opentdf · strantalis · Jun 18, 2025 · Jun 18, 2025 · Jun 18, 2025 · Jun 18, 2025
@@ -81,6 +81,14 @@ func (m *MockKeyDetails) System() string {
 	return args.String(0)
 }
 
+func (m *MockKeyDetails) ProviderConfig() *policy.KeyProviderConfig {
+	args := m.Called()
+	if pk, ok := args.Get(0).(*policy.KeyProviderConfig); ok {
+		return pk
+	}
+	return nil
+}
+
 type MockEncapsulator struct {
 	mock.Mock
 }

@@ -11,6 +11,7 @@ import (
 	"log/slog"
 
 	"github.com/opentdf/platform/lib/ocrypto"
+	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/service/trust"
 )
 
@@ -179,6 +180,10 @@ func (k *KeyDetailsAdapter) ExportCertificate(_ context.Context) (string, error)
 	return "", errors.New("certificates only available for EC keys")
 }
 
+func (k *KeyDetailsAdapter) ProviderConfig() *policy.KeyProviderConfig {
+	return nil
+}
+
 // NewSecurityProviderAdapter creates a new adapter that implements SecurityProvider using a CryptoProvider
 func NewSecurityProviderAdapter(cryptoProvider *StandardCrypto, defaultKeys, legacyKeys []string) trust.KeyService {
 	legacyKeysMap := make(map[string]bool, len(legacyKeys))

@@ -16,6 +16,7 @@
 
 	"connectrpc.com/connect"
 	kaspb "github.com/opentdf/platform/protocol/go/kas"
+	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/service/internal/security"
 	"github.com/opentdf/platform/service/logger"
 	"github.com/opentdf/platform/service/trust"
@@ -26,12 +27,13 @@
 
 // MockKeyDetails is a test implementation of KeyDetails
 type MockKeyDetails struct {
-	id        trust.KeyIdentifier
-	algorithm string
-	legacy    bool
-	certData  string
-	pemData   string
-	jwkData   string
+	id             trust.KeyIdentifier
+	algorithm      string
+	legacy         bool
+	certData       string
+	pemData        string
+	jwkData        string
+	providerConfig policy.KeyProviderConfig
 }
 
 // Mode is a mock implementation of the Mode method required by the trust.KeyDetails interface.
@@ -80,6 +82,10 @@
 	return m.certData, nil
 }
 
+func (m *MockKeyDetails) ProviderConfig() *policy.KeyProviderConfig {
+	return nil
+}
+
 // MockSecurityProvider is a test implementation of SecurityProvider
 type MockSecurityProvider struct {
 	keys map[trust.KeyIdentifier]*MockKeyDetails

@@ -28,6 +28,7 @@ import (
 
 	"github.com/google/uuid"
 	kaspb "github.com/opentdf/platform/protocol/go/kas"
+	"github.com/opentdf/platform/protocol/go/policy"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -49,6 +50,9 @@ func (f *fakeKeyDetails) ExportPublicKey(context.Context, trust.KeyType) (string
 }
 func (f *fakeKeyDetails) ExportCertificate(context.Context) (string, error) { return "", nil }
 func (f *fakeKeyDetails) System() string                                    { return "" }
+func (f *fakeKeyDetails) ProviderConfig() *policy.KeyProviderConfig {
+	return &policy.KeyProviderConfig{}
+}
 
 type fakeKeyIndex struct {
 	keys []trust.KeyDetails

@@ -163,6 +163,10 @@ func (p *KeyAdapter) System() string {
 	return mode
 }
 
+func (p *KeyAdapter) ProviderConfig() *policy.KeyProviderConfig {
+	return p.key.GetKey().GetProviderConfig()
+}
+
 func pemToPublicKey(publicPEM string) (*rsa.PublicKey, error) {
 	// Decode the PEM data
 	block, _ := pem.Decode([]byte(publicPEM))

@@ -30,8 +30,9 @@
 					Pem: "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF3SEw0TkVrOFpDa0JzNjZXQVpWagpIS3NseDRseWdmaXN3aW42RUx5OU9OczZLVDRYa1crRGxsdExtck14bHZkbzVRaDg1UmFZS01mWUdDTWtPM0dGCkFsK0JOeWFOM1kwa0N1QjNPU2ErTzdyMURhNVZteVVuaEJNbFBrYnVPY1Y0cjlLMUhOSGd3eDl2UFp3RjRpQW8KQStEY1VBcWFEeHlvYjV6enNGZ0hUNjJHLzdLdEtiZ2hYT1dCanRUYUl1ZHpsK2FaSjFPemY0U1RkOXhST2QrMQordVo2VG1ocmFEUm9zdDUrTTZUN0toL2lGWk40TTFUY2hwWXU1TDhKR2tVaG9YaEdZcHUrMGczSzlqYlh6RVh5CnpJU3VXN2d6SGRWYUxvcnBkQlNkRHpOWkNvTFVoL0U1T3d5TFZFQkNKaDZJVUtvdWJ5WHVucnIxQnJmK2tLbEsKeHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
 				},
 				ProviderConfig: &policy.KeyProviderConfig{
-					Id:   "test-provider-id",
-					Name: "openbao",
+					Id:         "test-provider-id",
+					Name:       "openbao",
+					ConfigJson: []byte("config"),
 				},
 			},
 		},
@@ -44,6 +45,7 @@
 	s.Equal("ALGORITHM_RSA_2048", s.rsaKey.Algorithm())
 	s.False(s.rsaKey.IsLegacy())
 	s.Equal("openbao", s.rsaKey.System())
+	s.Equal("config", string(s.rsaKey.ProviderConfig().ConfigJson))
 }
 
 func (s *KeyIndexTestSuite) TestKeyExportPublicKey_JWKFormat() {

@@ -5,6 +5,7 @@ import (
 	"crypto/elliptic"
 	"testing"
 
+	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/service/logger"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/suite"
@@ -125,6 +126,14 @@ func (m *MockKeyDetails) System() string {
 	return args.String(0)
 }
 
+func (m *MockKeyDetails) ProviderConfig() *policy.KeyProviderConfig {
+	args := m.Called()
+	if a0, ok := args.Get(0).(*policy.KeyProviderConfig); ok {
+		return a0
+	}
+	return nil
+}
+
 type MockProtectedKey struct {
 	mock.Mock
 }

@@ -2,6 +2,8 @@ package trust
 
 import (
 	"context"
+
+	"github.com/opentdf/platform/protocol/go/policy"
 )
 
 // KeyType represents the format in which a key can be exported
@@ -47,6 +49,9 @@ type KeyDetails interface {
 
 	// Gets the mode indicator for the key; this is used to lookup the appropriate KeyManager.
 	System() string
+
+	// Get the provider configutaiton for the key
+	ProviderConfig() *policy.KeyProviderConfig
 }
 
 // KeyIndex provides methods to locate keys by various criteria