fixups

Author: vishesh92

api/src/main/java/org/apache/cloudstack/kms/KMSManager.java

@@ -118,17 +118,6 @@ public interface KMSManager extends Manager, Configurable {
      */
     KMSProvider getKMSProvider(String name);
 
-    /**
-     * Unwrap a DEK from a wrapped key
-     * SECURITY: Caller must zeroize returned byte array after use!
-     *
-     * @param wrappedKey the wrapped key from database
-     * @param zoneId     the zone ID
-     * @return plaintext DEK (caller must zeroize!)
-     * @throws KMSException if unwrap fails
-     */
-    byte[] unwrapVolumeKey(WrappedKey wrappedKey, Long zoneId) throws KMSException;
-
     /**
      * Check if caller has permission to use a KMS key
      *

engine/schema/src/main/java/com/cloud/storage/dao/VolumeDaoImpl.java

@@ -404,6 +404,7 @@ public VolumeDaoImpl() {
         AllFieldsSearch.and("passphraseId", AllFieldsSearch.entity().getPassphraseId(), Op.EQ);
         AllFieldsSearch.and("iScsiName", AllFieldsSearch.entity().get_iScsiName(), Op.EQ);
         AllFieldsSearch.and("path", AllFieldsSearch.entity().getPath(), Op.EQ);
+        AllFieldsSearch.and("kmsKeyId", AllFieldsSearch.entity().getKmsKeyId(), Op.EQ);
         AllFieldsSearch.done();
 
         RootDiskStateSearch = createSearchBuilder();

engine/schema/src/main/java/org/apache/cloudstack/kms/KMSKekVersionVO.java

@@ -75,21 +75,26 @@ public enum Status {
     private Status status;
     @Column(name = "hsm_profile_id")
     private Long hsmProfileId;
-    @Column(name = "hsm_key_label")
-    private String hsmKeyLabel;
     @Column(name = GenericDao.CREATED_COLUMN, nullable = false)
     @Temporal(TemporalType.TIMESTAMP)
     private Date created;
     @Column(name = GenericDao.REMOVED_COLUMN)
     @Temporal(TemporalType.TIMESTAMP)
     private Date removed;
 
-    public KMSKekVersionVO(Long kmsKeyId, Integer versionNumber, String kekLabel, Status status) {
+    public KMSKekVersionVO(Long kmsKeyId, Integer versionNumber, String kekLabel) {
         this();
         this.kmsKeyId = kmsKeyId;
         this.versionNumber = versionNumber;
         this.kekLabel = kekLabel;
-        this.status = status;
+        this.status = Status.Active;
+    }
+
+    public KMSKekVersionVO(Long kmsKeyId, String kekLabel) {
+        this();
+        this.kmsKeyId = kmsKeyId;
+        this.kekLabel = kekLabel;
+        this.status = Status.Active;
     }
 
     public KMSKekVersionVO() {
@@ -154,13 +159,6 @@ public void setHsmProfileId(Long hsmProfileId) {
         this.hsmProfileId = hsmProfileId;
     }
 
-    public String getHsmKeyLabel() {
-        return hsmKeyLabel;
-    }
-
-    public void setHsmKeyLabel(String hsmKeyLabel) {
-        this.hsmKeyLabel = hsmKeyLabel;
-    }
 
     public Date getCreated() {
         return created;

engine/schema/src/main/java/org/apache/cloudstack/kms/dao/KMSWrappedKeyDaoImpl.java

@@ -38,7 +38,6 @@ public KMSWrappedKeyDaoImpl() {
         allFieldSearch.and("kmsKeyId", allFieldSearch.entity().getKmsKeyId(), SearchCriteria.Op.EQ);
         allFieldSearch.and("kekVersionId", allFieldSearch.entity().getKekVersionId(), SearchCriteria.Op.EQ);
         allFieldSearch.and("zoneId", allFieldSearch.entity().getZoneId(), SearchCriteria.Op.EQ);
-        allFieldSearch.and("kmsKeyId", allFieldSearch.entity().getKmsKeyId(), SearchCriteria.Op.EQ);
         allFieldSearch.done();
     }
 

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql

@@ -134,7 +134,6 @@ CREATE TABLE IF NOT EXISTS `cloud`.`kms_kek_versions` (
     `kek_label` VARCHAR(255) NOT NULL COMMENT 'Provider-specific KEK label/ID for this version',
     `status` VARCHAR(32) NOT NULL DEFAULT 'Active' COMMENT 'Active, Previous, Archived',
     `hsm_profile_id` BIGINT UNSIGNED COMMENT 'HSM profile where this KEK version is stored',
-    `hsm_key_label` VARCHAR(255) COMMENT 'Optional HSM-specific key label/alias',
     `created` DATETIME NOT NULL COMMENT 'Creation timestamp',
     `removed` DATETIME COMMENT 'Removal timestamp for soft delete',
     PRIMARY KEY (`id`),

engine/storage/volume/src/main/java/org/apache/cloudstack/storage/volume/VolumeObject.java

@@ -29,6 +29,7 @@
 import com.cloud.utils.db.TransactionCallbackNoReturn;
 import com.cloud.utils.db.TransactionStatus;
 import org.apache.cloudstack.engine.orchestration.service.VolumeOrchestrationService;
+import org.apache.cloudstack.framework.kms.KMSException;
 import org.apache.cloudstack.secret.dao.PassphraseDao;
 import org.apache.cloudstack.secret.PassphraseVO;
 import com.cloud.service.dao.ServiceOfferingDetailsDao;
@@ -971,8 +972,8 @@ public byte[] getPassphrase() {
                 java.util.Arrays.fill(dekBytes, (byte) 0);
                 // Return UTF-8 bytes of the base64 string
                 return base64Dek.getBytes(java.nio.charset.StandardCharsets.UTF_8);
-            } catch (org.apache.cloudstack.framework.kms.KMSException e) {
-                logger.error("Failed to unwrap KMS key for volume {}: {}", volumeVO.getId(), e.getMessage());
+            } catch (KMSException e) {
+                logger.error("Failed to unwrap KMS key for volume {}: {}", volumeVO, e.getMessage(), e);
                 return new byte[0];
             }
         }

plugins/kms/database/src/main/java/org/apache/cloudstack/kms/provider/DatabaseKMSProvider.java

@@ -20,6 +20,7 @@
 import com.cloud.utils.component.AdapterBase;
 import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.google.crypto.tink.subtle.AesGcmJce;
+
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.kms.KMSException;
 import org.apache.cloudstack.framework.kms.KMSProvider;

plugins/kms/pkcs11/src/main/java/org/apache/cloudstack/kms/provider/pkcs11/PKCS11HSMProvider.java

@@ -26,7 +26,6 @@
 import org.apache.cloudstack.framework.kms.WrappedKey;
 import org.apache.cloudstack.kms.HSMProfileDetailsVO;
 import org.apache.cloudstack.kms.KMSKekVersionVO;
-import org.apache.cloudstack.kms.dao.HSMProfileDao;
 import org.apache.cloudstack.kms.dao.HSMProfileDetailsDao;
 import org.apache.cloudstack.kms.dao.KMSKekVersionDao;
 import org.apache.commons.lang3.StringUtils;
@@ -75,7 +74,7 @@
 public class PKCS11HSMProvider extends AdapterBase implements KMSProvider {
     private static final Logger logger = LogManager.getLogger(PKCS11HSMProvider.class);
     private static final String PROVIDER_NAME = "pkcs11";
-    // Security note (#7): AES-CBC provides confidentiality but not authenticity (no
+    // Security note: AES-CBC provides confidentiality but not authenticity (no
     // HMAC).
     // While AES-GCM is preferred, SunPKCS11 support for GCM is often buggy or
     // missing
@@ -89,8 +88,6 @@ public class PKCS11HSMProvider extends AdapterBase implements KMSProvider {
     private static final int[] VALID_KEY_SIZES = {128, 192, 256};
     private final Map<Long, HSMSessionPool> sessionPools = new ConcurrentHashMap<>();
     @Inject
-    private HSMProfileDao hsmProfileDao;
-    @Inject
     private HSMProfileDetailsDao hsmProfileDetailsDao;
     @Inject
     private KMSKekVersionDao kmsKekVersionDao;
@@ -125,6 +122,85 @@ public void deleteKek(String kekId) throws KMSException {
         });
     }
 
+    Long resolveProfileId(String kekLabel) throws KMSException {
+        KMSKekVersionVO version = kmsKekVersionDao.findByKekLabel(kekLabel);
+        if (version != null && version.getHsmProfileId() != null) {
+            return version.getHsmProfileId();
+        }
+        throw new KMSException(KMSException.ErrorType.KEK_NOT_FOUND,
+                "Could not resolve HSM profile for KEK: " + kekLabel);
+    }
+
+    /**
+     * Validates HSM profile configuration for PKCS#11 provider.
+     *
+     * <p>
+     * Validates:
+     * <ul>
+     * <li>{@code library}: Required, should point to PKCS#11 library</li>
+     * <li>{@code slot}, {@code slot_list_index}, or {@code token_label}: At least
+     * one required</li>
+     * <li>{@code pin}: Required for HSM authentication</li>
+     * <li>{@code max_sessions}: Optional, must be positive integer if provided</li>
+     * </ul>
+     *
+     * @param config Configuration map from HSM profile details
+     * @throws KMSException with {@code INVALID_PARAMETER} if validation fails
+     */
+    @Override
+    public void validateProfileConfig(Map<String, String> config) throws KMSException {
+        String libraryPath = config.get("library");
+        if (StringUtils.isBlank(libraryPath)) {
+            throw KMSException.invalidParameter("library is required for PKCS#11 HSM profile");
+        }
+
+        String slot = config.get("slot");
+        String slotListIndex = config.get("slot_list_index");
+        String tokenLabel = config.get("token_label");
+        if (StringUtils.isAllBlank(slot, slotListIndex, tokenLabel)) {
+            throw KMSException.invalidParameter(
+                    "One of 'slot', 'slot_list_index', or 'token_label' is required for PKCS#11 HSM profile");
+        }
+
+        if (StringUtils.isNotBlank(slot)) {
+            try {
+                Integer.parseInt(slot);
+            } catch (NumberFormatException e) {
+                throw KMSException.invalidParameter("slot must be a valid integer: " + slot);
+            }
+        }
+
+        if (StringUtils.isNotBlank(slotListIndex)) {
+            try {
+                int idx = Integer.parseInt(slotListIndex);
+                if (idx < 0) {
+                    throw KMSException.invalidParameter("slot_list_index must be a non-negative integer");
+                }
+            } catch (NumberFormatException e) {
+                throw KMSException.invalidParameter("slot_list_index must be a valid integer: " + slotListIndex);
+            }
+        }
+
+        File libraryFile = new File(libraryPath);
+        if (!libraryFile.exists() && !libraryFile.isAbsolute()) {
+            // The HSM library might be in the system library path
+            logger.debug("Library path {} does not exist as absolute path, will rely on system library path",
+                    libraryPath);
+        }
+
+        String max_sessions = config.get("max_sessions");
+        if (StringUtils.isNotBlank(max_sessions)) {
+            try {
+                int idx = Integer.parseInt(max_sessions);
+                if (idx <= 0) {
+                    throw KMSException.invalidParameter("max_sessions must be greater than 0");
+                }
+            } catch (NumberFormatException e) {
+                throw KMSException.invalidParameter("max_sessions must be a valid integer: " + max_sessions);
+            }
+        }
+    }
+
     @Override
     public boolean isKekAvailable(String kekId) throws KMSException {
         try {
@@ -245,15 +321,6 @@ public void invalidateProfileCache(Long profileId) {
         logger.info("Invalidated HSM session pool for profile {}", profileId);
     }
 
-    Long resolveProfileId(String kekLabel) throws KMSException {
-        KMSKekVersionVO version = kmsKekVersionDao.findByKekLabel(kekLabel);
-        if (version != null && version.getHsmProfileId() != null) {
-            return version.getHsmProfileId();
-        }
-        throw new KMSException(KMSException.ErrorType.KEK_NOT_FOUND,
-                "Could not resolve HSM profile for KEK: " + kekLabel);
-    }
-
     /**
      * Executes an operation with a session from the pool, handling acquisition and release.
      *
@@ -295,82 +362,11 @@ Map<String, String> loadProfileConfig(Long profileId) {
         return config;
     }
 
-    /**
-     * Validates HSM profile configuration for PKCS#11 provider.
-     *
-     * <p>
-     * Validates:
-     * <ul>
-     * <li>{@code library}: Required, should point to PKCS#11 library</li>
-     * <li>{@code slot}, {@code slot_list_index}, or {@code token_label}: At least
-     * one required</li>
-     * <li>{@code pin}: Required for HSM authentication</li>
-     * <li>{@code max_sessions}: Optional, must be positive integer if provided</li>
-     * </ul>
-     *
-     * @param config Configuration map from HSM profile details
-     * @throws KMSException with {@code INVALID_PARAMETER} if validation fails
-     */
-    @Override
-    public void validateProfileConfig(Map<String, String> config) throws KMSException {
-        String libraryPath = config.get("library");
-        if (StringUtils.isBlank(libraryPath)) {
-            throw KMSException.invalidParameter("library is required for PKCS#11 HSM profile");
-        }
-
-        String slot = config.get("slot");
-        String slotListIndex = config.get("slot_list_index");
-        String tokenLabel = config.get("token_label");
-        if (StringUtils.isAllBlank(slot, slotListIndex, tokenLabel)) {
-            throw KMSException.invalidParameter(
-                    "One of 'slot', 'slot_list_index', or 'token_label' is required for PKCS#11 HSM profile");
-        }
-
-        if (StringUtils.isNotBlank(slot)) {
-            try {
-                Integer.parseInt(slot);
-            } catch (NumberFormatException e) {
-                throw KMSException.invalidParameter("slot must be a valid integer: " + slot);
-            }
-        }
-
-        if (StringUtils.isNotBlank(slotListIndex)) {
-            try {
-                int idx = Integer.parseInt(slotListIndex);
-                if (idx < 0) {
-                    throw KMSException.invalidParameter("slot_list_index must be a non-negative integer");
-                }
-            } catch (NumberFormatException e) {
-                throw KMSException.invalidParameter("slot_list_index must be a valid integer: " + slotListIndex);
-            }
-        }
-
-        File libraryFile = new File(libraryPath);
-        if (!libraryFile.exists() && !libraryFile.isAbsolute()) {
-            // The HSM library might be in the system library path
-            logger.debug("Library path {} does not exist as absolute path, will rely on system library path",
-                    libraryPath);
-        }
-
-        String max_sessions = config.get("max_sessions");
-        if (StringUtils.isNotBlank(max_sessions)) {
-            try {
-                int idx = Integer.parseInt(max_sessions);
-                if (idx <= 0) {
-                    throw KMSException.invalidParameter("max_sessions must be greater than 0");
-                }
-            } catch (NumberFormatException e) {
-                throw KMSException.invalidParameter("max_sessions must be a valid integer: " + max_sessions);
-            }
-        }
-    }
-
     boolean isSensitiveKey(String key) {
         return KMSProvider.isSensitiveKey(key);
     }
 
 
-
     @Override
     public String getConfigComponentName() {
         return PKCS11HSMProvider.class.getSimpleName();
@@ -641,6 +637,17 @@ private String buildSunPKCS11Config(Map<String, String> config, String nameSuffi
                 throw KMSException.invalidParameter("One of 'slot', 'slot_list_index', or 'token_label' is required");
             }
 
+            // Explicitly configure SunPKCS11 to generate AES keys as Data Encryption Keys.
+            // Strict HSMs (like Thales Luna in FIPS mode) forbid a key from having both
+            // CKA_WRAP and CKA_ENCRYPT attributes. Because CloudStack uses Cipher.ENCRYPT_MODE
+            // (which maps to C_Encrypt) to protect the DEK, the KEK must have CKA_ENCRYPT=true.
+            configBuilder.append("\nattributes(generate, CKO_SECRET_KEY, CKK_AES) = {\n");
+            configBuilder.append("  CKA_ENCRYPT = true\n");
+            configBuilder.append("  CKA_DECRYPT = true\n");
+            configBuilder.append("  CKA_WRAP = false\n");
+            configBuilder.append("  CKA_UNWRAP = false\n");
+            configBuilder.append("}\n");
+
             return configBuilder.toString();
         }
 
@@ -823,9 +830,9 @@ String generateKey(String label, int keyBits, KeyPurpose purpose) throws KMSExce
 
             } catch (KeyStoreException e) {
                 if (e.getMessage() != null
-                        && e.getMessage().contains("found multiple secret keys sharing same CKA_LABEL")) {
+                    && e.getMessage().contains("found multiple secret keys sharing same CKA_LABEL")) {
                     logger.warn("Multiple duplicate keys found with label '{}' in HSM. Reusing the existing key. " +
-                            "Please purge duplicate keys manually if possible.", label);
+                                "Please purge duplicate keys manually if possible.", label);
                     return label;
                 }
                 handlePKCS11Exception(e, "Failed to store key in HSM KeyStore");

server/src/main/java/com/cloud/api/ApiResponseHelper.java

@@ -208,7 +208,6 @@
 import org.apache.cloudstack.framework.jobs.AsyncJob;
 import org.apache.cloudstack.framework.jobs.AsyncJobManager;
 import org.apache.cloudstack.gui.theme.GuiThemeJoin;
-import org.apache.cloudstack.kms.dao.HSMProfileDao;
 import org.apache.cloudstack.management.ManagementServerHost;
 import org.apache.cloudstack.network.BgpPeerVO;
 import org.apache.cloudstack.network.RoutedIpv4Manager;
@@ -520,8 +519,6 @@ public class ApiResponseHelper implements ResponseGenerator {
     private ASNumberRangeDao asNumberRangeDao;
     @Inject
     private ASNumberDao asNumberDao;
-    @Inject
-    private HSMProfileDao hsmProfileDao;
 
     @Inject
     ObjectStoreDao _objectStoreDao;

server/src/main/java/com/cloud/api/query/dao/VolumeJoinDaoImpl.java

@@ -1,4 +1,4 @@
-// Licensed to the Apache Software Foundation (ASF) under one
+    // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
@@ -32,7 +32,6 @@
 import org.apache.cloudstack.kms.KMSKekVersionVO;
 import org.apache.cloudstack.kms.KMSWrappedKeyVO;
 import org.apache.cloudstack.kms.dao.KMSKekVersionDao;
-import org.apache.cloudstack.kms.dao.KMSKeyDao;
 import org.apache.cloudstack.kms.dao.KMSWrappedKeyDao;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
@@ -63,8 +62,6 @@ public class VolumeJoinDaoImpl extends GenericDaoBaseWithTagInformation<VolumeJo
     @Inject
     private PrimaryDataStoreDao primaryDataStoreDao;
     @Inject
-    private KMSKeyDao kmsKeyDao;
-    @Inject
     private KMSWrappedKeyDao kmsWrappedKeyDao;
     @Inject
     private KMSKekVersionDao kmsKekVersionDao;