From bd34bd191fb21f5dfc04ad16f4457ea443c5b448 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 01/48] feat(core): bulk rewrap go structs of new rewrap API Summary: Test Plan: --- docs/grpc/index.html | 135 ++++- docs/openapi/kas/kas.swagger.json | 48 +- protocol/go/kas/kas.pb.go | 389 ++++++++++--- service/kas/access/accessPdp.go | 72 ++- service/kas/access/policy_test.go | 1 - service/kas/access/rewrap.go | 549 +++++++++++-------- service/kas/kas.proto | 19 + service/kas/{access => request}/attribute.go | 2 +- service/kas/{access => request}/keyaccess.go | 8 +- service/kas/{access => request}/policy.go | 2 +- service/kas/request/rewrap.go | 31 ++ 11 files changed, 911 insertions(+), 345 deletions(-) delete mode 100644 service/kas/access/policy_test.go rename service/kas/{access => request}/attribute.go (96%) rename service/kas/{access => request}/keyaccess.go (72%) rename service/kas/{access => request}/policy.go (98%) create mode 100644 service/kas/request/rewrap.go diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 30670c6418..d6fed367a5 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -438,6 +438,14 @@

Table of Contents

MInfoResponse +
  • + MKAORewrapResult +
  • + +
  • + MKAORewrapResult.MetadataEntry +
  • +
  • MLegacyPublicKeyRequest
  • @@ -462,6 +470,10 @@

    Table of Contents

    MRewrapResponse.MetadataEntry +
  • + MRewrapResult +
  • + @@ -3203,6 +3215,89 @@

    InfoResponse

    +

    KAORewrapResult

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    metadataKAORewrapResult.MetadataEntryrepeated

    key_access_object_idstring

    statusstring

    kasWrappedKeybytes

    errorstring

    + + + + + +

    KAORewrapResult.MetadataEntry

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    keystring

    valuegoogle.protobuf.Value

    + + + + +

    LegacyPublicKeyRequest

    @@ -3334,7 +3429,7 @@

    RewrapResponse

    metadata RewrapResponse.MetadataEntry repeated -

    +

    Deprecated

    @@ -3358,6 +3453,13 @@

    RewrapResponse

    + + responses + RewrapResult + repeated +

    New Rewrap API changes

    + + @@ -3396,6 +3498,37 @@

    RewrapResponse.MetadataEntry

    +

    RewrapResult

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    policy_idstring

    resultsKAORewrapResultrepeated

    + + + + + diff --git a/docs/openapi/kas/kas.swagger.json b/docs/openapi/kas/kas.swagger.json index 4852076299..a8e165302d 100644 --- a/docs/openapi/kas/kas.swagger.json +++ b/docs/openapi/kas/kas.swagger.json @@ -130,6 +130,28 @@ } }, "definitions": { + "kasKAORewrapResult": { + "type": "object", + "properties": { + "metadata": { + "type": "object", + "additionalProperties": {} + }, + "keyAccessObjectId": { + "type": "string" + }, + "status": { + "type": "string" + }, + "kasWrappedKey": { + "type": "string", + "format": "byte" + }, + "error": { + "type": "string" + } + } + }, "kasPublicKeyResponse": { "type": "object", "properties": { @@ -154,7 +176,8 @@ "properties": { "metadata": { "type": "object", - "additionalProperties": {} + "additionalProperties": {}, + "title": "Deprecated" }, "entityWrappedKey": { "type": "string", @@ -165,6 +188,29 @@ }, "schemaVersion": { "type": "string" + }, + "responses": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasRewrapResult" + }, + "title": "New Rewrap API changes" + } + } + }, + "kasRewrapResult": { + "type": "object", + "properties": { + "policyId": { + "type": "string" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasKAORewrapResult" + } } } }, diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index eee98539af..d8df41d2ff 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go 
@@ -322,21 +322,184 @@ func (x *RewrapRequest) GetSignedRequestToken() string { return "" } +type KAORewrapResult struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + KeyAccessObjectId string `protobuf:"bytes,2,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"` + Status string `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"` + // Types that are assignable to Result: + // + // *KAORewrapResult_KasWrappedKey + // *KAORewrapResult_Error + Result isKAORewrapResult_Result `protobuf_oneof:"result"` +} + +func (x *KAORewrapResult) Reset() { + *x = KAORewrapResult{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *KAORewrapResult) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KAORewrapResult) ProtoMessage() {} + +func (x *KAORewrapResult) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KAORewrapResult.ProtoReflect.Descriptor instead. 
+func (*KAORewrapResult) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{6} +} + +func (x *KAORewrapResult) GetMetadata() map[string]*structpb.Value { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *KAORewrapResult) GetKeyAccessObjectId() string { + if x != nil { + return x.KeyAccessObjectId + } + return "" +} + +func (x *KAORewrapResult) GetStatus() string { + if x != nil { + return x.Status + } + return "" +} + +func (m *KAORewrapResult) GetResult() isKAORewrapResult_Result { + if m != nil { + return m.Result + } + return nil +} + +func (x *KAORewrapResult) GetKasWrappedKey() []byte { + if x, ok := x.GetResult().(*KAORewrapResult_KasWrappedKey); ok { + return x.KasWrappedKey + } + return nil +} + +func (x *KAORewrapResult) GetError() string { + if x, ok := x.GetResult().(*KAORewrapResult_Error); ok { + return x.Error + } + return "" +} + +type isKAORewrapResult_Result interface { + isKAORewrapResult_Result() +} + +type KAORewrapResult_KasWrappedKey struct { + KasWrappedKey []byte `protobuf:"bytes,4,opt,name=kasWrappedKey,proto3,oneof"` +} + +type KAORewrapResult_Error struct { + Error string `protobuf:"bytes,5,opt,name=error,proto3,oneof"` +} + +func (*KAORewrapResult_KasWrappedKey) isKAORewrapResult_Result() {} + +func (*KAORewrapResult_Error) isKAORewrapResult_Result() {} + +type RewrapResult struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + PolicyId string `protobuf:"bytes,1,opt,name=policy_id,json=policyId,proto3" json:"policy_id,omitempty"` + Results []*KAORewrapResult `protobuf:"bytes,2,rep,name=results,proto3" json:"results,omitempty"` +} + +func (x *RewrapResult) Reset() { + *x = RewrapResult{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RewrapResult) String() string { + return protoimpl.X.MessageStringOf(x) +} + 
+func (*RewrapResult) ProtoMessage() {} + +func (x *RewrapResult) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RewrapResult.ProtoReflect.Descriptor instead. +func (*RewrapResult) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{7} +} + +func (x *RewrapResult) GetPolicyId() string { + if x != nil { + return x.PolicyId + } + return "" +} + +func (x *RewrapResult) GetResults() []*KAORewrapResult { + if x != nil { + return x.Results + } + return nil +} + type RewrapResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields + // Deprecated Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"` SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"` SchemaVersion string `protobuf:"bytes,4,opt,name=schema_version,json=schemaVersion,proto3" json:"schema_version,omitempty"` + // New Rewrap API changes + Responses []*RewrapResult `protobuf:"bytes,5,rep,name=responses,proto3" json:"responses,omitempty"` } func (x *RewrapResponse) Reset() { *x = RewrapResponse{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[6] + mi := &file_kas_kas_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -349,7 +512,7 @@ func (x *RewrapResponse) String() string { func (*RewrapResponse) ProtoMessage() {} func (x *RewrapResponse) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[6] + mi := &file_kas_kas_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -362,7 +525,7 @@ func (x *RewrapResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use RewrapResponse.ProtoReflect.Descriptor instead. func (*RewrapResponse) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{6} + return file_kas_kas_proto_rawDescGZIP(), []int{8} } func (x *RewrapResponse) GetMetadata() map[string]*structpb.Value { @@ -393,6 +556,13 @@ func (x *RewrapResponse) GetSchemaVersion() string { return "" } +func (x *RewrapResponse) GetResponses() []*RewrapResult { + if x != nil { + return x.Responses + } + return nil +} + var File_kas_kas_proto protoreflect.FileDescriptor var file_kas_kas_proto_rawDesc = []byte{ 
@@ -433,62 +603,90 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, - 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xa7, 0x02, 0x0a, - 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, - 0x3d, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, - 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2c, - 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, - 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, - 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, - 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x63, - 0x68, 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0d, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, - 0x6e, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 
0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, - 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, - 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, - 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, - 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, - 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, - 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, - 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, - 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, - 0x73, 0x2e, 0x52, 
0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, - 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, - 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, - 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, - 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, - 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, - 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, - 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, - 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, - 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, - 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, - 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, - 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xb9, 0x02, 0x0a, + 0x0f, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x12, 0x3e, 0x0a, 0x08, 0x6d, 
0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, + 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, + 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x26, 0x0a, 0x0d, 0x6b, 0x61, 0x73, + 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, + 0x48, 0x00, 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, + 0x79, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, + 0x48, 0x00, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x08, + 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x5b, 0x0a, 0x0c, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 
0x52, 0x08, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, + 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, + 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, + 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 0xd8, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3d, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, + 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, + 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, + 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x63, 0x68, + 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2f, 0x0a, 0x09, 0x72, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, + 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, + 0x65, 
0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, + 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, + 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, + 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, + 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, + 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, + 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, + 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, + 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, + 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 
0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, + 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, + 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, + 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, + 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, + 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, + 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, + 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, + 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, + 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, + 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, + 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, + 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 
0x33, } var ( @@ -503,7 +701,7 @@ func file_kas_kas_proto_rawDescGZIP() []byte { return file_kas_kas_proto_rawDescData } -var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 11) var file_kas_kas_proto_goTypes = []interface{}{ (*InfoRequest)(nil), // 0: kas.InfoRequest (*InfoResponse)(nil), // 1: kas.InfoResponse 
@@ -511,25 +709,32 @@ var file_kas_kas_proto_goTypes = []interface{}{ (*PublicKeyRequest)(nil), // 3: kas.PublicKeyRequest (*PublicKeyResponse)(nil), // 4: kas.PublicKeyResponse (*RewrapRequest)(nil), // 5: kas.RewrapRequest - (*RewrapResponse)(nil), // 6: kas.RewrapResponse - nil, // 7: kas.RewrapResponse.MetadataEntry - (*structpb.Value)(nil), // 8: google.protobuf.Value - (*wrapperspb.StringValue)(nil), // 9: google.protobuf.StringValue + (*KAORewrapResult)(nil), // 6: kas.KAORewrapResult + (*RewrapResult)(nil), // 7: kas.RewrapResult + (*RewrapResponse)(nil), // 8: kas.RewrapResponse + nil, // 9: kas.KAORewrapResult.MetadataEntry + nil, // 10: kas.RewrapResponse.MetadataEntry + (*structpb.Value)(nil), // 11: google.protobuf.Value + (*wrapperspb.StringValue)(nil), // 12: google.protobuf.StringValue } var file_kas_kas_proto_depIdxs = []int32{ - 7, // 0: kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry - 8, // 1: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value - 3, // 2: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest - 2, // 3: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest - 5, // 4: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest - 4, // 5: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse - 9, // 6: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue - 6, // 7: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse - 5, // [5:8] is the sub-list for method output_type - 2, // [2:5] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 9, // 0: kas.KAORewrapResult.metadata:type_name -> kas.KAORewrapResult.MetadataEntry + 6, // 1: kas.RewrapResult.results:type_name -> kas.KAORewrapResult + 10, // 2: kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry + 7, 
// 3: kas.RewrapResponse.responses:type_name -> kas.RewrapResult + 11, // 4: kas.KAORewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value + 11, // 5: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value + 3, // 6: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest + 2, // 7: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest + 5, // 8: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest + 4, // 9: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse + 12, // 10: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue + 8, // 11: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse + 9, // [9:12] is the sub-list for method output_type + 6, // [6:9] is the sub-list for method input_type + 6, // [6:6] is the sub-list for extension type_name + 6, // [6:6] is the sub-list for extension extendee + 0, // [0:6] is the sub-list for field type_name } func init() { file_kas_kas_proto_init() } @@ -611,6 +816,30 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*KAORewrapResult); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RewrapResult); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RewrapResponse); i { case 0: return &v.state 
@@ -623,13 +852,17 @@ func file_kas_kas_proto_init() { } } } + file_kas_kas_proto_msgTypes[6].OneofWrappers = []interface{}{ + (*KAORewrapResult_KasWrappedKey)(nil), + (*KAORewrapResult_Error)(nil), + } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_kas_kas_proto_rawDesc, NumEnums: 0, - NumMessages: 8, + NumMessages: 11, NumExtensions: 0, NumServices: 1, }, diff --git a/service/kas/access/accessPdp.go b/service/kas/access/accessPdp.go index 04e7553cf3..519f474e04 100644 --- a/service/kas/access/accessPdp.go +++ b/service/kas/access/accessPdp.go @@ -3,6 +3,8 @@ package access import ( "context" "errors" + "fmt" + "github.com/opentdf/platform/service/kas/request" "github.com/opentdf/platform/protocol/go/authorization" "github.com/opentdf/platform/protocol/go/policy" 
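Review bot: The two added imports in accessPdp.go are not where goimports would place them: `"fmt"` is stdlib but `"github.com/opentdf/platform/service/kas/request"` is a module import that now sits directly after it and ahead of `.../protocol/go/authorization`, breaking both the stdlib/module grouping and alphabetical order (where the blank separator line of the block ended up is not visible in the collapsed hunk, so one of the two imports is certainly in the wrong group). Running `goimports` on the file, which moves the request import to the end of the module group, e.g. after `"github.com/opentdf/platform/protocol/go/policy"`, is enough. The import block continues outside the hunk.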
@@ -14,30 +16,51 @@ const ( ErrDecisionCountUnexpected = Error("authorization decision count unexpected") ) -func (p *Provider) canAccess(ctx context.Context, token *authorization.Token, policy Policy) (bool, error) { - if len(policy.Body.Dissem) > 0 { - // TODO: Move dissems check to the getdecisions endpoint - p.Logger.Error("Dissems check is not enabled in v2 platform kas") - } - if len(policy.Body.DataAttributes) > 0 { - attrAccess, err := p.checkAttributes(ctx, policy.Body.DataAttributes, token) - if err != nil { - return false, err +type PDPAccessResult struct { + Access bool + Error error + Policy *request.Policy +} + +func (p *Provider) canAccess(ctx context.Context, token *authorization.Token, policies []*request.Policy) ([]PDPAccessResult, error) { + var res []PDPAccessResult + var rasList []*authorization.ResourceAttribute + idPolicyMap := make(map[string]*request.Policy) + for i, policy := range policies { + if len(policy.Body.Dissem) > 0 { + // TODO: Move dissems check to the getdecisions endpoint + p.Logger.Error("Dissems check is not enabled in v2 platform kas") + } + if len(policy.Body.DataAttributes) > 0 { + id := fmt.Sprintf("rewrap-%d", i) + ras := &authorization.ResourceAttribute{ResourceAttributesId: id} + for _, attr := range policy.Body.DataAttributes { + ras.AttributeValueFqns = append(ras.AttributeValueFqns, attr.URI) + } + rasList = append(rasList, ras) + idPolicyMap[id] = policy + } else { + res = append(res, PDPAccessResult{Access: true, Policy: policy}) } - return attrAccess, nil } - // if no dissem and no attributes then allow - return true, nil -} -func (p *Provider) checkAttributes(ctx context.Context, dataAttrs []Attribute, ent *authorization.Token) (bool, error) { - ras := []*authorization.ResourceAttribute{{ - AttributeValueFqns: make([]string, 0), - }} + dr, err := p.checkAttributes(ctx, rasList, token) - for _, attr := range dataAttrs { - ras[0].AttributeValueFqns = append(ras[0].GetAttributeValueFqns(), attr.URI) + if err != 
nil { + return nil, err } + for _, resp := range dr.DecisionResponses { + policy, ok := idPolicyMap[resp.ResourceAttributesId] + if !ok { // this really should not happen + continue + } + res = append(res, PDPAccessResult{Policy: policy, Access: resp.Decision == authorization.DecisionResponse_DECISION_PERMIT}) + } + + return res, nil +} + +func (p *Provider) checkAttributes(ctx context.Context, ras []*authorization.ResourceAttribute, ent *authorization.Token) (*authorization.GetDecisionsByTokenResponse, error) { in := authorization.GetDecisionsByTokenRequest{ DecisionRequests: []*authorization.TokenDecisionRequest{ { @@ -52,14 +75,7 @@ func (p *Provider) checkAttributes(ctx context.Context, dataAttrs []Attribute, e dr, err := p.SDK.Authorization.GetDecisionsByToken(ctx, &in) if err != nil { p.Logger.ErrorContext(ctx, "Error received from GetDecisionsByToken", "err", err) - return false, errors.Join(ErrDecisionUnexpected, err) - } - if len(dr.GetDecisionResponses()) != 1 { - p.Logger.ErrorContext(ctx, ErrDecisionCountUnexpected.Error(), "count", len(dr.GetDecisionResponses())) - return false, ErrDecisionCountUnexpected - } - if dr.GetDecisionResponses()[0].GetDecision() == authorization.DecisionResponse_DECISION_PERMIT { - return true, nil + return nil, errors.Join(ErrDecisionUnexpected, err) } - return false, nil + return dr, nil } diff --git a/service/kas/access/policy_test.go b/service/kas/access/policy_test.go deleted file mode 100644 index 09bb5922e4..0000000000 --- a/service/kas/access/policy_test.go +++ /dev/null @@ -1 +0,0 @@ -package access diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index ea4e538218..51c34aff63 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -1,7 +1,7 @@ package access import ( - "bytes" + // "bytes" "context" "crypto" "crypto/ecdsa" 
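Review bot: A policy that was sent to the PDP but receives no decision back silently disappears from the returned slice, because the loop over dr.DecisionResponses appends only for ids it finds in idPolicyMap and `continue`s otherwise, and nothing afterwards checks that every entry of idPolicyMap was answered; the old ErrDecisionCountUnexpected guard that covered this was removed in the `@@ -52,14 +75,7 @@` hunk of the same file with no replacement, leaving that constant unused. The same path also calls checkAttributes when rasList is empty, sending an authorization request with no resource attributes where the old code skipped the call entirely. I would return early when there is nothing to ask, delete each answered id from idPolicyMap so a duplicate answer is not counted twice, and report the leftovers as denied with the Error field set, which appears to be what PDPAccessResult.Error exists for (it is never assigned in this hunk). checkAttributes starts in this hunk and continues outside it.
```go
	// … unchanged: per-policy loop filling res, rasList and idPolicyMap …
	if len(rasList) == 0 {
		// nothing to ask the PDP; every policy was already decided locally
		return res, nil
	}
	dr, err := p.checkAttributes(ctx, rasList, token)
	if err != nil {
		return nil, err
	}
	for _, resp := range dr.GetDecisionResponses() {
		id := resp.GetResourceAttributesId()
		policy, ok := idPolicyMap[id]
		if !ok {
			p.Logger.ErrorContext(ctx, "decision response for unknown resource attribute id", "id", id)
			continue
		}
		// consume the id so a second response for it cannot be counted twice
		delete(idPolicyMap, id)
		res = append(res, PDPAccessResult{Policy: policy, Access: resp.GetDecision() == authorization.DecisionResponse_DECISION_PERMIT})
	}
	// Any policy the PDP did not answer is reported as denied, not dropped.
	for id, policy := range idPolicyMap {
		p.Logger.ErrorContext(ctx, ErrDecisionCountUnexpected.Error(), "id", id)
		res = append(res, PDPAccessResult{Policy: policy, Access: false, Error: ErrDecisionCountUnexpected})
	}
	return res, nil
```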
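Review bot: The `bytes` import in rewrap.go is commented out (`// "bytes"`) rather than removed; a commented-out import is dead text that every later reader has to reason about, and gofmt will keep it in place indefinitely. Delete the line so the block starts with `"context"`, and if the removal is only temporary say so in the commit message rather than in the import list. The import block continues outside the hunk.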
@@ -31,6 +31,7 @@ import ( kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/sdk" "github.com/opentdf/platform/service/internal/security" + "github.com/opentdf/platform/service/kas/request" "github.com/opentdf/platform/service/logger" "github.com/opentdf/platform/service/logger/audit" ctxAuth "github.com/opentdf/platform/service/pkg/auth" @@ -38,20 +39,15 @@ import ( "google.golang.org/grpc/status" ) +const kTDF3Algorithm = "rsa:2048" +const kNanoAlgorithm = "ec:secp256r1" +const kFailedStatus = "fail" +const kPermitStatus = "permit" + type SignedRequestBody struct { RequestBody string `json:"requestBody"` } -type RequestBody struct { - AuthToken string `json:"authToken"` - KeyAccess KeyAccess `json:"keyAccess"` - Policy string `json:"policy,omitempty"` - Algorithm string `json:"algorithm,omitempty"` - ClientPublicKey string `json:"clientPublicKey"` - PublicKey interface{} `json:"-"` - SchemaVersion string `json:"schemaVersion,omitempty"` -} - type entityInfo struct { EntityID string `json:"sub"` ClientID string `json:"clientId"` @@ -121,7 +117,7 @@ func justRequestBody(ctx context.Context, token jwt.Token, logger logger.Logger) return rbString, nil } -func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*RequestBody, error) { +func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*request.RequestBody, error) { // First load legacy method for verifying SRT if vpk, ok := headers["X-Virtrupubkey"]; ok && len(vpk) == 1 { logger.InfoContext(ctx, "Legacy Client: Processing X-Virtrupubkey") @@ -153,7 +149,7 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } } - var requestBody RequestBody + var requestBody request.RequestBody err = json.Unmarshal([]byte(rbString), &requestBody) if err != nil { logger.WarnContext(ctx, "invalid request body") 
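Review bot: The four new constants in the -38,20 +39,15 hunk use a `k` prefix and one `const` statement each, which is not Go style; group them in a single block with MixedCaps names, e.g. `tdf3Algorithm`, `nanoAlgorithm`, `failedStatus`, `permitStatus`. `kNanoAlgorithm`'s only use in this patch is inside commented-out code in Rewrap, so unless another file references it the constant is dead. A one-line comment on the two status constants noting that they are the wire values of KAORewrapResult.status would help readers who come from the proto.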
@@ -175,12 +171,10 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe return nil, err400("clientPublicKey parse failure") } // Check to make sure the clientPublicKey is a supported key type - switch publicKey := clientPublicKey.(type) { + switch clientPublicKey.(type) { case *rsa.PublicKey: - requestBody.PublicKey = publicKey return &requestBody, nil case *ecdsa.PublicKey: - requestBody.PublicKey = publicKey return &requestBody, nil default: logger.WarnContext(ctx, fmt.Sprintf("clientPublicKey not a supported key, was [%T]", clientPublicKey)) 
@@ -202,44 +196,55 @@ func extractPolicyBinding(policyBinding interface{}) (string, error) { } } -func verifyAndParsePolicy(ctx context.Context, requestBody *RequestBody, k []byte, logger logger.Logger) (*Policy, error) { - actualHMAC, err := generateHMACDigest(ctx, []byte(requestBody.Policy), k, logger) - if err != nil { - logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) - return nil, err400("bad request") - } - - policyBinding, err := extractPolicyBinding(requestBody.KeyAccess.PolicyBinding) - if err != nil { - logger.WarnContext(ctx, "invalid policy binding", "err", err) - return nil, err400("bad request") - } - - expectedHMAC := make([]byte, base64.StdEncoding.DecodedLen(len(policyBinding))) - n, err := base64.StdEncoding.Decode(expectedHMAC, []byte(policyBinding)) - if err == nil { - n, err = hex.Decode(expectedHMAC, expectedHMAC[:n]) - } - expectedHMAC = expectedHMAC[:n] - if err != nil { - logger.WarnContext(ctx, "invalid policy binding", "err", err) - return nil, err400("bad request") - } - if !hmac.Equal(actualHMAC, expectedHMAC) { - logger.WarnContext(ctx, "policy hmac mismatch", "policyBinding", policyBinding) - return nil, err400("bad request") - } - sDecPolicy, err := base64.StdEncoding.DecodeString(requestBody.Policy) +func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logger logger.Logger) (*request.Policy, error) { + failed := false + sDecPolicy, err := base64.StdEncoding.DecodeString(req.Policy.Body) if err != nil { logger.WarnContext(ctx, "unable to decode policy", "err", err) - return nil, err400("bad request") + failed = true } decoder := json.NewDecoder(strings.NewReader(string(sDecPolicy))) - var policy Policy + var policy request.Policy err = decoder.Decode(&policy) if err != nil { logger.WarnContext(ctx, "unable to decode policy", "err", err) - return nil, err400("bad request") + failed = true + } + req.Results.PolicyId = policy.UUID.String() + + for _, kao := range req.KeyAccessObjectRequests { 
+ if failed { + failedKAORewrap(req.Results, kao, "bad request") + continue + } + actualHMAC, err := generateHMACDigest(ctx, []byte(req.Policy.Body), kao.SymmetricKey, logger) + if err != nil { + logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) + failedKAORewrap(req.Results, kao, "bad request") + continue + } + policyBinding := kao.PolicyBinding.(string) + + expectedHMAC := make([]byte, base64.StdEncoding.DecodedLen(len(policyBinding))) + n, err := base64.StdEncoding.Decode(expectedHMAC, []byte(policyBinding)) + if err == nil { + n, err = hex.Decode(expectedHMAC, expectedHMAC[:n]) + } + expectedHMAC = expectedHMAC[:n] + if err != nil { + logger.WarnContext(ctx, "invalid policy binding", "err", err) + failedKAORewrap(req.Results, kao, "bad request") + continue + } + if !hmac.Equal(actualHMAC, expectedHMAC) { + logger.WarnContext(ctx, "policy hmac mismatch", "policyBinding", policyBinding) + failedKAORewrap(req.Results, kao, "bad request") + continue + } + } + + if failed { + return nil, fmt.Errorf("invalid policy") } return &policy, nil } @@ -267,6 +272,27 @@ func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, err return info, nil } +func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectRequest, err string) *kaspb.KAORewrapResult { + if kao.Processed { + return nil + } + kao.Processed = true + kaoRes := &kaspb.KAORewrapResult{ + KeyAccessObjectId: kao.KeyAccessObjectId, + Status: kFailedStatus, + Result: &kaspb.KAORewrapResult_Error{Error: err}, + } + res.Results = append(res.Results, kaoRes) + return kaoRes +} + +func markUnproccessedRequests(reqs []*request.RewrapRequests) { + for _, req := range reqs { + for _, kao := range req.KeyAccessObjectRequests { + failedKAORewrap(req.Results, kao, "could not proccess request") + } + } +} func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.RewrapRequest]) (*connect.Response[kaspb.RewrapResponse], error) { in := req.Msg 
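Review bot: `policyBinding := kao.PolicyBinding.(string)` is an unchecked type assertion on a field that is decoded from the client's JSON as interface{} (PolicyBinding in request.KeyAccess), so a request whose policyBinding is an object or a number panics the handler instead of failing that one KAO. The removed code and the audit path in tdf3Rewrap both go through extractPolicyBinding, which handles the non-string form; use it here too, `policyBinding, err := extractPolicyBinding(kao.PolicyBinding)`, followed by the same `logger.WarnContext(ctx, "invalid policy binding", "err", err); failedKAORewrap(req.Results, kao, "bad request"); continue` that the base64/hex branch already uses. The function also now writes `req.Results.PolicyId`, so it must only run after Results has been allocated (verifyRewrapRequests does that), and as far as this patch shows nothing on the new side calls it any more.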
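Review bot: failedKAORewrap appends to `res.Results` without checking `res`, and the unsupported-algorithm branch of Rewrap in the next hunk passes `req.Results` before anything has assigned that field (only verifyRewrapRequests does), so a request with an unknown algorithm — which now includes `ec:secp256r1`, since the nano path is commented out — would hit a nil-pointer panic rather than produce a fail result. That branch also appends the function's return value, which is nil for an already-processed KAO, straight into a proto repeated field, and builds a RewrapResult with no PolicyId. Have the caller allocate first, `req.Results = &kaspb.RewrapResult{PolicyId: req.Policy.Id}`, call failedKAORewrap per KAO, then `resp.Responses = append(resp.Responses, req.Results)`; alternatively guard with `if res == nil { return nil }` and log, but that hides the failure. `markUnproccessedRequests` and its error string are misspelled (`markUnprocessedRequests`, "could not process request").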
@@ -284,227 +310,290 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap return nil, err } - if body.Algorithm == "" { - p.Logger.DebugContext(ctx, "default rewrap algorithm") - body.Algorithm = "rsa:2048" - } - - if body.Algorithm == "ec:secp256r1" { - rsp, err := p.nanoTDFRewrap(ctx, body, entityInfo) - if err != nil { - p.Logger.ErrorContext(ctx, "rewrap nano", "err", err) + resp := &kaspb.RewrapResponse{} + + // var nanoReqs []*RewrapRequests + var tdf3Reqs []*request.RewrapRequests + for _, req := range body.Requests { + switch { + // case req.Algorithm == kNanoAlgorithm: + // nanoReqs = append(nanoReqs, req) + case req.Algorithm == "" || req.Algorithm == kTDF3Algorithm: + tdf3Reqs = append(tdf3Reqs, req) + default: + // No algorithm: fail all Policy's KAOs + var failedKAOs []*kaspb.KAORewrapResult + for _, kao := range req.KeyAccessObjectRequests { + failedKAOs = append(failedKAOs, + failedKAORewrap(req.Results, kao, fmt.Sprintf("%s is not a valid algorithm", req.Algorithm))) + } + rewrapResult := &kaspb.RewrapResult{ + Results: failedKAOs, + } + resp.Responses = append(resp.Responses, rewrapResult) } - p.Logger.DebugContext(ctx, "rewrap nano", "rsp", rsp) - return connect.NewResponse(rsp), err } - rsp, err := p.tdf3Rewrap(ctx, body, entityInfo) - if err != nil { - p.Logger.ErrorContext(ctx, "rewrap tdf3", "err", err) + + p.tdf3Rewrap(ctx, tdf3Reqs, body.ClientPublicKey, entityInfo) + markUnproccessedRequests(tdf3Reqs) + for _, req := range tdf3Reqs { + resp.Responses = append(resp.Responses, req.Results) } - return connect.NewResponse(rsp), err + + return connect.NewResponse(resp), err } -func (p *Provider) tdf3Rewrap(ctx context.Context, body *RequestBody, entity *entityInfo) (*kaspb.RewrapResponse, error) { - if p.Tracer != nil { - var span trace.Span - ctx, span = p.Tracer.Start(ctx, "rewrap-tdf3") - defer span.End() +func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.RewrapRequests) (*request.Policy, 
error) { + anyValidKAOs := false + p.Logger.DebugContext(ctx, "extracting policy", "requestBody.policy", req.Policy) + sDecPolicy, policyErr := base64.StdEncoding.DecodeString(req.Policy.Body) + req.Results = &kaspb.RewrapResult{ + PolicyId: req.Policy.Id, + } + policy := &request.Policy{} + if policyErr == nil { + policyErr = json.Unmarshal(sDecPolicy, policy) } - var kidsToCheck []string - if body.KeyAccess.KID != "" { - kidsToCheck = []string{body.KeyAccess.KID} - } else { - p.Logger.InfoContext(ctx, "kid free kao") - for _, k := range p.KASConfig.Keyring { - if k.Algorithm == security.AlgorithmRSA2048 && k.Legacy { - kidsToCheck = append(kidsToCheck, k.KID) + for _, kao := range req.KeyAccessObjectRequests { + if policyErr != nil { + failedKAORewrap(req.Results, kao, "bad request") + continue + } + var kidsToCheck []string + if kao.KID != "" { + kidsToCheck = []string{kao.KID} + } else { + p.Logger.InfoContext(ctx, "kid free kao") + for _, k := range p.KASConfig.Keyring { + if k.Algorithm == security.AlgorithmRSA2048 && k.Legacy { + kidsToCheck = append(kidsToCheck, k.KID) + } + } + if len(kidsToCheck) == 0 { + p.Logger.WarnContext(ctx, "failure to find legacy kids for rsa") + failedKAORewrap(req.Results, kao, "bad request") + continue } } - if len(kidsToCheck) == 0 { - p.Logger.WarnContext(ctx, "failure to find legacy kids for rsa") - return nil, err400("bad request") + + var err error + kao.SymmetricKey, err = p.CryptoProvider.RSADecrypt(crypto.SHA1, kidsToCheck[0], "", kao.WrappedKey) + for _, kid := range kidsToCheck[1:] { + p.Logger.WarnContext(ctx, "continue paging through legacy KIDs for kid free kao", "err", err) + if err == nil { + break + } + kao.SymmetricKey, err = p.CryptoProvider.RSADecrypt(crypto.SHA1, kid, "", kao.WrappedKey) } - } - symmetricKey, err := p.CryptoProvider.RSADecrypt(crypto.SHA1, kidsToCheck[0], "", body.KeyAccess.WrappedKey) - for _, kid := range kidsToCheck[1:] { - p.Logger.WarnContext(ctx, "continue paging through legacy KIDs 
for kid free kao", "err", err) - if err == nil { - break + if err != nil { + p.Logger.WarnContext(ctx, "failure to decrypt dek", "err", err) + failedKAORewrap(req.Results, kao, "bad request") + continue } - symmetricKey, err = p.CryptoProvider.RSADecrypt(crypto.SHA1, kid, "", body.KeyAccess.WrappedKey) - } - if err != nil { - p.Logger.WarnContext(ctx, "failure to decrypt dek", "err", err) - return nil, err400("bad request") - } - - p.Logger.DebugContext(ctx, "verifying policy binding", "requestBody.policy", body.Policy) - policy, err := verifyAndParsePolicy(ctx, body, symmetricKey, *p.Logger) - if err != nil { - return nil, err + anyValidKAOs = true } - p.Logger.DebugContext(ctx, "extracting policy", "requestBody.policy", body.Policy) - // changed use the entities in the token to get the decisions - tok := &authorization.Token{ - Id: "rewrap-tok", - Jwt: entity.Token, + if policyErr != nil { + return policy, nil } - - access, err := p.canAccess(ctx, tok, *policy) - - // Audit the TDF3 Rewrap - kasPolicy := ConvertToAuditKasPolicy(*policy) - - policyBinding, _ := extractPolicyBinding(body.KeyAccess.PolicyBinding) - - auditEventParams := audit.RewrapAuditEventParams{ - Policy: kasPolicy, - IsSuccess: access, - TDFFormat: "tdf3", - Algorithm: body.Algorithm, - PolicyBinding: policyBinding, + if !anyValidKAOs { + p.Logger.WarnContext(ctx, "no valid KAOs found") + return policy, fmt.Errorf("no valid KAOs") } - - if err != nil { - p.Logger.WarnContext(ctx, "Could not perform access decision!", "err", err) - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, err403("forbidden") - } - - if !access { - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, err403("forbidden") - } - - asymEncrypt, err := ocrypto.NewAsymEncryption(body.ClientPublicKey) - if err != nil { - p.Logger.WarnContext(ctx, "ocrypto.NewAsymEncryption:", "err", err) - } - - rewrappedKey, err := asymEncrypt.Encrypt(symmetricKey) - if err != nil { - p.Logger.WarnContext(ctx, 
"rewrap: ocrypto.AsymEncryption.encrypt failed", "err", err, "clientPublicKey", &body.ClientPublicKey) - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, err400("bad key for rewrap") - } - - p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) - return &kaspb.RewrapResponse{ - EntityWrappedKey: rewrappedKey, - SessionPublicKey: "", - SchemaVersion: schemaVersion, - }, nil + return policy, nil } -func (p *Provider) nanoTDFRewrap(ctx context.Context, body *RequestBody, entity *entityInfo) (*kaspb.RewrapResponse, error) { +func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapRequests, clientPublicKey string, entity *entityInfo) { if p.Tracer != nil { var span trace.Span - ctx, span = p.Tracer.Start(ctx, "rewrap-nanotdf") + ctx, span = p.Tracer.Start(ctx, "rewrap-tdf3") defer span.End() } - headerReader := bytes.NewReader(body.KeyAccess.Header) - - header, _, err := sdk.NewNanoTDFHeaderFromReader(headerReader) - if err != nil { - return nil, fmt.Errorf("failed to parse NanoTDF header: %w", err) - } - // Lookup KID from nano header - kid, err := header.GetKasURL().GetIdentifier() - if err != nil { - p.Logger.DebugContext(ctx, "nanoTDFRewrap GetIdentifier", "kid", kid, "err", err) - // legacy nano with KID - kid, err = p.lookupKid(ctx, security.AlgorithmECP256R1) + var policies []*request.Policy + policyReqs := make(map[*request.Policy]*request.RewrapRequests) + for _, req := range requests { + policy, err := p.verifyRewrapRequests(ctx, req) if err != nil { - p.Logger.ErrorContext(ctx, "failure to find default kid for ec", "err", err) - return nil, err400("bad request") + continue } - p.Logger.DebugContext(ctx, "nanoTDFRewrap lookupKid", "kid", kid) - } - p.Logger.DebugContext(ctx, "nanoTDFRewrap", "kid", kid) - ecCurve, err := header.ECCurve() - if err != nil { - return nil, fmt.Errorf("ECCurve failed: %w", err) + policies = append(policies, policy) + policyReqs[policy] = req } - symmetricKey, err := 
p.CryptoProvider.GenerateNanoTDFSymmetricKey(kid, header.EphemeralKey, ecCurve) - if err != nil { - return nil, fmt.Errorf("failed to generate symmetric key: %w", err) - } - - // extract the policy - policy, err := extractNanoPolicy(symmetricKey, header) - if err != nil { - return nil, fmt.Errorf("Error extracting policy: %w", err) - } - - // check the policy binding - verify, err := header.VerifyPolicyBinding() - if err != nil { - return nil, fmt.Errorf("failed to verify policy binding: %w", err) - } - - if !verify { - return nil, fmt.Errorf("policy binding verification failed") - } - - // do the access check tok := &authorization.Token{ - Id: "rewrap-tok", + Id: "rewrap-token", Jwt: entity.Token, } - - access, err := p.canAccess(ctx, tok, *policy) - - // Audit the rewrap - kasPolicy := ConvertToAuditKasPolicy(*policy) - auditEventParams := audit.RewrapAuditEventParams{ - Policy: kasPolicy, - TDFFormat: "nano", - Algorithm: body.Algorithm, + pdpAccessResults, accessErr := p.canAccess(ctx, tok, policies) + if accessErr != nil { + for _, req := range requests { + for _, kao := range req.KeyAccessObjectRequests { + failedKAORewrap(req.Results, kao, "could not perform access") + } + } + return } + asymEncrypt, err := ocrypto.NewAsymEncryption(clientPublicKey) if err != nil { - p.Logger.WarnContext(ctx, "Could not perform access decision!", "err", err) - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, err403("forbidden") + p.Logger.WarnContext(ctx, "ocrypto.NewAsymEncryption:", "err", err) } - if !access { - p.Logger.WarnContext(ctx, "Access Denied; no reason given") - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, err403("forbidden") - } + for _, pdpAccess := range pdpAccessResults { + policy := pdpAccess.Policy + req, ok := policyReqs[policy] + if !ok { // this should not happen + continue + } + access := pdpAccess.Access + + // Audit the TDF3 Rewrap + kasPolicy := request.ConvertToAuditKasPolicy(*policy) + + for _, kao := range 
req.KeyAccessObjectRequests { + policyBinding, _ := extractPolicyBinding(kao.PolicyBinding) + auditEventParams := audit.RewrapAuditEventParams{ + Policy: kasPolicy, + IsSuccess: access, + TDFFormat: "tdf3", + Algorithm: req.Algorithm, + PolicyBinding: policyBinding, + } - privateKeyHandle, publicKeyHandle, err := p.CryptoProvider.GenerateEphemeralKasKeys() - if err != nil { - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, fmt.Errorf("failed to generate keypair: %w", err) - } - sessionKey, err := p.CryptoProvider.GenerateNanoTDFSessionKey(privateKeyHandle, []byte(body.ClientPublicKey)) - if err != nil { - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, fmt.Errorf("failed to generate session key: %w", err) - } + if !access { + p.Logger.Audit.RewrapFailure(ctx, auditEventParams) + failedKAORewrap(req.Results, kao, "forbidden") + continue + } - cipherText, err := wrapKeyAES(sessionKey, symmetricKey) - if err != nil { - p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - return nil, fmt.Errorf("failed to encrypt key: %w", err) + rewrappedKey, err := asymEncrypt.Encrypt(kao.SymmetricKey) + if err != nil { + p.Logger.WarnContext(ctx, "rewrap: ocrypto.AsymEncryption.encrypt failed", "err", err, "clientPublicKey", clientPublicKey) + p.Logger.Audit.RewrapFailure(ctx, auditEventParams) + failedKAORewrap(req.Results, kao, "bad key for rewrap") + continue + } + req.Results.Results = append(req.Results.Results, &kaspb.KAORewrapResult{ + KeyAccessObjectId: kao.KeyAccessObjectId, + Status: kPermitStatus, + Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: rewrappedKey}, + }) + + kao.Processed = true + p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) + } } - - p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) - - return &kaspb.RewrapResponse{ - EntityWrappedKey: cipherText, - SessionPublicKey: string(publicKeyHandle), - SchemaVersion: schemaVersion, - }, nil } -func extractNanoPolicy(symmetricKey []byte, header 
sdk.NanoTDFHeader) (*Policy, error) { +// func (p *Provider) nanoTDFRewrap(ctx context.Context, body *RequestBody, entity *entityInfo) (*kaspb.RewrapResponse, error) { +// if p.Tracer != nil { +// var span trace.Span +// ctx, span = p.Tracer.Start(ctx, "rewrap-nanotdf") +// defer span.End() +// } +// +// headerReader := bytes.NewReader(body.KeyAccess.Header) +// +// header, _, err := sdk.NewNanoTDFHeaderFromReader(headerReader) +// if err != nil { +// return nil, fmt.Errorf("failed to parse NanoTDF header: %w", err) +// } +// // Lookup KID from nano header +// kid, err := header.GetKasURL().GetIdentifier() +// if err != nil { +// p.Logger.DebugContext(ctx, "nanoTDFRewrap GetIdentifier", "kid", kid, "err", err) +// // legacy nano with KID +// kid, err = p.lookupKid(ctx, security.AlgorithmECP256R1) +// if err != nil { +// p.Logger.ErrorContext(ctx, "failure to find default kid for ec", "err", err) +// return nil, err400("bad request") +// } +// p.Logger.DebugContext(ctx, "nanoTDFRewrap lookupKid", "kid", kid) +// } +// p.Logger.DebugContext(ctx, "nanoTDFRewrap", "kid", kid) +// ecCurve, err := header.ECCurve() +// if err != nil { +// return nil, fmt.Errorf("ECCurve failed: %w", err) +// } +// +// symmetricKey, err := p.CryptoProvider.GenerateNanoTDFSymmetricKey(kid, header.EphemeralKey, ecCurve) +// if err != nil { +// return nil, fmt.Errorf("failed to generate symmetric key: %w", err) +// } +// +// // extract the policy +// policy, err := extractNanoPolicy(symmetricKey, header) +// if err != nil { +// return nil, fmt.Errorf("Error extracting policy: %w", err) +// } +// +// // check the policy binding +// verify, err := header.VerifyPolicyBinding() +// if err != nil { +// return nil, fmt.Errorf("failed to verify policy binding: %w", err) +// } +// +// if !verify { +// return nil, fmt.Errorf("policy binding verification failed") +// } +// +// // do the access check +// tok := &authorization.Token{ +// Id: "rewrap-tok", +// Jwt: entity.Token, +// } +// +// access, err 
:= p.canAccess(ctx, tok, *policy) +// +// // Audit the rewrap +// kasPolicy := ConvertToAuditKasPolicy(*policy) +// auditEventParams := audit.RewrapAuditEventParams{ +// Policy: kasPolicy, +// TDFFormat: "nano", +// Algorithm: body.Algorithm, +// } +// +// if err != nil { +// p.Logger.WarnContext(ctx, "Could not perform access decision!", "err", err) +// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) +// return nil, err403("forbidden") +// } +// +// if !access { +// p.Logger.WarnContext(ctx, "Access Denied; no reason given") +// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) +// return nil, err403("forbidden") +// } +// +// privateKeyHandle, publicKeyHandle, err := p.CryptoProvider.GenerateEphemeralKasKeys() +// if err != nil { +// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) +// return nil, fmt.Errorf("failed to generate keypair: %w", err) +// } +// sessionKey, err := p.CryptoProvider.GenerateNanoTDFSessionKey(privateKeyHandle, []byte(body.ClientPublicKey)) +// if err != nil { +// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) +// return nil, fmt.Errorf("failed to generate session key: %w", err) +// } +// +// cipherText, err := wrapKeyAES(sessionKey, symmetricKey) +// if err != nil { +// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) +// return nil, fmt.Errorf("failed to encrypt key: %w", err) +// } +// +// p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) +// +// return &kaspb.RewrapResponse{ +// EntityWrappedKey: cipherText, +// SessionPublicKey: string(publicKeyHandle), +// SchemaVersion: schemaVersion, +// }, nil +// } + +func extractNanoPolicy(symmetricKey []byte, header sdk.NanoTDFHeader) (*request.Policy, error) { gcm, err := ocrypto.NewAESGcm(symmetricKey) if err != nil { return nil, fmt.Errorf("crypto.NewAESGcm:%w", err) 
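Review bot: The TDF3 path no longer verifies the policy binding: the removed tdf3Rewrap called verifyAndParsePolicy with the decrypted DEK, but the new verifyRewrapRequests/tdf3Rewrap pair decodes the policy, unwraps each KAO's key and goes straight to canAccess, and nothing on the new side of this patch calls verifyAndParsePolicy. Without the HMAC check the policy the PDP decides on is whatever the client sent, not the one the KAO's binding was computed over, which is exactly what the binding exists to prevent. Two smaller defects compound this: verifyRewrapRequests returns `policy, nil` when policyErr != nil, so an undecodable policy becomes an empty one that canAccess permits, and the per-KAO loop in tdf3Rewrap never checks `kao.Processed`, so KAOs already failed there (nil SymmetricKey) are encrypted anyway and receive a second, permit result plus a RewrapSuccess audit event. The sketch below keeps the HMAC check in verifyRewrapRequests once the DEKs are known, fails the request on a bad policy, and skips processed KAOs. extractNanoPolicy's body continues past the end of the hunk, and the commented-out nanoTDFRewrap block means `ec:secp256r1` requests now fall into the invalid-algorithm branch.
```go
// … in verifyRewrapRequests, after the per-KAO unwrap loop …
	if policyErr != nil {
		return nil, fmt.Errorf("invalid policy: %w", policyErr)
	}
	if !anyValidKAOs {
		p.Logger.WarnContext(ctx, "no valid KAOs found")
		return policy, fmt.Errorf("no valid KAOs")
	}
	// Check each KAO's policy binding (HMAC over the policy under its DEK)
	// before any access decision is requested for this policy.
	if _, err := verifyAndParsePolicy(ctx, req, *p.Logger); err != nil {
		return nil, err
	}
	return policy, nil
}

// … in tdf3Rewrap, inside the per-policy loop …
		for _, kao := range req.KeyAccessObjectRequests {
			if kao.Processed { // already failed in verifyRewrapRequests
				continue
			}
			// … unchanged: audit params, access check, Encrypt, permit result …
```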
@@ -524,7 +613,7 @@ func extractNanoPolicy(symmetricKey []byte, header sdk.NanoTDFHeader) (*Policy, return nil, fmt.Errorf("Error decrypting policy body:%w", err) } - var policy Policy + var policy request.Policy err = json.Unmarshal(policyData, &policy) if err != nil { return nil, fmt.Errorf("Error unmarshalling policy:%w", err) diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 8f0528d051..93877a0ad3 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -48,11 +48,30 @@ message RewrapRequest { string signed_request_token = 1; } +message KAORewrapResult { + map metadata = 1; + string key_access_object_id = 2; + string status = 3; + oneof result { + bytes kasWrappedKey = 4; + string error = 5; + } +} + +message RewrapResult { + string policy_id = 1; + repeated KAORewrapResult results = 2; +} + + message RewrapResponse { + // Deprecated map metadata = 1; bytes entity_wrapped_key = 2; string session_public_key = 3; string schema_version = 4; + // New Rewrap API changes + repeated RewrapResult responses = 5; } // Get app info from the root path diff --git a/service/kas/access/attribute.go b/service/kas/request/attribute.go similarity index 96% rename from service/kas/access/attribute.go rename to service/kas/request/attribute.go index 75e9c7113d..087f5be9f0 100644 --- a/service/kas/access/attribute.go +++ b/service/kas/request/attribute.go @@ -1,4 +1,4 @@ -package access +package request import ( "crypto" diff --git a/service/kas/access/keyaccess.go b/service/kas/request/keyaccess.go similarity index 72% rename from service/kas/access/keyaccess.go rename to service/kas/request/keyaccess.go index 69cd7fe210..e8580a226f 100644 --- a/service/kas/access/keyaccess.go +++ b/service/kas/request/keyaccess.go 
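Review bot: `bytes kasWrappedKey = 4;` in KAORewrapResult is the only camelCase field name in the file; the sibling fields and buf's FIELD_LOWER_SNAKE_CASE rule want `bytes kas_wrapped_key = 4;`, and renaming it once clients exist changes the JSON name. The `// Deprecated` comment on RewrapResponse's old fields is invisible to tooling; mark each one with the option, e.g. `bytes entity_wrapped_key = 2 [deprecated = true];`, so generated code and docs carry the deprecation. The `status` field would benefit from a comment listing the values the server emits (the Go side uses "permit" and "fail"), or from being an enum.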
@@ -1,13 +1,13 @@ -package access +package request type KeyAccess struct { EncryptedMetadata string `json:"encryptedMetadata,omitempty"` PolicyBinding interface{} `json:"policyBinding,omitempty"` Protocol string `json:"protocol"` - Type string `json:"type"` - URL string `json:"url"` + KeyType string `json:"type"` + KasURL string `json:"url"` KID string `json:"kid,omitempty"` - SID string `json:"sid,omitempty"` + SplitID string `json:"sid,omitempty"` WrappedKey []byte `json:"wrappedKey,omitempty"` Header []byte `json:"header,omitempty"` Algorithm string `json:"algorithm,omitempty"` diff --git a/service/kas/access/policy.go b/service/kas/request/policy.go similarity index 98% rename from service/kas/access/policy.go rename to service/kas/request/policy.go index c84e19ef77..aab7a443ea 100644 --- a/service/kas/access/policy.go +++ b/service/kas/request/policy.go @@ -1,4 +1,4 @@ -package access +package request import ( "github.com/google/uuid" diff --git a/service/kas/request/rewrap.go b/service/kas/request/rewrap.go new file mode 100644 index 0000000000..2abc60184a --- /dev/null +++ b/service/kas/request/rewrap.go @@ -0,0 +1,31 @@ +package request + +import "github.com/opentdf/platform/protocol/go/kas" + +type PolicyRequest struct { + Id string `json:"id"` + Body string `json:"body"` +} + +type KeyAccessObjectRequest struct { + KeyAccessObjectId string `json:"keyAccessObjectId"` + KeyAccess `json:"keyAccessObject"` + + // For Platform Use + Processed bool `json:"-"` + SymmetricKey []byte `json:"-"` +} + +type RewrapRequests struct { + KeyAccessObjectRequests []*KeyAccessObjectRequest `json:"keyAccessObjects"` + Policy PolicyRequest `json:"policy"` + Algorithm string `json:"algorithm,omitempty"` + + // For Platform Use + Results *kas.RewrapResult `json:"-"` +} + +type RequestBody struct { + Requests []*RewrapRequests `json:"requests"` + ClientPublicKey string `json:"ClientPublicKey"` +} From f1e143d33e43460a5de260bc86c68fa2cead4529 Mon Sep 17 00:00:00 2001 
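Review bot: `ClientPublicKey string `json:"ClientPublicKey"`` in request.RequestBody tags the field with an upper-case JSON name while every other tag in the new file and the v1 body (`clientPublicKey`) use lower camel case; encoding/json matches case-insensitively on decode so clients still work, but encoding emits `ClientPublicKey` and the documented wire format is now inconsistent — use `json:"clientPublicKey"`. `Id` and `KeyAccessObjectId` should be `ID` and `KeyAccessObjectID` per Go's initialism convention. Hiding `Processed`, `SymmetricKey` and `Results` with `json:"-"` is the right call; a comment such as `// Server-side state; never (un)marshalled to or from a client.` above each "For Platform Use" group would keep that intent through refactors.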
From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 02/48] fixes rrttests Summary: Test Plan: --- service/kas/access/rewrap.go | 105 ++++++++++++++++++++++-------- service/kas/access/rewrap_test.go | 49 +++++++++----- service/kas/kas.proto | 3 + service/kas/request/rewrap.go | 15 +++-- 4 files changed, 123 insertions(+), 49 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 51c34aff63..35db1aed32 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -48,6 +48,15 @@ type SignedRequestBody struct { RequestBody string `json:"requestBody"` } +type RequestBody struct { + AuthToken string `json:"authToken"` + KeyAccess request.KeyAccess `json:"keyAccess"` + Policy string `json:"policy,omitempty"` + Algorithm string `json:"algorithm,omitempty"` + ClientPublicKey string `json:"clientPublicKey"` + PublicKey interface{} `json:"-"` + SchemaVersion string `json:"schemaVersion,omitempty"` +} type entityInfo struct { EntityID string `json:"sub"` ClientID string `json:"clientId"` 
@@ -117,7 +126,34 @@ func justRequestBody(ctx context.Context, token jwt.Token, logger logger.Logger) return rbString, nil } -func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*request.RequestBody, error) { +func extractAndConvertV1SRTBody(body []byte) (request.RequestBody, error) { + var requestBody RequestBody + if err := json.Unmarshal(body, &requestBody); err != nil { + return request.RequestBody{}, err + } + + reqs := []*request.RewrapRequests{ + { + KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ + {KeyAccessObjectId: "kao-0", KeyAccess: requestBody.KeyAccess}, + }, + Algorithm: requestBody.Algorithm, + Policy: request.PolicyRequest{ + Id: "policy-1", + Body: requestBody.Policy, + }, + }, + } + + return request.RequestBody{ + ClientPublicKey: requestBody.ClientPublicKey, + Requests: reqs, + }, nil + +} + +func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*request.RequestBody, bool, error) { + isV1 := false // First load legacy method for verifying SRT if vpk, ok := headers["X-Virtrupubkey"]; ok && len(vpk) == 1 { logger.InfoContext(ctx, "Legacy Client: Processing X-Virtrupubkey") 
@@ -138,22 +174,27 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe rbString, err = noverify(ctx, srt, logger) if err != nil { logger.ErrorContext(ctx, "unable to load RSA verifier", "err", err) - return nil, err + return nil, false, err } } else { // verify and validate the request token var err error rbString, err = verifySRT(ctx, srt, dpopJWK, logger) if err != nil { - return nil, err + return nil, false, err } } var requestBody request.RequestBody err = json.Unmarshal([]byte(rbString), &requestBody) - if err != nil { - logger.WarnContext(ctx, "invalid request body") - return nil, err400("invalid request body") + // if there are no requests then it could be a v1 request + if err != nil || len(requestBody.Requests) == 0 { + logger.WarnContext(ctx, "invalid request body! checking v1 SRT") + requestBody, err = extractAndConvertV1SRTBody([]byte(rbString)) + if err != nil { + return nil, false, err400("invalid request body") + } + isV1 = true } logger.DebugContext(ctx, "extracted request body", slog.Any("requestBody", requestBody)) 
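Review bot: The v2-to-v1 fallback drops the first decode error: when json.Unmarshal fails or `Requests` is empty the code retries as v1, and on that second failure the caller only ever sees `invalid request body`, so a malformed v2 body cannot be diagnosed from the logs. Include it in the warning, `logger.WarnContext(ctx, "invalid request body, checking v1 SRT", "err", err)`, and log the v1 error as well before returning err400. Since every v1 client now takes this path, Warn level will be noisy in production; Debug or Info fits the expected case better.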
@@ -161,24 +202,24 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe block, _ := pem.Decode([]byte(requestBody.ClientPublicKey)) if block == nil { logger.WarnContext(ctx, "missing clientPublicKey") - return nil, err400("clientPublicKey failure") + return nil, isV1, err400("clientPublicKey failure") } // Try to parse the clientPublicKey clientPublicKey, err := x509.ParsePKIXPublicKey(block.Bytes) if err != nil { logger.WarnContext(ctx, "failure to parse clientPublicKey", "err", err) - return nil, err400("clientPublicKey parse failure") + return nil, isV1, err400("clientPublicKey parse failure") } // Check to make sure the clientPublicKey is a supported key type switch clientPublicKey.(type) { case *rsa.PublicKey: - return &requestBody, nil + return &requestBody, isV1, nil case *ecdsa.PublicKey: - return &requestBody, nil + return &requestBody, isV1, nil default: logger.WarnContext(ctx, fmt.Sprintf("clientPublicKey not a supported key, was [%T]", clientPublicKey)) - return nil, err400("clientPublicKey unsupported type") + return nil, isV1, err400("clientPublicKey unsupported type") } } @@ -214,13 +255,13 @@ func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logg for _, kao := range req.KeyAccessObjectRequests { if failed { - failedKAORewrap(req.Results, kao, "bad request") + failedKAORewrap(req.Results, kao, err400("bad request")) continue } actualHMAC, err := generateHMACDigest(ctx, []byte(req.Policy.Body), kao.SymmetricKey, logger) if err != nil { logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) - failedKAORewrap(req.Results, kao, "bad request") + failedKAORewrap(req.Results, kao, err400("bad request")) continue } policyBinding := kao.PolicyBinding.(string) 
@@ -233,12 +274,12 @@ func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logg expectedHMAC = expectedHMAC[:n] if err != nil { logger.WarnContext(ctx, "invalid policy binding", "err", err) - failedKAORewrap(req.Results, kao, "bad request") + failedKAORewrap(req.Results, kao, err400("bad request")) continue } if !hmac.Equal(actualHMAC, expectedHMAC) { logger.WarnContext(ctx, "policy hmac mismatch", "policyBinding", policyBinding) - failedKAORewrap(req.Results, kao, "bad request") + failedKAORewrap(req.Results, kao, err400("bad request")) continue } } @@ -272,7 +313,7 @@ func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, err return info, nil } -func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectRequest, err string) *kaspb.KAORewrapResult { +func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectRequest, err error) *kaspb.KAORewrapResult { if kao.Processed { return nil } @@ -280,8 +321,9 @@ func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectReques kaoRes := &kaspb.KAORewrapResult{ KeyAccessObjectId: kao.KeyAccessObjectId, Status: kFailedStatus, - Result: &kaspb.KAORewrapResult_Error{Error: err}, + Result: &kaspb.KAORewrapResult_Error{Error: err.Error()}, } + kao.Err = err res.Results = append(res.Results, kaoRes) return kaoRes } @@ -289,7 +331,7 @@ func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectReques func markUnproccessedRequests(reqs []*request.RewrapRequests) { for _, req := range reqs { for _, kao := range req.KeyAccessObjectRequests { - failedKAORewrap(req.Results, kao, "could not proccess request") + failedKAORewrap(req.Results, kao, err400("could not process request")) } } } 
@@ -298,7 +340,7 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap in := req.Msg p.Logger.DebugContext(ctx, "REWRAP") - body, err := extractSRTBody(ctx, req.Header(), in, *p.Logger) + body, isV1, err := extractSRTBody(ctx, req.Header(), in, *p.Logger) if err != nil { p.Logger.DebugContext(ctx, "unverifiable srt", "err", err) return nil, err @@ -325,7 +367,7 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap var failedKAOs []*kaspb.KAORewrapResult for _, kao := range req.KeyAccessObjectRequests { failedKAOs = append(failedKAOs, - failedKAORewrap(req.Results, kao, fmt.Sprintf("%s is not a valid algorithm", req.Algorithm))) + failedKAORewrap(req.Results, kao, err400(fmt.Sprintf("invalid algorithm: %s", req.Algorithm)))) } rewrapResult := &kaspb.RewrapResult{ Results: failedKAOs, @@ -339,6 +381,17 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap for _, req := range tdf3Reqs { resp.Responses = append(resp.Responses, req.Results) } + if isV1 { + if len(resp.Responses) != 1 || len(resp.Responses[0].Results) != 1 { + return nil, fmt.Errorf("invalid request") + } + res := resp.Responses[0].Results[0] + if res.Status == kFailedStatus { + return nil, tdf3Reqs[0].KeyAccessObjectRequests[0].Err + } + resp.EntityWrappedKey = res.GetKasWrappedKey() + resp.Metadata = res.GetMetadata() + } return connect.NewResponse(resp), err } @@ -357,7 +410,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap for _, kao := range req.KeyAccessObjectRequests { if policyErr != nil { - failedKAORewrap(req.Results, kao, "bad request") + failedKAORewrap(req.Results, kao, err400("bad request")) continue } var kidsToCheck []string 
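Review bot: `failedKAORewrap(req.Results, kao, err400(fmt.Sprintf("invalid algorithm: %s", req.Algorithm)))` in the invalid-algorithm branch runs before anything visible has assigned `req.Results`; as far as these hunks show, it is only set in verifyRewrapRequests (`req.Results = &kaspb.RewrapResult{...}` in PATCH 04's hunk), and failedKAORewrap dereferences it in `res.Results = append(res.Results, kaoRes)`, so a request naming an unknown algorithm would panic with a nil pointer dereference instead of getting its failed result — unless Results is initialised in a part of Rewrap outside these hunks. The nano path added in PATCH 03 has the same gap: neither nanoTDFRewrap nor verifyNanoRewrapRequests assigns `req.Results` before failedKAORewrap and `req.Results.Results = append(...)` use it. Initialising it once where the requests are classified, e.g. `req.Results = &kaspb.RewrapResult{PolicyId: req.Policy.Id}` at the top of the `for _, req := range body.Requests` loop, and making failedKAORewrap return early on a nil `res`, would close both. The classification loop and the rest of Rewrap extend outside the hunk.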
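Review bot: `return nil, tdf3Reqs[0].KeyAccessObjectRequests[0].Err` indexes `tdf3Reqs` although the single v1 request need not be in it: the invalid-algorithm branch in the previous hunk appends its own RewrapResult to `resp.Responses` without adding the request to `tdf3Reqs`, so both length checks pass, the status is `kFailedStatus`, and the index expression panics; once PATCH 03 routes nano requests through `nanoReqs`, a failed v1 nano rewrap takes the same path, and PATCH 04 keeps the expression. Since extractAndConvertV1SRTBody builds exactly one request with one KAO, the error can be read from the body the function already holds: `return nil, body.Requests[0].KeyAccessObjectRequests[0].Err`. The shape check's `fmt.Errorf("invalid request")` also surfaces as an unclassified connect error rather than a 400; `err400("invalid request")` would match the rest of the function. Rewrap's opening lines are outside the hunk.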
@@ -372,7 +425,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap } if len(kidsToCheck) == 0 { p.Logger.WarnContext(ctx, "failure to find legacy kids for rsa") - failedKAORewrap(req.Results, kao, "bad request") + failedKAORewrap(req.Results, kao, err400("bad request")) continue } } @@ -388,7 +441,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap } if err != nil { p.Logger.WarnContext(ctx, "failure to decrypt dek", "err", err) - failedKAORewrap(req.Results, kao, "bad request") + failedKAORewrap(req.Results, kao, err400("bad request")) continue } anyValidKAOs = true @@ -430,7 +483,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq if accessErr != nil { for _, req := range requests { for _, kao := range req.KeyAccessObjectRequests { - failedKAORewrap(req.Results, kao, "could not perform access") + failedKAORewrap(req.Results, kao, err403("could not perform access")) } } return @@ -464,7 +517,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq if !access { p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - failedKAORewrap(req.Results, kao, "forbidden") + failedKAORewrap(req.Results, kao, err403("forbidden")) continue } @@ -472,7 +525,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq if err != nil { p.Logger.WarnContext(ctx, "rewrap: ocrypto.AsymEncryption.encrypt failed", "err", err, "clientPublicKey", clientPublicKey) p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - failedKAORewrap(req.Results, kao, "bad key for rewrap") + failedKAORewrap(req.Results, kao, err400("bad key for rewrap")) continue } req.Results.Results = append(req.Results.Results, &kaspb.KAORewrapResult{ diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index a9eff6e975..ce1b404eef 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go 
@@ -8,6 +8,7 @@ import ( "encoding/hex" "encoding/json" "encoding/pem" + "github.com/opentdf/platform/service/kas/request" "log/slog" "net/http" "testing" @@ -113,10 +114,10 @@ Dzq7D9lqeqSK/ds7r7hpbs4iIr6KrSuXwlXmYtnhRvKT mockIDPOrigin = "https://keycloak-http/" ) -func fauxPolicy() *Policy { - return &Policy{ +func fauxPolicy() *request.Policy { + return &request.Policy{ UUID: uuid.MustParse("12345678-1234-1234-1234-1234567890AB"), - Body: PolicyBody{DataAttributes: []Attribute{ + Body: request.PolicyBody{DataAttributes: []request.Attribute{ {URI: "https://example.com/attr/Classification/value/S"}, {URI: "https://example.com/attr/COI/value/PRX"}, }}, @@ -124,9 +125,9 @@ func fauxPolicy() *Policy { } func emptyPolicyBytes() []byte { - data, err := json.Marshal(Policy{ + data, err := json.Marshal(request.Policy{ UUID: uuid.MustParse("12345678-1234-1234-1234-1234567890AB"), - Body: PolicyBody{}, + Body: request.PolicyBody{}, }) if err != nil { panic(err) @@ -199,7 +200,7 @@ type PolicyBinding struct { Hash string `json:"hash"` } -func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) KeyAccess { +func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) request.KeyAccessObjectRequest { policyBytes := fauxPolicyBytes(t) asym, err := ocrypto.NewAsymEncryption(rsaPublicAlt) require.NoError(t, err, "rewrap: NewAsymEncryption failed") @@ -224,12 +225,15 @@ func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) KeyAccess { } } - return KeyAccess{ - Type: "wrapped", - URL: "http://127.0.0.1:4000", - Protocol: "kas", - WrappedKey: []byte(base64.StdEncoding.EncodeToString(wrappedKey)), - PolicyBinding: policyBinding, + return request.KeyAccessObjectRequest{ + KeyAccessObjectId: "123", + KeyAccess: request.KeyAccess{ + KeyType: "wrapped", + KasURL: "http://127.0.0.1:4000", + Protocol: "kas", + WrappedKey: []byte(base64.StdEncoding.EncodeToString(wrappedKey)), + PolicyBinding: policyBinding, + }, } } 
@@ -276,10 +280,23 @@ func jwtWrongKey(t *testing.T) []byte { return signedMockJWT(t, entityPrivateKey(t)) } +func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*request.RewrapRequests { + + kaoReq := keyAccessWrappedRaw(t, bindingAsString) + return []*request.RewrapRequests{ + { + KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{&kaoReq}, + Policy: request.PolicyRequest{ + Id: "123", + Body: string(policy), + }, + }, + } +} + func makeRewrapBody(t *testing.T, policy []byte, policyBindingAsString bool) []byte { - mockBody := RequestBody{ - KeyAccess: keyAccessWrappedRaw(t, policyBindingAsString), - Policy: string(policy), + mockBody := request.RequestBody{ + Requests: makeRewrapRequests(t, policy, policyBindingAsString), ClientPublicKey: rsaPublicAlt, } bodyData, err := json.Marshal(mockBody) @@ -349,7 +366,7 @@ func TestParseAndVerifyRequest(t *testing.T) { require.NotNil(t, verified, "unable to load request body") require.NotNil(t, verified.ClientPublicKey, "unable to load public key") - policy, err := verifyAndParsePolicy(context.Background(), verified, []byte(plainKey), *logger) + policy, err := verifyAndParsePolicy(context.Background(), verified.Requests[0], *logger) if !tt.shouldError { require.NoError(t, err, "failed to verify policy body=[%v]", tt.body) assert.Len(t, policy.Body.DataAttributes, 2, "incorrect policy body=[%v]", policy.Body) diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 93877a0ad3..33449e98f8 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -67,8 +67,11 @@ message RewrapResult { message RewrapResponse { // Deprecated map metadata = 1; + // Deprecated bytes entity_wrapped_key = 2; + // Deprecated string session_public_key = 3; + // Deprecated string schema_version = 4; // New Rewrap API changes repeated RewrapResult responses = 5; diff --git a/service/kas/request/rewrap.go b/service/kas/request/rewrap.go index 2abc60184a..7740b1d3d6 100644 
--- a/service/kas/request/rewrap.go +++ b/service/kas/request/rewrap.go @@ -3,29 +3,30 @@ package request import "github.com/opentdf/platform/protocol/go/kas" type PolicyRequest struct { - Id string `json:"id"` + Id string `json:"id"` Body string `json:"body"` } type KeyAccessObjectRequest struct { KeyAccessObjectId string `json:"keyAccessObjectId"` - KeyAccess `json:"keyAccessObject"` + KeyAccess `json:"keyAccessObject"` // For Platform Use - Processed bool `json:"-"` + Processed bool `json:"-"` SymmetricKey []byte `json:"-"` + Err error `json"-"` } type RewrapRequests struct { KeyAccessObjectRequests []*KeyAccessObjectRequest `json:"keyAccessObjects"` - Policy PolicyRequest `json:"policy"` - Algorithm string `json:"algorithm,omitempty"` + Policy PolicyRequest `json:"policy"` + Algorithm string `json:"algorithm,omitempty"` // For Platform Use Results *kas.RewrapResult `json:"-"` } type RequestBody struct { - Requests []*RewrapRequests `json:"requests"` - ClientPublicKey string `json:"ClientPublicKey"` + Requests []*RewrapRequests `json:"requests"` + ClientPublicKey string `json:"ClientPublicKey"` } From 69f9d07bb03e78bf6b4fe1fd3f4e649c1f27293a Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 03/48] add in working nano Summary: Test Plan: --- service/kas/access/rewrap.go | 290 ++++++++++++++++++------------ service/kas/access/rewrap_test.go | 4 +- service/kas/kas.proto | 1 - 3 files changed, 176 insertions(+), 119 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 35db1aed32..1a01ac97ec 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -1,6 +1,7 @@ package access import ( + "bytes" // "bytes" "context" "crypto" 
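Review bot: The stale `// "bytes"` line is left directly under the newly added `"bytes"` import in the rewrap.go import hunk of PATCH 03; now that the package is imported for real, the commented-out copy should go, leaving just `"bytes"` in the standard-library group.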
@@ -354,12 +355,12 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap resp := &kaspb.RewrapResponse{} - // var nanoReqs []*RewrapRequests + var nanoReqs []*request.RewrapRequests var tdf3Reqs []*request.RewrapRequests for _, req := range body.Requests { switch { - // case req.Algorithm == kNanoAlgorithm: - // nanoReqs = append(nanoReqs, req) + case req.Algorithm == kNanoAlgorithm: + nanoReqs = append(nanoReqs, req) case req.Algorithm == "" || req.Algorithm == kTDF3Algorithm: tdf3Reqs = append(tdf3Reqs, req) default: @@ -375,12 +376,23 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap resp.Responses = append(resp.Responses, rewrapResult) } } + var requests []*request.RewrapRequests + if len(tdf3Reqs) > 0 { + p.tdf3Rewrap(ctx, tdf3Reqs, body.ClientPublicKey, entityInfo) + requests = append(requests, tdf3Reqs...) - p.tdf3Rewrap(ctx, tdf3Reqs, body.ClientPublicKey, entityInfo) - markUnproccessedRequests(tdf3Reqs) - for _, req := range tdf3Reqs { + } + + if len(nanoReqs) > 0 { + resp.SessionPublicKey = p.nanoTDFRewrap(ctx, nanoReqs, body.ClientPublicKey, entityInfo) + requests = append(requests, nanoReqs...) + } + + markUnproccessedRequests(requests) + for _, req := range requests { resp.Responses = append(resp.Responses, req.Results) } + if isV1 { if len(resp.Responses) != 1 || len(resp.Responses[0].Results) != 1 { return nil, fmt.Errorf("invalid request") @@ -481,11 +493,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq } pdpAccessResults, accessErr := p.canAccess(ctx, tok, policies) if accessErr != nil { - for _, req := range requests { - for _, kao := range req.KeyAccessObjectRequests { - failedKAORewrap(req.Results, kao, err403("could not perform access")) - } - } + failAllKaos(requests, err403("could not perform access")) return } 
@@ -540,111 +548,153 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq } } -// func (p *Provider) nanoTDFRewrap(ctx context.Context, body *RequestBody, entity *entityInfo) (*kaspb.RewrapResponse, error) { -// if p.Tracer != nil { -// var span trace.Span -// ctx, span = p.Tracer.Start(ctx, "rewrap-nanotdf") -// defer span.End() -// } -// -// headerReader := bytes.NewReader(body.KeyAccess.Header) -// -// header, _, err := sdk.NewNanoTDFHeaderFromReader(headerReader) -// if err != nil { -// return nil, fmt.Errorf("failed to parse NanoTDF header: %w", err) -// } -// // Lookup KID from nano header -// kid, err := header.GetKasURL().GetIdentifier() -// if err != nil { -// p.Logger.DebugContext(ctx, "nanoTDFRewrap GetIdentifier", "kid", kid, "err", err) -// // legacy nano with KID -// kid, err = p.lookupKid(ctx, security.AlgorithmECP256R1) -// if err != nil { -// p.Logger.ErrorContext(ctx, "failure to find default kid for ec", "err", err) -// return nil, err400("bad request") -// } -// p.Logger.DebugContext(ctx, "nanoTDFRewrap lookupKid", "kid", kid) -// } -// p.Logger.DebugContext(ctx, "nanoTDFRewrap", "kid", kid) -// ecCurve, err := header.ECCurve() -// if err != nil { -// return nil, fmt.Errorf("ECCurve failed: %w", err) -// } -// -// symmetricKey, err := p.CryptoProvider.GenerateNanoTDFSymmetricKey(kid, header.EphemeralKey, ecCurve) -// if err != nil { -// return nil, fmt.Errorf("failed to generate symmetric key: %w", err) -// } -// -// // extract the policy -// policy, err := extractNanoPolicy(symmetricKey, header) -// if err != nil { -// return nil, fmt.Errorf("Error extracting policy: %w", err) -// } -// -// // check the policy binding -// verify, err := header.VerifyPolicyBinding() -// if err != nil { -// return nil, fmt.Errorf("failed to verify policy binding: %w", err) -// } -// -// if !verify { -// return nil, fmt.Errorf("policy binding verification failed") -// } -// -// // do the access check -// tok := &authorization.Token{ 
-// Id: "rewrap-tok", -// Jwt: entity.Token, -// } -// -// access, err := p.canAccess(ctx, tok, *policy) -// -// // Audit the rewrap -// kasPolicy := ConvertToAuditKasPolicy(*policy) -// auditEventParams := audit.RewrapAuditEventParams{ -// Policy: kasPolicy, -// TDFFormat: "nano", -// Algorithm: body.Algorithm, -// } -// -// if err != nil { -// p.Logger.WarnContext(ctx, "Could not perform access decision!", "err", err) -// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) -// return nil, err403("forbidden") -// } -// -// if !access { -// p.Logger.WarnContext(ctx, "Access Denied; no reason given") -// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) -// return nil, err403("forbidden") -// } -// -// privateKeyHandle, publicKeyHandle, err := p.CryptoProvider.GenerateEphemeralKasKeys() -// if err != nil { -// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) -// return nil, fmt.Errorf("failed to generate keypair: %w", err) -// } -// sessionKey, err := p.CryptoProvider.GenerateNanoTDFSessionKey(privateKeyHandle, []byte(body.ClientPublicKey)) -// if err != nil { -// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) -// return nil, fmt.Errorf("failed to generate session key: %w", err) -// } -// -// cipherText, err := wrapKeyAES(sessionKey, symmetricKey) -// if err != nil { -// p.Logger.Audit.RewrapFailure(ctx, auditEventParams) -// return nil, fmt.Errorf("failed to encrypt key: %w", err) -// } -// -// p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) -// -// return &kaspb.RewrapResponse{ -// EntityWrappedKey: cipherText, -// SessionPublicKey: string(publicKeyHandle), -// SchemaVersion: schemaVersion, -// }, nil -// } +func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.RewrapRequests, clientPublicKey string, entity *entityInfo) string { + if p.Tracer != nil { + var span trace.Span + ctx, span = p.Tracer.Start(ctx, "rewrap-nanotdf") + defer span.End() + } + + var policies []*request.Policy + policyReqs := 
make(map[*request.Policy]*request.RewrapRequests) + + for _, req := range requests { + policy := p.verifyNanoRewrapRequests(ctx, req) + if policy != nil { + policies = append(policies, policy) + policyReqs[policy] = req + } + } + // do the access check + tok := &authorization.Token{ + Id: "rewrap-tok", + Jwt: entity.Token, + } + + pdpAccessResults, accessErr := p.canAccess(ctx, tok, policies) + if accessErr != nil { + failAllKaos(requests, err403("could not perform access")) + return "" + } + + privateKeyHandle, publicKeyHandle, err := p.CryptoProvider.GenerateEphemeralKasKeys() + if err != nil { + failAllKaos(requests, fmt.Errorf("failed to generate keypair: %w", err)) + return "" + } + sessionKey, err := p.CryptoProvider.GenerateNanoTDFSessionKey(privateKeyHandle, []byte(clientPublicKey)) + if err != nil { + failAllKaos(requests, fmt.Errorf("failed to generate session key: %w", err)) + return "" + } + + for _, pdpAccess := range pdpAccessResults { + policy := pdpAccess.Policy + req, ok := policyReqs[policy] + if !ok { // this should not happen + continue + } + access := pdpAccess.Access + + // Audit the Nano Rewrap + kasPolicy := request.ConvertToAuditKasPolicy(*policy) + + for _, kao := range req.KeyAccessObjectRequests { + auditEventParams := audit.RewrapAuditEventParams{ + Policy: kasPolicy, + IsSuccess: access, + TDFFormat: "Nano", + Algorithm: req.Algorithm, + } + + if !access { + p.Logger.Audit.RewrapFailure(ctx, auditEventParams) + failedKAORewrap(req.Results, kao, err403("forbidden")) + continue + } + cipherText, err := wrapKeyAES(sessionKey, kao.SymmetricKey) + if err != nil { + p.Logger.Audit.RewrapFailure(ctx, auditEventParams) + failedKAORewrap(req.Results, kao, err403("forbidden")) + continue + } + + req.Results.Results = append(req.Results.Results, &kaspb.KAORewrapResult{ + KeyAccessObjectId: kao.KeyAccessObjectId, + Status: kPermitStatus, + Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: cipherText}, + }) + + kao.Processed = true + 
p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) + } + } + return string(publicKeyHandle) +} +func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *request.RewrapRequests) *request.Policy { + + for _, kao := range req.KeyAccessObjectRequests { + // there should never be multiple KAOs in policy + if len(req.KeyAccessObjectRequests) != 1 { + failedKAORewrap(req.Results, kao, err400("NanoTDFs should not have multiple KAOs per Policy")) + continue + } + + headerReader := bytes.NewReader(kao.Header) + header, _, err := sdk.NewNanoTDFHeaderFromReader(headerReader) + if err != nil { + failedKAORewrap(req.Results, kao, fmt.Errorf("failed to parse NanoTDF header: %w", err)) + return nil + } + // Lookup KID from nano header + kid, err := header.GetKasURL().GetIdentifier() + if err != nil { + p.Logger.DebugContext(ctx, "nanoTDFRewrap GetIdentifier", "kid", kid, "err", err) + // legacy nano with KID + kid, err = p.lookupKid(ctx, security.AlgorithmECP256R1) + if err != nil { + p.Logger.ErrorContext(ctx, "failure to find default kid for ec", "err", err) + failedKAORewrap(req.Results, kao, err400("bad request")) + continue + } + p.Logger.DebugContext(ctx, "nanoTDFRewrap lookupKid", "kid", kid) + } + p.Logger.DebugContext(ctx, "nanoTDFRewrap", "kid", kid) + ecCurve, err := header.ECCurve() + if err != nil { + failedKAORewrap(req.Results, kao, fmt.Errorf("ECCurve failed: %w", err)) + return nil + } + + symmetricKey, err := p.CryptoProvider.GenerateNanoTDFSymmetricKey(kid, header.EphemeralKey, ecCurve) + if err != nil { + failedKAORewrap(req.Results, kao, fmt.Errorf("failed to generate symmetric key: %w", err)) + return nil + } + + // extract the policy + policy, err := extractNanoPolicy(symmetricKey, header) + if err != nil { + failedKAORewrap(req.Results, kao, fmt.Errorf("Error extracting policy: %w", err)) + return nil + } + + // check the policy binding + verify, err := header.VerifyPolicyBinding() + if err != nil { + failedKAORewrap(req.Results, kao, 
fmt.Errorf("failed to verify policy binding: %w", err)) + return nil + } + + if !verify { + failedKAORewrap(req.Results, kao, fmt.Errorf("policy binding verification failed")) + return nil + } + kao.SymmetricKey = symmetricKey + return policy + } + return nil +} func extractNanoPolicy(symmetricKey []byte, header sdk.NanoTDFHeader) (*request.Policy, error) { gcm, err := ocrypto.NewAESGcm(symmetricKey) @@ -687,3 +737,11 @@ func wrapKeyAES(sessionKey, dek []byte) ([]byte, error) { return cipherText, nil } + +func failAllKaos(requests []*request.RewrapRequests, err error) { + for _, req := range requests { + for _, kao := range req.KeyAccessObjectRequests { + failedKAORewrap(req.Results, kao, err) + } + } +} diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index ce1b404eef..0fc4fc5ab7 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go @@ -353,7 +353,7 @@ func TestParseAndVerifyRequest(t *testing.T) { logger := logger.CreateTestLogger() - verified, err := extractSRTBody( + verified, _, err := extractSRTBody( ctx, http.Header{}, &kaspb.RewrapRequest{ @@ -392,7 +392,7 @@ func Test_SignedRequestBody_When_Bad_Signature_Expect_Failure(t *testing.T) { md := metadata.New(map[string]string{"token": string(jwtWrongKey(t))}) ctx = metadata.NewIncomingContext(ctx, md) - verified, err := extractSRTBody( + verified, _, err := extractSRTBody( ctx, http.Header{}, &kaspb.RewrapRequest{ diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 33449e98f8..69e80e78e7 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -69,7 +69,6 @@ message RewrapResponse { map metadata = 1; // Deprecated bytes entity_wrapped_key = 2; - // Deprecated string session_public_key = 3; // Deprecated string schema_version = 4; From c029c304a67bd24e304cb154ccee45c1dddca721 Mon Sep 17 00:00:00 2001 
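Review bot: `TDFFormat: "Nano"` in the audit params changes the value the removed code emitted (`TDFFormat: "nano"`), so any audit query or alert keyed on the lowercase format string stops matching nano rewrap events; the TDF3 path's literal is outside the hunk, but the format values should be spelled one way, and the existing `"nano"` is the safer choice. In the same loop, a `wrapKeyAES` failure is reported as `err403("forbidden")` and audited as a rewrap failure although it is a server-side encryption error rather than an access decision; logging it and failing the KAO with a fixed non-403 error (`fmt.Errorf("failed to encrypt key")`) keeps both the audit trail and the client-visible status honest. In verifyNanoRewrapRequests the lookupKid failure branch `continue`s while every other failure does `return nil`; because the first check guarantees a single KAO, that `continue` behaves like a return, and `return nil` (or dropping the loop for `kao := req.KeyAccessObjectRequests[0]` after the length check) would make the control flow explicit.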
From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 04/48] lint changes Summary: Test Plan: --- service/kas/access/accessPdp.go | 7 +++--- service/kas/access/rewrap.go | 42 +++++++++++++++++-------------- service/kas/access/rewrap_test.go | 9 +++---- service/kas/kas.proto | 2 +- service/kas/request/attribute.go | 2 +- service/kas/request/keyaccess.go | 6 ++--- service/kas/request/rewrap.go | 8 +++--- 7 files changed, 40 insertions(+), 36 deletions(-) diff --git a/service/kas/access/accessPdp.go b/service/kas/access/accessPdp.go index 519f474e04..07e90a0476 100644 --- a/service/kas/access/accessPdp.go +++ b/service/kas/access/accessPdp.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "github.com/opentdf/platform/service/kas/request" "github.com/opentdf/platform/protocol/go/authorization" @@ -49,12 +50,12 @@ func (p *Provider) canAccess(ctx context.Context, token *authorization.Token, po if err != nil { return nil, err } - for _, resp := range dr.DecisionResponses { - policy, ok := idPolicyMap[resp.ResourceAttributesId] + for _, resp := range dr.GetDecisionResponses() { + policy, ok := idPolicyMap[resp.GetResourceAttributesId()] if !ok { // this really should not happen continue } - res = append(res, PDPAccessResult{Policy: policy, Access: resp.Decision == authorization.DecisionResponse_DECISION_PERMIT}) + res = append(res, PDPAccessResult{Policy: policy, Access: resp.GetDecision() == authorization.DecisionResponse_DECISION_PERMIT}) } return res, nil diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 1a01ac97ec..614ac4a5a9 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go 
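Review bot: The added import `"github.com/opentdf/platform/service/kas/request"` in the accessPdp.go import hunk sits in the standard-library group, above the blank line that separates it from the existing `github.com/opentdf/platform/protocol/go/authorization` import; goimports would move it into the second group, and the rewrap_test.go hunk in this same "lint changes" commit does exactly that regrouping, so the two files end up inconsistent. Placing the `request` import after the `authorization` import in the project group resolves it.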
@@ -127,33 +127,32 @@ func justRequestBody(ctx context.Context, token jwt.Token, logger logger.Logger) return rbString, nil } -func extractAndConvertV1SRTBody(body []byte) (request.RequestBody, error) { +func extractAndConvertV1SRTBody(body []byte) (request.Body, error) { var requestBody RequestBody if err := json.Unmarshal(body, &requestBody); err != nil { - return request.RequestBody{}, err + return request.Body{}, err } reqs := []*request.RewrapRequests{ { KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ - {KeyAccessObjectId: "kao-0", KeyAccess: requestBody.KeyAccess}, + {KeyAccessObjectID: "kao-0", KeyAccess: requestBody.KeyAccess}, }, Algorithm: requestBody.Algorithm, Policy: request.PolicyRequest{ - Id: "policy-1", + ID: "policy-1", Body: requestBody.Policy, }, }, } - return request.RequestBody{ + return request.Body{ ClientPublicKey: requestBody.ClientPublicKey, Requests: reqs, }, nil - } -func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*request.RequestBody, bool, error) { +func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*request.Body, bool, error) { isV1 := false // First load legacy method for verifying SRT if vpk, ok := headers["X-Virtrupubkey"]; ok && len(vpk) == 1 { @@ -186,7 +185,7 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } } - var requestBody request.RequestBody + var requestBody request.Body err = json.Unmarshal([]byte(rbString), &requestBody) // if there are no requests then it could be a v1 request if err != nil || len(requestBody.Requests) == 0 { 
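Review bot: `if err != nil || len(requestBody.Requests) == 0 {` treats an undecodable body and a well-formed v2 body with an empty `requests` array the same way, and the unmarshal error from the v2 attempt is dropped, so a malformed v2 request is reported as whatever the legacy RequestBody parse says about it; the fallback body and the rest of extractSRTBody are outside the hunk. As far as the visible fields go, a legacy body decodes into request.Body without error (it simply has no `requests`), so the fallback only needs `len(requestBody.Requests) == 0`; logging the v2 error before falling back, e.g. `logger.DebugContext(ctx, "request body is not v2, trying v1", "err", err)`, and returning an err400 when `err != nil` would keep the two failure modes distinguishable in the logs and for the client.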
@@ -265,7 +264,12 @@ func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logg failedKAORewrap(req.Results, kao, err400("bad request")) continue } - policyBinding := kao.PolicyBinding.(string) + policyBinding, ok := kao.PolicyBinding.(string) + if !ok { + logger.WarnContext(ctx, "bad policy binding") + failedKAORewrap(req.Results, kao, err400("bad request")) + continue + } expectedHMAC := make([]byte, base64.StdEncoding.DecodedLen(len(policyBinding))) n, err := base64.StdEncoding.Decode(expectedHMAC, []byte(policyBinding)) @@ -320,7 +324,7 @@ func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectReques } kao.Processed = true kaoRes := &kaspb.KAORewrapResult{ - KeyAccessObjectId: kao.KeyAccessObjectId, + KeyAccessObjectId: kao.KeyAccessObjectID, Status: kFailedStatus, Result: &kaspb.KAORewrapResult_Error{Error: err.Error()}, } @@ -380,7 +384,6 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap if len(tdf3Reqs) > 0 { p.tdf3Rewrap(ctx, tdf3Reqs, body.ClientPublicKey, entityInfo) requests = append(requests, tdf3Reqs...) - } if len(nanoReqs) > 0 { @@ -394,11 +397,11 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap } if isV1 { - if len(resp.Responses) != 1 || len(resp.Responses[0].Results) != 1 { + if len(resp.GetResponses()) != 1 || len(resp.GetResponses()[0].GetResults()) != 1 { return nil, fmt.Errorf("invalid request") } - res := resp.Responses[0].Results[0] - if res.Status == kFailedStatus { + res := resp.GetResponses()[0].GetResults()[0] + if res.GetStatus() == kFailedStatus { return nil, tdf3Reqs[0].KeyAccessObjectRequests[0].Err } resp.EntityWrappedKey = res.GetKasWrappedKey() 
@@ -413,7 +416,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap p.Logger.DebugContext(ctx, "extracting policy", "requestBody.policy", req.Policy) sDecPolicy, policyErr := base64.StdEncoding.DecodeString(req.Policy.Body) req.Results = &kaspb.RewrapResult{ - PolicyId: req.Policy.Id, + PolicyId: req.Policy.ID, } policy := &request.Policy{} if policyErr == nil { @@ -460,8 +463,9 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap } if policyErr != nil { - return policy, nil + return nil, policyErr } + if !anyValidKAOs { p.Logger.WarnContext(ctx, "no valid KAOs found") return policy, fmt.Errorf("no valid KAOs") @@ -537,7 +541,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq continue } req.Results.Results = append(req.Results.Results, &kaspb.KAORewrapResult{ - KeyAccessObjectId: kao.KeyAccessObjectId, + KeyAccessObjectId: kao.KeyAccessObjectID, Status: kPermitStatus, Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: rewrappedKey}, }) @@ -620,7 +624,7 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.Rewrap } req.Results.Results = append(req.Results.Results, &kaspb.KAORewrapResult{ - KeyAccessObjectId: kao.KeyAccessObjectId, + KeyAccessObjectId: kao.KeyAccessObjectID, Status: kPermitStatus, Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: cipherText}, }) @@ -631,8 +635,8 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.Rewrap } return string(publicKeyHandle) } -func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *request.RewrapRequests) *request.Policy { +func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *request.RewrapRequests) *request.Policy { for _, kao := range req.KeyAccessObjectRequests { // there should never be multiple KAOs in policy if len(req.KeyAccessObjectRequests) != 1 { 
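Review bot: `return nil, policyErr` makes the decode-failure exit of verifyRewrapRequests return no policy, but the `no valid KAOs` branch just below still returns `policy, fmt.Errorf("no valid KAOs")`; if the caller in tdf3Rewrap (outside this hunk) collects policies by testing for a non-nil policy rather than the error, a request whose every KAO failed verification would still be sent to the PDP with its policy. Returning `nil, fmt.Errorf("no valid KAOs")` keeps the two error exits consistent with the convention that the value is meaningless on error. The raw `policyErr` from `base64.StdEncoding.DecodeString` also reaches the caller without context; since the KAOs already carry an `err400("bad request")`, wrapping it as `return nil, fmt.Errorf("decoding policy: %w", policyErr)` makes the log line say which step failed.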
diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index 0fc4fc5ab7..a7c5a2cc80 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go @@ -8,7 +8,6 @@ import ( "encoding/hex" "encoding/json" "encoding/pem" - "github.com/opentdf/platform/service/kas/request" "log/slog" "net/http" "testing" @@ -25,6 +24,7 @@ import ( "github.com/google/uuid" kaspb "github.com/opentdf/platform/protocol/go/kas" + "github.com/opentdf/platform/service/kas/request" "google.golang.org/grpc/metadata" ) @@ -226,7 +226,7 @@ func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) request.KeyAc } return request.KeyAccessObjectRequest{ - KeyAccessObjectId: "123", + KeyAccessObjectID: "123", KeyAccess: request.KeyAccess{ KeyType: "wrapped", KasURL: "http://127.0.0.1:4000", @@ -281,13 +281,12 @@ func jwtWrongKey(t *testing.T) []byte { } func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*request.RewrapRequests { - kaoReq := keyAccessWrappedRaw(t, bindingAsString) return []*request.RewrapRequests{ { KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{&kaoReq}, Policy: request.PolicyRequest{ - Id: "123", + ID: "123", Body: string(policy), }, }, @@ -295,7 +294,7 @@ func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*re } func makeRewrapBody(t *testing.T, policy []byte, policyBindingAsString bool) []byte { - mockBody := request.RequestBody{ + mockBody := request.Body{ Requests: makeRewrapRequests(t, policy, policyBindingAsString), ClientPublicKey: rsaPublicAlt, } diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 69e80e78e7..55d832c735 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -53,7 +53,7 @@ message KAORewrapResult { string key_access_object_id = 2; string status = 3; oneof result { - bytes kasWrappedKey = 4; + bytes kas_wrapped_key = 4; string error = 5; } } 
diff --git a/service/kas/request/attribute.go b/service/kas/request/attribute.go
index 087f5be9f0..424da91ce1 100644
--- a/service/kas/request/attribute.go
+++ b/service/kas/request/attribute.go
@@ -4,7 +4,7 @@ import (
 "crypto"
 )
-const schemaVersion = "1.1.0"
+// const schemaVersion = "1.1.0"
 type Attribute struct {
 URI string `json:"attribute"` // attribute
diff --git a/service/kas/request/keyaccess.go b/service/kas/request/keyaccess.go
index e8580a226f..1bf67b9223 100644
--- a/service/kas/request/keyaccess.go
+++ b/service/kas/request/keyaccess.go
@@ -4,10 +4,10 @@ type KeyAccess struct {
 EncryptedMetadata string `json:"encryptedMetadata,omitempty"`
 PolicyBinding interface{} `json:"policyBinding,omitempty"`
 Protocol string `json:"protocol"`
- KeyType string `json:"type"`
- KasURL string `json:"url"`
+ KeyType string `json:"type"`
+ KasURL string `json:"url"`
 KID string `json:"kid,omitempty"`
- SplitID string `json:"sid,omitempty"`
+ SplitID string `json:"sid,omitempty"`
 WrappedKey []byte `json:"wrappedKey,omitempty"`
 Header []byte `json:"header,omitempty"`
 Algorithm string `json:"algorithm,omitempty"`
diff --git a/service/kas/request/rewrap.go b/service/kas/request/rewrap.go
index 7740b1d3d6..096bd2d65b 100644
--- a/service/kas/request/rewrap.go
+++ b/service/kas/request/rewrap.go
@@ -3,18 +3,18 @@ package request
 import "github.com/opentdf/platform/protocol/go/kas"
 type PolicyRequest struct {
- Id string `json:"id"`
+ ID string `json:"id"`
 Body string `json:"body"`
 }
 type KeyAccessObjectRequest struct {
- KeyAccessObjectId string `json:"keyAccessObjectId"`
+ KeyAccessObjectID string `json:"keyAccessObjectId"`
 KeyAccess `json:"keyAccessObject"`
 // For Platform Use
 Processed bool `json:"-"`
 SymmetricKey []byte `json:"-"`
- Err error `json"-"`
+ Err error `json:"-"`
 }
 type RewrapRequests struct {
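Review bot: `// const schemaVersion = "1.1.0"` in the attribute.go hunk leaves dead code behind as a comment; if the constant is no longer referenced after the rewrap rewrite, delete the line (history keeps it), and if a caller outside this hunk still needs the version string, restoring it under a used name is better than a commented-out declaration that will drift from whatever the response actually reports.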
@@ -26,7 +26,7 @@ type RewrapRequests struct {
 Results *kas.RewrapResult `json:"-"`
 }
-type RequestBody struct {
+type Body struct {
 Requests []*RewrapRequests `json:"requests"`
 ClientPublicKey string `json:"ClientPublicKey"`
 }
From 23bc7fb2d89ceae90d3429ddb1d06f2f797d08a4 Mon Sep 17 00:00:00 2001
From: Dominic Reed
Date: Fri, 10 Jan 2025 14:13:57 -0800
Subject: [PATCH 05/48] fixes rewrap tests
---
 service/kas/access/rewrap.go | 32 +++++++++++++++----------------
 service/kas/access/rewrap_test.go | 6 ++++++
 2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go
index 614ac4a5a9..924f34e43f 100644
--- a/service/kas/access/rewrap.go
+++ b/service/kas/access/rewrap.go
@@ -223,20 +223,6 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe
 }
 }
-func extractPolicyBinding(policyBinding interface{}) (string, error) {
- switch v := policyBinding.(type) {
- case string:
- return v, nil
- case map[string]interface{}:
- if hash, ok := v["hash"].(string); ok {
- return hash, nil
- }
- return "", fmt.Errorf("invalid policy binding object, missing 'hash' field")
- default:
- return "", fmt.Errorf("unsupported policy binding type")
- }
-}
-
 func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logger logger.Logger) (*request.Policy, error) {
 failed := false
 sDecPolicy, err := base64.StdEncoding.DecodeString(req.Policy.Body)
@@ -264,8 +250,8 @@ func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logg
 failedKAORewrap(req.Results, kao, err400("bad request"))
 continue
 }
- policyBinding, ok := kao.PolicyBinding.(string)
- if !ok {
+ policyBinding, err := extractPolicyBinding(kao.PolicyBinding)
+ if err != nil {
 logger.WarnContext(ctx, "bad policy binding")
 failedKAORewrap(req.Results, kao, err400("bad request"))
 continue
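Review bot: `logger.WarnContext(ctx, "bad policy binding")` in the verifyAndParsePolicy hunk discards the error that extractPolicyBinding now returns, unlike the neighbouring warnings that attach `"err", err`, so the log cannot tell an unsupported binding type from an object without a `hash`; `logger.WarnContext(ctx, "bad policy binding", "err", err)` fixes that without changing the client-facing `err400("bad request")`. The enclosing per-KAO loop starts and ends outside the hunk.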
@@ -295,6 +281,20 @@ func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logg return &policy, nil } +func extractPolicyBinding(policyBinding interface{}) (string, error) { + switch v := policyBinding.(type) { + case string: + return v, nil + case map[string]interface{}: + if hash, ok := v["hash"].(string); ok { + return hash, nil + } + return "", fmt.Errorf("invalid policy binding object, missing 'hash' field") + default: + return "", fmt.Errorf("unsupported policy binding type") + } +} + func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, error) { info := new(entityInfo) diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index a7c5a2cc80..15dafd7cf4 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go @@ -8,6 +8,7 @@ import ( "encoding/hex" "encoding/json" "encoding/pem" + "errors" "log/slog" "net/http" "testing" @@ -365,7 +366,12 @@ func TestParseAndVerifyRequest(t *testing.T) { require.NotNil(t, verified, "unable to load request body") require.NotNil(t, verified.ClientPublicKey, "unable to load public key") + verified.Requests[0].Results = &kaspb.RewrapResult{} + + verified.Requests[0].KeyAccessObjectRequests[0].SymmetricKey = []byte(plainKey) + policy, err := verifyAndParsePolicy(context.Background(), verified.Requests[0], *logger) + err = errors.Join(err, verified.Requests[0].KeyAccessObjectRequests[0].Err) if !tt.shouldError { require.NoError(t, err, "failed to verify policy body=[%v]", tt.body) assert.Len(t, policy.Body.DataAttributes, 2, "incorrect policy body=[%v]", policy.Body) From 2ab7e2a79768300f6df7c236e25ceb86408748cd Mon Sep 17 00:00:00 2001 
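Review bot: extractPolicyBinding returns only the `hash` of an object-form binding and drops every other field, so an `alg` value, if a client sends one, never reaches the verifier and a binding whose declared algorithm does not match what the server computes is accepted as long as the hash happens to agree. Unless the HMAC algorithm is fixed by protocol for every caller (generateHMACDigest is not visible here), the function should reject an `alg` it does not recognize or pass it up to the caller, and the accepted shape should be documented: `// extractPolicyBinding accepts a bare base64 string or an object {"hash": "..."}; other fields, including any alg, are currently ignored.`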
From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 06/48] Proto-generate Summary: Test Plan: --- docs/grpc/index.html | 6 +- docs/openapi/kas/kas.swagger.json | 6 +- protocol/go/kas/kas.pb.go | 152 +++++++++++++++--------------- 3 files changed, 84 insertions(+), 80 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index d6fed367a5..ff3e231312 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -3247,7 +3247,7 @@

    KAORewrapResult

    - kasWrappedKey + kas_wrapped_key bytes

    @@ -3436,7 +3436,7 @@

    RewrapResponse

    entity_wrapped_key bytes -

    +

    Deprecated

    @@ -3450,7 +3450,7 @@

    RewrapResponse

    schema_version string -

    +

    Deprecated

    diff --git a/docs/openapi/kas/kas.swagger.json b/docs/openapi/kas/kas.swagger.json index a8e165302d..46409eaa56 100644 --- a/docs/openapi/kas/kas.swagger.json +++ b/docs/openapi/kas/kas.swagger.json @@ -181,13 +181,15 @@ }, "entityWrappedKey": { "type": "string", - "format": "byte" + "format": "byte", + "title": "Deprecated" }, "sessionPublicKey": { "type": "string" }, "schemaVersion": { - "type": "string" + "type": "string", + "title": "Deprecated" }, "responses": { "type": "array", diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index d8df41d2ff..16139a6317 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go @@ -416,7 +416,7 @@ type isKAORewrapResult_Result interface { } type KAORewrapResult_KasWrappedKey struct { - KasWrappedKey []byte `protobuf:"bytes,4,opt,name=kasWrappedKey,proto3,oneof"` + KasWrappedKey []byte `protobuf:"bytes,4,opt,name=kas_wrapped_key,json=kasWrappedKey,proto3,oneof"` } type KAORewrapResult_Error struct { 
@@ -488,10 +488,12 @@ type RewrapResponse struct { unknownFields protoimpl.UnknownFields // Deprecated - Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"` - SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"` - SchemaVersion string `protobuf:"bytes,4,opt,name=schema_version,json=schemaVersion,proto3" json:"schema_version,omitempty"` + Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + // Deprecated + EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"` + SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"` + // Deprecated + SchemaVersion string `protobuf:"bytes,4,opt,name=schema_version,json=schemaVersion,proto3" json:"schema_version,omitempty"` // New Rewrap API changes Responses []*RewrapResult `protobuf:"bytes,5,rep,name=responses,proto3" json:"responses,omitempty"` } 
@@ -603,7 +605,7 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, - 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xb9, 0x02, 0x0a, + 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xbb, 0x02, 0x0a, 0x0f, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x3e, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 
@@ -613,80 +615,80 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x26, 0x0a, 0x0d, 0x6b, 0x61, 0x73, - 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, - 0x48, 0x00, 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, - 0x79, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, - 0x48, 0x00, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x08, - 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x5b, 0x0a, 0x0c, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, - 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, - 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 0xd8, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 
0x72, 0x61, 0x70, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3d, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, - 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, - 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, - 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, - 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x63, 0x68, - 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2f, 0x0a, 0x09, 0x72, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, - 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, - 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, + 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x61, 0x73, + 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x0c, 0x48, 0x00, 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, + 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, + 0x28, 0x09, 0x48, 
0x00, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, - 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, - 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, - 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, - 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, - 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, - 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, - 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 
0x75, 0x62, 0x6c, 0x69, 0x63, - 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, - 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, - 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, - 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, - 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, - 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, - 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, - 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, - 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, - 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, - 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, - 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, - 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, - 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0xea, 
0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x42, 0x08, 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x5b, 0x0a, 0x0c, 0x52, 0x65, + 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, + 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, + 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, + 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 0xd8, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3d, 0x0a, 0x08, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, + 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, + 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, + 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, + 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, + 0x63, 0x68, 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 
0x69, 0x6f, 0x6e, 0x12, 0x2f, 0x0a, 0x09, + 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x11, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, + 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, + 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, + 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, + 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, + 0x38, 0x01, 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, + 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, + 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, + 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 
0x75, + 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, + 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, + 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, + 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, + 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, + 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, + 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, + 0x72, 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, + 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, + 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, + 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, + 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, + 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, + 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, + 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, + 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 
0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, + 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, + 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( From e8db50467431516cbe72caaf006592130fde438d Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 07/48] benchmark divide by 0 Summary: Test Plan: --- examples/cmd/benchmark.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/examples/cmd/benchmark.go b/examples/cmd/benchmark.go index 3909cb1ffc..125fd7afa7 100644 --- a/examples/cmd/benchmark.go +++ b/examples/cmd/benchmark.go @@ -202,6 +202,10 @@ func runBenchmark(cmd *cobra.Command, args []string) error { successCount++ totalDuration += result } + // fixes divide by 0 error + if successCount == 0 { + successCount = 1 + } totalTime := time.Since(startTime) averageLatency := totalDuration / time.Duration(successCount) From 8092608344039890e6bc5f19151554468270d48f Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 08/48] fixes nil err in NTDF rewrap Summary: Test Plan: --- service/kas/access/rewrap.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 924f34e43f..ea4ccb6818 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -637,6 +637,9 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.Rewrap } func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *request.RewrapRequests) *request.Policy { + req.Results = &kaspb.RewrapResult{ + PolicyId: req.Policy.ID, + } for _, kao := range req.KeyAccessObjectRequests { // there should never be multiple KAOs in policy if len(req.KeyAccessObjectRequests) != 1 { 
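Review bot: Forcing `successCount = 1` when nothing succeeded rewrites the count instead of guarding the division, so any later use of `successCount` in runBenchmark (the function continues outside the hunk) would report one success where there were none, and the average is then a real-looking number computed from a total that no request contributed to. Guard the division and leave the count alone: `var averageLatency time.Duration` followed by `if successCount > 0 { averageLatency = totalDuration / time.Duration(successCount) }`, with the comment stating intent rather than symptom, `// no successful requests: report a zero average instead of dividing by zero`.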
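Review bot: The unconditional `req.Results = &kaspb.RewrapResult{PolicyId: req.Policy.ID}` at the top of verifyNanoRewrapRequests is there so that failedKAORewrap has a non-nil slice to append to, but nothing says so and the next person to move the assignment below the loop will reintroduce the nil dereference this commit fixes. A one-line comment pins it: `// Results must exist before any failedKAORewrap call below appends to it.` The function body continues past the hunk.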
From ff06a6698f9af05258330c37157be28d2ffe66b2 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 09/48] Fixes Summary: Test Plan: --- service/kas/access/rewrap.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index ea4ccb6818..21cbee6524 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -361,6 +361,7 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap var nanoReqs []*request.RewrapRequests var tdf3Reqs []*request.RewrapRequests + var requests []*request.RewrapRequests for _, req := range body.Requests { switch { case req.Algorithm == kNanoAlgorithm: @@ -369,18 +370,17 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap tdf3Reqs = append(tdf3Reqs, req) default: // No algorithm: fail all Policy's KAOs + var failedKAOs []*kaspb.KAORewrapResult - for _, kao := range req.KeyAccessObjectRequests { - failedKAOs = append(failedKAOs, - failedKAORewrap(req.Results, kao, err400(fmt.Sprintf("invalid algorithm: %s", req.Algorithm)))) - } - rewrapResult := &kaspb.RewrapResult{ + req.Results = &kaspb.RewrapResult{ Results: failedKAOs, } - resp.Responses = append(resp.Responses, rewrapResult) + for _, kao := range req.KeyAccessObjectRequests { + failedKAORewrap(req.Results, kao, err400(fmt.Sprintf("invalid algorithm: %s", req.Algorithm))) + } + requests = append(requests, req) } } - var requests []*request.RewrapRequests if len(tdf3Reqs) > 0 { p.tdf3Rewrap(ctx, tdf3Reqs, body.ClientPublicKey, entityInfo) requests = append(requests, tdf3Reqs...) 
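Review bot: In the `default:` arm the failed-algorithm result is built as `req.Results = &kaspb.RewrapResult{Results: failedKAOs}` with `failedKAOs` never appended to and no `PolicyId` set, so the client receives a failure it cannot correlate with the policy that caused it. Drop the unused slice and set the id the way the nano path does, `req.Results = &kaspb.RewrapResult{PolicyId: req.Policy.ID}`; failedKAORewrap appends to `Results` itself. Rewrap starts and ends outside this hunk.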
@@ -402,7 +402,7 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap } res := resp.GetResponses()[0].GetResults()[0] if res.GetStatus() == kFailedStatus { - return nil, tdf3Reqs[0].KeyAccessObjectRequests[0].Err + return nil, requests[0].KeyAccessObjectRequests[0].Err } resp.EntityWrappedKey = res.GetKasWrappedKey() resp.Metadata = res.GetMetadata() From 62583781698dbc03fe1af15b2bda7cf099b325c0 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 10/48] algo fixes Summary: Test Plan: --- service/kas/access/rewrap.go | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 21cbee6524..9716b5fe66 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -366,19 +366,12 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap switch { case req.Algorithm == kNanoAlgorithm: nanoReqs = append(nanoReqs, req) - case req.Algorithm == "" || req.Algorithm == kTDF3Algorithm: + case req.Algorithm == "": + req.Algorithm = kTDF3Algorithm tdf3Reqs = append(tdf3Reqs, req) default: - // No algorithm: fail all Policy's KAOs + tdf3Reqs = append(tdf3Reqs, req) - var failedKAOs []*kaspb.KAORewrapResult - req.Results = &kaspb.RewrapResult{ - Results: failedKAOs, - } - for _, kao := range req.KeyAccessObjectRequests { - failedKAORewrap(req.Results, kao, err400(fmt.Sprintf("invalid algorithm: %s", req.Algorithm))) - } - requests = append(requests, req) } } if len(tdf3Reqs) > 0 { From fc745c10757c323889b97111a41a62937e4ebba5 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 11/48] lint fixes Summary: Test Plan: --- service/kas/access/rewrap.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 9716b5fe66..8ec1793a65 100644 
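Review bot: The rewritten `switch` now routes every unrecognized `req.Algorithm` to the TDF3 path through `default: tdf3Reqs = append(tdf3Reqs, req)`, whereas the previous revision failed each KAO with `err400("invalid algorithm: ...")`; a misspelt or future algorithm identifier is therefore processed as TDF3 rather than rejected. If accepting any non-nano value is the intent, state it on the arm, `default: // anything that is not nano is handled by the TDF3 path`, and consider logging the unexpected value; otherwise keep an explicit `case req.Algorithm == kTDF3Algorithm:` and restore the per-KAO rejection. Rewrap continues outside the hunk.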
--- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -318,9 +318,9 @@ func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, err return info, nil } -func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectRequest, err error) *kaspb.KAORewrapResult { +func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectRequest, err error) { if kao.Processed { - return nil + return } kao.Processed = true kaoRes := &kaspb.KAORewrapResult{ @@ -330,7 +330,6 @@ func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectReques } kao.Err = err res.Results = append(res.Results, kaoRes) - return kaoRes } func markUnproccessedRequests(reqs []*request.RewrapRequests) { @@ -371,7 +370,6 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap tdf3Reqs = append(tdf3Reqs, req) default: tdf3Reqs = append(tdf3Reqs, req) - } } if len(tdf3Reqs) > 0 { From c0b46bc3cb8418e35086154bd90214f26f11f50d Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 12/48] add back hmac Summary: Test Plan: --- service/kas/access/rewrap.go | 79 ++++++++++++------------------- service/kas/access/rewrap_test.go | 22 ++++----- 2 files changed, 40 insertions(+), 61 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 8ec1793a65..0c2ad69b36 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -18,7 +18,6 @@ import ( "fmt" "log/slog" "net/http" - "strings" "time" "connectrpc.com/connect" 
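Review bot: failedKAORewrap dropping its return value is fine, but its contract is still undocumented: the `kao.Processed` guard means the first recorded outcome wins and later failures for the same KAO are silently ignored, and the `kao.Err` it stores is what the legacy single-result path hands back to the client. A doc comment saves the next reader a trip through Rewrap: `// failedKAORewrap records err as the result for kao and marks it processed; a KAO that already has a result is left untouched, so the first outcome wins.` The function body continues past the hunk.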
@@ -223,62 +222,34 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } } -func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logger logger.Logger) (*request.Policy, error) { - failed := false - sDecPolicy, err := base64.StdEncoding.DecodeString(req.Policy.Body) +func verifyPolicyBinding(ctx context.Context, policy []byte, kao *request.KeyAccessObjectRequest, logger logger.Logger) error { + actualHMAC, err := generateHMACDigest(ctx, policy, kao.SymmetricKey, logger) if err != nil { - logger.WarnContext(ctx, "unable to decode policy", "err", err) - failed = true + logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) + return err400("bad request") } - decoder := json.NewDecoder(strings.NewReader(string(sDecPolicy))) - var policy request.Policy - err = decoder.Decode(&policy) + policyBinding, err := extractPolicyBinding(kao.PolicyBinding) if err != nil { - logger.WarnContext(ctx, "unable to decode policy", "err", err) - failed = true + logger.WarnContext(ctx, "bad policy binding") + return err400("bad request") } - req.Results.PolicyId = policy.UUID.String() - - for _, kao := range req.KeyAccessObjectRequests { - if failed { - failedKAORewrap(req.Results, kao, err400("bad request")) - continue - } - actualHMAC, err := generateHMACDigest(ctx, []byte(req.Policy.Body), kao.SymmetricKey, logger) - if err != nil { - logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) - failedKAORewrap(req.Results, kao, err400("bad request")) - continue - } - policyBinding, err := extractPolicyBinding(kao.PolicyBinding) - if err != nil { - logger.WarnContext(ctx, "bad policy binding") - failedKAORewrap(req.Results, kao, err400("bad request")) - continue - } - expectedHMAC := make([]byte, base64.StdEncoding.DecodedLen(len(policyBinding))) - n, err := base64.StdEncoding.Decode(expectedHMAC, []byte(policyBinding)) - if err == nil { - n, err = hex.Decode(expectedHMAC, expectedHMAC[:n]) - } - 
expectedHMAC = expectedHMAC[:n] - if err != nil { - logger.WarnContext(ctx, "invalid policy binding", "err", err) - failedKAORewrap(req.Results, kao, err400("bad request")) - continue - } - if !hmac.Equal(actualHMAC, expectedHMAC) { - logger.WarnContext(ctx, "policy hmac mismatch", "policyBinding", policyBinding) - failedKAORewrap(req.Results, kao, err400("bad request")) - continue - } + expectedHMAC := make([]byte, base64.StdEncoding.DecodedLen(len(policyBinding))) + n, err := base64.StdEncoding.Decode(expectedHMAC, []byte(policyBinding)) + if err == nil { + n, err = hex.Decode(expectedHMAC, expectedHMAC[:n]) } - - if failed { - return nil, fmt.Errorf("invalid policy") + expectedHMAC = expectedHMAC[:n] + if err != nil { + logger.WarnContext(ctx, "invalid policy binding", "err", err) + return err400("bad request") } - return &policy, nil + if !hmac.Equal(actualHMAC, expectedHMAC) { + logger.WarnContext(ctx, "policy hmac mismatch", "policyBinding", policyBinding) + return err400("bad request") + } + + return nil } func extractPolicyBinding(policyBinding interface{}) (string, error) { @@ -450,6 +421,13 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap failedKAORewrap(req.Results, kao, err400("bad request")) continue } + + err = verifyPolicyBinding(ctx, []byte(req.Policy.Body), kao, *p.Logger) + if err != nil { + failedKAORewrap(req.Results, kao, err) + continue + } + anyValidKAOs = true } @@ -461,6 +439,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap p.Logger.WarnContext(ctx, "no valid KAOs found") return policy, fmt.Errorf("no valid KAOs") } + return policy, nil } diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index 15dafd7cf4..ef6cfdaab3 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go 
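Review bot: verifyPolicyBinding maps a failure of `generateHMACDigest` to the same `err400("bad request")` as the client-caused failures; if that helper can fail for server-side reasons (it is not visible here) the status misattributes the fault, although collapsing every outcome into one status does usefully keep the response from revealing which check failed. The function is now the only place the binding is verified and has no doc comment; suggested: `// verifyPolicyBinding recomputes the HMAC of the raw policy body under kao.SymmetricKey and compares it in constant time with the base64(hex) binding carried in the KAO; every failure is reported as the same 400 so the client learns nothing about which step failed.` The HMAC is still computed over the base64 policy string exactly as before, so the change here is structural rather than cryptographic.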
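Review bot: The new `verifyPolicyBinding` call in verifyRewrapRequests replaces a verifyAndParsePolicy that failed every KAO when `Policy.Body` did not base64/JSON-decode before any HMAC was compared, and nothing in this hunk shows where that decode now happens (verifyRewrapRequests starts outside it). The policy parsed for the access decision must be the same `req.Policy.Body` bytes the HMAC is computed over, and a parse failure should still fail all KAOs, otherwise a KAO can pass the binding check against a body the PDP later cannot read. A short comment at the call site would make that invariant visible: `// binding is verified over the raw body; the same body must already have been parsed into policy above`.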
@@ -366,17 +366,17 @@ func TestParseAndVerifyRequest(t *testing.T) { require.NotNil(t, verified, "unable to load request body") require.NotNil(t, verified.ClientPublicKey, "unable to load public key") - verified.Requests[0].Results = &kaspb.RewrapResult{} - - verified.Requests[0].KeyAccessObjectRequests[0].SymmetricKey = []byte(plainKey) - - policy, err := verifyAndParsePolicy(context.Background(), verified.Requests[0], *logger) - err = errors.Join(err, verified.Requests[0].KeyAccessObjectRequests[0].Err) - if !tt.shouldError { - require.NoError(t, err, "failed to verify policy body=[%v]", tt.body) - assert.Len(t, policy.Body.DataAttributes, 2, "incorrect policy body=[%v]", policy.Body) - } else { - require.Error(t, err, "failed to fail policy body=[%v]", tt.body) + for _, req := range verified.Requests { + req.Results = &kaspb.RewrapResult{} + req.KeyAccessObjectRequests[0].SymmetricKey = []byte(plainKey) + + err := verifyPolicyBinding(context.Background(), []byte(req.Policy.Body), req.KeyAccessObjectRequests[0], *logger) + err = errors.Join(err, verified.Requests[0].KeyAccessObjectRequests[0].Err) + if !tt.shouldError { + require.NoError(t, err, "failed to verify policy body=[%v]", tt.body) + } else { + require.Error(t, err, "failed to fail policy body=[%v]", tt.body) + } } } else { require.Error(t, err, "failed to fail srt=[%s], tok=[%s]", tt.body, bearer) From a949d424aa07326bd88b14e593dfc737065cdf96 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 13/48] Bulk SDK API --- sdk/bulk.go | 127 +++++++++++++++++++++++++++++++ sdk/kas_client.go | 139 ++++++++++++++++++++++++---------- sdk/nanotdf.go | 123 ++++++++++++++++++++++-------- sdk/tdf.go | 116 +++++++++++++++++++++++++--- service/kas/access/rewrap.go | 1 + service/kas/request/rewrap.go | 4 + 6 files changed, 430 insertions(+), 80 deletions(-) create mode 100644 sdk/bulk.go diff --git a/sdk/bulk.go b/sdk/bulk.go new file mode 100644 index 0000000000..8c65efcd7f 
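Review bot: Inside the new `for _, req := range verified.Requests` loop the joined error still reads `verified.Requests[0].KeyAccessObjectRequests[0].Err`, so for every request after the first the assertion checks the first request's KAO error instead of its own; it should be `err = errors.Join(err, req.KeyAccessObjectRequests[0].Err)`. The outer `if` this loop sits in starts before the hunk.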
--- /dev/null +++ b/sdk/bulk.go 
@@ -0,0 +1,127 @@ +package sdk + +import ( + "context" + "errors" + "fmt" + "github.com/opentdf/platform/service/kas/request" + "io" +) + +type BulkTDF struct { + Reader io.ReadSeeker + Writer io.Writer + Error error +} + +type BulkDecryptRequest struct { + TDFs []*BulkTDF + TDFType TdfType +} + +type BulkDecryptionErrors []error + +func (b BulkDecryptionErrors) Error() string { + return fmt.Sprintf("Some TDFs could not be Decrypted: %s", errors.Join(b...).Error()) +} + +// IsPartialFailure Returns List of Decrypt Failures and true if is decryption failures +func IsPartialFailure(err error) ([]error, bool) { + var list BulkDecryptionErrors + ok := errors.As(err, &list) + return list, ok +} + +type BulkDecryptOption func(request *BulkDecryptRequest) + +func WithTDFs(tdfs ...*BulkTDF) BulkDecryptOption { + return func(request *BulkDecryptRequest) { + request.AppendTDFs(tdfs...) + } +} + +func (s SDK) CreateBulkRewrapRequest(options ...BulkDecryptOption) *BulkDecryptRequest { + req := &BulkDecryptRequest{} + for _, opt := range options { + opt(req) + } + return req +} + +func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { + switch tdfType { + case Nano: + decryptor := CreateNanoTDFDecryptHandler(tdf.Reader, tdf.Writer) + return decryptor, nil + default: + return s.createTDF3DecryptHandler(tdf.Writer, tdf.Reader) + } +} + +func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error { + var rewrapRequests []*request.RewrapRequests + tdfDecryptors := make(map[string]Decryptor) + policyTDF := make(map[string]*BulkTDF) + + for i, tdf := range bulkReq.TDFs { + policyId := fmt.Sprintf("policy-%d", i) + decryptor, err := s.createDecryptor(tdf, bulkReq.TDFType) + if err != nil { + tdf.Error = err + continue + } + + req, err := decryptor.CreateRewrapRequest(ctx) + if err != nil { + tdf.Error = err + continue + } + tdfDecryptors[policyId] = decryptor + policyTDF[policyId] = tdf + + req.Policy.ID = policyId + rewrapRequests = 
append(rewrapRequests, req) + } + + kasClient := newKASClient(s.dialOptions, s.tokenSource, s.kasSessionKey) + var rewrapResp map[string][]KAOResult + var err error + switch bulkReq.TDFType { + case Nano: + rewrapResp, err = kasClient.nanoUnwrap(ctx, rewrapRequests) + default: + rewrapResp, err = kasClient.unwrap(ctx, rewrapRequests) + } + if err != nil { + return fmt.Errorf("bulk rewrap failed: %w", err) + } + + var errList []error + for id, tdf := range policyTDF { + kaoRes, ok := rewrapResp[id] + if !ok { + tdf.Error = fmt.Errorf("rewrap did not create a response for this TDF") + errList = append(errList, tdf.Error) + continue + } + decryptor := tdfDecryptors[id] + if _, err = decryptor.Decrypt(ctx, kaoRes); err != nil { + tdf.Error = err + errList = append(errList, tdf.Error) + continue + } + + } + if len(errList) != 0 { + return BulkDecryptionErrors(errList) + } + + return nil +} + +func (b *BulkDecryptRequest) AppendTDFs(tdfs ...*BulkTDF) { + b.TDFs = append( + b.TDFs, + tdfs..., + ) +} diff --git a/sdk/kas_client.go b/sdk/kas_client.go index 5d1fe065ff..60e35fffd0 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go @@ -13,6 +13,7 @@ import ( "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/sdk/auth" + "github.com/opentdf/platform/service/kas/request" "google.golang.org/grpc" ) 
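Review bot: TDFs that fail in the first loop of BulkDecrypt get `tdf.Error` set but are never added to `errList`, so when only those fail the function returns nil and a caller that relies on the returned error (as IsPartialFailure suggests) never learns about them. When every TDF fails that way, or `bulkReq.TDFs` is empty, `rewrapRequests` is empty and the call into `kasClient.unwrap`/`nanoUnwrap` reaches `requests[0]` in makeRewrapRequest and panics; an early return guards both cases. The rewrite below hoists `errList`, records the early failures, and returns before contacting the KAS when there is nothing to send; the later `var errList []error` declaration then goes away. `fmt.Errorf("rewrap did not create a response for this TDF")` has no verbs and reads better as `errors.New`, which is already imported here.
```go
func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error {
	var rewrapRequests []*request.RewrapRequests
	var errList []error // declared up front so pre-rewrap failures are reported too
	// … unchanged: tdfDecryptors / policyTDF map setup …

	for i, tdf := range bulkReq.TDFs {
		policyId := fmt.Sprintf("policy-%d", i)
		decryptor, err := s.createDecryptor(tdf, bulkReq.TDFType)
		if err != nil {
			tdf.Error = err
			errList = append(errList, err)
			continue
		}

		req, err := decryptor.CreateRewrapRequest(ctx)
		if err != nil {
			tdf.Error = err
			errList = append(errList, err)
			continue
		}
		// … unchanged: register decryptor, set req.Policy.ID, append to rewrapRequests …
	}

	// Nothing to send: return now rather than let makeRewrapRequest index requests[0].
	if len(rewrapRequests) == 0 {
		if len(errList) != 0 {
			return BulkDecryptionErrors(errList)
		}
		return nil
	}
	// … unchanged: kasClient rewrap call and per-policy Decrypt loop, minus the second errList declaration …
```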
@@ -20,25 +21,21 @@ const ( secondsPerMinute = 60 ) -type RequestBody struct { - KeyAccess `json:"keyAccess"` - ClientPublicKey string `json:"clientPublicKey"` - Policy string `json:"policy"` -} - type KASClient struct { accessTokenSource auth.AccessTokenSource dialOptions []grpc.DialOption sessionKey *ocrypto.RsaKeyPair } -// once the backend moves over we should use the same type that the golang backend uses here -type rewrapRequestBody struct { - KeyAccess KeyAccess `json:"keyAccess"` - Policy string `json:"policy,omitempty"` - Algorithm string `json:"algorithm,omitempty"` - ClientPublicKey string `json:"clientPublicKey"` - SchemaVersion string `json:"schemaVersion,omitempty"` +type KAOResult struct { + SymmetricKey []byte + Error error + KeyAccessObjectId string +} + +type Decryptor interface { + CreateRewrapRequest(ctx context.Context) (*request.RewrapRequests, error) + Decrypt(ctx context.Context, results []KAOResult) (uint32, error) } func newKASClient(dialOptions []grpc.DialOption, accessTokenSource auth.AccessTokenSource, sessionKey *ocrypto.RsaKeyPair) *KASClient { @@ -50,12 +47,12 @@ func newKASClient(dialOptions []grpc.DialOption, accessTokenSource auth.AccessTo } // there is no connection caching as of now -func (k *KASClient) makeRewrapRequest(ctx context.Context, keyAccess KeyAccess, policy string) (*kas.RewrapResponse, error) { - rewrapRequest, err := k.getRewrapRequest(keyAccess, policy) +func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*request.RewrapRequests, pubKey string) (*kas.RewrapResponse, error) { + rewrapRequest, err := k.getRewrapRequest(requests, pubKey) if err != nil { return nil, err } - grpcAddress, err := getGRPCAddress(keyAccess.KasURL) + grpcAddress, err := getGRPCAddress(requests[0].KeyAccessObjectRequests[0].KasURL) if err != nil { return nil, err } 
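Review bot: `getGRPCAddress(requests[0].KeyAccessObjectRequests[0].KasURL)` indexes both slices without checking they are non-empty, so a caller that batched zero requests panics here instead of receiving an error; add `if len(requests) == 0 || len(requests[0].KeyAccessObjectRequests) == 0 { return nil, fmt.Errorf("no key access objects to rewrap") }` before the address lookup. The same line also bakes in the assumption that every request in the batch targets the KAS of the first KAO; that belongs in the function comment, since a mixed batch would have its policies and wrapped keys sent to a KAS that was not the intended recipient. makeRewrapRequest continues past the hunk.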
@@ -75,16 +72,77 @@ func (k *KASClient) makeRewrapRequest(ctx context.Context, keyAccess KeyAccess, return response, nil } +func (k *KASClient) nanoUnwrap(ctx context.Context, requests []*request.RewrapRequests) (map[string][]KAOResult, error) { + keypair, err := ocrypto.NewECKeyPair(ocrypto.ECCModeSecp256r1) + if err != nil { + return nil, fmt.Errorf("ocrypto.NewECKeyPair failed :%w", err) + } -func (k *KASClient) unwrap(ctx context.Context, keyAccess KeyAccess, policy string) ([]byte, error) { - response, err := k.makeRewrapRequest(ctx, keyAccess, policy) + publicKeyAsPem, err := keypair.PublicKeyInPemFormat() if err != nil { - return nil, fmt.Errorf("error making rewrap request to kas: %w", err) + return nil, fmt.Errorf("ocrypto.NewECKeyPair.PublicKeyInPemFormat failed :%w", err) + } + + privateKeyAsPem, err := keypair.PrivateKeyInPemFormat() + if err != nil { + return nil, fmt.Errorf("ocrypto.NewECKeyPair.PrivateKeyInPemFormat failed :%w", err) + } + response, err := k.makeRewrapRequest(ctx, requests, publicKeyAsPem) + if err != nil { + return nil, err + } + + sessionKey, err := ocrypto.ComputeECDHKey([]byte(privateKeyAsPem), []byte(response.GetSessionPublicKey())) + if err != nil { + return nil, fmt.Errorf("ocrypto.ComputeECDHKey failed :%w", err) + } + + sessionKey, err = ocrypto.CalculateHKDF(versionSalt(), sessionKey) + if err != nil { + return nil, fmt.Errorf("ocrypto.CalculateHKDF failed:%w", err) + } + + aesGcm, err := ocrypto.NewAESGcm(sessionKey) + if err != nil { + return nil, fmt.Errorf("ocrypto.NewAESGcm failed:%w", err) } + policyResults := make(map[string][]KAOResult) + for _, results := range response.Responses { + var kaoKeys []KAOResult + for _, kao := range results.GetResults() { + if kao.GetStatus() == request.PermitStatus { + wrappedKey := kao.GetKasWrappedKey() + key, err := aesGcm.Decrypt(wrappedKey) + if err != nil { + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: err}) + } else { + kaoKeys = 
append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, SymmetricKey: key}) + } + } else { + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: fmt.Errorf(kao.GetError())}) + } + } + policyResults[results.PolicyId] = kaoKeys + } + + return policyResults, nil + +} + +func (k *KASClient) unwrap(ctx context.Context, requests []*request.RewrapRequests) (map[string][]KAOResult, error) { if k.sessionKey == nil { return nil, fmt.Errorf("session key is nil") } + pubKey, err := k.sessionKey.PublicKeyInPemFormat() + if err != nil { + return nil, fmt.Errorf("ocrypto.PublicKeyInPermFormat failed: %w", err) + } + response, err := k.makeRewrapRequest(ctx, requests, pubKey) + if err != nil { + return nil, fmt.Errorf("error making rewrap request to kas: %w", err) + } + clientPrivateKey, err := k.sessionKey.PrivateKeyInPemFormat() if err != nil { return nil, fmt.Errorf("ocrypto.PrivateKeyInPemFormat failed: %w", err) 
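Review bot: `fmt.Errorf(kao.GetError())` passes a string received from the KAS as the format string, so any `%` in the server-supplied message is interpreted as a verb (go vet's printf check flags non-constant formats); use `errors.New(kao.GetError())`, or `fmt.Errorf("%s", kao.GetError())` while errors is not yet imported in this file. The same pattern is in the `unwrap` hunk that follows (`@@ -95,15 +153,29 @@`). Both functions also carry the identical status/decrypt/append loop over `response.Responses`; a small helper taking the decrypt function would remove the duplication and keep the two error paths from drifting apart.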
@@ -95,15 +153,29 @@ func (k *KASClient) unwrap(ctx context.Context, keyAccess KeyAccess, policy stri return nil, fmt.Errorf("ocrypto.NewAsymDecryption failed: %w", err) } - key, err := asymDecryption.Decrypt(response.GetEntityWrappedKey()) - if err != nil { - return nil, fmt.Errorf("error decrypting payload from KAS: %w", err) + policyResults := make(map[string][]KAOResult) + for _, results := range response.Responses { + var kaoKeys []KAOResult + for _, kao := range results.GetResults() { + if kao.GetStatus() == request.PermitStatus { + wrappedKey := kao.GetKasWrappedKey() + key, err := asymDecryption.Decrypt(wrappedKey) + if err != nil { + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: err}) + } else { + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, SymmetricKey: key}) + } + } else { + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: fmt.Errorf(kao.GetError())}) + } + } + policyResults[results.PolicyId] = kaoKeys } - return key, nil + return policyResults, nil } -func (k *KASClient) getNanoTDFRewrapRequest(header string, kasURL string, pubKey string) (*kas.RewrapRequest, error) { +func (k *KASClient) createNanoTDFRewrapRequest(header string, kasURL string, pubKey string) (*kas.RewrapRequest, error) { kAccess := keyAccess{ Header: header, KeyAccessType: "remote", @@ -151,7 +223,7 @@ func (k *KASClient) getNanoTDFRewrapRequest(header string, kasURL string, pubKey } func (k *KASClient) makeNanoTDFRewrapRequest(ctx context.Context, header string, kasURL string, pubKey string) (*kas.RewrapResponse, error) { - rewrapRequest, err := k.getNanoTDFRewrapRequest(header, kasURL, pubKey) + rewrapRequest, err := k.createNanoTDFRewrapRequest(header, kasURL, pubKey) if err != nil { return nil, err } 
@@ -240,22 +312,13 @@ func getGRPCAddress(kasURL string) (string, error) { return net.JoinHostPort(parsedURL.Hostname(), port), nil } -func (k *KASClient) getRewrapRequest(keyAccess KeyAccess, policy string) (*kas.RewrapRequest, error) { - // check if the session key is nil if not return an error - if k.sessionKey == nil { - return nil, fmt.Errorf("session key is nil") - } +func (k *KASClient) getRewrapRequest(reqs []*request.RewrapRequests, pubKey string) (*kas.RewrapRequest, error) { - clientPublicKey, err := k.sessionKey.PublicKeyInPemFormat() - if err != nil { - return nil, fmt.Errorf("ocrypto.PublicKeyInPemFormat failed: %w", err) + requestBody := request.Body{ + ClientPublicKey: pubKey, + Requests: reqs, } - requestBody := rewrapRequestBody{ - Policy: policy, - KeyAccess: keyAccess, - ClientPublicKey: clientPublicKey, - } requestBodyJSON, err := json.Marshal(requestBody) if err != nil { return nil, fmt.Errorf("Error marshaling request body: %w", err) diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go index cf735f9bd6..96b974aeaf 100644 --- a/sdk/nanotdf.go +++ b/sdk/nanotdf.go @@ -9,6 +9,7 @@ import ( "encoding/json" "errors" "fmt" + "github.com/opentdf/platform/service/kas/request" "io" "log/slog" "sync" 
@@ -899,44 +900,78 @@ func (s SDK) CreateNanoTDF(writer io.Writer, reader io.Reader, config NanoTDFCon // NanoTDF Decrypt // ============================================================================================================ -// ReadNanoTDF - read the nano tdf and return the decrypted data from it -func (s SDK) ReadNanoTDF(writer io.Writer, reader io.ReadSeeker) (uint32, error) { - return s.ReadNanoTDFContext(context.Background(), writer, reader) +type NanoTDFDecryptHandler struct { + reader io.ReadSeeker + writer io.Writer + + header NanoTDFHeader + headerBuf []byte } -// ReadNanoTDFContext - allows cancelling the reader -func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io.ReadSeeker) (uint32, error) { - header, headerSize, err := NewNanoTDFHeaderFromReader(reader) - if err != nil { - return 0, err +func CreateNanoTDFDecryptHandler(reader io.ReadSeeker, writer io.Writer) *NanoTDFDecryptHandler { + return &NanoTDFDecryptHandler{ + reader: reader, + writer: writer, } - _, err = reader.Seek(0, io.SeekStart) +} + +func (n *NanoTDFDecryptHandler) getRawHeader() []byte { + return n.headerBuf +} + +func (n *NanoTDFDecryptHandler) CreateRewrapRequest(ctx context.Context) (*request.RewrapRequests, error) { + var err error + var headerSize uint32 + n.header, headerSize, err = NewNanoTDFHeaderFromReader(n.reader) if err != nil { - return 0, fmt.Errorf("readSeeker.Seek failed: %w", err) + return nil, err + } + _, err = n.reader.Seek(0, io.SeekStart) + if err != nil { + return nil, fmt.Errorf("readSeeker.Seek failed: %w", err) } headerBuf := make([]byte, headerSize) - _, err = reader.Read(headerBuf) + _, err = n.reader.Read(headerBuf) if err != nil { - return 0, fmt.Errorf("readSeeker.Seek failed: %w", err) + return nil, fmt.Errorf("readSeeker.Seek failed: %w", err) } - - kasURL, err := header.kasURL.GetURL() + kasURL, err := n.header.kasURL.GetURL() if err != nil { - return 0, fmt.Errorf("readSeeker.Seek failed: %w", err) + return nil, 
err + } + + return &request.RewrapRequests{ + KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ + { + KeyAccessObjectID: "kao-0", + KeyAccess: request.KeyAccess{KasURL: kasURL, Header: headerBuf, Algorithm: "ec:secp256r1"}, + }, + }, + Policy: request.PolicyRequest{ + ID: "policy", + }, + Algorithm: "ec:secp256r1", + }, nil +} + +func (n *NanoTDFDecryptHandler) Decrypt(ctx context.Context, result []KAOResult) (uint32, error) { + var err error + if len(result) != 1 { + return 0, fmt.Errorf("improper result from kas") } - symmetricKey, err := s.getNanoRewrapKey(ctx, headerBuf, kasURL) - if err != nil { - return 0, err + if result[0].Error != nil { + return 0, result[0].Error } + key := result[0].SymmetricKey const ( kPayloadLoadLengthBufLength = 4 ) payloadLengthBuf := make([]byte, kPayloadLoadLengthBufLength) - _, err = reader.Read(payloadLengthBuf[1:]) + _, err = n.reader.Read(payloadLengthBuf[1:]) if err != nil { return 0, fmt.Errorf(" io.Reader.Read failed :%w", err) @@ -946,12 +981,12 @@ func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io slog.Debug("ReadNanoTDF", slog.Uint64("payloadLength", uint64(payloadLength))) cipherDate := make([]byte, payloadLength) - _, err = reader.Read(cipherDate) + _, err = n.reader.Read(cipherDate) if err != nil { return 0, fmt.Errorf("readSeeker.Seek failed: %w", err) } - aesGcm, err := ocrypto.NewAESGcm(symmetricKey) + aesGcm, err := ocrypto.NewAESGcm(key) if err != nil { return 0, fmt.Errorf("ocrypto.NewAESGcm failed:%w", err) } @@ -962,7 +997,7 @@ func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io iv := cipherDate[:kNanoTDFIvSize] ivPadded = append(ivPadded, iv...) - tagSize, err := SizeOfAuthTagForCipher(header.sigCfg.cipher) + tagSize, err := SizeOfAuthTagForCipher(n.header.sigCfg.cipher) if err != nil { return 0, fmt.Errorf("SizeOfAuthTagForCipher failed:%w", err) } 
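Review bot: I do not see `n.headerBuf` assigned anywhere in this hunk — CreateRewrapRequest reads into a local `headerBuf` — so unless it is set elsewhere, `getRawHeader()` returns nil and the collection-store lookups in the later getNanoRewrapKey hunk (`@@ -980,24 +1015,52 @@`) key every NanoTDF on the same nil slice; add `n.headerBuf = headerBuf` after the read. That read, `_, err = n.reader.Read(headerBuf)`, is a single Read that may return fewer than headerSize bytes without an error, leaving a partially filled header that is then sent to the KAS; `_, err = io.ReadFull(n.reader, headerBuf)` is the intended call, and its failure should not be reported as `readSeeker.Seek failed`. The new struct and methods are undocumented; a one-line comment on NanoTDFDecryptHandler noting that CreateRewrapRequest consumes the header and Decrypt the payload, in that order, would make the two-step contract visible.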
@@ -972,7 +1007,7 @@ func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io return 0, err } - writeLen, err := writer.Write(decryptedData) + writeLen, err := n.writer.Write(decryptedData) if err != nil { return 0, err } 
@@ -980,24 +1015,52 @@ func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io return uint32(writeLen), nil } -func (s SDK) getNanoRewrapKey(ctx context.Context, header []byte, kasURL string) ([]byte, error) { +// ReadNanoTDF - read the nano tdf and return the decrypted data from it +func (s SDK) ReadNanoTDF(writer io.Writer, reader io.ReadSeeker) (uint32, error) { + return s.ReadNanoTDFContext(context.Background(), writer, reader) +} + +// ReadNanoTDFContext - allows cancelling the reader +func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io.ReadSeeker) (uint32, error) { + handler := CreateNanoTDFDecryptHandler(reader, writer) + + symmetricKey, err := s.getNanoRewrapKey(ctx, handler) + if err != nil { + return 0, err + } + return handler.Decrypt(ctx, []KAOResult{{SymmetricKey: symmetricKey}}) +} + +func (s SDK) getNanoRewrapKey(ctx context.Context, decryptor *NanoTDFDecryptHandler) ([]byte, error) { + req, err := decryptor.CreateRewrapRequest(ctx) + if err != nil { + return nil, err + } + if s.collectionStore != nil { - if key, found := s.collectionStore.get(header); found { + if key, found := s.collectionStore.get(decryptor.getRawHeader()); found { return key, nil } } - encodedHeader := ocrypto.Base64Encode(header) client := newKASClient(s.dialOptions, s.tokenSource, nil) - symmetricKey, err := client.unwrapNanoTDF(ctx, string(encodedHeader), kasURL) + policyResult, err := client.nanoUnwrap(ctx, []*request.RewrapRequests{req}) if err != nil { - return nil, fmt.Errorf("readSeeker.Seek failed: %w", err) + return nil, fmt.Errorf("rewrap failed: %w", err) + } + result, ok := policyResult["policy"] + if !ok || len(result) != 1 { + return nil, fmt.Errorf("policy was not found in rewrap response") } + if result[0].Error != nil { + return nil, result[0].Error + } + if s.collectionStore != nil { - s.collectionStore.store(header, symmetricKey) + s.collectionStore.store(decryptor.getRawHeader(), result[0].SymmetricKey) } 
- return symmetricKey, nil + return result[0].SymmetricKey, nil } type requestBody struct { diff --git a/sdk/tdf.go b/sdk/tdf.go index e936812e7e..5f25cc4490 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -7,8 +7,10 @@ import ( "encoding/json" "errors" "fmt" + "github.com/opentdf/platform/service/kas/request" "io" "math" + "strconv" "strings" "github.com/google/uuid" @@ -72,11 +74,45 @@ type TDFObject struct { payloadKey [kKeySize]byte } +type tdf3DecryptHandler struct { + writer io.Writer + reader *Reader +} + +func (r *tdf3DecryptHandler) Decrypt(ctx context.Context, results []KAOResult) (uint32, error) { + err := r.reader.buildKey(ctx, results) + if err != nil { + return 0, err + } + data, err := io.ReadAll(r.reader) + if err != nil { + return 0, err + } + + n, err := r.writer.Write(data) + return uint32(n), err +} + +func (r *tdf3DecryptHandler) CreateRewrapRequest(ctx context.Context) (*request.RewrapRequests, error) { + return createRewrapRequest(ctx, r.reader) +} + +func (s SDK) createTDF3DecryptHandler(writer io.Writer, reader io.ReadSeeker) (*tdf3DecryptHandler, error) { + tdfReader, err := s.LoadTDF(reader) + if err != nil { + return nil, err + } + + return &tdf3DecryptHandler{ + reader: tdfReader, + writer: writer, + }, nil +} + func (t TDFObject) Size() int64 { return t.size } -// CreateTDF reads plain text from the given reader and saves it to the writer, subject to the given options func (s SDK) CreateTDF(writer io.Writer, reader io.ReadSeeker, opts ...TDFOption) (*TDFObject, error) { return s.CreateTDFContext(context.Background(), writer, reader, opts...) } @@ -766,7 +802,7 @@ func (r *Reader) DataAttributes() ([]string, error) { /* *WARNING:* Using this function is unsafe since KAS will no longer be able to prevent access to the key. -Retrieve the payload key, either from performing an unwrap or from a previous unwrap, +Retrieve the payload key, either from performing an buildKey or from a previous buildKey, and write it to a user buffer. OUTPUTS: 
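Review bot: tdf3DecryptHandler.Decrypt buffers the whole decrypted payload with `io.ReadAll` before writing it, which for a bulk decrypt of large TDFs holds every payload in memory at once; `n, err := io.Copy(r.writer, r.reader)` followed by `return uint32(n), err` streams it with the same return contract (the uint32 truncation above 4 GiB is pre-existing). The hunk also drops the doc comment on the exported CreateTDF without replacing it; please keep `// CreateTDF reads plain text from the given reader and saves it to the writer, subject to the given options`.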
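Review bot: The mechanical rename in the UnsafePayloadKeyRetrieval doc comment produced `either from performing an buildKey or from a previous buildKey`, which no longer reads as English and names an unexported method in an exported doc; the original wording `either from performing an unwrap or from a previous unwrap` still describes what happens.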
@@ -784,8 +820,44 @@ func (r *Reader) UnsafePayloadKeyRetrieval() ([]byte, error) { return r.payloadKey, nil } -// Unwraps the payload key, if possible, using the access service -func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocognit // Better readability keeping it as is +func createRewrapRequest(ctx context.Context, r *Reader) (*request.RewrapRequests, error) { + rewrapReq := request.RewrapRequests{ + Policy: request.PolicyRequest{ + Body: r.manifest.EncryptionInformation.Policy, + ID: "policy", + }, + } + for i, kao := range r.manifest.EncryptionInformation.KeyAccessObjs { + kaoId := fmt.Sprintf("kao-%d", i) + key, err := ocrypto.Base64Decode([]byte(kao.WrappedKey)) + if err != nil { + return nil, fmt.Errorf("could not decode wrapper key: %w", err) + } + + rewrapReq.KeyAccessObjectRequests = append(rewrapReq.KeyAccessObjectRequests, + &request.KeyAccessObjectRequest{ + KeyAccessObjectID: kaoId, + KeyAccess: request.KeyAccess{ + KeyType: kao.KeyType, + KasURL: kao.KasURL, + KID: kao.KID, + Protocol: kao.Protocol, + PolicyBinding: kao.PolicyBinding, + SplitID: kao.SplitID, + WrappedKey: key, + }, + }) + } + + return &rewrapReq, nil +} + +func getIdx(kaoId string) int { + idx, _ := strconv.Atoi(strings.Split(kaoId, "-")[1]) + return idx +} + +func (r *Reader) buildKey(ctx context.Context, results []KAOResult) error { var unencryptedMetadata []byte var payloadKey [kKeySize]byte knownSplits := make(map[string]bool) 
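Review bot: getIdx discards the `strconv.Atoi` error and indexes `strings.Split(kaoId, "-")[1]` unconditionally, and the id it parses is `kaoRes.KeyAccessObjectId` as echoed back in the KAS response, so an id without a dash panics here and an out-of-range number panics at `r.manifest.KeyAccessObjs[idx]` in the following buildKey hunk (`@@ -793,15 +865,15 @@`). Validate instead of trusting it: return `(int, error)`, and in buildKey reject `idx >= len(r.manifest.KeyAccessObjs)` with an error before indexing. Separately, `could not decode wrapper key` in createRewrapRequest should read `wrapped key`. buildKey begins in this hunk and continues outside it.
```go
// getIdx recovers the manifest KAO index from an id of the form "kao-<n>" as
// produced by createRewrapRequest. The id is echoed back by the KAS, so it is
// validated rather than trusted.
func getIdx(kaoID string) (int, error) {
	if !strings.HasPrefix(kaoID, "kao-") {
		return 0, fmt.Errorf("unexpected key access object id %q", kaoID)
	}
	idx, err := strconv.Atoi(strings.TrimPrefix(kaoID, "kao-"))
	if err != nil || idx < 0 {
		return 0, fmt.Errorf("unexpected key access object id %q", kaoID)
	}
	return idx, nil
}
```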
@@ -793,15 +865,15 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn skippedSplits := make(map[keySplitStep]error) mixedSplits := len(r.manifest.KeyAccessObjs) > 1 && r.manifest.KeyAccessObjs[0].SplitID != "" - for _, keyAccessObj := range r.manifest.EncryptionInformation.KeyAccessObjs { - client := newKASClient(r.dialOptions, r.tokenSource, &r.kasSessionKey) - + for _, kaoRes := range results { + idx := getIdx(kaoRes.KeyAccessObjectId) + keyAccessObj := r.manifest.KeyAccessObjs[idx] ss := keySplitStep{KAS: keyAccessObj.KasURL, SplitID: keyAccessObj.SplitID} - var err error - var wrappedKey []byte + wrappedKey := kaoRes.SymmetricKey + err := kaoRes.Error if !mixedSplits { //nolint:nestif // todo: subfunction - wrappedKey, err = client.unwrap(ctx, keyAccessObj, r.manifest.EncryptionInformation.Policy) + if err != nil { errToReturn := fmt.Errorf("doPayloadKeyUnwrap splitKey.rewrap failed: %w", err) if strings.Contains(err.Error(), codes.InvalidArgument.String()) { @@ -818,9 +890,9 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn // already found continue } - wrappedKey, err = client.unwrap(ctx, keyAccessObj, r.manifest.EncryptionInformation.Policy) + //wrappedKey, err = client.buildKey(ctx, keyAccessObj, r.manifest.EncryptionInformation.Policy) if err != nil { - errToReturn := fmt.Errorf("kao unwrap failed for split %v: %w", ss, err) + errToReturn := fmt.Errorf("kao buildKey failed for split %v: %w", ss, err) if !strings.Contains(err.Error(), codes.InvalidArgument.String()) { skippedSplits[ss] = fmt.Errorf("%w: %w", ErrRewrapBadRequest, errToReturn) } 
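Review bot: The commented-out `//wrappedKey, err = client.buildKey(...)` line is dead code left behind by the rename and should be deleted rather than kept; once it is gone the surrounding `if err != nil` reads plainly as a check on `kaoRes.Error`, which is what it now is. The same search-and-replace changed the user-visible error text to `kao buildKey failed for split %v`, naming an unexported helper; `kao rewrap failed for split %v` describes the failure the caller actually sees. buildKey begins before this hunk and ends after it.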
@@ -969,6 +1041,26 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn r.aesGcm = gcm return nil + +} + +// Unwraps the payload key, if possible, using the access service +func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocognit // Better readability keeping it as is + kasClient := newKASClient(r.dialOptions, r.tokenSource, &r.kasSessionKey) + + req, err := createRewrapRequest(ctx, r) + if err != nil { + return err + } + policyRes, err := kasClient.unwrap(ctx, []*request.RewrapRequests{req}) + if err != nil { + return err + } + result, ok := policyRes["policy"] + if !ok { + return fmt.Errorf("could not find policy in rewrap response") + } + return r.buildKey(ctx, result) } // calculateSignature calculate signature of data of the given algorithm. diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 0c2ad69b36..a6dd24c855 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -558,6 +558,7 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.Rewrap } sessionKey, err := p.CryptoProvider.GenerateNanoTDFSessionKey(privateKeyHandle, []byte(clientPublicKey)) if err != nil { + p.Logger.DebugContext(ctx, "GenerateNanoTDFSessionKey", "err", err) failAllKaos(requests, fmt.Errorf("failed to generate session key: %w", err)) return "" } diff --git a/service/kas/request/rewrap.go b/service/kas/request/rewrap.go index 096bd2d65b..65c32cc5e0 100644 --- a/service/kas/request/rewrap.go +++ b/service/kas/request/rewrap.go @@ -2,6 +2,10 @@ package request import "github.com/opentdf/platform/protocol/go/kas" +const ( + PermitStatus = "permit" +) + type PolicyRequest struct { ID string `json:"id"` Body string `json:"body"` From 9e04dc6f529a84712baa677d1bc893b0571c270e Mon Sep 17 00:00:00 2001 
From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 14/48] benchmark Summary: Test Plan: --- examples/cmd/benchmark_bulk.go | 170 +++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 examples/cmd/benchmark_bulk.go diff --git a/examples/cmd/benchmark_bulk.go b/examples/cmd/benchmark_bulk.go new file mode 100644 index 0000000000..13090ed509 --- /dev/null +++ b/examples/cmd/benchmark_bulk.go 
@@ -0,0 +1,170 @@ +package cmd + +import ( + "bytes" + ctx "context" + "encoding/json" + "fmt" + "io" + "os" + "strings" + "time" + + "github.com/opentdf/platform/sdk" + "github.com/spf13/cobra" +) + +func init() { + benchmarkCmd := &cobra.Command{ + Use: "benchmark-bulk", + Short: "OpenTDF benchmark tool", + Long: `A OpenTDF benchmark tool to measure Bulk Rewrap.`, + RunE: runBenchmarkBulk, + } + + benchmarkCmd.Flags().IntVar(&config.RequestCount, "count", 100, "Total number of requests") + benchmarkCmd.Flags().Var(&config.TDFFormat, "tdf", "TDF format (tdf3 or nanotdf)") + ExamplesCmd.AddCommand(benchmarkCmd) +} + +func runBenchmarkBulk(cmd *cobra.Command, args []string) error { + in := strings.NewReader("Hello, World!") + + // Create new offline client + client, err := newSDK() + if err != nil { + return err + } + + out := os.Stdout + if outputName != "-" { + out, err = os.Create("sensitive.txt.tdf") + if err != nil { + return err + } + } + defer func() { + if outputName != "-" { + out.Close() + } + }() + + var dataAttributes = []string{"https://example.com/attr/attr1/value/value1"} + if config.TDFFormat == NanoTDF { + nanoTDFConfig, err := client.NewNanoTDFConfig() + if err != nil { + return err + } + nanoTDFConfig.SetAttributes(dataAttributes) + nanoTDFConfig.EnableECDSAPolicyBinding() + err = nanoTDFConfig.SetKasURL(fmt.Sprintf("http://%s/kas", "localhost:8080")) + if err != nil { + return err + } + + _, err = client.CreateNanoTDF(out, in, *nanoTDFConfig) + if err != nil { + return err + } + + if outputName != "-" { + err = cat(cmd, outputName) + if err != nil { + return err + } + } + } else { + tdf, err := + client.CreateTDF( + out, in, + sdk.WithDataAttributes(dataAttributes...), + sdk.WithKasInformation( + sdk.KASInfo{ + URL: fmt.Sprintf("http://%s", "localhost:8080"), + PublicKey: "", + }), + sdk.WithAutoconfigure(false)) + if err != nil { + return err + } + + manifestJSON, err := json.MarshalIndent(tdf.Manifest(), "", " ") + if err != nil { + return err 
+ } + cmd.Println(string(manifestJSON)) + } + + var errors []error + var requestFailure error + + // Function to perform the operation + operation := func() { + file, err := os.Open("sensitive.txt.tdf") + if err != nil { + requestFailure = fmt.Errorf("file open error: %v", err) + return + } + defer file.Close() + cipher, _ := io.ReadAll(file) + + file.Seek(0, 0) + bulkReq := client.CreateBulkRewrapRequest() + format := sdk.Nano + if config.TDFFormat == "tdf3" { + format = sdk.Standard + } + for i := 0; i < config.RequestCount; i++ { + bulkReq.AppendTDFs(&sdk.BulkTDF{Reader: bytes.NewReader(cipher), Writer: io.Discard}) + } + bulkReq.TDFType = format + err = client.BulkDecrypt(ctx.Background(), bulkReq) + if err != nil { + if errList, ok := sdk.IsPartialFailure(err); ok { + errors = errList + } else { + requestFailure = err + } + } + + } + + // Start the benchmark + startTime := time.Now() + operation() + totalTime := time.Since(startTime) + + // Count errors and collect error messages + errorCount := 0 + successCount := 0 + if requestFailure != nil { + errorCount = config.RequestCount + errors = append(errors, requestFailure) + } else { + errorCount = len(errors) + successCount = config.RequestCount - errorCount + } + throughput := float64(successCount) / totalTime.Seconds() + + errorMsgs := make(map[string]int) + for _, err := range errors { + errorMsgs[err.Error()] += 1 + } + + // Print results + cmd.Printf("\nBenchmark Results:\n") + cmd.Printf("Total Decrypts: %d\n", config.RequestCount) + cmd.Printf("Successful Decrypts: %d\n", successCount) + cmd.Printf("Failed Decrypts: %d\n", errorCount) + cmd.Printf("Total Time: %s\n", totalTime) + cmd.Printf("Throughput: %.2f requests/second\n", throughput) + + if errorCount > 0 { + cmd.Printf("\nError Summary:\n") + for errMsg, count := range errorMsgs { + cmd.Printf("%s: %d occurrences\n", errMsg, count) + } + } + + return nil +} From 9f7d99f3b72811142702f3e175695decec38074c Mon Sep 17 00:00:00 2001 
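Review bot: `cipher, _ := io.ReadAll(file)` discards the read error, so a truncated or unreadable file silently benchmarks decrypting garbage, and the `file.Seek(0, 0)` right after it is unused because the loop reads from `bytes.NewReader(cipher)`; check the error and drop the Seek. Importing `context` under the alias `ctx` and naming a local slice `errors` shadow the conventional variable and package names respectively; the plain import and a name such as `decryptErrs` avoid that. The output file is also always created as `sensitive.txt.tdf` while `outputName` is consulted for the `-` case and for `cat`, which looks inconsistent, and `fmt.Errorf("file open error: %v", err)` should wrap with `%w`.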
From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 15/48] lint and tests fixes Summary: Test Plan: --- sdk/bulk.go | 45 +++++++---- sdk/kas_client.go | 148 ++++------------------------------ sdk/kas_client_test.go | 61 ++++++++------ sdk/nanotdf.go | 32 +++----- sdk/tdf.go | 88 +++++++++++--------- sdk/tdf_test.go | 62 ++++++++------ service/kas/request/rewrap.go | 2 +- 7 files changed, 178 insertions(+), 260 deletions(-) diff --git a/sdk/bulk.go b/sdk/bulk.go index 8c65efcd7f..d09e86bab9 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -4,8 +4,9 @@ import ( "context" "errors" "fmt" - "github.com/opentdf/platform/service/kas/request" "io" + + "github.com/opentdf/platform/service/kas/request" ) type BulkTDF struct { @@ -53,18 +54,20 @@ func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { case Nano: decryptor := CreateNanoTDFDecryptHandler(tdf.Reader, tdf.Writer) return decryptor, nil - default: + case Standard: return s.createTDF3DecryptHandler(tdf.Writer, tdf.Reader) + case Invalid: } + return nil, fmt.Errorf("unknown tdf type: %s", tdfType) } func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error { - var rewrapRequests []*request.RewrapRequests + kasRewrapRequests := make(map[string][]*request.RewrapRequests) tdfDecryptors := make(map[string]Decryptor) policyTDF := make(map[string]*BulkTDF) for i, tdf := range bulkReq.TDFs { - policyId := fmt.Sprintf("policy-%d", i) + policyID := fmt.Sprintf("policy-%d", i) decryptor, err := s.createDecryptor(tdf, bulkReq.TDFType) if err != nil { tdf.Error = err 
@@ -76,21 +79,29 @@ func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error tdf.Error = err continue } - tdfDecryptors[policyId] = decryptor - policyTDF[policyId] = tdf - - req.Policy.ID = policyId - rewrapRequests = append(rewrapRequests, req) + tdfDecryptors[policyID] = decryptor + policyTDF[policyID] = tdf + for kasURL, r := range req { + r.Policy.ID = policyID + kasRewrapRequests[kasURL] = append(kasRewrapRequests[kasURL], r) + } } kasClient := newKASClient(s.dialOptions, s.tokenSource, s.kasSessionKey) - var rewrapResp map[string][]KAOResult + allRewrapResp := make(map[string][]KAOResult) var err error - switch bulkReq.TDFType { - case Nano: - rewrapResp, err = kasClient.nanoUnwrap(ctx, rewrapRequests) - default: - rewrapResp, err = kasClient.unwrap(ctx, rewrapRequests) + for _, rewrapRequests := range kasRewrapRequests { + var rewrapResp map[string][]KAOResult + switch bulkReq.TDFType { + case Nano: + rewrapResp, err = kasClient.nanoUnwrap(ctx, rewrapRequests...) + case Standard, Invalid: + rewrapResp, err = kasClient.unwrap(ctx, rewrapRequests...) + } + + for id, res := range rewrapResp { + allRewrapResp[id] = append(allRewrapResp[id], res...) + } } if err != nil { return fmt.Errorf("bulk rewrap failed: %w", err) @@ -98,7 +109,7 @@ func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error var errList []error for id, tdf := range policyTDF { - kaoRes, ok := rewrapResp[id] + kaoRes, ok := allRewrapResp[id] if !ok { tdf.Error = fmt.Errorf("rewrap did not create a response for this TDF") errList = append(errList, tdf.Error) @@ -110,8 +121,8 @@ func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error errList = append(errList, tdf.Error) continue } - } + if len(errList) != 0 { return BulkDecryptionErrors(errList) } diff --git a/sdk/kas_client.go b/sdk/kas_client.go index 60e35fffd0..d2b11fbdab 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go 
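Review bot: In the new per-KAS loop in BulkDecrypt, `err` is reassigned on every iteration and only inspected after the loop, so a failure from one KAS is silently overwritten when a later KAS succeeds, and the merge of `rewrapResp` still runs for the failed call. Checking inside the loop right after the switch, `if err != nil { return fmt.Errorf("bulk rewrap failed: %w", err) }`, keeps the existing message and makes the post-loop check redundant; if partial per-KAS failure is meant to be tolerated instead, collect the errors with `errors.Join` (the file already imports `errors`) and keep iterating. The `case Standard, Invalid:` arm also routes an Invalid type to `unwrap`, though createDecryptor rejects Invalid earlier so that path is presumably unreachable. BulkDecrypt starts before this hunk.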
@@ -3,6 +3,7 @@ package sdk import ( "context" "encoding/json" + "errors" "fmt" "net" "net/url" @@ -30,11 +31,11 @@ type KASClient struct { type KAOResult struct { SymmetricKey []byte Error error - KeyAccessObjectId string + KeyAccessObjectID string } type Decryptor interface { - CreateRewrapRequest(ctx context.Context) (*request.RewrapRequests, error) + CreateRewrapRequest(ctx context.Context) (map[string]*request.RewrapRequests, error) Decrypt(ctx context.Context, results []KAOResult) (uint32, error) } @@ -72,7 +73,7 @@ func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*request.R return response, nil } -func (k *KASClient) nanoUnwrap(ctx context.Context, requests []*request.RewrapRequests) (map[string][]KAOResult, error) { +func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*request.RewrapRequests) (map[string][]KAOResult, error) { keypair, err := ocrypto.NewECKeyPair(ocrypto.ECCModeSecp256r1) if err != nil { return nil, fmt.Errorf("ocrypto.NewECKeyPair failed :%w", err) 
@@ -108,29 +109,28 @@ func (k *KASClient) nanoUnwrap(ctx context.Context, requests []*request.RewrapRe } policyResults := make(map[string][]KAOResult) - for _, results := range response.Responses { + for _, results := range response.GetResponses() { var kaoKeys []KAOResult for _, kao := range results.GetResults() { if kao.GetStatus() == request.PermitStatus { wrappedKey := kao.GetKasWrappedKey() key, err := aesGcm.Decrypt(wrappedKey) if err != nil { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: err}) + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err}) } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, SymmetricKey: key}) + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), SymmetricKey: key}) } } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: fmt.Errorf(kao.GetError())}) + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: errors.New(kao.GetError())}) } } - policyResults[results.PolicyId] = kaoKeys + policyResults[results.GetPolicyId()] = kaoKeys } return policyResults, nil - } -func (k *KASClient) unwrap(ctx context.Context, requests []*request.RewrapRequests) (map[string][]KAOResult, error) { +func (k *KASClient) unwrap(ctx context.Context, requests ...*request.RewrapRequests) (map[string][]KAOResult, error) { if k.sessionKey == nil { return nil, fmt.Errorf("session key is nil") } 
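Review bot: The non-permit branch builds the client-side error solely from `kao.GetError()`, so a deny or any other status with an empty error string becomes a non-nil error with an empty message and the status itself is lost; the unwrap hunk at @@ -154,144 +154,27 @@ has the same pattern. Including the status keeps the diagnosis usable: `Error: fmt.Errorf("kas returned status %q: %s", kao.GetStatus(), kao.GetError())`. Separately, `policyResults[results.GetPolicyId()] = kaoKeys` silently replaces an earlier entry if a response carries the same policy id twice, whereas `append` would preserve both sets of results.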
@@ -154,144 +154,27 @@ func (k *KASClient) unwrap(ctx context.Context, requests []*request.RewrapReques } policyResults := make(map[string][]KAOResult) - for _, results := range response.Responses { + for _, results := range response.GetResponses() { var kaoKeys []KAOResult for _, kao := range results.GetResults() { if kao.GetStatus() == request.PermitStatus { wrappedKey := kao.GetKasWrappedKey() key, err := asymDecryption.Decrypt(wrappedKey) if err != nil { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: err}) + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err}) } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, SymmetricKey: key}) + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), SymmetricKey: key}) } } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectId: kao.KeyAccessObjectId, Error: fmt.Errorf(kao.GetError())}) + kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: errors.New(kao.GetError())}) } } - policyResults[results.PolicyId] = kaoKeys + policyResults[results.GetPolicyId()] = kaoKeys } return policyResults, nil } -func (k *KASClient) createNanoTDFRewrapRequest(header string, kasURL string, pubKey string) (*kas.RewrapRequest, error) { - kAccess := keyAccess{ - Header: header, - KeyAccessType: "remote", - URL: kasURL, - Protocol: "kas", - } - - requestBody := requestBody{ - Algorithm: "ec:secp256r1", - KeyAccess: kAccess, - ClientPublicKey: pubKey, - } - - requestBodyJSON, err := json.Marshal(requestBody) - if err != nil { - return nil, fmt.Errorf("Error marshaling request body: %w", err) - } - - now := time.Now() - tok, err := jwt.NewBuilder(). - Claim("requestBody", string(requestBodyJSON)). - IssuedAt(now). - Expiration(now.Add(secondsPerMinute * time.Second)). 
- Build() - if err != nil { - return nil, fmt.Errorf("failed to create jwt: %w", err) - } - - signedToken, err := k.accessTokenSource.MakeToken(func(key jwk.Key) ([]byte, error) { - signed, err := jwt.Sign(tok, jwt.WithKey(key.Algorithm(), key)) - if err != nil { - return nil, fmt.Errorf("error signing DPoP token: %w", err) - } - - return signed, nil - }) - if err != nil { - return nil, fmt.Errorf("failed to sign the token: %w", err) - } - - rewrapRequest := kas.RewrapRequest{ - SignedRequestToken: string(signedToken), - } - return &rewrapRequest, nil -} - -func (k *KASClient) makeNanoTDFRewrapRequest(ctx context.Context, header string, kasURL string, pubKey string) (*kas.RewrapResponse, error) { - rewrapRequest, err := k.createNanoTDFRewrapRequest(header, kasURL, pubKey) - if err != nil { - return nil, err - } - grpcAddress, err := getGRPCAddress(kasURL) - if err != nil { - return nil, err - } - - conn, err := grpc.NewClient(grpcAddress, k.dialOptions...) - if err != nil { - return nil, fmt.Errorf("error connecting to kas: %w", err) - } - defer conn.Close() - - serviceClient := kas.NewAccessServiceClient(conn) - - response, err := serviceClient.Rewrap(ctx, rewrapRequest) - if err != nil { - return nil, fmt.Errorf("error making rewrap request: %w", err) - } - - return response, nil -} - -func (k *KASClient) unwrapNanoTDF(ctx context.Context, header string, kasURL string) ([]byte, error) { - keypair, err := ocrypto.NewECKeyPair(ocrypto.ECCModeSecp256r1) - if err != nil { - return nil, fmt.Errorf("ocrypto.NewECKeyPair failed :%w", err) - } - - publicKeyAsPem, err := keypair.PublicKeyInPemFormat() - if err != nil { - return nil, fmt.Errorf("ocrypto.NewECKeyPair.PublicKeyInPemFormat failed :%w", err) - } - - privateKeyAsPem, err := keypair.PrivateKeyInPemFormat() - if err != nil { - return nil, fmt.Errorf("ocrypto.NewECKeyPair.PrivateKeyInPemFormat failed :%w", err) - } - - response, err := k.makeNanoTDFRewrapRequest(ctx, header, kasURL, publicKeyAsPem) - if err != nil 
{ - return nil, fmt.Errorf("error making nano rewrap request to kas: %w", err) - } - - sessionKey, err := ocrypto.ComputeECDHKey([]byte(privateKeyAsPem), []byte(response.GetSessionPublicKey())) - if err != nil { - return nil, fmt.Errorf("ocrypto.ComputeECDHKey failed :%w", err) - } - - sessionKey, err = ocrypto.CalculateHKDF(versionSalt(), sessionKey) - if err != nil { - return nil, fmt.Errorf("ocrypto.CalculateHKDF failed:%w", err) - } - - aesGcm, err := ocrypto.NewAESGcm(sessionKey) - if err != nil { - return nil, fmt.Errorf("ocrypto.NewAESGcm failed:%w", err) - } - - symmetricKey, err := aesGcm.Decrypt(response.GetEntityWrappedKey()) - if err != nil { - return nil, fmt.Errorf("AesGcm.Decrypt failed:%w", err) - } - - return symmetricKey, nil -} - func getGRPCAddress(kasURL string) (string, error) { parsedURL, err := url.Parse(kasURL) if err != nil { @@ -313,7 +196,6 @@ func getGRPCAddress(kasURL string) (string, error) { } func (k *KASClient) getRewrapRequest(reqs []*request.RewrapRequests, pubKey string) (*kas.RewrapRequest, error) { - requestBody := request.Body{ ClientPublicKey: pubKey, Requests: reqs, diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index dfdb1f5a75..0590b504c2 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -6,6 +6,8 @@ import ( "net/http" "testing" + "github.com/opentdf/platform/service/kas/request" + "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" 
@@ -58,21 +60,32 @@ func TestCreatingRequest(t *testing.T) { client := newKASClient(dialOption, tokenSource, &kasKey) - keyAccess := KeyAccess{ - KeyType: "type1", - KasURL: "https://kas.example.org", - Protocol: "protocol one", - WrappedKey: "wrapped", - PolicyBinding: PolicyBinding{ - Alg: "HS256", - Hash: "somehash", + keyAccess := []*request.RewrapRequests{ + { + KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ + { + KeyAccess: request.KeyAccess{ + KeyType: "type1", + KasURL: "https://kas.example.org", + Protocol: "protocol one", + WrappedKey: []byte("wrapped"), + PolicyBinding: PolicyBinding{ + Alg: "HS256", + Hash: "somehash", + }, + EncryptedMetadata: "encrypted", + }, + }, + }, }, - EncryptedMetadata: "encrypted", } + kp, err := ocrypto.NewRSAKeyPair(1024) + require.NoError(t, err, "failed to make pub key") + pubkey, err := kp.PublicKeyInPemFormat() + require.NoError(t, err, "failed to make pub key") - req, err := client.getRewrapRequest(keyAccess, "a policy") + req, err := client.getRewrapRequest(keyAccess, pubkey) require.NoError(t, err, "failed to create a rewrap request") - if req.GetSignedRequestToken() == "" { t.Fatalf("didn't produce a signed request token") } 
@@ -85,29 +98,25 @@ func TestCreatingRequest(t *testing.T) { rb, ok := tok.Get("requestBody") require.True(t, ok, "didn't contain a request body") requestBodyJSON, _ := rb.(string) - var requestBody map[string]interface{} + var requestBody request.Body require.NoError(t, json.Unmarshal([]byte(requestBodyJSON), &requestBody), "error unmarshaling request body") - cpk, ok := requestBody["clientPublicKey"].(string) - require.True(t, ok) - - _, err = ocrypto.NewAsymEncryption(cpk) + _, err = ocrypto.NewAsymEncryption(requestBody.ClientPublicKey) require.NoError(t, err, "NewAsymEncryption failed, incorrect public key include") - assert.Equal(t, "a policy", requestBody["policy"]) - - requestKeyAccess, ok := requestBody["keyAccess"].(map[string]interface{}) - require.True(t, ok) - policyBinding, ok := requestKeyAccess["policyBinding"].(map[string]interface{}) - require.True(t, ok) + require.Len(t, requestBody.Requests, 1) + require.Len(t, requestBody.Requests[0].KeyAccessObjectRequests, 1) + kao := requestBody.Requests[0].KeyAccessObjectRequests[0] + policyBinding, ok := kao.PolicyBinding.(map[string]interface{}) + require.True(t, ok, "invalid policy binding") - assert.Equal(t, "https://kas.example.org", requestKeyAccess["url"], "incorrect kasURL") - assert.Equal(t, "protocol one", requestKeyAccess["protocol"], "incorrect protocol") - assert.Equal(t, "wrapped", requestKeyAccess["wrappedKey"], "incorrect wrapped key") + assert.Equal(t, "https://kas.example.org", kao.KasURL, "incorrect kasURL") + assert.Equal(t, "protocol one", kao.Protocol, "incorrect protocol") + assert.Equal(t, []byte("wrapped"), kao.WrappedKey, "incorrect wrapped key") assert.Equal(t, "HS256", policyBinding["alg"], "incorrect policy binding") assert.Equal(t, "somehash", policyBinding["hash"], "incorrect policy binding") - assert.Equal(t, "encrypted", requestKeyAccess["encryptedMetadata"], "incorrect encrypted metadata") + assert.Equal(t, "encrypted", kao.EncryptedMetadata, "incorrect encrypted metadata") 
} func Test_StoreKASKeys(t *testing.T) { diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go index 96b974aeaf..e4a7f7b9ca 100644 --- a/sdk/nanotdf.go +++ b/sdk/nanotdf.go @@ -9,12 +9,13 @@ import ( "encoding/json" "errors" "fmt" - "github.com/opentdf/platform/service/kas/request" "io" "log/slog" "sync" "time" + "github.com/opentdf/platform/service/kas/request" + "github.com/opentdf/platform/lib/ocrypto" ) @@ -913,14 +914,13 @@ func CreateNanoTDFDecryptHandler(reader io.ReadSeeker, writer io.Writer) *NanoTD reader: reader, writer: writer, } - } func (n *NanoTDFDecryptHandler) getRawHeader() []byte { return n.headerBuf } -func (n *NanoTDFDecryptHandler) CreateRewrapRequest(ctx context.Context) (*request.RewrapRequests, error) { +func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[string]*request.RewrapRequests, error) { var err error var headerSize uint32 n.header, headerSize, err = NewNanoTDFHeaderFromReader(n.reader) @@ -942,7 +942,7 @@ func (n *NanoTDFDecryptHandler) CreateRewrapRequest(ctx context.Context) (*reque return nil, err } - return &request.RewrapRequests{ + req := &request.RewrapRequests{ KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ { KeyAccessObjectID: "kao-0", @@ -953,10 +953,11 @@ func (n *NanoTDFDecryptHandler) CreateRewrapRequest(ctx context.Context) (*reque ID: "policy", }, Algorithm: "ec:secp256r1", - }, nil + } + return map[string]*request.RewrapRequests{kasURL: req}, nil } -func (n *NanoTDFDecryptHandler) Decrypt(ctx context.Context, result []KAOResult) (uint32, error) { +func (n *NanoTDFDecryptHandler) Decrypt(_ context.Context, result []KAOResult) (uint32, error) { var err error if len(result) != 1 { return 0, fmt.Errorf("improper result from kas") 
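Review bot: The moved `request` import in the nanotdf.go import hunk sits in a group of its own between the standard library and the other `github.com/opentdf/platform/...` import, which goimports would fold into a single third-party group; the tdf.go, kas_client_test.go and tdf_test.go import hunks do the same. Placing `"github.com/opentdf/platform/service/kas/request"` next to `"github.com/opentdf/platform/lib/ocrypto"` in the existing group keeps these files stable under goimports.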
@@ -1044,8 +1045,12 @@ func (s SDK) getNanoRewrapKey(ctx context.Context, decryptor *NanoTDFDecryptHand } client := newKASClient(s.dialOptions, s.tokenSource, nil) + kasURL, err := decryptor.header.kasURL.GetURL() + if err != nil { + return nil, err + } - policyResult, err := client.nanoUnwrap(ctx, []*request.RewrapRequests{req}) + policyResult, err := client.nanoUnwrap(ctx, req[kasURL]) if err != nil { return nil, fmt.Errorf("rewrap failed: %w", err) } @@ -1063,19 +1068,6 @@ func (s SDK) getNanoRewrapKey(ctx context.Context, decryptor *NanoTDFDecryptHand return result[0].SymmetricKey, nil } -type requestBody struct { - Algorithm string `json:"algorithm,omitempty"` - KeyAccess keyAccess `json:"keyAccess"` - ClientPublicKey string `json:"clientPublicKey"` -} - -type keyAccess struct { - Header string `json:"header"` - KeyAccessType string `json:"type"` - URL string `json:"url"` - Protocol string `json:"protocol"` -} - func versionSalt() []byte { digest := sha256.New() digest.Write([]byte(kNanoTDFMagicStringAndVersion)) diff --git a/sdk/tdf.go b/sdk/tdf.go index 5f25cc4490..bb92415acb 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -7,12 +7,13 @@ import ( "encoding/json" "errors" "fmt" - "github.com/opentdf/platform/service/kas/request" "io" "math" "strconv" "strings" + "github.com/opentdf/platform/service/kas/request" + "github.com/google/uuid" "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/sdk/auth" @@ -93,7 +94,7 @@ func (r *tdf3DecryptHandler) Decrypt(ctx context.Context, results []KAOResult) ( return uint32(n), err } -func (r *tdf3DecryptHandler) CreateRewrapRequest(ctx context.Context) (*request.RewrapRequests, error) { +func (r *tdf3DecryptHandler) CreateRewrapRequest(ctx context.Context) (map[string]*request.RewrapRequests, error) { return createRewrapRequest(ctx, r.reader) } 
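Review bot: `client.nanoUnwrap(ctx, req[kasURL])` in getNanoRewrapKey passes a nil `*request.RewrapRequests` whenever the map (presumably the one returned by CreateRewrapRequest) is not keyed by the URL recomputed here, and nanoUnwrap would then dereference it. Looking the entry up with the comma-ok form and failing early, `r, ok := req[kasURL]; if !ok { return nil, fmt.Errorf("no rewrap request for kas %q", kasURL) }`, makes the coupling explicit; since the map holds a single entry, ranging over it and ignoring the key would remove the second GetURL call altogether. getNanoRewrapKey starts before this hunk.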
@@ -820,44 +821,50 @@ func (r *Reader) UnsafePayloadKeyRetrieval() ([]byte, error) { return r.payloadKey, nil } -func createRewrapRequest(ctx context.Context, r *Reader) (*request.RewrapRequests, error) { - rewrapReq := request.RewrapRequests{ - Policy: request.PolicyRequest{ - Body: r.manifest.EncryptionInformation.Policy, - ID: "policy", - }, - } +func createRewrapRequest(_ context.Context, r *Reader) (map[string]*request.RewrapRequests, error) { + kasReqs := make(map[string]*request.RewrapRequests) for i, kao := range r.manifest.EncryptionInformation.KeyAccessObjs { - kaoId := fmt.Sprintf("kao-%d", i) + kaoID := fmt.Sprintf("kao-%d", i) key, err := ocrypto.Base64Decode([]byte(kao.WrappedKey)) if err != nil { return nil, fmt.Errorf("could not decode wrapper key: %w", err) } - rewrapReq.KeyAccessObjectRequests = append(rewrapReq.KeyAccessObjectRequests, - &request.KeyAccessObjectRequest{ - KeyAccessObjectID: kaoId, - KeyAccess: request.KeyAccess{ - KeyType: kao.KeyType, - KasURL: kao.KasURL, - KID: kao.KID, - Protocol: kao.Protocol, - PolicyBinding: kao.PolicyBinding, - SplitID: kao.SplitID, - WrappedKey: key, + kaoReq := &request.KeyAccessObjectRequest{ + KeyAccessObjectID: kaoID, + KeyAccess: request.KeyAccess{ + KeyType: kao.KeyType, + KasURL: kao.KasURL, + KID: kao.KID, + Protocol: kao.Protocol, + PolicyBinding: kao.PolicyBinding, + SplitID: kao.SplitID, + WrappedKey: key, + }, + } + if req, ok := kasReqs[kao.KasURL]; ok { + req.KeyAccessObjectRequests = append(req.KeyAccessObjectRequests, kaoReq) + } else { + rewrapReq := request.RewrapRequests{ + Policy: request.PolicyRequest{ + Body: r.manifest.EncryptionInformation.Policy, + ID: "policy", }, - }) + KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{kaoReq}, + } + kasReqs[kao.KasURL] = &rewrapReq + } } - return &rewrapReq, nil + return kasReqs, nil } -func getIdx(kaoId string) int { - idx, _ := strconv.Atoi(strings.Split(kaoId, "-")[1]) +func getIdx(kaoID string) int { + idx, _ := 
strconv.Atoi(strings.Split(kaoID, "-")[1]) return idx } -func (r *Reader) buildKey(ctx context.Context, results []KAOResult) error { +func (r *Reader) buildKey(_ context.Context, results []KAOResult) error { var unencryptedMetadata []byte var payloadKey [kKeySize]byte knownSplits := make(map[string]bool) @@ -866,14 +873,13 @@ func (r *Reader) buildKey(ctx context.Context, results []KAOResult) error { mixedSplits := len(r.manifest.KeyAccessObjs) > 1 && r.manifest.KeyAccessObjs[0].SplitID != "" for _, kaoRes := range results { - idx := getIdx(kaoRes.KeyAccessObjectId) + idx := getIdx(kaoRes.KeyAccessObjectID) keyAccessObj := r.manifest.KeyAccessObjs[idx] ss := keySplitStep{KAS: keyAccessObj.KasURL, SplitID: keyAccessObj.SplitID} wrappedKey := kaoRes.SymmetricKey err := kaoRes.Error if !mixedSplits { //nolint:nestif // todo: subfunction - if err != nil { errToReturn := fmt.Errorf("doPayloadKeyUnwrap splitKey.rewrap failed: %w", err) if strings.Contains(err.Error(), codes.InvalidArgument.String()) { @@ -890,7 +896,7 @@ func (r *Reader) buildKey(ctx context.Context, results []KAOResult) error { // already found continue } - //wrappedKey, err = client.buildKey(ctx, keyAccessObj, r.manifest.EncryptionInformation.Policy) + // wrappedKey, err = client.buildKey(ctx, keyAccessObj, r.manifest.EncryptionInformation.Policy) if err != nil { errToReturn := fmt.Errorf("kao buildKey failed for split %v: %w", ss, err) if !strings.Contains(err.Error(), codes.InvalidArgument.String()) { 
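Review bot: In the buildKey hunk at @@ -866,14 +873,13 @@, `idx := getIdx(kaoRes.KeyAccessObjectID)` now takes its input from the KAS response, and getIdx (in the preceding hunk) splits on `-` and discards the Atoi error, so an id without a dash panics on `[1]` and any out-of-range number panics on `r.manifest.KeyAccessObjs[idx]`. Having getIdx return the parse error and bounds-checking before indexing, `if idx < 0 || idx >= len(r.manifest.KeyAccessObjs) { return fmt.Errorf("unexpected key access object id %q", kaoRes.KeyAccessObjectID) }`, turns a malformed response into an ordinary error instead of a crash. buildKey continues past the end of the hunk.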
@@ -1041,26 +1047,30 @@ func (r *Reader) buildKey(ctx context.Context, results []KAOResult) error { r.aesGcm = gcm return nil - } // Unwraps the payload key, if possible, using the access service func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocognit // Better readability keeping it as is kasClient := newKASClient(r.dialOptions, r.tokenSource, &r.kasSessionKey) - req, err := createRewrapRequest(ctx, r) - if err != nil { - return err - } - policyRes, err := kasClient.unwrap(ctx, []*request.RewrapRequests{req}) + reqs, err := createRewrapRequest(ctx, r) if err != nil { return err } - result, ok := policyRes["policy"] - if !ok { - return fmt.Errorf("could not find policy in rewrap response") + var kaoResults []KAOResult + for _, req := range reqs { + policyRes, err := kasClient.unwrap(ctx, req) + if err != nil { + return err + } + result, ok := policyRes["policy"] + if !ok { + return fmt.Errorf("could not find policy in rewrap response") + } + kaoResults = append(kaoResults, result...) } - return r.buildKey(ctx, result) + + return r.buildKey(ctx, kaoResults) } // calculateSignature calculate signature of data of the given algorithm. diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go index dd2bce58d6..9a5c66ce58 100644 --- a/sdk/tdf_test.go +++ b/sdk/tdf_test.go @@ -18,6 +18,8 @@ import ( "testing" "time" + "github.com/opentdf/platform/service/kas/request" + "github.com/lestrrat-go/jwx/v2/jwt" "github.com/opentdf/platform/lib/ocrypto" kaspb "github.com/opentdf/platform/protocol/go/kas" @@ -1215,7 +1217,7 @@ func (s *TDFSuite) testDecryptWithReader(sdk *SDK, tdfFile, decryptedTdfFileName r, err := sdk.LoadTDF(readSeeker) s.Require().NoError(err) - ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(60*time.Millisecond)) + ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(300*time.Minute)) defer cancel() err = r.Init(ctx) s.Require().NoError(err) 
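Review bot: doPayloadKeyUnwrap now calls `kasClient.unwrap` once per KAS but returns on the first transport-level error, so a single unreachable KAS aborts the whole unwrap even though buildKey, earlier in this file, appears to tolerate per-KAO failures carried in `KAOResult.Error` when splits are mixed. If that tolerance is intended, recording the failed KAS's KAOs as `KAOResult{KeyAccessObjectID: kao.KeyAccessObjectID, Error: err}` entries and continuing would let buildKey decide; if not, a one-line comment stating that any KAS failure is fatal here would save the next reader the question. The inner `err` also shadows the outer one via `:=`, harmless here but easy to trip over given the `//nolint:gocognit` on the function.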
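Review bot: The deadline in testDecryptWithReader goes from 60 milliseconds to `300*time.Minute`, which stops the test from exercising cancellation at all rather than loosening it. If the grouped rewrap path genuinely needs more than 60 ms, a bound of a few seconds still catches a hung `r.Init(ctx)`; otherwise a comment explaining why the deadline is now effectively unbounded would help.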
@@ -1427,40 +1429,52 @@ func (f *FakeKas) Rewrap(_ context.Context, in *kaspb.RewrapRequest) (*kaspb.Rew if !ok { return nil, fmt.Errorf("requestBody not a string") } - entityWrappedKey := f.getRewrappedKey(requestBodyStr) + result := f.getRewrapResponse(requestBodyStr) - return &kaspb.RewrapResponse{EntityWrappedKey: entityWrappedKey}, nil + return result, nil } func (f *FakeKas) PublicKey(_ context.Context, _ *kaspb.PublicKeyRequest) (*kaspb.PublicKeyResponse, error) { return &kaspb.PublicKeyResponse{PublicKey: f.KASInfo.PublicKey, Kid: f.KID}, nil } -func (f *FakeKas) getRewrappedKey(rewrapRequest string) []byte { - bodyData := RequestBody{} +func (f *FakeKas) getRewrapResponse(rewrapRequest string) *kaspb.RewrapResponse { + bodyData := request.Body{} err := json.Unmarshal([]byte(rewrapRequest), &bodyData) f.s.Require().NoError(err, "json.Unmarshal failed") + resp := &kaspb.RewrapResponse{} + + for _, req := range bodyData.Requests { + results := &kaspb.RewrapResult{PolicyId: req.Policy.ID} + resp.Responses = append(resp.Responses, results) + for _, kaoReq := range req.KeyAccessObjectRequests { + wrappedKey := kaoReq.WrappedKey + + kasPrivateKey := strings.ReplaceAll(f.privateKey, "\n\t", "\n") + if kaoReq.KID != "" && kaoReq.KID != f.KID { + // old kid + lk, ok := f.legakeys[kaoReq.KID] + f.s.Require().True(ok, "unable to find key [%s]", kaoReq.KID) + kasPrivateKey = strings.ReplaceAll(lk.private, "\n\t", "\n") + } - wrappedKey, err := ocrypto.Base64Decode([]byte(bodyData.WrappedKey)) - f.s.Require().NoError(err, "ocrypto.Base64Decode failed") - - kasPrivateKey := strings.ReplaceAll(f.privateKey, "\n\t", "\n") - if bodyData.KID != "" && bodyData.KID != f.KID { - // old kid - lk, ok := f.legakeys[bodyData.KID] - f.s.Require().True(ok, "unable to find key [%s]", bodyData.KID) - kasPrivateKey = strings.ReplaceAll(lk.private, "\n\t", "\n") + asymDecrypt, err := ocrypto.NewAsymDecryption(kasPrivateKey) + f.s.Require().NoError(err, "ocrypto.NewAsymDecryption failed") 
+ symmetricKey, err := asymDecrypt.Decrypt(wrappedKey) + f.s.Require().NoError(err, "ocrypto.Decrypt failed") + asymEncrypt, err := ocrypto.NewAsymEncryption(bodyData.ClientPublicKey) + f.s.Require().NoError(err, "ocrypto.NewAsymEncryption failed") + entityWrappedKey, err := asymEncrypt.Encrypt(symmetricKey) + f.s.Require().NoError(err, "ocrypto.encrypt failed") + kaoResult := &kaspb.KAORewrapResult{ + Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: entityWrappedKey}, + Status: "permit", + KeyAccessObjectId: kaoReq.KeyAccessObjectID, + } + results.Results = append(results.Results, kaoResult) + } } - - asymDecrypt, err := ocrypto.NewAsymDecryption(kasPrivateKey) - f.s.Require().NoError(err, "ocrypto.NewAsymDecryption failed") - symmetricKey, err := asymDecrypt.Decrypt(wrappedKey) - f.s.Require().NoError(err, "ocrypto.Decrypt failed") - asymEncrypt, err := ocrypto.NewAsymEncryption(bodyData.ClientPublicKey) - f.s.Require().NoError(err, "ocrypto.NewAsymEncryption failed") - entityWrappedKey, err := asymEncrypt.Encrypt(symmetricKey) - f.s.Require().NoError(err, "ocrypto.encrypt failed") - return entityWrappedKey + return resp } func (s *TDFSuite) checkIdentical(file, checksum string) bool { diff --git a/service/kas/request/rewrap.go b/service/kas/request/rewrap.go index 65c32cc5e0..92fbdd6dbb 100644 --- a/service/kas/request/rewrap.go +++ b/service/kas/request/rewrap.go @@ -32,5 +32,5 @@ type RewrapRequests struct { type Body struct { Requests []*RewrapRequests `json:"requests"` - ClientPublicKey string `json:"ClientPublicKey"` + ClientPublicKey string `json:"clientPublicKey"` } From 81eb000be9c2bf5cc178c3acaa060835d5316102 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 16/48] added rt test Summary: Test Plan: --- service/rttests/rt_test.go | 57 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) 
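Review bot: The fake KAS sets `Status: "permit"` as a string literal while the client compares against `request.PermitStatus`, so the test passes only while the two happen to be spelled identically; `Status: request.PermitStatus` keeps them tied together. The fake also only ever produces permit results, so the client's non-permit branch (the `errors.New(kao.GetError())` path) is not covered by this suite.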
diff --git a/service/rttests/rt_test.go b/service/rttests/rt_test.go index 49a43737b0..624f443a80 100644 --- a/service/rttests/rt_test.go +++ b/service/rttests/rt_test.go @@ -123,11 +123,13 @@ func (s *RoundtripSuite) SetupSuite() { } func (s *RoundtripSuite) Tests() { + var passNames []string // success tests for i, attributes := range successAttributeSets { n := fmt.Sprintf("success roundtrip %d", i) s.Run(n, func() { filename := fmt.Sprintf("test-success-%d.tdf", i) + passNames = append(passNames, filename) plaintext := "Running a roundtrip test!" err := encrypt(s.client, s.TestConfig, plaintext, attributes, filename) s.Require().NoError(err) @@ -136,11 +138,13 @@ func (s *RoundtripSuite) Tests() { }) } + var failNames []string // failure tests for i, attributes := range failureAttributeSets { n := fmt.Sprintf("failure roundtrip %d", i) s.Run(n, func() { filename := fmt.Sprintf("test-failure-%d.tdf", i) + failNames = append(failNames, filename) plaintext := "Running a roundtrip test!" err := encrypt(s.client, s.TestConfig, plaintext, attributes, filename) s.Require().NoError(err) @@ -148,6 +152,11 @@ func (s *RoundtripSuite) Tests() { s.ErrorContains(err, "PermissionDenied") }) } + + // bulk tests + s.Run("bulk test", func() { + s.Require().NoError(bulk(s.client, passNames, failNames, "Running a roundtrip test!")) + }) } func (s *RoundtripSuite) CreateTestData() error { 
@@ -372,3 +381,51 @@ func decrypt(client *sdk.SDK, tdfFile string, plaintext string) error { return nil } + +func bulk(client *sdk.SDK, tdfSuccess []string, tdfFail []string, plaintext string) error { + var passTDF []*sdk.BulkTDF + for _, fileName := range tdfSuccess { + file, err := os.Open(fileName) + if err != nil { + return err + } + + defer file.Close() + + buf := new(strings.Builder) + passTDF = append(passTDF, &sdk.BulkTDF{Writer: buf, Reader: file}) + } + + var failTDF []*sdk.BulkTDF + for _, fileName := range tdfFail { + file, err := os.Open(fileName) + if err != nil { + return err + } + + defer file.Close() + + buf := new(strings.Builder) + failTDF = append(failTDF, &sdk.BulkTDF{Writer: buf, Reader: file}) + } + + req := client.CreateBulkRewrapRequest(sdk.WithTDFs(passTDF...), sdk.WithTDFs(failTDF...)) + req.TDFType = sdk.Standard + _ = client.BulkDecrypt(context.Background(), req) + for _, tdf := range passTDF { + builder := tdf.Writer.(*strings.Builder) + if tdf.Error != nil { + return tdf.Error + } + if builder.String() != plaintext { + return fmt.Errorf("bulk did not equal plaintext") + } + } + for _, tdf := range failTDF { + if tdf.Error == nil { + return fmt.Errorf("no expected err") + } + } + + return nil +} From 2affa1cec98dc961ce736f2b0713e56a0b9ed10d Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 17/48] name fix Summary: Test Plan: --- sdk/bulk.go | 3 ++- sdk/nanotdf.go | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/sdk/bulk.go b/sdk/bulk.go index d09e86bab9..d0fdfc479e 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go 
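Review bot: `_ = client.BulkDecrypt(context.Background(), req)` discards the returned error, so a non-partial failure (transport, session key) surfaces later only as `bulk did not equal plaintext` or `no expected err`, hiding the actual cause. Keeping the partial-failure case while propagating everything else, `if err := client.BulkDecrypt(context.Background(), req); err != nil { if _, ok := sdk.IsPartialFailure(err); !ok { return err } }`, preserves the per-TDF checks below. The two file-opening loops also `defer file.Close()` inside a loop and are otherwise identical; a small helper that opens the files and returns the `[]*sdk.BulkTDF` would remove the duplication and scope the closes properly.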
@@ -52,7 +52,7 @@ func (s SDK) CreateBulkRewrapRequest(options ...BulkDecryptOption) *BulkDecryptR func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { switch tdfType { case Nano: - decryptor := CreateNanoTDFDecryptHandler(tdf.Reader, tdf.Writer) + decryptor := createNanoTDFDecryptHandler(tdf.Reader, tdf.Writer) return decryptor, nil case Standard: return s.createTDF3DecryptHandler(tdf.Writer, tdf.Reader) @@ -61,6 +61,7 @@ func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { return nil, fmt.Errorf("unknown tdf type: %s", tdfType) } +// BulkDecrypt func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error { kasRewrapRequests := make(map[string][]*request.RewrapRequests) tdfDecryptors := make(map[string]Decryptor) diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go index e4a7f7b9ca..aff0ad0221 100644 --- a/sdk/nanotdf.go +++ b/sdk/nanotdf.go @@ -909,7 +909,7 @@ type NanoTDFDecryptHandler struct { headerBuf []byte } -func CreateNanoTDFDecryptHandler(reader io.ReadSeeker, writer io.Writer) *NanoTDFDecryptHandler { +func createNanoTDFDecryptHandler(reader io.ReadSeeker, writer io.Writer) *NanoTDFDecryptHandler { return &NanoTDFDecryptHandler{ reader: reader, writer: writer, @@ -1023,7 +1023,7 @@ func (s SDK) ReadNanoTDF(writer io.Writer, reader io.ReadSeeker) (uint32, error) // ReadNanoTDFContext - allows cancelling the reader func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io.ReadSeeker) (uint32, error) { - handler := CreateNanoTDFDecryptHandler(reader, writer) + handler := createNanoTDFDecryptHandler(reader, writer) symmetricKey, err := s.getNanoRewrapKey(ctx, handler) if err != nil { From ca981052cd18dd74d5040d718f83da93bdd6b31e Mon Sep 17 00:00:00 2001 
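Review bot: The `// BulkDecrypt` comment added above the exported method in the `@@ -61,6 +61,7 @@` hunk is a bare name with no contract, which satisfies the doc-comment linter but tells callers nothing. From the hunk the method groups rewrap requests and decryptors per key (`kasRewrapRequests`, `tdfDecryptors`), and the rttests helper reads failures from each `BulkTDF.Error`, so the comment should state which failures come back on the return value and which on the per-TDF field, e.g. `// BulkDecrypt rewraps and decrypts every TDF in bulkReq, batching requests per KAS; per-TDF failures are recorded on BulkTDF.Error while the returned error covers request-level failures.` — adjust if the body reports differently. The method body continues past the hunk, so the error contract cannot be confirmed from here.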
From: Dominic Reed Date: Fri, 10 Jan 2025 14:13:57 -0800 Subject: [PATCH 18/48] to proto --- docs/grpc/index.html | 238 ++++++ protocol/go/kas/kas.pb.go | 770 +++++++++++++++---- sdk/bulk.go | 6 +- sdk/kas_client.go | 24 +- sdk/kas_client_test.go | 52 +- sdk/nanotdf.go | 18 +- sdk/tdf.go | 35 +- sdk/tdf_test.go | 26 +- service/kas/access/accessPdp.go | 8 +- service/kas/{request => access}/attribute.go | 4 +- service/kas/{request => access}/keyaccess.go | 8 +- service/kas/{request => access}/policy.go | 2 +- service/kas/access/rewrap.go | 365 +++++---- service/kas/access/rewrap_test.go | 52 +- service/kas/kas.proto | 33 + service/kas/request/rewrap.go | 36 - service/rttests/rt_test.go | 6 +- 17 files changed, 1217 insertions(+), 466 deletions(-) rename service/kas/{request => access}/attribute.go (88%) rename service/kas/{request => access}/keyaccess.go (73%) rename service/kas/{request => access}/policy.go (98%) delete mode 100644 service/kas/request/rewrap.go diff --git a/docs/grpc/index.html b/docs/grpc/index.html index ff3e231312..b9d10acf1d 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -446,10 +446,22 @@

    Table of Contents

    MKAORewrapResult.MetadataEntry +
  • + MKeyAccess +
  • + +
  • + MKeyAccessObjectRequest +
  • +
  • MLegacyPublicKeyRequest
  • +
  • + MPolicyRequest +
  • +
  • MPublicKeyRequest
  • @@ -458,10 +470,18 @@

    Table of Contents

    MPublicKeyResponse +
  • + MRequestBody +
  • +
  • MRewrapRequest
  • +
  • + MRewrapRequestBody +
  • +
  • MRewrapResponse
  • @@ -3298,6 +3318,124 @@

    KAORewrapResult.MetadataEntry

    +

    KeyAccess

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    encrypted_metadatastring

    policy_bindingbytes

    protocolstring

    key_typestring

    kas_urlstring

    kidstring

    split_idstring

    wrapped_keybytes

    headerbytes

    algorithmstring

    + + + + + +

    KeyAccessObjectRequest

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    key_access_object_idstring

    key_access_objectKeyAccess

    + + + + +

    LegacyPublicKeyRequest

    @@ -3322,6 +3460,37 @@

    LegacyPublicKeyRequest

    +

    PolicyRequest

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    idstring

    bodystring

    + + + + +

    PublicKeyRequest

    @@ -3391,6 +3560,37 @@

    PublicKeyResponse

    +

    RequestBody

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    client_public_keystring

    requestsRewrapRequestBodyrepeated

    + + + + +

    RewrapRequest

    @@ -3415,6 +3615,44 @@

    RewrapRequest

    +

    RewrapRequestBody

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    key_access_object_requestsKeyAccessObjectRequestrepeated

    policyPolicyRequest

    algorithmstring

    + + + + +

    RewrapResponse

    diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index 16139a6317..0122d16147 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go 
@@ -157,6 +157,353 @@ func (x *LegacyPublicKeyRequest) GetAlgorithm() string { return "" } +type KeyAccess struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + EncryptedMetadata string `protobuf:"bytes,1,opt,name=encrypted_metadata,json=encryptedMetadata,proto3" json:"encrypted_metadata,omitempty"` + PolicyBinding []byte `protobuf:"bytes,2,opt,name=policy_binding,json=policyBinding,proto3" json:"policy_binding,omitempty"` + Protocol string `protobuf:"bytes,3,opt,name=protocol,proto3" json:"protocol,omitempty"` + KeyType string `protobuf:"bytes,4,opt,name=key_type,json=keyType,proto3" json:"key_type,omitempty"` + KasUrl string `protobuf:"bytes,5,opt,name=kas_url,json=kasUrl,proto3" json:"kas_url,omitempty"` + Kid string `protobuf:"bytes,6,opt,name=kid,proto3" json:"kid,omitempty"` + SplitId string `protobuf:"bytes,7,opt,name=split_id,json=splitId,proto3" json:"split_id,omitempty"` + WrappedKey []byte `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"` + Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"` + Algorithm string `protobuf:"bytes,10,opt,name=algorithm,proto3" json:"algorithm,omitempty"` +} + +func (x *KeyAccess) Reset() { + *x = KeyAccess{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *KeyAccess) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyAccess) ProtoMessage() {} + +func (x *KeyAccess) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyAccess.ProtoReflect.Descriptor instead. 
+func (*KeyAccess) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{3} +} + +func (x *KeyAccess) GetEncryptedMetadata() string { + if x != nil { + return x.EncryptedMetadata + } + return "" +} + +func (x *KeyAccess) GetPolicyBinding() []byte { + if x != nil { + return x.PolicyBinding + } + return nil +} + +func (x *KeyAccess) GetProtocol() string { + if x != nil { + return x.Protocol + } + return "" +} + +func (x *KeyAccess) GetKeyType() string { + if x != nil { + return x.KeyType + } + return "" +} + +func (x *KeyAccess) GetKasUrl() string { + if x != nil { + return x.KasUrl + } + return "" +} + +func (x *KeyAccess) GetKid() string { + if x != nil { + return x.Kid + } + return "" +} + +func (x *KeyAccess) GetSplitId() string { + if x != nil { + return x.SplitId + } + return "" +} + +func (x *KeyAccess) GetWrappedKey() []byte { + if x != nil { + return x.WrappedKey + } + return nil +} + +func (x *KeyAccess) GetHeader() []byte { + if x != nil { + return x.Header + } + return nil +} + +func (x *KeyAccess) GetAlgorithm() string { + if x != nil { + return x.Algorithm + } + return "" +} + +type PolicyRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + Body string `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"` +} + +func (x *PolicyRequest) Reset() { + *x = PolicyRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PolicyRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PolicyRequest) ProtoMessage() {} + +func (x *PolicyRequest) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if 
ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PolicyRequest.ProtoReflect.Descriptor instead. +func (*PolicyRequest) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{4} +} + +func (x *PolicyRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *PolicyRequest) GetBody() string { + if x != nil { + return x.Body + } + return "" +} + +type KeyAccessObjectRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + KeyAccessObjectId string `protobuf:"bytes,1,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"` + KeyAccessObject *KeyAccess `protobuf:"bytes,2,opt,name=key_access_object,json=keyAccessObject,proto3" json:"key_access_object,omitempty"` +} + +func (x *KeyAccessObjectRequest) Reset() { + *x = KeyAccessObjectRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *KeyAccessObjectRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*KeyAccessObjectRequest) ProtoMessage() {} + +func (x *KeyAccessObjectRequest) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use KeyAccessObjectRequest.ProtoReflect.Descriptor instead. 
+func (*KeyAccessObjectRequest) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{5} +} + +func (x *KeyAccessObjectRequest) GetKeyAccessObjectId() string { + if x != nil { + return x.KeyAccessObjectId + } + return "" +} + +func (x *KeyAccessObjectRequest) GetKeyAccessObject() *KeyAccess { + if x != nil { + return x.KeyAccessObject + } + return nil +} + +type RewrapRequestBody struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + KeyAccessObjectRequests []*KeyAccessObjectRequest `protobuf:"bytes,1,rep,name=key_access_object_requests,json=keyAccessObjectRequests,proto3" json:"key_access_object_requests,omitempty"` + Policy *PolicyRequest `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` + Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` +} + +func (x *RewrapRequestBody) Reset() { + *x = RewrapRequestBody{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RewrapRequestBody) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RewrapRequestBody) ProtoMessage() {} + +func (x *RewrapRequestBody) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RewrapRequestBody.ProtoReflect.Descriptor instead. 
+func (*RewrapRequestBody) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{6} +} + +func (x *RewrapRequestBody) GetKeyAccessObjectRequests() []*KeyAccessObjectRequest { + if x != nil { + return x.KeyAccessObjectRequests + } + return nil +} + +func (x *RewrapRequestBody) GetPolicy() *PolicyRequest { + if x != nil { + return x.Policy + } + return nil +} + +func (x *RewrapRequestBody) GetAlgorithm() string { + if x != nil { + return x.Algorithm + } + return "" +} + +type RequestBody struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + ClientPublicKey string `protobuf:"bytes,1,opt,name=client_public_key,json=clientPublicKey,proto3" json:"client_public_key,omitempty"` + Requests []*RewrapRequestBody `protobuf:"bytes,2,rep,name=requests,proto3" json:"requests,omitempty"` +} + +func (x *RequestBody) Reset() { + *x = RequestBody{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RequestBody) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RequestBody) ProtoMessage() {} + +func (x *RequestBody) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RequestBody.ProtoReflect.Descriptor instead. 
+func (*RequestBody) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{7} +} + +func (x *RequestBody) GetClientPublicKey() string { + if x != nil { + return x.ClientPublicKey + } + return "" +} + +func (x *RequestBody) GetRequests() []*RewrapRequestBody { + if x != nil { + return x.Requests + } + return nil +} + type PublicKeyRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -170,7 +517,7 @@ type PublicKeyRequest struct { func (x *PublicKeyRequest) Reset() { *x = PublicKeyRequest{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[3] + mi := &file_kas_kas_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -183,7 +530,7 @@ func (x *PublicKeyRequest) String() string { func (*PublicKeyRequest) ProtoMessage() {} func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[3] + mi := &file_kas_kas_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -196,7 +543,7 @@ func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyRequest.ProtoReflect.Descriptor instead. func (*PublicKeyRequest) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{3} + return file_kas_kas_proto_rawDescGZIP(), []int{8} } func (x *PublicKeyRequest) GetAlgorithm() string { @@ -232,7 +579,7 @@ type PublicKeyResponse struct { func (x *PublicKeyResponse) Reset() { *x = PublicKeyResponse{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[4] + mi := &file_kas_kas_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -245,7 +592,7 @@ func (x *PublicKeyResponse) String() string { func (*PublicKeyResponse) ProtoMessage() {} func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[4] + mi := &file_kas_kas_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -258,7 +605,7 @@ func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyResponse.ProtoReflect.Descriptor instead. func (*PublicKeyResponse) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{4} + return file_kas_kas_proto_rawDescGZIP(), []int{9} } func (x *PublicKeyResponse) GetPublicKey() string { @@ -286,7 +633,7 @@ type RewrapRequest struct { func (x *RewrapRequest) Reset() { *x = RewrapRequest{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[5] + mi := &file_kas_kas_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -299,7 +646,7 @@ func (x *RewrapRequest) String() string { func (*RewrapRequest) ProtoMessage() {} func (x *RewrapRequest) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[5] + mi := &file_kas_kas_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -312,7 +659,7 @@ func (x *RewrapRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use RewrapRequest.ProtoReflect.Descriptor instead. func (*RewrapRequest) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{5} + return file_kas_kas_proto_rawDescGZIP(), []int{10} } func (x *RewrapRequest) GetSignedRequestToken() string { 
@@ -340,7 +687,7 @@ type KAORewrapResult struct { func (x *KAORewrapResult) Reset() { *x = KAORewrapResult{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[6] + mi := &file_kas_kas_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -353,7 +700,7 @@ func (x *KAORewrapResult) String() string { func (*KAORewrapResult) ProtoMessage() {} func (x *KAORewrapResult) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[6] + mi := &file_kas_kas_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -366,7 +713,7 @@ func (x *KAORewrapResult) ProtoReflect() protoreflect.Message { // Deprecated: Use KAORewrapResult.ProtoReflect.Descriptor instead. func (*KAORewrapResult) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{6} + return file_kas_kas_proto_rawDescGZIP(), []int{11} } func (x *KAORewrapResult) GetMetadata() map[string]*structpb.Value { @@ -439,7 +786,7 @@ type RewrapResult struct { func (x *RewrapResult) Reset() { *x = RewrapResult{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[7] + mi := &file_kas_kas_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -452,7 +799,7 @@ func (x *RewrapResult) String() string { func (*RewrapResult) ProtoMessage() {} func (x *RewrapResult) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[7] + mi := &file_kas_kas_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -465,7 +812,7 @@ func (x *RewrapResult) ProtoReflect() protoreflect.Message { // Deprecated: Use RewrapResult.ProtoReflect.Descriptor instead. func (*RewrapResult) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{7} + return file_kas_kas_proto_rawDescGZIP(), []int{12} } func (x *RewrapResult) GetPolicyId() string { @@ -501,7 +848,7 @@ type RewrapResponse struct { func (x *RewrapResponse) Reset() { *x = RewrapResponse{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[8] + mi := &file_kas_kas_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -514,7 +861,7 @@ func (x *RewrapResponse) String() string { func (*RewrapResponse) ProtoMessage() {} func (x *RewrapResponse) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[8] + mi := &file_kas_kas_proto_msgTypes[13] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -527,7 +874,7 @@ func (x *RewrapResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use RewrapResponse.ProtoReflect.Descriptor instead. func (*RewrapResponse) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{8} + return file_kas_kas_proto_rawDescGZIP(), []int{13} } func (x *RewrapResponse) GetMetadata() map[string]*structpb.Value { 
@@ -585,110 +932,160 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, - 0x6d, 0x22, 0xb1, 0x01, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x51, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, - 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x33, 0x92, 0x41, 0x30, 0x32, 0x2e, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x20, 0x74, 0x79, 0x70, 0x65, 0x20, 0x72, - 0x73, 0x61, 0x3a, 0x3c, 0x6b, 0x65, 0x79, 0x73, 0x69, 0x7a, 0x65, 0x3e, 0x20, 0x6f, 0x72, 0x20, - 0x65, 0x63, 0x3a, 0x3c, 0x63, 0x75, 0x72, 0x76, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x3e, 0x52, 0x09, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x26, 0x0a, 0x03, 0x66, 0x6d, 0x74, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, 0x0f, 0x72, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x52, 0x03, 0x66, 0x6d, - 0x74, 0x12, 0x22, 0x0a, 0x01, 0x76, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, - 0x11, 0x32, 0x0f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, - 0x6f, 0x6e, 0x52, 0x01, 0x76, 0x22, 0x44, 0x0a, 0x11, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x22, 0x4f, 0x0a, 0x0d, 0x52, - 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 
0x12, 0x30, 0x0a, 0x14, - 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, - 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, - 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, - 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xbb, 0x02, 0x0a, - 0x0f, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, - 0x12, 0x3e, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, - 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, - 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, - 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x61, 0x73, - 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, - 0x28, 0x0c, 0x48, 0x00, 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, - 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, - 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, + 0x6d, 0x22, 0xb5, 0x02, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, + 0x2d, 0x0a, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x74, + 0x61, 0x64, 
0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x65, 0x6e, 0x63, + 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x25, + 0x0a, 0x0e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x62, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x69, + 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, + 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, + 0x6c, 0x12, 0x19, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x54, 0x79, 0x70, 0x65, 0x12, 0x17, 0x0a, 0x07, + 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, + 0x61, 0x73, 0x55, 0x72, 0x6c, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x70, 0x6c, 0x69, 0x74, + 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x70, 0x6c, 0x69, 0x74, + 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, + 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, + 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, + 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x22, 0x33, 0x0a, 0x0d, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, + 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 
0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x22, 0x85, + 0x01, 0x0a, 0x16, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, + 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, 0x3a, 0x0a, 0x11, 0x6b, 0x65, + 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x0f, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x22, 0xb7, 0x01, 0x0a, 0x11, 0x52, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x58, 0x0a, 0x1a, + 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x17, 0x6b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x2a, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 
0x68, 0x6d, + 0x22, 0x6d, 0x0a, 0x0b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x6f, 0x64, 0x79, 0x12, + 0x2a, 0x0a, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x63, 0x6c, 0x69, 0x65, + 0x6e, 0x74, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x32, 0x0a, 0x08, 0x72, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, + 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x42, 0x6f, 0x64, 0x79, 0x52, 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x22, + 0xb1, 0x01, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x51, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, + 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x33, 0x92, 0x41, 0x30, 0x32, 0x2e, 0x61, 0x6c, + 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x20, 0x74, 0x79, 0x70, 0x65, 0x20, 0x72, 0x73, 0x61, + 0x3a, 0x3c, 0x6b, 0x65, 0x79, 0x73, 0x69, 0x7a, 0x65, 0x3e, 0x20, 0x6f, 0x72, 0x20, 0x65, 0x63, + 0x3a, 0x3c, 0x63, 0x75, 0x72, 0x76, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x3e, 0x52, 0x09, 0x61, 0x6c, + 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x26, 0x0a, 0x03, 0x66, 0x6d, 0x74, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, 0x0f, 0x72, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x52, 0x03, 0x66, 0x6d, 0x74, 0x12, + 0x22, 0x0a, 0x01, 0x76, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, + 0x0f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x52, 0x01, 0x76, 0x22, 0x44, 0x0a, 0x11, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x5f, 0x6b, 
0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x22, 0x4f, 0x0a, 0x0d, 0x52, 0x65, 0x77, + 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x30, 0x0a, 0x14, 0x73, 0x69, + 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, 0x08, 0x02, + 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xbb, 0x02, 0x0a, 0x0f, 0x4b, + 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x3e, + 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x22, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, + 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2f, + 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, + 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, + 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x61, 0x73, 0x5f, 0x77, + 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, + 0x48, 0x00, 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, + 0x79, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 
0x18, 0x05, 0x20, 0x01, 0x28, 0x09, + 0x48, 0x00, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x08, + 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x5b, 0x0a, 0x0c, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, + 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, + 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, + 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 0xd8, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3d, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, + 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, + 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, + 
0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x63, 0x68, + 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2f, 0x0a, 0x09, 0x72, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, + 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, - 0x42, 0x08, 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x5b, 0x0a, 0x0c, 0x52, 0x65, - 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, - 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, - 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, - 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 
0xd8, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3d, 0x0a, 0x08, 0x6d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, - 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, - 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, - 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, - 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, - 0x63, 0x68, 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2f, 0x0a, 0x09, - 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x11, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, - 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, - 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, - 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, - 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 
0x62, 0x75, - 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, - 0x38, 0x01, 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, - 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, - 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, - 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, - 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, - 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, - 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, - 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, - 0x09, 0x4a, 0x07, 0x0a, 
0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, - 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, - 0x72, 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, - 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, - 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, - 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, - 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, - 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, - 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, - 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, - 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, - 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, - 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 
0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, + 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, + 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, + 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, + 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, + 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, + 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, + 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, + 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, + 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, + 
0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, + 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, + 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, + 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, + 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, + 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, + 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, + 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, + 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -703,40 +1100,49 @@ func file_kas_kas_proto_rawDescGZIP() []byte { return file_kas_kas_proto_rawDescData } -var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 11) +var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 16) var file_kas_kas_proto_goTypes = []interface{}{ (*InfoRequest)(nil), // 0: kas.InfoRequest (*InfoResponse)(nil), // 1: kas.InfoResponse (*LegacyPublicKeyRequest)(nil), // 2: kas.LegacyPublicKeyRequest - (*PublicKeyRequest)(nil), // 3: kas.PublicKeyRequest - (*PublicKeyResponse)(nil), // 4: kas.PublicKeyResponse - (*RewrapRequest)(nil), // 5: kas.RewrapRequest - (*KAORewrapResult)(nil), // 6: kas.KAORewrapResult - (*RewrapResult)(nil), // 7: kas.RewrapResult - (*RewrapResponse)(nil), // 8: kas.RewrapResponse - nil, // 9: kas.KAORewrapResult.MetadataEntry - nil, // 10: kas.RewrapResponse.MetadataEntry - (*structpb.Value)(nil), // 11: google.protobuf.Value - (*wrapperspb.StringValue)(nil), // 12: google.protobuf.StringValue + (*KeyAccess)(nil), // 3: kas.KeyAccess + (*PolicyRequest)(nil), // 4: kas.PolicyRequest + (*KeyAccessObjectRequest)(nil), // 5: kas.KeyAccessObjectRequest + (*RewrapRequestBody)(nil), // 6: kas.RewrapRequestBody + (*RequestBody)(nil), // 7: kas.RequestBody + (*PublicKeyRequest)(nil), // 8: kas.PublicKeyRequest + (*PublicKeyResponse)(nil), // 9: kas.PublicKeyResponse + (*RewrapRequest)(nil), // 10: kas.RewrapRequest + (*KAORewrapResult)(nil), // 11: kas.KAORewrapResult + (*RewrapResult)(nil), // 12: kas.RewrapResult + (*RewrapResponse)(nil), // 13: kas.RewrapResponse + nil, // 14: kas.KAORewrapResult.MetadataEntry + nil, // 15: kas.RewrapResponse.MetadataEntry + (*structpb.Value)(nil), // 16: google.protobuf.Value + (*wrapperspb.StringValue)(nil), // 17: google.protobuf.StringValue } var file_kas_kas_proto_depIdxs = []int32{ - 9, // 0: kas.KAORewrapResult.metadata:type_name -> kas.KAORewrapResult.MetadataEntry - 6, // 1: kas.RewrapResult.results:type_name -> kas.KAORewrapResult - 10, // 2: 
kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry - 7, // 3: kas.RewrapResponse.responses:type_name -> kas.RewrapResult - 11, // 4: kas.KAORewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value - 11, // 5: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value - 3, // 6: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest - 2, // 7: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest - 5, // 8: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest - 4, // 9: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse - 12, // 10: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue - 8, // 11: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse - 9, // [9:12] is the sub-list for method output_type - 6, // [6:9] is the sub-list for method input_type - 6, // [6:6] is the sub-list for extension type_name - 6, // [6:6] is the sub-list for extension extendee - 0, // [0:6] is the sub-list for field type_name + 3, // 0: kas.KeyAccessObjectRequest.key_access_object:type_name -> kas.KeyAccess + 5, // 1: kas.RewrapRequestBody.key_access_object_requests:type_name -> kas.KeyAccessObjectRequest + 4, // 2: kas.RewrapRequestBody.policy:type_name -> kas.PolicyRequest + 6, // 3: kas.RequestBody.requests:type_name -> kas.RewrapRequestBody + 14, // 4: kas.KAORewrapResult.metadata:type_name -> kas.KAORewrapResult.MetadataEntry + 11, // 5: kas.RewrapResult.results:type_name -> kas.KAORewrapResult + 15, // 6: kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry + 12, // 7: kas.RewrapResponse.responses:type_name -> kas.RewrapResult + 16, // 8: kas.KAORewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value + 16, // 9: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value + 8, // 10: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest + 2, // 11: kas.AccessService.LegacyPublicKey:input_type -> 
kas.LegacyPublicKeyRequest + 10, // 12: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest + 9, // 13: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse + 17, // 14: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue + 13, // 15: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse + 13, // [13:16] is the sub-list for method output_type + 10, // [10:13] is the sub-list for method input_type + 10, // [10:10] is the sub-list for extension type_name + 10, // [10:10] is the sub-list for extension extendee + 0, // [0:10] is the sub-list for field type_name } func init() { file_kas_kas_proto_init() } @@ -782,7 +1188,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyRequest); i { + switch v := v.(*KeyAccess); i { case 0: return &v.state case 1: @@ -794,7 +1200,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyResponse); i { + switch v := v.(*PolicyRequest); i { case 0: return &v.state case 1: @@ -806,7 +1212,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapRequest); i { + switch v := v.(*KeyAccessObjectRequest); i { case 0: return &v.state case 1: @@ -818,7 +1224,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KAORewrapResult); i { + switch v := v.(*RewrapRequestBody); i { case 0: return &v.state case 1: @@ -830,7 +1236,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapResult); i { + switch v := v.(*RequestBody); i { case 0: return &v.state case 1: 
@@ -842,6 +1248,66 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*PublicKeyRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*PublicKeyResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RewrapRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*KAORewrapResult); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RewrapResult); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RewrapResponse); i { case 0: return &v.state @@ -854,7 +1320,7 @@ func file_kas_kas_proto_init() { } } } - file_kas_kas_proto_msgTypes[6].OneofWrappers = []interface{}{ + file_kas_kas_proto_msgTypes[11].OneofWrappers = []interface{}{ (*KAORewrapResult_KasWrappedKey)(nil), (*KAORewrapResult_Error)(nil), } @@ -864,7 +1330,7 @@ func file_kas_kas_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_kas_kas_proto_rawDesc, NumEnums: 0, - NumMessages: 11, + NumMessages: 16, NumExtensions: 0, NumServices: 1, }, 
diff --git a/sdk/bulk.go b/sdk/bulk.go index d0fdfc479e..05d6d8e54e 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -6,7 +6,7 @@ import ( "fmt" "io" - "github.com/opentdf/platform/service/kas/request" + "github.com/opentdf/platform/protocol/go/kas" ) type BulkTDF struct { @@ -63,7 +63,7 @@ func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { // BulkDecrypt func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error { - kasRewrapRequests := make(map[string][]*request.RewrapRequests) + kasRewrapRequests := make(map[string][]*kas.RewrapRequestBody) tdfDecryptors := make(map[string]Decryptor) policyTDF := make(map[string]*BulkTDF) @@ -83,7 +83,7 @@ func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error tdfDecryptors[policyID] = decryptor policyTDF[policyID] = tdf for kasURL, r := range req { - r.Policy.ID = policyID + r.Policy.Id = policyID kasRewrapRequests[kasURL] = append(kasRewrapRequests[kasURL], r) } } diff --git a/sdk/kas_client.go b/sdk/kas_client.go index d2b11fbdab..9132767a03 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go @@ -2,19 +2,19 @@ package sdk import ( "context" - "encoding/json" "errors" "fmt" "net" "net/url" "time" + "google.golang.org/protobuf/encoding/protojson" + "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/sdk/auth" - "github.com/opentdf/platform/service/kas/request" "google.golang.org/grpc" ) @@ -35,7 +35,7 @@ type KAOResult struct { } type Decryptor interface { - CreateRewrapRequest(ctx context.Context) (map[string]*request.RewrapRequests, error) + CreateRewrapRequest(ctx context.Context) (map[string]*kas.RewrapRequestBody, error) Decrypt(ctx context.Context, results []KAOResult) (uint32, error) } 
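Review bot: `r.Policy.Id = policyID` in the second bulk.go hunk dereferences `r.Policy`, which after this change is a pointer (`*kas.PolicyRequest`) rather than the value field it replaced, so a Decryptor implementation that leaves Policy unset makes BulkDecrypt panic instead of returning an error. Both in-tree decryptors in this patch set Policy, but the Decryptor interface does not require it. Guard before the assignment: `if r.Policy == nil { r.Policy = &kas.PolicyRequest{} }`. BulkDecrypt's body continues outside the hunk.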
@@ -48,12 +48,12 @@ func newKASClient(dialOptions []grpc.DialOption, accessTokenSource auth.AccessTo } // there is no connection caching as of now -func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*request.RewrapRequests, pubKey string) (*kas.RewrapResponse, error) { +func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*kas.RewrapRequestBody, pubKey string) (*kas.RewrapResponse, error) { rewrapRequest, err := k.getRewrapRequest(requests, pubKey) if err != nil { return nil, err } - grpcAddress, err := getGRPCAddress(requests[0].KeyAccessObjectRequests[0].KasURL) + grpcAddress, err := getGRPCAddress(requests[0].GetKeyAccessObjectRequests()[0].GetKeyAccessObject().GetKasUrl()) if err != nil { return nil, err } @@ -73,7 +73,7 @@ func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*request.R return response, nil } -func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*request.RewrapRequests) (map[string][]KAOResult, error) { +func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.RewrapRequestBody) (map[string][]KAOResult, error) { keypair, err := ocrypto.NewECKeyPair(ocrypto.ECCModeSecp256r1) if err != nil { return nil, fmt.Errorf("ocrypto.NewECKeyPair failed :%w", err) @@ -112,7 +112,7 @@ func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*request.RewrapR for _, results := range response.GetResponses() { var kaoKeys []KAOResult for _, kao := range results.GetResults() { - if kao.GetStatus() == request.PermitStatus { + if kao.GetStatus() == "permit" { wrappedKey := kao.GetKasWrappedKey() key, err := aesGcm.Decrypt(wrappedKey) if err != nil { 
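Review bot: `kao.GetStatus() == "permit"` in the nanoUnwrap hunk replaces the shared `request.PermitStatus` constant with a string literal, and the same literal is repeated in the unwrap hunk that follows; the server side emits `kPermitStatus`, so the wire value is now maintained in two packages with no common definition, and any drift would silently turn every response into "no key" rather than an error. Declare it once in the sdk package, e.g. `const kasPermitStatus = "permit"` (constructed name), and compare against that in both places. nanoUnwrap's body continues outside the hunk.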
@@ -130,7 +130,7 @@ func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*request.RewrapR return policyResults, nil } -func (k *KASClient) unwrap(ctx context.Context, requests ...*request.RewrapRequests) (map[string][]KAOResult, error) { +func (k *KASClient) unwrap(ctx context.Context, requests ...*kas.RewrapRequestBody) (map[string][]KAOResult, error) { if k.sessionKey == nil { return nil, fmt.Errorf("session key is nil") } @@ -157,7 +157,7 @@ func (k *KASClient) unwrap(ctx context.Context, requests ...*request.RewrapReque for _, results := range response.GetResponses() { var kaoKeys []KAOResult for _, kao := range results.GetResults() { - if kao.GetStatus() == request.PermitStatus { + if kao.GetStatus() == "permit" { wrappedKey := kao.GetKasWrappedKey() key, err := asymDecryption.Decrypt(wrappedKey) if err != nil { @@ -195,13 +195,13 @@ func getGRPCAddress(kasURL string) (string, error) { return net.JoinHostPort(parsedURL.Hostname(), port), nil } -func (k *KASClient) getRewrapRequest(reqs []*request.RewrapRequests, pubKey string) (*kas.RewrapRequest, error) { - requestBody := request.Body{ +func (k *KASClient) getRewrapRequest(reqs []*kas.RewrapRequestBody, pubKey string) (*kas.RewrapRequest, error) { + requestBody := &kas.RequestBody{ ClientPublicKey: pubKey, Requests: reqs, } - requestBodyJSON, err := json.Marshal(requestBody) + requestBodyJSON, err := protojson.Marshal(requestBody) if err != nil { return nil, fmt.Errorf("Error marshaling request body: %w", err) } diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index 0590b504c2..39287e6a14 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -6,7 +6,8 @@ import ( "net/http" "testing" - "github.com/opentdf/platform/service/kas/request" + kaspb "github.com/opentdf/platform/protocol/go/kas" + "google.golang.org/protobuf/encoding/protojson" "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" 
@@ -59,20 +60,22 @@ func TestCreatingRequest(t *testing.T) { require.NoError(t, err, "error creating RSA Key") client := newKASClient(dialOption, tokenSource, &kasKey) + policyBindingBytes, err := json.Marshal(PolicyBinding{ + Alg: "HS256", + Hash: "somehash", + }) + require.NoError(t, err) - keyAccess := []*request.RewrapRequests{ + keyAccess := []*kaspb.RewrapRequestBody{ { - KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ + KeyAccessObjectRequests: []*kaspb.KeyAccessObjectRequest{ { - KeyAccess: request.KeyAccess{ - KeyType: "type1", - KasURL: "https://kas.example.org", - Protocol: "protocol one", - WrappedKey: []byte("wrapped"), - PolicyBinding: PolicyBinding{ - Alg: "HS256", - Hash: "somehash", - }, + KeyAccessObject: &kaspb.KeyAccess{ + KeyType: "type1", + KasUrl: "https://kas.example.org", + Protocol: "protocol one", + WrappedKey: []byte("wrapped"), + PolicyBinding: policyBindingBytes, EncryptedMetadata: "encrypted", }, }, 
@@ -98,25 +101,26 @@ func TestCreatingRequest(t *testing.T) { rb, ok := tok.Get("requestBody") require.True(t, ok, "didn't contain a request body") requestBodyJSON, _ := rb.(string) - var requestBody request.Body + var requestBody kaspb.RequestBody - require.NoError(t, json.Unmarshal([]byte(requestBodyJSON), &requestBody), "error unmarshaling request body") + require.NoError(t, protojson.Unmarshal([]byte(requestBodyJSON), &requestBody), "error unmarshaling request body") - _, err = ocrypto.NewAsymEncryption(requestBody.ClientPublicKey) + _, err = ocrypto.NewAsymEncryption(requestBody.GetClientPublicKey()) require.NoError(t, err, "NewAsymEncryption failed, incorrect public key include") - require.Len(t, requestBody.Requests, 1) - require.Len(t, requestBody.Requests[0].KeyAccessObjectRequests, 1) - kao := requestBody.Requests[0].KeyAccessObjectRequests[0] - policyBinding, ok := kao.PolicyBinding.(map[string]interface{}) - require.True(t, ok, "invalid policy binding") + require.Len(t, requestBody.GetRequests(), 1) + require.Len(t, requestBody.GetRequests()[0].GetKeyAccessObjectRequests(), 1) + kao := requestBody.GetRequests()[0].GetKeyAccessObjectRequests()[0] + var policyBinding map[string]interface{} + err = json.Unmarshal(kao.GetKeyAccessObject().GetPolicyBinding(), &policyBinding) + require.NoError(t, err) - assert.Equal(t, "https://kas.example.org", kao.KasURL, "incorrect kasURL") - assert.Equal(t, "protocol one", kao.Protocol, "incorrect protocol") - assert.Equal(t, []byte("wrapped"), kao.WrappedKey, "incorrect wrapped key") + assert.Equal(t, "https://kas.example.org", kao.GetKeyAccessObject().GetKasUrl(), "incorrect kasURL") + assert.Equal(t, "protocol one", kao.GetKeyAccessObject().GetProtocol(), "incorrect protocol") + assert.Equal(t, []byte("wrapped"), kao.GetKeyAccessObject().GetWrappedKey(), "incorrect wrapped key") assert.Equal(t, "HS256", policyBinding["alg"], "incorrect policy binding") assert.Equal(t, "somehash", policyBinding["hash"], "incorrect 
policy binding") - assert.Equal(t, "encrypted", kao.EncryptedMetadata, "incorrect encrypted metadata") + assert.Equal(t, "encrypted", kao.GetKeyAccessObject().GetEncryptedMetadata(), "incorrect encrypted metadata") } func Test_StoreKASKeys(t *testing.T) { diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go index aff0ad0221..6ffc6c577c 100644 --- a/sdk/nanotdf.go +++ b/sdk/nanotdf.go @@ -14,7 +14,7 @@ import ( "sync" "time" - "github.com/opentdf/platform/service/kas/request" + "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/lib/ocrypto" ) @@ -920,7 +920,7 @@ func (n *NanoTDFDecryptHandler) getRawHeader() []byte { return n.headerBuf } -func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[string]*request.RewrapRequests, error) { +func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[string]*kas.RewrapRequestBody, error) { var err error var headerSize uint32 n.header, headerSize, err = NewNanoTDFHeaderFromReader(n.reader) @@ -942,19 +942,19 @@ func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[stri return nil, err } - req := &request.RewrapRequests{ - KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ + req := &kas.RewrapRequestBody{ + KeyAccessObjectRequests: []*kas.KeyAccessObjectRequest{ { - KeyAccessObjectID: "kao-0", - KeyAccess: request.KeyAccess{KasURL: kasURL, Header: headerBuf, Algorithm: "ec:secp256r1"}, + KeyAccessObjectId: "kao-0", + KeyAccessObject: &kas.KeyAccess{KasUrl: kasURL, Header: headerBuf, Algorithm: "ec:secp256r1"}, }, }, - Policy: request.PolicyRequest{ - ID: "policy", + Policy: &kas.PolicyRequest{ + Id: "policy", }, Algorithm: "ec:secp256r1", } - return map[string]*request.RewrapRequests{kasURL: req}, nil + return map[string]*kas.RewrapRequestBody{kasURL: req}, nil } func (n *NanoTDFDecryptHandler) Decrypt(_ context.Context, result []KAOResult) (uint32, error) { diff --git a/sdk/tdf.go b/sdk/tdf.go index bb92415acb..8b59a55d81 100644 
--- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -12,7 +12,7 @@ import ( "strconv" "strings" - "github.com/opentdf/platform/service/kas/request" + "github.com/opentdf/platform/protocol/go/kas" "github.com/google/uuid" "github.com/opentdf/platform/lib/ocrypto" @@ -94,7 +94,7 @@ func (r *tdf3DecryptHandler) Decrypt(ctx context.Context, results []KAOResult) ( return uint32(n), err } -func (r *tdf3DecryptHandler) CreateRewrapRequest(ctx context.Context) (map[string]*request.RewrapRequests, error) { +func (r *tdf3DecryptHandler) CreateRewrapRequest(ctx context.Context) (map[string]*kas.RewrapRequestBody, error) { return createRewrapRequest(ctx, r.reader) } 
@@ -821,36 +821,39 @@ func (r *Reader) UnsafePayloadKeyRetrieval() ([]byte, error) { return r.payloadKey, nil } -func createRewrapRequest(_ context.Context, r *Reader) (map[string]*request.RewrapRequests, error) { - kasReqs := make(map[string]*request.RewrapRequests) +func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.RewrapRequestBody, error) { + kasReqs := make(map[string]*kas.RewrapRequestBody) for i, kao := range r.manifest.EncryptionInformation.KeyAccessObjs { kaoID := fmt.Sprintf("kao-%d", i) key, err := ocrypto.Base64Decode([]byte(kao.WrappedKey)) if err != nil { return nil, fmt.Errorf("could not decode wrapper key: %w", err) } - - kaoReq := &request.KeyAccessObjectRequest{ - KeyAccessObjectID: kaoID, - KeyAccess: request.KeyAccess{ + binding, err := json.Marshal(kao.PolicyBinding) + if err != nil { + return nil, err + } + kaoReq := &kas.KeyAccessObjectRequest{ + KeyAccessObjectId: kaoID, + KeyAccessObject: &kas.KeyAccess{ KeyType: kao.KeyType, - KasURL: kao.KasURL, - KID: kao.KID, + KasUrl: kao.KasURL, + Kid: kao.KID, Protocol: kao.Protocol, - PolicyBinding: kao.PolicyBinding, - SplitID: kao.SplitID, + PolicyBinding: binding, + SplitId: kao.SplitID, WrappedKey: key, }, } if req, ok := kasReqs[kao.KasURL]; ok { req.KeyAccessObjectRequests = append(req.KeyAccessObjectRequests, kaoReq) } else { - rewrapReq := request.RewrapRequests{ - Policy: request.PolicyRequest{ + rewrapReq := kas.RewrapRequestBody{ + Policy: &kas.PolicyRequest{ Body: r.manifest.EncryptionInformation.Policy, - ID: "policy", + Id: "policy", }, - KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{kaoReq}, + KeyAccessObjectRequests: []*kas.KeyAccessObjectRequest{kaoReq}, } kasReqs[kao.KasURL] = &rewrapReq } diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go index 9a5c66ce58..08d726e19f 100644 --- a/sdk/tdf_test.go +++ b/sdk/tdf_test.go @@ -6,7 +6,6 @@ import ( "crypto/rand" "crypto/rsa" "crypto/sha256" - "encoding/json" "fmt" "io" "log/slog" 
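Review bot: `return nil, err` after `json.Marshal(kao.PolicyBinding)` returns the bare error while the sibling failure one statement earlier is wrapped with context (`could not decode wrapper key: %w`), so a caller can no longer tell which KAO or step failed. Use `return nil, fmt.Errorf("could not encode policy binding for %s: %w", kaoID, err)`. The hunk also appears to rely on `encoding/json` already being imported in tdf.go, which is not visible here.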
@@ -18,7 +17,7 @@ import ( "testing" "time" - "github.com/opentdf/platform/service/kas/request" + "google.golang.org/protobuf/encoding/protojson" "github.com/lestrrat-go/jwx/v2/jwt" "github.com/opentdf/platform/lib/ocrypto" @@ -1439,22 +1438,23 @@ func (f *FakeKas) PublicKey(_ context.Context, _ *kaspb.PublicKeyRequest) (*kasp } func (f *FakeKas) getRewrapResponse(rewrapRequest string) *kaspb.RewrapResponse { - bodyData := request.Body{} - err := json.Unmarshal([]byte(rewrapRequest), &bodyData) + bodyData := kaspb.RequestBody{} + err := protojson.Unmarshal([]byte(rewrapRequest), &bodyData) f.s.Require().NoError(err, "json.Unmarshal failed") resp := &kaspb.RewrapResponse{} - for _, req := range bodyData.Requests { - results := &kaspb.RewrapResult{PolicyId: req.Policy.ID} + for _, req := range bodyData.GetRequests() { + results := &kaspb.RewrapResult{PolicyId: req.GetPolicy().GetId()} resp.Responses = append(resp.Responses, results) - for _, kaoReq := range req.KeyAccessObjectRequests { - wrappedKey := kaoReq.WrappedKey + for _, kaoReq := range req.GetKeyAccessObjectRequests() { + kao := kaoReq.GetKeyAccessObject() + wrappedKey := kaoReq.GetKeyAccessObject().GetWrappedKey() kasPrivateKey := strings.ReplaceAll(f.privateKey, "\n\t", "\n") - if kaoReq.KID != "" && kaoReq.KID != f.KID { + if kao.GetKid() != "" && kao.GetKid() != f.KID { // old kid - lk, ok := f.legakeys[kaoReq.KID] - f.s.Require().True(ok, "unable to find key [%s]", kaoReq.KID) + lk, ok := f.legakeys[kaoReq.GetKeyAccessObject().GetKid()] + f.s.Require().True(ok, "unable to find key [%s]", kao.GetKid()) kasPrivateKey = strings.ReplaceAll(lk.private, "\n\t", "\n") } 
@@ -1462,14 +1462,14 @@ func (f *FakeKas) getRewrapResponse(rewrapRequest string) *kaspb.RewrapResponse f.s.Require().NoError(err, "ocrypto.NewAsymDecryption failed") symmetricKey, err := asymDecrypt.Decrypt(wrappedKey) f.s.Require().NoError(err, "ocrypto.Decrypt failed") - asymEncrypt, err := ocrypto.NewAsymEncryption(bodyData.ClientPublicKey) + asymEncrypt, err := ocrypto.NewAsymEncryption(bodyData.GetClientPublicKey()) f.s.Require().NoError(err, "ocrypto.NewAsymEncryption failed") entityWrappedKey, err := asymEncrypt.Encrypt(symmetricKey) f.s.Require().NoError(err, "ocrypto.encrypt failed") kaoResult := &kaspb.KAORewrapResult{ Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: entityWrappedKey}, Status: "permit", - KeyAccessObjectId: kaoReq.KeyAccessObjectID, + KeyAccessObjectId: kaoReq.GetKeyAccessObjectId(), } results.Results = append(results.Results, kaoResult) } diff --git a/service/kas/access/accessPdp.go b/service/kas/access/accessPdp.go index 07e90a0476..8bdfb87e7b 100644 --- a/service/kas/access/accessPdp.go +++ b/service/kas/access/accessPdp.go @@ -5,8 +5,6 @@ import ( "errors" "fmt" - "github.com/opentdf/platform/service/kas/request" - "github.com/opentdf/platform/protocol/go/authorization" "github.com/opentdf/platform/protocol/go/policy" ) @@ -20,13 +18,13 @@ const ( type PDPAccessResult struct { Access bool Error error - Policy *request.Policy + Policy *Policy } -func (p *Provider) canAccess(ctx context.Context, token *authorization.Token, policies []*request.Policy) ([]PDPAccessResult, error) { +func (p *Provider) canAccess(ctx context.Context, token *authorization.Token, policies []*Policy) ([]PDPAccessResult, error) { var res []PDPAccessResult var rasList []*authorization.ResourceAttribute - idPolicyMap := make(map[string]*request.Policy) + idPolicyMap := make(map[string]*Policy) for i, policy := range policies { if len(policy.Body.Dissem) > 0 { // TODO: Move dissems check to the getdecisions endpoint 
diff --git a/service/kas/request/attribute.go b/service/kas/access/attribute.go similarity index 88% rename from service/kas/request/attribute.go rename to service/kas/access/attribute.go index 424da91ce1..27c088d903 100644 --- a/service/kas/request/attribute.go +++ b/service/kas/access/attribute.go @@ -1,11 +1,9 @@ -package request +package access import ( "crypto" ) -// const schemaVersion = "1.1.0" - type Attribute struct { URI string `json:"attribute"` // attribute PublicKey crypto.PublicKey `json:"pubKey"` // pubKey diff --git a/service/kas/request/keyaccess.go b/service/kas/access/keyaccess.go similarity index 73% rename from service/kas/request/keyaccess.go rename to service/kas/access/keyaccess.go index 1bf67b9223..69cd7fe210 100644 --- a/service/kas/request/keyaccess.go +++ b/service/kas/access/keyaccess.go @@ -1,13 +1,13 @@ -package request +package access type KeyAccess struct { EncryptedMetadata string `json:"encryptedMetadata,omitempty"` PolicyBinding interface{} `json:"policyBinding,omitempty"` Protocol string `json:"protocol"` - KeyType string `json:"type"` - KasURL string `json:"url"` + Type string `json:"type"` + URL string `json:"url"` KID string `json:"kid,omitempty"` - SplitID string `json:"sid,omitempty"` + SID string `json:"sid,omitempty"` WrappedKey []byte `json:"wrappedKey,omitempty"` Header []byte `json:"header,omitempty"` Algorithm string `json:"algorithm,omitempty"` diff --git a/service/kas/request/policy.go b/service/kas/access/policy.go similarity index 98% rename from service/kas/request/policy.go rename to service/kas/access/policy.go index aab7a443ea..c84e19ef77 100644 --- a/service/kas/request/policy.go +++ b/service/kas/access/policy.go @@ -1,4 +1,4 @@ -package request +package access import ( "github.com/google/uuid" diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index a6dd24c855..ef015d89f4 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go 
@@ -2,6 +2,9 @@ package access import ( "bytes" + + "google.golang.org/protobuf/encoding/protojson" + // "bytes" "context" "crypto" @@ -31,7 +34,6 @@ import ( kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/sdk" "github.com/opentdf/platform/service/internal/security" - "github.com/opentdf/platform/service/kas/request" "github.com/opentdf/platform/service/logger" "github.com/opentdf/platform/service/logger/audit" ctxAuth "github.com/opentdf/platform/service/pkg/auth" @@ -49,20 +51,29 @@ type SignedRequestBody struct { } type RequestBody struct { - AuthToken string `json:"authToken"` - KeyAccess request.KeyAccess `json:"keyAccess"` - Policy string `json:"policy,omitempty"` - Algorithm string `json:"algorithm,omitempty"` - ClientPublicKey string `json:"clientPublicKey"` - PublicKey interface{} `json:"-"` - SchemaVersion string `json:"schemaVersion,omitempty"` + AuthToken string `json:"authToken"` + KeyAccess kaspb.KeyAccess `json:"keyAccess"` + Policy string `json:"policy,omitempty"` + Algorithm string `json:"algorithm,omitempty"` + ClientPublicKey string `json:"clientPublicKey"` + PublicKey interface{} `json:"-"` + SchemaVersion string `json:"schemaVersion,omitempty"` } + type entityInfo struct { EntityID string `json:"sub"` ClientID string `json:"clientId"` Token string `json:"-"` } +type kaoResult struct { + ID string + Key []byte + Error error +} + +type policyKAOResults map[string]map[string]kaoResult + const ( kNanoTDFGMACLength = 8 ErrUser = Error("request error") 
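Review bot: The new `google.golang.org/protobuf/encoding/protojson` import is placed inside the standard-library group immediately after `"bytes"`, with a stray commented-out `// "bytes"` line left behind; gofmt/goimports convention is stdlib first and third-party second, and the file already has such a group (the `kaspb` import in the following hunk). Move the import into the third-party group and delete `// "bytes"`.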
@@ -126,32 +137,32 @@ func justRequestBody(ctx context.Context, token jwt.Token, logger logger.Logger) return rbString, nil } -func extractAndConvertV1SRTBody(body []byte) (request.Body, error) { +func extractAndConvertV1SRTBody(body []byte) (kaspb.RequestBody, error) { var requestBody RequestBody if err := json.Unmarshal(body, &requestBody); err != nil { - return request.Body{}, err + return kaspb.RequestBody{}, err } - reqs := []*request.RewrapRequests{ + reqs := []*kaspb.RewrapRequestBody{ { - KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{ - {KeyAccessObjectID: "kao-0", KeyAccess: requestBody.KeyAccess}, + KeyAccessObjectRequests: []*kaspb.KeyAccessObjectRequest{ + {KeyAccessObjectId: "kao-0", KeyAccessObject: &requestBody.KeyAccess}, }, Algorithm: requestBody.Algorithm, - Policy: request.PolicyRequest{ - ID: "policy-1", + Policy: &kaspb.PolicyRequest{ + Id: "policy-1", Body: requestBody.Policy, }, }, } - return request.Body{ + return kaspb.RequestBody{ ClientPublicKey: requestBody.ClientPublicKey, Requests: reqs, }, nil } -func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*request.Body, bool, error) { +func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*kaspb.RequestBody, bool, error) { isV1 := false // First load legacy method for verifying SRT if vpk, ok := headers["X-Virtrupubkey"]; ok && len(vpk) == 1 { 
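Review bot: extractAndConvertV1SRTBody now returns `kaspb.RequestBody` by value, and the `RequestBody` struct in the previous hunk holds `kaspb.KeyAccess` by value; protobuf-go generated messages embed a do-not-copy marker, so `go vet`'s copylocks check is expected to flag the `return kaspb.RequestBody{...}` here and the `requestBody, err = extractAndConvertV1SRTBody(...)` assignment in the next hunk. Return `*kaspb.RequestBody` and hold `*kaspb.KeyAccess` instead, which also matches what extractSRTBody already returns. Separately, `json.Unmarshal(body, &requestBody)` now decodes the legacy `policyBinding` JSON into the generated `PolicyBinding` field, which the rest of the patch treats as `[]byte` (`policyBindingBytes`, `GetPolicyBinding()`); encoding/json rejects a JSON object for a `[]byte` field and base64-decodes a JSON string, so v1 requests of either shape may no longer pass binding verification. A test feeding a v1 body with an object binding and one with a string binding through this function would settle it.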
@@ -184,10 +195,10 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } } - var requestBody request.Body - err = json.Unmarshal([]byte(rbString), &requestBody) + var requestBody kaspb.RequestBody + err = protojson.Unmarshal([]byte(rbString), &requestBody) // if there are no requests then it could be a v1 request - if err != nil || len(requestBody.Requests) == 0 { + if err != nil || len(requestBody.GetRequests()) == 0 { logger.WarnContext(ctx, "invalid request body! checking v1 SRT") requestBody, err = extractAndConvertV1SRTBody([]byte(rbString)) if err != nil { @@ -195,10 +206,10 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } isV1 = true } - logger.DebugContext(ctx, "extracted request body", slog.Any("requestBody", requestBody)) + logger.DebugContext(ctx, "extracted request body", slog.Any("requestBody", requestBody.String())) - logger.DebugContext(ctx, "extract public key", "requestBody.ClientPublicKey", requestBody.ClientPublicKey) - block, _ := pem.Decode([]byte(requestBody.ClientPublicKey)) + logger.DebugContext(ctx, "extract public key", "requestBody.ClientPublicKey", requestBody.GetClientPublicKey()) + block, _ := pem.Decode([]byte(requestBody.GetClientPublicKey())) if block == nil { logger.WarnContext(ctx, "missing clientPublicKey") return nil, isV1, err400("clientPublicKey failure") 
@@ -222,13 +233,13 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } } -func verifyPolicyBinding(ctx context.Context, policy []byte, kao *request.KeyAccessObjectRequest, logger logger.Logger) error { - actualHMAC, err := generateHMACDigest(ctx, policy, kao.SymmetricKey, logger) +func verifyPolicyBinding(ctx context.Context, policy []byte, kao *kaspb.KeyAccessObjectRequest, symKey []byte, logger logger.Logger) error { + actualHMAC, err := generateHMACDigest(ctx, policy, symKey, logger) if err != nil { logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) return err400("bad request") } - policyBinding, err := extractPolicyBinding(kao.PolicyBinding) + policyBinding, err := extractPolicyBinding(kao.GetKeyAccessObject().GetPolicyBinding()) if err != nil { logger.WarnContext(ctx, "bad policy binding") return err400("bad request") @@ -252,7 +263,11 @@ func verifyPolicyBinding(ctx context.Context, policy []byte, kao *request.KeyAcc return nil } -func extractPolicyBinding(policyBinding interface{}) (string, error) { +func extractPolicyBinding(policyBindingBytes []byte) (string, error) { + var policyBinding interface{} + if err := json.Unmarshal(policyBindingBytes, &policyBinding); err != nil { + return "", fmt.Errorf("could not decode binding") + } switch v := policyBinding.(type) { case string: return v, nil 
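Review bot: `fmt.Errorf("could not decode binding")` in extractPolicyBinding discards the json.Unmarshal error, so a malformed binding is indistinguishable from an empty one when the failure is investigated; wrap it: `return "", fmt.Errorf("could not decode binding: %w", err)`. The caller in the preceding hunk already logs it and maps it to a 400, so nothing changes for clients. extractPolicyBinding's type switch continues outside the hunk.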
@@ -289,27 +304,44 @@ func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, err return info, nil } -func failedKAORewrap(res *kaspb.RewrapResult, kao *request.KeyAccessObjectRequest, err error) { - if kao.Processed { - return - } - kao.Processed = true - kaoRes := &kaspb.KAORewrapResult{ - KeyAccessObjectId: kao.KeyAccessObjectID, - Status: kFailedStatus, - Result: &kaspb.KAORewrapResult_Error{Error: err.Error()}, - } - kao.Err = err - res.Results = append(res.Results, kaoRes) +func failedKAORewrap(res map[string]kaoResult, kao *kaspb.KeyAccessObjectRequest, err error) { + res[kao.GetKeyAccessObjectId()] = kaoResult{ + ID: kao.GetKeyAccessObjectId(), + Error: err, + } } -func markUnproccessedRequests(reqs []*request.RewrapRequests) { - for _, req := range reqs { - for _, kao := range req.KeyAccessObjectRequests { - failedKAORewrap(req.Results, kao, err400("could not process request")) +func addResultsToResponse(response *kaspb.RewrapResponse, result policyKAOResults) { + for policyID, policyMap := range result { + policyResults := &kaspb.RewrapResult{ + PolicyId: policyID, } + for kaoID, kaoRes := range policyMap { + kaoResult := &kaspb.KAORewrapResult{ + KeyAccessObjectId: kaoID, + } + switch { + case kaoRes.Error != nil: + kaoResult.Status = kFailedStatus + kaoResult.Result = &kaspb.KAORewrapResult_Error{Error: kaoRes.Error.Error()} + case kaoRes.Key != nil: + kaoResult.Status = kPermitStatus + kaoResult.Result = &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: kaoRes.Key} + default: + kaoResult.Status = kFailedStatus + kaoResult.Result = &kaspb.KAORewrapResult_Error{Error: "kao not processed by kas"} + } + policyResults.Results = append(policyResults.Results, kaoResult) + } + response.Responses = append(response.Responses, policyResults) } } +func getMapValue[Map ~map[K]V, K comparable, V any](m Map) *V { + for _, v := range m { + return &v + } + return nil +} func (p *Provider) Rewrap(ctx context.Context, req 
*connect.Request[kaspb.RewrapRequest]) (*connect.Response[kaspb.RewrapResponse], error) { in := req.Msg 
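Review bot: addResultsToResponse emits results from Go maps keyed by client-supplied ids, so two key access objects carrying the same `key_access_object_id` under one policy (or two request bodies with the same policy id, see `results[req.GetPolicy().GetId()] = kaoResults` in the tdf3Rewrap hunk) silently overwrite each other and the response holds fewer results than requests with no error; duplicate ids should be rejected when the request is parsed rather than dropped here. Map iteration order is also random, so `Responses` and `Results` come back in a different order on every call; collect and sort the keys before appending, e.g. `policyIDs := slices.Sorted(maps.Keys(result))` (Go 1.23+) or `sort.Strings` over gathered keys, so responses are deterministic and testable. failedKAORewrap also lost the `Processed` guard, so a later failure now overwrites an earlier, more specific one — presumably intended for failAllKaos, but a one-line comment saying so would help.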
@@ -329,70 +361,65 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap resp := &kaspb.RewrapResponse{} - var nanoReqs []*request.RewrapRequests - var tdf3Reqs []*request.RewrapRequests - var requests []*request.RewrapRequests - for _, req := range body.Requests { + var nanoReqs []*kaspb.RewrapRequestBody + var tdf3Reqs []*kaspb.RewrapRequestBody + for _, req := range body.GetRequests() { switch { - case req.Algorithm == kNanoAlgorithm: + case req.GetAlgorithm() == kNanoAlgorithm: nanoReqs = append(nanoReqs, req) - case req.Algorithm == "": + case req.GetAlgorithm() == "": req.Algorithm = kTDF3Algorithm tdf3Reqs = append(tdf3Reqs, req) default: tdf3Reqs = append(tdf3Reqs, req) } } + var results policyKAOResults if len(tdf3Reqs) > 0 { - p.tdf3Rewrap(ctx, tdf3Reqs, body.ClientPublicKey, entityInfo) - requests = append(requests, tdf3Reqs...) - } - - if len(nanoReqs) > 0 { - resp.SessionPublicKey = p.nanoTDFRewrap(ctx, nanoReqs, body.ClientPublicKey, entityInfo) - requests = append(requests, nanoReqs...) 
- } - - markUnproccessedRequests(requests) - for _, req := range requests { - resp.Responses = append(resp.Responses, req.Results) + results = p.tdf3Rewrap(ctx, tdf3Reqs, body.GetClientPublicKey(), entityInfo) + addResultsToResponse(resp, results) + } else { + resp.SessionPublicKey, results = p.nanoTDFRewrap(ctx, nanoReqs, body.GetClientPublicKey(), entityInfo) + addResultsToResponse(resp, results) } if isV1 { - if len(resp.GetResponses()) != 1 || len(resp.GetResponses()[0].GetResults()) != 1 { + if len(results) != 1 { return nil, fmt.Errorf("invalid request") } - res := resp.GetResponses()[0].GetResults()[0] - if res.GetStatus() == kFailedStatus { - return nil, requests[0].KeyAccessObjectRequests[0].Err + kaoResults := *getMapValue(results) + if len(kaoResults) != 1 { + return nil, fmt.Errorf("invalid request") + } + kao := *getMapValue(kaoResults) + + if kao.Error != nil { + return nil, kao.Error } - resp.EntityWrappedKey = res.GetKasWrappedKey() - resp.Metadata = res.GetMetadata() + resp.EntityWrappedKey = kao.Key } return connect.NewResponse(resp), err } -func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.RewrapRequests) (*request.Policy, error) { +func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.RewrapRequestBody) (*Policy, map[string]kaoResult, error) { + results := make(map[string]kaoResult) anyValidKAOs := false - p.Logger.DebugContext(ctx, "extracting policy", "requestBody.policy", req.Policy) - sDecPolicy, policyErr := base64.StdEncoding.DecodeString(req.Policy.Body) - req.Results = &kaspb.RewrapResult{ - PolicyId: req.Policy.ID, - } - policy := &request.Policy{} + p.Logger.DebugContext(ctx, "extracting policy", "requestBody.policy", req.GetPolicy()) + sDecPolicy, policyErr := base64.StdEncoding.DecodeString(req.GetPolicy().GetBody()) + policy := &Policy{} if policyErr == nil { policyErr = json.Unmarshal(sDecPolicy, policy) } - for _, kao := range req.KeyAccessObjectRequests { + for _, kao := range 
req.GetKeyAccessObjectRequests() { if policyErr != nil { - failedKAORewrap(req.Results, kao, err400("bad request")) + failedKAORewrap(results, kao, err400("bad request")) continue } var kidsToCheck []string - if kao.KID != "" { - kidsToCheck = []string{kao.KID} + if kao.GetKeyAccessObject().GetKid() != "" { + kidsToCheck = []string{kao.GetKeyAccessObject().GetKid()} } else { p.Logger.InfoContext(ctx, "kid free kao") for _, k := range p.KASConfig.Keyring { 
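Review bot: `if len(tdf3Reqs) > 0 { ... } else { ... nanoTDFRewrap ... }` only handles one of the two request kinds, so a body that mixes TDF3 and nanoTDF requests silently drops every nano request (they never reach the response), whereas the removed code processed both lists and appended all results. Process both lists and merge their maps into `results` so the v1 single-result check below still works, as in the rewrite below. The v1 path also no longer sets `resp.Metadata` (the removed `resp.Metadata = res.GetMetadata()`), and `kaoResult` has no metadata field to carry it; if v1 clients read metadata this is a regression worth a note in the description. Rewrap's signature is in the previous hunk and its body continues past this one.
```go
	results := make(policyKAOResults)
	if len(tdf3Reqs) > 0 {
		tdf3Results := p.tdf3Rewrap(ctx, tdf3Reqs, body.GetClientPublicKey(), entityInfo)
		addResultsToResponse(resp, tdf3Results)
		for id, r := range tdf3Results {
			results[id] = r
		}
	}
	if len(nanoReqs) > 0 {
		var nanoResults policyKAOResults
		resp.SessionPublicKey, nanoResults = p.nanoTDFRewrap(ctx, nanoReqs, body.GetClientPublicKey(), entityInfo)
		addResultsToResponse(resp, nanoResults)
		for id, r := range nanoResults {
			results[id] = r
		}
	}
	// … unchanged: isV1 single-result check and response …
```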
@@ -402,58 +429,63 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *request.Rewrap } if len(kidsToCheck) == 0 { p.Logger.WarnContext(ctx, "failure to find legacy kids for rsa") - failedKAORewrap(req.Results, kao, err400("bad request")) + failedKAORewrap(results, kao, err400("bad request")) continue } } - var err error - kao.SymmetricKey, err = p.CryptoProvider.RSADecrypt(crypto.SHA1, kidsToCheck[0], "", kao.WrappedKey) + symKey, err := p.CryptoProvider.RSADecrypt(crypto.SHA1, kidsToCheck[0], "", kao.GetKeyAccessObject().GetWrappedKey()) for _, kid := range kidsToCheck[1:] { p.Logger.WarnContext(ctx, "continue paging through legacy KIDs for kid free kao", "err", err) if err == nil { break } - kao.SymmetricKey, err = p.CryptoProvider.RSADecrypt(crypto.SHA1, kid, "", kao.WrappedKey) + symKey, err = p.CryptoProvider.RSADecrypt(crypto.SHA1, kid, "", kao.GetKeyAccessObject().GetWrappedKey()) } if err != nil { p.Logger.WarnContext(ctx, "failure to decrypt dek", "err", err) - failedKAORewrap(req.Results, kao, err400("bad request")) + failedKAORewrap(results, kao, err400("bad request")) continue } - err = verifyPolicyBinding(ctx, []byte(req.Policy.Body), kao, *p.Logger) + err = verifyPolicyBinding(ctx, []byte(req.GetPolicy().GetBody()), kao, symKey, *p.Logger) if err != nil { - failedKAORewrap(req.Results, kao, err) + failedKAORewrap(results, kao, err) continue } + results[kao.GetKeyAccessObjectId()] = kaoResult{ + ID: kao.GetKeyAccessObjectId(), + Key: symKey, + } anyValidKAOs = true } if policyErr != nil { - return nil, policyErr + return nil, results, policyErr } if !anyValidKAOs { p.Logger.WarnContext(ctx, "no valid KAOs found") - return policy, fmt.Errorf("no valid KAOs") + return policy, results, fmt.Errorf("no valid KAOs") } - return policy, nil + return policy, results, nil } -func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapRequests, clientPublicKey string, entity *entityInfo) { +func (p *Provider) tdf3Rewrap(ctx 
context.Context, requests []*kaspb.RewrapRequestBody, clientPublicKey string, entity *entityInfo) policyKAOResults { if p.Tracer != nil { var span trace.Span ctx, span = p.Tracer.Start(ctx, "rewrap-tdf3") defer span.End() } - var policies []*request.Policy - policyReqs := make(map[*request.Policy]*request.RewrapRequests) + results := make(policyKAOResults) + var policies []*Policy + policyReqs := make(map[*Policy]*kaspb.RewrapRequestBody) for _, req := range requests { - policy, err := p.verifyRewrapRequests(ctx, req) + policy, kaoResults, err := p.verifyRewrapRequests(ctx, req) + results[req.GetPolicy().GetId()] = kaoResults if err != nil { continue } @@ -467,8 +499,8 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq } pdpAccessResults, accessErr := p.canAccess(ctx, tok, policies) if accessErr != nil { - failAllKaos(requests, err403("could not perform access")) - return + failAllKaos(requests, results, err403("could not perform access")) + return results } asymEncrypt, err := ocrypto.NewAsymEncryption(clientPublicKey) 
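Review bot: Both identifiers used as map keys in this hunk are client-supplied and never checked for uniqueness: `results[kao.GetKeyAccessObjectId()] = kaoResult{...}` at the end of the verify loop and `results[req.GetPolicy().GetId()] = kaoResults` in tdf3Rewrap's first loop silently overwrite an earlier entry with the same id, so a KAO that failed policy-binding verification can be replaced by a later one that shares its id (or the reverse), and the final response becomes order-dependent. Since `key_access_object_id` and `policy.id` come straight from the request body, reject repeats before any crypto runs, e.g. at the top of the KAO loop `if _, seen := results[kao.GetKeyAccessObjectId()]; seen { failedKAORewrap(results, kao, err400("duplicate key access object id")); continue }`, and skip (or fail) a request whose policy id is already present in `results`. Overwriting with the failure keeps it fail-closed, which is the right direction. verifyRewrapRequests begins before this hunk and tdf3Rewrap continues after it.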
@@ -479,61 +511,68 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*request.RewrapReq for _, pdpAccess := range pdpAccessResults { policy := pdpAccess.Policy req, ok := policyReqs[policy] + kaoResults := results[req.GetPolicy().GetId()] if !ok { // this should not happen continue } access := pdpAccess.Access // Audit the TDF3 Rewrap - kasPolicy := request.ConvertToAuditKasPolicy(*policy) + kasPolicy := ConvertToAuditKasPolicy(*policy) - for _, kao := range req.KeyAccessObjectRequests { - policyBinding, _ := extractPolicyBinding(kao.PolicyBinding) + for _, kao := range req.GetKeyAccessObjectRequests() { + kaoRes := kaoResults[kao.GetKeyAccessObjectId()] + if kaoRes.Error != nil { + continue + } + + policyBinding, _ := extractPolicyBinding(kao.GetKeyAccessObject().GetPolicyBinding()) auditEventParams := audit.RewrapAuditEventParams{ Policy: kasPolicy, IsSuccess: access, TDFFormat: "tdf3", - Algorithm: req.Algorithm, + Algorithm: req.GetAlgorithm(), PolicyBinding: policyBinding, } if !access { p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - failedKAORewrap(req.Results, kao, err403("forbidden")) + failedKAORewrap(kaoResults, kao, err403("forbidden")) continue } - rewrappedKey, err := asymEncrypt.Encrypt(kao.SymmetricKey) + rewrappedKey, err := asymEncrypt.Encrypt(kaoRes.Key) if err != nil { p.Logger.WarnContext(ctx, "rewrap: ocrypto.AsymEncryption.encrypt failed", "err", err, "clientPublicKey", clientPublicKey) p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - failedKAORewrap(req.Results, kao, err400("bad key for rewrap")) + failedKAORewrap(kaoResults, kao, err400("bad key for rewrap")) continue } - req.Results.Results = append(req.Results.Results, &kaspb.KAORewrapResult{ - KeyAccessObjectId: kao.KeyAccessObjectID, - Status: kPermitStatus, - Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: rewrappedKey}, - }) + kaoResults[kao.GetKeyAccessObjectId()] = kaoResult{ + ID: kao.GetKeyAccessObjectId(), + Key: rewrappedKey, + } - 
kao.Processed = true p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) } } + return results } -func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.RewrapRequests, clientPublicKey string, entity *entityInfo) string { +func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.RewrapRequestBody, clientPublicKey string, entity *entityInfo) (string, policyKAOResults) { + results := make(policyKAOResults) if p.Tracer != nil { var span trace.Span ctx, span = p.Tracer.Start(ctx, "rewrap-nanotdf") defer span.End() } - var policies []*request.Policy - policyReqs := make(map[*request.Policy]*request.RewrapRequests) + var policies []*Policy + policyReqs := make(map[*Policy]*kaspb.RewrapRequestBody) for _, req := range requests { - policy := p.verifyNanoRewrapRequests(ctx, req) + policy, kaoResults := p.verifyNanoRewrapRequests(ctx, req) + results[req.GetPolicy().GetId()] = kaoResults if policy != nil { policies = append(policies, policy) policyReqs[policy] = req 
@@ -547,20 +586,20 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.Rewrap pdpAccessResults, accessErr := p.canAccess(ctx, tok, policies) if accessErr != nil { - failAllKaos(requests, err403("could not perform access")) - return "" + failAllKaos(requests, results, err403("could not perform access")) + return "", results } privateKeyHandle, publicKeyHandle, err := p.CryptoProvider.GenerateEphemeralKasKeys() if err != nil { - failAllKaos(requests, fmt.Errorf("failed to generate keypair: %w", err)) - return "" + failAllKaos(requests, results, fmt.Errorf("failed to generate keypair: %w", err)) + return "", results } sessionKey, err := p.CryptoProvider.GenerateNanoTDFSessionKey(privateKeyHandle, []byte(clientPublicKey)) if err != nil { p.Logger.DebugContext(ctx, "GenerateNanoTDFSessionKey", "err", err) - failAllKaos(requests, fmt.Errorf("failed to generate session key: %w", err)) - return "" + failAllKaos(requests, results, fmt.Errorf("failed to generate session key: %w", err)) + return "", results } for _, pdpAccess := range pdpAccessResults { 
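Review bot: A KAO id that is missing from `kaoResults` yields the zero `kaoResult`, whose `Error` is nil, so the guard `if kaoRes.Error != nil { continue }` lets it through to `asymEncrypt.Encrypt(kaoRes.Key)` with a nil key, stores the ciphertext of an empty key under that id, and then logs `RewrapSuccess` for it. Treat an absent key as a failure as well: `if kaoRes.Error != nil { continue }` followed by `if len(kaoRes.Key) == 0 { failedKAORewrap(kaoResults, kao, err400("bad request")); continue }`. Separately, `kaoResults := results[req.GetPolicy().GetId()]` is evaluated before the `if !ok` check on the `policyReqs` lookup and only works because generated getters tolerate a nil receiver; move it below the guard. tdf3Rewrap's signature is in an earlier hunk.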
@@ -569,60 +608,63 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*request.Rewrap if !ok { // this should not happen continue } + kaoResults := results[req.GetPolicy().GetId()] access := pdpAccess.Access // Audit the Nano Rewrap - kasPolicy := request.ConvertToAuditKasPolicy(*policy) + kasPolicy := ConvertToAuditKasPolicy(*policy) + + for _, kao := range req.GetKeyAccessObjectRequests() { + kaoInfo := kaoResults[kao.GetKeyAccessObjectId()] + if kaoInfo.Error != nil { + continue + } - for _, kao := range req.KeyAccessObjectRequests { auditEventParams := audit.RewrapAuditEventParams{ Policy: kasPolicy, IsSuccess: access, TDFFormat: "Nano", - Algorithm: req.Algorithm, + Algorithm: req.GetAlgorithm(), } if !access { p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - failedKAORewrap(req.Results, kao, err403("forbidden")) + failedKAORewrap(kaoResults, kao, err403("forbidden")) continue } - cipherText, err := wrapKeyAES(sessionKey, kao.SymmetricKey) + cipherText, err := wrapKeyAES(sessionKey, kaoInfo.Key) if err != nil { p.Logger.Audit.RewrapFailure(ctx, auditEventParams) - failedKAORewrap(req.Results, kao, err403("forbidden")) + failedKAORewrap(kaoResults, kao, err403("forbidden")) continue } - req.Results.Results = append(req.Results.Results, &kaspb.KAORewrapResult{ - KeyAccessObjectId: kao.KeyAccessObjectID, - Status: kPermitStatus, - Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: cipherText}, - }) + kaoResults[kao.GetKeyAccessObjectId()] = kaoResult{ + ID: kao.GetKeyAccessObjectId(), + Key: cipherText, + } - kao.Processed = true p.Logger.Audit.RewrapSuccess(ctx, auditEventParams) } } - return string(publicKeyHandle) + return string(publicKeyHandle), results } -func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *request.RewrapRequests) *request.Policy { - req.Results = &kaspb.RewrapResult{ - PolicyId: req.Policy.ID, - } - for _, kao := range req.KeyAccessObjectRequests { +func (p *Provider) 
verifyNanoRewrapRequests(ctx context.Context, req *kaspb.RewrapRequestBody) (*Policy, map[string]kaoResult) { + results := make(map[string]kaoResult) + + for _, kao := range req.GetKeyAccessObjectRequests() { // there should never be multiple KAOs in policy - if len(req.KeyAccessObjectRequests) != 1 { - failedKAORewrap(req.Results, kao, err400("NanoTDFs should not have multiple KAOs per Policy")) + if len(req.GetKeyAccessObjectRequests()) != 1 { + failedKAORewrap(results, kao, err400("NanoTDFs should not have multiple KAOs per Policy")) continue } - headerReader := bytes.NewReader(kao.Header) + headerReader := bytes.NewReader(kao.GetKeyAccessObject().GetHeader()) header, _, err := sdk.NewNanoTDFHeaderFromReader(headerReader) if err != nil { - failedKAORewrap(req.Results, kao, fmt.Errorf("failed to parse NanoTDF header: %w", err)) - return nil + failedKAORewrap(results, kao, fmt.Errorf("failed to parse NanoTDF header: %w", err)) + return nil, results } // Lookup KID from nano header kid, err := header.GetKasURL().GetIdentifier() @@ -632,7 +674,7 @@ func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *request.Re kid, err = p.lookupKid(ctx, security.AlgorithmECP256R1) if err != nil { p.Logger.ErrorContext(ctx, "failure to find default kid for ec", "err", err) - failedKAORewrap(req.Results, kao, err400("bad request")) + failedKAORewrap(results, kao, err400("bad request")) continue } p.Logger.DebugContext(ctx, "nanoTDFRewrap lookupKid", "kid", kid) 
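Review bot: Same gap as the tdf3 loop: `kaoInfo := kaoResults[kao.GetKeyAccessObjectId()]` returns the zero value for an unknown id, its `Error` is nil, and `wrapKeyAES(sessionKey, kaoInfo.Key)` then runs with a nil DEK before a `RewrapSuccess` audit event is written. Guard on the key too, e.g. `if kaoInfo.Error != nil { continue }` then `if len(kaoInfo.Key) == 0 { failedKAORewrap(kaoResults, kao, err400("bad request")); continue }`. Note also that KAOs which failed verification are now skipped before any audit call, whereas the removed code reached `wrapKeyAES` (and its `RewrapFailure` branch) for every KAO; if those failures are meant to be audited, the `continue` needs an explicit `RewrapFailure` first. nanoTDFRewrap starts outside this hunk, and verifyNanoRewrapRequests starts here and continues in the following hunks.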
@@ -640,41 +682,44 @@ func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *request.Re p.Logger.DebugContext(ctx, "nanoTDFRewrap", "kid", kid) ecCurve, err := header.ECCurve() if err != nil { - failedKAORewrap(req.Results, kao, fmt.Errorf("ECCurve failed: %w", err)) - return nil + failedKAORewrap(results, kao, fmt.Errorf("ECCurve failed: %w", err)) + return nil, results } symmetricKey, err := p.CryptoProvider.GenerateNanoTDFSymmetricKey(kid, header.EphemeralKey, ecCurve) if err != nil { - failedKAORewrap(req.Results, kao, fmt.Errorf("failed to generate symmetric key: %w", err)) - return nil + failedKAORewrap(results, kao, fmt.Errorf("failed to generate symmetric key: %w", err)) + return nil, results } // extract the policy policy, err := extractNanoPolicy(symmetricKey, header) if err != nil { - failedKAORewrap(req.Results, kao, fmt.Errorf("Error extracting policy: %w", err)) - return nil + failedKAORewrap(results, kao, fmt.Errorf("Error extracting policy: %w", err)) + return nil, results } // check the policy binding verify, err := header.VerifyPolicyBinding() if err != nil { - failedKAORewrap(req.Results, kao, fmt.Errorf("failed to verify policy binding: %w", err)) - return nil + failedKAORewrap(results, kao, fmt.Errorf("failed to verify policy binding: %w", err)) + return nil, results } if !verify { - failedKAORewrap(req.Results, kao, fmt.Errorf("policy binding verification failed")) - return nil + failedKAORewrap(results, kao, fmt.Errorf("policy binding verification failed")) + return nil, results + } + results[kao.GetKeyAccessObjectId()] = kaoResult{ + ID: kao.GetKeyAccessObjectId(), + Key: symmetricKey, } - kao.SymmetricKey = symmetricKey - return policy + return policy, results } - return nil + return nil, results } -func extractNanoPolicy(symmetricKey []byte, header sdk.NanoTDFHeader) (*request.Policy, error) { +func extractNanoPolicy(symmetricKey []byte, header sdk.NanoTDFHeader) (*Policy, error) { gcm, err := ocrypto.NewAESGcm(symmetricKey) 
if err != nil { return nil, fmt.Errorf("crypto.NewAESGcm:%w", err) @@ -694,7 +739,7 @@ func extractNanoPolicy(symmetricKey []byte, header sdk.NanoTDFHeader) (*request. return nil, fmt.Errorf("Error decrypting policy body:%w", err) } - var policy request.Policy + var policy Policy err = json.Unmarshal(policyData, &policy) if err != nil { return nil, fmt.Errorf("Error unmarshalling policy:%w", err) @@ -716,10 +761,10 @@ func wrapKeyAES(sessionKey, dek []byte) ([]byte, error) { return cipherText, nil } -func failAllKaos(requests []*request.RewrapRequests, err error) { - for _, req := range requests { - for _, kao := range req.KeyAccessObjectRequests { - failedKAORewrap(req.Results, kao, err) +func failAllKaos(reqs []*kaspb.RewrapRequestBody, results policyKAOResults, err error) { + for _, req := range reqs { + for _, kao := range req.GetKeyAccessObjectRequests() { + failedKAORewrap(results[req.GetPolicy().GetId()], kao, err) } } } diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index ef6cfdaab3..0ec47c81db 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go @@ -8,11 +8,12 @@ import ( "encoding/hex" "encoding/json" "encoding/pem" - "errors" "log/slog" "net/http" "testing" + "google.golang.org/protobuf/encoding/protojson" + "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jws" @@ -25,7 +26,6 @@ import ( "github.com/google/uuid" kaspb "github.com/opentdf/platform/protocol/go/kas" - "github.com/opentdf/platform/service/kas/request" "google.golang.org/grpc/metadata" ) 
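Review bot: The nano verification failures in this hunk are returned as plain `fmt.Errorf` values wrapping the crypto provider's error (`"ECCurve failed: %w"`, `"failed to generate symmetric key: %w"`, `"Error extracting policy: %w"`, `"failed to verify policy binding: %w"`), whereas the tdf3 path maps the equivalent client-caused failures to `err400("bad request")` and logs the detail. If `failedKAORewrap` surfaces `Error()` in the per-KAO `error` response field (not visible here), the wrapped provider text reaches the caller; prefer `p.Logger.WarnContext(ctx, "nano rewrap: symmetric key derivation failed", "err", err)` followed by `failedKAORewrap(results, kao, err400("bad request"))`, and the same shape for the binding-verification failures. verifyNanoRewrapRequests starts in an earlier hunk.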
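Review bot: `failAllKaos` indexes `results[req.GetPolicy().GetId()]` without checking that the entry exists, so for a policy id that was never stored (or was stored once for two requests sharing the id) it passes a nil map to `failedKAORewrap`, and the assignment that helper presumably makes panics; on this path that turns a PDP or key-generation error into a crash. Both current callers fill `results` for every request before calling it, so the bug is latent, but the helper should be safe on its own.
```go
func failAllKaos(reqs []*kaspb.RewrapRequestBody, results policyKAOResults, err error) {
	for _, req := range reqs {
		policyID := req.GetPolicy().GetId()
		kaoResults, ok := results[policyID]
		if !ok {
			kaoResults = make(map[string]kaoResult)
			results[policyID] = kaoResults
		}
		for _, kao := range req.GetKeyAccessObjectRequests() {
			failedKAORewrap(kaoResults, kao, err)
		}
	}
}
```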
@@ -115,10 +115,10 @@ Dzq7D9lqeqSK/ds7r7hpbs4iIr6KrSuXwlXmYtnhRvKT mockIDPOrigin = "https://keycloak-http/" ) -func fauxPolicy() *request.Policy { - return &request.Policy{ +func fauxPolicy() *Policy { + return &Policy{ UUID: uuid.MustParse("12345678-1234-1234-1234-1234567890AB"), - Body: request.PolicyBody{DataAttributes: []request.Attribute{ + Body: PolicyBody{DataAttributes: []Attribute{ {URI: "https://example.com/attr/Classification/value/S"}, {URI: "https://example.com/attr/COI/value/PRX"}, }}, @@ -126,9 +126,9 @@ func fauxPolicy() *request.Policy { } func emptyPolicyBytes() []byte { - data, err := json.Marshal(request.Policy{ + data, err := json.Marshal(Policy{ UUID: uuid.MustParse("12345678-1234-1234-1234-1234567890AB"), - Body: request.PolicyBody{}, + Body: PolicyBody{}, }) if err != nil { panic(err) @@ -201,7 +201,7 @@ type PolicyBinding struct { Hash string `json:"hash"` } -func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) request.KeyAccessObjectRequest { +func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) kaspb.KeyAccessObjectRequest { policyBytes := fauxPolicyBytes(t) asym, err := ocrypto.NewAsymEncryption(rsaPublicAlt) require.NoError(t, err, "rewrap: NewAsymEncryption failed") @@ -225,15 +225,17 @@ func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) request.KeyAc Hash: base64.StdEncoding.EncodeToString(dst), } } + binding, err := json.Marshal(policyBinding) + require.NoError(t, err) - return request.KeyAccessObjectRequest{ - KeyAccessObjectID: "123", - KeyAccess: request.KeyAccess{ + return kaspb.KeyAccessObjectRequest{ + KeyAccessObjectId: "123", + KeyAccessObject: &kaspb.KeyAccess{ KeyType: "wrapped", - KasURL: "http://127.0.0.1:4000", + KasUrl: "http://127.0.0.1:4000", Protocol: "kas", WrappedKey: []byte(base64.StdEncoding.EncodeToString(wrappedKey)), - PolicyBinding: policyBinding, + PolicyBinding: binding, }, } } 
@@ -281,13 +283,13 @@ func jwtWrongKey(t *testing.T) []byte { return signedMockJWT(t, entityPrivateKey(t)) } -func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*request.RewrapRequests { +func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*kaspb.RewrapRequestBody { kaoReq := keyAccessWrappedRaw(t, bindingAsString) - return []*request.RewrapRequests{ + return []*kaspb.RewrapRequestBody{ { - KeyAccessObjectRequests: []*request.KeyAccessObjectRequest{&kaoReq}, - Policy: request.PolicyRequest{ - ID: "123", + KeyAccessObjectRequests: []*kaspb.KeyAccessObjectRequest{&kaoReq}, + Policy: &kaspb.PolicyRequest{ + Id: "123", Body: string(policy), }, }, @@ -295,11 +297,11 @@ func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*re } func makeRewrapBody(t *testing.T, policy []byte, policyBindingAsString bool) []byte { - mockBody := request.Body{ + mockBody := &kaspb.RequestBody{ Requests: makeRewrapRequests(t, policy, policyBindingAsString), ClientPublicKey: rsaPublicAlt, } - bodyData, err := json.Marshal(mockBody) + bodyData, err := protojson.Marshal(mockBody) require.NoError(t, err) tok := jwt.New() 
@@ -364,14 +366,10 @@ func TestParseAndVerifyRequest(t *testing.T) { if tt.goodDPoP { require.NoError(t, err, "failed to parse srt=[%s], tok=[%s]", tt.body, bearer) require.NotNil(t, verified, "unable to load request body") - require.NotNil(t, verified.ClientPublicKey, "unable to load public key") - - for _, req := range verified.Requests { - req.Results = &kaspb.RewrapResult{} - req.KeyAccessObjectRequests[0].SymmetricKey = []byte(plainKey) + require.NotNil(t, verified.GetClientPublicKey(), "unable to load public key") - err := verifyPolicyBinding(context.Background(), []byte(req.Policy.Body), req.KeyAccessObjectRequests[0], *logger) - err = errors.Join(err, verified.Requests[0].KeyAccessObjectRequests[0].Err) + for _, req := range verified.GetRequests() { + err := verifyPolicyBinding(context.Background(), []byte(req.GetPolicy().GetBody()), req.GetKeyAccessObjectRequests()[0], []byte(plainKey), *logger) if !tt.shouldError { require.NoError(t, err, "failed to verify policy body=[%v]", tt.body) } else { diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 55d832c735..cf9c691408 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto 
@@ -31,6 +31,39 @@ message LegacyPublicKeyRequest {
 string algorithm = 1;
 }
 
+message KeyAccess {
+ string encrypted_metadata = 1;
+ bytes policy_binding = 2;
+ string protocol = 3;
+ string key_type = 4;
+ string kas_url = 5;
+ string kid = 6;
+ string split_id = 7;
+ bytes wrapped_key = 8;
+ bytes header = 9;
+ string algorithm = 10;
+}
+message PolicyRequest {
+ string id = 1;
+ string body = 2;
+}
+
+message KeyAccessObjectRequest {
+ string key_access_object_id = 1;
+ KeyAccess key_access_object = 2;
+}
+
+message RewrapRequestBody {
+ repeated KeyAccessObjectRequest key_access_object_requests = 1;
+ PolicyRequest policy = 2;
+ string algorithm = 3;
+}
+
+message RequestBody {
+ string client_public_key = 1;
+ repeated RewrapRequestBody requests = 2;
+}
+
 message PublicKeyRequest {
 string algorithm = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "algorithm type rsa: or ec:"}];
 string fmt = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "response format"}];
diff --git a/service/kas/request/rewrap.go b/service/kas/request/rewrap.go
deleted file mode 100644
index 92fbdd6dbb..0000000000
--- a/service/kas/request/rewrap.go
+++ /dev/null
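Review bot: None of the new messages carries a field comment, and two `bytes` fields have a non-obvious encoding: the test helper in this patch fills `wrapped_key` with the base64 text of the RSA-wrapped DEK (not the raw ciphertext) and `policy_binding` with the JSON of a `{alg, hash}` object, while protojson base64-encodes the bytes once more on the wire. Say so in the .proto, e.g. above `wrapped_key`: `// Wrapped DEK as produced by the client SDK; the KAS test fixtures pass base64 text, confirm against RSADecrypt before relying on raw bytes`, above `policy_binding`: `// JSON policy binding {alg, hash}, or the legacy bare hash string`, and above `header`: `// NanoTDF header; only read on the NanoTDF rewrap path`. `key_access_object_id` and `PolicyRequest.id` also deserve `// Client-chosen id echoed back in the response; must be unique within the request`, since the server keys its result maps on them.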
@@ -1,36 +0,0 @@
-package request
-
-import "github.com/opentdf/platform/protocol/go/kas"
-
-const (
- PermitStatus = "permit"
-)
-
-type PolicyRequest struct {
- ID string `json:"id"`
- Body string `json:"body"`
-}
-
-type KeyAccessObjectRequest struct {
- KeyAccessObjectID string `json:"keyAccessObjectId"`
- KeyAccess `json:"keyAccessObject"`
-
- // For Platform Use
- Processed bool `json:"-"`
- SymmetricKey []byte `json:"-"`
- Err error `json:"-"`
-}
-
-type RewrapRequests struct {
- KeyAccessObjectRequests []*KeyAccessObjectRequest `json:"keyAccessObjects"`
- Policy PolicyRequest `json:"policy"`
- Algorithm string `json:"algorithm,omitempty"`
-
- // For Platform Use
- Results *kas.RewrapResult `json:"-"`
-}
-
-type Body struct {
- Requests []*RewrapRequests `json:"requests"`
- ClientPublicKey string `json:"clientPublicKey"`
-}
diff --git a/service/rttests/rt_test.go b/service/rttests/rt_test.go
index 624f443a80..ba8004a6c2 100644
--- a/service/rttests/rt_test.go
+++ b/service/rttests/rt_test.go
@@ -413,7 +413,11 @@ func bulk(client *sdk.SDK, tdfSuccess []string, tdfFail []string, plaintext stri
 req.TDFType = sdk.Standard
 _ = client.BulkDecrypt(context.Background(), req)
 for _, tdf := range passTDF {
- builder := tdf.Writer.(*strings.Builder)
+ builder, ok := tdf.Writer.(*strings.Builder)
+ if !ok {
+ return fmt.Errorf("bad writer")
+ }
+
 if tdf.Error != nil {
 return tdf.Error
 }
From 767e621bc230712da00577376c13c0f915516221 Mon Sep 17 00:00:00 2001
From: Dominic Reed
Date: Fri, 10 Jan 2025 14:31:30 -0800
Subject: [PATCH 19/48] tdf3 fix
Summary:
Test Plan:
---
 service/kas/access/rewrap.go | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go
index ef015d89f4..9782e23e58 100644
--- a/service/kas/access/rewrap.go
+++ b/service/kas/access/rewrap.go
@@ -51,13 +51,13 @@ type SignedRequestBody struct { } type RequestBody struct { - AuthToken string `json:"authToken"` - KeyAccess kaspb.KeyAccess `json:"keyAccess"` - Policy string `json:"policy,omitempty"` - Algorithm string `json:"algorithm,omitempty"` - ClientPublicKey string `json:"clientPublicKey"` - PublicKey interface{} `json:"-"` - SchemaVersion string `json:"schemaVersion,omitempty"` + AuthToken string `json:"authToken"` + KeyAccess KeyAccess `json:"keyAccess"` + Policy string `json:"policy,omitempty"` + Algorithm string `json:"algorithm,omitempty"` + ClientPublicKey string `json:"clientPublicKey"` + PublicKey interface{} `json:"-"` + SchemaVersion string `json:"schemaVersion,omitempty"` } type entityInfo struct { @@ -143,10 +143,27 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.RequestBody, error) { return kaspb.RequestBody{}, err } + kao := requestBody.KeyAccess + binding, err := json.Marshal(kao.PolicyBinding) + if err != nil { + return kaspb.RequestBody{}, err + } + reqs := []*kaspb.RewrapRequestBody{ { KeyAccessObjectRequests: []*kaspb.KeyAccessObjectRequest{ - {KeyAccessObjectId: "kao-0", KeyAccessObject: &requestBody.KeyAccess}, + {KeyAccessObjectId: "kao-0", KeyAccessObject: &kaspb.KeyAccess{ + EncryptedMetadata: kao.EncryptedMetadata, + PolicyBinding: binding, + Protocol: kao.Protocol, + KeyType: kao.Type, + KasUrl: kao.URL, + Kid: kao.KID, + SplitId: kao.SID, + WrappedKey: kao.WrappedKey, + Header: kao.Header, + Algorithm: kao.Algorithm, + }}, }, Algorithm: requestBody.Algorithm, Policy: &kaspb.PolicyRequest{ From e29072b5c921451b09be638c0bfbde8f908da3db Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 14:54:33 -0800 Subject: [PATCH 20/48] split key failure Summary: Test Plan: --- sdk/tdf.go | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/sdk/tdf.go b/sdk/tdf.go index 8b59a55d81..d024d286a7 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go 
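Review bot: `json.Marshal(kao.PolicyBinding)` re-serialises whatever the v1 body carried, so a legacy bare-string binding becomes the quoted bytes `"<hash>"` and an absent binding becomes the bytes `null`; nothing in this hunk checks either case, and the downstream `extractPolicyBinding`/`verifyPolicyBinding` (not visible here) must accept the quoted form and reject `null`. Fail fast in the converter when the binding is missing, e.g. `if kao.PolicyBinding == nil { return kaspb.RequestBody{}, err400("missing policy binding") }` if the field is an `any`, and add a conversion test for both shapes that `keyAccessWrappedRaw(t, policyBindingAsString)` already produces. extractAndConvertV1SRTBody starts before this hunk and its return statement is after it.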
@@ -1056,19 +1056,31 @@ func (r *Reader) buildKey(_ context.Context, results []KAOResult) error { func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocognit // Better readability keeping it as is kasClient := newKASClient(r.dialOptions, r.tokenSource, &r.kasSessionKey) + var kaoResults []KAOResult + reqFail := func(err error, req *kas.RewrapRequestBody) { + for _, kao := range req.GetKeyAccessObjectRequests() { + kaoResults = append(kaoResults, KAOResult{ + KeyAccessObjectID: kao.GetKeyAccessObjectId(), + Error: err, + }) + } + + } + reqs, err := createRewrapRequest(ctx, r) if err != nil { return err } - var kaoResults []KAOResult for _, req := range reqs { policyRes, err := kasClient.unwrap(ctx, req) if err != nil { - return err + reqFail(err, req) } result, ok := policyRes["policy"] if !ok { - return fmt.Errorf("could not find policy in rewrap response") + err = fmt.Errorf("could not find policy in rewrap response") + reqFail(err, req) + return err } kaoResults = append(kaoResults, result...) } From c62d0856986bdcbf1c89ec8023bf78f12ae0f009 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Fri, 10 Jan 2025 15:01:21 -0800 Subject: [PATCH 21/48] fix return err Summary: Test Plan: --- sdk/tdf.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/sdk/tdf.go b/sdk/tdf.go index d024d286a7..1805db5f88 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -1064,7 +1064,6 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn Error: err, }) } - } reqs, err := createRewrapRequest(ctx, r) @@ -1080,7 +1079,6 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn if !ok { err = fmt.Errorf("could not find policy in rewrap response") reqFail(err, req) - return err } kaoResults = append(kaoResults, result...) } From b2de7286912f9ad821beee8a84b9d9422926ead3 Mon Sep 17 00:00:00 2001 
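Review bot: After `reqFail(err, req)` in the unwrap-error branch the loop does not `continue`, so the same request goes on to `policyRes["policy"]` on a nil map, fails the `ok` check and calls `reqFail` a second time, leaving every KAO of that request with two failure entries carrying different messages; add `continue` directly after the first `reqFail(err, req)`. With `return err` removed in the follow-up commit on this line, the missing-policy branch also falls through to `append(kaoResults, result...)`, which is harmless for a nil `result` but clearer with its own `continue`. The inner `policyRes, err :=` shadows the outer `err` from `createRewrapRequest`, which is fine today but easy to trip over when the loop grows. doPayloadKeyUnwrap continues past the hunk.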
From: Dominic Reed Date: Mon, 13 Jan 2025 10:49:20 -0800 Subject: [PATCH 22/48] better benchmark 0 success handling Summary: Test Plan: --- examples/cmd/benchmark.go | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/examples/cmd/benchmark.go b/examples/cmd/benchmark.go index 125fd7afa7..b61dff2ee1 100644 --- a/examples/cmd/benchmark.go +++ b/examples/cmd/benchmark.go @@ -202,13 +202,12 @@ func runBenchmark(cmd *cobra.Command, args []string) error { successCount++ totalDuration += result } - // fixes divide by 0 error - if successCount == 0 { - successCount = 1 - } totalTime := time.Since(startTime) - averageLatency := totalDuration / time.Duration(successCount) + var averageLatency time.Duration + if successCount > 0 { + averageLatency = totalDuration / time.Duration(successCount) + } throughput := float64(successCount) / totalTime.Seconds() // Print results @@ -218,7 +217,9 @@ func runBenchmark(cmd *cobra.Command, args []string) error { cmd.Printf("Failed Requests: %d\n", errorCount) cmd.Printf("Concurrent Requests: %d\n", config.ConcurrentRequests) cmd.Printf("Total Time: %s\n", totalTime) - cmd.Printf("Average Latency: %s\n", averageLatency) + if successCount > 0 { + cmd.Printf("Average Latency: %s\n", averageLatency) + } cmd.Printf("Throughput: %.2f requests/second\n", throughput) if errorCount > 0 { From f58dd9cfde7b11285c29d2574dbbea79797ca0f4 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Mon, 13 Jan 2025 12:10:33 -0800 Subject: [PATCH 23/48] Better API names --- docs/grpc/index.html | 259 ++++------ docs/openapi/kas/kas.swagger.json | 42 +- protocol/go/kas/kas.pb.go | 818 +++++++++++++++--------------- sdk/bulk.go | 2 +- sdk/kas_client.go | 14 +- sdk/kas_client_test.go | 10 +- sdk/nanotdf.go | 10 +- sdk/tdf.go | 20 +- sdk/tdf_test.go | 10 +- service/kas/access/rewrap.go | 62 +-- service/kas/access/rewrap_test.go | 16 +- service/kas/kas.proto | 63 ++- 12 files changed, 620 insertions(+), 706 deletions(-) 
diff --git a/docs/grpc/index.html b/docs/grpc/index.html index b9d10acf1d..6d89a87d5f 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -439,19 +439,15 @@

    Table of Contents

  • - MKAORewrapResult + MKeyAccess
  • - MKAORewrapResult.MetadataEntry + MKeyAccessRewrapResult
  • - MKeyAccess -
  • - -
  • - MKeyAccessObjectRequest + MKeyAccessRewrapResult.MetadataEntry
  • @@ -459,7 +455,7 @@

    Table of Contents

  • - MPolicyRequest + MPolicyRewrapResult
  • @@ -471,27 +467,27 @@

    Table of Contents

  • - MRequestBody + MRewrapRequest
  • - MRewrapRequest + MRewrapResponse
  • - MRewrapRequestBody + MUnsignedRewrapRequest
  • - MRewrapResponse + MUnsignedRewrapRequest.WithKeyAccessObject
  • - MRewrapResponse.MetadataEntry + MUnsignedRewrapRequest.WithPolicy
  • - MRewrapResult + MUnsignedRewrapRequest.WithPolicyRequest
  • @@ -3235,7 +3231,7 @@

    InfoResponse

    -

    KAORewrapResult

    +

    KeyAccess

    @@ -3246,153 +3242,122 @@

    KAORewrapResult

    - metadata - KAORewrapResult.MetadataEntry - repeated -

    - - - - key_access_object_id + encrypted_metadata string

    - status - string + policy_binding + bytes

    - kas_wrapped_key - bytes + protocol + string

    - error + key_type string

    - - - - - - - -

    KAORewrapResult.MetadataEntry

    -

    - - - - - - - - - + - - + + - -
    FieldTypeLabelDescription
    keykas_url string

    valuegoogle.protobuf.Valuekidstring

    - - - - - -

    KeyAccess

    -

    - - - - - - - - - + - + - - + + - + - - - - - - + +
    FieldTypeLabelDescription
    encrypted_metadatasplit_id string

    policy_bindingwrapped_key bytes

    protocolstringheaderbytes

    key_typealgorithm string

    kas_urlstring

    + + + + + +

    KeyAccessRewrapResult

    +

    + + + + + + + - - - + + + - + - - + + - + - + @@ -3405,7 +3370,7 @@

    KeyAccess

    -

    KeyAccessObjectRequest

    +

    KeyAccessRewrapResult.MetadataEntry

    @@ -3416,15 +3381,15 @@

    KeyAccessObjectRequest

    - + - - + + @@ -3460,7 +3425,7 @@

    LegacyPublicKeyRequest

    -

    PolicyRequest

    +

    PolicyRewrapResult

    @@ -3471,16 +3436,16 @@

    PolicyRequest

    - + - - - + + + @@ -3560,7 +3525,7 @@

    PublicKeyResponse

    -

    RequestBody

    +

    RewrapRequest

    @@ -3571,19 +3536,12 @@

    RequestBody

    - + - - - - - - -
    FieldTypeLabelDescription
    kidstringmetadataKeyAccessRewrapResult.MetadataEntryrepeated

    split_idkey_access_object_id string

    wrapped_keybytesstatusstring

    headerkas_wrapped_key bytes

    algorithmerror string

    key_access_object_idkey string

    key_access_objectKeyAccessvaluegoogle.protobuf.Value

    idpolicy_id string

    bodystringresultsKeyAccessRewrapResultrepeated

    client_public_keysigned_request_token string

    requestsRewrapRequestBodyrepeated

    @@ -3591,7 +3549,7 @@

    RequestBody

    -

    RewrapRequest

    +

    RewrapResponse

    @@ -3602,10 +3560,24 @@

    RewrapRequest

    - signed_request_token + entity_wrapped_key + bytes + +

    Deprecated

    + + + + session_public_key string -

    +

    Deprecated

    + + + + responses + PolicyRewrapResult + repeated +

    New Rewrap API changes

    @@ -3615,7 +3587,7 @@

    RewrapRequest

    -

    RewrapRequestBody

    +

    UnsignedRewrapRequest

    @@ -3626,23 +3598,16 @@

    RewrapRequestBody

    - key_access_object_requests - KeyAccessObjectRequest - repeated -

    - - - - policy - PolicyRequest + client_public_key + string

    - algorithm - string - + requests + UnsignedRewrapRequest.WithPolicyRequest + repeated

    @@ -3653,7 +3618,7 @@

    RewrapRequestBody

    -

    RewrapResponse

    +

    UnsignedRewrapRequest.WithKeyAccessObject

    @@ -3664,38 +3629,17 @@

    RewrapResponse

    - metadata - RewrapResponse.MetadataEntry - repeated -

    Deprecated

    - - - - entity_wrapped_key - bytes - -

    Deprecated

    - - - - session_public_key + key_access_object_id string

    - schema_version - string + key_access_object + KeyAccess -

    Deprecated

    - - - - responses - RewrapResult - repeated -

    New Rewrap API changes

    +

    @@ -3705,7 +3649,7 @@

    RewrapResponse

    -

    RewrapResponse.MetadataEntry

    +

    UnsignedRewrapRequest.WithPolicy

    @@ -3716,15 +3660,15 @@

    RewrapResponse.MetadataEntry

    - key + id string

    - value - google.protobuf.Value + body + string

    @@ -3736,7 +3680,7 @@

    RewrapResponse.MetadataEntry

    -

    RewrapResult

    +

    UnsignedRewrapRequest.WithPolicyRequest

    @@ -3747,16 +3691,23 @@

    RewrapResult

    - policy_id - string + key_access_objects + UnsignedRewrapRequest.WithKeyAccessObject + repeated +

    + + + + policy + UnsignedRewrapRequest.WithPolicy

    - results - KAORewrapResult - repeated + algorithm + string +

    diff --git a/docs/openapi/kas/kas.swagger.json b/docs/openapi/kas/kas.swagger.json index 46409eaa56..dffc423956 100644 --- a/docs/openapi/kas/kas.swagger.json +++ b/docs/openapi/kas/kas.swagger.json @@ -130,7 +130,7 @@ } }, "definitions": { - "kasKAORewrapResult": { + "kasKeyAccessRewrapResult": { "type": "object", "properties": { "metadata": { @@ -152,6 +152,21 @@ } } }, + "kasPolicyRewrapResult": { + "type": "object", + "properties": { + "policyId": { + "type": "string" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/kasKeyAccessRewrapResult" + } + } + } + }, "kasPublicKeyResponse": { "type": "object", "properties": { @@ -174,20 +189,12 @@ "kasRewrapResponse": { "type": "object", "properties": { - "metadata": { - "type": "object", - "additionalProperties": {}, - "title": "Deprecated" - }, "entityWrappedKey": { "type": "string", "format": "byte", "title": "Deprecated" }, "sessionPublicKey": { - "type": "string" - }, - "schemaVersion": { "type": "string", "title": "Deprecated" }, @@ -195,27 +202,12 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/kasRewrapResult" + "$ref": "#/definitions/kasPolicyRewrapResult" }, "title": "New Rewrap API changes" } } }, - "kasRewrapResult": { - "type": "object", - "properties": { - "policyId": { - "type": "string" - }, - "results": { - "type": "array", - "items": { - "type": "object", - "$ref": "#/definitions/kasKAORewrapResult" - } - } - } - }, "protobufAny": { "type": "object", "properties": { diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index 0122d16147..b195d8d81a 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go 
@@ -276,17 +276,17 @@ func (x *KeyAccess) GetAlgorithm() string { return "" } -type PolicyRequest struct { +type UnsignedRewrapRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` - Body string `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"` + ClientPublicKey string `protobuf:"bytes,1,opt,name=client_public_key,json=clientPublicKey,proto3" json:"client_public_key,omitempty"` + Requests []*UnsignedRewrapRequest_WithPolicyRequest `protobuf:"bytes,2,rep,name=requests,proto3" json:"requests,omitempty"` } -func (x *PolicyRequest) Reset() { - *x = PolicyRequest{} +func (x *UnsignedRewrapRequest) Reset() { + *x = UnsignedRewrapRequest{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -294,13 +294,13 @@ func (x *PolicyRequest) Reset() { } } -func (x *PolicyRequest) String() string { +func (x *UnsignedRewrapRequest) String() string { return protoimpl.X.MessageStringOf(x) } -func (*PolicyRequest) ProtoMessage() {} +func (*UnsignedRewrapRequest) ProtoMessage() {} -func (x *PolicyRequest) ProtoReflect() protoreflect.Message { +func (x *UnsignedRewrapRequest) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -312,36 +312,37 @@ func (x *PolicyRequest) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use PolicyRequest.ProtoReflect.Descriptor instead. -func (*PolicyRequest) Descriptor() ([]byte, []int) { +// Deprecated: Use UnsignedRewrapRequest.ProtoReflect.Descriptor instead. +func (*UnsignedRewrapRequest) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{4} } -func (x *PolicyRequest) GetId() string { +func (x *UnsignedRewrapRequest) GetClientPublicKey() string { if x != nil { - return x.Id + return x.ClientPublicKey } return "" } -func (x *PolicyRequest) GetBody() string { +func (x *UnsignedRewrapRequest) GetRequests() []*UnsignedRewrapRequest_WithPolicyRequest { if x != nil { - return x.Body + return x.Requests } - return "" + return nil } -type KeyAccessObjectRequest struct { +type PublicKeyRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - KeyAccessObjectId string `protobuf:"bytes,1,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"` - KeyAccessObject *KeyAccess `protobuf:"bytes,2,opt,name=key_access_object,json=keyAccessObject,proto3" json:"key_access_object,omitempty"` + Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"` + Fmt string `protobuf:"bytes,2,opt,name=fmt,proto3" json:"fmt,omitempty"` + V string `protobuf:"bytes,3,opt,name=v,proto3" json:"v,omitempty"` } -func (x *KeyAccessObjectRequest) Reset() { - *x = KeyAccessObjectRequest{} +func (x *PublicKeyRequest) Reset() { + *x = PublicKeyRequest{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -349,13 +350,13 @@ func (x *KeyAccessObjectRequest) Reset() { } } -func (x *KeyAccessObjectRequest) String() string { +func (x *PublicKeyRequest) String() string { return protoimpl.X.MessageStringOf(x) } -func (*KeyAccessObjectRequest) ProtoMessage() {} +func (*PublicKeyRequest) ProtoMessage() {} -func (x *KeyAccessObjectRequest) ProtoReflect() protoreflect.Message { +func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -367,37 +368,43 @@ func (x *KeyAccessObjectRequest) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use KeyAccessObjectRequest.ProtoReflect.Descriptor instead. -func (*KeyAccessObjectRequest) Descriptor() ([]byte, []int) { +// Deprecated: Use PublicKeyRequest.ProtoReflect.Descriptor instead. +func (*PublicKeyRequest) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{5} } -func (x *KeyAccessObjectRequest) GetKeyAccessObjectId() string { +func (x *PublicKeyRequest) GetAlgorithm() string { if x != nil { - return x.KeyAccessObjectId + return x.Algorithm } return "" } -func (x *KeyAccessObjectRequest) GetKeyAccessObject() *KeyAccess { +func (x *PublicKeyRequest) GetFmt() string { if x != nil { - return x.KeyAccessObject + return x.Fmt } - return nil + return "" } -type RewrapRequestBody struct { +func (x *PublicKeyRequest) GetV() string { + if x != nil { + return x.V + } + return "" +} + +type PublicKeyResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - KeyAccessObjectRequests []*KeyAccessObjectRequest `protobuf:"bytes,1,rep,name=key_access_object_requests,json=keyAccessObjectRequests,proto3" json:"key_access_object_requests,omitempty"` - Policy *PolicyRequest `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` - Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` + PublicKey string `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"` } -func (x *RewrapRequestBody) Reset() { - *x = RewrapRequestBody{} +func (x *PublicKeyResponse) Reset() { + *x = PublicKeyResponse{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -405,13 +412,13 @@ func (x *RewrapRequestBody) Reset() { } } -func (x *RewrapRequestBody) String() string { +func (x *PublicKeyResponse) String() string { return protoimpl.X.MessageStringOf(x) } -func (*RewrapRequestBody) ProtoMessage() {} +func (*PublicKeyResponse) ProtoMessage() {} -func (x *RewrapRequestBody) ProtoReflect() protoreflect.Message { +func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -423,43 +430,35 @@ func (x *RewrapRequestBody) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use RewrapRequestBody.ProtoReflect.Descriptor instead. -func (*RewrapRequestBody) Descriptor() ([]byte, []int) { +// Deprecated: Use PublicKeyResponse.ProtoReflect.Descriptor instead. +func (*PublicKeyResponse) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{6} } -func (x *RewrapRequestBody) GetKeyAccessObjectRequests() []*KeyAccessObjectRequest { - if x != nil { - return x.KeyAccessObjectRequests - } - return nil -} - -func (x *RewrapRequestBody) GetPolicy() *PolicyRequest { +func (x *PublicKeyResponse) GetPublicKey() string { if x != nil { - return x.Policy + return x.PublicKey } - return nil + return "" } -func (x *RewrapRequestBody) GetAlgorithm() string { +func (x *PublicKeyResponse) GetKid() string { if x != nil { - return x.Algorithm + return x.Kid } return "" } -type RequestBody struct { +type RewrapRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - ClientPublicKey string `protobuf:"bytes,1,opt,name=client_public_key,json=clientPublicKey,proto3" json:"client_public_key,omitempty"` - Requests []*RewrapRequestBody `protobuf:"bytes,2,rep,name=requests,proto3" json:"requests,omitempty"` + SignedRequestToken string `protobuf:"bytes,1,opt,name=signed_request_token,json=signedRequestToken,proto3" json:"signed_request_token,omitempty"` } -func (x *RequestBody) Reset() { - *x = RequestBody{} +func (x *RewrapRequest) Reset() { + *x = RewrapRequest{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -467,13 +466,13 @@ func (x *RequestBody) Reset() { } } -func (x *RequestBody) String() string { +func (x *RewrapRequest) String() string { return protoimpl.X.MessageStringOf(x) } -func (*RequestBody) ProtoMessage() {} +func (*RewrapRequest) ProtoMessage() {} -func (x *RequestBody) ProtoReflect() protoreflect.Message { +func (x *RewrapRequest) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -485,37 +484,35 @@ func (x *RequestBody) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use RequestBody.ProtoReflect.Descriptor instead. -func (*RequestBody) Descriptor() ([]byte, []int) { +// Deprecated: Use RewrapRequest.ProtoReflect.Descriptor instead. +func (*RewrapRequest) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{7} } -func (x *RequestBody) GetClientPublicKey() string { +func (x *RewrapRequest) GetSignedRequestToken() string { if x != nil { - return x.ClientPublicKey + return x.SignedRequestToken } return "" } -func (x *RequestBody) GetRequests() []*RewrapRequestBody { - if x != nil { - return x.Requests - } - return nil -} - -type PublicKeyRequest struct { +type KeyAccessRewrapResult struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"` - Fmt string `protobuf:"bytes,2,opt,name=fmt,proto3" json:"fmt,omitempty"` - V string `protobuf:"bytes,3,opt,name=v,proto3" json:"v,omitempty"` + Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + KeyAccessObjectId string `protobuf:"bytes,2,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"` + Status string `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"` + // Types that are assignable to Result: + // + // *KeyAccessRewrapResult_KasWrappedKey + // *KeyAccessRewrapResult_Error + Result isKeyAccessRewrapResult_Result `protobuf_oneof:"result"` } -func (x *PublicKeyRequest) Reset() { - *x = PublicKeyRequest{} +func (x *KeyAccessRewrapResult) Reset() { + *x = KeyAccessRewrapResult{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -523,13 +520,13 @@ func (x *PublicKeyRequest) Reset() { } } -func (x *PublicKeyRequest) String() string { +func (x *KeyAccessRewrapResult) String() string { return protoimpl.X.MessageStringOf(x) } -func (*PublicKeyRequest) ProtoMessage() {} +func (*KeyAccessRewrapResult) ProtoMessage() {} -func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { +func (x *KeyAccessRewrapResult) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -541,43 +538,80 @@ func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use PublicKeyRequest.ProtoReflect.Descriptor instead. -func (*PublicKeyRequest) Descriptor() ([]byte, []int) { +// Deprecated: Use KeyAccessRewrapResult.ProtoReflect.Descriptor instead. +func (*KeyAccessRewrapResult) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{8} } -func (x *PublicKeyRequest) GetAlgorithm() string { +func (x *KeyAccessRewrapResult) GetMetadata() map[string]*structpb.Value { if x != nil { - return x.Algorithm + return x.Metadata } - return "" + return nil } -func (x *PublicKeyRequest) GetFmt() string { +func (x *KeyAccessRewrapResult) GetKeyAccessObjectId() string { if x != nil { - return x.Fmt + return x.KeyAccessObjectId } return "" } -func (x *PublicKeyRequest) GetV() string { +func (x *KeyAccessRewrapResult) GetStatus() string { if x != nil { - return x.V + return x.Status } return "" } -type PublicKeyResponse struct { +func (m *KeyAccessRewrapResult) GetResult() isKeyAccessRewrapResult_Result { + if m != nil { + return m.Result + } + return nil +} + +func (x *KeyAccessRewrapResult) GetKasWrappedKey() []byte { + if x, ok := x.GetResult().(*KeyAccessRewrapResult_KasWrappedKey); ok { + return x.KasWrappedKey + } + return nil +} + +func (x *KeyAccessRewrapResult) GetError() string { + if x, ok := x.GetResult().(*KeyAccessRewrapResult_Error); ok { + return x.Error + } + return "" +} + +type isKeyAccessRewrapResult_Result interface { + isKeyAccessRewrapResult_Result() +} + +type KeyAccessRewrapResult_KasWrappedKey struct { + KasWrappedKey []byte `protobuf:"bytes,4,opt,name=kas_wrapped_key,json=kasWrappedKey,proto3,oneof"` +} + +type KeyAccessRewrapResult_Error struct { + Error string `protobuf:"bytes,5,opt,name=error,proto3,oneof"` +} + +func (*KeyAccessRewrapResult_KasWrappedKey) isKeyAccessRewrapResult_Result() {} + +func (*KeyAccessRewrapResult_Error) isKeyAccessRewrapResult_Result() {} + 
+type PolicyRewrapResult struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - PublicKey string `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` - Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"` + PolicyId string `protobuf:"bytes,1,opt,name=policy_id,json=policyId,proto3" json:"policy_id,omitempty"` + Results []*KeyAccessRewrapResult `protobuf:"bytes,2,rep,name=results,proto3" json:"results,omitempty"` } -func (x *PublicKeyResponse) Reset() { - *x = PublicKeyResponse{} +func (x *PolicyRewrapResult) Reset() { + *x = PolicyRewrapResult{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -585,13 +619,13 @@ func (x *PublicKeyResponse) Reset() { } } -func (x *PublicKeyResponse) String() string { +func (x *PolicyRewrapResult) String() string { return protoimpl.X.MessageStringOf(x) } -func (*PublicKeyResponse) ProtoMessage() {} +func (*PolicyRewrapResult) ProtoMessage() {} -func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message { +func (x *PolicyRewrapResult) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -603,35 +637,40 @@ func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use PublicKeyResponse.ProtoReflect.Descriptor instead. -func (*PublicKeyResponse) Descriptor() ([]byte, []int) { +// Deprecated: Use PolicyRewrapResult.ProtoReflect.Descriptor instead. +func (*PolicyRewrapResult) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{9} } -func (x *PublicKeyResponse) GetPublicKey() string { +func (x *PolicyRewrapResult) GetPolicyId() string { if x != nil { - return x.PublicKey + return x.PolicyId } return "" } -func (x *PublicKeyResponse) GetKid() string { +func (x *PolicyRewrapResult) GetResults() []*KeyAccessRewrapResult { if x != nil { - return x.Kid + return x.Results } - return "" + return nil } -type RewrapRequest struct { +type RewrapResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - SignedRequestToken string `protobuf:"bytes,1,opt,name=signed_request_token,json=signedRequestToken,proto3" json:"signed_request_token,omitempty"` + // Deprecated + EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"` + // Deprecated + SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"` + // New Rewrap API changes + Responses []*PolicyRewrapResult `protobuf:"bytes,5,rep,name=responses,proto3" json:"responses,omitempty"` } -func (x *RewrapRequest) Reset() { - *x = RewrapRequest{} +func (x *RewrapResponse) Reset() { + *x = RewrapResponse{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -639,13 +678,13 @@ func (x *RewrapRequest) Reset() { } } -func (x *RewrapRequest) String() string { +func (x *RewrapResponse) String() string { return protoimpl.X.MessageStringOf(x) } -func (*RewrapRequest) ProtoMessage() {} +func (*RewrapResponse) ProtoMessage() {} -func (x *RewrapRequest) ProtoReflect() protoreflect.Message { +func (x *RewrapResponse) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -657,35 +696,43 @@ func (x *RewrapRequest) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use RewrapRequest.ProtoReflect.Descriptor instead. -func (*RewrapRequest) Descriptor() ([]byte, []int) { +// Deprecated: Use RewrapResponse.ProtoReflect.Descriptor instead. +func (*RewrapResponse) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{10} } -func (x *RewrapRequest) GetSignedRequestToken() string { +func (x *RewrapResponse) GetEntityWrappedKey() []byte { if x != nil { - return x.SignedRequestToken + return x.EntityWrappedKey + } + return nil +} + +func (x *RewrapResponse) GetSessionPublicKey() string { + if x != nil { + return x.SessionPublicKey } return "" } -type KAORewrapResult struct { +func (x *RewrapResponse) GetResponses() []*PolicyRewrapResult { + if x != nil { + return x.Responses + } + return nil +} + +type UnsignedRewrapRequest_WithPolicy struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - KeyAccessObjectId string `protobuf:"bytes,2,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"` - Status string `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"` - // Types that are assignable to Result: - // - // *KAORewrapResult_KasWrappedKey - // *KAORewrapResult_Error - Result isKAORewrapResult_Result `protobuf_oneof:"result"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + Body string `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"` } -func (x *KAORewrapResult) Reset() { - *x = KAORewrapResult{} +func (x *UnsignedRewrapRequest_WithPolicy) Reset() { + *x = UnsignedRewrapRequest_WithPolicy{} if protoimpl.UnsafeEnabled { mi := 
&file_kas_kas_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -693,13 +740,13 @@ func (x *KAORewrapResult) Reset() { } } -func (x *KAORewrapResult) String() string { +func (x *UnsignedRewrapRequest_WithPolicy) String() string { return protoimpl.X.MessageStringOf(x) } -func (*KAORewrapResult) ProtoMessage() {} +func (*UnsignedRewrapRequest_WithPolicy) ProtoMessage() {} -func (x *KAORewrapResult) ProtoReflect() protoreflect.Message { +func (x *UnsignedRewrapRequest_WithPolicy) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -711,80 +758,36 @@ func (x *KAORewrapResult) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use KAORewrapResult.ProtoReflect.Descriptor instead. -func (*KAORewrapResult) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{11} +// Deprecated: Use UnsignedRewrapRequest_WithPolicy.ProtoReflect.Descriptor instead. +func (*UnsignedRewrapRequest_WithPolicy) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{4, 0} } -func (x *KAORewrapResult) GetMetadata() map[string]*structpb.Value { +func (x *UnsignedRewrapRequest_WithPolicy) GetId() string { if x != nil { - return x.Metadata - } - return nil -} - -func (x *KAORewrapResult) GetKeyAccessObjectId() string { - if x != nil { - return x.KeyAccessObjectId + return x.Id } return "" } -func (x *KAORewrapResult) GetStatus() string { +func (x *UnsignedRewrapRequest_WithPolicy) GetBody() string { if x != nil { - return x.Status - } - return "" -} - -func (m *KAORewrapResult) GetResult() isKAORewrapResult_Result { - if m != nil { - return m.Result - } - return nil -} - -func (x *KAORewrapResult) GetKasWrappedKey() []byte { - if x, ok := x.GetResult().(*KAORewrapResult_KasWrappedKey); ok { - return x.KasWrappedKey - } - return nil -} - -func (x *KAORewrapResult) GetError() string { - if x, ok := x.GetResult().(*KAORewrapResult_Error); ok { - return x.Error + return x.Body } return "" } -type isKAORewrapResult_Result interface { - isKAORewrapResult_Result() -} - -type KAORewrapResult_KasWrappedKey struct { - KasWrappedKey []byte `protobuf:"bytes,4,opt,name=kas_wrapped_key,json=kasWrappedKey,proto3,oneof"` -} - -type KAORewrapResult_Error struct { - Error string `protobuf:"bytes,5,opt,name=error,proto3,oneof"` -} - -func (*KAORewrapResult_KasWrappedKey) isKAORewrapResult_Result() {} - -func (*KAORewrapResult_Error) isKAORewrapResult_Result() {} - -type RewrapResult struct { +type UnsignedRewrapRequest_WithKeyAccessObject struct { state 
protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - PolicyId string `protobuf:"bytes,1,opt,name=policy_id,json=policyId,proto3" json:"policy_id,omitempty"` - Results []*KAORewrapResult `protobuf:"bytes,2,rep,name=results,proto3" json:"results,omitempty"` + KeyAccessObjectId string `protobuf:"bytes,1,opt,name=key_access_object_id,json=keyAccessObjectId,proto3" json:"key_access_object_id,omitempty"` + KeyAccessObject *KeyAccess `protobuf:"bytes,2,opt,name=key_access_object,json=keyAccessObject,proto3" json:"key_access_object,omitempty"` } -func (x *RewrapResult) Reset() { - *x = RewrapResult{} +func (x *UnsignedRewrapRequest_WithKeyAccessObject) Reset() { + *x = UnsignedRewrapRequest_WithKeyAccessObject{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -792,13 +795,13 @@ func (x *RewrapResult) Reset() { } } -func (x *RewrapResult) String() string { +func (x *UnsignedRewrapRequest_WithKeyAccessObject) String() string { return protoimpl.X.MessageStringOf(x) } -func (*RewrapResult) ProtoMessage() {} +func (*UnsignedRewrapRequest_WithKeyAccessObject) ProtoMessage() {} -func (x *RewrapResult) ProtoReflect() protoreflect.Message { +func (x *UnsignedRewrapRequest_WithKeyAccessObject) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -810,43 +813,37 @@ func (x *RewrapResult) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use RewrapResult.ProtoReflect.Descriptor instead. -func (*RewrapResult) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{12} +// Deprecated: Use UnsignedRewrapRequest_WithKeyAccessObject.ProtoReflect.Descriptor instead. +func (*UnsignedRewrapRequest_WithKeyAccessObject) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{4, 1} } -func (x *RewrapResult) GetPolicyId() string { +func (x *UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObjectId() string { if x != nil { - return x.PolicyId + return x.KeyAccessObjectId } return "" } -func (x *RewrapResult) GetResults() []*KAORewrapResult { +func (x *UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObject() *KeyAccess { if x != nil { - return x.Results + return x.KeyAccessObject } return nil } -type RewrapResponse struct { +type UnsignedRewrapRequest_WithPolicyRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Deprecated - Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // Deprecated - EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"` - SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"` - // Deprecated - SchemaVersion string `protobuf:"bytes,4,opt,name=schema_version,json=schemaVersion,proto3" json:"schema_version,omitempty"` - // New Rewrap API changes - Responses []*RewrapResult `protobuf:"bytes,5,rep,name=responses,proto3" json:"responses,omitempty"` + KeyAccessObjects []*UnsignedRewrapRequest_WithKeyAccessObject 
`protobuf:"bytes,1,rep,name=key_access_objects,json=keyAccessObjects,proto3" json:"key_access_objects,omitempty"` + Policy *UnsignedRewrapRequest_WithPolicy `protobuf:"bytes,2,opt,name=policy,proto3" json:"policy,omitempty"` + Algorithm string `protobuf:"bytes,3,opt,name=algorithm,proto3" json:"algorithm,omitempty"` } -func (x *RewrapResponse) Reset() { - *x = RewrapResponse{} +func (x *UnsignedRewrapRequest_WithPolicyRequest) Reset() { + *x = UnsignedRewrapRequest_WithPolicyRequest{} if protoimpl.UnsafeEnabled { mi := &file_kas_kas_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -854,13 +851,13 @@ func (x *RewrapResponse) Reset() { } } -func (x *RewrapResponse) String() string { +func (x *UnsignedRewrapRequest_WithPolicyRequest) String() string { return protoimpl.X.MessageStringOf(x) } -func (*RewrapResponse) ProtoMessage() {} +func (*UnsignedRewrapRequest_WithPolicyRequest) ProtoMessage() {} -func (x *RewrapResponse) ProtoReflect() protoreflect.Message { +func (x *UnsignedRewrapRequest_WithPolicyRequest) ProtoReflect() protoreflect.Message { mi := &file_kas_kas_proto_msgTypes[13] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -872,46 +869,32 @@ func (x *RewrapResponse) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use RewrapResponse.ProtoReflect.Descriptor instead. -func (*RewrapResponse) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{13} +// Deprecated: Use UnsignedRewrapRequest_WithPolicyRequest.ProtoReflect.Descriptor instead. +func (*UnsignedRewrapRequest_WithPolicyRequest) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{4, 2} } -func (x *RewrapResponse) GetMetadata() map[string]*structpb.Value { +func (x *UnsignedRewrapRequest_WithPolicyRequest) GetKeyAccessObjects() []*UnsignedRewrapRequest_WithKeyAccessObject { if x != nil { - return x.Metadata + return x.KeyAccessObjects } return nil } -func (x *RewrapResponse) GetEntityWrappedKey() []byte { +func (x *UnsignedRewrapRequest_WithPolicyRequest) GetPolicy() *UnsignedRewrapRequest_WithPolicy { if x != nil { - return x.EntityWrappedKey + return x.Policy } return nil } -func (x *RewrapResponse) GetSessionPublicKey() string { - if x != nil { - return x.SessionPublicKey - } - return "" -} - -func (x *RewrapResponse) GetSchemaVersion() string { +func (x *UnsignedRewrapRequest_WithPolicyRequest) GetAlgorithm() string { if x != nil { - return x.SchemaVersion + return x.Algorithm } return "" } -func (x *RewrapResponse) GetResponses() []*RewrapResult { - if x != nil { - return x.Responses - } - return nil -} - var File_kas_kas_proto protoreflect.FileDescriptor var file_kas_kas_proto_rawDesc = []byte{ 
@@ -951,141 +934,135 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x22, 0x33, 0x0a, 0x0d, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, - 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x22, 0x85, - 0x01, 0x0a, 0x16, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, - 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, - 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, 0x3a, 0x0a, 0x11, 0x6b, 0x65, - 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x0f, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x22, 0xb7, 0x01, 0x0a, 0x11, 0x52, 0x65, 0x77, 0x72, 0x61, - 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x58, 0x0a, 0x1a, + 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x22, 0x95, 0x04, 0x0a, 0x15, 0x55, 0x6e, + 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x2a, 0x0a, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 
0x74, 0x5f, 0x70, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, + 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x48, 0x0a, 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x2c, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, + 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x57, 0x69, + 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, + 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x1a, 0x30, 0x0a, 0x0a, 0x57, 0x69, 0x74, + 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x1a, 0x82, 0x01, 0x0a, 0x13, + 0x57, 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x49, 0x64, 0x12, 0x3a, 0x0a, 0x11, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x0e, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, + 0x0f, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x1a, 0xce, 0x01, 0x0a, 0x11, 0x57, 0x69, 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x5c, 0x0a, 0x12, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, + 0x63, 0x65, 
0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, + 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x57, + 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x52, 0x10, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x73, 0x12, 0x3d, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, + 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x2e, 0x57, 0x69, 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, + 0x6d, 0x22, 0xb1, 0x01, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x51, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, + 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x33, 0x92, 0x41, 0x30, 0x32, 0x2e, + 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x20, 0x74, 0x79, 0x70, 0x65, 0x20, 0x72, + 0x73, 0x61, 0x3a, 0x3c, 0x6b, 0x65, 0x79, 0x73, 0x69, 0x7a, 0x65, 0x3e, 0x20, 0x6f, 0x72, 0x20, + 0x65, 0x63, 0x3a, 0x3c, 0x63, 0x75, 0x72, 0x76, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x3e, 0x52, 0x09, + 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x26, 0x0a, 0x03, 0x66, 0x6d, 0x74, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, 0x0f, 0x72, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x52, 0x03, 0x66, 0x6d, + 0x74, 0x12, 0x22, 0x0a, 0x01, 0x76, 0x18, 0x03, 
0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, + 0x11, 0x32, 0x0f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x52, 0x01, 0x76, 0x22, 0x44, 0x0a, 0x11, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, + 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x22, 0x4f, 0x0a, 0x0d, 0x52, + 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x30, 0x0a, 0x14, + 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, + 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, + 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, + 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xc7, 0x02, 0x0a, + 0x15, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, + 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x44, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, + 0x73, 0x75, 0x6c, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, + 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 
0x73, - 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x17, 0x6b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x2a, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x22, 0x6d, 0x0a, 0x0b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x6f, 0x64, 0x79, 0x12, - 0x2a, 0x0a, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x63, 0x6c, 0x69, 0x65, - 0x6e, 0x74, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x32, 0x0a, 0x08, 0x72, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, - 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x42, 0x6f, 0x64, 0x79, 0x52, 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x22, - 0xb1, 0x01, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x12, 0x51, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, - 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x33, 0x92, 0x41, 0x30, 0x32, 0x2e, 0x61, 0x6c, - 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x20, 0x74, 0x79, 0x70, 0x65, 0x20, 0x72, 0x73, 0x61, - 0x3a, 0x3c, 0x6b, 0x65, 0x79, 0x73, 0x69, 0x7a, 0x65, 0x3e, 0x20, 0x6f, 0x72, 0x20, 0x65, 0x63, - 0x3a, 0x3c, 0x63, 0x75, 0x72, 0x76, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x3e, 0x52, 0x09, 0x61, 0x6c, - 0x67, 0x6f, 0x72, 0x69, 0x74, 
0x68, 0x6d, 0x12, 0x26, 0x0a, 0x03, 0x66, 0x6d, 0x74, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, 0x0f, 0x72, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x52, 0x03, 0x66, 0x6d, 0x74, 0x12, - 0x22, 0x0a, 0x01, 0x76, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, - 0x0f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, - 0x52, 0x01, 0x76, 0x22, 0x44, 0x0a, 0x11, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x22, 0x4f, 0x0a, 0x0d, 0x52, 0x65, 0x77, - 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x30, 0x0a, 0x14, 0x73, 0x69, - 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, 0x6f, 0x6b, - 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, 0x08, 0x02, - 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xbb, 0x02, 0x0a, 0x0f, 0x4b, - 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x3e, - 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x22, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, - 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, - 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2f, - 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 
0x73, 0x5f, 0x6f, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, - 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, - 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x61, 0x73, 0x5f, 0x77, - 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, - 0x48, 0x00, 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, - 0x79, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, - 0x48, 0x00, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x08, - 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x5b, 0x0a, 0x0c, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x2e, 0x0a, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, - 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x41, 0x4f, - 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 0xd8, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, - 0x52, 
0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3d, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, - 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, - 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, - 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, - 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x63, 0x68, - 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x2f, 0x0a, 0x09, 0x72, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, - 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, - 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, - 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, - 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 
0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, - 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, - 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, - 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, - 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, - 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, - 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, - 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, - 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, - 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 
0x13, 0x3a, 0x01, - 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, - 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, - 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, - 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, - 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, - 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, - 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, - 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, - 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, - 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, - 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, 0x16, 0x0a, + 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x61, 0x73, 0x5f, 0x77, 0x72, 0x61, + 0x70, 0x70, 0x65, 0x64, 0x5f, 
0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, + 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, + 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, + 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x08, 0x0a, 0x06, + 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x67, 0x0a, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x72, 0x65, 0x73, + 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x61, 0x73, + 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, + 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, + 0xaf, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, + 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, + 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 
0x5f, 0x70, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, + 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x35, + 0x0a, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x17, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, + 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x04, 0x10, + 0x05, 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, + 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, + 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, + 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, + 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, + 0x12, 
0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, + 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, + 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, + 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, + 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, + 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, + 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, + 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, + 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, + 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, + 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, + 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, + 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, + 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 
0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -1100,49 +1077,46 @@ func file_kas_kas_proto_rawDescGZIP() []byte { return file_kas_kas_proto_rawDescData } -var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 16) +var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 15) var file_kas_kas_proto_goTypes = []interface{}{ - (*InfoRequest)(nil), // 0: kas.InfoRequest - (*InfoResponse)(nil), // 1: kas.InfoResponse - (*LegacyPublicKeyRequest)(nil), // 2: kas.LegacyPublicKeyRequest - (*KeyAccess)(nil), // 3: kas.KeyAccess - (*PolicyRequest)(nil), // 4: kas.PolicyRequest - (*KeyAccessObjectRequest)(nil), // 5: kas.KeyAccessObjectRequest - (*RewrapRequestBody)(nil), // 6: kas.RewrapRequestBody - (*RequestBody)(nil), // 7: kas.RequestBody - (*PublicKeyRequest)(nil), // 8: kas.PublicKeyRequest - (*PublicKeyResponse)(nil), // 9: kas.PublicKeyResponse - (*RewrapRequest)(nil), // 10: kas.RewrapRequest - (*KAORewrapResult)(nil), // 11: kas.KAORewrapResult - (*RewrapResult)(nil), // 12: kas.RewrapResult - (*RewrapResponse)(nil), // 13: kas.RewrapResponse - nil, // 14: kas.KAORewrapResult.MetadataEntry - nil, // 15: kas.RewrapResponse.MetadataEntry - (*structpb.Value)(nil), // 16: google.protobuf.Value - (*wrapperspb.StringValue)(nil), // 17: google.protobuf.StringValue + (*InfoRequest)(nil), // 0: kas.InfoRequest + (*InfoResponse)(nil), // 1: kas.InfoResponse + (*LegacyPublicKeyRequest)(nil), // 2: kas.LegacyPublicKeyRequest + (*KeyAccess)(nil), // 3: kas.KeyAccess + (*UnsignedRewrapRequest)(nil), // 4: kas.UnsignedRewrapRequest + (*PublicKeyRequest)(nil), // 5: kas.PublicKeyRequest + (*PublicKeyResponse)(nil), // 6: kas.PublicKeyResponse + (*RewrapRequest)(nil), // 7: kas.RewrapRequest + (*KeyAccessRewrapResult)(nil), // 8: kas.KeyAccessRewrapResult + (*PolicyRewrapResult)(nil), // 9: kas.PolicyRewrapResult + (*RewrapResponse)(nil), // 10: kas.RewrapResponse + (*UnsignedRewrapRequest_WithPolicy)(nil), // 11: kas.UnsignedRewrapRequest.WithPolicy + (*UnsignedRewrapRequest_WithKeyAccessObject)(nil), // 12: 
kas.UnsignedRewrapRequest.WithKeyAccessObject + (*UnsignedRewrapRequest_WithPolicyRequest)(nil), // 13: kas.UnsignedRewrapRequest.WithPolicyRequest + nil, // 14: kas.KeyAccessRewrapResult.MetadataEntry + (*structpb.Value)(nil), // 15: google.protobuf.Value + (*wrapperspb.StringValue)(nil), // 16: google.protobuf.StringValue } var file_kas_kas_proto_depIdxs = []int32{ - 3, // 0: kas.KeyAccessObjectRequest.key_access_object:type_name -> kas.KeyAccess - 5, // 1: kas.RewrapRequestBody.key_access_object_requests:type_name -> kas.KeyAccessObjectRequest - 4, // 2: kas.RewrapRequestBody.policy:type_name -> kas.PolicyRequest - 6, // 3: kas.RequestBody.requests:type_name -> kas.RewrapRequestBody - 14, // 4: kas.KAORewrapResult.metadata:type_name -> kas.KAORewrapResult.MetadataEntry - 11, // 5: kas.RewrapResult.results:type_name -> kas.KAORewrapResult - 15, // 6: kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry - 12, // 7: kas.RewrapResponse.responses:type_name -> kas.RewrapResult - 16, // 8: kas.KAORewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value - 16, // 9: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value - 8, // 10: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest - 2, // 11: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest - 10, // 12: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest - 9, // 13: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse - 17, // 14: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue - 13, // 15: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse - 13, // [13:16] is the sub-list for method output_type - 10, // [10:13] is the sub-list for method input_type - 10, // [10:10] is the sub-list for extension type_name - 10, // [10:10] is the sub-list for extension extendee - 0, // [0:10] is the sub-list for field type_name + 13, // 0: kas.UnsignedRewrapRequest.requests:type_name -> 
kas.UnsignedRewrapRequest.WithPolicyRequest + 14, // 1: kas.KeyAccessRewrapResult.metadata:type_name -> kas.KeyAccessRewrapResult.MetadataEntry + 8, // 2: kas.PolicyRewrapResult.results:type_name -> kas.KeyAccessRewrapResult + 9, // 3: kas.RewrapResponse.responses:type_name -> kas.PolicyRewrapResult + 3, // 4: kas.UnsignedRewrapRequest.WithKeyAccessObject.key_access_object:type_name -> kas.KeyAccess + 12, // 5: kas.UnsignedRewrapRequest.WithPolicyRequest.key_access_objects:type_name -> kas.UnsignedRewrapRequest.WithKeyAccessObject + 11, // 6: kas.UnsignedRewrapRequest.WithPolicyRequest.policy:type_name -> kas.UnsignedRewrapRequest.WithPolicy + 15, // 7: kas.KeyAccessRewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value + 5, // 8: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest + 2, // 9: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest + 7, // 10: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest + 6, // 11: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse + 16, // 12: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue + 10, // 13: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse + 11, // [11:14] is the sub-list for method output_type + 8, // [8:11] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name } func init() { file_kas_kas_proto_init() } @@ -1200,7 +1174,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PolicyRequest); i { + switch v := v.(*UnsignedRewrapRequest); i { case 0: return &v.state case 1: 
@@ -1212,7 +1186,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KeyAccessObjectRequest); i { + switch v := v.(*PublicKeyRequest); i { case 0: return &v.state case 1: @@ -1224,7 +1198,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapRequestBody); i { + switch v := v.(*PublicKeyResponse); i { case 0: return &v.state case 1: @@ -1236,7 +1210,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RequestBody); i { + switch v := v.(*RewrapRequest); i { case 0: return &v.state case 1: @@ -1248,7 +1222,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyRequest); i { + switch v := v.(*KeyAccessRewrapResult); i { case 0: return &v.state case 1: @@ -1260,7 +1234,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyResponse); i { + switch v := v.(*PolicyRewrapResult); i { case 0: return &v.state case 1: @@ -1272,7 +1246,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapRequest); i { + switch v := v.(*RewrapResponse); i { case 0: return &v.state case 1: @@ -1284,7 +1258,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KAORewrapResult); i { + switch v := v.(*UnsignedRewrapRequest_WithPolicy); i { case 0: return &v.state case 1: 
@@ -1296,7 +1270,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapResult); i { + switch v := v.(*UnsignedRewrapRequest_WithKeyAccessObject); i { case 0: return &v.state case 1: @@ -1308,7 +1282,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapResponse); i { + switch v := v.(*UnsignedRewrapRequest_WithPolicyRequest); i { case 0: return &v.state case 1: @@ -1320,9 +1294,9 @@ func file_kas_kas_proto_init() { } } } - file_kas_kas_proto_msgTypes[11].OneofWrappers = []interface{}{ - (*KAORewrapResult_KasWrappedKey)(nil), - (*KAORewrapResult_Error)(nil), + file_kas_kas_proto_msgTypes[8].OneofWrappers = []interface{}{ + (*KeyAccessRewrapResult_KasWrappedKey)(nil), + (*KeyAccessRewrapResult_Error)(nil), } type x struct{} out := protoimpl.TypeBuilder{ @@ -1330,7 +1304,7 @@ func file_kas_kas_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_kas_kas_proto_rawDesc, NumEnums: 0, - NumMessages: 16, + NumMessages: 15, NumExtensions: 0, NumServices: 1, }, diff --git a/sdk/bulk.go b/sdk/bulk.go index 05d6d8e54e..90d30ebf43 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -63,7 +63,7 @@ func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { // BulkDecrypt func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error { - kasRewrapRequests := make(map[string][]*kas.RewrapRequestBody) + kasRewrapRequests := make(map[string][]*kas.UnsignedRewrapRequest_WithPolicyRequest) tdfDecryptors := make(map[string]Decryptor) policyTDF := make(map[string]*BulkTDF) diff --git a/sdk/kas_client.go b/sdk/kas_client.go index 9132767a03..34ad4e69a6 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go 
@@ -35,7 +35,7 @@ type KAOResult struct { } type Decryptor interface { - CreateRewrapRequest(ctx context.Context) (map[string]*kas.RewrapRequestBody, error) + CreateRewrapRequest(ctx context.Context) (map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest, error) Decrypt(ctx context.Context, results []KAOResult) (uint32, error) } @@ -48,12 +48,12 @@ func newKASClient(dialOptions []grpc.DialOption, accessTokenSource auth.AccessTo } // there is no connection caching as of now -func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*kas.RewrapRequestBody, pubKey string) (*kas.RewrapResponse, error) { +func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*kas.UnsignedRewrapRequest_WithPolicyRequest, pubKey string) (*kas.RewrapResponse, error) { rewrapRequest, err := k.getRewrapRequest(requests, pubKey) if err != nil { return nil, err } - grpcAddress, err := getGRPCAddress(requests[0].GetKeyAccessObjectRequests()[0].GetKeyAccessObject().GetKasUrl()) + grpcAddress, err := getGRPCAddress(requests[0].GetKeyAccessObjects()[0].GetKeyAccessObject().GetKasUrl()) if err != nil { return nil, err } @@ -73,7 +73,7 @@ func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*kas.Rewra return response, nil } -func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.RewrapRequestBody) (map[string][]KAOResult, error) { +func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.UnsignedRewrapRequest_WithPolicyRequest) (map[string][]KAOResult, error) { keypair, err := ocrypto.NewECKeyPair(ocrypto.ECCModeSecp256r1) if err != nil { return nil, fmt.Errorf("ocrypto.NewECKeyPair failed :%w", err) 
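Review bot: The rewritten getGRPCAddress line in makeRewrapRequest indexes `requests[0]` and then `GetKeyAccessObjects()[0]` with no length check, so an empty request list, or a WithPolicyRequest that carries no key access objects, panics with an index-out-of-range instead of returning an error to the caller. A guard before the call keeps the failure on the error path: `if len(requests) == 0 || len(requests[0].GetKeyAccessObjects()) == 0 { return nil, fmt.Errorf("rewrap request has no key access objects") }`. The same holds for the old `GetKeyAccessObjectRequests()` line, so this is pre-existing, but the commit touches exactly this line. makeRewrapRequest's body continues outside the hunk.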
@@ -130,7 +130,7 @@ func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.RewrapReque return policyResults, nil } -func (k *KASClient) unwrap(ctx context.Context, requests ...*kas.RewrapRequestBody) (map[string][]KAOResult, error) { +func (k *KASClient) unwrap(ctx context.Context, requests ...*kas.UnsignedRewrapRequest_WithPolicyRequest) (map[string][]KAOResult, error) { if k.sessionKey == nil { return nil, fmt.Errorf("session key is nil") } @@ -195,8 +195,8 @@ func getGRPCAddress(kasURL string) (string, error) { return net.JoinHostPort(parsedURL.Hostname(), port), nil } -func (k *KASClient) getRewrapRequest(reqs []*kas.RewrapRequestBody, pubKey string) (*kas.RewrapRequest, error) { - requestBody := &kas.RequestBody{ +func (k *KASClient) getRewrapRequest(reqs []*kas.UnsignedRewrapRequest_WithPolicyRequest, pubKey string) (*kas.RewrapRequest, error) { + requestBody := &kas.UnsignedRewrapRequest{ ClientPublicKey: pubKey, Requests: reqs, } diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index 39287e6a14..4b29df6303 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -66,9 +66,9 @@ func TestCreatingRequest(t *testing.T) { }) require.NoError(t, err) - keyAccess := []*kaspb.RewrapRequestBody{ + keyAccess := []*kaspb.UnsignedRewrapRequest_WithPolicyRequest{ { - KeyAccessObjectRequests: []*kaspb.KeyAccessObjectRequest{ + KeyAccessObjects: []*kaspb.UnsignedRewrapRequest_WithKeyAccessObject{ { KeyAccessObject: &kaspb.KeyAccess{ KeyType: "type1", @@ -101,7 +101,7 @@ func TestCreatingRequest(t *testing.T) { rb, ok := tok.Get("requestBody") require.True(t, ok, "didn't contain a request body") requestBodyJSON, _ := rb.(string) - var requestBody kaspb.RequestBody + var requestBody kaspb.UnsignedRewrapRequest require.NoError(t, protojson.Unmarshal([]byte(requestBodyJSON), &requestBody), "error unmarshaling request body") 
@@ -109,8 +109,8 @@ func TestCreatingRequest(t *testing.T) { require.NoError(t, err, "NewAsymEncryption failed, incorrect public key include") require.Len(t, requestBody.GetRequests(), 1) - require.Len(t, requestBody.GetRequests()[0].GetKeyAccessObjectRequests(), 1) - kao := requestBody.GetRequests()[0].GetKeyAccessObjectRequests()[0] + require.Len(t, requestBody.GetRequests()[0].GetKeyAccessObjects(), 1) + kao := requestBody.GetRequests()[0].GetKeyAccessObjects()[0] var policyBinding map[string]interface{} err = json.Unmarshal(kao.GetKeyAccessObject().GetPolicyBinding(), &policyBinding) require.NoError(t, err) diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go index 6ffc6c577c..ed92566ba2 100644 --- a/sdk/nanotdf.go +++ b/sdk/nanotdf.go @@ -920,7 +920,7 @@ func (n *NanoTDFDecryptHandler) getRawHeader() []byte { return n.headerBuf } -func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[string]*kas.RewrapRequestBody, error) { +func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest, error) { var err error var headerSize uint32 n.header, headerSize, err = NewNanoTDFHeaderFromReader(n.reader) 
@@ -942,19 +942,19 @@ func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[stri return nil, err } - req := &kas.RewrapRequestBody{ - KeyAccessObjectRequests: []*kas.KeyAccessObjectRequest{ + req := &kas.UnsignedRewrapRequest_WithPolicyRequest{ + KeyAccessObjects: []*kas.UnsignedRewrapRequest_WithKeyAccessObject{ { KeyAccessObjectId: "kao-0", KeyAccessObject: &kas.KeyAccess{KasUrl: kasURL, Header: headerBuf, Algorithm: "ec:secp256r1"}, }, }, - Policy: &kas.PolicyRequest{ + Policy: &kas.UnsignedRewrapRequest_WithPolicy{ Id: "policy", }, Algorithm: "ec:secp256r1", } - return map[string]*kas.RewrapRequestBody{kasURL: req}, nil + return map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest{kasURL: req}, nil } func (n *NanoTDFDecryptHandler) Decrypt(_ context.Context, result []KAOResult) (uint32, error) { diff --git a/sdk/tdf.go b/sdk/tdf.go index 1805db5f88..1a11817f4f 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -94,7 +94,7 @@ func (r *tdf3DecryptHandler) Decrypt(ctx context.Context, results []KAOResult) ( return uint32(n), err } -func (r *tdf3DecryptHandler) CreateRewrapRequest(ctx context.Context) (map[string]*kas.RewrapRequestBody, error) { +func (r *tdf3DecryptHandler) CreateRewrapRequest(ctx context.Context) (map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest, error) { return createRewrapRequest(ctx, r.reader) } @@ -821,8 +821,8 @@ func (r *Reader) UnsafePayloadKeyRetrieval() ([]byte, error) { return r.payloadKey, nil } -func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.RewrapRequestBody, error) { - kasReqs := make(map[string]*kas.RewrapRequestBody) +func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest, error) { + kasReqs := make(map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest) for i, kao := range r.manifest.EncryptionInformation.KeyAccessObjs { kaoID := fmt.Sprintf("kao-%d", i) key, err := ocrypto.Base64Decode([]byte(kao.WrappedKey)) 
@@ -833,7 +833,7 @@ func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.RewrapRe if err != nil { return nil, err } - kaoReq := &kas.KeyAccessObjectRequest{ + kaoReq := &kas.UnsignedRewrapRequest_WithKeyAccessObject{ KeyAccessObjectId: kaoID, KeyAccessObject: &kas.KeyAccess{ KeyType: kao.KeyType, @@ -846,14 +846,14 @@ func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.RewrapRe }, } if req, ok := kasReqs[kao.KasURL]; ok { - req.KeyAccessObjectRequests = append(req.KeyAccessObjectRequests, kaoReq) + req.KeyAccessObjects = append(req.KeyAccessObjects, kaoReq) } else { - rewrapReq := kas.RewrapRequestBody{ - Policy: &kas.PolicyRequest{ + rewrapReq := kas.UnsignedRewrapRequest_WithPolicyRequest{ + Policy: &kas.UnsignedRewrapRequest_WithPolicy{ Body: r.manifest.EncryptionInformation.Policy, Id: "policy", }, - KeyAccessObjectRequests: []*kas.KeyAccessObjectRequest{kaoReq}, + KeyAccessObjects: []*kas.UnsignedRewrapRequest_WithKeyAccessObject{kaoReq}, } kasReqs[kao.KasURL] = &rewrapReq } @@ -1057,8 +1057,8 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn kasClient := newKASClient(r.dialOptions, r.tokenSource, &r.kasSessionKey) var kaoResults []KAOResult - reqFail := func(err error, req *kas.RewrapRequestBody) { - for _, kao := range req.GetKeyAccessObjectRequests() { + reqFail := func(err error, req *kas.UnsignedRewrapRequest_WithPolicyRequest) { + for _, kao := range req.GetKeyAccessObjects() { kaoResults = append(kaoResults, KAOResult{ KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err, diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go index 08d726e19f..2c55de0e14 100644 --- a/sdk/tdf_test.go +++ b/sdk/tdf_test.go 
@@ -1438,15 +1438,15 @@ func (f *FakeKas) PublicKey(_ context.Context, _ *kaspb.PublicKeyRequest) (*kasp } func (f *FakeKas) getRewrapResponse(rewrapRequest string) *kaspb.RewrapResponse { - bodyData := kaspb.RequestBody{} + bodyData := kaspb.UnsignedRewrapRequest{} err := protojson.Unmarshal([]byte(rewrapRequest), &bodyData) f.s.Require().NoError(err, "json.Unmarshal failed") resp := &kaspb.RewrapResponse{} for _, req := range bodyData.GetRequests() { - results := &kaspb.RewrapResult{PolicyId: req.GetPolicy().GetId()} + results := &kaspb.PolicyRewrapResult{PolicyId: req.GetPolicy().GetId()} resp.Responses = append(resp.Responses, results) - for _, kaoReq := range req.GetKeyAccessObjectRequests() { + for _, kaoReq := range req.GetKeyAccessObjects() { kao := kaoReq.GetKeyAccessObject() wrappedKey := kaoReq.GetKeyAccessObject().GetWrappedKey() @@ -1466,8 +1466,8 @@ func (f *FakeKas) getRewrapResponse(rewrapRequest string) *kaspb.RewrapResponse f.s.Require().NoError(err, "ocrypto.NewAsymEncryption failed") entityWrappedKey, err := asymEncrypt.Encrypt(symmetricKey) f.s.Require().NoError(err, "ocrypto.encrypt failed") - kaoResult := &kaspb.KAORewrapResult{ - Result: &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: entityWrappedKey}, + kaoResult := &kaspb.KeyAccessRewrapResult{ + Result: &kaspb.KeyAccessRewrapResult_KasWrappedKey{KasWrappedKey: entityWrappedKey}, Status: "permit", KeyAccessObjectId: kaoReq.GetKeyAccessObjectId(), } diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 9782e23e58..caf76d7e2b 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go 
@@ -137,21 +137,21 @@ func justRequestBody(ctx context.Context, token jwt.Token, logger logger.Logger) return rbString, nil } -func extractAndConvertV1SRTBody(body []byte) (kaspb.RequestBody, error) { +func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error) { var requestBody RequestBody if err := json.Unmarshal(body, &requestBody); err != nil { - return kaspb.RequestBody{}, err + return kaspb.UnsignedRewrapRequest{}, err } kao := requestBody.KeyAccess binding, err := json.Marshal(kao.PolicyBinding) if err != nil { - return kaspb.RequestBody{}, err + return kaspb.UnsignedRewrapRequest{}, err } - reqs := []*kaspb.RewrapRequestBody{ + reqs := []*kaspb.UnsignedRewrapRequest_WithPolicyRequest{ { - KeyAccessObjectRequests: []*kaspb.KeyAccessObjectRequest{ + KeyAccessObjects: []*kaspb.UnsignedRewrapRequest_WithKeyAccessObject{ {KeyAccessObjectId: "kao-0", KeyAccessObject: &kaspb.KeyAccess{ EncryptedMetadata: kao.EncryptedMetadata, PolicyBinding: binding, @@ -166,20 +166,20 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.RequestBody, error) { }}, }, Algorithm: requestBody.Algorithm, - Policy: &kaspb.PolicyRequest{ + Policy: &kaspb.UnsignedRewrapRequest_WithPolicy{ Id: "policy-1", Body: requestBody.Policy, }, }, } - return kaspb.RequestBody{ + return kaspb.UnsignedRewrapRequest{ ClientPublicKey: requestBody.ClientPublicKey, Requests: reqs, }, nil } -func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*kaspb.RequestBody, bool, error) { +func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRequest, logger logger.Logger) (*kaspb.UnsignedRewrapRequest, bool, error) { isV1 := false // First load legacy method for verifying SRT if vpk, ok := headers["X-Virtrupubkey"]; ok && len(vpk) == 1 { 
@@ -212,7 +212,7 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } } - var requestBody kaspb.RequestBody + var requestBody kaspb.UnsignedRewrapRequest err = protojson.Unmarshal([]byte(rbString), &requestBody) // if there are no requests then it could be a v1 request if err != nil || len(requestBody.GetRequests()) == 0 { @@ -250,7 +250,7 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe } } -func verifyPolicyBinding(ctx context.Context, policy []byte, kao *kaspb.KeyAccessObjectRequest, symKey []byte, logger logger.Logger) error { +func verifyPolicyBinding(ctx context.Context, policy []byte, kao *kaspb.UnsignedRewrapRequest_WithKeyAccessObject, symKey []byte, logger logger.Logger) error { actualHMAC, err := generateHMACDigest(ctx, policy, symKey, logger) if err != nil { logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) @@ -321,7 +321,7 @@ func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, err return info, nil } -func failedKAORewrap(res map[string]kaoResult, kao *kaspb.KeyAccessObjectRequest, err error) { +func failedKAORewrap(res map[string]kaoResult, kao *kaspb.UnsignedRewrapRequest_WithKeyAccessObject, err error) { res[kao.GetKeyAccessObjectId()] = kaoResult{ ID: kao.GetKeyAccessObjectId(), Error: err, 
@@ -330,23 +330,23 @@ func failedKAORewrap(res map[string]kaoResult, kao *kaspb.KeyAccessObjectRequest func addResultsToResponse(response *kaspb.RewrapResponse, result policyKAOResults) { for policyID, policyMap := range result { - policyResults := &kaspb.RewrapResult{ + policyResults := &kaspb.PolicyRewrapResult{ PolicyId: policyID, } for kaoID, kaoRes := range policyMap { - kaoResult := &kaspb.KAORewrapResult{ + kaoResult := &kaspb.KeyAccessRewrapResult{ KeyAccessObjectId: kaoID, } switch { case kaoRes.Error != nil: kaoResult.Status = kFailedStatus - kaoResult.Result = &kaspb.KAORewrapResult_Error{Error: kaoRes.Error.Error()} + kaoResult.Result = &kaspb.KeyAccessRewrapResult_Error{Error: kaoRes.Error.Error()} case kaoRes.Key != nil: kaoResult.Status = kPermitStatus - kaoResult.Result = &kaspb.KAORewrapResult_KasWrappedKey{KasWrappedKey: kaoRes.Key} + kaoResult.Result = &kaspb.KeyAccessRewrapResult_KasWrappedKey{KasWrappedKey: kaoRes.Key} default: kaoResult.Status = kFailedStatus - kaoResult.Result = &kaspb.KAORewrapResult_Error{Error: "kao not processed by kas"} + kaoResult.Result = &kaspb.KeyAccessRewrapResult_Error{Error: "kao not processed by kas"} } policyResults.Results = append(policyResults.Results, kaoResult) } @@ -378,8 +378,8 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap resp := &kaspb.RewrapResponse{} - var nanoReqs []*kaspb.RewrapRequestBody - var tdf3Reqs []*kaspb.RewrapRequestBody + var nanoReqs []*kaspb.UnsignedRewrapRequest_WithPolicyRequest + var tdf3Reqs []*kaspb.UnsignedRewrapRequest_WithPolicyRequest for _, req := range body.GetRequests() { switch { case req.GetAlgorithm() == kNanoAlgorithm: 
@@ -419,7 +419,7 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap return connect.NewResponse(resp), err } -func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.RewrapRequestBody) (*Policy, map[string]kaoResult, error) { +func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.UnsignedRewrapRequest_WithPolicyRequest) (*Policy, map[string]kaoResult, error) { results := make(map[string]kaoResult) anyValidKAOs := false p.Logger.DebugContext(ctx, "extracting policy", "requestBody.policy", req.GetPolicy()) @@ -429,7 +429,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.RewrapRe policyErr = json.Unmarshal(sDecPolicy, policy) } - for _, kao := range req.GetKeyAccessObjectRequests() { + for _, kao := range req.GetKeyAccessObjects() { if policyErr != nil { failedKAORewrap(results, kao, err400("bad request")) continue @@ -490,7 +490,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.RewrapRe return policy, results, nil } -func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.RewrapRequestBody, clientPublicKey string, entity *entityInfo) policyKAOResults { +func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.UnsignedRewrapRequest_WithPolicyRequest, clientPublicKey string, entity *entityInfo) policyKAOResults { if p.Tracer != nil { var span trace.Span ctx, span = p.Tracer.Start(ctx, "rewrap-tdf3") @@ -499,7 +499,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.RewrapReque results := make(policyKAOResults) var policies []*Policy - policyReqs := make(map[*Policy]*kaspb.RewrapRequestBody) + policyReqs := make(map[*Policy]*kaspb.UnsignedRewrapRequest_WithPolicyRequest) for _, req := range requests { policy, kaoResults, err := p.verifyRewrapRequests(ctx, req) results[req.GetPolicy().GetId()] = kaoResults 
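Review bot: In tdf3Rewrap, the loop at the end of the `-499` hunk stores `results[req.GetPolicy().GetId()] = kaoResults`, and the policy id comes from the client-supplied WithPolicy, so two requests that reuse the same id overwrite each other and the earlier request's KAOs silently disappear from the response. failAllKaos in the `-778` hunk later indexes `results[req.GetPolicy().GetId()]` and hands the map to failedKAORewrap, which writes into it; if that id was never inserted the write hits a nil map and panics. A cheap fix is to refuse duplicates at the insertion point, e.g. `if _, dup := results[id]; dup { failAllKaos([]*kaspb.UnsignedRewrapRequest_WithPolicyRequest{req}, results, err400("duplicate policy id")); continue }` after ensuring the entry exists; nanoTDFRewrap at the `-585` hunk presumably builds results the same way, though its assignment is outside the hunk. Both loop bodies continue past their hunks, so a later merge step may already exist out of view.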
@@ -537,7 +537,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.RewrapReque // Audit the TDF3 Rewrap kasPolicy := ConvertToAuditKasPolicy(*policy) - for _, kao := range req.GetKeyAccessObjectRequests() { + for _, kao := range req.GetKeyAccessObjects() { kaoRes := kaoResults[kao.GetKeyAccessObjectId()] if kaoRes.Error != nil { continue @@ -576,7 +576,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.RewrapReque return results } -func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.RewrapRequestBody, clientPublicKey string, entity *entityInfo) (string, policyKAOResults) { +func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.UnsignedRewrapRequest_WithPolicyRequest, clientPublicKey string, entity *entityInfo) (string, policyKAOResults) { results := make(policyKAOResults) if p.Tracer != nil { var span trace.Span @@ -585,7 +585,7 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.RewrapRe } var policies []*Policy - policyReqs := make(map[*Policy]*kaspb.RewrapRequestBody) + policyReqs := make(map[*Policy]*kaspb.UnsignedRewrapRequest_WithPolicyRequest) for _, req := range requests { policy, kaoResults := p.verifyNanoRewrapRequests(ctx, req) @@ -631,7 +631,7 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.RewrapRe // Audit the Nano Rewrap kasPolicy := ConvertToAuditKasPolicy(*policy) - for _, kao := range req.GetKeyAccessObjectRequests() { + for _, kao := range req.GetKeyAccessObjects() { kaoInfo := kaoResults[kao.GetKeyAccessObjectId()] if kaoInfo.Error != nil { continue 
@@ -667,12 +667,12 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.RewrapRe return string(publicKeyHandle), results } -func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *kaspb.RewrapRequestBody) (*Policy, map[string]kaoResult) { +func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *kaspb.UnsignedRewrapRequest_WithPolicyRequest) (*Policy, map[string]kaoResult) { results := make(map[string]kaoResult) - for _, kao := range req.GetKeyAccessObjectRequests() { + for _, kao := range req.GetKeyAccessObjects() { // there should never be multiple KAOs in policy - if len(req.GetKeyAccessObjectRequests()) != 1 { + if len(req.GetKeyAccessObjects()) != 1 { failedKAORewrap(results, kao, err400("NanoTDFs should not have multiple KAOs per Policy")) continue } @@ -778,9 +778,9 @@ func wrapKeyAES(sessionKey, dek []byte) ([]byte, error) { return cipherText, nil } -func failAllKaos(reqs []*kaspb.RewrapRequestBody, results policyKAOResults, err error) { +func failAllKaos(reqs []*kaspb.UnsignedRewrapRequest_WithPolicyRequest, results policyKAOResults, err error) { for _, req := range reqs { - for _, kao := range req.GetKeyAccessObjectRequests() { + for _, kao := range req.GetKeyAccessObjects() { failedKAORewrap(results[req.GetPolicy().GetId()], kao, err) } } diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index 0ec47c81db..1de3ad9487 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go @@ -201,7 +201,7 @@ type PolicyBinding struct { Hash string `json:"hash"` } -func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) kaspb.KeyAccessObjectRequest { +func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) kaspb.UnsignedRewrapRequest_WithKeyAccessObject { policyBytes := fauxPolicyBytes(t) asym, err := ocrypto.NewAsymEncryption(rsaPublicAlt) require.NoError(t, err, "rewrap: NewAsymEncryption failed") 
@@ -228,7 +228,7 @@ func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) kaspb.KeyAcce binding, err := json.Marshal(policyBinding) require.NoError(t, err) - return kaspb.KeyAccessObjectRequest{ + return kaspb.UnsignedRewrapRequest_WithKeyAccessObject{ KeyAccessObjectId: "123", KeyAccessObject: &kaspb.KeyAccess{ KeyType: "wrapped", @@ -283,12 +283,12 @@ func jwtWrongKey(t *testing.T) []byte { return signedMockJWT(t, entityPrivateKey(t)) } -func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*kaspb.RewrapRequestBody { +func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*kaspb.UnsignedRewrapRequest_WithPolicyRequest { kaoReq := keyAccessWrappedRaw(t, bindingAsString) - return []*kaspb.RewrapRequestBody{ + return []*kaspb.UnsignedRewrapRequest_WithPolicyRequest{ { - KeyAccessObjectRequests: []*kaspb.KeyAccessObjectRequest{&kaoReq}, - Policy: &kaspb.PolicyRequest{ + KeyAccessObjects: []*kaspb.UnsignedRewrapRequest_WithKeyAccessObject{&kaoReq}, + Policy: &kaspb.UnsignedRewrapRequest_WithPolicy{ Id: "123", Body: string(policy), }, @@ -297,7 +297,7 @@ func makeRewrapRequests(t *testing.T, policy []byte, bindingAsString bool) []*ka } func makeRewrapBody(t *testing.T, policy []byte, policyBindingAsString bool) []byte { - mockBody := &kaspb.RequestBody{ + mockBody := &kaspb.UnsignedRewrapRequest{ Requests: makeRewrapRequests(t, policy, policyBindingAsString), ClientPublicKey: rsaPublicAlt, } 
@@ -369,7 +369,7 @@ func TestParseAndVerifyRequest(t *testing.T) { require.NotNil(t, verified.GetClientPublicKey(), "unable to load public key") for _, req := range verified.GetRequests() { - err := verifyPolicyBinding(context.Background(), []byte(req.GetPolicy().GetBody()), req.GetKeyAccessObjectRequests()[0], []byte(plainKey), *logger) + err := verifyPolicyBinding(context.Background(), []byte(req.GetPolicy().GetBody()), req.GetKeyAccessObjects()[0], []byte(plainKey), *logger) if !tt.shouldError { require.NoError(t, err, "failed to verify policy body=[%v]", tt.body) } else { diff --git a/service/kas/kas.proto b/service/kas/kas.proto index cf9c691408..594882595c 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -43,27 +43,26 @@ message KeyAccess { bytes header = 9; string algorithm = 10; } -message PolicyRequest { - string id = 1; - string body = 2; -} -message KeyAccessObjectRequest { - string key_access_object_id = 1; - KeyAccess key_access_object = 2; -} +message UnsignedRewrapRequest { + message WithPolicy { + string id = 1; + string body = 2; + } + message WithKeyAccessObject { + string key_access_object_id = 1; + KeyAccess key_access_object = 2; + } -message RewrapRequestBody { - repeated KeyAccessObjectRequest key_access_object_requests = 1; - PolicyRequest policy = 2; - string algorithm = 3; -} + message WithPolicyRequest { + repeated WithKeyAccessObject key_access_objects = 1; + WithPolicy policy = 2; + string algorithm = 3; + } -message RequestBody { string client_public_key = 1; - repeated RewrapRequestBody requests = 2; + repeated WithPolicyRequest requests = 2; } - message PublicKeyRequest { string algorithm = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "algorithm type rsa: or ec:"}]; string fmt = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "response format"}]; 
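Review bot: Renaming the WithPolicyRequest field from `key_access_object_requests` to `key_access_objects` changes its protojson name (`keyAccessObjectRequests` to `keyAccessObjects`), and that JSON is what travels inside the signed request token that extractSRTBody parses with `protojson.Unmarshal` at the `-212` hunk of service/kas/access/rewrap.go; a client still emitting the old name would fail to parse there and, via the `err != nil || len(requestBody.GetRequests()) == 0` fallback, be treated as a v1 request rather than rejected with a clear error. If no client has shipped against the earlier names this is acceptable, but it belongs in the commit message, and the fallback could log the parse error before falling through. The message renames themselves (RewrapRequestBody to UnsignedRewrapRequest.WithPolicyRequest and the rest) change neither the wire nor the JSON encoding. In the RewrapResponse hunk that follows, dropping `metadata` and `schema_version` leaves the second `// Deprecated` comment sitting directly above `string session_public_key = 3;`, which reads as deprecating that field; if that is not intended, move or remove the comment.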
@@ -81,32 +80,30 @@ message RewrapRequest { string signed_request_token = 1; } -message KAORewrapResult { - map metadata = 1; - string key_access_object_id = 2; - string status = 3; - oneof result { - bytes kas_wrapped_key = 4; - string error = 5; - } -} -message RewrapResult { - string policy_id = 1; - repeated KAORewrapResult results = 2; +message KeyAccessRewrapResult { + map metadata = 1; + string key_access_object_id = 2; + string status = 3; + oneof result { + bytes kas_wrapped_key = 4; + string error = 5; + } } +message PolicyRewrapResult { + string policy_id = 1; + repeated KeyAccessRewrapResult results = 2; +} message RewrapResponse { - // Deprecated - map metadata = 1; + reserved 1,4; // Deprecated bytes entity_wrapped_key = 2; - string session_public_key = 3; // Deprecated - string schema_version = 4; + string session_public_key = 3; // New Rewrap API changes - repeated RewrapResult responses = 5; + repeated PolicyRewrapResult responses = 5; } // Get app info from the root path From f4ee70bec190432d24246baf16ca0aa6794f9517 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Mon, 13 Jan 2025 12:15:08 -0800 Subject: [PATCH 24/48] fix reserve --- protocol/go/kas/kas.pb.go | 76 ++++++++++++++++++++------------------- service/kas/kas.proto | 1 + 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index b195d8d81a..17cfa4ffdd 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go 
@@ -1016,7 +1016,7 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, - 0xaf, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0xc9, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 
@@ -1027,42 +1027,44 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x0b, 0x32, 0x17, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x04, 0x10, - 0x05, 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, - 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, - 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, - 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, - 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, - 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, - 0x12, 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 
0x72, 0x61, 0x70, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, - 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, - 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, - 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, - 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, - 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, - 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, - 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, - 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, - 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, - 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, - 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, - 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, - 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x05, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x0e, 0x73, 0x63, 0x68, + 0x65, 0x6d, 0x61, 
0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x32, 0xce, 0x02, 0x0a, 0x0d, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, + 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, + 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, + 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, + 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, + 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, + 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, + 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, + 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, 0x73, + 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, + 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, + 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, + 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 
0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, + 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, + 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, + 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, + 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, + 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, + 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, + 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, + 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, + 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, + 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, + 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, + 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, + 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, + 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 594882595c..0ce0533336 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -98,6 +98,7 @@ message PolicyRewrapResult { message RewrapResponse { reserved 1,4; + reserved "metadata", "schema_version"; // Deprecated bytes entity_wrapped_key = 2; // Deprecated From c4daf53e66c3e9a542f569f8322481a51adbf532 Mon Sep 17 00:00:00 2001 
From: Dominic Reed Date: Wed, 15 Jan 2025 11:59:10 -0800 Subject: [PATCH 25/48] change in bulk req api --- examples/cmd/benchmark_bulk.go | 7 +++---- sdk/bulk.go | 10 ++++++++-- service/rttests/rt_test.go | 4 +--- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/examples/cmd/benchmark_bulk.go b/examples/cmd/benchmark_bulk.go index 13090ed509..a2241f8b1a 100644 --- a/examples/cmd/benchmark_bulk.go +++ b/examples/cmd/benchmark_bulk.go @@ -109,16 +109,15 @@ func runBenchmarkBulk(cmd *cobra.Command, args []string) error { cipher, _ := io.ReadAll(file) file.Seek(0, 0) - bulkReq := client.CreateBulkRewrapRequest() format := sdk.Nano + var bulkTdfs []*sdk.BulkTDF if config.TDFFormat == "tdf3" { format = sdk.Standard } for i := 0; i < config.RequestCount; i++ { - bulkReq.AppendTDFs(&sdk.BulkTDF{Reader: bytes.NewReader(cipher), Writer: io.Discard}) + bulkTdfs = append(bulkTdfs, &sdk.BulkTDF{Reader: bytes.NewReader(cipher), Writer: io.Discard}) } - bulkReq.TDFType = format - err = client.BulkDecrypt(ctx.Background(), bulkReq) + err = client.BulkDecrypt(ctx.Background(), sdk.WithTDFs(bulkTdfs...), sdk.WithTDFType(format)) if err != nil { if errList, ok := sdk.IsPartialFailure(err); ok { errors = errList diff --git a/sdk/bulk.go b/sdk/bulk.go index 90d30ebf43..81a5b54310 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -40,8 +40,13 @@ func WithTDFs(tdfs ...*BulkTDF) BulkDecryptOption { request.AppendTDFs(tdfs...) } } +func WithTDFType(tdfType TdfType) BulkDecryptOption { + return func(request *BulkDecryptRequest) { + request.TDFType = tdfType + } +} -func (s SDK) CreateBulkRewrapRequest(options ...BulkDecryptOption) *BulkDecryptRequest { +func createBulkRewrapRequest(options ...BulkDecryptOption) *BulkDecryptRequest { req := &BulkDecryptRequest{} for _, opt := range options { opt(req) 
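Review bot: `bulkTdfs` breaks the initialism casing the SDK uses around it (`sdk.BulkTDF`, `sdk.WithTDFs`); `bulkTDFs` would match. The slice is also grown one element at a time inside the `config.RequestCount` loop although the final length is known up front, so `bulkTDFs := make([]*sdk.BulkTDF, 0, config.RequestCount)` in place of the `var bulkTdfs []*sdk.BulkTDF` declaration avoids the repeated reallocation. runBenchmarkBulk starts and ends outside the hunk.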
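Review bot: `WithTDFType` is exported but has no doc comment, and the blank line that separated it from the preceding `WithTDFs` was dropped; suggested comment: `// WithTDFType sets the TDF format (Nano or Standard) that BulkDecrypt applies to every TDF in the request; when passed more than once, the last value wins.` Renaming `CreateBulkRewrapRequest` to the unexported `createBulkRewrapRequest` removes a method from the public `SDK` type, which is a breaking change for importers and deserves a sentence in the commit message (the `BulkDecrypt` signature change in the next hunk has the same effect). The body of `createBulkRewrapRequest` continues outside the hunk.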
@@ -62,7 +67,8 @@ func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { } // BulkDecrypt -func (s SDK) BulkDecrypt(ctx context.Context, bulkReq *BulkDecryptRequest) error { +func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error { + bulkReq := createBulkRewrapRequest(opts...) kasRewrapRequests := make(map[string][]*kas.UnsignedRewrapRequest_WithPolicyRequest) tdfDecryptors := make(map[string]Decryptor) policyTDF := make(map[string]*BulkTDF) diff --git a/service/rttests/rt_test.go b/service/rttests/rt_test.go index ba8004a6c2..f911fcfc4e 100644 --- a/service/rttests/rt_test.go +++ b/service/rttests/rt_test.go @@ -409,9 +409,7 @@ func bulk(client *sdk.SDK, tdfSuccess []string, tdfFail []string, plaintext stri failTDF = append(failTDF, &sdk.BulkTDF{Writer: buf, Reader: file}) } - req := client.CreateBulkRewrapRequest(sdk.WithTDFs(passTDF...), sdk.WithTDFs(failTDF...)) - req.TDFType = sdk.Standard - _ = client.BulkDecrypt(context.Background(), req) + _ = client.BulkDecrypt(context.Background(), sdk.WithTDFs(passTDF...), sdk.WithTDFs(failTDF...), sdk.WithTDFType(sdk.Standard)) for _, tdf := range passTDF { builder, ok := tdf.Writer.(*strings.Builder) if !ok { From 9d86ec39c671e7fdc0d0b6428d3ab3ebe8af3b35 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Wed, 15 Jan 2025 14:21:06 -0800 Subject: [PATCH 26/48] Deprecate rather than reserve --- docs/grpc/index.html | 89 ++++++++++++++- docs/openapi/kas/kas.swagger.json | 13 ++- protocol/go/kas/kas.pb.go | 177 ++++++++++++++++++------------ service/kas/kas.proto | 10 +- 4 files changed, 206 insertions(+), 83 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 6d89a87d5f..dfac721241 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -474,6 +474,10 @@
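Review bot: With the variadic signature, `bulkReq.TDFType` stays at the zero value of `TdfType` whenever a caller omits `WithTDFType`, whereas the old API received a request the caller had populated; unless that zero value is a valid format, add a check right after `bulkReq := createBulkRewrapRequest(opts...)` that returns an error (or applies an explicit default) before any rewrap request is built, since the value selects the decryptor via `createDecryptor`. The `// BulkDecrypt` comment above the signature is a bare name; a suggested replacement, to be adjusted to the body, is `// BulkDecrypt decrypts the TDFs supplied via WithTDFs, writing plaintext to each BulkTDF's Writer; a partially failed batch is reported through the returned error (see IsPartialFailure).` The body of BulkDecrypt continues outside the hunk.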

    Table of Contents

    MRewrapResponse +
  • + MRewrapResponse.MetadataEntry +
  • +
  • MUnsignedRewrapRequest
  • @@ -3559,18 +3563,32 @@

    RewrapResponse

    + + metadata + RewrapResponse.MetadataEntry + repeated +

    Deprecated.

    + + entity_wrapped_key bytes -

    Deprecated

    +

    Deprecated.

    session_public_key string -

    Deprecated

    +

    Deprecated.

    + + + + schema_version + string + +

    Deprecated.

    @@ -3584,6 +3602,73 @@

    RewrapResponse

    + + +

    Fields with deprecated option

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameOption
    metadata

    true

    entity_wrapped_key

    true

    session_public_key

    true

    schema_version

    true

    + + + + + +

    RewrapResponse.MetadataEntry

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    keystring

    valuegoogle.protobuf.Value

    + + diff --git a/docs/openapi/kas/kas.swagger.json b/docs/openapi/kas/kas.swagger.json index dffc423956..d422537e3c 100644 --- a/docs/openapi/kas/kas.swagger.json +++ b/docs/openapi/kas/kas.swagger.json @@ -189,14 +189,19 @@ "kasRewrapResponse": { "type": "object", "properties": { + "metadata": { + "type": "object", + "additionalProperties": {} + }, "entityWrappedKey": { "type": "string", - "format": "byte", - "title": "Deprecated" + "format": "byte" }, "sessionPublicKey": { - "type": "string", - "title": "Deprecated" + "type": "string" + }, + "schemaVersion": { + "type": "string" }, "responses": { "type": "array", diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index 17cfa4ffdd..14344c301c 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go @@ -661,10 +661,14 @@ type RewrapResponse struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Deprecated + // Deprecated: Marked as deprecated in kas/kas.proto. + Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + // Deprecated: Marked as deprecated in kas/kas.proto. EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"` - // Deprecated + // Deprecated: Marked as deprecated in kas/kas.proto. SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"` + // Deprecated: Marked as deprecated in kas/kas.proto. + SchemaVersion string `protobuf:"bytes,4,opt,name=schema_version,json=schemaVersion,proto3" json:"schema_version,omitempty"` // New Rewrap API changes Responses []*PolicyRewrapResult `protobuf:"bytes,5,rep,name=responses,proto3" json:"responses,omitempty"` } 
@@ -701,6 +705,15 @@ func (*RewrapResponse) Descriptor() ([]byte, []int) { return file_kas_kas_proto_rawDescGZIP(), []int{10} } +// Deprecated: Marked as deprecated in kas/kas.proto. +func (x *RewrapResponse) GetMetadata() map[string]*structpb.Value { + if x != nil { + return x.Metadata + } + return nil +} + +// Deprecated: Marked as deprecated in kas/kas.proto. func (x *RewrapResponse) GetEntityWrappedKey() []byte { if x != nil { return x.EntityWrappedKey @@ -708,6 +721,7 @@ func (x *RewrapResponse) GetEntityWrappedKey() []byte { return nil } +// Deprecated: Marked as deprecated in kas/kas.proto. func (x *RewrapResponse) GetSessionPublicKey() string { if x != nil { return x.SessionPublicKey @@ -715,6 +729,14 @@ func (x *RewrapResponse) GetSessionPublicKey() string { return "" } +// Deprecated: Marked as deprecated in kas/kas.proto. +func (x *RewrapResponse) GetSchemaVersion() string { + if x != nil { + return x.SchemaVersion + } + return "" +} + func (x *RewrapResponse) GetResponses() []*PolicyRewrapResult { if x != nil { return x.Responses 
@@ -1016,55 +1038,65 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, - 0xc9, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, - 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, - 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, - 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x35, - 0x0a, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x17, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, - 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x04, 0x10, - 0x05, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x0e, 0x73, 0x63, 0x68, - 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x32, 0xce, 0x02, 0x0a, 0x0d, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, - 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, - 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 
0x69, 0x63, 0x4b, 0x65, - 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, - 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, - 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, - 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, - 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, - 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, - 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, 0x73, - 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, - 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, - 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, - 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, - 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, - 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, - 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, - 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, - 0x20, 0x43, 
0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, - 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, - 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, - 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, - 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, - 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, - 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, - 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, - 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, - 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, - 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, - 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0xee, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x41, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x42, 0x02, 0x18, 0x01, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x30, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, + 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x0c, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, + 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 
0x69, + 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x0e, 0x73, 0x63, 0x68, + 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0d, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, + 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x35, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, + 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, + 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, + 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, + 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, + 0x02, 0x18, 0x12, 0x16, 0x2f, 
0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, + 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, + 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, + 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, + 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, + 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, + 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, + 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, + 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, + 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, + 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 
0x6b, 0x65, 0x6e, 0x64, 0x2f, + 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, + 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, + 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, + 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, + 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, + 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, + 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -1079,7 +1111,7 @@ func file_kas_kas_proto_rawDescGZIP() []byte { return file_kas_kas_proto_rawDescData } -var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 15) +var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 16) var file_kas_kas_proto_goTypes = []interface{}{ (*InfoRequest)(nil), // 0: kas.InfoRequest (*InfoResponse)(nil), // 1: kas.InfoResponse 
@@ -1096,29 +1128,32 @@ var file_kas_kas_proto_goTypes = []interface{}{ (*UnsignedRewrapRequest_WithKeyAccessObject)(nil), // 12: kas.UnsignedRewrapRequest.WithKeyAccessObject (*UnsignedRewrapRequest_WithPolicyRequest)(nil), // 13: kas.UnsignedRewrapRequest.WithPolicyRequest nil, // 14: kas.KeyAccessRewrapResult.MetadataEntry - (*structpb.Value)(nil), // 15: google.protobuf.Value - (*wrapperspb.StringValue)(nil), // 16: google.protobuf.StringValue + nil, // 15: kas.RewrapResponse.MetadataEntry + (*structpb.Value)(nil), // 16: google.protobuf.Value + (*wrapperspb.StringValue)(nil), // 17: google.protobuf.StringValue } var file_kas_kas_proto_depIdxs = []int32{ 13, // 0: kas.UnsignedRewrapRequest.requests:type_name -> kas.UnsignedRewrapRequest.WithPolicyRequest 14, // 1: kas.KeyAccessRewrapResult.metadata:type_name -> kas.KeyAccessRewrapResult.MetadataEntry 8, // 2: kas.PolicyRewrapResult.results:type_name -> kas.KeyAccessRewrapResult - 9, // 3: kas.RewrapResponse.responses:type_name -> kas.PolicyRewrapResult - 3, // 4: kas.UnsignedRewrapRequest.WithKeyAccessObject.key_access_object:type_name -> kas.KeyAccess - 12, // 5: kas.UnsignedRewrapRequest.WithPolicyRequest.key_access_objects:type_name -> kas.UnsignedRewrapRequest.WithKeyAccessObject - 11, // 6: kas.UnsignedRewrapRequest.WithPolicyRequest.policy:type_name -> kas.UnsignedRewrapRequest.WithPolicy - 15, // 7: kas.KeyAccessRewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value - 5, // 8: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest - 2, // 9: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest - 7, // 10: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest - 6, // 11: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse - 16, // 12: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue - 10, // 13: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse - 11, // [11:14] is the sub-list for method output_type - 8, // 
[8:11] is the sub-list for method input_type - 8, // [8:8] is the sub-list for extension type_name - 8, // [8:8] is the sub-list for extension extendee - 0, // [0:8] is the sub-list for field type_name + 15, // 3: kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry + 9, // 4: kas.RewrapResponse.responses:type_name -> kas.PolicyRewrapResult + 3, // 5: kas.UnsignedRewrapRequest.WithKeyAccessObject.key_access_object:type_name -> kas.KeyAccess + 12, // 6: kas.UnsignedRewrapRequest.WithPolicyRequest.key_access_objects:type_name -> kas.UnsignedRewrapRequest.WithKeyAccessObject + 11, // 7: kas.UnsignedRewrapRequest.WithPolicyRequest.policy:type_name -> kas.UnsignedRewrapRequest.WithPolicy + 16, // 8: kas.KeyAccessRewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value + 16, // 9: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value + 5, // 10: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest + 2, // 11: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest + 7, // 12: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest + 6, // 13: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse + 17, // 14: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue + 10, // 15: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse + 13, // [13:16] is the sub-list for method output_type + 10, // [10:13] is the sub-list for method input_type + 10, // [10:10] is the sub-list for extension type_name + 10, // [10:10] is the sub-list for extension extendee + 0, // [0:10] is the sub-list for field type_name } func init() { file_kas_kas_proto_init() } @@ -1306,7 +1341,7 @@ func file_kas_kas_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_kas_kas_proto_rawDesc, NumEnums: 0, - NumMessages: 15, + NumMessages: 16, NumExtensions: 0, NumServices: 1, }, 
diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 0ce0533336..8eb40d1670 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -97,12 +97,10 @@ message PolicyRewrapResult { } message RewrapResponse { - reserved 1,4; - reserved "metadata", "schema_version"; - // Deprecated - bytes entity_wrapped_key = 2; - // Deprecated - string session_public_key = 3; + map metadata = 1 [deprecated = true]; + bytes entity_wrapped_key = 2 [deprecated = true]; + string session_public_key = 3 [deprecated = true]; + string schema_version = 4 [deprecated = true]; // New Rewrap API changes repeated PolicyRewrapResult responses = 5; } From 5bc55fe054277c5549f0171f9c07a19870b92b1c Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Wed, 15 Jan 2025 14:26:36 -0800 Subject: [PATCH 27/48] undeprecated session key --- docs/grpc/index.html | 7 +-- protocol/go/kas/kas.pb.go | 104 +++++++++++++++++------------------ service/kas/access/rewrap.go | 2 +- service/kas/kas.proto | 2 +- 4 files changed, 54 insertions(+), 61 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index dfac721241..8b8fe900a9 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -3581,7 +3581,7 @@
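Review bot: The four fields at the top of `RewrapResponse` now carry `[deprecated = true]` but nothing tells a caller what replaces them, and the removed `reserved` lines were the only hint that they are legacy; a comment on the group such as `// Deprecated: legacy single-response fields, superseded by responses (field 5).` documents the migration path, and the generated Go and OpenAPI output would then carry it too. Re-introducing numbers 1 and 4 is wire-compatible with clients built before they were reserved only if the types match the original definitions — the generated code in the kas.pb.go hunk maps `metadata` to `map[string]*structpb.Value` and `schema_version` to `string`, which presumably matches, but it is worth confirming against the pre-reservation proto.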

    RewrapResponse

    session_public_key string -

    Deprecated.

    +

    @@ -3624,11 +3624,6 @@

    Fields with deprecated option

    true

    - - session_public_key -

    true

    - - schema_version

    true

    diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index 14344c301c..c2837fc668 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go @@ -665,7 +665,6 @@ type RewrapResponse struct { Metadata map[string]*structpb.Value `protobuf:"bytes,1,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // Deprecated: Marked as deprecated in kas/kas.proto. EntityWrappedKey []byte `protobuf:"bytes,2,opt,name=entity_wrapped_key,json=entityWrappedKey,proto3" json:"entity_wrapped_key,omitempty"` - // Deprecated: Marked as deprecated in kas/kas.proto. SessionPublicKey string `protobuf:"bytes,3,opt,name=session_public_key,json=sessionPublicKey,proto3" json:"session_public_key,omitempty"` // Deprecated: Marked as deprecated in kas/kas.proto. SchemaVersion string `protobuf:"bytes,4,opt,name=schema_version,json=schemaVersion,proto3" json:"schema_version,omitempty"` @@ -721,7 +720,6 @@ func (x *RewrapResponse) GetEntityWrappedKey() []byte { return nil } -// Deprecated: Marked as deprecated in kas/kas.proto. func (x *RewrapResponse) GetSessionPublicKey() string { if x != nil { return x.SessionPublicKey 
@@ -1038,7 +1036,7 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, - 0xee, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0xea, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 
@@ -1046,57 +1044,57 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x30, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, - 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, + 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x0e, 0x73, 0x63, 0x68, - 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0d, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x35, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, - 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, - 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, - 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, - 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 
0x72, 0x76, 0x69, - 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, - 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, - 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, - 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, - 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, - 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, - 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, - 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, - 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, - 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, - 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, - 0x70, 0x42, 0xe2, 
0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, - 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, - 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, - 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, - 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, - 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, - 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, - 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, - 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, - 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, + 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, + 0x01, 0x52, 0x0d, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x12, 0x35, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 
0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x32, 0xce, 0x02, 0x0a, + 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, + 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, + 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, + 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, + 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, + 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, + 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, + 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, + 0x32, 
0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, + 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, + 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, + 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, + 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, + 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, 0x70, 0x42, 0xe2, 0x01, + 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, + 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, + 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, + 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, + 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, + 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, + 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, + 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, + 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, + 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, + 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 
0x4b, 0x61, 0x73, 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, + 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, + 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index caf76d7e2b..a5e682c291 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -413,7 +413,7 @@ func (p *Provider) Rewrap(ctx context.Context, req *connect.Request[kaspb.Rewrap if kao.Error != nil { return nil, kao.Error } - resp.EntityWrappedKey = kao.Key + resp.EntityWrappedKey = kao.Key //nolint:staticcheck // deprecated but keeping behavior for backwards compatibility } return connect.NewResponse(resp), err diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 8eb40d1670..a3faeb939e 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -99,7 +99,7 @@ message PolicyRewrapResult { message RewrapResponse { map metadata = 1 [deprecated = true]; bytes entity_wrapped_key = 2 [deprecated = true]; - string session_public_key = 3 [deprecated = true]; + string session_public_key = 3; string schema_version = 4 [deprecated = true]; // New Rewrap API changes repeated PolicyRewrapResult responses = 5; From b5996e261ff7f9593e4b926fe7754752cf474270 Mon Sep 17 00:00:00 2001 From: dominic reed Date: Thu, 16 Jan 2025 09:03:36 -0800 Subject: [PATCH 28/48] Update examples/cmd/benchmark_bulk.go Co-authored-by: Dave Mihalcik --- examples/cmd/benchmark_bulk.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/cmd/benchmark_bulk.go b/examples/cmd/benchmark_bulk.go index a2241f8b1a..3cf59614bb 100644 --- a/examples/cmd/benchmark_bulk.go +++ b/examples/cmd/benchmark_bulk.go @@ -2,7 +2,7 @@ package cmd import ( "bytes" - ctx "context" + "context" "encoding/json" "fmt" "io" From 845bea6487f3a9725bf363a97f3f280e78795328 Mon Sep 17 00:00:00 2001 
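Review bot: The legacy field is filled with `resp.EntityWrappedKey = kao.Key` inside a block whose opening line is outside the hunk, apparently a loop over the per-KAO results, so when more than one result is present the last key silently overwrites the earlier ones and a legacy client receives a key it cannot attribute to any KAO. If this compatibility path is only meant for single-KAO requests, reject anything else before the loop with a count check and an explicit error such as `errors.New("legacy rewrap response supports exactly one key access object")`, rather than letting the ambiguity pass. The `//nolint:staticcheck` justification would also help the next reader more if it named the replacement, e.g. `//nolint:staticcheck // entity_wrapped_key is deprecated; kept for pre-bulk clients that do not read responses`.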
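Review bot: `session_public_key` is un-deprecated without a comment saying why it alone of the four legacy fields stays live, which anyone reading `RewrapResponse` next will need; the new `responses` field carries per-policy results but no per-policy key, so presumably the single ephemeral key still applies to every result in the response. A one-line comment on field 3 would settle it, e.g. `// Ephemeral KAS public key for this response; still needed by clients consuming responses, unlike the deprecated fields above.` — adjust the wording if the nano path derives its key differently.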
From: dominic reed Date: Thu, 16 Jan 2025 09:03:53 -0800 Subject: [PATCH 29/48] Update examples/cmd/benchmark_bulk.go Co-authored-by: Dave Mihalcik --- examples/cmd/benchmark_bulk.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/cmd/benchmark_bulk.go b/examples/cmd/benchmark_bulk.go index 3cf59614bb..ba56ede544 100644 --- a/examples/cmd/benchmark_bulk.go +++ b/examples/cmd/benchmark_bulk.go @@ -117,7 +117,7 @@ func runBenchmarkBulk(cmd *cobra.Command, args []string) error { for i := 0; i < config.RequestCount; i++ { bulkTdfs = append(bulkTdfs, &sdk.BulkTDF{Reader: bytes.NewReader(cipher), Writer: io.Discard}) } - err = client.BulkDecrypt(ctx.Background(), sdk.WithTDFs(bulkTdfs...), sdk.WithTDFType(format)) + err = client.BulkDecrypt(context.Background(), sdk.WithTDFs(bulkTdfs...), sdk.WithTDFType(format)) if err != nil { if errList, ok := sdk.IsPartialFailure(err); ok { errors = errList From b1ae6dfb561c92a9d2c3668a15b6a988887cab3d Mon Sep 17 00:00:00 2001 From: dominic reed Date: Thu, 16 Jan 2025 09:04:15 -0800 Subject: [PATCH 30/48] Update examples/cmd/benchmark_bulk.go Co-authored-by: Dave Mihalcik --- examples/cmd/benchmark_bulk.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/cmd/benchmark_bulk.go b/examples/cmd/benchmark_bulk.go index ba56ede544..e0e6956d0c 100644 --- a/examples/cmd/benchmark_bulk.go +++ b/examples/cmd/benchmark_bulk.go @@ -49,7 +49,7 @@ func runBenchmarkBulk(cmd *cobra.Command, args []string) error { } }() - var dataAttributes = []string{"https://example.com/attr/attr1/value/value1"} +dataAttributes := []string{"https://example.com/attr/attr1/value/value1"} if config.TDFFormat == NanoTDF { nanoTDFConfig, err := client.NewNanoTDFConfig() if err != nil { From a5f962786b55fc2078ee91a8b0c47a29e2553a08 Mon Sep 17 00:00:00 2001 From: dominic reed Date: Thu, 16 Jan 2025 09:05:09 -0800 Subject: [PATCH 31/48] Update examples/cmd/benchmark_bulk.go Co-authored-by: Dave Mihalcik 
From bcedd0b658af9b712f9cd6b90744e119affb2639 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 09:09:05 -0800 Subject: [PATCH 32/48] bulk errors fix Summary: Test Plan: --- examples/cmd/benchmark_bulk.go | 2 +- sdk/bulk.go | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/cmd/benchmark_bulk.go b/examples/cmd/benchmark_bulk.go index e0e6956d0c..13441f9b5b 100644 --- a/examples/cmd/benchmark_bulk.go +++ b/examples/cmd/benchmark_bulk.go @@ -119,7 +119,7 @@ dataAttributes := []string{"https://example.com/attr/attr1/value/value1"} } err = client.BulkDecrypt(context.Background(), sdk.WithTDFs(bulkTdfs...), sdk.WithTDFType(format)) if err != nil { - if errList, ok := sdk.IsPartialFailure(err); ok { + if errList, ok := sdk.FromBulkErrors(err); ok { errors = errList } else { requestFailure = err diff --git a/sdk/bulk.go b/sdk/bulk.go index 81a5b54310..2c4eff6958 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -20,15 +20,15 @@ type BulkDecryptRequest struct { TDFType TdfType } -type BulkDecryptionErrors []error +type BulkErrors []error -func (b BulkDecryptionErrors) Error() string { +func (b BulkErrors) Error() string { return fmt.Sprintf("Some TDFs could not be Decrypted: %s", errors.Join(b...).Error()) } -// IsPartialFailure Returns List of Decrypt Failures and true if is decryption failures -func IsPartialFailure(err error) ([]error, bool) { - var list BulkDecryptionErrors +// FromBulkErrors Returns List of Decrypt Failures and true if is decryption failures +func FromBulkErrors(err error) ([]error, bool) { + var list BulkErrors ok := errors.As(err, &list) return list, ok } @@ -131,7 +131,7 @@ func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error { } if len(errList) != 0 { - return BulkDecryptionErrors(errList) + return BulkErrors(errList) } return nil From 14c2d9642baf5ed8988b8a342c87c0183683febc Mon Sep 17 00:00:00 2001 
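Review bot: `BulkErrors.Error()` calls `.Error()` on the result of `errors.Join(b...)`, which is nil for an empty slice, so formatting an empty `BulkErrors` panics with a nil-pointer dereference; `BulkDecrypt` only builds the value when `len(errList) != 0`, but the type is exported and nothing stops a caller or test from constructing an empty one. Guard it with `if len(b) == 0 { return "no TDFs failed to decrypt" }` ahead of the Sprintf. The exported type also has no doc comment; `// BulkErrors is returned by BulkDecrypt when at least one TDF could not be decrypted; use FromBulkErrors to recover the per-TDF errors.` would do, and the comment on `FromBulkErrors` should read as a sentence starting with its name, e.g. `// FromBulkErrors returns the per-TDF decrypt failures carried by err and true if err is a BulkErrors.`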
From: dominic reed Date: Thu, 16 Jan 2025 09:10:09 -0800 Subject: [PATCH 33/48] appendTDFs changes Co-authored-by: Dave Mihalcik --- sdk/bulk.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/bulk.go b/sdk/bulk.go index 2c4eff6958..1e47e3e16e 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -137,7 +137,7 @@ func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error { return nil } -func (b *BulkDecryptRequest) AppendTDFs(tdfs ...*BulkTDF) { +func (b *BulkDecryptRequest) appendTDFs(tdfs ...*BulkTDF) { b.TDFs = append( b.TDFs, tdfs..., From b6ac8bba9d5c5e39e2e3dde311b6cb7152896a3f Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 09:11:15 -0800 Subject: [PATCH 34/48] Fix appendTDFs refactor Summary: Test Plan: --- sdk/bulk.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/bulk.go b/sdk/bulk.go index 1e47e3e16e..7ef00f99be 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -37,7 +37,7 @@ type BulkDecryptOption func(request *BulkDecryptRequest) func WithTDFs(tdfs ...*BulkTDF) BulkDecryptOption { return func(request *BulkDecryptRequest) { - request.AppendTDFs(tdfs...) + request.appendTDFs(tdfs...) } } func WithTDFType(tdfType TdfType) BulkDecryptOption { From 83dda1dd17622e2e2ab4111fc91c098c8130e554 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 09:12:49 -0800 Subject: [PATCH 35/48] decryptor changes Summary: Test Plan: --- sdk/bulk.go | 4 ++-- sdk/kas_client.go | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/sdk/bulk.go b/sdk/bulk.go index 7ef00f99be..9514879ca1 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go 
@@ -54,7 +54,7 @@ func createBulkRewrapRequest(options ...BulkDecryptOption) *BulkDecryptRequest { return req } -func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { +func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (decryptor, error) { switch tdfType { case Nano: decryptor := createNanoTDFDecryptHandler(tdf.Reader, tdf.Writer) @@ -70,7 +70,7 @@ func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (Decryptor, error) { func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error { bulkReq := createBulkRewrapRequest(opts...) kasRewrapRequests := make(map[string][]*kas.UnsignedRewrapRequest_WithPolicyRequest) - tdfDecryptors := make(map[string]Decryptor) + tdfDecryptors := make(map[string]decryptor) policyTDF := make(map[string]*BulkTDF) for i, tdf := range bulkReq.TDFs { diff --git a/sdk/kas_client.go b/sdk/kas_client.go index 34ad4e69a6..bb78407794 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go @@ -34,7 +34,7 @@ type KAOResult struct { KeyAccessObjectID string } -type Decryptor interface { +type decryptor interface { CreateRewrapRequest(ctx context.Context) (map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest, error) Decrypt(ctx context.Context, results []KAOResult) (uint32, error) } @@ -73,6 +73,7 @@ func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*kas.Unsig return response, nil } + func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.UnsignedRewrapRequest_WithPolicyRequest) (map[string][]KAOResult, error) { keypair, err := ocrypto.NewECKeyPair(ocrypto.ECCModeSecp256r1) if err != nil { From 0b0281ef81b04adc95841b4b5e725790c9bb9bbf Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 09:13:33 -0800 Subject: [PATCH 36/48] kaoresult changes Summary: Test Plan: --- sdk/bulk.go | 4 ++-- sdk/kas_client.go | 28 ++++++++++++++-------------- sdk/nanotdf.go | 4 ++-- sdk/tdf.go | 8 ++++---- 4 files changed, 22 insertions(+), 22 deletions(-) 
diff --git a/sdk/bulk.go b/sdk/bulk.go index 9514879ca1..7a93e98837 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -95,10 +95,10 @@ func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error { } kasClient := newKASClient(s.dialOptions, s.tokenSource, s.kasSessionKey) - allRewrapResp := make(map[string][]KAOResult) + allRewrapResp := make(map[string][]kaoResult) var err error for _, rewrapRequests := range kasRewrapRequests { - var rewrapResp map[string][]KAOResult + var rewrapResp map[string][]kaoResult switch bulkReq.TDFType { case Nano: rewrapResp, err = kasClient.nanoUnwrap(ctx, rewrapRequests...) diff --git a/sdk/kas_client.go b/sdk/kas_client.go index bb78407794..e74e125d0e 100644 --- a/sdk/kas_client.go +++ b/sdk/kas_client.go @@ -28,7 +28,7 @@ type KASClient struct { sessionKey *ocrypto.RsaKeyPair } -type KAOResult struct { +type kaoResult struct { SymmetricKey []byte Error error KeyAccessObjectID string @@ -36,7 +36,7 @@ type KAOResult struct { type decryptor interface { CreateRewrapRequest(ctx context.Context) (map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest, error) - Decrypt(ctx context.Context, results []KAOResult) (uint32, error) + Decrypt(ctx context.Context, results []kaoResult) (uint32, error) } func newKASClient(dialOptions []grpc.DialOption, accessTokenSource auth.AccessTokenSource, sessionKey *ocrypto.RsaKeyPair) *KASClient { @@ -74,7 +74,7 @@ func (k *KASClient) makeRewrapRequest(ctx context.Context, requests []*kas.Unsig return response, nil } -func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.UnsignedRewrapRequest_WithPolicyRequest) (map[string][]KAOResult, error) { +func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.UnsignedRewrapRequest_WithPolicyRequest) (map[string][]kaoResult, error) { keypair, err := ocrypto.NewECKeyPair(ocrypto.ECCModeSecp256r1) if err != nil { return nil, fmt.Errorf("ocrypto.NewECKeyPair failed :%w", err) 
@@ -109,20 +109,20 @@ func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.UnsignedRew return nil, fmt.Errorf("ocrypto.NewAESGcm failed:%w", err) } - policyResults := make(map[string][]KAOResult) + policyResults := make(map[string][]kaoResult) for _, results := range response.GetResponses() { - var kaoKeys []KAOResult + var kaoKeys []kaoResult for _, kao := range results.GetResults() { if kao.GetStatus() == "permit" { wrappedKey := kao.GetKasWrappedKey() key, err := aesGcm.Decrypt(wrappedKey) if err != nil { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err}) + kaoKeys = append(kaoKeys, kaoResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err}) } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), SymmetricKey: key}) + kaoKeys = append(kaoKeys, kaoResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), SymmetricKey: key}) } } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: errors.New(kao.GetError())}) + kaoKeys = append(kaoKeys, kaoResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: errors.New(kao.GetError())}) } } policyResults[results.GetPolicyId()] = kaoKeys @@ -131,7 +131,7 @@ func (k *KASClient) nanoUnwrap(ctx context.Context, requests ...*kas.UnsignedRew return policyResults, nil } -func (k *KASClient) unwrap(ctx context.Context, requests ...*kas.UnsignedRewrapRequest_WithPolicyRequest) (map[string][]KAOResult, error) { +func (k *KASClient) unwrap(ctx context.Context, requests ...*kas.UnsignedRewrapRequest_WithPolicyRequest) (map[string][]kaoResult, error) { if k.sessionKey == nil { return nil, fmt.Errorf("session key is nil") } 
@@ -154,20 +154,20 @@ func (k *KASClient) unwrap(ctx context.Context, requests ...*kas.UnsignedRewrapR return nil, fmt.Errorf("ocrypto.NewAsymDecryption failed: %w", err) } - policyResults := make(map[string][]KAOResult) + policyResults := make(map[string][]kaoResult) for _, results := range response.GetResponses() { - var kaoKeys []KAOResult + var kaoKeys []kaoResult for _, kao := range results.GetResults() { if kao.GetStatus() == "permit" { wrappedKey := kao.GetKasWrappedKey() key, err := asymDecryption.Decrypt(wrappedKey) if err != nil { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err}) + kaoKeys = append(kaoKeys, kaoResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err}) } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), SymmetricKey: key}) + kaoKeys = append(kaoKeys, kaoResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), SymmetricKey: key}) } } else { - kaoKeys = append(kaoKeys, KAOResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: errors.New(kao.GetError())}) + kaoKeys = append(kaoKeys, kaoResult{KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: errors.New(kao.GetError())}) } } policyResults[results.GetPolicyId()] = kaoKeys diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go index ed92566ba2..b2999a0464 100644 --- a/sdk/nanotdf.go +++ b/sdk/nanotdf.go @@ -957,7 +957,7 @@ func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[stri return map[string]*kas.UnsignedRewrapRequest_WithPolicyRequest{kasURL: req}, nil } -func (n *NanoTDFDecryptHandler) Decrypt(_ context.Context, result []KAOResult) (uint32, error) { +func (n *NanoTDFDecryptHandler) Decrypt(_ context.Context, result []kaoResult) (uint32, error) { var err error if len(result) != 1 { return 0, fmt.Errorf("improper result from kas") 
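Review bot: `NanoTDFDecryptHandler.Decrypt` is an exported method on an exported type whose parameter type `[]kaoResult` is now unexported, so code outside package sdk can see the method but can never build a value to call it with; revive/golint report this as an unexported type in an exported API. Either keep the result type exported (the former `KAOResult`) or unexport the method as `decrypt` to match the now package-private `decryptor` interface from patch 35, which is the only caller visible here. The method's body continues past the end of the hunk.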
@@ -1029,7 +1029,7 @@ func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io if err != nil { return 0, err } - return handler.Decrypt(ctx, []KAOResult{{SymmetricKey: symmetricKey}}) + return handler.Decrypt(ctx, []kaoResult{{SymmetricKey: symmetricKey}}) } func (s SDK) getNanoRewrapKey(ctx context.Context, decryptor *NanoTDFDecryptHandler) ([]byte, error) { diff --git a/sdk/tdf.go b/sdk/tdf.go index 1a11817f4f..1584362e96 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -80,7 +80,7 @@ type tdf3DecryptHandler struct { reader *Reader } -func (r *tdf3DecryptHandler) Decrypt(ctx context.Context, results []KAOResult) (uint32, error) { +func (r *tdf3DecryptHandler) Decrypt(ctx context.Context, results []kaoResult) (uint32, error) { err := r.reader.buildKey(ctx, results) if err != nil { return 0, err @@ -867,7 +867,7 @@ func getIdx(kaoID string) int { return idx } -func (r *Reader) buildKey(_ context.Context, results []KAOResult) error { +func (r *Reader) buildKey(_ context.Context, results []kaoResult) error { var unencryptedMetadata []byte var payloadKey [kKeySize]byte knownSplits := make(map[string]bool) @@ -1056,10 +1056,10 @@ func (r *Reader) buildKey(_ context.Context, results []KAOResult) error { func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocognit // Better readability keeping it as is kasClient := newKASClient(r.dialOptions, r.tokenSource, &r.kasSessionKey) - var kaoResults []KAOResult + var kaoResults []kaoResult reqFail := func(err error, req *kas.UnsignedRewrapRequest_WithPolicyRequest) { for _, kao := range req.GetKeyAccessObjects() { - kaoResults = append(kaoResults, KAOResult{ + kaoResults = append(kaoResults, kaoResult{ KeyAccessObjectID: kao.GetKeyAccessObjectId(), Error: err, }) From fcfcfb066b6c6cc2610a0f4fa48f99bc70b7d478 Mon Sep 17 00:00:00 2001 
From: dominic reed Date: Thu, 16 Jan 2025 09:14:38 -0800 Subject: [PATCH 37/48] remove leading newline in imports Co-authored-by: Dave Mihalcik --- sdk/kas_client_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index 4b29df6303..599db54601 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -8,7 +8,6 @@ import ( kaspb "github.com/opentdf/platform/protocol/go/kas" "google.golang.org/protobuf/encoding/protojson" - "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" From 3e780fb9be1721bafe056715bcb51376b5800b7f Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 09:20:27 -0800 Subject: [PATCH 38/48] fix imports Summary: Test Plan: --- service/kas/access/rewrap.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index a5e682c291..9b69d56b5f 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -2,10 +2,6 @@ package access import ( "bytes" - - "google.golang.org/protobuf/encoding/protojson" - - // "bytes" "context" "crypto" "crypto/ecdsa" @@ -30,6 +26,7 @@ import ( "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/protocol/go/authorization" "go.opentelemetry.io/otel/trace" + "google.golang.org/protobuf/encoding/protojson" kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/sdk" From ec1ad1171638bd04ab985f43599f0f9a592994f9 Mon Sep 17 00:00:00 2001 From: dominic reed Date: Thu, 16 Jan 2025 09:21:06 -0800 Subject: [PATCH 39/48] kas proto json name fixes Co-authored-by: Dave Mihalcik --- service/kas/kas.proto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/service/kas/kas.proto b/service/kas/kas.proto index a3faeb939e..98e3df51ff 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto 
@@ -35,8 +35,8 @@ message KeyAccess { string encrypted_metadata = 1; bytes policy_binding = 2; string protocol = 3; - string key_type = 4; - string kas_url = 5; + string key_type = 4 [json_name = "type"]; + string kas_url = 5 [json_name = "url"]; string kid = 6; string split_id = 7; bytes wrapped_key = 8; From 07d85486c37003532a4baf1f88654f51d87e89f8 Mon Sep 17 00:00:00 2001 From: dominic reed Date: Thu, 16 Jan 2025 09:21:18 -0800 Subject: [PATCH 40/48] kas proto json name fixes Co-authored-by: Dave Mihalcik --- service/kas/kas.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 98e3df51ff..d4a34b56c5 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -38,7 +38,7 @@ message KeyAccess { string key_type = 4 [json_name = "type"]; string kas_url = 5 [json_name = "url"]; string kid = 6; - string split_id = 7; + string split_id = 7 [json_name = "sid"]; bytes wrapped_key = 8; bytes header = 9; string algorithm = 10; From 534224b205e52d1c09b68bf670efc941a0730e04 Mon Sep 17 00:00:00 2001 From: dominic reed Date: Thu, 16 Jan 2025 09:24:13 -0800 Subject: [PATCH 41/48] Apply suggestions from code review Co-authored-by: Dave Mihalcik --- service/kas/kas.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/service/kas/kas.proto b/service/kas/kas.proto index d4a34b56c5..38dca791d0 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -41,7 +41,7 @@ message KeyAccess { string split_id = 7 [json_name = "sid"]; bytes wrapped_key = 8; bytes header = 9; - string algorithm = 10; + string algorithm = 10 [json_name = "alg"]; } message UnsignedRewrapRequest { From 7174052fa45bbf419a56c754464e56737044d397 Mon Sep 17 00:00:00 2001 
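Review bot: `json_name` only governs protojson; the regenerated struct tags in kas.pb.go (patch 42) still carry `json:"key_type,omitempty"` and `json:"kas_url,omitempty"`, so any code that goes through `encoding/json` rather than `protojson` keeps emitting and expecting the long names and silently misses manifest fields called `type` and `url`. A comment on the message would keep the two from being mixed, e.g. `// json_name values mirror the TDF manifest keyAccess object; always (un)marshal KeyAccess with protojson, never encoding/json.` Note also that protojson.Unmarshal accepts both the json_name and the original proto field name by default while Marshal emits only the json_name, so a manifest carrying `key_type` still parses; if strict manifest parsing is intended, that asymmetry deserves a test.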
From: Dominic Reed Date: Thu, 16 Jan 2025 09:28:08 -0800 Subject: [PATCH 42/48] make all Summary: Test Plan: --- protocol/go/kas/kas.pb.go | 33 ++++++++++++++++----------------- sdk/kas_client_test.go | 4 ++-- 2 files changed, 18 insertions(+), 19 deletions(-) diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index c2837fc668..a393729cc6 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go @@ -165,13 +165,13 @@ type KeyAccess struct { EncryptedMetadata string `protobuf:"bytes,1,opt,name=encrypted_metadata,json=encryptedMetadata,proto3" json:"encrypted_metadata,omitempty"` PolicyBinding []byte `protobuf:"bytes,2,opt,name=policy_binding,json=policyBinding,proto3" json:"policy_binding,omitempty"` Protocol string `protobuf:"bytes,3,opt,name=protocol,proto3" json:"protocol,omitempty"` - KeyType string `protobuf:"bytes,4,opt,name=key_type,json=keyType,proto3" json:"key_type,omitempty"` - KasUrl string `protobuf:"bytes,5,opt,name=kas_url,json=kasUrl,proto3" json:"kas_url,omitempty"` + KeyType string `protobuf:"bytes,4,opt,name=key_type,json=type,proto3" json:"key_type,omitempty"` + KasUrl string `protobuf:"bytes,5,opt,name=kas_url,json=url,proto3" json:"kas_url,omitempty"` Kid string `protobuf:"bytes,6,opt,name=kid,proto3" json:"kid,omitempty"` - SplitId string `protobuf:"bytes,7,opt,name=split_id,json=splitId,proto3" json:"split_id,omitempty"` + SplitId string `protobuf:"bytes,7,opt,name=split_id,json=sid,proto3" json:"split_id,omitempty"` WrappedKey []byte `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"` Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"` - Algorithm string `protobuf:"bytes,10,opt,name=algorithm,proto3" json:"algorithm,omitempty"` + Algorithm string `protobuf:"bytes,10,opt,name=algorithm,json=alg,proto3" json:"algorithm,omitempty"` } func (x *KeyAccess) Reset() { 
@@ -935,7 +935,7 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, - 0x6d, 0x22, 0xb5, 0x02, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, + 0x6d, 0x22, 0xa5, 0x02, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x2d, 0x0a, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x25, 
@@ -943,18 +943,17 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x12, 0x19, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x54, 0x79, 0x70, 0x65, 0x12, 0x17, 0x0a, 0x07, - 0x6b, 0x61, 0x73, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, - 0x61, 0x73, 0x55, 0x72, 0x6c, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x70, 0x6c, 0x69, 0x74, - 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x70, 0x6c, 0x69, 0x74, - 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, - 0x79, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, - 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, - 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x22, 0x95, 0x04, 0x0a, 0x15, 0x55, 0x6e, + 0x6c, 0x12, 0x16, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x07, 0x6b, 0x61, 0x73, + 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, + 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, + 0x64, 0x12, 0x15, 0x0a, 0x08, 0x73, 0x70, 0x6c, 0x69, 0x74, 0x5f, 0x69, 0x64, 
0x18, 0x07, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x69, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x77, 0x72, 0x61, 0x70, + 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x77, + 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, + 0x72, 0x12, 0x16, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x0a, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22, 0x95, 0x04, 0x0a, 0x15, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2a, 0x0a, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index 599db54601..83d399bfcd 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go @@ -6,17 +6,17 @@ import ( "net/http" "testing" - kaspb "github.com/opentdf/platform/protocol/go/kas" - "google.golang.org/protobuf/encoding/protojson" "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwt" "github.com/opentdf/platform/lib/ocrypto" + kaspb "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/sdk/auth" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/grpc" + "google.golang.org/protobuf/encoding/protojson" ) type FakeAccessTokenSource struct { From 6f654b02a76ed4c3a81f3f03df38b74a5f0db365 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 09:47:04 -0800 Subject: [PATCH 43/48] Formatting Summary: Test Plan: --- examples/cmd/benchmark_bulk.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/cmd/benchmark_bulk.go b/examples/cmd/benchmark_bulk.go index 13441f9b5b..c989142c79 100644 --- a/examples/cmd/benchmark_bulk.go +++ b/examples/cmd/benchmark_bulk.go @@ -49,7 +49,7 @@ func runBenchmarkBulk(cmd *cobra.Command, args []string) error { } }() -dataAttributes := []string{"https://example.com/attr/attr1/value/value1"} + dataAttributes := []string{"https://example.com/attr/attr1/value/value1"} if config.TDFFormat == NanoTDF { nanoTDFConfig, err := client.NewNanoTDFConfig() if err != nil { From df08c9514b626f008ef921529260980b0ec04900 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 10:39:05 -0800 Subject: [PATCH 44/48] Change policybinding message Summary: Test Plan: --- docs/grpc/index.html | 44 ++- protocol/go/kas/kas.pb.go | 581 +++++++++++++++++------------- sdk/kas_client_test.go | 27 +- sdk/nanotdf.go | 2 +- sdk/tdf.go | 49 ++- service/kas/access/rewrap.go | 31 +- service/kas/access/rewrap_test.go | 15 +- service/kas/kas.proto | 9 +- 8 files changed, 434 insertions(+), 324 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 8b8fe900a9..4c0b460917 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -454,6 +454,10 @@

    Table of Contents

    MLegacyPublicKeyRequest +
  • + MPolicyBinding +
  • +
  • MPolicyRewrapResult
  • @@ -3254,7 +3258,7 @@

    KeyAccess

    policy_binding - bytes + PolicyBinding

    @@ -3308,13 +3312,6 @@

    KeyAccess

    - - algorithm - string - -

    - - @@ -3429,6 +3426,37 @@

    LegacyPublicKeyRequest

    +

    PolicyBinding

    +

    + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeLabelDescription
    algorithmstring

    hashstring

    + + + + +

    PolicyRewrapResult

    diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index a393729cc6..5527a50d10 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go 
@@ -157,27 +157,81 @@ func (x *LegacyPublicKeyRequest) GetAlgorithm() string { return "" } +type PolicyBinding struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Algorithm string `protobuf:"bytes,1,opt,name=algorithm,json=alg,proto3" json:"algorithm,omitempty"` + Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"` +} + +func (x *PolicyBinding) Reset() { + *x = PolicyBinding{} + if protoimpl.UnsafeEnabled { + mi := &file_kas_kas_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PolicyBinding) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PolicyBinding) ProtoMessage() {} + +func (x *PolicyBinding) ProtoReflect() protoreflect.Message { + mi := &file_kas_kas_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PolicyBinding.ProtoReflect.Descriptor instead. 
+func (*PolicyBinding) Descriptor() ([]byte, []int) { + return file_kas_kas_proto_rawDescGZIP(), []int{3} +} + +func (x *PolicyBinding) GetAlgorithm() string { + if x != nil { + return x.Algorithm + } + return "" +} + +func (x *PolicyBinding) GetHash() string { + if x != nil { + return x.Hash + } + return "" +} + type KeyAccess struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - EncryptedMetadata string `protobuf:"bytes,1,opt,name=encrypted_metadata,json=encryptedMetadata,proto3" json:"encrypted_metadata,omitempty"` - PolicyBinding []byte `protobuf:"bytes,2,opt,name=policy_binding,json=policyBinding,proto3" json:"policy_binding,omitempty"` - Protocol string `protobuf:"bytes,3,opt,name=protocol,proto3" json:"protocol,omitempty"` - KeyType string `protobuf:"bytes,4,opt,name=key_type,json=type,proto3" json:"key_type,omitempty"` - KasUrl string `protobuf:"bytes,5,opt,name=kas_url,json=url,proto3" json:"kas_url,omitempty"` - Kid string `protobuf:"bytes,6,opt,name=kid,proto3" json:"kid,omitempty"` - SplitId string `protobuf:"bytes,7,opt,name=split_id,json=sid,proto3" json:"split_id,omitempty"` - WrappedKey []byte `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"` - Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"` - Algorithm string `protobuf:"bytes,10,opt,name=algorithm,json=alg,proto3" json:"algorithm,omitempty"` + EncryptedMetadata string `protobuf:"bytes,1,opt,name=encrypted_metadata,json=encryptedMetadata,proto3" json:"encrypted_metadata,omitempty"` + PolicyBinding *PolicyBinding `protobuf:"bytes,2,opt,name=policy_binding,json=policyBinding,proto3" json:"policy_binding,omitempty"` + Protocol string `protobuf:"bytes,3,opt,name=protocol,proto3" json:"protocol,omitempty"` + KeyType string `protobuf:"bytes,4,opt,name=key_type,json=type,proto3" json:"key_type,omitempty"` + KasUrl string `protobuf:"bytes,5,opt,name=kas_url,json=url,proto3" 
json:"kas_url,omitempty"` + Kid string `protobuf:"bytes,6,opt,name=kid,proto3" json:"kid,omitempty"` + SplitId string `protobuf:"bytes,7,opt,name=split_id,json=sid,proto3" json:"split_id,omitempty"` + WrappedKey []byte `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"` + Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"` } func (x *KeyAccess) Reset() { *x = KeyAccess{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[3] + mi := &file_kas_kas_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -190,7 +244,7 @@ func (x *KeyAccess) String() string { func (*KeyAccess) ProtoMessage() {} func (x *KeyAccess) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[3] + mi := &file_kas_kas_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -203,7 +257,7 @@ func (x *KeyAccess) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyAccess.ProtoReflect.Descriptor instead. func (*KeyAccess) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{3} + return file_kas_kas_proto_rawDescGZIP(), []int{4} } func (x *KeyAccess) GetEncryptedMetadata() string { @@ -213,7 +267,7 @@ func (x *KeyAccess) GetEncryptedMetadata() string { return "" } -func (x *KeyAccess) GetPolicyBinding() []byte { +func (x *KeyAccess) GetPolicyBinding() *PolicyBinding { if x != nil { return x.PolicyBinding } @@ -269,13 +323,6 @@ func (x *KeyAccess) GetHeader() []byte { return nil } -func (x *KeyAccess) GetAlgorithm() string { - if x != nil { - return x.Algorithm - } - return "" -} - type UnsignedRewrapRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -288,7 +335,7 @@ type UnsignedRewrapRequest struct { func (x *UnsignedRewrapRequest) Reset() { *x = UnsignedRewrapRequest{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[4] + mi := &file_kas_kas_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -301,7 +348,7 @@ func (x *UnsignedRewrapRequest) String() string { func (*UnsignedRewrapRequest) ProtoMessage() {} func (x *UnsignedRewrapRequest) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[4] + mi := &file_kas_kas_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -314,7 +361,7 @@ func (x *UnsignedRewrapRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use UnsignedRewrapRequest.ProtoReflect.Descriptor instead. func (*UnsignedRewrapRequest) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{4} + return file_kas_kas_proto_rawDescGZIP(), []int{5} } func (x *UnsignedRewrapRequest) GetClientPublicKey() string { @@ -344,7 +391,7 @@ type PublicKeyRequest struct { func (x *PublicKeyRequest) Reset() { *x = PublicKeyRequest{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[5] + mi := &file_kas_kas_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -357,7 +404,7 @@ func (x *PublicKeyRequest) String() string { func (*PublicKeyRequest) ProtoMessage() {} func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[5] + mi := &file_kas_kas_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -370,7 +417,7 @@ func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyRequest.ProtoReflect.Descriptor instead. func (*PublicKeyRequest) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{5} + return file_kas_kas_proto_rawDescGZIP(), []int{6} } func (x *PublicKeyRequest) GetAlgorithm() string { @@ -406,7 +453,7 @@ type PublicKeyResponse struct { func (x *PublicKeyResponse) Reset() { *x = PublicKeyResponse{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[6] + mi := &file_kas_kas_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -419,7 +466,7 @@ func (x *PublicKeyResponse) String() string { func (*PublicKeyResponse) ProtoMessage() {} func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[6] + mi := &file_kas_kas_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -432,7 +479,7 @@ func (x *PublicKeyResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyResponse.ProtoReflect.Descriptor instead. func (*PublicKeyResponse) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{6} + return file_kas_kas_proto_rawDescGZIP(), []int{7} } func (x *PublicKeyResponse) GetPublicKey() string { @@ -460,7 +507,7 @@ type RewrapRequest struct { func (x *RewrapRequest) Reset() { *x = RewrapRequest{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[7] + mi := &file_kas_kas_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -473,7 +520,7 @@ func (x *RewrapRequest) String() string { func (*RewrapRequest) ProtoMessage() {} func (x *RewrapRequest) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[7] + mi := &file_kas_kas_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -486,7 +533,7 @@ func (x *RewrapRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use RewrapRequest.ProtoReflect.Descriptor instead. func (*RewrapRequest) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{7} + return file_kas_kas_proto_rawDescGZIP(), []int{8} } func (x *RewrapRequest) GetSignedRequestToken() string { @@ -514,7 +561,7 @@ type KeyAccessRewrapResult struct { func (x *KeyAccessRewrapResult) Reset() { *x = KeyAccessRewrapResult{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[8] + mi := &file_kas_kas_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -527,7 +574,7 @@ func (x *KeyAccessRewrapResult) String() string { func (*KeyAccessRewrapResult) ProtoMessage() {} func (x *KeyAccessRewrapResult) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[8] + mi := &file_kas_kas_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -540,7 +587,7 @@ func (x *KeyAccessRewrapResult) ProtoReflect() protoreflect.Message { // Deprecated: Use KeyAccessRewrapResult.ProtoReflect.Descriptor instead. func (*KeyAccessRewrapResult) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{8} + return file_kas_kas_proto_rawDescGZIP(), []int{9} } func (x *KeyAccessRewrapResult) GetMetadata() map[string]*structpb.Value { 
@@ -613,7 +660,7 @@ type PolicyRewrapResult struct { func (x *PolicyRewrapResult) Reset() { *x = PolicyRewrapResult{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[9] + mi := &file_kas_kas_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -626,7 +673,7 @@ func (x *PolicyRewrapResult) String() string { func (*PolicyRewrapResult) ProtoMessage() {} func (x *PolicyRewrapResult) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[9] + mi := &file_kas_kas_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -639,7 +686,7 @@ func (x *PolicyRewrapResult) ProtoReflect() protoreflect.Message { // Deprecated: Use PolicyRewrapResult.ProtoReflect.Descriptor instead. func (*PolicyRewrapResult) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{9} + return file_kas_kas_proto_rawDescGZIP(), []int{10} } func (x *PolicyRewrapResult) GetPolicyId() string { @@ -675,7 +722,7 @@ type RewrapResponse struct { func (x *RewrapResponse) Reset() { *x = RewrapResponse{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[10] + mi := &file_kas_kas_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -688,7 +735,7 @@ func (x *RewrapResponse) String() string { func (*RewrapResponse) ProtoMessage() {} func (x *RewrapResponse) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[10] + mi := &file_kas_kas_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -701,7 +748,7 @@ func (x *RewrapResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use RewrapResponse.ProtoReflect.Descriptor instead. func (*RewrapResponse) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{10} + return file_kas_kas_proto_rawDescGZIP(), []int{11} } // Deprecated: Marked as deprecated in kas/kas.proto. @@ -754,7 +801,7 @@ type UnsignedRewrapRequest_WithPolicy struct { func (x *UnsignedRewrapRequest_WithPolicy) Reset() { *x = UnsignedRewrapRequest_WithPolicy{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[11] + mi := &file_kas_kas_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -767,7 +814,7 @@ func (x *UnsignedRewrapRequest_WithPolicy) String() string { func (*UnsignedRewrapRequest_WithPolicy) ProtoMessage() {} func (x *UnsignedRewrapRequest_WithPolicy) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[11] + mi := &file_kas_kas_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -780,7 +827,7 @@ func (x *UnsignedRewrapRequest_WithPolicy) ProtoReflect() protoreflect.Message { // Deprecated: Use UnsignedRewrapRequest_WithPolicy.ProtoReflect.Descriptor instead. func (*UnsignedRewrapRequest_WithPolicy) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{4, 0} + return file_kas_kas_proto_rawDescGZIP(), []int{5, 0} } func (x *UnsignedRewrapRequest_WithPolicy) GetId() string { @@ -809,7 +856,7 @@ type UnsignedRewrapRequest_WithKeyAccessObject struct { func (x *UnsignedRewrapRequest_WithKeyAccessObject) Reset() { *x = UnsignedRewrapRequest_WithKeyAccessObject{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[12] + mi := &file_kas_kas_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -822,7 +869,7 @@ func (x *UnsignedRewrapRequest_WithKeyAccessObject) String() string { func (*UnsignedRewrapRequest_WithKeyAccessObject) ProtoMessage() {} func (x *UnsignedRewrapRequest_WithKeyAccessObject) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[12] + mi := &file_kas_kas_proto_msgTypes[13] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -835,7 +882,7 @@ func (x *UnsignedRewrapRequest_WithKeyAccessObject) ProtoReflect() protoreflect. // Deprecated: Use UnsignedRewrapRequest_WithKeyAccessObject.ProtoReflect.Descriptor instead. func (*UnsignedRewrapRequest_WithKeyAccessObject) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{4, 1} + return file_kas_kas_proto_rawDescGZIP(), []int{5, 1} } func (x *UnsignedRewrapRequest_WithKeyAccessObject) GetKeyAccessObjectId() string { @@ -865,7 +912,7 @@ type UnsignedRewrapRequest_WithPolicyRequest struct { func (x *UnsignedRewrapRequest_WithPolicyRequest) Reset() { *x = UnsignedRewrapRequest_WithPolicyRequest{} if protoimpl.UnsafeEnabled { - mi := &file_kas_kas_proto_msgTypes[13] + mi := &file_kas_kas_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -878,7 +925,7 @@ func (x *UnsignedRewrapRequest_WithPolicyRequest) String() string { func (*UnsignedRewrapRequest_WithPolicyRequest) ProtoMessage() {} func (x *UnsignedRewrapRequest_WithPolicyRequest) ProtoReflect() protoreflect.Message { - mi := &file_kas_kas_proto_msgTypes[13] + mi := &file_kas_kas_proto_msgTypes[14] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -891,7 +938,7 @@ func (x *UnsignedRewrapRequest_WithPolicyRequest) ProtoReflect() protoreflect.Me // Deprecated: Use UnsignedRewrapRequest_WithPolicyRequest.ProtoReflect.Descriptor instead. func (*UnsignedRewrapRequest_WithPolicyRequest) Descriptor() ([]byte, []int) { - return file_kas_kas_proto_rawDescGZIP(), []int{4, 2} + return file_kas_kas_proto_rawDescGZIP(), []int{5, 2} } func (x *UnsignedRewrapRequest_WithPolicyRequest) GetKeyAccessObjects() []*UnsignedRewrapRequest_WithKeyAccessObject { 
@@ -935,165 +982,169 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, - 0x6d, 0x22, 0xa5, 0x02, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, - 0x2d, 0x0a, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x65, 0x6e, 0x63, - 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x25, - 0x0a, 0x0e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x62, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x69, - 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x12, 0x16, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x07, 0x6b, 0x61, 0x73, - 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, - 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, - 0x64, 0x12, 0x15, 0x0a, 0x08, 0x73, 0x70, 0x6c, 0x69, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x69, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x77, 0x72, 0x61, 0x70, - 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x77, - 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, - 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 
0x65, 0x61, 0x64, 0x65, - 0x72, 0x12, 0x16, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x0a, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x22, 0x95, 0x04, 0x0a, 0x15, 0x55, 0x6e, - 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x12, 0x2a, 0x0a, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x70, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, - 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, - 0x48, 0x0a, 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x2c, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, - 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x57, 0x69, - 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, - 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x1a, 0x30, 0x0a, 0x0a, 0x57, 0x69, 0x74, - 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x1a, 0x82, 0x01, 0x0a, 0x13, - 0x57, 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, - 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x49, 0x64, 0x12, 0x3a, 0x0a, 0x11, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, - 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x0e, 0x2e, 
0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, - 0x0f, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, - 0x1a, 0xce, 0x01, 0x0a, 0x11, 0x57, 0x69, 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x5c, 0x0a, 0x12, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, - 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x57, - 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x52, 0x10, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x73, 0x12, 0x3d, 0x0a, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, - 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x2e, 0x57, 0x69, 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, - 0x6d, 0x22, 0xb1, 0x01, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x51, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, - 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x33, 0x92, 0x41, 0x30, 0x32, 0x2e, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x20, 0x74, 0x79, 0x70, 0x65, 0x20, 0x72, - 0x73, 0x61, 0x3a, 0x3c, 0x6b, 0x65, 0x79, 0x73, 0x69, 0x7a, 0x65, 0x3e, 0x20, 0x6f, 0x72, 0x20, - 0x65, 0x63, 0x3a, 0x3c, 0x63, 0x75, 0x72, 0x76, 
0x65, 0x6e, 0x61, 0x6d, 0x65, 0x3e, 0x52, 0x09, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x26, 0x0a, 0x03, 0x66, 0x6d, 0x74, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, 0x0f, 0x72, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x52, 0x03, 0x66, 0x6d, - 0x74, 0x12, 0x22, 0x0a, 0x01, 0x76, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, - 0x11, 0x32, 0x0f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, - 0x6f, 0x6e, 0x52, 0x01, 0x76, 0x22, 0x44, 0x0a, 0x11, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, - 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x22, 0x4f, 0x0a, 0x0d, 0x52, - 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x30, 0x0a, 0x14, - 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, - 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, - 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, - 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xc7, 0x02, 0x0a, - 0x15, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, - 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x44, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, - 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, - 0x73, 0x75, 0x6c, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 
0x6e, 0x74, - 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2f, 0x0a, 0x14, + 0x6d, 0x22, 0x3b, 0x0a, 0x0d, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x69, 0x6e, 0x64, 0x69, + 0x6e, 0x67, 0x12, 0x16, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x6c, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x61, + 0x73, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x22, 0xa1, + 0x02, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x2d, 0x0a, 0x12, + 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, + 0x74, 0x65, 0x64, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x39, 0x0a, 0x0e, 0x70, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x62, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x0d, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, + 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, + 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, + 0x6f, 0x6c, 0x12, 0x16, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x07, 0x6b, 0x61, + 0x73, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, + 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, + 0x69, 0x64, 0x12, 0x15, 0x0a, 0x08, 0x73, 0x70, 0x6c, 0x69, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x07, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x69, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x77, 0x72, 0x61, + 0x70, 0x70, 0x65, 0x64, 
0x5f, 0x6b, 0x65, 0x79, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, + 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x22, 0x95, 0x04, 0x0a, 0x15, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, + 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2a, 0x0a, 0x11, + 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x48, 0x0a, 0x08, 0x72, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x6b, 0x61, 0x73, + 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x57, 0x69, 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x73, 0x1a, 0x30, 0x0a, 0x0a, 0x57, 0x69, 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, + 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, + 0x62, 0x6f, 0x64, 0x79, 0x1a, 0x82, 0x01, 0x0a, 0x13, 0x57, 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, 0x16, 0x0a, - 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 
0x28, 0x09, 0x52, 0x06, 0x73, - 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x61, 0x73, 0x5f, 0x77, 0x72, 0x61, - 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, - 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, - 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, - 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x08, 0x0a, 0x06, - 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, 0x67, 0x0a, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x72, 0x65, 0x73, - 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x61, 0x73, - 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, - 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, - 0xea, 0x02, 0x0a, 0x0e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x41, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, - 0x70, 
0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x42, 0x02, 0x18, 0x01, 0x52, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x30, 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, - 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0c, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, - 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, - 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, - 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, - 0x01, 0x52, 0x0d, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, - 0x12, 0x35, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x32, 0xce, 0x02, 0x0a, - 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 
0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, - 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, - 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, - 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, - 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, - 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, - 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, - 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, - 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x2a, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, - 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, - 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, - 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, - 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, - 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, - 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, 0x72, 0x65, 0x77, 0x72, 0x61, 0x70, 
0x42, 0xe2, 0x01, - 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, - 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, - 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, 0x44, 0x20, 0x33, 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, - 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x12, 0x36, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, - 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, - 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x65, 0x6e, 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, - 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x2f, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, - 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, - 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, - 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, 0x73, 0xa2, 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, - 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, - 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, - 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, 0x3a, 0x0a, + 0x11, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, + 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x0f, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 
0x1a, 0xce, 0x01, 0x0a, 0x11, 0x57, 0x69, + 0x74, 0x68, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, + 0x5c, 0x0a, 0x12, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6f, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x6b, 0x61, + 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x57, 0x69, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x10, 0x6b, 0x65, 0x79, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x12, 0x3d, 0x0a, + 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, + 0x6b, 0x61, 0x73, 0x2e, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, + 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x57, 0x69, 0x74, 0x68, 0x50, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1c, 0x0a, 0x09, + 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x22, 0xb1, 0x01, 0x0a, 0x10, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, + 0x51, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x33, 0x92, 0x41, 0x30, 0x32, 0x2e, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, + 0x68, 0x6d, 0x20, 0x74, 0x79, 0x70, 0x65, 0x20, 0x72, 0x73, 0x61, 0x3a, 0x3c, 0x6b, 0x65, 0x79, + 0x73, 0x69, 0x7a, 0x65, 0x3e, 0x20, 0x6f, 0x72, 0x20, 0x65, 0x63, 0x3a, 0x3c, 0x63, 0x75, 0x72, + 0x76, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x3e, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, + 0x68, 0x6d, 0x12, 0x26, 0x0a, 0x03, 0x66, 0x6d, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 
0x42, + 0x14, 0x92, 0x41, 0x11, 0x32, 0x0f, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x20, 0x66, + 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x52, 0x03, 0x66, 0x6d, 0x74, 0x12, 0x22, 0x0a, 0x01, 0x76, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x14, 0x92, 0x41, 0x11, 0x32, 0x0f, 0x72, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x01, 0x76, 0x22, 0x44, + 0x0a, 0x11, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x03, 0x6b, 0x69, 0x64, 0x22, 0x4f, 0x0a, 0x0d, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x30, 0x0a, 0x14, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, + 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x12, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x06, 0x62, + 0x65, 0x61, 0x72, 0x65, 0x72, 0x22, 0xc7, 0x02, 0x0a, 0x15, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, + 0x44, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x28, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x2e, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2f, 0x0a, 0x14, 0x6b, 0x65, 0x79, 0x5f, 0x61, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x5f, 0x6f, 
0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4f, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x28, + 0x0a, 0x0f, 0x6b, 0x61, 0x73, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x0d, 0x6b, 0x61, 0x73, 0x57, 0x72, + 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, + 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, + 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, + 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x08, 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x22, + 0x67, 0x0a, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, + 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x49, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4b, 0x65, 0x79, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, + 0x07, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 0xea, 0x02, 
0x0a, 0x0e, 0x52, 0x65, 0x77, + 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, + 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, + 0x42, 0x02, 0x18, 0x01, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x30, + 0x0a, 0x12, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, + 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, + 0x12, 0x2c, 0x0a, 0x12, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x73, 0x65, + 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x29, + 0x0a, 0x0e, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0d, 0x73, 0x63, 0x68, 0x65, + 0x6d, 0x61, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x35, 0x0a, 0x09, 0x72, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x6b, + 0x61, 0x73, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, + 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x09, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x73, + 0x1a, 0x53, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, + 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 
0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x3a, 0x02, 0x38, 0x01, 0x32, 0xce, 0x02, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x69, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x12, 0x15, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x6b, 0x61, + 0x73, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x2d, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, + 0x00, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, + 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, + 0x02, 0x01, 0x12, 0x78, 0x0a, 0x0f, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x4c, 0x65, 0x67, 0x61, + 0x63, 0x79, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x22, 0x2a, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, + 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x6b, 0x61, 0x73, 0x5f, 0x70, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x90, 0x02, 0x01, 0x12, 0x58, 0x0a, 0x06, + 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x12, 0x12, 0x2e, 0x6b, 0x61, 0x73, 0x2e, 0x52, 0x65, 0x77, + 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x6b, 0x61, 0x73, + 0x2e, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 
0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0x25, 0x92, 0x41, 0x09, 0x4a, 0x07, 0x0a, 0x03, 0x32, 0x30, 0x30, 0x12, 0x00, 0x82, 0xd3, 0xe4, + 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x6b, 0x61, 0x73, 0x2f, 0x76, 0x32, 0x2f, + 0x72, 0x65, 0x77, 0x72, 0x61, 0x70, 0x42, 0xe2, 0x01, 0x92, 0x41, 0x73, 0x12, 0x71, 0x0a, 0x1a, + 0x4f, 0x70, 0x65, 0x6e, 0x54, 0x44, 0x46, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2a, 0x4c, 0x0a, 0x12, 0x42, 0x53, + 0x44, 0x20, 0x33, 0x2d, 0x43, 0x6c, 0x61, 0x75, 0x73, 0x65, 0x20, 0x43, 0x6c, 0x65, 0x61, 0x72, + 0x12, 0x36, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x62, 0x61, 0x63, + 0x6b, 0x65, 0x6e, 0x64, 0x2f, 0x62, 0x6c, 0x6f, 0x62, 0x2f, 0x6d, 0x61, 0x73, 0x74, 0x65, 0x72, + 0x2f, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x32, 0x05, 0x31, 0x2e, 0x35, 0x2e, 0x30, 0x0a, + 0x07, 0x63, 0x6f, 0x6d, 0x2e, 0x6b, 0x61, 0x73, 0x42, 0x08, 0x4b, 0x61, 0x73, 0x50, 0x72, 0x6f, + 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, + 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x6b, 0x61, + 0x73, 0xa2, 0x02, 0x03, 0x4b, 0x58, 0x58, 0xaa, 0x02, 0x03, 0x4b, 0x61, 0x73, 0xca, 0x02, 0x03, + 0x4b, 0x61, 0x73, 0xe2, 0x02, 0x0f, 0x4b, 0x61, 0x73, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x03, 0x4b, 0x61, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( 
@@ -1108,49 +1159,51 @@ func file_kas_kas_proto_rawDescGZIP() []byte { return file_kas_kas_proto_rawDescData } -var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 16) +var file_kas_kas_proto_msgTypes = make([]protoimpl.MessageInfo, 17) var file_kas_kas_proto_goTypes = []interface{}{ (*InfoRequest)(nil), // 0: kas.InfoRequest (*InfoResponse)(nil), // 1: kas.InfoResponse (*LegacyPublicKeyRequest)(nil), // 2: kas.LegacyPublicKeyRequest - (*KeyAccess)(nil), // 3: kas.KeyAccess - (*UnsignedRewrapRequest)(nil), // 4: kas.UnsignedRewrapRequest - (*PublicKeyRequest)(nil), // 5: kas.PublicKeyRequest - (*PublicKeyResponse)(nil), // 6: kas.PublicKeyResponse - (*RewrapRequest)(nil), // 7: kas.RewrapRequest - (*KeyAccessRewrapResult)(nil), // 8: kas.KeyAccessRewrapResult - (*PolicyRewrapResult)(nil), // 9: kas.PolicyRewrapResult - (*RewrapResponse)(nil), // 10: kas.RewrapResponse - (*UnsignedRewrapRequest_WithPolicy)(nil), // 11: kas.UnsignedRewrapRequest.WithPolicy - (*UnsignedRewrapRequest_WithKeyAccessObject)(nil), // 12: kas.UnsignedRewrapRequest.WithKeyAccessObject - (*UnsignedRewrapRequest_WithPolicyRequest)(nil), // 13: kas.UnsignedRewrapRequest.WithPolicyRequest - nil, // 14: kas.KeyAccessRewrapResult.MetadataEntry - nil, // 15: kas.RewrapResponse.MetadataEntry - (*structpb.Value)(nil), // 16: google.protobuf.Value - (*wrapperspb.StringValue)(nil), // 17: google.protobuf.StringValue + (*PolicyBinding)(nil), // 3: kas.PolicyBinding + (*KeyAccess)(nil), // 4: kas.KeyAccess + (*UnsignedRewrapRequest)(nil), // 5: kas.UnsignedRewrapRequest + (*PublicKeyRequest)(nil), // 6: kas.PublicKeyRequest + (*PublicKeyResponse)(nil), // 7: kas.PublicKeyResponse + (*RewrapRequest)(nil), // 8: kas.RewrapRequest + (*KeyAccessRewrapResult)(nil), // 9: kas.KeyAccessRewrapResult + (*PolicyRewrapResult)(nil), // 10: kas.PolicyRewrapResult + (*RewrapResponse)(nil), // 11: kas.RewrapResponse + (*UnsignedRewrapRequest_WithPolicy)(nil), // 12: kas.UnsignedRewrapRequest.WithPolicy + 
(*UnsignedRewrapRequest_WithKeyAccessObject)(nil), // 13: kas.UnsignedRewrapRequest.WithKeyAccessObject + (*UnsignedRewrapRequest_WithPolicyRequest)(nil), // 14: kas.UnsignedRewrapRequest.WithPolicyRequest + nil, // 15: kas.KeyAccessRewrapResult.MetadataEntry + nil, // 16: kas.RewrapResponse.MetadataEntry + (*structpb.Value)(nil), // 17: google.protobuf.Value + (*wrapperspb.StringValue)(nil), // 18: google.protobuf.StringValue } var file_kas_kas_proto_depIdxs = []int32{ - 13, // 0: kas.UnsignedRewrapRequest.requests:type_name -> kas.UnsignedRewrapRequest.WithPolicyRequest - 14, // 1: kas.KeyAccessRewrapResult.metadata:type_name -> kas.KeyAccessRewrapResult.MetadataEntry - 8, // 2: kas.PolicyRewrapResult.results:type_name -> kas.KeyAccessRewrapResult - 15, // 3: kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry - 9, // 4: kas.RewrapResponse.responses:type_name -> kas.PolicyRewrapResult - 3, // 5: kas.UnsignedRewrapRequest.WithKeyAccessObject.key_access_object:type_name -> kas.KeyAccess - 12, // 6: kas.UnsignedRewrapRequest.WithPolicyRequest.key_access_objects:type_name -> kas.UnsignedRewrapRequest.WithKeyAccessObject - 11, // 7: kas.UnsignedRewrapRequest.WithPolicyRequest.policy:type_name -> kas.UnsignedRewrapRequest.WithPolicy - 16, // 8: kas.KeyAccessRewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value - 16, // 9: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value - 5, // 10: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest - 2, // 11: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest - 7, // 12: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest - 6, // 13: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse - 17, // 14: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue - 10, // 15: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse - 13, // [13:16] is the sub-list for method output_type - 10, // [10:13] is the 
sub-list for method input_type - 10, // [10:10] is the sub-list for extension type_name - 10, // [10:10] is the sub-list for extension extendee - 0, // [0:10] is the sub-list for field type_name + 3, // 0: kas.KeyAccess.policy_binding:type_name -> kas.PolicyBinding + 14, // 1: kas.UnsignedRewrapRequest.requests:type_name -> kas.UnsignedRewrapRequest.WithPolicyRequest + 15, // 2: kas.KeyAccessRewrapResult.metadata:type_name -> kas.KeyAccessRewrapResult.MetadataEntry + 9, // 3: kas.PolicyRewrapResult.results:type_name -> kas.KeyAccessRewrapResult + 16, // 4: kas.RewrapResponse.metadata:type_name -> kas.RewrapResponse.MetadataEntry + 10, // 5: kas.RewrapResponse.responses:type_name -> kas.PolicyRewrapResult + 4, // 6: kas.UnsignedRewrapRequest.WithKeyAccessObject.key_access_object:type_name -> kas.KeyAccess + 13, // 7: kas.UnsignedRewrapRequest.WithPolicyRequest.key_access_objects:type_name -> kas.UnsignedRewrapRequest.WithKeyAccessObject + 12, // 8: kas.UnsignedRewrapRequest.WithPolicyRequest.policy:type_name -> kas.UnsignedRewrapRequest.WithPolicy + 17, // 9: kas.KeyAccessRewrapResult.MetadataEntry.value:type_name -> google.protobuf.Value + 17, // 10: kas.RewrapResponse.MetadataEntry.value:type_name -> google.protobuf.Value + 6, // 11: kas.AccessService.PublicKey:input_type -> kas.PublicKeyRequest + 2, // 12: kas.AccessService.LegacyPublicKey:input_type -> kas.LegacyPublicKeyRequest + 8, // 13: kas.AccessService.Rewrap:input_type -> kas.RewrapRequest + 7, // 14: kas.AccessService.PublicKey:output_type -> kas.PublicKeyResponse + 18, // 15: kas.AccessService.LegacyPublicKey:output_type -> google.protobuf.StringValue + 11, // 16: kas.AccessService.Rewrap:output_type -> kas.RewrapResponse + 14, // [14:17] is the sub-list for method output_type + 11, // [11:14] is the sub-list for method input_type + 11, // [11:11] is the sub-list for extension type_name + 11, // [11:11] is the sub-list for extension extendee + 0, // [0:11] is the sub-list for field type_name } func 
init() { file_kas_kas_proto_init() } @@ -1196,7 +1249,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KeyAccess); i { + switch v := v.(*PolicyBinding); i { case 0: return &v.state case 1: @@ -1208,7 +1261,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UnsignedRewrapRequest); i { + switch v := v.(*KeyAccess); i { case 0: return &v.state case 1: @@ -1220,7 +1273,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyRequest); i { + switch v := v.(*UnsignedRewrapRequest); i { case 0: return &v.state case 1: @@ -1232,7 +1285,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyResponse); i { + switch v := v.(*PublicKeyRequest); i { case 0: return &v.state case 1: @@ -1244,7 +1297,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapRequest); i { + switch v := v.(*PublicKeyResponse); i { case 0: return &v.state case 1: @@ -1256,7 +1309,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*KeyAccessRewrapResult); i { + switch v := v.(*RewrapRequest); i { case 0: return &v.state case 1: @@ -1268,7 +1321,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PolicyRewrapResult); i { + switch v := v.(*KeyAccessRewrapResult); i { case 0: return &v.state case 1: 
@@ -1280,7 +1333,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RewrapResponse); i { + switch v := v.(*PolicyRewrapResult); i { case 0: return &v.state case 1: @@ -1292,7 +1345,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UnsignedRewrapRequest_WithPolicy); i { + switch v := v.(*RewrapResponse); i { case 0: return &v.state case 1: @@ -1304,7 +1357,7 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UnsignedRewrapRequest_WithKeyAccessObject); i { + switch v := v.(*UnsignedRewrapRequest_WithPolicy); i { case 0: return &v.state case 1: @@ -1316,6 +1369,18 @@ func file_kas_kas_proto_init() { } } file_kas_kas_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UnsignedRewrapRequest_WithKeyAccessObject); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kas_kas_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*UnsignedRewrapRequest_WithPolicyRequest); i { case 0: return &v.state @@ -1328,7 +1393,7 @@ func file_kas_kas_proto_init() { } } } - file_kas_kas_proto_msgTypes[8].OneofWrappers = []interface{}{ + file_kas_kas_proto_msgTypes[9].OneofWrappers = []interface{}{ (*KeyAccessRewrapResult_KasWrappedKey)(nil), (*KeyAccessRewrapResult_Error)(nil), } @@ -1338,7 +1403,7 @@ func file_kas_kas_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_kas_kas_proto_rawDesc, NumEnums: 0, - NumMessages: 16, + NumMessages: 17, NumExtensions: 0, NumServices: 1, }, diff --git a/sdk/kas_client_test.go b/sdk/kas_client_test.go index 83d399bfcd..a45f321194 100644 --- a/sdk/kas_client_test.go +++ b/sdk/kas_client_test.go 
@@ -2,7 +2,6 @@ package sdk import ( "context" - "encoding/json" "net/http" "testing" @@ -28,6 +27,7 @@ type FakeAccessTokenSource struct { func (fake FakeAccessTokenSource) AccessToken(context.Context, *http.Client) (auth.AccessToken, error) { return auth.AccessToken(fake.accessToken), nil } + func (fake FakeAccessTokenSource) MakeToken(tokenMaker func(jwk.Key) ([]byte, error)) ([]byte, error) { return tokenMaker(fake.dpopKey) } @@ -59,10 +59,6 @@ func TestCreatingRequest(t *testing.T) { require.NoError(t, err, "error creating RSA Key") client := newKASClient(dialOption, tokenSource, &kasKey) - policyBindingBytes, err := json.Marshal(PolicyBinding{ - Alg: "HS256", - Hash: "somehash", - }) require.NoError(t, err) keyAccess := []*kaspb.UnsignedRewrapRequest_WithPolicyRequest{ @@ -70,11 +66,14 @@ func TestCreatingRequest(t *testing.T) { KeyAccessObjects: []*kaspb.UnsignedRewrapRequest_WithKeyAccessObject{ { KeyAccessObject: &kaspb.KeyAccess{ - KeyType: "type1", - KasUrl: "https://kas.example.org", - Protocol: "protocol one", - WrappedKey: []byte("wrapped"), - PolicyBinding: policyBindingBytes, + KeyType: "type1", + KasUrl: "https://kas.example.org", + Protocol: "protocol one", + WrappedKey: []byte("wrapped"), + PolicyBinding: &kaspb.PolicyBinding{ + Hash: "somehash", + Algorithm: "HS256", + }, EncryptedMetadata: "encrypted", }, }, 
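Review bot: The `require.NoError(t, err)` left in TestCreatingRequest after the removed `json.Marshal` now re-checks the `err` from the RSA key creation a few lines above, so it no longer asserts anything new; drop it or attach it to a call that actually produces an error. The same stale check survives in keyAccessWrappedRaw in service/kas/access/rewrap_test.go, where `binding, err := json.Marshal(policyBinding)` was removed but `require.NoError(t, err)` stays. TestCreatingRequest continues outside the hunk.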
@@ -110,15 +109,13 @@ func TestCreatingRequest(t *testing.T) { require.Len(t, requestBody.GetRequests(), 1) require.Len(t, requestBody.GetRequests()[0].GetKeyAccessObjects(), 1) kao := requestBody.GetRequests()[0].GetKeyAccessObjects()[0] - var policyBinding map[string]interface{} - err = json.Unmarshal(kao.GetKeyAccessObject().GetPolicyBinding(), &policyBinding) - require.NoError(t, err) + policyBinding := kao.GetKeyAccessObject().GetPolicyBinding() assert.Equal(t, "https://kas.example.org", kao.GetKeyAccessObject().GetKasUrl(), "incorrect kasURL") assert.Equal(t, "protocol one", kao.GetKeyAccessObject().GetProtocol(), "incorrect protocol") assert.Equal(t, []byte("wrapped"), kao.GetKeyAccessObject().GetWrappedKey(), "incorrect wrapped key") - assert.Equal(t, "HS256", policyBinding["alg"], "incorrect policy binding") - assert.Equal(t, "somehash", policyBinding["hash"], "incorrect policy binding") + assert.Equal(t, "HS256", policyBinding.GetAlgorithm(), "incorrect policy binding") + assert.Equal(t, "somehash", policyBinding.GetHash(), "incorrect policy binding") assert.Equal(t, "encrypted", kao.GetKeyAccessObject().GetEncryptedMetadata(), "incorrect encrypted metadata") } diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go index b2999a0464..601068af23 100644 --- a/sdk/nanotdf.go +++ b/sdk/nanotdf.go @@ -946,7 +946,7 @@ func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[stri KeyAccessObjects: []*kas.UnsignedRewrapRequest_WithKeyAccessObject{ { KeyAccessObjectId: "kao-0", - KeyAccessObject: &kas.KeyAccess{KasUrl: kasURL, Header: headerBuf, Algorithm: "ec:secp256r1"}, + KeyAccessObject: &kas.KeyAccess{KasUrl: kasURL, Header: headerBuf}, }, }, Policy: &kas.UnsignedRewrapRequest_WithPolicy{ diff --git a/sdk/tdf.go b/sdk/tdf.go index 1584362e96..7edb645751 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go 
@@ -246,8 +246,7 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R EncryptedSize: int64(len(cipherData)), } - tdfObject.manifest.EncryptionInformation.IntegrityInformation.Segments = - append(tdfObject.manifest.EncryptionInformation.IntegrityInformation.Segments, segmentInfo) + tdfObject.manifest.EncryptionInformation.IntegrityInformation.Segments = append(tdfObject.manifest.EncryptionInformation.IntegrityInformation.Segments, segmentInfo) totalSegments-- readPos += readSize @@ -311,7 +310,7 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R encoded := ocrypto.Base64Encode([]byte(completeHashBuilder.String())) - var assertionSigningKey = AssertionKey{} + assertionSigningKey := AssertionKey{} // Set default to HS256 and payload key assertionSigningKey.Alg = AssertionKeyAlgHS256 @@ -670,8 +669,8 @@ func (r *Reader) ReadAt(buf []byte, offset int64) (int, error) { //nolint:funlen } defaultSegmentSize := r.manifest.EncryptionInformation.IntegrityInformation.DefaultSegmentSize - var start = math.Floor(float64(offset) / float64(defaultSegmentSize)) - var end = math.Ceil(float64(offset+int64(len(buf))) / float64(defaultSegmentSize)) + start := math.Floor(float64(offset) / float64(defaultSegmentSize)) + end := math.Ceil(float64(offset+int64(len(buf))) / float64(defaultSegmentSize)) firstSegment := int64(start) lastSegment := int64(end) 
@@ -829,20 +828,40 @@ func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.Unsigned if err != nil { return nil, fmt.Errorf("could not decode wrapper key: %w", err) } - binding, err := json.Marshal(kao.PolicyBinding) - if err != nil { - return nil, err + var alg string + var hash string + invalidPolicy := false + switch policyBinding := kao.PolicyBinding.(type) { + case string: + hash = policyBinding + case map[string]interface{}: + var ok bool + hash, ok = policyBinding["hash"].(string) + invalidPolicy = !ok + alg, ok = policyBinding["alg"].(string) + invalidPolicy = invalidPolicy || !ok + case (PolicyBinding): + hash = policyBinding.Hash + alg = policyBinding.Alg + default: + invalidPolicy = true + } + if invalidPolicy { + return nil, fmt.Errorf("invalid policy object: %s", kao.PolicyBinding) } kaoReq := &kas.UnsignedRewrapRequest_WithKeyAccessObject{ KeyAccessObjectId: kaoID, KeyAccessObject: &kas.KeyAccess{ - KeyType: kao.KeyType, - KasUrl: kao.KasURL, - Kid: kao.KID, - Protocol: kao.Protocol, - PolicyBinding: binding, - SplitId: kao.SplitID, - WrappedKey: key, + KeyType: kao.KeyType, + KasUrl: kao.KasURL, + Kid: kao.KID, + Protocol: kao.Protocol, + PolicyBinding: &kas.PolicyBinding{ + Hash: hash, + Algorithm: alg, + }, + SplitId: kao.SplitID, + WrappedKey: key, }, } if req, ok := kasReqs[kao.KasURL]; ok { diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 9b69d56b5f..5587cf7e4d 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -38,10 +38,12 @@ import ( "google.golang.org/grpc/status" ) -const kTDF3Algorithm = "rsa:2048" -const kNanoAlgorithm = "ec:secp256r1" -const kFailedStatus = "fail" -const kPermitStatus = "permit" +const ( + kTDF3Algorithm = "rsa:2048" + kNanoAlgorithm = "ec:secp256r1" + kFailedStatus = "fail" + kPermitStatus = "permit" +) type SignedRequestBody struct { RequestBody string `json:"requestBody"` 
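Review bot: The error path in createRewrapRequest formats `kao.PolicyBinding` with `%s`, but the switch just above shows the value can be a `string`, a `map[string]interface{}` or a `PolicyBinding`, so `%v` (or `%T` if only the shape matters) is the right verb: `return nil, fmt.Errorf("invalid policy object: %v", kao.PolicyBinding)`. The bare-string case leaves `alg` empty and forwards only the hash; a one-line comment on that case, `// bare hash: presumably the older manifest form, which carries no algorithm`, would stop a later reader from treating it as an oversight, and `case (PolicyBinding):` reads more naturally without the parentheses. createRewrapRequest begins and ends outside the hunk.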
@@ -141,7 +143,7 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error } kao := requestBody.KeyAccess - binding, err := json.Marshal(kao.PolicyBinding) + binding, err := extractPolicyBinding(kao.PolicyBinding) if err != nil { return kaspb.UnsignedRewrapRequest{}, err } @@ -151,7 +153,7 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error KeyAccessObjects: []*kaspb.UnsignedRewrapRequest_WithKeyAccessObject{ {KeyAccessObjectId: "kao-0", KeyAccessObject: &kaspb.KeyAccess{ EncryptedMetadata: kao.EncryptedMetadata, - PolicyBinding: binding, + PolicyBinding: &kaspb.PolicyBinding{Hash: binding}, Protocol: kao.Protocol, KeyType: kao.Type, KasUrl: kao.URL, @@ -159,7 +161,6 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error SplitId: kao.SID, WrappedKey: kao.WrappedKey, Header: kao.Header, - Algorithm: kao.Algorithm, }}, }, Algorithm: requestBody.Algorithm, @@ -253,12 +254,8 @@ func verifyPolicyBinding(ctx context.Context, policy []byte, kao *kaspb.Unsigned logger.WarnContext(ctx, "unable to generate policy hmac", "err", err) return err400("bad request") } - policyBinding, err := extractPolicyBinding(kao.GetKeyAccessObject().GetPolicyBinding()) - if err != nil { - logger.WarnContext(ctx, "bad policy binding") - return err400("bad request") - } + policyBinding := kao.GetKeyAccessObject().GetPolicyBinding().GetHash() expectedHMAC := make([]byte, base64.StdEncoding.DecodedLen(len(policyBinding))) n, err := base64.StdEncoding.Decode(expectedHMAC, []byte(policyBinding)) if err == nil { 
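Review bot: In verifyPolicyBinding, `GetPolicyBinding().GetHash()` is nil-safe, so a request with no policy_binding at all now yields an empty hash and falls through to the base64 decode and HMAC comparison instead of the explicit "bad policy binding" rejection the removed lines gave; an empty hash should presumably fail the comparison further down, but rejecting it up front with a distinct log line is clearer for operators: `if policyBinding == "" { logger.WarnContext(ctx, "missing policy binding"); return err400("bad request") }`. The new `Algorithm` field is not consulted anywhere in this hunk; if `HS256` is the only binding algorithm the server computes, checking that a non-empty `alg` names it would keep that assumption explicit rather than silently ignoring the client's value. verifyPolicyBinding continues outside the hunk.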
@@ -277,11 +274,7 @@ func verifyPolicyBinding(ctx context.Context, policy []byte, kao *kaspb.Unsigned return nil } -func extractPolicyBinding(policyBindingBytes []byte) (string, error) { - var policyBinding interface{} - if err := json.Unmarshal(policyBindingBytes, &policyBinding); err != nil { - return "", fmt.Errorf("could not decode binding") - } +func extractPolicyBinding(policyBinding interface{}) (string, error) { switch v := policyBinding.(type) { case string: return v, nil @@ -318,6 +311,7 @@ func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, err return info, nil } + func failedKAORewrap(res map[string]kaoResult, kao *kaspb.UnsignedRewrapRequest_WithKeyAccessObject, err error) { res[kao.GetKeyAccessObjectId()] = kaoResult{ ID: kao.GetKeyAccessObjectId(), @@ -350,6 +344,7 @@ func addResultsToResponse(response *kaspb.RewrapResponse, result policyKAOResult response.Responses = append(response.Responses, policyResults) } } + func getMapValue[Map ~map[K]V, K comparable, V any](m Map) *V { for _, v := range m { return &v @@ -540,7 +535,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.UnsignedRew continue } - policyBinding, _ := extractPolicyBinding(kao.GetKeyAccessObject().GetPolicyBinding()) + policyBinding := kao.GetKeyAccessObject().GetPolicyBinding().GetHash() auditEventParams := audit.RewrapAuditEventParams{ Policy: kasPolicy, IsSuccess: access, diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go index 1de3ad9487..14ad8b6207 100644 --- a/service/kas/access/rewrap_test.go +++ b/service/kas/access/rewrap_test.go 
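Review bot: extractPolicyBinding now takes an `interface{}` straight from the decoded v1 request body but has no doc comment saying which dynamic types it accepts; add `// extractPolicyBinding returns the binding hash carried by a v1 policyBinding value, which may arrive as a bare string (other shapes are handled by the cases below).` The remaining cases of the type switch lie outside the hunk, so only the string branch is visible here.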
@@ -215,17 +215,18 @@ func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) kaspb.Unsigne dst := make([]byte, hex.EncodedLen(len(bindingBytes))) hex.Encode(dst, bindingBytes) - var policyBinding interface{} + var policyBinding *kaspb.PolicyBinding if policyBindingAsString { - policyBinding = base64.StdEncoding.EncodeToString(dst) - } else { - policyBinding = PolicyBinding{ - Alg: "HS256", + policyBinding = &kaspb.PolicyBinding{ Hash: base64.StdEncoding.EncodeToString(dst), } + } else { + policyBinding = &kaspb.PolicyBinding{ + Algorithm: "HS256", + Hash: base64.StdEncoding.EncodeToString(dst), + } } - binding, err := json.Marshal(policyBinding) require.NoError(t, err) return kaspb.UnsignedRewrapRequest_WithKeyAccessObject{ @@ -235,7 +236,7 @@ func keyAccessWrappedRaw(t *testing.T, policyBindingAsString bool) kaspb.Unsigne KasUrl: "http://127.0.0.1:4000", Protocol: "kas", WrappedKey: []byte(base64.StdEncoding.EncodeToString(wrappedKey)), - PolicyBinding: binding, + PolicyBinding: policyBinding, }, } } diff --git a/service/kas/kas.proto b/service/kas/kas.proto index 38dca791d0..3125403609 100644 --- a/service/kas/kas.proto +++ b/service/kas/kas.proto @@ -31,17 +31,22 @@ message LegacyPublicKeyRequest { string algorithm = 1; } +message PolicyBinding { + string algorithm = 1 [json_name = "alg"]; + string hash = 2; +} + message KeyAccess { string encrypted_metadata = 1; - bytes policy_binding = 2; + PolicyBinding policy_binding = 2; string protocol = 3; string key_type = 4 [json_name = "type"]; string kas_url = 5 [json_name = "url"]; string kid = 6; string split_id = 7 [json_name = "sid"]; bytes wrapped_key = 8; + // header is only used for NanoTDFs bytes header = 9; - string algorithm = 10 [json_name = "alg"]; } message UnsignedRewrapRequest { From c77992a3998dfee0e04932e64b7c54bd8028cde4 Mon Sep 17 00:00:00 2001 
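Review bot: Removing `string algorithm = 10` from KeyAccess without reserving the number leaves field 10 free to be reassigned later, which would silently misinterpret payloads from clients still sending `alg`; add `reserved 10;` and `reserved "algorithm";` inside the message. Changing `policy_binding` from `bytes` to the new `PolicyBinding` message on the same field number keeps the wire type (both are length-delimited), so an older client that still sends JSON bytes will be decoded as a malformed message rather than rejected cleanly; if that compatibility matters, a new field number with the old one deprecated is the safer route. The `PolicyBinding` message also lacks comments on its fields; `// algorithm names the MAC used to produce hash (serialized as "alg")` and `// hash is the base64-encoded binding over the policy` would match the `header` comment added below.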
From: Dominic Reed Date: Thu, 16 Jan 2025 10:40:44 -0800 Subject: [PATCH 45/48] proto gen --- docs/grpc/index.html | 2 +- protocol/go/kas/kas.pb.go | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/grpc/index.html b/docs/grpc/index.html index 4c0b460917..dea63f4b0f 100644 --- a/docs/grpc/index.html +++ b/docs/grpc/index.html @@ -3309,7 +3309,7 @@

    KeyAccess

    header bytes -

    +

    header is only used for NanoTDFs

    diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go index 5527a50d10..7451da9c9f 100644 --- a/protocol/go/kas/kas.pb.go +++ b/protocol/go/kas/kas.pb.go @@ -225,7 +225,8 @@ type KeyAccess struct { Kid string `protobuf:"bytes,6,opt,name=kid,proto3" json:"kid,omitempty"` SplitId string `protobuf:"bytes,7,opt,name=split_id,json=sid,proto3" json:"split_id,omitempty"` WrappedKey []byte `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"` - Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"` + // header is only used for NanoTDFs + Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"` } func (x *KeyAccess) Reset() { From 0ddfa1234c4b566217e0782f6636852b3d120e3b Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 11:11:16 -0800 Subject: [PATCH 46/48] ignore binding errors for nano --- service/kas/access/rewrap.go | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go index 5587cf7e4d..d57a34cdb7 100644 --- a/service/kas/access/rewrap.go +++ b/service/kas/access/rewrap.go @@ -143,17 +143,15 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error } kao := requestBody.KeyAccess - binding, err := extractPolicyBinding(kao.PolicyBinding) - if err != nil { - return kaspb.UnsignedRewrapRequest{}, err - } + // ignore errors, maybe nanoTDF + binding, _ := extractPolicyBinding(kao.PolicyBinding) reqs := []*kaspb.UnsignedRewrapRequest_WithPolicyRequest{ { KeyAccessObjects: []*kaspb.UnsignedRewrapRequest_WithKeyAccessObject{ {KeyAccessObjectId: "kao-0", KeyAccessObject: &kaspb.KeyAccess{ EncryptedMetadata: kao.EncryptedMetadata, - PolicyBinding: &kaspb.PolicyBinding{Hash: binding}, + PolicyBinding: &kaspb.PolicyBinding{Hash: binding, Algorithm: kao.Algorithm}, Protocol: kao.Protocol, KeyType: kao.Type, KasUrl: kao.URL, 
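Review bot: `binding, _ := extractPolicyBinding(kao.PolicyBinding)` now discards the parse error for every request, not only NanoTDF ones, so a TDF3 request with an unparseable binding is forwarded with an empty `Hash` and the failure only surfaces later as a generic binding mismatch; scope the tolerance to the nano case using the request algorithm that is already copied into the same struct: `binding, err := extractPolicyBinding(kao.PolicyBinding)` / `if err != nil && requestBody.Algorithm != kNanoAlgorithm {` / `return kaspb.UnsignedRewrapRequest{}, err }`. Also, `Algorithm: kao.Algorithm` stores the v1 key-access-level `alg` in `PolicyBinding.Algorithm`; in the SDK hunks of patch 01 that KAO field carried the key algorithm (`ec:secp256r1`) while the binding `alg` is the MAC (`HS256`), so this looks like a different value landing under the binding's name — confirm which field the v1 body actually populates. The comment `// ignore errors, maybe nanoTDF` should state why a missing binding is acceptable for nano rather than that it might be one. extractAndConvertV1SRTBody begins and ends outside the hunk.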
From 35b15c2cb0700da409a90ff7c411d0cc7de15509 Mon Sep 17 00:00:00 2001 From: Dominic Reed Date: Thu, 16 Jan 2025 14:00:41 -0800 Subject: [PATCH 47/48] add docs to bulk API Summary: Test Plan: --- sdk/bulk.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sdk/bulk.go b/sdk/bulk.go index 7a93e98837..d009241ea2 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -9,6 +9,7 @@ import ( "github.com/opentdf/platform/protocol/go/kas" ) +// BulkTDF: Reader is TDF Content. Writer writes encrypted data. Error is the error that occurs if decrypting fails. type BulkTDF struct { Reader io.ReadSeeker Writer io.Writer @@ -20,6 +21,7 @@ type BulkDecryptRequest struct { TDFType TdfType } +// BulkErrors List of Errors that Failed during Bulk Decryption type BulkErrors []error func (b BulkErrors) Error() string { @@ -35,11 +37,14 @@ func FromBulkErrors(err error) ([]error, bool) { type BulkDecryptOption func(request *BulkDecryptRequest) +// WithTDFs Adds Lists of TDFs to be decrypted func WithTDFs(tdfs ...*BulkTDF) BulkDecryptOption { return func(request *BulkDecryptRequest) { request.appendTDFs(tdfs...) } } + +// WithTDFType Type of TDFs to be decrypted func WithTDFType(tdfType TdfType) BulkDecryptOption { return func(request *BulkDecryptRequest) { request.TDFType = tdfType @@ -66,7 +71,7 @@ func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (decryptor, error) { return nil, fmt.Errorf("unknown tdf type: %s", tdfType) } -// BulkDecrypt +// BulkDecrypt Decrypts a list of BulkTDF and if a partial failure of TDFs unable to be decrypted, BulkErrors would be returned. func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error { bulkReq := createBulkRewrapRequest(opts...) kasRewrapRequests := make(map[string][]*kas.UnsignedRewrapRequest_WithPolicyRequest) From 9a0c5a1a5df83f4e8415e7594bf38a71bb03ad53 Mon Sep 17 00:00:00 2001 
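Review bot: The new doc comments do not follow Go's convention of a full sentence that begins with the identifier, which is what godoc renders and most linters check — `// BulkTDF:` and `// BulkErrors List of Errors` read awkwardly. Suggested forms: `// BulkErrors is the list of errors collected from TDFs that failed during bulk decryption.`, `// WithTDFs adds TDFs to be decrypted.`, `// WithTDFType sets the type of the TDFs to be decrypted.`, and `// BulkDecrypt decrypts every BulkTDF in the request; on partial failure it returns a BulkErrors describing the TDFs that could not be decrypted.` For the struct, `// BulkTDF pairs TDF content (Reader) with the destination for decrypted data (Writer) and records the decryption error, if any.` says the same thing without the colon-separated list.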
From: dominic reed Date: Fri, 17 Jan 2025 13:04:13 -0800 Subject: [PATCH 48/48] unwrap errors Co-authored-by: Dave Mihalcik --- sdk/bulk.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sdk/bulk.go b/sdk/bulk.go index d009241ea2..f878ec27fb 100644 --- a/sdk/bulk.go +++ b/sdk/bulk.go @@ -24,6 +24,10 @@ type BulkDecryptRequest struct { // BulkErrors List of Errors that Failed during Bulk Decryption type BulkErrors []error +func (b BulkErrors) Unwrap() []error { + return b +} + func (b BulkErrors) Error() string { return fmt.Sprintf("Some TDFs could not be Decrypted: %s", errors.Join(b...).Error()) }
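Review bot: `Unwrap` returns the BulkErrors slice itself, so a caller that appends to or reorders the result mutates the original error value; returning a copy, `return append([]error(nil), b...)`, is cheap and keeps the error immutable. With Unwrap in place the type now participates in errors.Is and errors.As, which is worth stating in a doc comment: `// Unwrap exposes the individual errors so errors.Is and errors.As can match a single failed TDF.` Separately, the adjacent pre-existing Error() calls `errors.Join(b...).Error()`, and errors.Join returns nil for an empty slice, so a zero-length BulkErrors would panic — a `if len(b) == 0 { return "no TDFs failed" }` guard (or refusing to construct an empty BulkErrors) closes that gap.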