[KeyManager] Expose Granular Error Codes in FFI

The current Rust FFI implementation for `key_protection_service` collapses most logical errors (e.g., `UnsupportedAlgorithm`, `InvalidKey`, `CryptoError`) into a generic error code `-1`. Only buffer size mismatches return a specific code (`-2`).

This prevents the Go client code from providing meaningful diagnostics to users (e.g., distinguishing between a bad key and an unsupported algorithm).

**Proposed Change:**

*   **Rust Side:**
    Update [key_manager_generate_kem_keypair](cci:1://file:///usr/local/google/home/patilatul/github/go-tpm-tools/keymanager/key_protection_service/key_custody_core/src/lib.rs:57:0-107:1) (and other FFI functions) to return specific error codes corresponding to `km_common::crypto::Error` variants.
    Example:
    *   `-3`: `UnsupportedAlgorithm`
    *   `-4`: `InvalidKey`
    *   `-5`: `CryptoError`

*   **Go Side:**
    Update the CGO wrapper in [kps_key_custody_core_cgo.go](cci:7://file:///usr/local/google/home/patilatul/github/go-tpm-tools/keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go:0:0-0:0) to handle these specific error codes and translate them into idiomatic Go errors with clear messages for the client.
    Example:
    ```go
    if rc == -3 {
        return ..., fmt.Errorf("unsupported algorithm configuration")
    }
    ```

we can also rely on `cbindgen` to export C constants for these error codes (e.g., C.KM_ERR_UNSUPPORTED_ALGORITHM) or define equivalent Go constants if that's not possible

discussion: https://github.com/google/go-tpm-tools/pull/652#discussion_r2816149645

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[KeyManager] Expose Granular Error Codes in FFI #668

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[KeyManager] Expose Granular Error Codes in FFI #668

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions