[keymanager] GenerateKey API - incorporate signature change

Key changes:
- Renamed endpoint from /v1/keys:generate_kem to /v1/keys:generate_key.
- Restructured `GenerateKeyRequest` to use a nested `Algorithm`
definition containing `Type` and an algorithm-specific `Params` object
with `kem_id`.
- Added support for `KEY_PROTECTION_VM_EMULATED` in the
KeyProtectionMechanism enum and established this as the default and only
supported mechanism for Vanguard so far.
- Validated lifecycle configurations and parsed `Algorithm`
appropriately according to updated schemas.
- Updated associated unit and integration tests (server_test.go,
integration_test.go) to use the new endpoints and the new request
signature.

Author: atulpatildbz

keymanager/workload_service/integration_test.go

@@ -29,15 +29,15 @@ func TestIntegrationGenerateKeysEndToEnd(t *testing.T) {
 	kpsSvc := kps.NewService(kpskcc.GenerateKEMKeypair)
 	srv := NewServer(kpsSvc, &realWorkloadService{})
 
-	reqBody, err := json.Marshal(GenerateKemRequest{
-		Algorithm:              KemAlgorithmDHKEMX25519HKDFSHA256,
-		KeyProtectionMechanism: KeyProtectionMechanismVM,
+	reqBody, err := json.Marshal(GenerateKeyRequest{
+		Algorithm:              AlgorithmDetails{Type: "kem", Params: AlgorithmParams{KemID: KemAlgorithmDHKEMX25519HKDFSHA256}},
+		KeyProtectionMechanism: KeyProtectionMechanismVMEmulated,
 		Lifespan:               ProtoDuration{Seconds: 3600},
 	})
 	if err != nil {
 		t.Fatalf("failed to marshal request: %v", err)
 	}
-	req := httptest.NewRequest(http.MethodPost, "/v1/keys:generate_kem", bytes.NewReader(reqBody))
+	req := httptest.NewRequest(http.MethodPost, "/v1/keys:generate_key", bytes.NewReader(reqBody))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	srv.Handler().ServeHTTP(w, req)
@@ -46,7 +46,7 @@ func TestIntegrationGenerateKeysEndToEnd(t *testing.T) {
 		t.Fatalf("expected status 200, got %d: %s", w.Code, w.Body.String())
 	}
 
-	var resp GenerateKemResponse
+	var resp GenerateKeyResponse
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
@@ -78,15 +78,15 @@ func TestIntegrationGenerateKeysUniqueMappings(t *testing.T) {
 	// Generate two key sets.
 	var kemUUIDs [2]uuid.UUID
 	for i := 0; i < 2; i++ {
-		reqBody, err := json.Marshal(GenerateKemRequest{
-			Algorithm:              KemAlgorithmDHKEMX25519HKDFSHA256,
-			KeyProtectionMechanism: KeyProtectionMechanismVM,
+		reqBody, err := json.Marshal(GenerateKeyRequest{
+			Algorithm:              AlgorithmDetails{Type: "kem", Params: AlgorithmParams{KemID: KemAlgorithmDHKEMX25519HKDFSHA256}},
+			KeyProtectionMechanism: KeyProtectionMechanismVMEmulated,
 			Lifespan:               ProtoDuration{Seconds: 3600},
 		})
 		if err != nil {
 			t.Fatalf("call %d: failed to marshal request: %v", i+1, err)
 		}
-		req := httptest.NewRequest(http.MethodPost, "/v1/keys:generate_kem", bytes.NewReader(reqBody))
+		req := httptest.NewRequest(http.MethodPost, "/v1/keys:generate_key", bytes.NewReader(reqBody))
 		req.Header.Set("Content-Type", "application/json")
 		w := httptest.NewRecorder()
 		srv.Handler().ServeHTTP(w, req)
@@ -95,7 +95,7 @@ func TestIntegrationGenerateKeysUniqueMappings(t *testing.T) {
 			t.Fatalf("call %d: expected status 200, got %d: %s", i+1, w.Code, w.Body.String())
 		}
 
-		var resp GenerateKemResponse
+		var resp GenerateKeyResponse
 		if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 			t.Fatalf("call %d: failed to decode response: %v", i+1, err)
 		}

keymanager/workload_service/proto_enums.go

@@ -61,20 +61,26 @@ func (k *KemAlgorithm) UnmarshalJSON(data []byte) error {
 type KeyProtectionMechanism int32
 
 const (
+	KeyProtectionMechanismUnspecified KeyProtectionMechanism = 0
 	// KeyProtectionMechanismDefault is the default but invalid value.
 	KeyProtectionMechanismDefault KeyProtectionMechanism = 1
 	// KeyProtectionMechanismVM specifies that the key is protected by the VM.
-	KeyProtectionMechanismVM KeyProtectionMechanism = 2
+	KeyProtectionMechanismVM         KeyProtectionMechanism = 2
+	KeyProtectionMechanismVMEmulated KeyProtectionMechanism = 3
 )
 
 var (
 	keyProtectionMechanismToString = map[KeyProtectionMechanism]string{
-		KeyProtectionMechanismDefault: "DEFAULT",
-		KeyProtectionMechanismVM:      "KEY_PROTECTION_VM",
+		KeyProtectionMechanismUnspecified: "KEY_PROTECTION_UNSPECIFIED",
+		KeyProtectionMechanismDefault:     "DEFAULT",
+		KeyProtectionMechanismVM:          "KEY_PROTECTION_VM",
+		KeyProtectionMechanismVMEmulated:  "KEY_PROTECTION_VM_EMULATED",
 	}
 	stringToKeyProtectionMechanism = map[string]KeyProtectionMechanism{
-		"DEFAULT":           KeyProtectionMechanismDefault,
-		"KEY_PROTECTION_VM": KeyProtectionMechanismVM,
+		"KEY_PROTECTION_UNSPECIFIED": KeyProtectionMechanismUnspecified,
+		"DEFAULT":                    KeyProtectionMechanismDefault,
+		"KEY_PROTECTION_VM":          KeyProtectionMechanismVM,
+		"KEY_PROTECTION_VM_EMULATED": KeyProtectionMechanismVMEmulated,
 	}
 )
 
@@ -112,8 +118,7 @@ var (
 
 	// SupportedKeyProtectionMechanisms is the source of truth for supported mechanisms.
 	SupportedKeyProtectionMechanisms = []KeyProtectionMechanism{
-		KeyProtectionMechanismDefault,
-		KeyProtectionMechanismVM,
+		KeyProtectionMechanismVMEmulated,
 	}
 )
 

keymanager/workload_service/server.go

@@ -68,15 +68,15 @@ func (d ProtoDuration) MarshalJSON() ([]byte, error) {
 	return json.Marshal(d.Seconds)
 }
 
-// GenerateKemRequest is the JSON body for POST /v1/keys:generate_kem.
-type GenerateKemRequest struct {
-	Algorithm              KemAlgorithm           `json:"algorithm"`
-	KeyProtectionMechanism KeyProtectionMechanism `json:"key_protection_mechanism"`
+// GenerateKeyRequest is the JSON body for POST /v1/keys:generate_key.
+type GenerateKeyRequest struct {
+	Algorithm              AlgorithmDetails       `json:"algorithm"`
+	KeyProtectionMechanism KeyProtectionMechanism `json:"key_protection_mechanism,omitempty"`
 	Lifespan               ProtoDuration          `json:"lifespan"`
 }
 
-// GenerateKemResponse is returned by POST /v1/keys:generate_kem.
-type GenerateKemResponse struct {
+// GenerateKeyResponse is returned by POST /v1/keys:generate_key.
+type GenerateKeyResponse struct {
 	KeyHandle KeyHandle `json:"key_handle"`
 }
 
@@ -129,7 +129,7 @@ func NewServer(keyProtectionService KeyProtectionService, workloadService Worklo
 	}
 
 	mux := http.NewServeMux()
-	mux.HandleFunc("POST /v1/keys:generate_kem", s.handleGenerateKem)
+	mux.HandleFunc("POST /v1/keys:generate_key", s.handleGenerateKey)
 	mux.HandleFunc("GET /v1/capabilities", s.handleGetCapabilities)
 
 	s.httpServer = &http.Server{Handler: mux}
@@ -166,20 +166,28 @@ func (s *Server) LookupBindingUUID(kemUUID uuid.UUID) (uuid.UUID, bool) {
 	return id, ok
 }
 
-func (s *Server) handleGenerateKem(w http.ResponseWriter, r *http.Request) {
-	var req GenerateKemRequest
+func (s *Server) handleGenerateKey(w http.ResponseWriter, r *http.Request) {
+	var req GenerateKeyRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		writeError(w, fmt.Sprintf("invalid request body: %v", err), http.StatusBadRequest)
 		return
 	}
 
+	if req.Algorithm.Type != "kem" {
+		writeError(w, fmt.Sprintf("unsupported algorithm type: %q. Only 'kem' is supported.", req.Algorithm.Type), http.StatusBadRequest)
+		return
+	}
+
 	// Validate algorithm.
-	if !req.Algorithm.IsSupported() {
-		writeError(w, fmt.Sprintf("unsupported algorithm: %s. Supported algorithms: %s", req.Algorithm, SupportedKemAlgorithmsString()), http.StatusBadRequest)
+	if !req.Algorithm.Params.KemID.IsSupported() {
+		writeError(w, fmt.Sprintf("unsupported algorithm: %s. Supported algorithms: %s", req.Algorithm.Params.KemID, SupportedKemAlgorithmsString()), http.StatusBadRequest)
 		return
 	}
 
 	// Validate keyProtectionMechanism.
+	if req.KeyProtectionMechanism == KeyProtectionMechanismUnspecified {
+		req.KeyProtectionMechanism = KeyProtectionMechanismVMEmulated
+	}
 	if !req.KeyProtectionMechanism.IsSupported() {
 		writeError(w, fmt.Sprintf("unsupported keyProtectionMechanism: %s", req.KeyProtectionMechanism), http.StatusBadRequest)
 		return
@@ -193,7 +201,7 @@ func (s *Server) handleGenerateKem(w http.ResponseWriter, r *http.Request) {
 
 	// Construct the full HPKE algorithm suite based on the requested KEM.
 	// We currently only support one suite.
-	algo, err := req.Algorithm.ToHpkeAlgorithm()
+	algo, err := req.Algorithm.Params.KemID.ToHpkeAlgorithm()
 	if err != nil {
 		writeError(w, err.Error(), http.StatusBadRequest)
 		return
@@ -219,7 +227,7 @@ func (s *Server) handleGenerateKem(w http.ResponseWriter, r *http.Request) {
 	s.mu.Unlock()
 
 	// Step 4: Return KEM UUID to workload.
-	resp := GenerateKemResponse{
+	resp := GenerateKeyResponse{
 		KeyHandle: KeyHandle{Handle: kemUUID.String()},
 	}
 	writeJSON(w, resp, http.StatusOK)