[keymanager/wsd] Add Go orchestration layer (KOL) for WSD key generation #652
atulpatildbz merged 14 commits into google:main from
Conversation
NilanjanDaw left a comment:
Thanks for the PR. Some initial comments.
keymanager/key_protection_service/key_custody_core/include/kps_key_custody_core.h
keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go
keymanager/workload_service/key_custody_core/include/ws_key_custody_core.h
keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go
e333851 to 4d0831d
Generate FFI headers for km_common, workload_service key custody core, and key_protection_service key custody core using cbindgen. Headers were generated from source with: CBINDGEN_BIN=cbindgen ./keymanager/generate_ffi_headers.sh Generation output was then compared against the headers in PR google#652 for parity.
4d0831d to 91d3bd7
bba524b to 426856a
This change functions as the Go-side implementation for the Decap and Seal flow. It is based on PR google#652 (Key Gen) and PR google#649 (FFI Decap).
Base Commit: 2030fa6 (Align Key Generation API with contract)
Squashed Commits:
- Fix compilation and tests for wsd_decaps_go (API alignment to /v1/keys:decap)
- keymanager/wsd: align decaps payloads with proto messages
- keymanager/wsd: define decaps API proto schema
- [keymanager/wsd] Add /keys:decaps endpoint with DecapAndSeal + Open orchestration
Key Features:
- endpoint: POST /v1/keys:decap
- Request: DecapsRequest (snake_case)
- Response: DecapsResponse (snake_case)
- Flows: DecapAndSeal (KPS) -> Open (WSD)
696b9db to a8545e1
| } | ||
|
|
||
| let mut config = prost_build::Config::new(); | ||
| config.type_attribute("HpkeAlgorithm", "#[repr(C)]"); |
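Review bot: dropping the `config.type_attribute("HpkeAlgorithm", "#[repr(C)]")` injection in build.rs leaves HpkeAlgorithm with Rust's unspecified layout, so the prost-generated struct must no longer cross the FFI boundary by value; either keep a dedicated repr(C) mirror type (the KmHpkeAlgorithm that the generated header uses) or pass the message as serialized bytes and decode it on the Rust side, and state in the header which layout C callers may rely on.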
I see you removed the type_attribute injection in build.rs. Is this because cbindgen couldn't pick up the generated struct from OUT_DIR?
| extern "C" { | ||
| #endif // __cplusplus | ||
|
|
||
| int32_t key_manager_generate_kem_keypair(KmHpkeAlgorithm algo, |
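Review bot: this header is generated by cbindgen (see the generate_ffi_headers.sh commit in this PR), so the Km prefix in `int32_t key_manager_generate_kem_keypair(KmHpkeAlgorithm algo,` should be changed through the export prefix setting in cbindgen.toml and the header regenerated, not edited by hand, otherwise the next regeneration reintroduces it.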
Can we remove the km prefixes from the algorithm definitions, seems a bit weird to have them
I'm trying to remove KmHpkeAlgorithm altogether and reuse HpkeAlgorithm, as discussed here.
Keeping this thread open until that is done
| if r.Method != http.MethodPost { | ||
| http.Error(w, "method not allowed", http.StatusMethodNotAllowed) | ||
| return | ||
| } |
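Review bot: the manual `if r.Method != http.MethodPost` check answers 405 without an Allow header and has to be repeated in every handler; registering the handler with a Go 1.22 method pattern (`mux.HandleFunc("POST /v1/keys:generate_kem", ...)`) lets the mux reject other methods itself, with Allow set, and the check can be deleted.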
Does Golang support function decorators? I am wondering if there is a way to handle the list of supported HTTP methods in a cleaner way.
Something like https://go.dev/blog/routing-enhancements maybe?
I don't actually see a problem with this. I had referred to the teeserver implementation https://github.com/google/go-tpm-tools/blob/main/launcher/teeserver/tee_server.go#L142
But makes sense to follow Go 1.22's routing. handled here
|
|
||
| // Validate algorithm: only DHKEM_X25519_HKDF_SHA256 supported. | ||
| if req.Algorithm != KemAlgorithmDHKEMX25519HKDFSHA256 { | ||
| http.Error( |
Nit: Should we declare a global error handler? Probably would make it easier to handle and return standard HTTP error codes.
Handled it using a helper function, here.
| w, | ||
| fmt.Sprintf( | ||
| "unsupported algorithm: only DHKEM_X25519_HKDF_SHA256 (%d) is supported", | ||
| KemAlgorithmDHKEMX25519HKDFSHA256, |
Should be a list of supported algorithms coming from algorithms.proto
| } | ||
|
|
||
| // Validate keyProtectionMechanism: only KEY_PROTECTION_VM supported. | ||
| if req.KeyProtectionMechanism != KeyProtectionMechanismVM { |
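Review bot: both this check and the algorithm check above compare against one hardcoded constant, and neither says what happens for the zero value, which is what a missing or misspelled JSON field decodes to in a manually defined struct; an IsSupported() method on each enum type that lists only the accepted values, together with json.Decoder.DisallowUnknownFields on the request decoder, rejects both cases in one place and keeps the list of accepted values next to the enum definition.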
Wondering if there is a better way to sanitize the request params. Can something like https://github.com/bufbuild/protovalidate-go be used for this?
Since GenerateKemRequest is a manually defined Go struct (not a generated Protobuf message), protovalidate-go cannot be used directly on it as it requires proto.Message instances
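As an added example (not code from this PR), here is how the three points raised in this thread fit together in one handler: a Go 1.22 method pattern instead of the manual method check, an IsSupported() method on a typed enum instead of a hardcoded comparison, and a JSON writeError helper. The enum value, the struct fields, the body size limit and the echo response are assumptions for the demo.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// KemAlgorithm mirrors the PR's typed enum; the numeric value is an assumption.
type KemAlgorithm int32

const KemAlgorithmDHKEMX25519HKDFSHA256 KemAlgorithm = 1

// IsSupported is the single source of truth; the zero value (a missing JSON field) is not listed.
func (a KemAlgorithm) IsSupported() bool { return a == KemAlgorithmDHKEMX25519HKDFSHA256 }

type GenerateKemRequest struct {
	Algorithm KemAlgorithm `json:"algorithm"`
	Lifespan  int64        `json:"lifespan"` // seconds; a string such as "300s" fails to decode
}

// writeJSON/writeError keep every response, errors included, on the API's JSON Content-Type.
func writeJSON(w http.ResponseWriter, code int, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(v)
}
func writeError(w http.ResponseWriter, code int, msg string) { writeJSON(w, code, map[string]string{"error": msg}) }

// validate returns "" for an acceptable request, otherwise the reason to reject it.
func validate(req GenerateKemRequest) string {
	if !req.Algorithm.IsSupported() {
		return "unsupported algorithm"
	}
	if req.Lifespan <= 0 {
		return "lifespan must be a positive number of seconds"
	}
	return ""
}

func handleGenerateKem(w http.ResponseWriter, r *http.Request) {
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)) // bound the request body
	dec.DisallowUnknownFields()                                   // stray fields are a 400, not ignored
	var req GenerateKemRequest
	if err := dec.Decode(&req); err != nil {
		writeError(w, http.StatusBadRequest, "malformed request: "+err.Error())
		return
	}
	if msg := validate(req); msg != "" {
		writeError(w, http.StatusBadRequest, msg)
		return
	}
	writeJSON(w, http.StatusOK, req) // demo echo; the real handler hands off to the KCC here
}

func main() {
	mux := http.NewServeMux()
	// Go 1.22 method pattern: a GET yields 405 with an Allow header, no check in the handler.
	mux.HandleFunc("POST /v1/keys:generate_kem", handleGenerateKem)
	http.ListenAndServe("127.0.0.1:8080", mux)
}
```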
keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go
Update the /v1/keys:generate_kem API to accept strictly numeric values (seconds) for the 'lifespan' field. Previously it accepted string values like '300s', which is now removed to simplify the API contract. As per comment: google#652 (comment)
Evaluate support for KEM algorithms and Key Protection Mechanisms using IsSupported() methods on the enums instead of hardcoded checks. This simplifies adding new supported algorithms in the future. comment: google#652 (comment)
This change introduces a helper function 'writeError' in server.go to ensure all error responses are returned as JSON, consistent with the API's Content-Type. This addresses the review comment: google#652 (comment)
Address review comment: google#652 (comment)
0af243e to d757900
keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go
keymanager/workload_service/key_custody_core/ws_key_custody_core_cgo.go
keymanager/key_protection_service/key_custody_core/kps_key_custody_core_cgo.go
…afety
- keymanager/go.mod: Removed explicit toolchain pin and aligned module to go 1.22.
- keymanager/ws/include/ws_key_custody_core.h: Updated WSD header to include shared generated km_algorithms.h.
- keymanager/ws/server.go: Replaced hardcoded algorithm checks with typed proto_enums validation.
- keymanager/ws/server.go: Refactored request fields to use explicitly typed enum definitions.
- keymanager/ws/server.go: Implemented parsing of duration strings in JSON requests.
- keymanager/ws/server.go: Updated routing to follow Go 1.22 patterns.
- keymanager/ws/ws_key_custody_core_cgo.go: Parameterized algorithm selection to use request values instead of hardcoding.
- keymanager/kps/kps_key_custody_core_cgo.go: Updated CGO to use shared generated FFI constants from km_common.
- keymanager/kps/kps_key_custody_core_cgo.go: Updated CGO LDFLAGS to link against both debug and release Rust targets.
- keymanager/go.sum: Checked in go.sum for reproducible builds.
- keymanager/km_common/build.rs: Verified type_attribute injection for HpkeAlgorithm.
- keymanager/ws/lib.rs: Updated Rust FFI to accept serialized HpkeAlgorithm bytes explicitly.
28b1e04 to 039ca49
This change introduces automated C header generation using binding and fixes a critical ABI mismatch in the key custody FFI layer.
Changes:
1. FFI Header Generation:
- Added keymanager/generate_ffi_headers.sh script to generate C headers for all key custody components.
- Added cbindgen.toml configurations for km_common, kps_key_custody_core, and ws_key_custody_core.
- Exposed km_common::ffi with stable C-ABI structs and constants to ensure compatibility.
2. FFI ABI Safety Fix:
- Problem: Previous FFI functions accepted HpkeAlgorithm (Protobuf-generated repr(Rust) struct) by value. This caused undefined behavior as C callers expected a C-compatible layout.
- Fix: Updated key_manager_generate_kem_keypair and key_manager_generate_binding_keypair to accept KmHpkeAlgorithm, a dedicated repr(C) struct.
- Mechanism: Implemented safe conversion (impl From<KmHpkeAlgorithm> for HpkeAlgorithm) to bridge the FFI boundary safely.
- Verification: Added FFI-specific tests covering KmHpkeAlgorithm usage.
This commit implements the Go orchestration layer changes for key generation. It aligns the Key Generation API with the contract.
Use http.ServeMux features to strictly enforce POST method for /v1/keys:generate_kem, removing manual checks in the handler.
- Replaced KmHpkeAlgorithm struct with serialized HpkeAlgorithm protobuf bytes in FFI.
- Added prost dependency to kps and ws crates for decoding.
- Removed keymanager/km_common/src/ffi.rs and include/km_algorithms.h to avoid duplication.
- Regenerated C headers for kps and ws components.
- Verified with cargo test.
This change updates the Go FFI bindings to match the recent Rust changes where KmHpkeAlgorithm C-struct was replaced with a serialized HpkeAlgorithm proto.
039ca49 to f8fe23d
Centralizes the algorithm mapping logic by moving it from a private helper in server.go to a public method ToHpkeAlgorithm on the KemAlgorithm type in proto_enums.go. This change simplifies future introspection APIs (e.g., getCapabilities) by providing a single source of truth for algorithm configuration without needing to instantiate backend services or duplicate logic. It ensures that the API layer can validate and describe supported algorithms consistently.
/gcbrun
Summary
- Implement the Go Key Orchestration Layer (KOL) for the Workload Service Daemon (WSD)
- Expose POST /v1/keys:generate_kem endpoint that orchestrates the full key generation flow
- Extend Go CGO wrappers to match updated Rust FFI signatures (KmHpkeAlgorithm, usize)
- Align request/response format with API spec (JSON body with algorithm, key_protection_mechanism, lifespan)
Dependencies
This PR is created on top of #655
Commits to Review
a8545e1 onwards ("feat(keymanager): orchestrate Key Generation in Go"), which contains all orchestration logic and CGO adaptations.
Details
- (wskcc, kpskcc): Go wrappers calling Rust FFI via CGO, returning (uuid.UUID, []byte, error)
- (key_protection_service/service.go): KEMKeyGenerator interface wrapping KPS KCC FFI
- (workload_service/server.go): HTTP server with /v1/keys:generate_kem, kemToBindingMap, dependency-injected interfaces
Verification
Component Integration Tests:
Verifies full flow from Go Service layer -> CGO -> Rust Core FFI.
Covers:
Manual Verification:
1647b5e: Created a manual test binary that initializes the WSD server with Rust FFI bindings and exposed the generate_kem endpoint for verification via curl.