feat(jwe): add endpoint to import wrapped key #977
Merged
Conversation
Contributor
Pull request overview
This PR adds a new REST Crypto API endpoint to unwrap (RSA-OAEP decrypt) a JWE encrypted_key (CEK) and import the resulting symmetric key into the KMS, enabling subsequent alg=dir decrypt/encrypt operations without exposing CEK material to the caller. It also updates documentation, OpenAPI, and server/tests wiring to support and validate the new endpoint.
Changes:
- Add POST /v1/crypto/keys/unwrap handler to unwrap RSA-OAEP-wrapped CEKs and import them as managed symmetric keys.
- Register the endpoint in the server startup path and test app wiring; add integration tests and vector-runner support.
- Document the unwrap flow (MkDocs nav + REST Crypto API page + OpenAPI schema).
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| documentation/mkdocs.yml | Adds JOSE/REST Crypto documentation pages to MkDocs navigation. |
| documentation/docs/integrations/jose/rest_crypto_api.md | Documents the new unwrap endpoint and updates TOC/auth link. |
| documentation/docs/integrations/jose/jwe_decryption.md | New guide describing one-shot JWE decrypt vs persisted CEK unwrap flow. |
| crate/server/src/tests/test_utils.rs | Registers unwrap handler in test Actix app scopes. |
| crate/server/src/tests/rest_crypto/unwrap.rs | New integration tests for unwrap success + error cases. |
| crate/server/src/tests/rest_crypto/mod.rs | Includes the new unwrap test module. |
| crate/server/src/tests/rest_crypto/jose_vectors.rs | Adds vector runner support for unwrap round-trip vectors. |
| crate/server/src/start_kms_server.rs | Registers unwrap handler in /v1/crypto scope. |
| crate/server/src/routes/crypto/unwrap.rs | Implements POST /keys/unwrap endpoint: parse header, unwrap CEK, import key, return metadata. |
| crate/server/src/routes/crypto/models.rs | Adds request/response models for unwrap endpoint. |
| crate/server/src/routes/crypto/mod.rs | Exposes unwrap module + re-exports handler for registration. |
| crate/server/documentation/openapi.yaml | Adds schemas and path definition for /v1/crypto/keys/unwrap. |
| CHANGELOG/fix_jwe_import_wrapped_key | Adds a branch changelog entry for the new feature/tests/docs. |
Comments suppressed due to low confidence (1)
documentation/docs/integrations/jose/rest_crypto_api.md:20
- The nested list under "Endpoints" in the Table of Contents is indented enough to be rendered as a code block by CommonMark/MkDocs. This breaks the TOC links; indent nested bullets by 2 spaces under the parent list item.
- Use DecryptionFailed error for RSA-OAEP unwrap failures (RFC 7516 §11.5)
- Fix OpenAPI kid description to accept any key UID, not just UUID
- Rename CHANGELOG file to .md extension
- Remove incorrect top-level header from CHANGELOG
- Fix TOC indentation in rest_crypto_api.md
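The flow the review overview and the commit message describe, as an added example that is not the project's code: RSA-OAEP unwrap of the JWE encrypted_key with the protected header checked first and every OAEP failure collapsed into a single DecryptionFailed (RFC 7516 §11.5), followed by the alg=dir A256GCM decryption that the imported CEK enables. It is written in Go with the standard library rather than in the project's Rust; the compact serialization, the A256GCM restriction and the names Unwrap, DirDecrypt, b64 and Rand are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var Rand = rand.Reader // entropy source, exported so a caller can build test vectors

// b64 decodes one compact-JWE segment; malformed input yields bytes the crypto checks reject.
func b64(seg string) []byte { b, _ := base64.RawURLEncoding.DecodeString(seg); return b }

// Unwrap is the server-side step this PR adds: require alg=RSA-OAEP/enc=A256GCM in the
// protected header, then OAEP-decrypt (SHA-1, RFC 7518 §4.3) the encrypted_key to get the CEK.
func Unwrap(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	s := strings.Split(jwe, ".") // header.encrypted_key.iv.ciphertext.tag
	if len(s) != 5 {
		return nil, errors.New("not a JWE compact serialization")
	}
	var h struct{ Alg, Enc string }
	if json.Unmarshal(b64(s[0]), &h) != nil || h.Alg != "RSA-OAEP" || h.Enc != "A256GCM" {
		return nil, errors.New("unsupported or malformed protected header")
	}
	cek, err := rsa.DecryptOAEP(sha1.New(), nil, priv, b64(s[1]), nil)
	if err != nil {
		return nil, errors.New("DecryptionFailed") // RFC 7516 §11.5: one opaque error, no padding detail
	}
	return cek, nil
}

// DirDecrypt is the later alg=dir use of the imported CEK: A256GCM over ciphertext||tag with the ASCII header segment as AAD.
func DirDecrypt(cek []byte, jwe string) ([]byte, error) {
	s := strings.Split(jwe, ".")
	blk, err := aes.NewCipher(cek) // rejects a CEK that is not 16, 24 or 32 bytes
	if err != nil || len(s) != 5 {
		return nil, errors.New("bad CEK length or not a JWE compact serialization")
	}
	gcm, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	if iv := b64(s[2]); len(iv) == gcm.NonceSize() { // Open panics on a wrong-length IV, so check first
		return gcm.Open(nil, iv, append(b64(s[3]), b64(s[4])...), []byte(s[0]))
	}
	return nil, errors.New("bad iv length")
}
```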