feat: Replace old Policy rotation functions with master keys functi…

…ons `rekey` and `prune` (#64) * feat: replace old `rotation` functions by `rekey` and `prune` * feat: replace old `rotation` functions in FFI and WASM * ci: update cloudproof and kms deps * test: use new policy bytes in wasm test * ci: update covercrypt branch * ci: update cloudproof python branch * test: check ffi policy creation respect ordered dimension * ci: fix pyo3 windows build * ci: update kms branch * ci: update cloudproof-kms-js branch * ci: update kms url * ci: update client repos * fix: convert input to CString before calling FFI tests (cherry picked from commit fd1ad5fd8e9f95e024c53ebede81454d84676c29) * test: fix pyo3 test to prevent removing the last attribute of a dimension * ci: update flutter branch * chore: update CoverCrypt to version `14.0.0` * ci: update KMS to `4.13.0` * fix: update FFI docstring --------- Co-authored-by: Manuthor <[email protected]>
Cosmian · Mar 12, 2024 · 4c43dc9 · 4c43dc9
1 parent 700c9c4
commit 4c43dc9
Show file tree

Hide file tree

Showing 20 changed files with 391 additions and 392 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,12 +13,12 @@ jobs:
     with:
       project-name: cloudproof_rust
       toolchain: stable
-      kms-version: ghcr.io/cosmian/kms:4.11.3
+      kms-version: ghcr.io/cosmian/kms:4.13.0
       findex-cloud-version: 0.3.1
-      branch-java: develop
-      branch-js: develop
+      branch-java: feature/covercrypt_rekey
+      branch-js: feature/covercrypt_rekey
       branch-kms-js: develop
-      branch-flutter: develop
-      branch-python: develop
+      branch-flutter: feature/covercrypt_rekey
+      branch-python: feature/covercrypt-rekey
       exclusions: --exclude=cloudproof_findex
     secrets: inherit
diff --git a/Cargo.toml b/Cargo.toml
@@ -13,13 +13,13 @@ members = [
 resolver = "1"
 
 [workspace.dependencies]
-async-trait = "0.1.74"
-base64 = "0.21.5"
+async-trait = "0.1.77"
+base64 = "0.21.7"
 cosmian_crypto_core = { version = "9.3.0", default-features = false }
 cosmian_ffi_utils = "0.1.3"
 hex = "0.4.3"
 js-sys = "0.3"
-pyo3 = { version = "0.20.0", features = [
+pyo3 = { version = "0.20.3", features = [
   "extension-module",
   "abi3",
   "abi3-py37",
@@ -28,10 +28,10 @@ pyo3 = { version = "0.20.0", features = [
 rand = "0.8"
 thiserror = "1.0"
 tracing = "0.1"
-tracing-log = "0.1"
+tracing-log = "0.2"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
-tracing-tree = "0.2"
-wasm-bindgen = "0.2.89"
+tracing-tree = "0.3"
+wasm-bindgen = "0.2.91"
 
 [profile.release]
 lto = true

diff --git a/crates/aesgcm/Cargo.toml b/crates/aesgcm/Cargo.toml
@@ -28,4 +28,4 @@ pyo3 = { workspace = true, optional = true }
 wasm-bindgen = { workspace = true, optional = true }
 
 [dev-dependencies]
-wasm-bindgen-test = "0.3.39"
+wasm-bindgen-test = "0.3.41"
diff --git a/crates/aesgcm/pyproject.toml b/crates/aesgcm/pyproject.toml
@@ -1,5 +1,5 @@
 [build-system]
-requires = ["maturin>=0.13,<0.15"]
+requires = ["maturin>=1.0,<2.0"]
 build-backend = "maturin"
 
 [tool.maturin]

diff --git a/crates/anonymization/Cargo.toml b/crates/anonymization/Cargo.toml
@@ -43,4 +43,4 @@ wasm-bindgen = { workspace = true, optional = true }
 
 [dev-dependencies]
 approx = "0.5.1"
-wasm-bindgen-test = "0.3.39"
+wasm-bindgen-test = "0.3.41"
diff --git a/crates/cloudproof/Cargo.toml b/crates/cloudproof/Cargo.toml
@@ -44,7 +44,7 @@ ffi = [
 # Watchout: for convenience in development mode, we can set one of those following dependencies such as:
 # cloudproof_aesgcm = { path = "../aesgcm", optional = true }
 # cloudproof_anonymization = { path = "../anonymization", optional = true }
-# cloudproof_cover_crypt = { path = "../cover_crypt", optional = true }
+cloudproof_cover_crypt = { path = "../cover_crypt", optional = true }
 # cloudproof_ecies = { path = "../ecies", optional = true }
 cloudproof_findex = { path = "../findex", optional = true }
 # cloudproof_fpe = { path = "../fpe", optional = true }
@@ -54,7 +54,7 @@ cloudproof_findex = { path = "../findex", optional = true }
 ######
 cloudproof_aesgcm = { version = "0.1.3", optional = true }
 cloudproof_anonymization = { version = "0.1.2", optional = true }
-cloudproof_cover_crypt = { version = "13.0.1", optional = true }
+# cloudproof_cover_crypt = { version = "13.0.1", optional = true }
 cloudproof_ecies = { version = "0.1.3", optional = true }
 # cloudproof_findex = { version = "6.0.1", optional = true }
 cloudproof_fpe = { version = "0.2.2", optional = true }

diff --git a/crates/cloudproof/src/lib.rs b/crates/cloudproof/src/lib.rs
@@ -15,7 +15,7 @@ pub use cloudproof_fpe::ffi as fpe_ffi;
 
 // re-export of CoverCrypt and Crypto Core
 // so that projects that use their low level functionalities
-// do  not have to depend on them directly, avoiding version conflicts.
+// do not have to depend on them directly, avoiding version conflicts.
 #[cfg(feature = "default")]
 pub mod reexport {
     pub use cloudproof_anonymization as anonymization;

diff --git a/crates/cover_crypt/Cargo.toml b/crates/cover_crypt/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cloudproof_cover_crypt"
-version = "13.0.1"
+version = "14.0.0"
 authors = ["Théophile Brézot<[email protected]>"]
 edition = "2021"
 license-file = "../../LICENSE.md"
@@ -19,9 +19,9 @@ python = ["pyo3"]
 wasm = ["js-sys", "wasm-bindgen"]
 
 [dependencies]
-cosmian_cover_crypt = { version = "13.0.0", features = ["serialization"] }
+cosmian_cover_crypt = { version = "14.0", features = ["serialization"] }
 cosmian_crypto_core = { workspace = true }
-serde_json = "1.0.108"
+serde_json = "1.0"
 
 # Optional dependencies
 cosmian_ffi_utils = { workspace = true, optional = true }
@@ -31,5 +31,5 @@ pyo3 = { workspace = true, optional = true }
 wasm-bindgen = { workspace = true, optional = true }
 
 [dev-dependencies]
-cosmian_cover_crypt = { version = "13.0.0", features = ["test_utils"] }
-wasm-bindgen-test = "0.3.39"
+cosmian_cover_crypt = { version = "14.0", features = ["test_utils"] }
+wasm-bindgen-test = "0.3.41"
diff --git a/crates/cover_crypt/python/cloudproof_cover_crypt/__init__.pyi b/crates/cover_crypt/python/cloudproof_cover_crypt/__init__.pyi
@@ -142,18 +142,7 @@ class Policy:
 
         Args:
             attribute (Attribute)
-        """
-    def rotate(self, attribute: Attribute) -> None:
-        """Rotates an attribute, changing its underlying value with a new value.
-
-        Args:
-            attribute (Attribute)
-        """
-    def clear_old_attribute_values(self, attribute: Attribute) -> None:
-        """Removes old attribute values of an attribute
-
-        Args:
-            attribute (Attribute)
+            new_name (str)
         """
     def attributes(self) -> List[Attribute]:
         """Returns the list of Attributes of this Policy.
@@ -300,6 +289,33 @@ class CoverCrypt:
             msk (MasterSecretKey): master secret key
             pk (MasterPublicKey): master public key
         """
+    def rekey_master_keys(
+        self,
+        access_policy_str: str,
+        policy: Policy,
+        msk: MasterSecretKey,
+        mpk: MasterPublicKey,
+    ):
+        """Generate new keys associated to the given access policy in the master keys.
+        User keys will need to be refreshed after this step.
+
+        Args:
+            access_policy_str (str): describe the keys to renew
+            policy (Policy): global policy
+            msk (MasterSecretKey): master secret key
+            mpk (MasterPublicKey): master public key
+        """
+    def prune_master_secret_key(
+        self, access_policy_str: str, policy: Policy, msk: MasterSecretKey
+    ):
+        """Removes old keys associated to the given master keys from the master keys.
+        This will permanently remove access to old ciphers.
+
+        Args:
+            access_policy_str (str): describe the keys to prune
+            policy (Policy): global policy
+            msk (MasterSecretKey): master secret key
+        """
     def generate_user_secret_key(
         self, msk: MasterSecretKey, access_policy_str: str, policy: Policy
     ) -> UserSecretKey:
@@ -317,20 +333,16 @@ class CoverCrypt:
     def refresh_user_secret_key(
         self,
         usk: UserSecretKey,
-        access_policy_str: str,
         msk: MasterSecretKey,
-        policy: Policy,
         keep_old_accesses: bool,
     ):
-        """Refreshes the user key according to the given master key and access policy.
+        """Refreshes the user key according to the given master key.
         The user key will be granted access to the current partitions, as determined by its access policy.
         If `keep_old_accesses` is set, the user access to rotated partitions will be preserved
 
         Args:
             usk (UserSecretKey): the user key to refresh
-            access_policy_str (str): the access policy of the user key
             msk (MasterSecretKey): master secret key
-            policy (Policy): global policy of the master secret key
             keep_old_accesses (bool): whether access to old partitions (i.e. before rotation) should be kept
         """
     def encrypt_symmetric_block(