directly create the key in the store

Author: vishesh92

api/src/main/java/org/apache/cloudstack/api/command/user/kms/hsm/AddHSMProfileCmd.java

@@ -47,7 +47,7 @@
 
 @APICommand(name = "addHSMProfile", description = "Adds a new HSM profile", responseObject = HSMProfileResponse.class,
             requestHasSensitiveInfo = true, responseHasSensitiveInfo = true, since = "4.23.0",
-            authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
+        authorized = { RoleType.Admin })
 public class AddHSMProfileCmd extends BaseCmd {
 
     @Inject

api/src/main/java/org/apache/cloudstack/api/command/user/kms/hsm/DeleteHSMProfileCmd.java

@@ -40,7 +40,7 @@
 
 @APICommand(name = "deleteHSMProfile", description = "Deletes an HSM profile", responseObject = SuccessResponse.class,
             requestHasSensitiveInfo = false, responseHasSensitiveInfo = false, since = "4.23.0",
-            authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
+        authorized = { RoleType.Admin })
 public class DeleteHSMProfileCmd extends BaseCmd {
 
     @Inject

api/src/main/java/org/apache/cloudstack/api/command/user/kms/hsm/UpdateHSMProfileCmd.java

@@ -40,7 +40,7 @@
 @APICommand(name = "updateHSMProfile", description = "Updates an HSM profile",
             responseObject = HSMProfileResponse.class,
             requestHasSensitiveInfo = true, responseHasSensitiveInfo = true, since = "4.23.0",
-            authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
+        authorized = { RoleType.Admin })
 public class UpdateHSMProfileCmd extends BaseCmd {
 
     @Inject

engine/schema/src/main/java/org/apache/cloudstack/kms/KMSWrappedKeyVO.java

@@ -170,9 +170,7 @@ public void setRemoved(Date removed) {
 
     @Override
     public String toString() {
-        return String.format("KMSWrappedKey %s",
-                ReflectionToStringBuilderUtils.reflectOnlySelectedFields(
-                        this, "id", "uuid", "kmsKeyId", "kekVersionId", "accountId", "zoneId", "state", "created",
-                        "removed"));
+        return String.format("KMSWrappedKey %s", ReflectionToStringBuilderUtils.reflectOnlySelectedFields(
+                this, "id", "uuid", "kmsKeyId", "kekVersionId", "zoneId", "created", "removed"));
     }
 }

framework/kms/src/main/java/org/apache/cloudstack/framework/kms/KMSProvider.java

@@ -37,23 +37,36 @@
 public interface KMSProvider extends Configurable, Adapter {
 
     /**
-     * Get the unique name of this provider
+     * Returns {@code true} if the given HSM profile configuration key name refers
+     * to a
+     * sensitive value (PIN, password, secret, or private key) that must be
+     * encrypted at
+     * rest and masked in API responses.
      *
-     * @return provider name (e.g., "database", "pkcs11")
+     * <p>
+     * This is a shared naming-convention helper used by both KMS providers (when
+     * loading/storing profile details) and the KMS manager (when building API
+     * responses).
+     *
+     * @param key configuration key name (case-insensitive); null returns false
+     * @return true if the key is considered sensitive
      */
-    String getProviderName();
+    static boolean isSensitiveKey(String key) {
+        if (key == null) {
+            return false;
+        }
+        return key.equalsIgnoreCase("pin") ||
+               key.equalsIgnoreCase("password") ||
+               key.toLowerCase().contains("secret") ||
+               key.equalsIgnoreCase("private_key");
+    }
 
     /**
-     * Create a new Key Encryption Key (KEK) in the secure backend with explicit HSM profile.
+     * Get the unique name of this provider
      *
-     * @param purpose      the purpose/scope for this KEK
-     * @param label        human-readable label for the KEK (must be unique within purpose)
-     * @param keyBits      key size in bits (typically 128, 192, or 256)
-     * @param hsmProfileId optional HSM profile ID to create the KEK in (null for auto-resolution/default)
-     * @return the KEK identifier (label or handle) for later reference
-     * @throws KMSException if KEK creation fails
+     * @return provider name (e.g., "database", "pkcs11")
      */
-    String createKek(KeyPurpose purpose, String label, int keyBits, Long hsmProfileId) throws KMSException;
+    String getProviderName();
 
     /**
      * Create a new Key Encryption Key (KEK) in the secure backend.
@@ -69,6 +82,18 @@ default String createKek(KeyPurpose purpose, String label, int keyBits) throws K
         return createKek(purpose, label, keyBits, null);
     }
 
+    /**
+     * Create a new Key Encryption Key (KEK) in the secure backend with explicit HSM profile.
+     *
+     * @param purpose      the purpose/scope for this KEK
+     * @param label        human-readable label for the KEK (must be unique within purpose)
+     * @param keyBits      key size in bits (typically 128, 192, or 256)
+     * @param hsmProfileId optional HSM profile ID to create the KEK in (null for auto-resolution/default)
+     * @return the KEK identifier (label or handle) for later reference
+     * @throws KMSException if KEK creation fails
+     */
+    String createKek(KeyPurpose purpose, String label, int keyBits, Long hsmProfileId) throws KMSException;
+
     /**
      * Delete a KEK from the secure backend.
      * WARNING: This will make all DEKs wrapped by this KEK unrecoverable.
@@ -78,7 +103,6 @@ default String createKek(KeyPurpose purpose, String label, int keyBits) throws K
      */
     void deleteKek(String kekId) throws KMSException;
 
-
     /**
      * Check if a KEK exists and is accessible
      *
@@ -88,18 +112,6 @@ default String createKek(KeyPurpose purpose, String label, int keyBits) throws K
      */
     boolean isKekAvailable(String kekId) throws KMSException;
 
-    /**
-     * Wrap (encrypt) a plaintext Data Encryption Key with a KEK using explicit HSM profile.
-     *
-     * @param plainDek     the plaintext DEK to wrap (caller must zeroize after call)
-     * @param purpose      the intended purpose of this DEK
-     * @param kekLabel     the label of the KEK to use for wrapping
-     * @param hsmProfileId optional HSM profile ID to use (null for auto-resolution/default)
-     * @return WrappedKey containing the encrypted DEK and metadata
-     * @throws KMSException if wrapping fails or KEK not found
-     */
-    WrappedKey wrapKey(byte[] plainDek, KeyPurpose purpose, String kekLabel, Long hsmProfileId) throws KMSException;
-
     /**
      * Wrap (encrypt) a plaintext Data Encryption Key with a KEK.
      * Delegates to {@link #wrapKey(byte[], KeyPurpose, String, Long)} with null profile ID.
@@ -115,16 +127,16 @@ default WrappedKey wrapKey(byte[] plainDek, KeyPurpose purpose, String kekLabel)
     }
 
     /**
-     * Unwrap (decrypt) a wrapped DEK to obtain the plaintext key using explicit HSM profile.
-     * <p>
-     * SECURITY: Caller MUST zeroize the returned byte array after use
+     * Wrap (encrypt) a plaintext Data Encryption Key with a KEK using explicit HSM profile.
      *
-     * @param wrappedKey   the wrapped key to decrypt
+     * @param plainDek     the plaintext DEK to wrap (caller must zeroize after call)
+     * @param purpose      the intended purpose of this DEK
+     * @param kekLabel     the label of the KEK to use for wrapping
      * @param hsmProfileId optional HSM profile ID to use (null for auto-resolution/default)
-     * @return plaintext DEK (caller must zeroize!)
-     * @throws KMSException if unwrapping fails or KEK not found
+     * @return WrappedKey containing the encrypted DEK and metadata
+     * @throws KMSException if wrapping fails or KEK not found
      */
-    byte[] unwrapKey(WrappedKey wrappedKey, Long hsmProfileId) throws KMSException;
+    WrappedKey wrapKey(byte[] plainDek, KeyPurpose purpose, String kekLabel, Long hsmProfileId) throws KMSException;
 
     /**
      * Unwrap (decrypt) a wrapped DEK to obtain the plaintext key.
@@ -141,18 +153,16 @@ default byte[] unwrapKey(WrappedKey wrappedKey) throws KMSException {
     }
 
     /**
-     * Generate a new random DEK and immediately wrap it with a KEK using explicit HSM profile.
-     * (convenience method combining generation + wrapping)
+     * Unwrap (decrypt) a wrapped DEK to obtain the plaintext key using explicit HSM profile.
+     * <p>
+     * SECURITY: Caller MUST zeroize the returned byte array after use
      *
-     * @param purpose      the intended purpose of the new DEK
-     * @param kekLabel     the label of the KEK to use for wrapping
-     * @param keyBits      DEK size in bits (typically 128, 192, or 256)
+     * @param wrappedKey   the wrapped key to decrypt
      * @param hsmProfileId optional HSM profile ID to use (null for auto-resolution/default)
-     * @return WrappedKey containing the newly generated and wrapped DEK
-     * @throws KMSException if generation or wrapping fails
+     * @return plaintext DEK (caller must zeroize!)
+     * @throws KMSException if unwrapping fails or KEK not found
      */
-    WrappedKey generateAndWrapDek(KeyPurpose purpose, String kekLabel, int keyBits,
-            Long hsmProfileId) throws KMSException;
+    byte[] unwrapKey(WrappedKey wrappedKey, Long hsmProfileId) throws KMSException;
 
     /**
      * Generate a new random DEK and immediately wrap it with a KEK.
@@ -170,16 +180,18 @@ default WrappedKey generateAndWrapDek(KeyPurpose purpose, String kekLabel, int k
     }
 
     /**
-     * Rewrap a DEK with a different KEK (used during key rotation) using explicit target HSM profile.
-     * This unwraps with the old KEK and wraps with the new KEK without exposing the plaintext DEK.
+     * Generate a new random DEK and immediately wrap it with a KEK using explicit HSM profile.
+     * (convenience method combining generation + wrapping)
      *
-     * @param oldWrappedKey      the currently wrapped key
-     * @param newKekLabel        the label of the new KEK to wrap with
-     * @param targetHsmProfileId optional target HSM profile ID to wrap with (null for auto-resolution/default)
-     * @return new WrappedKey encrypted with the new KEK
-     * @throws KMSException if rewrapping fails
+     * @param purpose      the intended purpose of the new DEK
+     * @param kekLabel     the label of the KEK to use for wrapping
+     * @param keyBits      DEK size in bits (typically 128, 192, or 256)
+     * @param hsmProfileId optional HSM profile ID to use (null for auto-resolution/default)
+     * @return WrappedKey containing the newly generated and wrapped DEK
+     * @throws KMSException if generation or wrapping fails
      */
-    WrappedKey rewrapKey(WrappedKey oldWrappedKey, String newKekLabel, Long targetHsmProfileId) throws KMSException;
+    WrappedKey generateAndWrapDek(KeyPurpose purpose, String kekLabel, int keyBits,
+            Long hsmProfileId) throws KMSException;
 
     /**
      * Rewrap a DEK with a different KEK (used during key rotation).
@@ -195,6 +207,18 @@ default WrappedKey rewrapKey(WrappedKey oldWrappedKey, String newKekLabel) throw
         return rewrapKey(oldWrappedKey, newKekLabel, null);
     }
 
+    /**
+     * Rewrap a DEK with a different KEK (used during key rotation) using explicit target HSM profile.
+     * This unwraps with the old KEK and wraps with the new KEK without exposing the plaintext DEK.
+     *
+     * @param oldWrappedKey      the currently wrapped key
+     * @param newKekLabel        the label of the new KEK to wrap with
+     * @param targetHsmProfileId optional target HSM profile ID to wrap with (null for auto-resolution/default)
+     * @return new WrappedKey encrypted with the new KEK
+     * @throws KMSException if rewrapping fails
+     */
+    WrappedKey rewrapKey(WrappedKey oldWrappedKey, String newKekLabel, Long targetHsmProfileId) throws KMSException;
+
     /**
      * Perform health check on the provider backend
      *