Merge branch 'release/v8.0.0'

Author: Hugo Rosenkranz-Costa

.github/workflows/ci.yml

@@ -49,7 +49,7 @@ jobs:
   build_in_docker:
     services:
       kms:
-        image: ghcr.io/cosmian/kms:4.10.0
+        image: ghcr.io/cosmian/kms:4.13.0
         ports:
           - 9998:9998
       findex_cloud:
@@ -161,7 +161,7 @@ jobs:
     with:
       branch: develop
       target: wasm32-unknown-unknown
-      kms-version: 4.10.0
+      kms-version: ghcr.io/cosmian/kms:4.13.0
       findex-cloud-version: 0.3.1
       copy_fresh_build: false
       copy_regression_files: |
@@ -174,7 +174,7 @@ jobs:
     with:
       branch: develop
       target: x86_64-unknown-linux-gnu
-      kms-version: 4.10.0
+      kms-version: ghcr.io/cosmian/kms:4.13.0
       findex-cloud-version: 0.3.1
       copy_fresh_build: false
       copy_regression_files: |
@@ -185,7 +185,7 @@ jobs:
     needs: build_in_docker
     uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_flutter.yml@develop
     with:
-      branch: develop
+      branch: feature/covercrypt_rekey
       target: x86_64-unknown-linux-gnu
       extension: so
       copy_fresh_build: false

.pre-commit-config.yaml

@@ -9,7 +9,7 @@
 exclude: src/test/java/com/cosmian/TestUtils.java|src/test/resources
 repos:
   - repo: https://github.com/compilerla/conventional-pre-commit
-    rev: v2.1.1
+    rev: v3.1.0
     hooks:
       - id: conventional-pre-commit
         stages: [commit-msg]
@@ -23,7 +23,7 @@ repos:
       - id: markdown-toc
 
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.0-alpha.4
+    rev: v4.0.0-alpha.8
     hooks:
       - id: prettier
         stages: [commit]
@@ -32,7 +32,7 @@ repos:
           - markdown
 
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.32.2
+    rev: v0.39.0
     hooks:
       - id: markdownlint-fix
         args: [--disable=MD004, --disable=MD013, --disable=MD024, --disable=MD041]
@@ -44,26 +44,26 @@ repos:
         args: [-q]
 
   - repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
-    rev: 0.2.2
+    rev: 0.2.3
     hooks:
       - id: yamlfmt
         args: [--mapping, '2', --sequence, '4', --offset, '2']
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.13.0
+    rev: typos-v0.10.21
     hooks:
       - id: typos
 
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.3.1
+    rev: v1.5.4
     hooks:
       - id: forbid-crlf
       - id: remove-crlf
       - id: forbid-tabs
       - id: remove-tabs
 
   - repo: https://github.com/sirosen/texthooks
-    rev: 0.4.0
+    rev: 0.6.4
     hooks:
       - id: fix-smartquotes
       - id: fix-ligatures
@@ -77,7 +77,7 @@ repos:
       - id: shellcheck
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-added-large-files
       - id: check-ast
@@ -108,7 +108,7 @@ repos:
       - id: trailing-whitespace
 
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 24.2.0
     hooks:
       - id: black
         # avoid clash with `double-quote-string-fixer`

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file.
 
+## [8.0.0] - 2024-03-13
+
+### Features
+
+- Upgrade to CoverCrypt `14.0.0`:
+  - Support Covercrypt KMS edit policy capability
+  - Replace policy `rotate` with `rekeyMasterKeys`
+
 ## [7.0.0] - 2023-12-11
 
 ### Features

README.md

@@ -1,6 +1,6 @@
 # Cloudproof Java Library
 
-![workflow](https://github.com/Cosmian/cloudproof_java/actions/workflows/maven.yml/badge.svg)
+![workflow](https://github.com/Cosmian/cloudproof_java/actions/workflows/ci.yml/badge.svg)
 
 The Cloudproof Java library provides a Java-friendly API to [Cosmian's Cloudproof Encryption](https://docs.cosmian.com/).
 
@@ -86,26 +86,19 @@ key is half hybridized).
 
 ## Versions Correspondence
 
-This library uses the 2 native libraries CoverCrypt and Findex for performance and safe implementation reasons.
+This library uses [cloudproof_rust](https://github.com/Cosmian/cloudproof_rust) for both CoverCrypt and Findex FFI interface.
 
 This table shows the compatible versions of the various components
 
-| This lib | KMS Server | CoverCrypt | Findex |
-|----------|------------|------------|--------|
-| 3.0.0    | 4.0.1      | 8.0.1      | 1.0.1  |
-| 3.0.2    | 4.0.1      | 8.0.1      | 2.0.0  |
-| 3.0.3    | 4.0.1      | 8.0.2      | 2.0.0  |
-| 4.0.0    | 4.2.0      | 10.0.0     | 2.0.1  |
-| 4.0.1    | 4.2.0      | 10.0.0     | 2.0.1  |
-| 4.1.0    | 4.2.0      | 10.0.0     | 2.1.0  |
-
 From the version 5.0.0, `cloudproof_java` depends on [cloudproof_rust](https://github.com/Cosmian/cloudproof_rust) which wraps the interfaces of `CoverCrypt` and `Findex`.
 
 | This lib | KMS Server | Cloudproof Rust lib |
 |----------|------------|---------------------|
 | 5.0.0    | 4.3.3      | 1.0.0               |
 | 6.0.0    | 4.3.3      | 2.0.1               |
 | 7.0.0    | 4.10.0     | 2.4.0               |
+| 7.1.0    | 4.11.0     | 2.4.0               |
+| 7.2.0    | 4.11.3     | 2.4.0               |
 
 ## Using in Java projects
 

docker-compose.yml

@@ -13,7 +13,7 @@ services:
       - PGDATA=/tmp/postgres2
   kms:
     container_name: kms
-    image: ghcr.io/cosmian/kms:4.10.0
+    image: ghcr.io/cosmian/kms:4.11.3
     ports:
       - 9998:9998
     depends_on:

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.cosmian</groupId>
     <artifactId>cloudproof_java</artifactId>
-    <version>7.0.0</version>
+    <version>8.0.0</version>
 
     <name>cloudproof_java</name>
     <description>The Cloudproof Java Lib secures data repositories in the cloud with attributes-based access control encryption and encrypted search</description>

scripts/get_native_libraries.py

@@ -62,6 +62,6 @@ def download_native_libraries(version: str) -> bool:
 
 
 if __name__ == '__main__':
-    RET = download_native_libraries('v2.4.0')
+    RET = download_native_libraries('v3.0.0')
     if RET is False and getenv('GITHUB_ACTIONS'):
-        download_native_libraries('last_build/fix/rename_findex_traits')
+        download_native_libraries('last_build/feature/covercrypt_rekey')

src/main/java/com/cosmian/jna/covercrypt/ffi/CoverCryptWrapper.java

@@ -141,6 +141,26 @@ int h_hybrid_decrypt(byte[] plaintext,
                          byte[] userDecryptionKeyBuffer,
                          int userDecryptionKeyLength);
 
+    int h_rekey_master_keys(byte[] updatedMsk,
+                            IntByReference updatedMskSize,
+                            byte[] updatedMpk,
+                            IntByReference updatedMpkSize,
+                            byte[] currentMsk,
+                            int currentMskLength,
+                            byte[] currentMpk,
+                            int currentMpkLength,
+                            String accessPolicy,
+                            byte[] policyBytes,
+                            int policyBytesSize);
+
+    int h_prune_master_secret_key(byte[] updatedMsk,
+                                 IntByReference updatedMskSize,
+                                 byte[] currentMsk,
+                                 int currentMskLength,
+                                 String accessPolicy,
+                                 byte[] policyBytes,
+                                 int policyBytesSize);
+
     //
     // Policy APIs
     //
@@ -154,12 +174,6 @@ int h_add_policy_axis(byte[] updatedPolicyBuffer,
                           int currentPolicyBufferSize,
                           String axis);
 
-    int h_rotate_attribute(byte[] updatedPolicyBuffer,
-                           IntByReference updatedPolicyBufferSize,
-                           byte[] currentPolicyBuffer,
-                           int currentPolicyBufferSize,
-                           String attribute);
-
     int h_validate_boolean_expression(String booleanExpression);
 
     int h_validate_attribute(String booleanExpression);

src/main/java/com/cosmian/jna/covercrypt/structs/MasterKeys.java

@@ -1,10 +1,15 @@
 package com.cosmian.jna.covercrypt.structs;
 
-public class MasterKeys {
+import java.util.Arrays;
 
-    private final byte[] privateKey;
+import com.cosmian.utils.CloudproofException;
+import com.sun.jna.ptr.IntByReference;
 
-    private final byte[] publicKey;
+public class MasterKeys extends Ffi {
+
+    private byte[] privateKey;
+
+    private byte[] publicKey;
 
     public MasterKeys(byte[] privateKey, byte[] publicKey) {
         this.privateKey = privateKey;
@@ -18,4 +23,49 @@ public byte[] getPrivateKey() {
     public byte[] getPublicKey() {
         return publicKey;
     }
+
+    public void rekeyMasterKeys(String accessPolicy, Policy policy) throws CloudproofException {
+        // Master Private Key
+        byte[] updatedMsk = new byte[8 * 1024];
+        IntByReference updatedMskSize = new IntByReference(updatedMsk.length);
+
+        // Master Public Key OUT
+        byte[] updatedMpk = new byte[8 * 1024];
+        IntByReference updatedMpkSize = new IntByReference(updatedMpk.length);
+
+        int ffiCode = INSTANCE.h_rekey_master_keys(updatedMsk, updatedMskSize,
+            updatedMpk, updatedMpkSize, privateKey, privateKey.length, publicKey, publicKey.length, accessPolicy, policy.getBytes(), policy.getBytes().length);
+
+        if (ffiCode == 1) {
+            // Retry with correct allocated size
+            updatedMsk = new byte[updatedMskSize.getValue()];
+            updatedMpk = new byte[updatedMpkSize.getValue()];
+            INSTANCE.h_rekey_master_keys(updatedMsk, updatedMskSize,
+                updatedMpk, updatedMpkSize, privateKey, privateKey.length, publicKey, publicKey.length, accessPolicy, policy.getBytes(), policy.getBytes().length);
+        } else {
+            unwrap(ffiCode);
+        }
+
+        this.privateKey = Arrays.copyOfRange(updatedMsk, 0, updatedMskSize.getValue());
+        this.publicKey = Arrays.copyOfRange(updatedMpk, 0, updatedMpkSize.getValue());
+    }
+
+    public void pruneMasterSecretKey(String accessPolicy, Policy policy) throws CloudproofException {
+        // Master Private Key
+        byte[] updatedMsk = new byte[8 * 1024];
+        IntByReference updatedMskSize = new IntByReference(updatedMsk.length);
+
+        int ffiCode = INSTANCE.h_prune_master_secret_key(updatedMsk, updatedMskSize,
+            privateKey, privateKey.length, accessPolicy, policy.getBytes(), policy.getBytes().length);
+
+        if (ffiCode == 1) {
+            // Retry with correct allocated size
+            updatedMsk = new byte[updatedMskSize.getValue()];
+            INSTANCE.h_prune_master_secret_key(updatedMsk, updatedMskSize,
+                privateKey, privateKey.length, accessPolicy, policy.getBytes(), policy.getBytes().length);
+        } else {
+            unwrap(ffiCode);
+        }
+        this.privateKey = Arrays.copyOfRange(updatedMsk, 0, updatedMskSize.getValue());
+    }
 }

src/main/java/com/cosmian/jna/covercrypt/structs/Policy.java

@@ -119,17 +119,6 @@ public static Policy fromAttributes(Attributes attributes) throws CloudproofExce
         throw new CloudproofException("No policy available in the vendor attributes");
     }
 
-    public void rotateAttributes(String[] attributes) throws CloudproofException {
-        byte[] updatedPolicyBuffer = new byte[8192];
-        IntByReference updatedPolicyBufferSize = new IntByReference(updatedPolicyBuffer.length);
-        for (String attr : attributes) {
-            unwrap(INSTANCE.h_rotate_attribute(updatedPolicyBuffer, updatedPolicyBufferSize, _bytes,
-                _bytes.length, attr));
-            _bytes = Arrays.copyOfRange(updatedPolicyBuffer, 0, updatedPolicyBufferSize.getValue());
-            updatedPolicyBufferSize.setValue(updatedPolicyBuffer.length);
-        }
-    }
-
     @Override
     public boolean equals(Object o) {
         if (o == this)