext2 = new TextEncoder().encode("abcdefgh")
@@ -493,7 +492,7 @@ test(
 )
 
 test(
-  "Key rotation security when importing with tempered access policy",
+  "Key rekey security when importing with tempered access policy",
   async () => {
     const { Policy, PolicyAxis } = await CoverCrypt()
 
@@ -543,20 +542,16 @@ test(
       return await client?.coverCryptDecrypt(temperedUserKeyID, ciphertext)
     }).rejects.toThrow()
 
-    await client.rotateCoverCryptAttributes(mskID, ["Security::TopSecret"])
+    await client.rekeyCoverCryptAccessPolicy(mskID, "Security::TopSecret")
 
     await expect(async () => {
       return await client?.coverCryptDecrypt(userKeyID, ciphertext)
     }).rejects.toThrow()
 
-    // After rekeying, the temperedUserKey get access to new and old TopSecret key
-    {
-      const { plaintext } = await client.coverCryptDecrypt(
-        temperedUserKeyID,
-        ciphertext,
-      )
-      expect(plaintext).toEqual(plaintext)
-    }
+    // After rekeying, the temperedUserKey gains no access to TopSecret
+    await expect(async () => {
+      return await client.coverCryptDecrypt(temperedUserKeyID, ciphertext)
+    }).rejects.toThrow()
 
     const newCiphertext = await client.coverCryptEncrypt(
       mpkID,
@@ -568,18 +563,18 @@ test(
       return await client?.coverCryptDecrypt(userKeyID, newCiphertext)
     }).rejects.toThrow()
 
-    // TODO fix this bug, this should fail (cannot decrypt with the tempered user key)
-    // await expect(async () => {
-    //   return await client.coverCryptDecrypt(temperedUserKeyID, newCiphertext);
-    // }).rejects.toThrow()
+    // Cannot decrypt with the tempered user key)
+    await expect(async () => {
+      return await client.coverCryptDecrypt(temperedUserKeyID, newCiphertext)
+    }).rejects.toThrow()
   },
   {
     timeout: 30 * 1000,
   },
 )
 
 test(
-  "Decrypt old ciphertext after rotation",
+  "Decrypt old ciphertext after rekeying",
   async () => {
     const {
       CoverCryptHybridEncryption,
@@ -648,13 +643,10 @@ test(
       oldPlaintext,
     )
 
-    const newPolicyBytes = await client.rotateCoverCryptAttributes(mskID, [
-      "Security::Simple",
-    ])
-    const newPolicy = Policy.fromBytes(newPolicyBytes.toBytes())
+    await client.rekeyCoverCryptAccessPolicy(mskID, "Security::Simple")
     const newPublicKey = await client.retrieveCoverCryptPublicMasterKey(mpkID)
     const newLocalEncryption = new CoverCryptHybridEncryption(
-      newPolicy,
+      policy,
       newPublicKey.bytes(),
     )
     expect(newPublicKey.bytes()).not.toEqual(oldPublicKey.bytes())