[keymanager/wsd] Add /keys:destroy endpoint with KEM + binding key destruction

Implement the Go KOL handler for POST /keys:destroy that orchestrates
the full key destruction flow:
1. Workload sends {kemKeyHandle} to WSD
2. WSD looks up binding UUID from KEM-to-binding map
3. WSD calls KPS DestroyKEMKey to destroy the KEM key
4. WSD calls WSD KCC DestroyBindingKey to destroy the binding key
5. WSD removes the KEM→Binding mapping
6. Returns 204 No Content

Changes:
- C headers: add key_manager_destroy_kem_key (KPS) and
  key_manager_destroy_binding_key (WSD) declarations
- CGO bridges: add DestroyKEMKey and DestroyBindingKey Go wrappers
- KPS service: extend with DestroyKEMKey method and KEMKeyDestroyer
  interface
- WSD server: add KEMKeyDestroyer/BindingKeyDestroyer interfaces,
  DestroyRequest type, handleDestroy handler, /keys:destroy route
- Tests: 7 new destroy handler tests + 2 new KPS service tests

Remove DecapAndSeal and Open from KPS and WSD

Author: atulpatildbz

keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go

@@ -60,3 +60,15 @@ func GenerateKEMKeypair(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, li
 	copy(pubkey, pubkeyBuf[:pubkeyLen])
 	return id, pubkey, nil
 }
+
+// DestroyKEMKey destroys the KEM key identified by kemUUID via Rust FFI.
+func DestroyKEMKey(kemUUID uuid.UUID) error {
+	uuidBytes := kemUUID[:]
+	rc := C.key_manager_destroy_kem_key(
+		(*C.uint8_t)(unsafe.Pointer(&uuidBytes[0])),
+	)
+	if rc != 0 {
+		return fmt.Errorf("key_manager_destroy_kem_key failed with code %d", rc)
+	}
+	return nil
+}

keymanager/key_protection_service/service.go

@@ -10,22 +10,41 @@ import (
 )
 
 // KEMKeyGenerator generates KEM keypairs linked to a binding public key.
+
+// KEMKeyDestroyer destroys a KEM key by UUID.
+type KEMKeyDestroyer interface {
+	DestroyKEMKey(kemUUID uuid.UUID) error
+}
+
 type KEMKeyGenerator interface {
 	GenerateKEMKeypair(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, lifespanSecs uint64) (uuid.UUID, []byte, error)
 }
 
-// Service implements KEMKeyGenerator by delegating to the KPS KCC FFI.
+// Service implements KEMKeyGenerator and KEMKeyDestroyer by
+// delegating to the KPS KCC FFI.
 type Service struct {
+	destroyKEMKeyFn      func(kemUUID uuid.UUID) error
 	generateKEMKeypairFn func(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, lifespanSecs uint64) (uuid.UUID, []byte, error)
 }
 
 // NewService creates a new KPS KOL service with the given KCC function.
-func NewService(generateKEMKeypairFn func(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, lifespanSecs uint64) (uuid.UUID, []byte, error)) *Service {
-	return &Service{generateKEMKeypairFn: generateKEMKeypairFn}
+func NewService(
+	generateKEMKeypairFn func(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, lifespanSecs uint64) (uuid.UUID, []byte, error),
+	destroyKEMKeyFn func(kemUUID uuid.UUID) error,
+) *Service {
+	return &Service{
+		generateKEMKeypairFn: generateKEMKeypairFn,
+		destroyKEMKeyFn:      destroyKEMKeyFn,
+	}
 }
 
 // GenerateKEMKeypair generates a KEM keypair linked to the provided binding
 // public key by calling the KPS KCC FFI.
 func (s *Service) GenerateKEMKeypair(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, lifespanSecs uint64) (uuid.UUID, []byte, error) {
 	return s.generateKEMKeypairFn(algo, bindingPubKey, lifespanSecs)
 }
+
+// DestroyKEMKey destroys the KEM key identified by kemUUID by calling the KPS KCC FFI.
+func (s *Service) DestroyKEMKey(kemUUID uuid.UUID) error {
+	return s.destroyKEMKeyFn(kemUUID)
+}

keymanager/key_protection_service/service_test.go

@@ -9,6 +9,10 @@ import (
 	algorithms "github.com/google/go-tpm-tools/keymanager/km_common/proto"
 )
 
+// noopDestroyKEMKey is a placeholder for tests that don't exercise DestroyKEMKey.
+func noopDestroyKEMKey(_ uuid.UUID) error {
+	return nil
+}
 func TestServiceGenerateKEMKeypairSuccess(t *testing.T) {
 	expectedUUID := uuid.New()
 	expectedPubKey := make([]byte, 32)
@@ -24,7 +28,7 @@ func TestServiceGenerateKEMKeypairSuccess(t *testing.T) {
 			t.Fatalf("expected lifespanSecs 7200, got %d", lifespanSecs)
 		}
 		return expectedUUID, expectedPubKey, nil
-	})
+	}, noopDestroyKEMKey)
 
 	id, pubKey, err := svc.GenerateKEMKeypair(&algorithms.HpkeAlgorithm{}, make([]byte, 32), 7200)
 	if err != nil {
@@ -41,10 +45,35 @@ func TestServiceGenerateKEMKeypairSuccess(t *testing.T) {
 func TestServiceGenerateKEMKeypairError(t *testing.T) {
 	svc := NewService(func(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, lifespanSecs uint64) (uuid.UUID, []byte, error) {
 		return uuid.Nil, nil, fmt.Errorf("FFI error")
-	})
+	}, noopDestroyKEMKey)
 
 	_, _, err := svc.GenerateKEMKeypair(&algorithms.HpkeAlgorithm{}, make([]byte, 32), 3600)
 	if err == nil {
 		t.Fatal("expected error, got nil")
 	}
 }
+
+func TestServiceDestroyKEMKeySuccess(t *testing.T) {
+	kemUUID := uuid.New()
+	svc := NewService(nil, func(id uuid.UUID) error {
+		if id != kemUUID {
+			t.Fatalf("expected KEM UUID %s, got %s", kemUUID, id)
+		}
+		return nil
+	})
+
+	if err := svc.DestroyKEMKey(kemUUID); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestServiceDestroyKEMKeyError(t *testing.T) {
+	svc := NewService(nil, func(_ uuid.UUID) error {
+		return fmt.Errorf("destroy FFI error")
+	})
+
+	err := svc.DestroyKEMKey(uuid.New())
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+}

keymanager/workload_service/integration_test.go

@@ -24,10 +24,17 @@ func (r *realBindingKeyGen) GenerateBindingKeypair(algo *algorithms.HpkeAlgorith
 	return wskcc.GenerateBindingKeypair(algo, lifespanSecs)
 }
 
+// realBindingKeyDestroyer wraps the actual WSD KCC FFI for DestroyBindingKey.
+type realBindingKeyDestroyer struct{}
+
+func (r *realBindingKeyDestroyer) DestroyBindingKey(bindingUUID uuid.UUID) error {
+	return wskcc.DestroyBindingKey(bindingUUID)
+}
+
 func TestIntegrationGenerateKeysEndToEnd(t *testing.T) {
 	// Wire up real FFI calls: WSD KCC for binding, KPS KCC (via KPS KOL) for KEM.
-	kpsSvc := kps.NewService(kpskcc.GenerateKEMKeypair)
-	srv := NewServer(&realBindingKeyGen{}, kpsSvc)
+	kpsSvc := kps.NewService(kpskcc.GenerateKEMKeypair, kpskcc.DecapAndSeal, kpskcc.DestroyKEMKey)
+	srv := NewServer(&realBindingKeyGen{}, kpsSvc, kpsSvc, &realBindingKeyDestroyer{})
 
 	reqBody, err := json.Marshal(GenerateKemRequest{
 		Algorithm:              KemAlgorithmDHKEMX25519HKDFSHA256,
@@ -72,8 +79,8 @@ func TestIntegrationGenerateKeysEndToEnd(t *testing.T) {
 }
 
 func TestIntegrationGenerateKeysUniqueMappings(t *testing.T) {
-	kpsSvc := kps.NewService(kpskcc.GenerateKEMKeypair)
-	srv := NewServer(&realBindingKeyGen{}, kpsSvc)
+	kpsSvc := kps.NewService(kpskcc.GenerateKEMKeypair, kpskcc.DestroyKEMKey)
+	srv := NewServer(&realBindingKeyGen{}, kpsSvc, kpsSvc, &realBindingKeyDestroyer{})
 
 	// Generate two key sets.
 	var kemUUIDs [2]uuid.UUID
@@ -121,3 +128,69 @@ func TestIntegrationGenerateKeysUniqueMappings(t *testing.T) {
 	t.Logf("E2E uniqueness: KEM1=%s→Binding1=%s, KEM2=%s→Binding2=%s",
 		kemUUIDs[0], binding1, kemUUIDs[1], binding2)
 }
+
+func TestIntegrationDestroyKey(t *testing.T) {
+	kpsSvc := kps.NewService(kpskcc.GenerateKEMKeypair, kpskcc.DestroyKEMKey)
+	srv := NewServer(&realBindingKeyGen{}, kpsSvc, kpsSvc, &realBindingKeyDestroyer{})
+
+	// 1. Generate a key first
+	reqBody, _ := json.Marshal(GenerateKemRequest{
+		Algorithm:              KemAlgorithmDHKEMX25519HKDFSHA256,
+		KeyProtectionMechanism: KeyProtectionMechanismVM,
+		Lifespan:               ProtoDuration{Seconds: 3600},
+	})
+	reqGen := httptest.NewRequest(http.MethodPost, "/v1/keys:generate_kem", bytes.NewReader(reqBody))
+	reqGen.Header.Set("Content-Type", "application/json")
+	wGen := httptest.NewRecorder()
+	srv.Handler().ServeHTTP(wGen, reqGen)
+
+	if wGen.Code != http.StatusOK {
+		t.Fatalf("setup: expected generate status 200, got %d: %s", wGen.Code, wGen.Body.String())
+	}
+
+	var respGen GenerateKemResponse
+	if err := json.NewDecoder(wGen.Body).Decode(&respGen); err != nil {
+		t.Fatalf("setup: failed to decode generate response: %v", err)
+	}
+	kemHandle := respGen.KeyHandle.Handle
+	kemUUID, err := uuid.Parse(kemHandle)
+	if err != nil {
+		t.Fatalf("setup: invalid KEM UUID: %v", err)
+	}
+
+	// Verify mapping exists
+	_, ok := srv.LookupBindingUUID(kemUUID)
+	if !ok {
+		t.Fatal("setup: expected mapping to exist")
+	}
+
+	// 2. Destroy the key
+	reqDestroyBody, _ := json.Marshal(DestroyRequest{
+		KeyHandle: KeyHandle{Handle: kemHandle},
+	})
+	reqDestroy := httptest.NewRequest(http.MethodPost, "/v1/keys:destroy", bytes.NewReader(reqDestroyBody))
+	reqDestroy.Header.Set("Content-Type", "application/json")
+	wDestroy := httptest.NewRecorder()
+	srv.Handler().ServeHTTP(wDestroy, reqDestroy)
+
+	if wDestroy.Code != http.StatusNoContent {
+		t.Fatalf("expected destroy status 204, got %d: %s", wDestroy.Code, wDestroy.Body.String())
+	}
+
+	// 3. Verify mapping is gone
+	_, ok = srv.LookupBindingUUID(kemUUID)
+	if ok {
+		t.Fatal("expected KEM UUID mapping to be removed after destroy")
+	}
+
+	// 4. Try to destroy again (should fail? or be 404? or 500?)
+	// If mapping is gone, it returns 404.
+	reqDestroy2 := httptest.NewRequest(http.MethodPost, "/v1/keys:destroy", bytes.NewReader(reqDestroyBody))
+	reqDestroy2.Header.Set("Content-Type", "application/json")
+	wDestroy2 := httptest.NewRecorder()
+	srv.Handler().ServeHTTP(wDestroy2, reqDestroy2)
+
+	if wDestroy2.Code != http.StatusNotFound {
+		t.Fatalf("expected second destroy to return 404, got %d", wDestroy2.Code)
+	}
+}

keymanager/workload_service/key_custody_core/ws_key_custody_core_cgo.go

@@ -53,3 +53,15 @@ func GenerateBindingKeypair(algo *algorithms.HpkeAlgorithm, lifespanSecs uint64)
 	copy(pubkey, pubkeyBuf[:pubkeyLen])
 	return id, pubkey, nil
 }
+
+// DestroyBindingKey destroys the binding key identified by bindingUUID via Rust FFI.
+func DestroyBindingKey(bindingUUID uuid.UUID) error {
+	uuidBytes := bindingUUID[:]
+	rc := C.key_manager_destroy_binding_key(
+		(*C.uint8_t)(unsafe.Pointer(&uuidBytes[0])),
+	)
+	if rc != 0 {
+		return fmt.Errorf("key_manager_destroy_binding_key failed with code %d", rc)
+	}
+	return nil
+}

keymanager/workload_service/server.go

@@ -24,6 +24,16 @@ type BindingKeyGenerator interface {
 }
 
 // KEMKeyGenerator generates KEM keypairs via the KPS KOL/KCC.
+// KEMKeyDestroyer destroys a KEM key by UUID via the KPS KCC FFI.
+type KEMKeyDestroyer interface {
+	DestroyKEMKey(kemUUID uuid.UUID) error
+}
+
+// BindingKeyDestroyer destroys a binding key by UUID via the WSD KCC FFI.
+type BindingKeyDestroyer interface {
+	DestroyBindingKey(bindingUUID uuid.UUID) error
+}
+
 type KEMKeyGenerator interface {
 	GenerateKEMKeypair(algo *algorithms.HpkeAlgorithm, bindingPubKey []byte, lifespanSecs uint64) (uuid.UUID, []byte, error)
 }
@@ -64,6 +74,10 @@ type GenerateKemRequest struct {
 }
 
 // GenerateKemResponse is returned by POST /v1/keys:generate_kem.
+type DestroyRequest struct {
+	KeyHandle KeyHandle `json:"key_handle"`
+}
+
 type GenerateKemResponse struct {
 	KeyHandle KeyHandle `json:"key_handle"`
 }
@@ -91,8 +105,10 @@ type GetCapabilitiesResponse struct {
 
 // Server is the WSD HTTP server.
 type Server struct {
-	bindingGen BindingKeyGenerator
-	kemGen     KEMKeyGenerator
+	bindingGen          BindingKeyGenerator
+	kemGen              KEMKeyGenerator
+	kemKeyDestroyer     KEMKeyDestroyer
+	bindingKeyDestroyer BindingKeyDestroyer
 
 	mu              sync.RWMutex
 	kemToBindingMap map[uuid.UUID]uuid.UUID
@@ -102,16 +118,19 @@ type Server struct {
 }
 
 // NewServer creates a new WSD server with the given dependencies.
-func NewServer(bindingGen BindingKeyGenerator, kemGen KEMKeyGenerator) *Server {
+func NewServer(bindingGen BindingKeyGenerator, kemGen KEMKeyGenerator, kemKeyDestroyer KEMKeyDestroyer, bindingKeyDestroyer BindingKeyDestroyer) *Server {
 	s := &Server{
-		bindingGen:      bindingGen,
-		kemGen:          kemGen,
-		kemToBindingMap: make(map[uuid.UUID]uuid.UUID),
+		bindingGen:          bindingGen,
+		kemGen:              kemGen,
+		kemKeyDestroyer:     kemKeyDestroyer,
+		bindingKeyDestroyer: bindingKeyDestroyer,
+		kemToBindingMap:     make(map[uuid.UUID]uuid.UUID),
 	}
 
 	mux := http.NewServeMux()
 	mux.HandleFunc("POST /v1/keys:generate_kem", s.handleGenerateKem)
 	mux.HandleFunc("GET /v1/capabilities", s.handleGetCapabilities)
+	mux.HandleFunc("POST /v1/keys:destroy", s.handleDestroy)
 
 	s.httpServer = &http.Server{Handler: mux}
 	return s
@@ -242,3 +261,43 @@ func writeJSON(w http.ResponseWriter, v any, code int) {
 func writeError(w http.ResponseWriter, message string, code int) {
 	writeJSON(w, map[string]string{"error": message}, code)
 }
+
+func (s *Server) handleDestroy(w http.ResponseWriter, r *http.Request) {
+	var req DestroyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, fmt.Sprintf("invalid request body: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	kemUUID, err := uuid.Parse(req.KeyHandle.Handle)
+	if err != nil {
+		writeError(w, fmt.Sprintf("invalid key handle: %v", err), http.StatusBadRequest)
+		return
+	}
+
+	// Step 1: Look up the binding UUID for this KEM key.
+	bindingUUID, ok := s.LookupBindingUUID(kemUUID)
+	if !ok {
+		writeError(w, fmt.Sprintf("KEM key handle not found: %s", kemUUID), http.StatusNotFound)
+		return
+	}
+
+	// Step 2: Destroy the KEM key via KPS.
+	if err := s.kemKeyDestroyer.DestroyKEMKey(kemUUID); err != nil {
+		writeError(w, fmt.Sprintf("failed to destroy KEM key: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	// Step 3: Destroy the binding key via WSD KCC.
+	if err := s.bindingKeyDestroyer.DestroyBindingKey(bindingUUID); err != nil {
+		writeError(w, fmt.Sprintf("failed to destroy binding key: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	// Step 4: Remove the mapping.
+	s.mu.Lock()
+	delete(s.kemToBindingMap, kemUUID)
+	s.mu.Unlock()
+
+	w.WriteHeader(http.StatusNoContent)
+}