
fix(sdk): Support RSA4096 Kas keys#343

Merged
elizabethhealy merged 5 commits into main from dspx-2517-support-4096-rsa
Mar 3, 2026

Conversation

@elizabethhealy
Member

@elizabethhealy elizabethhealy commented Mar 3, 2026

This pull request primarily enhances the SDK's cryptographic capabilities by introducing comprehensive support for RSA4096 keys, allowing for stronger encryption in Key Access Server (KAS) operations. It also refines the key retrieval process by incorporating Key IDs (KID) for better key management.

Highlights

  • RSA4096 Key Support: Added RSA4096Key to the KeyType enum and updated its mapping methods (fromAlgorithm, fromPublicKeyAlgorithm) to correctly recognize and handle 4096-bit RSA keys for KAS operations.
  • Key ID (KID) Inclusion in KASInfo: Included the Key ID (KID) when retrieving public keys from a Key Access Server (KAS), improving key resolution and management.
  • Unit Test Coverage: Expanded unit tests in KeyTypeTest to ensure proper functionality and mapping for the newly introduced RSA4096Key.

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the SDK's cryptographic capabilities by integrating support for RSA4096 keys. This allows the system to handle stronger encryption standards for Key Access Server (KAS) operations, improving overall security and compatibility with more robust key management practices.

Highlights

  • Added RSA4096 KeyType: Introduced a new RSA4096Key enum member to the KeyType enumeration to represent RSA keys with a 4096-bit modulus.
  • Updated KeyType mapping from Algorithm: Modified the fromAlgorithm method to correctly map the ALGORITHM_RSA_4096 to the newly added RSA4096Key.
  • Updated KeyType mapping from PublicKeyAlgorithm: Adjusted the fromPublicKeyAlgorithm method to recognize and map KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 to the RSA4096Key.


Changelog
  • sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java
    • Added RSA4096Key to the KeyType enum.
    • Updated fromAlgorithm to include ALGORITHM_RSA_4096 mapping.
    • Updated fromPublicKeyAlgorithm to include KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 mapping.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/checks.yaml

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds support for RSA 4096 keys by introducing a new KeyType enum value. While the changes in KeyType.java are correct, there are a couple of issues. Firstly, the implementation seems incomplete as the key generation logic in KASClient does not appear to respect the new key size, potentially leading to security issues. Secondly, unit tests have not been added for the new key type. Please see the detailed comments for more information.

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

@elizabethhealy
Member Author

elizabethhealy commented Mar 3, 2026

passing test: [gw2] [ 40%] PASSED test_abac.py::test_key_mapping_extended_rsa_mechanisms[small-java@pull-343-go@main-in_focus0] test_abac.py::test_autoconfigure_one_attribute_standard[small-java@pull-343-go@main-in_focus0]

successful run: https://github.com/opentdf/java-sdk/actions/runs/22634917479/job/65595094337

@elizabethhealy elizabethhealy changed the title fix(sdk): Support RSA4096 Kas keys fix(sdk): Support RSA4096 Kas keys + enable encrypting with EC extended curve keys Mar 3, 2026
@github-actions
Contributor

github-actions bot commented Mar 3, 2026

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

X-Test Failure Report

@elizabethhealy
Member Author

/gemini summary

@gemini-code-assist
Contributor

Summary of Changes

This pull request primarily enhances the SDK's cryptographic capabilities by introducing comprehensive support for RSA4096 keys, allowing for stronger encryption in Key Access Server (KAS) operations. It also refines the key retrieval process by incorporating Key IDs (KID) for better key management.

Highlights

  • RSA4096 Key Support: Added RSA4096Key to the KeyType enum and updated its mapping methods (fromAlgorithm, fromPublicKeyAlgorithm) to correctly recognize and handle 4096-bit RSA keys for KAS operations.
  • Key ID (KID) Inclusion in KASInfo: Included the Key ID (KID) when retrieving public keys from a Key Access Server (KAS), improving key resolution and management.
  • Unit Test Coverage: Expanded unit tests in KeyTypeTest to ensure proper functionality and mapping for the newly introduced RSA4096Key.


Changelog
  • sdk/src/main/java/io/opentdf/platform/sdk/KeyType.java
    • Added RSA4096Key to the KeyType enum.
    • Updated fromAlgorithm method to map ALGORITHM_RSA_4096 to RSA4096Key.
    • Updated fromPublicKeyAlgorithm method to map KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 to RSA4096Key.
  • sdk/src/main/java/io/opentdf/platform/sdk/Planner.java
    • Added KID to the KASInfo object when retrieving public keys from a KAS.
  • sdk/src/main/java/io/opentdf/platform/sdk/Version.java
    • Reordered import statements for org.slf4j and javax.annotation packages.
  • sdk/src/test/java/io/opentdf/platform/sdk/KeyTypeTest.java
    • Added ALGORITHM_RSA_4096 and KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 imports.
    • Added test cases for RSA4096Key in testFromString, testFromAlgorithm, and testFromPublicKeyAlgEnum methods.
Activity
  • An initial summary of changes was provided by gemini-code-assist[bot].
  • gemini-code-assist[bot] raised a high-priority concern regarding potential incorrect RSA key size usage in KASClient.unwrap and caching issues.
  • The author, elizabethhealy, responded to the high-priority concern, clarifying that client ephemeral keys can be 2048-bit even if KAS keys are 4096-bit, aligning with the Go implementation.
  • gemini-code-assist[bot] also raised a medium-priority concern about missing unit tests for the new RSA4096Key enum constant.
  • Initial CI/CD checks reported failures for java-v0.13.0 and java-main builds.
  • SonarQube reported that the Quality Gate passed with 1 new issue and 50.0% coverage on new code.
  • The author, elizabethhealy, commented on passing tests, specifically mentioning test_abac.py.
  • Subsequent CI/CD checks reported all builds (go-v0.13.0, js-main, go-main, js-v0.13.0, java-main, java-v0.13.0) as successful.
  • The author, elizabethhealy, requested a new summary from gemini-code-assist[bot].
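The KeyType mapping and KID handling described in the PR description, together with the key-size point recorded in the Activity list above (a 2048-bit client ephemeral key alongside a 4096-bit KAS key), as an added example that is not code from the opentdf/java-sdk project. The class, record and method names, the Java 17 target, and the RSA-OAEP parameters are assumptions made for this example; the SDK's actual wrapping parameters are not shown on this page. The platform enum name ALGORITHM_RSA_4096 and the member name RSA4096Key are taken from the PR text.

```java
// Added example, not code from opentdf/java-sdk: the KeyType mapping from PR #343, a
// modulus-size check on a KAS key before use, and a wrap/rewrap in which the KAS key is
// 4096-bit while the client ephemeral key stays 2048-bit (Java 17; names and OAEP
// parameters are assumptions, not the SDK's).
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public final class Rsa4096KasDemo {

    /** Hypothetical stand-in for the SDK's KeyType; member names follow the PR text. */
    enum KeyType {
        RSA2048Key(2048), RSA4096Key(4096);
        final int modulusBits;
        KeyType(int bits) { this.modulusBits = bits; }

        /** Maps the platform algorithm enum name from a KAS key listing to a KeyType. */
        static KeyType fromAlgorithm(String algorithm) {
            switch (algorithm) {
                case "ALGORITHM_RSA_2048": return RSA2048Key;
                case "ALGORITHM_RSA_4096": return RSA4096Key;
                default: throw new IllegalArgumentException("unsupported KAS algorithm: " + algorithm);
            }
        }
    }

    /** What a client keeps per KAS key: the kid it will echo back, the declared type, DER SPKI. */
    record KasKeyInfo(String kid, KeyType declared, byte[] spkiDer) {}

    /** Parses the key and rejects it if the modulus size disagrees with the declared type. */
    static RSAPublicKey checkedKasKey(KasKeyInfo info) throws Exception {
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(info.spkiDer()));
        if (!(pub instanceof RSAPublicKey rsa)) throw new IllegalArgumentException("not an RSA key");
        int bits = rsa.getModulus().bitLength();
        if (bits != info.declared().modulusBits) {
            throw new IllegalArgumentException("kid " + info.kid() + " advertised as " + info.declared()
                    + " but modulus is " + bits + " bits");
        }
        return rsa;
    }

    // RSA-OAEP with SHA-256 for both the hash and MGF1, spelled out so MGF1 does not silently
    // fall back to SHA-1. Assumed for this example; the SDK's padding parameters are not on this page.
    private static final OAEPParameterSpec OAEP =
            new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    /** Wraps (ENCRYPT_MODE with a public key) or unwraps (DECRYPT_MODE with a private key) a DEK. */
    static byte[] oaep(int mode, Key key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, key, OAEP);
        return c.doFinal(in);
    }

    static KeyPair rsa(int bits) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(bits);
        return g.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // KAS holds two keys; the kid in the key access object is how it picks the right one.
        Map<String, KeyPair> kasKeys = Map.of("r1", rsa(2048), "r2", rsa(4096));

        // Client: resolve the 4096-bit key from the listing and validate it before wrapping.
        KasKeyInfo info = new KasKeyInfo("r2", KeyType.fromAlgorithm("ALGORITHM_RSA_4096"),
                kasKeys.get("r2").getPublic().getEncoded());
        byte[] dek = new byte[32];
        new SecureRandom().nextBytes(dek);
        byte[] wrapped = oaep(Cipher.ENCRYPT_MODE, checkedKasKey(info), dek); // RSA output is modulus-length

        // Rewrap: KAS unwraps with the key named by kid and re-wraps to the client's ephemeral key.
        // The ephemeral key is 2048-bit even though the KAS key is 4096-bit; the sizes are independent.
        KeyPair ephemeral = rsa(2048);
        byte[] plain = oaep(Cipher.DECRYPT_MODE, kasKeys.get(info.kid()).getPrivate(), wrapped);
        byte[] rewrapped = oaep(Cipher.ENCRYPT_MODE, ephemeral.getPublic(), plain);
        byte[] recovered = oaep(Cipher.DECRYPT_MODE, ephemeral.getPrivate(), rewrapped);
        if (!Arrays.equals(dek, recovered)) throw new IllegalStateException("DEK mismatch");
        System.out.println("rewrap ok: " + wrapped.length + " -> " + rewrapped.length + " bytes");

        // A 2048-bit key advertised as RSA4096Key must be rejected, not silently used.
        try {
            checkedKasKey(new KasKeyInfo("r1", KeyType.RSA4096Key, kasKeys.get("r1").getPublic().getEncoded()));
            throw new IllegalStateException("size mismatch went undetected");
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The check in checkedKasKey is the one worth carrying into a real client: the key type comes from the KAS listing, but the modulus length comes from the key bytes, and the two should agree before any DEK is wrapped under that key. The kid carried in KasKeyInfo is what lets a KAS holding several keys select the right private key on unwrap instead of trying each in turn. Generating the 4096-bit pair takes a few seconds on most machines.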

@sonarqubecloud

sonarqubecloud bot commented Mar 3, 2026

@elizabethhealy elizabethhealy marked this pull request as ready for review March 3, 2026 18:02
@elizabethhealy elizabethhealy requested review from a team as code owners March 3, 2026 18:02
@elizabethhealy elizabethhealy changed the title fix(sdk): Support RSA4096 Kas keys + enable encrypting with EC extended curve keys fix(sdk): Support RSA4096 Kas keys Mar 3, 2026
@github-actions
Contributor

github-actions bot commented Mar 3, 2026

@elizabethhealy elizabethhealy merged commit dba9bbf into main Mar 3, 2026
18 checks passed
@elizabethhealy elizabethhealy deleted the dspx-2517-support-4096-rsa branch March 3, 2026 19:07
elizabethhealy added a commit to opentdf/tests that referenced this pull request Mar 3, 2026
Java sdk enables rsa 4096 with
opentdf/java-sdk#343, passing the tests against
this branch

Dynamic version check for RSA 4096 support: A new mechanism was
introduced in cli.sh to dynamically check if the Java SDK version
supports RSA 4096, specifically for versions at or above 0.13.0.
