diff --git a/Cargo.lock b/Cargo.lock index 6b1002be..29bf6c17 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1095,10 +1095,11 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.27" +version = "1.2.49" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d487aa071b5f64da6f19a3e848e3578944b726ee5a4854b82172f02aa876bfdc" +checksum = "90583009037521a116abf44494efecd645ba48b6622457080f080b85544e2215" dependencies = [ + "find-msvc-tools", "jobserver", "libc", "shlex", @@ -1250,9 +1251,9 @@ dependencies = [ [[package]] name = "cmake" -version = "0.1.54" +version = "0.1.56" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7caa3f9de89ddbe2c607f4101924c5abec803763ae9534e4f4d7d8f84aa81f0" +checksum = "b042e5d8a74ae91bb0961acd039822472ec99f8ab0948cbf6d1369588f8be586" dependencies = [ "cc", ] @@ -1740,6 +1741,7 @@ dependencies = [ "reqwest", "serde", "serde_json", + "sha2", "strum", "thiserror 2.0.12", "time", @@ -1799,9 +1801,11 @@ dependencies = [ "hex", "num-bigint-dig", "openssl", + "p256", "rust-ini", "serde", "serde_json", + "sha2", "thiserror 2.0.12", "uuid", "x509-parser", @@ -2662,6 +2666,12 @@ version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" +[[package]] +name = "find-msvc-tools" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a3076410a55c90011c298b04d0cfa770b00fa04e1e3c97d3f6c9de105a03844" + [[package]] name = "flagset" version = "0.4.7" @@ -4684,7 +4694,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8a56d757972c98b346a9b766e3f02746cde6dd1cd1d1d563472929fdd74bec4d" dependencies = [ "anyhow", - "itertools 0.10.5", + "itertools 0.13.0", "proc-macro2", "quote", "syn", 
@@ -6902,7 +6912,7 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] [[package]]
diff --git a/crate/cli/src/tests/kms/attributes/get.rs b/crate/cli/src/tests/kms/attributes/get.rs
index 48a90329..224bd93a 100644
--- a/crate/cli/src/tests/kms/attributes/get.rs
+++ b/crate/cli/src/tests/kms/attributes/get.rs
@@ -1,6 +1,7 @@
 use std::{collections::HashMap, process::Command};
 use assert_cmd::cargo::CommandCargoExt;
+use clap::ValueEnum;
 use cosmian_kms_cli::reexport::cosmian_kms_client::{
 kmip_2_1::kmip_types::Tag, reexport::cosmian_kms_client_utils::attributes_utils::CLinkType,
 };
@@ -46,7 +47,12 @@ pub(crate) fn get_attributes(
 for link_type in attribute_link_types {
 args.push("--link-type".to_owned());
- args.push(link_type.to_string());
+ let name = link_type
+ .to_possible_value()
+ .expect("valid CLinkType")
+ .get_name()
+ .to_string();
+ args.push(name);
 }
 let mut cmd = Command::cargo_bin(PROG_NAME)?;
diff --git a/crate/cli/src/tests/kms/certificates/certify.rs b/crate/cli/src/tests/kms/certificates/certify.rs
index bfb74325..6ece1f0a 100644
--- a/crate/cli/src/tests/kms/certificates/certify.rs
+++ b/crate/cli/src/tests/kms/certificates/certify.rs
@@ -1,6 +1,7 @@
 use std::{path::PathBuf, process::Command};
 use assert_cmd::cargo::CommandCargoExt;
+use clap::ValueEnum;
 use cosmian_kms_cli::reexport::cosmian_kms_client::{
 cosmian_kmip::{
 kmip_2_1::{kmip_objects::Object, kmip_types::LinkType},
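Review bot: Replacing `link_type.to_string()` with the `to_possible_value().expect(..).get_name().to_string()` chain is the right way to get clap's value name, but the same five-line chain is now pasted into seven test helpers with differing expect messages (here, certificates/certify.rs, derive_key/derive_key_tests.rs, rsa/encrypt_decrypt.rs twice, shared/export.rs, symmetric/create_key.rs). A one-line helper next to recover_cmd_logs in tests::kms::utils would keep them in step, e.g. `pub(crate) fn cli_value_name<T: clap::ValueEnum>(v: &T) -> String { v.to_possible_value().expect("variant is not skipped").get_name().to_owned() }`, after which each call site shrinks to a single push. The expect is justified because `to_possible_value()` only returns `None` for `#[value(skip)]` variants, which these enums presumably do not use. get_attributes itself starts outside the hunk.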
@@ -91,7 +92,12 @@ pub(crate) fn certify(cli_conf_path: &str, certify_op: CertifyOp) -> CosmianResu
 }
 if let Some(algorithm) = certify_op.algorithm {
 args.push("--algorithm".to_owned());
- args.push(algorithm.to_string());
+ let name = algorithm
+ .to_possible_value()
+ .expect("valid Algorithm")
+ .get_name()
+ .to_string();
+ args.push(name);
 }
 if let Some(certificate_id) = certify_op.certificate_id {
 args.push("--certificate-id".to_owned());
diff --git a/crate/cli/src/tests/kms/derive_key/derive_key_tests.rs b/crate/cli/src/tests/kms/derive_key/derive_key_tests.rs
index 1e384888..d484ff05 100644
--- a/crate/cli/src/tests/kms/derive_key/derive_key_tests.rs
+++ b/crate/cli/src/tests/kms/derive_key/derive_key_tests.rs
@@ -1,6 +1,7 @@
 use std::process::Command;
 use assert_cmd::prelude::*;
+use clap::ValueEnum;
 use cosmian_kms_cli::{
 actions::kms::{
 derive_key::DeriveKeyAction, mac::CHashingAlgorithm,
@@ -43,7 +44,12 @@ pub(crate) fn derive_key(cli_conf_path: &str, action: DeriveKeyAction) -> Cosmia
 let mut args: Vec = vec![
 // Algorithm and length are explicit to avoid relying on defaults
 "--algorithm".to_owned(),
- action.algorithm.to_string(),
+ action
+ .algorithm
+ .to_possible_value()
+ .expect("possible value")
+ .get_name()
+ .to_string(),
 "--length".to_owned(),
 action.cryptographic_length.to_string(),
 "--derivation-method".to_owned(),
diff --git a/crate/cli/src/tests/kms/elliptic_curve/mod.rs b/crate/cli/src/tests/kms/elliptic_curve/mod.rs
index 0043c504..566a0956 100644
--- a/crate/cli/src/tests/kms/elliptic_curve/mod.rs
+++ b/crate/cli/src/tests/kms/elliptic_curve/mod.rs
@@ -2,6 +2,7 @@ pub(crate) mod create_key_pair;
 #[cfg(feature = "non-fips")]
 pub(crate) mod encrypt_decrypt;
+pub(crate) mod sign_verify;
 #[cfg(feature = "non-fips")]
 pub(crate) const SUB_COMMAND: &str = "ec";
diff --git a/crate/cli/src/tests/kms/elliptic_curve/sign_verify.rs b/crate/cli/src/tests/kms/elliptic_curve/sign_verify.rs
new file mode 100644
index 00000000..7af83f86
--- /dev/null
+++ b/crate/cli/src/tests/kms/elliptic_curve/sign_verify.rs 
@@ -0,0 +1,125 @@
+use std::{fs, path::PathBuf, process::Command};
+
+use assert_cmd::prelude::*;
+use tempfile::TempDir;
+use test_kms_server::start_default_test_kms_server;
+
+use super::SUB_COMMAND;
+use crate::{
+ config::COSMIAN_CLI_CONF_ENV,
+ error::{CosmianError, result::CosmianResult},
+ tests::{
+ PROG_NAME,
+ kms::{
+ KMS_SUBCOMMAND, elliptic_curve::create_key_pair::create_ec_key_pair,
+ utils::recover_cmd_logs,
+ },
+ save_kms_cli_config,
+ },
+};
+
+/// Sign a file using EC keys via CLI
+fn ec_sign(
+ cli_conf_path: &str,
+ input_file: &str,
+ key_id: &str,
+ output_file: Option<&str>,
+ digested: bool,
+) -> CosmianResult<()> {
+ let mut cmd = Command::cargo_bin(PROG_NAME)?;
+ cmd.env(COSMIAN_CLI_CONF_ENV, cli_conf_path);
+
+ let mut args = vec!["sign", input_file, "--key-id", key_id];
+ if digested {
+ args.push("--digested");
+ }
+ if let Some(output_file) = output_file {
+ args.push("-o");
+ args.push(output_file);
+ }
+
+ cmd.arg(KMS_SUBCOMMAND).arg(SUB_COMMAND).args(args);
+ let output = recover_cmd_logs(&mut cmd);
+ if output.status.success() {
+ let stdout = std::str::from_utf8(&output.stdout)?;
+ assert!(stdout.contains("Signature written to"));
+ return Ok(());
+ }
+
+ Err(CosmianError::Default(
+ std::str::from_utf8(&output.stderr)?.to_owned(),
+ ))
+}
+
+/// Verify a signature using EC keys via CLI
+fn ec_sign_verify(
+ cli_conf_path: &str,
+ data_file: &str,
+ signature_file: &str,
+ key_id: &str,
+ digested: bool,
+) -> CosmianResult<()> {
+ let mut cmd = Command::cargo_bin(PROG_NAME)?;
+ cmd.env(COSMIAN_CLI_CONF_ENV, cli_conf_path);
+
+ let mut args = vec!["sign-verify", data_file, signature_file, "--key-id", key_id];
+ if digested {
+ args.push("--digested");
+ }
+
+ cmd.arg(KMS_SUBCOMMAND).arg(SUB_COMMAND).args(args);
+ let output = recover_cmd_logs(&mut cmd);
+ if output.status.success() {
+ let stdout = std::str::from_utf8(&output.stdout)?;
+ assert!(stdout.contains("Signature verification is Valid"));
+ return Ok(());
+ }
+
+ Err(CosmianError::Default(
+ std::str::from_utf8(&output.stderr)?.to_owned(),
+ ))
+}
+
+#[tokio::test]
+async fn ecdsa_digested_sign_verify_cli() -> CosmianResult<()> {
+ let ctx = start_default_test_kms_server().await;
+ let (owner_client_conf_path, _) = save_kms_cli_config(ctx);
+
+ // create a temp dir
+ let tmp_dir = TempDir::new()?;
+ let tmp_path = tmp_dir.path();
+
+ let input_file = PathBuf::from("../../test_data/plain.txt");
+ let digest_file = tmp_path.join("plain.sha256");
+ let sig_file = tmp_path.join("plain.sha256.ec.sig");
+
+ // compute SHA-256 digest of input and write to digest_file
+ let data = std::fs::read(&input_file)?;
+ let digest = openssl::sha::sha256(&data);
+ std::fs::write(&digest_file, digest)?;
+
+ let (private_key_id, public_key_id) =
+ create_ec_key_pair(&owner_client_conf_path, "nist-p256", &[], false)?;
+
+ // Sign digested input
+ fs::remove_file(&sig_file).ok();
+ ec_sign(
+ &owner_client_conf_path,
+ digest_file.to_str().unwrap(),
+ &private_key_id,
+ Some(sig_file.to_str().unwrap()),
+ true,
+ )?;
+ assert!(sig_file.exists());
+
+ // Verify digested input
+ ec_sign_verify(
+ &owner_client_conf_path,
+ digest_file.to_str().unwrap(),
+ sig_file.to_str().unwrap(),
+ &public_key_id,
+ true,
+ )?;
+
+ Ok(())
+}
diff --git a/crate/cli/src/tests/kms/rsa/encrypt_decrypt.rs b/crate/cli/src/tests/kms/rsa/encrypt_decrypt.rs
index 8020b104..f16a6eb6 100644
--- a/crate/cli/src/tests/kms/rsa/encrypt_decrypt.rs
+++ b/crate/cli/src/tests/kms/rsa/encrypt_decrypt.rs
@@ -1,6 +1,7 @@
 use std::{collections::HashSet, fs, path::PathBuf, process::Command};
 use assert_cmd::prelude::*;
+use clap::ValueEnum;
 use cosmian_kms_cli::reexport::cosmian_kms_client::{
 read_bytes_from_file,
 reexport::cosmian_kms_client_utils::rsa_utils::{HashFn, RsaEncryptionAlgorithm},
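Review bot: ecdsa_digested_sign_verify_cli only asserts the success path, so a verifier that prints `Signature verification is Valid` for any input would pass; there is no tampered-data or wrong-key case. After the successful ec_sign_verify call, flip one byte of the digest, write it to a second file and assert that ec_sign_verify against the same signature file returns Err (the helper already maps a non-zero exit status to `CosmianError::Default`). The same gap is in rsa_digested_sign_verify_cli in crate/cli/src/tests/kms/rsa/sign_verify.rs. Two smaller points: the test uses `std::fs::read`/`std::fs::write` although `fs` is imported and used for `fs::remove_file`, and the `digested: false` path of both helpers is never exercised.
```rust
    // Verify digested input
    // … unchanged: ec_sign_verify call with the original digest …

    // Negative check: one flipped digest byte must not verify against the same signature
    let tampered_file = tmp_path.join("plain.tampered.sha256");
    let mut tampered = digest.to_vec();
    tampered[0] ^= 0x01;
    fs::write(&tampered_file, &tampered)?;
    assert!(
        ec_sign_verify(
            &owner_client_conf_path,
            tampered_file.to_str().unwrap(),
            sig_file.to_str().unwrap(),
            &public_key_id,
            true,
        )
        .is_err(),
        "verification must fail on tampered data"
    );

    Ok(())
```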
@@ -43,9 +44,20 @@ pub(crate) fn encrypt(
 args.push("--key-id");
 args.push(public_key_id);
 args.push("--encryption-algorithm");
- let encryption_algorithm = encryption_algorithm.to_string();
+ let encryption_algorithm = encryption_algorithm
+ .to_possible_value()
+ .expect("valid RSA algorithm")
+ .get_name()
+ .to_string();
 args.push(&encryption_algorithm);
- let hash_fn_s = hash_fn.map(|h| h.to_string()).unwrap_or_default();
+ let hash_fn_s = hash_fn
+ .map(|h| {
+ h.to_possible_value()
+ .expect("valid hash")
+ .get_name()
+ .to_string()
+ })
+ .unwrap_or_default();
 if hash_fn.is_some() {
 args.push("--hashing-algorithm");
 args.push(&hash_fn_s);
@@ -81,9 +93,20 @@ pub(crate) fn decrypt(
 let mut args = vec!["decrypt", input_file, "--key-id", private_key_id];
 args.push("--encryption-algorithm");
- let encryption_algorithm = encryption_algorithm.to_string();
+ let encryption_algorithm = encryption_algorithm
+ .to_possible_value()
+ .expect("valid RSA algorithm")
+ .get_name()
+ .to_string();
 args.push(&encryption_algorithm);
- let hash_fn_str = hash_fn.map(|h| h.to_string()).unwrap_or_default();
+ let hash_fn_str = hash_fn
+ .map(|h| {
+ h.to_possible_value()
+ .expect("valid hash")
+ .get_name()
+ .to_string()
+ })
+ .unwrap_or_default();
 if hash_fn.is_some() {
 args.push("--hashing-algorithm");
 args.push(&hash_fn_str);
diff --git a/crate/cli/src/tests/kms/rsa/mod.rs b/crate/cli/src/tests/kms/rsa/mod.rs
index 2bde569c..65fca0bd 100644
--- a/crate/cli/src/tests/kms/rsa/mod.rs
+++ b/crate/cli/src/tests/kms/rsa/mod.rs
@@ -2,6 +2,7 @@ pub(crate) mod create_key_pair;
 #[cfg(feature = "non-fips")]
 pub(crate) mod encrypt_decrypt;
+pub(crate) mod sign_verify;
 #[cfg(feature = "non-fips")]
 pub(crate) const SUB_COMMAND: &str = "rsa";
diff --git a/crate/cli/src/tests/kms/rsa/sign_verify.rs b/crate/cli/src/tests/kms/rsa/sign_verify.rs
new file mode 100644
index 00000000..4c9edc84
--- /dev/null
+++ b/crate/cli/src/tests/kms/rsa/sign_verify.rs
@@ -0,0 +1,126 @@
+use std::{fs, path::PathBuf, process::Command};
+
+use assert_cmd::prelude::*;
+use tempfile::TempDir;
+use test_kms_server::start_default_test_kms_server;
+
+use super::SUB_COMMAND;
+use crate::{
+ config::COSMIAN_CLI_CONF_ENV,
+ error::{CosmianError, result::CosmianResult},
+ tests::{
+ PROG_NAME,
+ kms::{
+ KMS_SUBCOMMAND,
+ rsa::create_key_pair::{RsaKeyPairOptions, create_rsa_key_pair},
+ utils::recover_cmd_logs,
+ },
+ save_kms_cli_config,
+ },
+};
+
+/// Sign a file using RSA keys via CLI
+fn rsa_sign(
+ cli_conf_path: &str,
+ input_file: &str,
+ key_id: &str,
+ output_file: Option<&str>,
+ digested: bool,
+) -> CosmianResult<()> {
+ let mut cmd = Command::cargo_bin(PROG_NAME)?;
+ cmd.env(COSMIAN_CLI_CONF_ENV, cli_conf_path);
+
+ let mut args = vec!["sign", input_file, "--key-id", key_id];
+ if digested {
+ args.push("--digested");
+ }
+ if let Some(output_file) = output_file {
+ args.push("-o");
+ args.push(output_file);
+ }
+
+ cmd.arg(KMS_SUBCOMMAND).arg(SUB_COMMAND).args(args);
+ let output = recover_cmd_logs(&mut cmd);
+ if output.status.success() {
+ let stdout = std::str::from_utf8(&output.stdout)?;
+ assert!(stdout.contains("Signature written to"));
+ return Ok(());
+ }
+
+ Err(CosmianError::Default(
+ std::str::from_utf8(&output.stderr)?.to_owned(),
+ ))
+}
+
+/// Verify a signature using RSA keys via CLI
+fn rsa_sign_verify(
+ cli_conf_path: &str,
+ data_file: &str,
+ signature_file: &str,
+ key_id: &str,
+ digested: bool,
+) -> CosmianResult<()> {
+ let mut cmd = Command::cargo_bin(PROG_NAME)?;
+ cmd.env(COSMIAN_CLI_CONF_ENV, cli_conf_path);
+
+ let mut args = vec!["sign-verify", data_file, signature_file, "--key-id", key_id];
+ if digested {
+ args.push("--digested");
+ }
+
+ cmd.arg(KMS_SUBCOMMAND).arg(SUB_COMMAND).args(args);
+ let output = recover_cmd_logs(&mut cmd);
+ if output.status.success() {
+ let stdout = std::str::from_utf8(&output.stdout)?;
+ assert!(stdout.contains("Signature verification is Valid"));
+ return Ok(());
+ }
+
+ Err(CosmianError::Default(
+ std::str::from_utf8(&output.stderr)?.to_owned(),
+ ))
+}
+
+#[tokio::test]
+async fn rsa_digested_sign_verify_cli() -> CosmianResult<()> {
+ let ctx = start_default_test_kms_server().await;
+ let (owner_client_conf_path, _) = save_kms_cli_config(ctx);
+
+ // create a temp dir
+ let tmp_dir = TempDir::new()?;
+ let tmp_path = tmp_dir.path();
+
+ let input_file = PathBuf::from("../../test_data/plain.txt");
+ let digest_file = tmp_path.join("plain.sha256");
+ let sig_file = tmp_path.join("plain.sha256.rs.sig");
+
+ // compute SHA-256 digest of input and write to digest_file
+ let data = std::fs::read(&input_file)?;
+ let digest = openssl::sha::sha256(&data);
+ std::fs::write(&digest_file, digest)?;
+
+ let (private_key_id, public_key_id) =
+ create_rsa_key_pair(&owner_client_conf_path, &RsaKeyPairOptions::default())?;
+
+ // Sign digested input
+ fs::remove_file(&sig_file).ok();
+ rsa_sign(
+ &owner_client_conf_path,
+ digest_file.to_str().unwrap(),
+ &private_key_id,
+ Some(sig_file.to_str().unwrap()),
+ true,
+ )?;
+ assert!(sig_file.exists());
+
+ // Verify digested input
+ rsa_sign_verify(
+ &owner_client_conf_path,
+ digest_file.to_str().unwrap(),
+ sig_file.to_str().unwrap(),
+ &public_key_id,
+ true,
+ )?;
+
+ Ok(())
+}
diff --git a/crate/cli/src/tests/kms/shared/export.rs b/crate/cli/src/tests/kms/shared/export.rs
index 90f0c27e..d55beed4 100644
--- a/crate/cli/src/tests/kms/shared/export.rs
+++ b/crate/cli/src/tests/kms/shared/export.rs
@@ -3,6 +3,7 @@ use std::path::Path;
 use std::process::Command;
 use assert_cmd::prelude::*;
+use clap::ValueEnum;
 #[cfg(feature = "non-fips")]
 use cosmian_kms_cli::reexport::cosmian_kms_client::{
 kmip_0::kmip_types::BlockCipherMode,
@@ -102,7 +103,12 @@ pub(crate) fn export_key(params: ExportKeyParams) -> CosmianResult<()> {
 }
 if let Some(wrapping_algorithm) = ¶ms.wrapping_algorithm {
 args.push("--wrapping-algorithm".to_owned());
- args.push(wrapping_algorithm.to_string());
+ let name = wrapping_algorithm
+ .to_possible_value()
+ .expect("valid wrapping algorithm")
+ .get_name()
+ .to_string();
+ args.push(name);
 }
 let mut cmd = Command::cargo_bin(PROG_NAME)?;
diff --git a/crate/cli/src/tests/kms/shared/export_import.rs b/crate/cli/src/tests/kms/shared/export_import.rs
index 3f79803b..4fa46b2b 100644
--- a/crate/cli/src/tests/kms/shared/export_import.rs
+++ b/crate/cli/src/tests/kms/shared/export_import.rs
@@ -39,7 +39,7 @@ pub(crate) async fn test_wrap_on_export_unwrap_on_import() -> CosmianResult<()>
 // Export and import the key with different block cipher modes
 for wrapping_algorithm in [WrappingAlgorithm::AesGCM, WrappingAlgorithm::NistKeyWrap] {
- debug!("wrapping algorithm: {wrapping_algorithm}",);
+ debug!("wrapping algorithm: {:?}", wrapping_algorithm);
 export_key(ExportKeyParams {
 cli_conf_path: user_client_conf_path.clone(),
 sub_command: "sym".to_owned(),
diff --git a/crate/cli/src/tests/kms/shared/locate.rs b/crate/cli/src/tests/kms/shared/locate.rs
index 3df7be81..8d767d27 100644
--- a/crate/cli/src/tests/kms/shared/locate.rs
+++ b/crate/cli/src/tests/kms/shared/locate.rs
@@ -103,8 +103,7 @@ pub(crate) async fn test_locate_cover_crypt() -> CosmianResult<()> {
 assert!(ids.contains(&master_private_key_id));
 assert!(ids.contains(&master_public_key_id));
- // Locate with cryptographic algorithm
- // this should be case insensitive
+ // Locate with cryptographic algorithm (CLI expects lowercase names)
 let ids = locate(
 &owner_client_conf_path,
 Some(&["test_cc"]),
@@ -345,7 +344,7 @@ pub(crate) async fn test_locate_symmetric_key() -> CosmianResult<()> {
 let ids = locate(
 &owner_client_conf_path,
 Some(&["test_sym"]),
- Some("Aes"),
+ Some("aes"),
 None,
 None,
 )?;
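Review bot: The new comment `// Locate with cryptographic algorithm (CLI expects lowercase names)` turns the old expectation ("this should be case insensitive") into a constraint, but nothing in the visible hunks shows where the constraint comes from or pins it; the `Aes`→`aes` and `AES`→`aes` edits in the next two hunks of this file merely stop exercising mixed case. If lowercase is now the only accepted spelling (presumably the algorithm is parsed as a clap `ValueEnum`, as the `to_possible_value()` changes elsewhere in this diff suggest), say so and keep one negative check, e.g. `// The algorithm is parsed as a clap ValueEnum: only the lowercase variant name ("aes") is accepted` followed by a single `locate(&owner_client_conf_path, Some(&["test_sym"]), Some("AES"), None, None)` call asserted with `.is_err()`. test_locate_cover_crypt and test_locate_symmetric_key both start outside these hunks.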
@@ -363,11 +362,11 @@ pub(crate) async fn test_locate_symmetric_key() -> CosmianResult<()> {
 assert_eq!(ids.len(), 1);
 assert!(ids.contains(&key_id));
- //locate using tags and cryptographic algorithm and key format type
+ // locate using tags and cryptographic algorithm and key format type
 let ids = locate(
 &owner_client_conf_path,
 Some(&["test_sym"]),
- Some("AES"),
+ Some("aes"),
 None,
 Some("TransparentSymmetricKey"),
 )?;
diff --git a/crate/cli/src/tests/kms/symmetric/create_key.rs b/crate/cli/src/tests/kms/symmetric/create_key.rs
index 9584229b..843ae25f 100644
--- a/crate/cli/src/tests/kms/symmetric/create_key.rs
+++ b/crate/cli/src/tests/kms/symmetric/create_key.rs
@@ -2,6 +2,7 @@ use std::process::Command;
 use assert_cmd::prelude::*;
 use base64::{Engine as _, engine::general_purpose};
+use clap::ValueEnum;
 use cosmian_kms_cli::{
 actions::kms::symmetric::keys::create_key::CreateKeyAction,
 reexport::{
@@ -45,7 +46,15 @@ pub(crate) fn create_symmetric_key(
 if let Some(wrap_key_b64) = action.wrap_key_b64.clone() {
 args.extend(vec!["--bytes-b64".to_owned(), wrap_key_b64]);
 }
- args.extend(vec!["--algorithm".to_owned(), action.algorithm.to_string()]);
+ args.extend(vec![
+ "--algorithm".to_owned(),
+ action
+ .algorithm
+ .to_possible_value()
+ .expect("possible value")
+ .get_name()
+ .to_string(),
+ ]);
 // add tags
 for tag in action.tags {
diff --git a/documentation/docs/cli/main_commands.md b/documentation/docs/cli/main_commands.md
index 2e78ad92..54a9c634 100644
--- a/documentation/docs/cli/main_commands.md
+++ b/documentation/docs/cli/main_commands.md
@@ -1273,6 +1273,10 @@ Manage elliptic curve keys. Encrypt and decrypt data using ECIES **`decrypt`** [[1.8.3]](#183-cosmian-kms-ec-decrypt) Decrypts a file with the given private key using ECIES +**`sign`** [[1.8.4]](#184-cosmian-kms-ec-sign) Sign a file using elliptic curve digital signature algorithms (ECDSA) + +**`sign-verify`** [[1.8.5]](#185-cosmian-kms-ec-sign-verify) Verify an ECDSA signature for a given data file + --- ## 1.8.1 cosmian kms ec keys 
@@ -1563,6 +1567,69 @@ Decrypts a file with the given private key using ECIES +--- + +## 1.8.4 cosmian kms ec sign + +Sign a file using elliptic curve digital signature algorithms (ECDSA) + +### Usage +`cosmian kms ec sign [options] +` +### Arguments +`--curve [-c] ` The elliptic curve + +Possible values: `"nist-p192", "nist-p224", "nist-p256", "nist-p384", "nist-p521", "x25519", "ed25519", "x448", "ed448", "secp256k1", "secp224k1"` [default: `"nist-p256"`] + +` ` The file to sign + +`--key-id [-k] ` The private key unique identifier If not specified, tags should be specified + +`--tag [-t] ` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times + +`--signature-algorithm [-s] ` The signature algorithm + +Possible values: `"ecdsa-with-sha256", "ecdsa-with-sha384", "ecdsa-with-sha512"` [default: `"ecdsa-with-sha256"`] + +`--output-file [-o] ` The signature output file path + +`--digested ` Treat input as already-digested data (pre-hash) + +Possible values: `"true", "false"` + + + +--- + +## 1.8.5 cosmian kms ec sign-verify + +Verify an ECDSA signature for a given data file + +### Usage +`cosmian kms ec sign-verify [options] + +` +### Arguments +` ` The data that was signed + +` ` The signature file + +`--key-id [-k] ` The private key unique identifier If not specified, tags should be specified + +`--tag [-t] ` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times + +`--signature-algorithm [-s] ` The signature algorithm + +Possible values: `"ecdsa-with-sha256", "ecdsa-with-sha384", "ecdsa-with-sha512"` [default: `"ecdsa-with-sha256"`] + +`--output-file [-o] ` Optional output file path + +`--digested ` Treat data input as already-digested (pre-hash) + +Possible values: `"true", "false"` + + + --- 
@@ -2097,6 +2164,10 @@ Manage RSA keys. Encrypt and decrypt data using RSA keys - `CKM_RSA_PKCS_OAEP` a.k.a PKCS #1 RSA OAEP as specified in PKCS#11 v2.40 - `CKM_RSA_AES_KEY_WRAP` as specified in PKCS#11 v2.40 +**`sign`** [[1.18.4]](#1184-cosmian-kms-rsa-sign) Digital signature supported is RSASSA-PSS + +**`sign-verify`** [[1.18.5]](#1185-cosmian-kms-rsa-sign-verify) Verify an RSASSA-PSS signature for a given data file + --- ## 1.18.1 cosmian kms rsa keys @@ -2409,6 +2480,65 @@ Possible values: `"sha1", "sha224", "sha256", "sha384", "sha512", "sha3-224", " +--- + +## 1.18.4 cosmian kms rsa sign + +Digital signature supported is RSASSA-PSS + +### Usage +`cosmian kms rsa sign [options] +` +### Arguments +` ` The file to sign + +`--key-id [-k] ` The private key unique identifier If not specified, tags should be specified + +`--tag [-t] ` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times + +`--signature-algorithm [-s] ` The signature algorithm + +Possible values: `"rsassapss"` [default: `"rsassapss"`] + +`--output-file [-o] ` The signature output file path + +`--digested ` Treat input as already-digested data (pre-hash) + +Possible values: `"true", "false"` + + + +--- + +## 1.18.5 cosmian kms rsa sign-verify + +Verify an RSASSA-PSS signature for a given data file + +### Usage +`cosmian kms rsa sign-verify [options] + +` +### Arguments +` ` The data that was signed + +` ` The signature file + +`--key-id [-k] ` The private key unique identifier If not specified, tags should be specified + +`--tag [-t] ` Tag to use to retrieve the key when no key id is specified. To specify multiple tags, use the option multiple times + +`--signature-algorithm [-s] ` The signature algorithm + +Possible values: `"rsassapss"` [default: `"rsassapss"`] + +`--output-file [-o] ` Optional output file path + +`--digested ` Treat data input as already-digested (pre-hash) + +Possible values: `"true", "false"` + + + --- 
diff --git a/kms b/kms
index e8545ebd..dc5585d7 160000
--- a/kms
+++ b/kms
@@ -1 +1 @@
-Subproject commit e8545ebd4d9564a934d60ac590090368579debab
+Subproject commit dc5585d7b559a161ac42ae3fa0ee70f73532cf5d