fixups

Author: vishesh92

engine/schema/src/main/java/org/apache/cloudstack/kms/KMSKekVersionVO.java

@@ -75,21 +75,26 @@ public enum Status {
     private Status status;
     @Column(name = "hsm_profile_id")
     private Long hsmProfileId;
-    @Column(name = "hsm_key_label")
-    private String hsmKeyLabel;
     @Column(name = GenericDao.CREATED_COLUMN, nullable = false)
     @Temporal(TemporalType.TIMESTAMP)
     private Date created;
     @Column(name = GenericDao.REMOVED_COLUMN)
     @Temporal(TemporalType.TIMESTAMP)
     private Date removed;
 
-    public KMSKekVersionVO(Long kmsKeyId, Integer versionNumber, String kekLabel, Status status) {
+    public KMSKekVersionVO(Long kmsKeyId, Integer versionNumber, String kekLabel) {
         this();
         this.kmsKeyId = kmsKeyId;
         this.versionNumber = versionNumber;
         this.kekLabel = kekLabel;
-        this.status = status;
+        this.status = Status.Active;
+    }
+
+    public KMSKekVersionVO(Long kmsKeyId, String kekLabel) {
+        this();
+        this.kmsKeyId = kmsKeyId;
+        this.kekLabel = kekLabel;
+        this.status = Status.Active;
     }
 
     public KMSKekVersionVO() {
@@ -154,13 +159,6 @@ public void setHsmProfileId(Long hsmProfileId) {
         this.hsmProfileId = hsmProfileId;
     }
 
-    public String getHsmKeyLabel() {
-        return hsmKeyLabel;
-    }
-
-    public void setHsmKeyLabel(String hsmKeyLabel) {
-        this.hsmKeyLabel = hsmKeyLabel;
-    }
 
     public Date getCreated() {
         return created;

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql

@@ -134,7 +134,6 @@ CREATE TABLE IF NOT EXISTS `cloud`.`kms_kek_versions` (
     `kek_label` VARCHAR(255) NOT NULL COMMENT 'Provider-specific KEK label/ID for this version',
     `status` VARCHAR(32) NOT NULL DEFAULT 'Active' COMMENT 'Active, Previous, Archived',
     `hsm_profile_id` BIGINT UNSIGNED COMMENT 'HSM profile where this KEK version is stored',
-    `hsm_key_label` VARCHAR(255) COMMENT 'Optional HSM-specific key label/alias',
     `created` DATETIME NOT NULL COMMENT 'Creation timestamp',
     `removed` DATETIME COMMENT 'Removal timestamp for soft delete',
     PRIMARY KEY (`id`),

plugins/kms/pkcs11/src/main/java/org/apache/cloudstack/kms/provider/pkcs11/PKCS11HSMProvider.java

@@ -26,7 +26,6 @@
 import org.apache.cloudstack.framework.kms.WrappedKey;
 import org.apache.cloudstack.kms.HSMProfileDetailsVO;
 import org.apache.cloudstack.kms.KMSKekVersionVO;
-import org.apache.cloudstack.kms.dao.HSMProfileDao;
 import org.apache.cloudstack.kms.dao.HSMProfileDetailsDao;
 import org.apache.cloudstack.kms.dao.KMSKekVersionDao;
 import org.apache.commons.lang3.StringUtils;
@@ -75,7 +74,7 @@
 public class PKCS11HSMProvider extends AdapterBase implements KMSProvider {
     private static final Logger logger = LogManager.getLogger(PKCS11HSMProvider.class);
     private static final String PROVIDER_NAME = "pkcs11";
-    // Security note (#7): AES-CBC provides confidentiality but not authenticity (no
+    // Security note: AES-CBC provides confidentiality but not authenticity (no
     // HMAC).
     // While AES-GCM is preferred, SunPKCS11 support for GCM is often buggy or
     // missing
@@ -89,8 +88,6 @@ public class PKCS11HSMProvider extends AdapterBase implements KMSProvider {
     private static final int[] VALID_KEY_SIZES = {128, 192, 256};
     private final Map<Long, HSMSessionPool> sessionPools = new ConcurrentHashMap<>();
     @Inject
-    private HSMProfileDao hsmProfileDao;
-    @Inject
     private HSMProfileDetailsDao hsmProfileDetailsDao;
     @Inject
     private KMSKekVersionDao kmsKekVersionDao;
@@ -641,6 +638,17 @@ private String buildSunPKCS11Config(Map<String, String> config, String nameSuffi
                 throw KMSException.invalidParameter("One of 'slot', 'slot_list_index', or 'token_label' is required");
             }
 
+            // Explicitly configure SunPKCS11 to generate AES keys as Data Encryption Keys.
+            // Strict HSMs (like Thales Luna in FIPS mode) forbid a key from having both
+            // CKA_WRAP and CKA_ENCRYPT attributes. Because CloudStack uses Cipher.ENCRYPT_MODE
+            // (which maps to C_Encrypt) to protect the DEK, the KEK must have CKA_ENCRYPT=true.
+            configBuilder.append("\nattributes(generate, CKO_SECRET_KEY, CKK_AES) = {\n");
+            configBuilder.append("  CKA_ENCRYPT = true\n");
+            configBuilder.append("  CKA_DECRYPT = true\n");
+            configBuilder.append("  CKA_WRAP = false\n");
+            configBuilder.append("  CKA_UNWRAP = false\n");
+            configBuilder.append("}\n");
+
             return configBuilder.toString();
         }
 

server/src/main/java/org/apache/cloudstack/kms/KMSManagerImpl.java

@@ -45,7 +45,6 @@
 import com.cloud.utils.db.SearchCriteria;
 import com.cloud.utils.db.Transaction;
 import com.cloud.utils.db.TransactionCallbackWithException;
-import com.cloud.utils.db.TransactionStatus;
 import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.command.admin.kms.MigrateVolumesToKMSCmd;
@@ -453,8 +452,7 @@ KMSKey createUserKMSKey(Long accountId, Long domainId, Long zoneId,
         kmsKey.setHsmProfileId(finalProfileId);
         kmsKey = kmsKeyDao.persist(kmsKey);
 
-        KMSKekVersionVO initialVersion = new KMSKekVersionVO(kmsKey.getId(), 1, providerKekLabel,
-                KMSKekVersionVO.Status.Active);
+        KMSKekVersionVO initialVersion = new KMSKekVersionVO(kmsKey.getId(), 1, providerKekLabel);
         initialVersion.setHsmProfileId(finalProfileId);
         initialVersion = kmsKekVersionDao.persist(initialVersion);
 
@@ -578,22 +576,39 @@ public SuccessResponse deleteKMSKey(DeleteKMSKeyCmd cmd) throws KMSException {
 
         KMSKeyVO key = findKMSKeyAndCheckAccess(cmd.getId(), caller);
 
-        deleteUserKMSKey(key, caller);
+        deleteUserKMSKey(key);
         return new SuccessResponse();
     }
 
-    private void deleteUserKMSKey(KMSKeyVO key, Account caller) throws KMSException {
+    private void deleteUserKMSKey(KMSKeyVO key) throws KMSException {
         long wrappedKeyCount = kmsWrappedKeyDao.countByKmsKeyId(key.getId());
         if (wrappedKeyCount > 0) {
             throw new InvalidParameterValueException("Cannot delete KMS key: " + key + ". " + wrappedKeyCount +
                                                      " wrapped key(s) still reference this key");
         }
 
-        kmsKeyDao.remove(key.getId());
         if (volumeDao.existsWithKmsKey(key.getId())) {
             throw new InvalidParameterValueException("Cannot delete KMS key: " + key + ". " +
                                                      "There are Volumes which still reference this key");
         }
+
+        List<KMSKekVersionVO> kekVersions = kmsKekVersionDao.listByKmsKeyId(key.getId());
+        for (KMSKekVersionVO kekVersion : kekVersions) {
+            try {
+                HSMProfileVO hsmProfile = hsmProfileDao.findById(kekVersion.getHsmProfileId());
+                if (hsmProfile != null) {
+                    KMSProvider provider = getKMSProvider(hsmProfile.getProtocol());
+                    provider.deleteKek(kekVersion.getKekLabel());
+                    logger.info("Deleted KEK {} (v{}) from provider {}",
+                            kekVersion.getKekLabel(), kekVersion.getVersionNumber(), provider.getProviderName());
+                }
+            } catch (Exception e) {
+                logger.warn("Failed to delete KEK {} (v{}) from provider during KMS key deletion: {}",
+                        kekVersion.getKekLabel(), kekVersion.getVersionNumber(), e.getMessage());
+            }
+        }
+
+        kmsKeyDao.remove(key.getId());
         logger.info("Deleted KMS key {}", key);
     }
 
@@ -663,13 +678,13 @@ String rotateKek(KMSKeyVO kmsKey, String oldKekLabel, String newKekLabel, int ke
         try {
             logger.info("Starting KEK rotation from {} to {} for kms key {}", oldKekLabel, newKekLabel, kmsKey);
 
-            final KMSKekVersionVO newVersionEntity = new KMSKekVersionVO();
             if (StringUtils.isEmpty(newKekLabel)) {
                 List<KMSKekVersionVO> existingVersions = kmsKekVersionDao.listByKmsKeyId(kmsKey.getId());
                 int nextVersion = existingVersions.stream().mapToInt(KMSKekVersionVO::getVersionNumber).max().orElse(0) + 1;
                 newKekLabel = kmsKey.getPurpose().generateKekLabel(kmsKey.getDomainId(), kmsKey.getAccountId(),
                         kmsKey.getUuid(), nextVersion);
             }
+            final KMSKekVersionVO newVersionEntity = new KMSKekVersionVO(kmsKey.getId(), newKekLabel);
 
             String finalNewKekLabel = newKekLabel;
             Long newProfileId = newHSMProfile.getId();
@@ -679,20 +694,19 @@ String rotateKek(KMSKeyVO kmsKey, String oldKekLabel, String newKekLabel, int ke
 
             try {
                 KMSKekVersionVO newVersion = Transaction
-                        .execute(new TransactionCallbackWithException<KMSKekVersionVO, KMSException>() {
-                            @Override
-                            public KMSKekVersionVO doInTransaction(TransactionStatus status) throws KMSException {
-                                newVersionEntity.setKmsKeyId(kmsKey.getId());
-                                newVersionEntity.setHsmProfileId(newProfileId);
-                                KMSKekVersionVO version = createKekVersion(newVersionEntity);
-
-                                if (!newProfileId.equals(kmsKey.getHsmProfileId())) {
-                                    kmsKey.setHsmProfileId(newProfileId);
-                                    kmsKeyDao.update(kmsKey.getId(), kmsKey);
-                                    logger.info("Updated KMS key {} to use HSM profile {}", kmsKey, finalHSMProfile);
-                                }
-                                return version;
+                        .execute((TransactionCallbackWithException<KMSKekVersionVO, KMSException>) status -> {
+                            newVersionEntity.setKmsKeyId(kmsKey.getId());
+                            newVersionEntity.setHsmProfileId(newProfileId);
+                            newVersionEntity.setKekLabel(finalNewKekLabel);
+                            KMSKekVersionVO version = createKekVersion(newVersionEntity);
+
+                            if (!newProfileId.equals(kmsKey.getHsmProfileId())) {
+                                kmsKey.setHsmProfileId(newProfileId);
+                                logger.info("Updated KMS key {} to use HSM profile {}", kmsKey, finalHSMProfile);
                             }
+                            kmsKey.setKekLabel(finalNewKekLabel);
+                            kmsKeyDao.update(kmsKey.getId(), kmsKey);
+                            return version;
                         });
 
                 logger.info("KEK rotation: KMS key {} now has {} versions (active: v{}, previous: v{})",