feat: Oracle TDE - support wallet migration + clarify doc #912
Merged
- cargo_test.ps1: exclude cosmian_pkcs11_verify from --workspace run to prevent STATUS_STACK_BUFFER_OVERRUN crash caused by a race between the DLL's tokio worker threads and Windows FreeLibrary() when multiple test binaries run in parallel; run cosmian_pkcs11_verify separately in isolation (passes reliably); remove the Get-ChildItem diagnostic line that could fail in vcpkg manifest mode
- test_ui.ps1: use RUNNER_TEMP (with local fallback) and kms-stdout.log / kms-stderr.log filenames to match the Upload logs on failure workflow step
…c/core and esbuild build scripts (pnpm v10)
Features
PKCS#11
- cosmian_pkcs11_verify diagnostic binary (crate/clients/pkcs11/loader) that dynamically loads libcosmian_pkcs11.so via libloading and validates ckms.toml loading and KMS server reachability through the standard PKCS#11 C API (C_GetFunctionList → C_Initialize → C_GetSlotList → C_OpenSession → C_FindObjects per class → C_Finalize)
- cosmian_pkcs11 deb/rpm packaging with a signed cross-platform ZIP archive (cosmian-pkcs11-<variant>-<link-suffix>_<version>_<os>-<arch>.zip) containing libcosmian_pkcs11.{so,dylib}, cosmian_pkcs11_verify, and the public signing key; ZIP is built by .github/scripts/package/package_pkcs11_zip.sh, signed with GPG, and published to package.cosmian.com via the pkcs11-zip package type in the CI matrix
- cosmian_pkcs11_verify: passing --token <JWT> causes a C_Login(CKU_USER, pin=<JWT>) call after C_OpenSession, enabling verification of KMS servers configured with pkcs11_use_pin_as_access_token = true; the token may also be supplied via the COSMIAN_PKCS11_TOKEN environment variable
- CKF_WRITE_PROTECTED from the token info flags in C_GetTokenInfo (Oracle checks this flag before calling C_GenerateKey during ADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY … MIGRATE); add CKM_AES_KEY_GEN, CKM_AES_CBC, CKM_AES_CBC_PAD to the supported mechanism list; return correct flags in C_GetMechanismInfo (CKF_GENERATE for CKM_AES_KEY_GEN, CKF_ENCRYPT | CKF_DECRYPT for AES-CBC variants)
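
Added example, not part of the pull request or the project's code: a pre-migration check over the values a PKCS#11 client reads back from C_GetTokenInfo and C_GetMechanismInfo, reporting each condition from the last item above that is not met. `TokenSnapshot` and `migration_blockers` are hypothetical names, the constants are the PKCS#11 v2.40 header values, and treating a set CKF_WRITE_PROTECTED as a blocker is an assumption drawn from the note that Oracle checks that flag before calling C_GenerateKey.

```rust
// Values from the PKCS#11 v2.40 headers.
const CKF_WRITE_PROTECTED: u64 = 0x0000_0002; // CK_TOKEN_INFO.flags
const CKF_ENCRYPT: u64 = 0x0000_0100; // CK_MECHANISM_INFO.flags
const CKF_DECRYPT: u64 = 0x0000_0200;
const CKF_GENERATE: u64 = 0x0000_8000;
const CKM_AES_KEY_GEN: u64 = 0x0000_1080;
const CKM_AES_CBC: u64 = 0x0000_1082;
const CKM_AES_CBC_PAD: u64 = 0x0000_1085;

/// Hypothetical snapshot of what the module returned to the caller.
pub struct TokenSnapshot {
    pub token_flags: u64,
    /// (mechanism type, CK_MECHANISM_INFO.flags) pairs
    pub mechanisms: Vec<(u64, u64)>,
}

/// One message per unmet condition; an empty result means none was found.
pub fn migration_blockers(snap: &TokenSnapshot) -> Vec<String> {
    let mut out = Vec::new();
    if (snap.token_flags & CKF_WRITE_PROTECTED) != 0 {
        out.push("token reports CKF_WRITE_PROTECTED".to_string());
    }
    let required = [
        ("CKM_AES_KEY_GEN", CKM_AES_KEY_GEN, CKF_GENERATE),
        ("CKM_AES_CBC", CKM_AES_CBC, CKF_ENCRYPT | CKF_DECRYPT),
        ("CKM_AES_CBC_PAD", CKM_AES_CBC_PAD, CKF_ENCRYPT | CKF_DECRYPT),
    ];
    for (name, mech, want) in required {
        match snap.mechanisms.iter().find(|(m, _)| *m == mech) {
            None => out.push(format!("{} missing from mechanism list", name)),
            Some(&(_, flags)) if (flags & want) != want => {
                out.push(format!("{} lacks flags {:#x}", name, want & !flags))
            }
            Some(_) => {}
        }
    }
    out
}

fn main() {
    // Constructed sample: initialized but write-protected token (0x402)
    // that advertises AES-CBC as encrypt-only.
    let sample = TokenSnapshot {
        token_flags: 0x0000_0402,
        mechanisms: vec![(CKM_AES_CBC, CKF_ENCRYPT)],
    };
    for b in migration_blockers(&sample) {
        println!("BLOCKER: {}", b);
    }
}
```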