fixes

service/internal/security/config.go

@@ -73,6 +73,11 @@ type StandardKeyInfo struct {
 
 // Deprecated
 type CryptoConfig2024 struct {
+	Type     string `mapstructure:"type"`
+	Standard `mapstructure:"standard"`
+}
+
+type Standard struct {
 	Keys []KeyPairInfo `mapstructure:"keys" json:"keys"`
 	// Deprecated
 	RSAKeys map[string]StandardKeyInfo `mapstructure:"rsa,omitempty" json:"rsa,omitempty"`

service/internal/security/config_test.go

@@ -19,12 +19,14 @@ func TestMarshalTo(t *testing.T) {
 		{
 			name: "upgrade2023CertID",
 			config: CryptoConfig2024{
-				RSAKeys: map[string]StandardKeyInfo{
-					"rsa1": {PrivateKeyPath: "rsa1_private.pem", PublicKeyPath: "rsa1_public.pem"},
-				},
-				ECKeys: map[string]StandardKeyInfo{
-					"ec1": {PrivateKeyPath: "ec1_private.pem", PublicKeyPath: "ec1_public.pem"},
-					"ec2": {PrivateKeyPath: "ec2_private.pem", PublicKeyPath: "ec2_public.pem"},
+				Standard: Standard{
+					RSAKeys: map[string]StandardKeyInfo{
+						"rsa1": {PrivateKeyPath: "rsa1_private.pem", PublicKeyPath: "rsa1_public.pem"},
+					},
+					ECKeys: map[string]StandardKeyInfo{
+						"ec1": {PrivateKeyPath: "ec1_private.pem", PublicKeyPath: "ec1_public.pem"},
+						"ec2": {PrivateKeyPath: "ec2_private.pem", PublicKeyPath: "ec2_public.pem"},
+					},
 				},
 			},
 			input: map[string]any{
@@ -43,11 +45,13 @@ func TestMarshalTo(t *testing.T) {
 		{
 			name: "upgrade2023NoCertIDs",
 			config: CryptoConfig2024{
-				RSAKeys: map[string]StandardKeyInfo{
-					"rsa1": {PrivateKeyPath: "rsa1_private.pem", PublicKeyPath: "rsa1_public.pem"},
-				},
-				ECKeys: map[string]StandardKeyInfo{
-					"ec1": {PrivateKeyPath: "ec1_private.pem", PublicKeyPath: "ec1_public.pem"},
+				Standard: Standard{
+					RSAKeys: map[string]StandardKeyInfo{
+						"rsa1": {PrivateKeyPath: "rsa1_private.pem", PublicKeyPath: "rsa1_public.pem"},
+					},
+					ECKeys: map[string]StandardKeyInfo{
+						"ec1": {PrivateKeyPath: "ec1_private.pem", PublicKeyPath: "ec1_public.pem"},
+					},
 				},
 			},
 			input: map[string]any{},
@@ -62,9 +66,11 @@ func TestMarshalTo(t *testing.T) {
 		{
 			name: "upgrade2024H2",
 			config: CryptoConfig2024{
-				Keys: []KeyPairInfo{
-					{Algorithm: "rsa:2048", KID: "rsa1", Private: "rsa1_private.pem", Certificate: "rsa1_public.pem"},
-					{Algorithm: "ec:secp256r1", KID: "ec1", Private: "ec1_private.pem", Certificate: "ec1_public.pem"},
+				Standard: Standard{
+					Keys: []KeyPairInfo{
+						{Algorithm: "rsa:2048", KID: "rsa1", Private: "rsa1_private.pem", Certificate: "rsa1_public.pem"},
+						{Algorithm: "ec:secp256r1", KID: "ec1", Private: "ec1_private.pem", Certificate: "ec1_public.pem"},
+					},
 				},
 			},
 			input: map[string]any{
@@ -84,9 +90,11 @@ func TestMarshalTo(t *testing.T) {
 		{
 			name: "invalid input confusing",
 			config: CryptoConfig2024{
-				RSAKeys: map[string]StandardKeyInfo{},
-				ECKeys:  map[string]StandardKeyInfo{},
-				Keys:    []KeyPairInfo{},
+				Standard: Standard{
+					RSAKeys: map[string]StandardKeyInfo{},
+					ECKeys:  map[string]StandardKeyInfo{},
+					Keys:    []KeyPairInfo{},
+				},
 			},
 			input: map[string]any{
 				"keyring": []map[string]any{

service/pkg/server/services.go

@@ -169,6 +169,7 @@ func startServices(ctx context.Context, cfg config.Config, otdf *server.OpenTDFS
 
 			svcConfig := cfg.Services[ns]
 			if ns == "kas" {
+				logger.Debug("updating kas key configuration", slog.String("namespace", ns), slog.Any("legacyConfig", cfg.Server.CryptoConfig2024))
 				// Upgrade the the kas configuration, if there is a legacy `CryptoProvider` configuration
 				// present in the otdf server config.
 				if cfg.Server.CryptoConfig2024 != nil {