some more simplifications

Author: NilanjanDaw

keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go

@@ -125,12 +125,10 @@ func EnumerateKEMKeys(limit, offset int) ([]KEMKeyInfo, bool, error) {
 // DestroyKEMKey destroys the KEM key identified by kemUUID via Rust FFI.
 func DestroyKEMKey(kemUUID uuid.UUID) error {
 	uuidBytes := kemUUID[:]
-	if rc := C.key_manager_destroy_kem_key(
+	rc := C.key_manager_destroy_kem_key(
 		(*C.uint8_t)(unsafe.Pointer(&uuidBytes[0])),
-	); keymanager.Status(rc) != keymanager.Status_STATUS_SUCCESS {
-		return keymanager.Status(rc).ToStatus()
-	}
-	return nil
+	)
+	return keymanager.Status(rc).ToStatus()
 }
 
 // GetKEMKey retrieves KEM and binding public keys, HpkeAlgorithm and remaining lifespan via Rust FFI.

keymanager/key_protection_service/key_custody_core/src/lib.rs

@@ -1,6 +1,6 @@
 use km_common::crypto::PublicKey;
 use km_common::key_types::{KeyRecord, KeyRegistry, KeySpec};
-use km_common::proto::{Status, HpkeAlgorithm};
+use km_common::proto::{HpkeAlgorithm, Status};
 use km_common::{MAX_ALGORITHM_LEN, MAX_PUBLIC_KEY_LEN};
 
 use prost::Message;
@@ -23,21 +23,16 @@ fn generate_kem_keypair_internal(
     binding_pubkey: PublicKey,
     expiry_secs: u64,
 ) -> Result<(uuid::Uuid, PublicKey), Status> {
-    let result =
-        KeyRecord::create_bound_kem_key(algo, binding_pubkey, Duration::from_secs(expiry_secs));
-
-    match result {
-        Ok(record) => {
-            let id = record.meta.id;
-            let pubkey = match &record.meta.spec {
-                KeySpec::KemWithBindingPub { kem_public_key, .. } => kem_public_key.clone(),
-                _ => return Err(Status::InternalError),
-            };
-            KEY_REGISTRY.add_key(record);
-            Ok((id, pubkey))
-        }
-        Err(e) => Err(Status::from(e)),
-    }
+    let record =
+        KeyRecord::create_bound_kem_key(algo, binding_pubkey, Duration::from_secs(expiry_secs))?;
+
+    let id = record.meta.id;
+    let pubkey = match &record.meta.spec {
+        KeySpec::KemWithBindingPub { kem_public_key, .. } => kem_public_key.clone(),
+        _ => return Err(Status::InternalError),
+    };
+    KEY_REGISTRY.add_key(record);
+    Ok((id, pubkey))
 }
 
 /// Generates a new KEM keypair associated with a binding public key.

keymanager/km_common/proto/algorithms.proto

@@ -32,7 +32,7 @@ message HpkeAlgorithm {
 // Specifies parameters for a particular algorithm type.
 message AlgorithmParams {
   oneof params {
-    // KEM algorithm identifier (e.g., DHKEM_X25519_HKDF_SHA256).
+    // KEM algorithm identifier (e.g., KEM_ALGORITHM_DHKEM_X25519_HKDF_SHA256).
     KemAlgorithm kem_id = 1;
   }
 }

keymanager/km_common/proto/status.proto

@@ -5,18 +5,18 @@ package keymanager;
 option go_package = "github.com/google/go-tpm-tools/keymanager/km_common/proto;keymanager";
 
 enum Status {
-  STATUS_UNSPECIFIED = 0;
-  STATUS_SUCCESS = 1;
-  STATUS_INTERNAL_ERROR = 2;
-  STATUS_INVALID_ARGUMENT = 3;
-  STATUS_NOT_FOUND = 4;
-  STATUS_ALREADY_EXISTS = 5;
-  STATUS_PERMISSION_DENIED = 6;
-  STATUS_UNAUTHENTICATED = 7;
+  STATUS_UNSPECIFIED           = 0;
+  STATUS_SUCCESS               = 1;
+  STATUS_INTERNAL_ERROR        = 2;
+  STATUS_INVALID_ARGUMENT      = 3;
+  STATUS_NOT_FOUND             = 4;
+  STATUS_ALREADY_EXISTS        = 5;
+  STATUS_PERMISSION_DENIED     = 6;
+  STATUS_UNAUTHENTICATED       = 7;
   STATUS_UNSUPPORTED_ALGORITHM = 8;
-  STATUS_INVALID_KEY = 9;
-  STATUS_CRYPTO_ERROR = 10;
-  STATUS_DECRYPTION_FAILURE = 11;
-  STATUS_ENCRYPTION_FAILURE = 12;
+  STATUS_INVALID_KEY           = 9;
+  STATUS_CRYPTO_ERROR          = 10;
+  STATUS_DECRYPTION_FAILURE    = 11;
+  STATUS_ENCRYPTION_FAILURE    = 12;
   STATUS_DECAPSULATION_FAILURE = 13;
 }

keymanager/km_common/src/keymanager.rs

@@ -9,160 +9,6 @@ pub struct HpkeAlgorithm {
     #[prost(enumeration = "AeadAlgorithm", tag = "3")]
     pub aead: i32,
 }
-/// Key Encapsulation Mechanism (KEM)
-#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
-#[repr(i32)]
-pub enum KemAlgorithm {
-    Unspecified = 0,
-    DhkemX25519HkdfSha256 = 1,
-}
-impl KemAlgorithm {
-    /// String value of the enum field names used in the ProtoBuf definition.
-    ///
-    /// The values are not transformed in any way and thus are considered stable
-    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
-    pub fn as_str_name(&self) -> &'static str {
-        match self {
-            Self::Unspecified => "KEM_ALGORITHM_UNSPECIFIED",
-            Self::DhkemX25519HkdfSha256 => "KEM_ALGORITHM_DHKEM_X25519_HKDF_SHA256",
-        }
-    }
-    /// Creates an enum from field names used in the ProtoBuf definition.
-    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
-        match value {
-            "KEM_ALGORITHM_UNSPECIFIED" => Some(Self::Unspecified),
-            "KEM_ALGORITHM_DHKEM_X25519_HKDF_SHA256" => Some(Self::DhkemX25519HkdfSha256),
-            _ => None,
-        }
-    }
-}
-/// Key Derivation Function (KDF)
-#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
-#[repr(i32)]
-pub enum KdfAlgorithm {
-    Unspecified = 0,
-    HkdfSha256 = 1,
-}
-impl KdfAlgorithm {
-    /// String value of the enum field names used in the ProtoBuf definition.
-    ///
-    /// The values are not transformed in any way and thus are considered stable
-    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
-    pub fn as_str_name(&self) -> &'static str {
-        match self {
-            Self::Unspecified => "KDF_ALGORITHM_UNSPECIFIED",
-            Self::HkdfSha256 => "KDF_ALGORITHM_HKDF_SHA256",
-        }
-    }
-    /// Creates an enum from field names used in the ProtoBuf definition.
-    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
-        match value {
-            "KDF_ALGORITHM_UNSPECIFIED" => Some(Self::Unspecified),
-            "KDF_ALGORITHM_HKDF_SHA256" => Some(Self::HkdfSha256),
-            _ => None,
-        }
-    }
-}
-/// Authenticated Encryption with Associated Data (AEAD)
-#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
-#[repr(i32)]
-pub enum AeadAlgorithm {
-    Unspecified = 0,
-    Aes256Gcm = 1,
-}
-impl AeadAlgorithm {
-    /// String value of the enum field names used in the ProtoBuf definition.
-    ///
-    /// The values are not transformed in any way and thus are considered stable
-    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
-    pub fn as_str_name(&self) -> &'static str {
-        match self {
-            Self::Unspecified => "AEAD_ALGORITHM_UNSPECIFIED",
-            Self::Aes256Gcm => "AEAD_ALGORITHM_AES_256_GCM",
-        }
-    }
-    /// Creates an enum from field names used in the ProtoBuf definition.
-    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
-        match value {
-            "AEAD_ALGORITHM_UNSPECIFIED" => Some(Self::Unspecified),
-            "AEAD_ALGORITHM_AES_256_GCM" => Some(Self::Aes256Gcm),
-            _ => None,
-        }
-    }
-}
-#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
-#[repr(i32)]
-pub enum Status {
-    Unspecified = 0,
-    Success = 1,
-    InternalError = 2,
-    InvalidArgument = 3,
-    NotFound = 4,
-    AlreadyExists = 5,
-    PermissionDenied = 6,
-    Unauthenticated = 7,
-    UnsupportedAlgorithm = 8,
-    InvalidKey = 9,
-    CryptoError = 10,
-    DecryptionFailure = 11,
-    EncryptionFailure = 12,
-    DecapsulationFailure = 13,
-}
-impl Status {
-    /// String value of the enum field names used in the ProtoBuf definition.
-    ///
-    /// The values are not transformed in any way and thus are considered stable
-    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
-    pub fn as_str_name(&self) -> &'static str {
-        match self {
-            Self::Unspecified => "STATUS_UNSPECIFIED",
-            Self::Success => "STATUS_SUCCESS",
-            Self::InternalError => "STATUS_INTERNAL_ERROR",
-            Self::InvalidArgument => "STATUS_INVALID_ARGUMENT",
-            Self::NotFound => "STATUS_NOT_FOUND",
-            Self::AlreadyExists => "STATUS_ALREADY_EXISTS",
-            Self::PermissionDenied => "STATUS_PERMISSION_DENIED",
-            Self::Unauthenticated => "STATUS_UNAUTHENTICATED",
-            Self::UnsupportedAlgorithm => "STATUS_UNSUPPORTED_ALGORITHM",
-            Self::InvalidKey => "STATUS_INVALID_KEY",
-            Self::CryptoError => "STATUS_CRYPTO_ERROR",
-            Self::DecryptionFailure => "STATUS_DECRYPTION_FAILURE",
-            Self::EncryptionFailure => "STATUS_ENCRYPTION_FAILURE",
-            Self::DecapsulationFailure => "STATUS_DECAPSULATION_FAILURE",
-        }
-    }
-    /// Creates an enum from field names used in the ProtoBuf definition.
-    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
-        match value {
-            "STATUS_UNSPECIFIED" => Some(Self::Unspecified),
-            "STATUS_SUCCESS" => Some(Self::Success),
-            "STATUS_INTERNAL_ERROR" => Some(Self::InternalError),
-            "STATUS_INVALID_ARGUMENT" => Some(Self::InvalidArgument),
-            "STATUS_NOT_FOUND" => Some(Self::NotFound),
-            "STATUS_ALREADY_EXISTS" => Some(Self::AlreadyExists),
-            "STATUS_PERMISSION_DENIED" => Some(Self::PermissionDenied),
-            "STATUS_UNAUTHENTICATED" => Some(Self::Unauthenticated),
-            "STATUS_UNSUPPORTED_ALGORITHM" => Some(Self::UnsupportedAlgorithm),
-            "STATUS_INVALID_KEY" => Some(Self::InvalidKey),
-            "STATUS_CRYPTO_ERROR" => Some(Self::CryptoError),
-            "STATUS_DECRYPTION_FAILURE" => Some(Self::DecryptionFailure),
-            "STATUS_ENCRYPTION_FAILURE" => Some(Self::EncryptionFailure),
-            "STATUS_DECAPSULATION_FAILURE" => Some(Self::DecapsulationFailure),
-            _ => None,
-        }
-    }
-}
-// This file is @generated by prost-build.
-/// Composite HPKE Algorithm suite
-#[derive(Clone, Copy, PartialEq, ::prost::Message)]
-pub struct HpkeAlgorithm {
-    #[prost(enumeration = "KemAlgorithm", tag = "1")]
-    pub kem: i32,
-    #[prost(enumeration = "KdfAlgorithm", tag = "2")]
-    pub kdf: i32,
-    #[prost(enumeration = "AeadAlgorithm", tag = "3")]
-    pub aead: i32,
-}
 /// Specifies parameters for a particular algorithm type.
 #[derive(Clone, Copy, PartialEq, ::prost::Message)]
 pub struct AlgorithmParams {
@@ -173,7 +19,7 @@ pub struct AlgorithmParams {
 pub mod algorithm_params {
     #[derive(Clone, Copy, PartialEq, ::prost::Oneof)]
     pub enum Params {
-        /// KEM algorithm identifier (e.g., DHKEM_X25519_HKDF_SHA256).
+        /// KEM algorithm identifier (e.g., KEM_ALGORITHM_DHKEM_X25519_HKDF_SHA256).
         #[prost(enumeration = "super::KemAlgorithm", tag = "1")]
         KemId(i32),
     }

keymanager/workload_service/key_custody_core/src/lib.rs

@@ -1,7 +1,7 @@
 use km_common::crypto::PublicKey;
 use km_common::crypto::secret_box::SecretBox;
 use km_common::key_types::{KeyRecord, KeyRegistry, KeySpec};
-use km_common::proto::{Status, HpkeAlgorithm};
+use km_common::proto::{HpkeAlgorithm, Status};
 use km_common::{MAX_ALGORITHM_LEN, MAX_PUBLIC_KEY_LEN};
 use prost::Message;
 use std::slice;
@@ -22,22 +22,17 @@ fn generate_binding_keypair_internal(
     algo: HpkeAlgorithm,
     expiry_secs: u64,
 ) -> Result<(uuid::Uuid, PublicKey), Status> {
-    let result = KeyRecord::create_binding_key(algo, Duration::from_secs(expiry_secs));
-
-    match result {
-        Ok(record) => {
-            let id = record.meta.id;
-            let pubkey = match &record.meta.spec {
-                KeySpec::Binding {
-                    binding_public_key, ..
-                } => binding_public_key.clone(),
-                _ => return Err(Status::InternalError),
-            };
-            KEY_REGISTRY.add_key(record);
-            Ok((id, pubkey))
-        }
-        Err(e) => Err(Status::from(e)),
-    }
+    let record = KeyRecord::create_binding_key(algo, Duration::from_secs(expiry_secs))?;
+
+    let id = record.meta.id;
+    let pubkey = match &record.meta.spec {
+        KeySpec::Binding {
+            binding_public_key, ..
+        } => binding_public_key.clone(),
+        _ => return Err(Status::InternalError),
+    };
+    KEY_REGISTRY.add_key(record);
+    Ok((id, pubkey))
 }
 
 /// Generates a new binding HPKE keypair.

keymanager/workload_service/key_custody_core/ws_key_custody_core_cgo.go

@@ -69,10 +69,7 @@ func DestroyBindingKey(bindingUUID uuid.UUID) error {
 	rc := C.key_manager_destroy_binding_key(
 		(*C.uint8_t)(unsafe.Pointer(&uuidBytes[0])),
 	)
-	if keymanager.Status(rc) != keymanager.Status_STATUS_SUCCESS {
-		return keymanager.Status(rc).ToStatus()
-	}
-	return nil
+	return keymanager.Status(rc).ToStatus()
 }
 
 // Open decrypts a sealed ciphertext using the binding key identified by
@@ -130,14 +127,13 @@ func GetBindingKey(id uuid.UUID) ([]byte, *keymanager.HpkeAlgorithm, error) {
 	var algoBuf [C.MAX_ALGORITHM_LEN]byte
 	algoLenC := C.size_t(len(algoBuf))
 
-	rc := C.key_manager_get_binding_key(
+	if rc := C.key_manager_get_binding_key(
 		(*C.uint8_t)(unsafe.Pointer(&uuidBytes[0])),
 		(*C.uint8_t)(unsafe.Pointer(&pubkeyBuf[0])),
 		pubkeyLen,
 		(*C.uint8_t)(unsafe.Pointer(&algoBuf[0])),
 		&algoLenC,
-	)
-	if keymanager.Status(rc) != keymanager.Status_STATUS_SUCCESS {
+	); keymanager.Status(rc) != keymanager.Status_STATUS_SUCCESS {
 		return nil, nil, keymanager.Status(rc).ToStatus()
 	}