opentdf · strantalis · Jun 5, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025
diff --git a/protocol/go/CHANGELOG.md b/protocol/go/CHANGELOG.md
@@ -28,7 +28,7 @@ const (
 	validKeyID3              = "key_id_3"
 	keyID4                   = "key_id_4"
 	notFoundKasUUID          = "123e4567-e89b-12d3-a456-426614174000"
-	keyCtx                   = `eyJrZXkiOiJ2YWx1ZSJ9Cg==`
+	keyCtx                   = `YS1wZW0K`
 	providerConfigID         = "123e4567-e89b-12d3-a456-426614174000"
 	rotateKey                = "rotate_key"
 	nonRotateKey             = "non_rotate_key"
@@ -903,6 +903,10 @@ func (s *KasRegistryKeySuite) Test_SetBaseKey_Insert_Success() {
 	s.NotNil(newBaseKey)
 	s.Nil(newBaseKey.GetPreviousBaseKey())
 	s.Equal(key.GetKasKey().GetKey().GetKeyId(), newBaseKey.GetNewBaseKey().GetPublicKey().GetKid())
+	s.Equal(key.GetKasKey().GetKey().GetKeyAlgorithm(), newBaseKey.GetNewBaseKey().GetPublicKey().GetAlgorithm())
+	decodedKeyCtx, err := base64.StdEncoding.DecodeString(keyCtx)
+	s.Require().NoError(err)
+	s.Equal(string(decodedKeyCtx), newBaseKey.GetNewBaseKey().GetPublicKey().GetPem())
 }
 
 func (s *KasRegistryKeySuite) Test_SetBaseKey_CannotSetPublicKeyOnlyKey_Fails() {

@@ -1,11 +1,9 @@
 package db
 
 import (
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strconv"
 
 	"github.com/opentdf/platform/protocol/go/common"
 	"github.com/opentdf/platform/protocol/go/policy"
@@ -125,7 +123,7 @@ func KasKeysProtoJSON(keysJSON []byte) ([]*policy.KasKey, error) {
 	return keys, nil
 }
 
-func formatAlg(alg policy.Algorithm) (string, error) {
+func FormatAlg(alg policy.Algorithm) (string, error) {
 	switch alg {
 	case policy.Algorithm_ALGORITHM_RSA_2048:
 		return "rsa:2048", nil
@@ -151,24 +149,6 @@ func UnmarshalSimpleKasKey(keysJSON []byte) (*kasregistry.SimpleKasKey, error) {
 		if err := protojson.Unmarshal(keysJSON, key); err != nil {
 			return nil, err
 		}
-
-		// In the db, this is stored as an integer, which is parsed to a string
-		// and then converted to the correct algorithm format.
-		alg, err := strconv.ParseInt(key.GetPublicKey().GetAlgorithm(), 10, 32)
-		if err != nil {
-			return nil, err
-		}
-		algorithm, err := formatAlg(policy.Algorithm(alg))
-		if err != nil {
-			return nil, err
-		}
-		// The pem should always be present and base64 encoded, as it is required for creating a key.
-		pem, err := base64.StdEncoding.DecodeString(key.GetPublicKey().GetPem())
-		if err != nil {
-			return nil, err
-		}
-		key.PublicKey.Pem = string(pem)
-		key.PublicKey.Algorithm = algorithm
 	}
 	return key, nil
 }
@@ -782,6 +782,19 @@
 		return err
 	}
 
+	if baseKey != nil {
+		algorithm, err := db.FormatAlg(baseKey.GetPublicKey().GetAlgorithm())
+		if err != nil {
+			return fmt.Errorf("failed to format algorithm: %w", err)
+		}
+		publicKey, ok := keyMap["public_key"].(map[string]any)
+		if !ok {
+			return fmt.Errorf("failed to cast public_key")
+		}
+		publicKey["algorithm"] = algorithm
+		keyMap["public_key"] = publicKey
+	}
+
 	wellknownconfiguration.UpdateConfigurationBaseKey(keyMap)
 	return nil
 }

diff --git a/service/policy/db/models.go b/service/policy/db/models.go
@@ -1700,9 +1700,9 @@ SELECT
     DISTINCT JSONB_BUILD_OBJECT(
        'kas_uri', kas.uri,
        'public_key', JSONB_BUILD_OBJECT(
-            'algorithm', kask.key_algorithm::TEXT,
+            'algorithm', kask.key_algorithm::INTEGER,
             'kid', kask.key_id,
-            'pem', kask.public_key_ctx ->> 'pem'
+            'pem', CONVERT_FROM(DECODE(kask.public_key_ctx ->> 'pem', 'base64'), 'UTF8')
        )
     ) AS base_keys
 FROM base_keys bk

@@ -605,7 +605,7 @@
 }
 
 message SimpleKasPublicKey {
-  string algorithm = 1;
+  Algorithm algorithm = 1;
   string kid = 2;
   string pem = 3;
 }