opentdf · c-r33d · Aug 8, 2025 · Aug 7, 2025 · Aug 7, 2025 · Aug 8, 2025
@@ -267,14 +267,17 @@ func (a *InProcessProvider) FindKeyByID(_ context.Context, id trust.KeyIdentifie
 }
 
 // ListKeys lists all available keys
-func (a *InProcessProvider) ListKeys(ctx context.Context) ([]trust.KeyDetails, error) {
+func (a *InProcessProvider) ListKeys(ctx context.Context, legacyOnly bool) ([]trust.KeyDetails, error) {
 	// This is a limited implementation as CryptoProvider doesn't expose a list of all keys
 	var keys []trust.KeyDetails
 
 	// Try to find keys for known algorithms
 	for _, alg := range []string{AlgorithmRSA2048, AlgorithmECP256R1} {
 		if kids, err := a.cryptoProvider.ListKIDsByAlgorithm(alg); err == nil && len(kids) > 0 {
 			for _, kid := range kids {
+				if legacyOnly && !a.legacyKeys[kid] {
+					continue
+				}
 				keys = append(keys, &KeyDetailsAdapter{
 					id:             trust.KeyIdentifier(kid),
 					algorithm:      alg,

@@ -118,9 +118,12 @@ func (m *MockSecurityProvider) FindKeyByID(_ context.Context, id trust.KeyIdenti
 	return nil, security.ErrCertNotFound
 }
 
-func (m *MockSecurityProvider) ListKeys(_ context.Context) ([]trust.KeyDetails, error) {
+func (m *MockSecurityProvider) ListKeys(_ context.Context, legacyOnly bool) ([]trust.KeyDetails, error) {
 	var keys []trust.KeyDetails
 	for _, key := range m.keys {
+		if legacyOnly && !key.IsLegacy() {
+			continue
+		}
 		keys = append(keys, key)
 	}
 	return keys, nil

@@ -652,7 +652,7 @@ func (p *Provider) listLegacyKeys(ctx context.Context) []trust.KeyIdentifier {
 		return kidsToCheck
 	}
 
-	k, err := p.KeyDelegator.ListKeys(ctx)
+	k, err := p.KeyDelegator.ListKeys(ctx, true)
 	if err != nil {
 		p.Logger.WarnContext(ctx, "checkpoint KeyIndex.ListKeys failed", slog.Any("error", err))
 	} else {

@@ -65,8 +65,19 @@

 func (f *fakeKeyIndex) FindKeyByID(context.Context, trust.KeyIdentifier) (trust.KeyDetails, error) {
 	return nil, errors.New("not implemented")
 }
-func (f *fakeKeyIndex) ListKeys(context.Context) ([]trust.KeyDetails, error) { return f.keys, f.err }
+func (f *fakeKeyIndex) ListKeys(_ context.Context, legacyOnly bool) ([]trust.KeyDetails, error) {
+	if legacyOnly {
+		var legacyKeys []trust.KeyDetails
+		for _, key := range f.keys {
+			if key.IsLegacy() {
+				legacyKeys = append(legacyKeys, key)
+			}
+		}
+		return legacyKeys, f.err
+	}
+	return f.keys, f.err
+}
 
 func TestListLegacyKeys_KeyringPopulated(t *testing.T) {
 	testLogger := logger.CreateTestLogger()

@@ -61,17 +61,23 @@ func convertAlgToEnum(alg string) (policy.Algorithm, error) {
 	}
 }
 
-func (p *KeyIndexer) FindKeyByAlgorithm(ctx context.Context, algorithm string, _ bool) (trust.KeyDetails, error) {
+func (p *KeyIndexer) FindKeyByAlgorithm(ctx context.Context, algorithm string, includeLegacy bool) (trust.KeyDetails, error) {
 	alg, err := convertAlgToEnum(algorithm)
 	if err != nil {
 		return nil, err
 	}
 
+	var legacy bool
+	if !includeLegacy {
+		legacy = false
+	}
+
 	req := &kasregistry.ListKeysRequest{
 		KeyAlgorithm: alg,
 		KasFilter: &kasregistry.ListKeysRequest_KasUri{
 			KasUri: p.kasURI,
 		},
+		Legacy: &legacy,
 	}
 	resp, err := p.sdk.KeyAccessServerRegistry.ListKeys(ctx, req)
 	if err != nil {
@@ -119,11 +125,17 @@ func (p *KeyIndexer) FindKeyByID(ctx context.Context, id trust.KeyIdentifier) (t
 	}, nil
 }
 
-func (p *KeyIndexer) ListKeys(ctx context.Context) ([]trust.KeyDetails, error) {
+func (p *KeyIndexer) ListKeys(ctx context.Context, legacyOnly bool) ([]trust.KeyDetails, error) {
+	var legacy bool
+	if legacyOnly {
+		legacy = true
+	}
+
 	req := &kasregistry.ListKeysRequest{
 		KasFilter: &kasregistry.ListKeysRequest_KasUri{
 			KasUri: p.kasURI,
 		},
+		Legacy: &legacy,
 	}
 	resp, err := p.sdk.KeyAccessServerRegistry.ListKeys(ctx, req)
 	if err != nil {
@@ -151,7 +163,7 @@ func (p *KeyAdapter) Algorithm() string {
 }
 
 func (p *KeyAdapter) IsLegacy() bool {
-	return false
+	return p.key.GetKey().GetLegacy()
 }
 
 // This will point to the correct "manager"

@@ -73,6 +73,26 @@ func (s *KeyIndexTestSuite) TestKeyExportPublicKey_PKCSFormat() {
 	s.Equal(pubCtx.GetPem(), string(base64Pem))
 }
 
+func (s *KeyIndexTestSuite) TestKeyDetails_Legacy() {
+	legacyKey := &KeyAdapter{
+		key: &policy.KasKey{
+			KasId: "test-kas-id",
+			Key: &policy.AsymmetricKey{
+				Id:           "test-id-legacy",
+				KeyId:        "test-key-id-legacy",
+				KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048,
+				KeyStatus:    policy.KeyStatus_KEY_STATUS_ACTIVE,
+				KeyMode:      policy.KeyMode_KEY_MODE_CONFIG_ROOT_KEY,
+				Legacy:       true, // Mark as legacy
+				PublicKeyCtx: &policy.PublicKeyCtx{
+					Pem: "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF3SEw0TkVrOFpDa0JzNjZXQVpWagpIS3NseDRseWdmaXN3aW42RUx5OU9OczZLVDRYa1crRGxsdExtck14bHZkbzVRaDg1UmFZS01mWUdDTWtPM0dGCkFsK0JOeWFOM1kwa0N1QjNPU2ErTzdyMURhNVZteVVuaEJNbFBrYnVPY1Y0cjlLMUhOSGd3eDl2UFp3RjRpQW8KQStEY1VBcWFEeHlvYjV6enNGZ0hUNjJHLzdLdEtiZ2hYT1dCanRUYUl1ZHpsK2FaSjFPemY0U1RkOXhST2QrMQordVo2VG1ocmFEUm9zdDUrTTZUN0toL2lGWk40TTFUY2hwWXU1TDhKR2tVaG9YaEdZcHUrMGczSzlqYlh6RVh5CnpJU3VXN2d6SGRWYUxvcnBkQlNkRHpOWkNvTFVoL0U1T3d5TFZFQkNKaDZJVUtvdWJ5WHVucnIxQnJmK2tLbEsKeHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
+				},
+			},
+		},
+	}
+	s.True(legacyKey.IsLegacy())
+}
+
 func TestNewPlatformKeyIndexTestSuite(t *testing.T) {
 	suite.Run(t, new(KeyIndexTestSuite))
 }
@@ -74,8 +74,8 @@ func (d *DelegatingKeyService) FindKeyByID(ctx context.Context, id KeyIdentifier
 	return d.index.FindKeyByID(ctx, id)
 }
 
-func (d *DelegatingKeyService) ListKeys(ctx context.Context) ([]KeyDetails, error) {
-	return d.index.ListKeys(ctx)
+func (d *DelegatingKeyService) ListKeys(ctx context.Context, legacyOnly bool) ([]KeyDetails, error) {
+	return d.index.ListKeys(ctx, legacyOnly)
 }
 
 // Implementing KeyManager methods

@@ -69,8 +69,8 @@ func (m *MockKeyIndex) FindKeyByID(ctx context.Context, id KeyIdentifier) (KeyDe
 	return &MockKeyDetails{}, args.Error(1)
 }
 
-func (m *MockKeyIndex) ListKeys(ctx context.Context) ([]KeyDetails, error) {
-	args := m.Called(ctx)
+func (m *MockKeyIndex) ListKeys(ctx context.Context, legacyOnly bool) ([]KeyDetails, error) {
+	args := m.Called(ctx, legacyOnly)
 	if a0, ok := args.Get(0).([]KeyDetails); ok {
 		return a0, args.Error(1)
 	}
@@ -218,11 +218,26 @@ func (suite *DelegatingKeyServiceTestSuite) TestFindKeyByID() {
 }
 
 func (suite *DelegatingKeyServiceTestSuite) TestListKeys() {
-	suite.mockIndex.On("ListKeys", mock.Anything).Return([]KeyDetails{&MockKeyDetails{}}, nil)
+	suite.mockIndex.On("ListKeys", mock.Anything, false).Return([]KeyDetails{&MockKeyDetails{}}, nil)
+
+	keys, err := suite.service.ListKeys(context.Background(), false)
+	suite.Require().NoError(err)
+	suite.Len(keys, 1)
+}
+
+func (suite *DelegatingKeyServiceTestSuite) TestListKeys_Legacy() {
+	legacyKey := &MockKeyDetails{}
+	legacyKey.On("IsLegacy").Return(true)
+
+	nonLegacyKey := &MockKeyDetails{}
+	nonLegacyKey.On("IsLegacy").Return(false)
+
+	suite.mockIndex.On("ListKeys", mock.Anything, true).Return([]KeyDetails{legacyKey}, nil)
 
-	keys, err := suite.service.ListKeys(context.Background())
+	keys, err := suite.service.ListKeys(context.Background(), true)
 	suite.Require().NoError(err)
 	suite.Len(keys, 1)
+	suite.True(keys[0].IsLegacy())
 }
 
 func (suite *DelegatingKeyServiceTestSuite) TestDecrypt() {

@@ -64,5 +64,7 @@ type KeyIndex interface {
 	FindKeyByID(ctx context.Context, id KeyIdentifier) (KeyDetails, error)
 
 	// ListKeys returns all available keys
-	ListKeys(ctx context.Context) ([]KeyDetails, error)
+	// If legacyOnly is true, only legacy keys will be returned.
+	// If false, all keys will be returned.
+	ListKeys(ctx context.Context, legacyOnly bool) ([]KeyDetails, error)
 }