[keymanager] GenerateKey API - incorporate signature change#677
Open
atulpatildbz wants to merge 2 commits intogoogle:mainfrom
Open
[keymanager] GenerateKey API - incorporate signature change#677atulpatildbz wants to merge 2 commits intogoogle:mainfrom
atulpatildbz wants to merge 2 commits intogoogle:mainfrom
Conversation
atulpatildbz
force-pushed
the
generate_signature_fix_20260225
branch
from
c6b247e to
65c8d9f
Compare
atulpatildbz
force-pushed
the
generate_signature_fix_20260225
branch
from
65c8d9f to
fcb3242
Compare
NilanjanDaw
reviewed
Feb 26, 2026
Comment on lines
156
to
160
| if req.Algorithm.Type != "kem" { | ||
| writeError(w, fmt.Sprintf("unsupported algorithm type: %q. Only 'kem' is supported.", req.Algorithm.Type), http.StatusBadRequest) | ||
| return | ||
| } | ||
|
|
Collaborator
There was a problem hiding this comment.
How do we make this check future proof, since we will also be using this to generate signing keys in future?
Collaborator
Author
There was a problem hiding this comment.
added a switch case here. that can be extended once we support new keys
Comment on lines
168
to
173
| if req.KeyProtectionMechanism == KeyProtectionMechanismUnspecified { | ||
| req.KeyProtectionMechanism = KeyProtectionMechanismVMEmulated | ||
| } | ||
| if !req.KeyProtectionMechanism.IsSupported() { | ||
| writeError(w, fmt.Sprintf("unsupported keyProtectionMechanism: %s", req.KeyProtectionMechanism), http.StatusBadRequest) | ||
| return |
Collaborator
There was a problem hiding this comment.
GenerateKey does not have a KeyProtectionMechanism in the param anymore.
Collaborator
Author
There was a problem hiding this comment.
thanks. somehow i had missed this. removed
| KemID: KemAlgorithmDHKEMX25519HKDFSHA256, | ||
| }, | ||
| }, | ||
| KeyProtectionMechanism: KeyProtectionMechanismVMEmulated, |
Collaborator
There was a problem hiding this comment.
Same KeyProtectionMechanism param anymore.
NilanjanDaw
reviewed
Feb 26, 2026
Comment on lines
68
to
71
| KeyProtectionMechanismUnspecified: "KEY_PROTECTION_UNSPECIFIED", | ||
| KeyProtectionMechanismDefault: "DEFAULT", | ||
| KeyProtectionMechanismVM: "KEY_PROTECTION_VM", | ||
| KeyProtectionMechanismVMEmulated: "KEY_PROTECTION_VM_EMULATED", |
Collaborator
There was a problem hiding this comment.
Instead of two definitions, can we use the proto as the SoT? https://github.com/google/go-tpm-tools/pull/671/changes#diff-1bc4cf1b75525a6d94e7cf9573d1efbc30dc9015819879d337aa365be34e5ba5R15-R23
Collaborator
Author
There was a problem hiding this comment.
removed this entirely
atulpatildbz
force-pushed
the
generate_signature_fix_20260225
branch
from
d5c867b to
a7a2b09
Compare
atulpatildbz
force-pushed
the
generate_signature_fix_20260225
branch
3 times, most recently
from
f26280f to
cb4e9af
Compare
Key changes: - Renamed endpoint from /v1/keys:generate_kem to /v1/keys:generate_key. - Restructured `GenerateKeyRequest` to use a nested `Algorithm` definition containing `Type` and an algorithm-specific `Params` object with `kem_id`. - Added support for `KEY_PROTECTION_VM_EMULATED` in the KeyProtectionMechanism enum and established this as the default and only supported mechanism for Vanguard so far. - Validated lifecycle configurations and parsed `Algorithm` appropriately according to updated schemas. - Updated associated unit and integration tests (server_test.go, integration_test.go) to use the new endpoints and the new request signature.
* Refactor GenerateKey algorithm validation to support future key types * remove KeyProtectionMechanism
atulpatildbz
force-pushed
the
generate_signature_fix_20260225
branch
from
cb4e9af to
5e805cc
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GenerateKeyRequestto use a nestedAlgorithmdefinition containingTypeand an algorithm-specificParamsobject withkem_id.KEY_PROTECTION_VM_EMULATEDin the KeyProtectionMechanism enum and established this as the default and only supported mechanism for Vanguard so far.Algorithmappropriately according to updated schemas.Manually tested with :
result: