Fix missing labels and label generation

Author: vishesh92

framework/kms/src/main/java/org/apache/cloudstack/framework/kms/KeyPurpose.java

@@ -65,12 +65,15 @@ public String getDescription() {
     }
 
     /**
-     * Generate a KEK label with purpose prefix
+     * Generate a globally unique, collision-resistant KEK label with context
      *
-     * @param customLabel optional custom label suffix
-     * @return formatted KEK label (e.g., "volume-kek-v1")
+     * @param domainId  the domain ID associated with this key
+     * @param accountId the account ID associated with this key
+     * @param uuid      the unique identifier of the key entity
+     * @param version   the version number of the key
+     * @return formatted KEK label (e.g., "volume-kek-1-2-a8054d8f-...-1")
      */
-    public String generateKekLabel(String customLabel) {
-        return name + "-kek-" + (customLabel != null ? customLabel : "v1");
+    public String generateKekLabel(long domainId, long accountId, String uuid, int version) {
+        return name + "-kek-" + domainId + "-" + accountId + "-" + uuid.replace("-", "") + "-v" + version;
     }
 }

plugins/kms/database/src/main/java/org/apache/cloudstack/kms/provider/DatabaseKMSProvider.java

@@ -37,7 +37,6 @@
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Date;
-import java.util.UUID;
 
 /**
  * Database-backed KMS provider that stores master KEKs in a PKCS#11-like object table.
@@ -78,7 +77,7 @@ public String createKek(KeyPurpose purpose, String label, int keyBits) throws KM
         }
 
         if (StringUtils.isEmpty(label)) {
-            label = generateKekLabel(purpose);
+            throw KMSException.invalidParameter("KEK label cannot be empty");
         }
 
         if (kekObjectDao.existsByLabel(label)) {
@@ -321,9 +320,6 @@ private void updateLastUsed(String kekLabel) {
         }
     }
 
-    private String generateKekLabel(KeyPurpose purpose) {
-        return purpose.getName() + "-kek-" + UUID.randomUUID().toString().substring(0, 8);
-    }
 
     @Override
     public String getConfigComponentName() {

plugins/kms/pkcs11/src/main/java/org/apache/cloudstack/kms/provider/pkcs11/PKCS11HSMProvider.java

@@ -110,8 +110,10 @@ public String createKek(KeyPurpose purpose, String label, int keyBits, Long hsmP
         if (hsmProfileId == null) {
             throw KMSException.invalidParameter("HSM Profile ID is required for PKCS#11 provider");
         }
-        final String kekLabel = StringUtils.isEmpty(label) ? generateKekLabel(purpose) : label;
-        return executeWithSession(hsmProfileId, session -> session.generateKey(kekLabel, keyBits, purpose));
+        if (StringUtils.isEmpty(label)) {
+            throw KMSException.invalidParameter("KEK label cannot be empty");
+        }
+        return executeWithSession(hsmProfileId, session -> session.generateKey(label, keyBits, purpose));
     }
 
     @Override
@@ -367,9 +369,7 @@ boolean isSensitiveKey(String key) {
         return KMSProvider.isSensitiveKey(key);
     }
 
-    String generateKekLabel(KeyPurpose purpose) {
-        return purpose.getName() + "-kek-" + UUID.randomUUID().toString().substring(0, 8);
-    }
+
 
     @Override
     public String getConfigComponentName() {
@@ -822,6 +822,12 @@ String generateKey(String label, int keyBits, KeyPurpose purpose) throws KMSExce
                 return label;
 
             } catch (KeyStoreException e) {
+                if (e.getMessage() != null
+                        && e.getMessage().contains("found multiple secret keys sharing same CKA_LABEL")) {
+                    logger.warn("Multiple duplicate keys found with label '{}' in HSM. Reusing the existing key. " +
+                            "Please purge duplicate keys manually if possible.", label);
+                    return label;
+                }
                 handlePKCS11Exception(e, "Failed to store key in HSM KeyStore");
             } catch (NoSuchAlgorithmException e) {
                 handlePKCS11Exception(e, "AES KeyGenerator not available via PKCS#11 provider");

plugins/kms/pkcs11/src/test/java/org/apache/cloudstack/kms/provider/pkcs11/PKCS11HSMProviderTest.java

@@ -186,21 +186,6 @@ public void testIsSensitiveKey_IdentifiesNonSensitiveKeys() {
         assertFalse(provider.isSensitiveKey("max_sessions"));
     }
 
-    /**
-     * Test: generateKekLabel creates valid label
-     */
-    @Test
-    public void testGenerateKekLabel_CreatesValidLabel() {
-        // Test
-        String label = provider.generateKekLabel(KeyPurpose.VOLUME_ENCRYPTION);
-
-        // Verify
-        assertNotNull("Label should not be null", label);
-        assertTrue("Label should start with purpose", label.startsWith(KeyPurpose.VOLUME_ENCRYPTION.getName()));
-        assertTrue("Label should contain UUID",
-                label.length() > (KeyPurpose.VOLUME_ENCRYPTION.getName() + "-kek-").length());
-    }
-
     /**
      * Test: getProviderName returns correct name
      */

server/src/main/java/org/apache/cloudstack/kms/KMSManagerImpl.java

@@ -87,7 +87,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.UUID;
+
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
@@ -435,8 +435,11 @@ KMSKey createUserKMSKey(Long accountId, Long domainId, Long zoneId,
             throw KMSException.invalidParameter("HSM Profile not found");
         }
 
+        KMSKeyVO kmsKey = new KMSKeyVO(name, description, "", purpose,
+                accountId, domainId, zoneId, "AES/GCM/NoPadding", keyBits);
+
         KMSProvider provider = getKMSProvider(profile.getProtocol());
-        String kekLabel = purpose.getName() + "-kek-" + UUID.randomUUID().toString().substring(0, 8);
+        String kekLabel = purpose.generateKekLabel(domainId, accountId, kmsKey.getUuid(), 1);
 
         String providerKekLabel;
         Long finalProfileId = hsmProfileId;
@@ -446,8 +449,7 @@ KMSKey createUserKMSKey(Long accountId, Long domainId, Long zoneId,
             throw handleKmsException(e);
         }
 
-        KMSKeyVO kmsKey = new KMSKeyVO(name, description, providerKekLabel, purpose,
-                accountId, domainId, zoneId, "AES/GCM/NoPadding", keyBits);
+        kmsKey.setKekLabel(providerKekLabel);
         kmsKey.setHsmProfileId(finalProfileId);
         kmsKey = kmsKeyDao.persist(kmsKey);
 
@@ -661,8 +663,12 @@ String rotateKek(KMSKeyVO kmsKey, String oldKekLabel, String newKekLabel, int ke
         try {
             logger.info("Starting KEK rotation from {} to {} for kms key {}", oldKekLabel, newKekLabel, kmsKey);
 
+            final KMSKekVersionVO newVersionEntity = new KMSKekVersionVO();
             if (StringUtils.isEmpty(newKekLabel)) {
-                newKekLabel = kmsKey.getPurpose().getName() + "-kek-" + UUID.randomUUID().toString().substring(0, 8);
+                List<KMSKekVersionVO> existingVersions = kmsKekVersionDao.listByKmsKeyId(kmsKey.getId());
+                int nextVersion = existingVersions.stream().mapToInt(KMSKekVersionVO::getVersionNumber).max().orElse(0) + 1;
+                newKekLabel = kmsKey.getPurpose().generateKekLabel(kmsKey.getDomainId(), kmsKey.getAccountId(),
+                        kmsKey.getUuid(), nextVersion);
             }
 
             String finalNewKekLabel = newKekLabel;
@@ -676,7 +682,9 @@ String rotateKek(KMSKeyVO kmsKey, String oldKekLabel, String newKekLabel, int ke
                         .execute(new TransactionCallbackWithException<KMSKekVersionVO, KMSException>() {
                             @Override
                             public KMSKekVersionVO doInTransaction(TransactionStatus status) throws KMSException {
-                                KMSKekVersionVO version = createKekVersion(kmsKey.getId(), newKekId, newProfileId);
+                                newVersionEntity.setKmsKeyId(kmsKey.getId());
+                                newVersionEntity.setHsmProfileId(newProfileId);
+                                KMSKekVersionVO version = createKekVersion(newVersionEntity);
 
                                 if (!newProfileId.equals(kmsKey.getHsmProfileId())) {
                                     kmsKey.setHsmProfileId(newProfileId);
@@ -712,26 +720,23 @@ public KMSKekVersionVO doInTransaction(TransactionStatus status) throws KMSExcep
         }
     }
 
-    private KMSKekVersionVO createKekVersion(Long kmsKeyId, String kekLabel, Long hsmProfileId) throws KMSException {
-        List<KMSKekVersionVO> existingVersions = kmsKekVersionDao.listByKmsKeyId(kmsKeyId);
+    private KMSKekVersionVO createKekVersion(KMSKekVersionVO newVersion) throws KMSException {
+        List<KMSKekVersionVO> existingVersions = kmsKekVersionDao.listByKmsKeyId(newVersion.getKmsKeyId());
         int nextVersion = existingVersions.stream()
                                   .mapToInt(KMSKekVersionVO::getVersionNumber)
                                   .max()
                                   .orElse(0) + 1;
 
-        KMSKekVersionVO currentActive = kmsKekVersionDao.getActiveVersion(kmsKeyId);
+        KMSKekVersionVO currentActive = kmsKekVersionDao.getActiveVersion(newVersion.getKmsKeyId());
         if (currentActive != null) {
             currentActive.setStatus(KMSKekVersionVO.Status.Previous);
             kmsKekVersionDao.update(currentActive.getId(), currentActive);
         }
 
-        KMSKekVersionVO newVersion = new KMSKekVersionVO(kmsKeyId, nextVersion, kekLabel,
-                KMSKekVersionVO.Status.Active);
-        newVersion.setHsmProfileId(hsmProfileId);
+        newVersion.setVersionNumber(nextVersion);
+        newVersion.setStatus(KMSKekVersionVO.Status.Active);
         newVersion = kmsKekVersionDao.persist(newVersion);
-
-        logger.info("Created KEK version {} for KMS key {} (label: {}, profile: {})", nextVersion, kmsKeyId, kekLabel,
-                hsmProfileId);
+        logger.info("Created KEK version {} for KMS key {}", nextVersion, newVersion.getKmsKeyId());
         return newVersion;
     }
 

server/src/test/java/org/apache/cloudstack/kms/KMSManagerImplKeyRotationTest.java

@@ -253,6 +253,9 @@ public void testRotateKek_GeneratesLabel() throws Exception {
         when(kmsKey.getId()).thenReturn(kmsKeyId);
         when(kmsKey.getHsmProfileId()).thenReturn(oldProfileId);
         when(kmsKey.getPurpose()).thenReturn(KeyPurpose.VOLUME_ENCRYPTION);
+        when(kmsKey.getUuid()).thenReturn("test-kms-key-uuid");
+        when(kmsKey.getDomainId()).thenReturn(1L);
+        when(kmsKey.getAccountId()).thenReturn(2L);
 
         HSMProfileVO hsmProfile = mock(HSMProfileVO.class);
         when(hsmProfile.getId()).thenReturn(oldProfileId);

ui/public/locales/en.json

@@ -1419,6 +1419,7 @@
 "label.keep": "Keep",
 "label.kernelversion": "Kernel Version",
 "label.key": "Key",
+"label.keybits": "Key Bits",
 "label.keyboard": "Keyboard language",
 "label.keyboardtype": "Keyboard type",
 "label.keypair": "SSH key pair",
@@ -1434,6 +1435,7 @@
 "label.migrate.volumes.to.kms": "Migrate Volumes to KMS",
 "label.hsm.profile": "HSM Profile",
 "label.hsmprofile": "HSM Profile",
+"label.hsmprofileid": "HSM Profile",
 "label.create.hsmprofile": "Add HSM Profile",
 "label.update.hsm.profile": "Update HSM Profile",
 "label.delete.hsm.profile": "Delete HSM Profile",
@@ -1496,6 +1498,7 @@
 "label.lbruleid": "Load balancer ID",
 "label.lbtype": "Load balancer type",
 "label.ldap": "LDAP",
+"label.library": "Library",
 "label.ldapdomain": "LDAP Domain",
 "label.ldap.configuration": "LDAP Configuration",
 "label.ldap.group.name": "LDAP Group",
@@ -1912,6 +1915,7 @@
 "label.physicalnetworkid": "Physical Network",
 "label.physicalnetworkname": "Physical Network name",
 "label.physicalsize": "Physical size",
+"label.pin": "PIN",
 "label.ping.path": "Ping path",
 "label.pkcs.private.certificate": "PKCS#8 private certificate",
 "label.plannermode": "Planner mode",
@@ -2498,6 +2502,7 @@
 "label.suspend.project": "Suspend Project",
 "label.switch.type": "Switch type",
 "label.sync.storage": "Sync Storage Pool",
+"label.system": "System",
 "label.system.ip.pool": "System Pool",
 "label.system.offering": "System Offering",
 "label.system.offerings": "System Offerings",

ui/src/config/section/kms.js

@@ -220,7 +220,7 @@ export default {
           },
           mapping: {
             details: {
-              optionalKeys: ['pin', 'library', 'slot', 'token_label']
+              optionalKeys: ['pin', 'library', 'slot', 'slot_list_index', 'token_label']
             }
           }
         },