Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Log Call-Site Directory

This page lists every production log call-site across all Cosmian KMS components, grouped by domain and crate.

It is not listed in the navigation menu but is accessible via It is not listed in the navigation menu but is accessible via Logging and telemetry.

How to read this page

The index is organised by usage-domains. Within each domain, each table covers one crate (the UI section is an exception). All tables, ui included, have 5 columns:

ColumnMeaning
Levelerror warn info debug trace
MessageConstant log string; interpolated values shown as {name}
FileSource file relative to the crate root
VariablesEach {name} — description; when none
NotesReserved for security flags and operator guidance

Rows are ordered by severity (errorwarninfodebugtrace), then alphabetically by message. Test files are excluded.

Tip: The level filter defaults to error. Switching to all or trace reveals hundreds of rows and the page will become long.


Domain: KMS Server

cosmian_kms_server

Crate path: crate/server RUST_LOG target: cosmian_kms_server

LevelMessageFileVariablesNotes
errorAuthentication method configured, but no authentication providedsrc/middlewares/ensure_auth.rs-Returns 401. Check middleware stack - auth is configured but no bearer/cert/API-token was sent.
errorAWS XKS Sigv4 middleware should not be enabled if the aws_xks_params are not setsrc/routes/aws_xks/sigv4_middleware.rs-Server misconfiguration - enable XKS routes only when aws_xks_params is set.
errorError handling socket client: {}src/socket_server.rs-Unix socket handler crashed. The server continues running.
errorFailed to open index.html: {e:?}src/start_kms_server.rse: caught errorUI not served - verify ui_index_html_folder points to a built UI artifact.
errorSocket server failed to acquire write lock for stop request: {}src/socket_server.rs-Internal threading issue on shutdown. Server may need SIGTERM if it hangs.
errorSocket server failed to connect to itself: {}src/socket_server.rs-Internal stop-signal socket unreachable. Port may be in use by another process.
errorSocket server failed to get local address for stop signalsrc/socket_server.rs-Network/IPC failure. Check connectivity and port availability.
errorSocket server failed to write stop requestsrc/socket_server.rs-Network/IPC failure. Check connectivity and port availability.
errorSocket server stop signal contained error: {}src/socket_server.rs-Stop channel returned an error. Inspect the formatted error value.
errorWindows service failed: {e}src/windows_service.rse: caught errorFatal Windows service error. Check Windows Event Log for the full stack trace.
error{:?} {} 401 unauthorized: Client and server authentication tokens mismatchsrc/middlewares/api_token/api_token_auth.rs-API token mismatch - rotate the kms_api_token_id / kms_api_token config values.
error{status_code} - {message}src/routes/mod.rsstatus_code: HTTP status code
message: human-readable message text
Unhandled HTTP error response emitted to the client.
error{}src/start_kms_server.rs-Catch-all error log. Inspect the formatted value for the actual error.
warnActivate: object {} is already Active, rejectingsrc/core/operations/activate.rs--
warnAWS XKS create: key {uid} already exists (ignoring creation).src/routes/aws_xks/key_metadata.rsuid: KMIP object UID-
warnAzure EKM client authentication is disabled, this should only be done in tests, and won't work for production environments.src/start_kms_server.rs--
warnCould not insert: certificate: AKI: {}, SKI: {}src/core/operations/validate.rs--
warnFailed to persist auto-activation of object {}: {}src/core/retrieve_object_utils.rs--
warnFetch JWKS: {e}src/middlewares/jwt/jwks.rse: caught error-
warnSigV4 failure: {signature_error}src/routes/aws_xks/sigv4_middleware.rssignature_error: SigV4 signature validation error-
warnSocket server: connection failed: {e}src/socket_server.rse: caught error-
warnUI folder invalid or Linux default detected, falling back to: {fallback:#?}src/config/params/server_params.rsfallback: fallback UI folder path-
warn{:?} {} 401 unauthorized, no email in JWTsrc/middlewares/jwt/jwt_token_auth.rs--
warn{:?} {} 401 unauthorized: bad JWTsrc/middlewares/jwt/jwt_token_auth.rs--
warn{error:?}src/middlewares/jwt/jwt_token_auth.rserror: error detail-
warn{status_code} - {message}src/routes/mod.rsstatus_code: HTTP status code
message: human-readable message text
-
warn{status} - {}src/routes/jose/error.rsstatus: HTTP response status-
infoAUTHENTICATION token: {:?}src/routes/google_cse/jwt.rs--
infoAUTHORIZATION token headers: {:?}src/routes/google_cse/jwt.rs--
infoAUTHORIZATION token: {:?}src/routes/google_cse/jwt.rs--
infoazure EKM API enabled at {}src/start_kms_server.rs--
infoCommand line / file config: {clap_config:#?}src/main.rsclap_config: parsed CLI configuration-
infoCreated Key Pair with cryptographic algorithm {:?}src/core/operations/create_key_pair.rs--
infoCreated Object of type {:?}src/core/operations/create.rs--
infoCreating key pair for certification - private key: {sk_uid}, public key: {pk_uid}src/core/operations/certify/resolve_subject.rssk_uid: private key UID
pk_uid: public key UID
-
infoDestroyed objectsrc/core/operations/destroy.rs--
infoEncrypted Data : {encrypted_data:?}src/routes/ms_dke/mod.rsencrypted_data: encrypted data payload-
infoExported object of type: {}src/core/operations/export_get.rs--
infoExtracted IDP Configs: {:#?}src/config/command_line/idp_auth_config.rs--
infoFeature Test enabledsrc/main.rs--
infoFound Google CSE migration key, importing it.src/start_kms_server.rs--
infoGET /access/list/{object_id} {user}src/routes/access.rsobject_id: KMIP object UID
user: authenticated user identity
-
infoGET /access/obtained {user}src/routes/access.rsuser: authenticated user identity-
infoGET /access/owned {user}src/routes/access.rsuser: authenticated user identity-
infoGET /certssrc/routes/google_cse/mod.rs--
infoGET /download-cli {}src/routes/mod.rs--
infoGET /google_cse/status {}src/routes/google_cse/mod.rs--
infoGET /health {}src/routes/health.rs--
infoGET /hsm/status {}src/routes/mod.rs--
infoGET /me {user}src/routes/access.rsuser: authenticated user identity-
infoGET /server-info {}src/routes/mod.rs--
infoGET /version {}src/routes/mod.rs--
infoGET /version {}src/routes/ms_dke/mod.rs--
infoKey pair created for certificationsrc/core/operations/certify/resolve_subject.rs--
infoKMIP Request message with {} operation(s): {:?}src/core/operations/message.rs--
infoKMS Server configuration: {server_params:#?}src/start_kms_server.rsserver_params: server configuration (debug display)-
infoLoad default providersrc/openssl_providers.rs--
infoLoad FIPS providersrc/openssl_providers.rs--
infoLoad legacy providersrc/openssl_providers.rs--
infoNo migration key found, creating new RSA keypair.src/start_kms_server.rs--
infoOpenSSL version: {ossl_version}, in {ossl_dir}, number: {ossl_number:x}src/main.rsossl_version: OpenSSL version string
ossl_dir: OpenSSL modules directory
ossl_number: OpenSSL version number (hex)
-
infoPOST /access/grantsrc/routes/access.rs--
infoPOST /access/revokesrc/routes/access.rs--
infoPOST /aws/kms/xks/v1/health - request id {} - operation {}src/routes/aws_xks/health_status.rs--
infoPOST /ekm/info api-version={} user={}src/routes/azure_ekm/mod.rs--
infoPOST /ekm/{}/metadata api-version={} user={}src/routes/azure_ekm/mod.rs--
infoPOST /ekm/{}/unwrapkey alg={:?} api-version={} user={}src/routes/azure_ekm/mod.rs--
infoPOST /ekm/{}/wrapkey alg={:?} api-version={} user={}src/routes/azure_ekm/mod.rs--
infoPOST /google_cse/delegate: not implemented yetsrc/routes/google_cse/mod.rs--
infoPOST /google_cse/wrapprivatekey: not implemented yetsrc/routes/google_cse/mod.rs--
infoPOST /google_cse/{info_msg}src/routes/google_cse/mod.rsinfo_msg: route info message-
infoPOST /kms/xks/v1/keys/{key_id}/decrypt - operation: {} - id: {} - user: {}src/routes/aws_xks/encrypt_decrypt/decrypt_.rskey_id: XKS key identifier-
infoPOST /kms/xks/v1/keys/{key_id}/encrypt - operation: {} - id: {} - user: {}src/routes/aws_xks/encrypt_decrypt/encrypt_.rskey_id: XKS key identifier-
infoPOST /kms/xks/v1/keys/{key_id}/metadata - operation: {} - id: {} - user: {}src/routes/aws_xks/key_metadata.rskey_id: XKS key identifier-
infoRefreshing JWKSsrc/middlewares/jwt/jwks.rs--
infoResponse TTLV: {ttlv:?}src/routes/kmip.rsttlv: TTLV-encoded response-
infoRevoked object type: {}src/core/operations/revoke.rs--
infoRSA Keypair for Google CSE already exists (detected by UNIQUE constraint). Continuing without error.src/start_kms_server.rs--
infoRSA Keypair for Google CSE already exists (pre-check).src/start_kms_server.rs--
infoRSA Keypair for Google CSE already exists.src/start_kms_server.rs--
infoRSA Keypair for Google CSE created.src/start_kms_server.rs--
infoServer started with --info. Exitingsrc/main.rs--
infoServing index.html from {}src/start_kms_server.rs--
infoServing UI from {}src/start_kms_server.rs--
infoSocket server listening on {}src/socket_server.rs--
infoSocket server shutting down due to stop requestsrc/socket_server.rs--
infoSocket server stop signal sentsrc/socket_server.rs--
infoStarting Cosmian KMS server version {}src/main.rs--
infoStarting the HTTPS KMS server...src/start_kms_server.rs--
infoWindows service received Stop signal, shutting down...src/windows_service.rs--
infoWindows service reporting Running to SCMsrc/windows_service.rs--
infoXKS Decrypt internal error: {:?}src/routes/aws_xks/encrypt_decrypt/decrypt_.rs--
infoXKS Encrypt internal error: {:?}src/routes/aws_xks/encrypt_decrypt/encrypt_.rs--
info{}src/main.rs--
debug<== encrypted {} ciphertextssrc/core/operations/encrypt.rs--
debug==> encrypting {} clear textssrc/core/operations/encrypt.rs--
debug[metrics-cron] Failed to build runtime: {}src/cron.rs--
debug[metrics-cron] Shutdown signal received; stopping cron threadsrc/cron.rs--
debug[OK] base64 of encrypted_dek has been removedsrc/routes/google_cse/operations.rs--
debug[OK] recovered private_key DER bytes (len: {}). Perform RSA decryptionsrc/routes/google_cse/operations.rs--
debug[{idx}] Certificate carries id-ce-noRevAvail (RFC 9608): skipping CRL checksrc/core/operations/validate.rsidx: certificate index in validation chain-
debug[{idx}] Verifying certificate: subject: {:?}src/core/operations/validate.rsidx: certificate index in validation chain-
debugAccess granted on {}src/routes/access.rs--
debugAccess revoke for {}src/routes/access.rs--
debugActivate: object {} current state = {:?}src/core/operations/activate.rs--
debugAdd Attribute: {}src/core/operations/attributes/add.rs--
debugAES-GCM decryption failed (expected for implicit rejection): {e}src/routes/jose/aes_gcm.rse: caught error-
debugafter getting CRL: url: {url}src/core/operations/validate.rsurl: URL-
debugalgorithm: {ca:?}, ciphertext length: {}src/core/operations/encrypt.rsca: cryptographic algorithm-
debugallocation_size: {allocation_size}src/routes/google_cse/operations.rsallocation_size: allocated buffer size×2 in this file
debugAPI token authentication failed: {e:?}src/middlewares/api_token/api_token_middleware.rse: caught error-
debugAuthentication token check: validation disabledsrc/routes/google_cse/operations.rs--
debugBuilding and signing certificatesrc/core/operations/certify/build_certificate.rs--
debugcheck algorithmsrc/routes/google_cse/operations.rs--
debugClient certificate authentication failed: {e:?}src/middlewares/tls_auth.rse: caught error-
debugcomputing resource_key_hashsrc/routes/google_cse/operations.rs--
debugConfiguration TOML: {conf_str}src/config/command_line/clap_config.rsconf_str: configuration TOML string×2 in this file
debugCreate key pair: {request}src/core/operations/create_key_pair.rsrequest: KMIP request (debug display)-
debugcreate_user_decryption_key_: Access Policy: {access_policy:?}src/core/cover_crypt/create_user_decryption_key.rsaccess_policy: Covercrypt access policy expression-
debugCreated secret data with attributes: {}src/core/kms/other_kms_methods.rs--
debugCreated symmetric key with attributes: {}src/core/kms/other_kms_methods.rs--
debugCreating SecretData objectsrc/core/operations/derive_key.rs--
debugCRL list already contains key: {path}src/core/operations/validate.rspath: filesystem path-
debugCRL list already contains key: {url}src/core/operations/validate.rsurl: URL-
debugCSE Error: {:?}src/routes/google_cse/mod.rs--
debugdecode encrypted_deksrc/routes/google_cse/operations.rs--
debugdecrypt private keysrc/routes/google_cse/operations.rs--
debugdecrypt request: {:?}src/routes/aws_xks/encrypt_decrypt/decrypt_.rs--
debugdecrypt_bulk: ==> decrypted {} plaintextssrc/core/operations/decrypt.rs--
debugdecrypt_bulk: ==> decrypting {} ciphertextssrc/core/operations/decrypt.rs--
debugDecryption Oracle for prefix: {prefix}, total ciphertext is {} bytes longsrc/core/operations/decrypt.rsprefix: decryption oracle prefix bytes-
debugDeriveKey operation completed successfullysrc/core/operations/derive_key.rs--
debugDeriveKey operation startingsrc/core/operations/derive_key.rs--
debugDeriveKey: activation_date={:?} <= now, setting state to Activesrc/core/operations/derive_key.rs--
debugDeriveKey: no activation_date or future date, setting state to PreActivesrc/core/operations/derive_key.rs--
debugDeriveKey: No derivation data (info) provided for HKDFsrc/core/operations/derive_key.rs--
debugDeriveKey: No iteration count provided for PBKDF2, using defaultsrc/core/operations/derive_key.rs--
debugEKM Error: {:?}src/routes/azure_ekm/error.rs--
debugEnable Google CSE JWT Authorization: {enable_google_cse_authentication}src/start_kms_server.rsenable_google_cse_authentication: whether Google CSE JWT auth is on-
debugencode base64 wrapped_deksrc/routes/google_cse/operations.rs--
debugencrypt request: {:?}src/routes/aws_xks/encrypt_decrypt/encrypt_.rs--
debugencrypting with RSA {algorithm:?} {padding:?} hashing_fn:{hashing_fn:?} mgf1:{mgf1_hash_fn:?} label_len:{}src/core/operations/encrypt.rsalgorithm: cryptographic algorithm
padding: asymmetric padding scheme
hashing_fn: hash function
mgf1_hash_fn: MGF1 hash function
-
debugenteringsrc/routes/google_cse/jwt.rs--
debugenteringsrc/routes/google_cse/operations.rs-×9 in this file
debugexiting with successsrc/routes/google_cse/operations.rs-×4 in this file
debugexiting with success: decrypt_size: {decrypt_size}src/routes/google_cse/operations.rsdecrypt_size: decrypted payload length×2 in this file
debugexiting with success: {}src/routes/google_cse/operations.rs--
debugexporting private key with format: {:?}src/core/operations/export_get.rs--
debugfetching {jwks_uri}src/middlewares/jwt/jwks.rsjwks_uri: JWKS endpoint URL-
debugfrom_rsasrc/routes/google_cse/operations.rs--
debugGenerated JWT for original KACLS: {jwt:?}src/routes/google_cse/operations.rsjwt: JWT token (debug display)-
debugGet Attributes: available vendor attributes: [{}]src/core/operations/attributes/get.rs--
debugGet Attributes: fallback vendor attribute match {}:{} from object attributessrc/core/operations/attributes/get.rs--
debugGet Attributes: no vendor attributes present on objectsrc/core/operations/attributes/get.rs--
debugGet Attributes: requested vendor attribute not found {}:{}src/core/operations/attributes/get.rs--
debugGet Attributes: returning vendor attribute match {}:{}src/core/operations/attributes/get.rs--
debugGet input certificates as bytessrc/core/operations/validate.rs--
debugget metadata request: {:?}src/routes/aws_xks/key_metadata.rs--
debugget rsa public key on {current_kacls_url}src/routes/google_cse/operations.rscurrent_kacls_url: current KACLS server URL-
debugget_crl_bytes: exiting in success with {} CRLssrc/core/operations/validate.rs--
debugget_statussrc/routes/google_cse/operations.rs--
debugGoogle CSE request authorized for user {authentication_email}src/routes/google_cse/jwt.rsauthentication_email: email from the authentication token-
debugImport: activation_date={:?} <= now, setting state to Activesrc/core/operations/import.rs--
debugImport: no activation_date or future date, setting state to PreActivesrc/core/operations/import.rs--
debugImported object with uid: {}src/core/operations/import.rs--
debugImporting leaf certificate with attributes: {}src/core/operations/import.rs--
debugImporting PKCS12: private_key_id={:?}, leaf_certificate_id={:?}, chain={:?}src/core/operations/import.rs--
debugJWT Access granted to {email}!src/middlewares/jwt/jwt_token_auth.rsemail: user email address-
debugJWT authentication failed: {e:?}src/middlewares/jwt/jwt_middleware.rse: caught error-
debugKey successfully unwrapped with wrapping key: {}src/core/wrapping/unwrap.rs--
debugKey wrap type: {:?}src/core/operations/export_get.rs--
debugKey wrapped successfully by key {}src/core/wrapping/wrap.rs--
debugModifyAttribute: persisting attributes for {}src/core/operations/attributes/modify.rs--
debugno token validationsrc/routes/google_cse/operations.rs--
debugNumber of certificates in chain: {certificates_number}src/core/operations/validate.rscertificates_number: number of certificates in chain-
debugobject is not wrapped, no need to unwrapsrc/core/wrapping/unwrap.rs--
debugObject type: {}, with unique identifier: {}, destroyed by user {}src/core/operations/destroy.rs--
debugObject with unique identifier: {} destroyedsrc/core/operations/destroy.rs--
debugObject with unique identifier: {} revokedsrc/core/operations/revoke.rs--
debugObject with unique identifier: {} revoked by user {}src/core/operations/revoke.rs--
debugOpenSSL Extensions: {}src/core/operations/certify/build_certificate.rs--
debugParent CRL verification: revocation status: {res:?}src/core/operations/validate.rsres: result (debug display)-
debugproxy_config: {config:#?}src/config/params/proxy_params.rsconfig: configuration (debug display)-
debugre-wrapping key with current KMSsrc/routes/google_cse/operations.rs--
debugreading full bytes of CRL: url: {url}src/core/operations/validate.rsurl: URL-
debugRegister: activation_date={:?} <= now, setting state to Activesrc/core/operations/register.rs--
debugRegister: no activation_date or future date, setting state to PreActivesrc/core/operations/register.rs--
debugRegistered object with uid: {}src/core/operations/register.rs--
debugRequest already authenticated, skipping Ensure Auth middlewaresrc/middlewares/ensure_auth.rs--
debugrequest.encrypted_data_encryption_key: {}src/routes/google_cse/operations.rs--
debugRetrieved Attributes for {} {}, tags {:?}src/core/operations/attributes/get.rs--
debugretrieving RSA private key from KMSsrc/routes/google_cse/operations.rs--
debugRevocation status: result: {res:?}src/core/operations/validate.rsres: result (debug display)-
debugRSA key pair generation: size in bits: {key_size_in_bits}src/core/operations/create_key_pair.rskey_size_in_bits: RSA key size in bits-
debugRSA-OAEP encrypt: wrapped CEK ({} bytes) with {} ({} bit key)src/routes/jose/encrypt.rs--
debugRSA-OAEP unwrap failed or CEK size mismatch — using implicit rejectionsrc/routes/jose/decrypt.rs--
debugSet Attribute: {}src/core/operations/attributes/set.rs--
debugSet Object Attribute: {}src/core/operations/attributes/add.rs--
debugSet Object Attribute: {}src/core/operations/attributes/set.rs--
debugSetting key_wrap_type to NotWrapped due to default_unwrap_typessrc/core/operations/export_get.rs--
debugSignature verification result: {validity_indicator:?}src/core/operations/signature_verify.rsvalidity_indicator: signature validity result-
debugsignature_verify: effective CP => alg={:?} pad={:?} hash={:?} dsa={:?} mgf1_hash={:?}src/core/operations/signature_verify.rs--
debugSigv4 Middleware - Adding missing HOST header: {}src/routes/aws_xks/sigv4_middleware.rs--
debugSkipping non-HTTP CRL URI: {url}src/core/operations/validate.rsurl: URL-
debugSocket server received stop signal: {result:?}src/socket_server.rsresult: operation result-
debugsocket server: client connected from {}src/socket_server.rs--
debugsocket server: client {} disconnectedsrc/socket_server.rs--
debugsocket server: received request: {}src/socket_server.rs--
debugsuccesssrc/routes/google_cse/operations.rs--
debugThe wrapping key {wrapping_key_uid} is itself wrapped, unwrapping it firstsrc/core/wrapping/wrap.rswrapping_key_uid: UID of the wrapping key-
debugtls_config: {config:#?}src/config/params/tls_params.rsconfig: configuration (debug display)-
debugToken authentication successfulsrc/middlewares/api_token/api_token_auth.rs--
debugunwrap keysrc/routes/google_cse/operations.rs-×2 in this file
debugUnwrapped cache hitsrc/core/kms/other_kms_methods.rs--
debugUnwrapped cache miss. Calling unwrapsrc/core/kms/other_kms_methods.rs--
debuguser signed data via crypto oracle using: {uid}src/core/operations/sign.rsuid: KMIP object UID-
debugvalidate_tokenssrc/routes/google_cse/operations.rs--
debugwrap deksrc/routes/google_cse/operations.rs-×2 in this file
debugXks Error: {:?}src/routes/aws_xks/error.rs--
debugXKS Proxy - Path not found: {}src/routes/aws_xks/error.rs--
debug{conf:#?}src/config/params/server_params.rsconf: configuration (debug display)-
debug{request}src/core/operations/attributes/modify.rsrequest: KMIP request (debug display)-
debug{request}src/core/operations/attributes/set.rsrequest: KMIP request (debug display)-
debug{res:#?}src/config/params/server_params.rsres: result (debug display)-
debug{ui_index_html_folder:#?}src/config/params/server_params.rsui_index_html_folder: configured UI folder path×2 in this file
debug{wrap_request:?}src/routes/google_cse/jwt.rswrap_request: CSE wrap request (debug display)-
debug{} identifierssrc/core/operations/validate.rs--
trace:src/core/operations/attributes/dispatch_macros.rs
trace: {:?}src/core/operations/attributes/dispatch_macros.rs
trace[api_token_auth] Authorization header received (length: {} chars)src/middlewares/api_token/api_token_auth.rs
trace[api_token_auth] comparing client token ({} chars) with server tokensrc/middlewares/api_token/api_token_auth.rs
trace[destroy-core] certificate zeroization uid={unique_identifier}src/core/operations/destroy.rsunique_identifier — …
trace[destroy-core] opaque object zeroization uid={unique_identifier} len={}src/core/operations/destroy.rsunique_identifier — …
trace[destroy-core] uid={unique_identifier} type={:?} pre-state={:?} object={object}src/core/operations/destroy.rsunique_identifier — …
object — …
trace[destroy] DENY revoke-before-destroy (explicitly activated) uid={} type={:?} state={:?} activation_date={:?} initial_date={:?}src/core/operations/destroy.rs
trace[destroy] Failed to destroy linked private key {}: {:?}. Continuing with public key destruction.src/core/operations/destroy.rs
trace[destroy] policy-eval uid={} type={:?} db_state={:?} attr_state={:?} effective_state={:?} activation_date={:?} policy_state={:?} remove={}src/core/operations/destroy.rs
trace[revoke] proceed-destroyed uid={uid} state={:?}src/core/operations/revoke.rsuid — …
trace[revoke] skip uid={uid} reason=state-not-revocable state={:?}src/core/operations/revoke.rsuid — …
tracealgorithm: {:?}, padding: {:?}, hashing_fn: {:?}src/core/operations/decrypt.rs
tracealgorithm={:?}, data_len={}src/core/operations/hash.rs
traceAll certificates have been sortedsrc/core/operations/validate.rs×2 in this file
traceAlready an unwrapped keysrc/core/kms/other_kms_methods.rs
traceAttribute: Object type {:?} does not have attributes (nor key block)src/core/operations/attributes/add.rs
traceauthentication token validated for {authentication_email}src/routes/google_cse/jwt.rsauthentication_email — …
traceauthorization token validated successfullysrc/routes/google_cse/jwt.rs
traceAuto-activating object {} (activation_date {} <= now {})src/core/retrieve_object_utils.rs
tracebuild_pkcs12_for_private_key: {} with format: {:?}src/core/operations/export_get.rs
tracebuilding chain from leaf certificate: {}src/core/operations/export_get.rs
tracebuilding the PKCS12src/core/operations/export_get.rs
traceCertificate attribute link: {}src/core/operations/certify/certify_op.rs
traceCertificate attributes links: Nonesrc/core/operations/certify/certify_op.rs
tracecertificate parent id is: {}src/core/operations/export_get.rs
traceCertificate parent id is: {parent_id}src/core/operations/export_get.rsparent_id — …
traceCertify KeypairAndSubjectName:{unique_identifier} : keypair data: {keypair_data}src/core/operations/certify/certify_op.rsunique_identifier — …
keypair_data — …
traceCertify X509Req or Certificate:{unique_identifier}src/core/operations/certify/certify_op.rsunique_identifier — …
traceChecking key with ID: {}src/core/retrieve_object_utils.rs
traceChecking permissions to wrap with key {wrapping_key_uid}src/core/wrapping/wrap.rswrapping_key_uid — …
traceChecking usage mask for wrapping key {wrapping_key_uid}src/core/wrapping/wrap.rswrapping_key_uid — …
traceciphertext (ECB): {ciphertext:?}, aad: {aad:?}, padding_method: {padding_method:?}src/core/operations/decrypt.rsciphertext — …
aad — …
padding_method — …
traceClient certificate common name: {}src/middlewares/tls_auth.rs
traceconfigure_cipher_suites: Enable default cipher suites (mozilla_intermediate_v5)src/tls_config.rs
traceconfigure_cipher_suites: Setting custom cipher string: {suites}src/tls_config.rssuites — …
traceConfiguring client certificate verification for {}src/tls_config.rs
traceconverting the private key {} to openssl pkeysrc/core/operations/export_get.rs
tracecreate_base_openssl_acceptor: creating OpenSSL SslAcceptorBuilder for {server_type}src/tls_config.rsserver_type — …
traceCreating object of type {:?} with UID {} and attributes {}src/core/operations/create.rs
traceCreating OpenSSL SslAcceptor for socket serversrc/socket_server.rs
traceCreating OpenSSL SslAcceptorBuilder with TLS parameterssrc/start_kms_server.rs
traceCRL deserialized OK: {crl_path}src/core/operations/validate.rscrl_path — …×2 in this file
tracecryptographic_algorithm: {cryptographic_algorithm}src/core/operations/create_key_pair.rscryptographic_algorithm — …
tracecurve: {curve}src/core/operations/create_key_pair.rscurve — …
traceDecrypt: uid={:?}, data_len={}src/core/operations/decrypt.rs
traceDELETE /v1/crypto/keys/{kid}src/routes/jose/keys.rskid — …
traceDescription: {:?}src/core/operations/attributes/add.rs
traceDiscover versions: {}src/core/operations/discover_versions.rs
traceECB encrypt result: ciphertext_len={}src/core/operations/encrypt.rs
traceECB encrypt: plaintext_len={}, padding_method={padding_method:?}src/core/operations/encrypt.rspadding_method — …
traceeffective RSA CP -> padding={:?} hashing={:?} mgf1={:?} label_len={}src/core/operations/decrypt.rs
traceencrypt result: ciphertext_len={}, tag_len={}src/core/operations/encrypt.rs
traceenteringsrc/routes/google_cse/jwt.rs
traceEntering get_key_and_ciphersrc/core/operations/encrypt.rs
traceEntering import KMIP operation: uid={}, object_type={}src/core/operations/import.rs
traceEntering message KMIP operation: {request}src/core/operations/message.rsrequest — …
traceentering. owm: {}src/core/operations/encrypt.rs
traceexport_get_private_key: {} for operation: {}src/core/operations/export_get.rs
traceExtracting key block for decryption to identify key format type...src/core/operations/decrypt.rs
traceFetching public key: {public_key_name} and attempting to extract RSA modulus and public exponent from key materialsrc/routes/utils.rspublic_key_name — …
traceFound CRL URI: {crl_uri}src/core/operations/validate.rscrl_uri — …
tracefound link to certificate: {}src/core/certificate/find.rs
tracefound link to public key: {}. Will get certificate link from theresrc/core/certificate/find.rs
traceFound uid: {}, attributes: {}src/core/operations/locate.rs
tracefunction={:?}src/core/operations/pkcs11.rs
traceGet Attributes: Attributes: {}src/core/operations/attributes/get.rs
traceGet Attributes: computing LinkType setsrc/core/operations/attributes/get.rs
traceGet Attributes: Requested attributes: {req_attributes:?}src/core/operations/attributes/get.rsreq_attributes — …
traceGet Attributes: Response: {}src/core/operations/attributes/get.rs
traceGet Attributes: Retrieved object for get attributes: {}src/core/operations/attributes/get.rs
traceGET KEY /{} {:?}src/routes/ms_dke/mod.rs
traceGet: {}src/core/operations/get.rs
traceget_crl_bytes: entering: uri_list: {uri_list:?}src/core/operations/validate.rsuri_list — …
tracegot key bytes of length: {}, aead: {:?}. Proceeding to get the nonce...src/core/operations/decrypt.rs
traceHMAC computed: {} bytessrc/core/operations/mac.rs
traceHSM get_key_type probe for '{uid}' failed: {e}; proceeding with destroysrc/core/operations/destroy.rsuid — …
e — …
traceIgnoring tag {x:?} which does not match to an attributesrc/core/operations/attributes/get.rsx — …
traceimport opaque_object: uid={}src/core/operations/import.rs
traceimport secret_data: uid={}src/core/operations/import.rs
traceInternal create key pairsrc/core/operations/create_key_pair.rs
traceInternal create private keysrc/core/kms/other_kms_methods.rs
traceInternal create private key (FIPS build)src/core/kms/other_kms_methods.rs
traceInternal rekey key pair Covercryptsrc/core/cover_crypt/rekey_keys.rs
traceIssuer certificate id: {}src/core/operations/certify/resolve_issuer.rs
traceIssuer private key id: {}src/core/operations/certify/resolve_issuer.rs
traceIssuer Subject name: {:?}src/core/operations/certify/certify_op.rs
traceiv_counter_nonce: {}, ciphertext: {}, authenticated_tag: {}src/routes/google_cse/operations.rs
traceJWT Authentication...src/middlewares/jwt/jwt_token_auth.rs
tracekey id {}src/core/operations/decrypt.rs
tracekey_format_type: {key_format_type:?}src/core/operations/export_get.rskey_format_type — …
tracekey_material key format: {:?}src/core/operations/digest.rs
traceLeaf certificate extracted from PKCS12src/core/operations/import.rs
traceLink: {}src/core/operations/attributes/add.rs
traceLocate: filtering out HSM key {uid_str} — user {user} has no grantssrc/core/operations/locate.rsuid_str — …
user — …
traceMac: algorithm: {algorithm:?}src/core/operations/mac.rsalgorithm — …
traceMac: data len: {}src/core/operations/mac.rs
tracematching on key format type: {:?}src/core/operations/encrypt.rs
tracematching on key format type: {:?}src/core/operations/sign.rs
tracematching on public key format type: {:?}src/core/operations/decrypt.rs
traceModifyAttribute: ActivationDate: {:?}src/core/operations/attributes/modify.rs
traceModifyAttribute: Link: {}src/core/operations/attributes/modify.rs
traceModifyAttribute: Name: {}src/core/operations/attributes/modify.rs
traceModifyAttribute: retrieved target object {}src/core/operations/attributes/modify.rs
traceModifyAttribute: VendorAttribute: {}src/core/operations/attributes/modify.rs
traceName: {name}src/core/operations/attributes/add.rsname — …
traceno effective cryptographic parameters; defaults will applysrc/core/operations/decrypt.rs
traceNo issuer certificate id providedsrc/core/operations/certify/resolve_issuer.rs
traceNo issuer private key id providedsrc/core/operations/certify/resolve_issuer.rs
traceNo UI folder containing index.html found at {}src/start_kms_server.rs
traceNon revocable keys detected: won't be revoked {non_revocable_key_id:?}src/core/operations/revoke.rsnon_revocable_key_id — …
traceNot using Client Certificate Authentication with OpenSSLsrc/start_kms_server.rs
traceOpenSSL Private Key instantiated before signingsrc/core/operations/sign.rs
traceOpenSSL Public Key instantiated before encryptionsrc/core/operations/encrypt.rs
traceOperation processed successfully: {op}src/core/operations/message.rsop — …
traceOperation processing failed: {e}src/core/operations/message.rse — …
traceparams: {server_params:?}src/core/kms/mod.rsserver_params — …
tracePKCS12 parsed successfullysrc/core/operations/import.rs
traceplaintext length: {} bytessrc/core/operations/decrypt.rs
traceplaintext_len={}, nonce_len={}, aad_len={}, padding_method={padding_method:?}src/core/operations/encrypt.rspadding_method — …
tracePOST /v1/crypto/decryptsrc/routes/jose/decrypt.rs
tracePOST /v1/crypto/encrypt kid={} alg={}src/routes/jose/encrypt.rs
tracePOST /v1/crypto/keys kty={}src/routes/jose/keys.rs
tracePOST /v1/crypto/keys/unwrapsrc/routes/jose/unwrap.rs
tracePOST /v1/crypto/mac kid={}src/routes/jose/mac.rs
tracePOST /v1/crypto/sign kid={}src/routes/jose/sign.rs
tracePOST /v1/crypto/verifysrc/routes/jose/verify.rs
tracePOST /{key_name}/{key_id}/Decrypt {encrypted_data:?}src/routes/ms_dke/mod.rskey_name — …
key_id — …
encrypted_data — …
tracepost_process_private_key: operation type: {operation_type:?}src/core/operations/export_get.rsoperation_type — …
tracePrivate key attributes after lifecycle update: {}src/core/operations/create_key_pair.rs
tracePrivate key extracted from PKCS12src/core/operations/import.rs
tracePrivate key linked to leaf certificatesrc/core/operations/import.rs
tracePrivate key operation createdsrc/core/operations/import.rs
tracePrivate key wrapped and cachedsrc/core/operations/import.rs
traceprocess_secret_data: object_with_metadata: {}src/core/operations/export_get.rs
traceprocess_symmetric_key: object_with_metadata: {}src/core/operations/export_get.rs
traceprocessing key_valuesrc/core/operations/digest.rs
traceProcessing KMIP operation: {operation_name} with user: {user:?}src/core/operations/message.rsoperation_name — …
user — …
traceProcessing PKCS12 importsrc/core/operations/import.rs
tracePublic key attributes after lifecycle update: {}src/core/operations/create_key_pair.rs
tracePublic key extracted from PKCS12src/core/operations/import.rs
traceReKey: {}src/core/operations/rekey/symmetric/mod.rs
traceReKeyKeyPair: {}src/core/operations/rekey/keypair/mod.rs
traceRequest: {:?}src/routes/azure_ekm/mod.rs×4 in this file
tracerequest: {username} {}src/start_kms_server.rsusername — …
traceResponse message: {response_message}src/core/operations/message.rsresponse_message — …
traceResponse sent to {}src/socket_server.rs
traceRetrieved certificate: {} for private key: {}src/core/certificate/find.rs
traceRetrieved object for: {}src/core/operations/activate.rs
traceRetrieved object for: {}src/core/operations/attributes/add.rs
traceRetrieved object for: {}src/core/operations/attributes/delete.rs
traceRetrieving certificate for private key: {}src/core/certificate/find.rs
traceRetrieving issuer private key and certificate: private_key_id: {:?}, certificate_id: {:?}src/core/certificate/find.rs
traceRetrieving private key for certificate: certificate_uid_or_tags: {:?}src/core/certificate/find.rs
traceRNGRetrieve: {}src/core/operations/rng_retrieve.rs
traceRoot and possibly leaf removed from initial certificate list. Left: {}src/core/operations/validate.rs
traceSensitive: {:?}src/core/operations/attributes/add.rs
traceSet Attribute: Link: {}src/core/operations/attributes/set.rs
traceSet Attribute: Name: {}src/core/operations/attributes/set.rs
traceSet Attribute: Object type {:?} does not have attributes (nor key block)src/core/operations/attributes/set.rs
traceSet Attribute: Retrieved target objectsrc/core/operations/attributes/set.rs
traceSet Attribute: Vendor Attribute: {}src/core/operations/attributes/set.rs
tracesk_uid: {sk_uid}, pk_uid: {pk_uid}src/core/operations/create_key_pair.rssk_uid — …
pk_uid — …
tracestate_allows: {state_allows}: state: {state}, operation_type: {operation_type}src/core/retrieve_object_utils.rsstate_allows — …
state — …
operation_type — …
traceSubject name: {:?}src/core/operations/certify/certify_op.rs
traceThe wrapping key {wrapping_key_uid} is authorized to wrap keyssrc/core/wrapping/wrap.rswrapping_key_uid — …
traceTLS Authentication...src/middlewares/tls_auth.rs
traceTLS Authentication: no peer certificate foundsrc/middlewares/tls_auth.rs
traceToken authentication using this API token ID: {api_token_id}src/middlewares/api_token/api_token_auth.rsapi_token_id — …
tracetoken decoded with {app_name} jwt configsrc/routes/google_cse/jwt.rsapp_name — …
traceTry to validate token from issuer: {issuer_uri:?}src/routes/google_cse/jwt.rsissuer_uri — …
traceUID: {:?}, State: {:?}, Attributes: {}src/core/operations/locate.rs×2 in this file
traceuid={:?}src/core/operations/mac.rs
traceuid={:?}, data_len={}src/core/operations/encrypt.rs
traceuid={}src/core/operations/mac.rs
traceuid={} remove={} cascade={}src/core/operations/destroy.rs
traceUIDs count (post-truncate): {}src/core/operations/locate.rs
traceupdated_master_secret_key_bytes len: {}src/core/cover_crypt/create_user_decryption_key.rs
traceUser {user} does not have permission for operation {operation_type:?} on object {}src/core/retrieve_object_utils.rsuser — …
operation_type — …
traceUser {user} has permission for operation {operation_type:?} on object {}src/core/retrieve_object_utils.rsuser — …
operation_type — …
traceUsing Client Certificate Authentication with OpenSSLsrc/start_kms_server.rs
tracevalid_jwt headers: {:?}src/routes/google_cse/jwt.rs
tracevalid_jwt user claims: {:?}src/routes/google_cse/jwt.rs
tracevalidate token: KACLS URL {google_cse_kacls_url}src/routes/google_cse/jwt.rsgoogle_cse_kacls_url — …
traceValidate: {}src/core/operations/validate.rs
tracevalidate_cse_authorization_token: KACLS URL {google_cse_kacls_url}src/routes/google_cse/jwt.rsgoogle_cse_kacls_url — …
tracevalidating authentication token, expected JWT issuer: {}src/middlewares/jwt/jwt_config.rs
tracevalidating CSE authorization token, expected issuer : {}src/routes/google_cse/jwt.rs
traceVendor Attribute: {}src/core/operations/attributes/add.rs
traceverify_chain_signature: entering: number of certificates: {}src/core/operations/validate.rs
traceverify_crls: exiting in successsrc/core/operations/validate.rs
traceWaiting for test socket server to start...src/socket_server.rs
tracewrapped_key length: {} charssrc/routes/google_cse/operations.rs
traceWrapping key retrieved successfully: {wrapping_key}src/core/wrapping/wrap.rswrapping_key — …
traceWrapping key with id: {wrapping_key_id}src/core/wrapping/wrap.rswrapping_key_id — …
trace{debug_msg}. Certificate: subject: {:?}, AKI: {:?}, SKI: {:?}src/core/operations/validate.rsdebug_msg — …
trace{info_msg} request receivedsrc/routes/google_cse/mod.rsinfo_msg — …
trace{jwt_authorization_config:#?}src/routes/google_cse/jwt.rsjwt_authorization_config — …
trace{request}src/core/operations/attributes/get.rsrequest — …
trace{request}src/core/operations/check.rsrequest — …
trace{request}src/core/operations/create.rsrequest — …
trace{request}src/core/operations/destroy.rsrequest — …
trace{request}src/core/operations/export.rsrequest — …
trace{request}src/core/operations/query.rsrequest — …
trace{request}src/core/operations/register.rsrequest — …
trace{request}src/core/operations/revoke.rsrequest — …
trace{request}src/core/operations/rng_seed.rsrequest — …
trace{request}src/core/operations/sign.rsrequest — …
trace{request}src/core/operations/signature_verify.rsrequest — …
trace{}src/core/operations/activate.rs
trace{}src/core/operations/attributes/add.rs
trace{}src/core/operations/attributes/delete.rs
trace{}src/core/operations/certify/certify_op.rs
trace{}src/core/operations/locate.rs
errorFailed to convert response message to TTLV: {}src/routes/kmip.rs×2 in this file
errorFailed to find KMIP versionsrc/routes/kmip.rs
errorFailed to parse RequestMessage: {}src/routes/kmip.rs
errorFailed to process request: {}src/routes/kmip.rs×2 in this file
errorOpenSSL does not appear to be available (version number is 0). Please verify that OpenSSL is correctly installed and accessible.src/main.rs
warnAn Edwards Keypair on curve 25519 should not be requested to perform ECDH. Creating anyway.src/core/operations/create_key_pair.rs
warnAn Edwards Keypair on curve 448 should not be requested to perform ECDH. Creating anyway.src/core/operations/create_key_pair.rs
warnCRL signature could not be verified against chain issuers; issuer: {:?}. Continuing with status checks.src/core/operations/validate.rs
warnImport: CRL check could not be completed ({e}), proceeding with {desired_state:?} statesrc/core/operations/import.rse, desired_state
warnThe UI index HTML folder does not contain an index.html file: {ui_index_html_folder:#?}src/config/params/server_params.rsui_index_html_folder
warnUnsupported Block Cipher Mode for AES: {x:?}. The Authenticated Encryption Tag will NOT be extracted.src/routes/kmip.rsx
warnUser-supplied keyUsage in extension config overrides the RFC-mandated PQC keyUsage extension (RFC 9881/9909/9935)src/core/operations/certify/build_certificate.rs
debug...unwrapping the key block with key uid: {unwrapping_key_uid} using an encryption oracle, user: {user}src/core/wrapping/unwrap.rsunwrapping_key_uid, user
debug...unwrapping the key block with key uid: {unwrapping_key_uid} using the KMS, user: {user}src/core/wrapping/unwrap.rsunwrapping_key_uid, user
debug...wrapping the key block with key uid: {wrapping_key_uid} using an encryption oracle, user: {user}src/core/wrapping/wrap.rswrapping_key_uid, user
debug...wrapping the key block with key uid: {wrapping_key_uid} using the KMS, user: {user}src/core/wrapping/wrap.rswrapping_key_uid, user
debug[kms-init] Failed to seed kms.keys.active.count: {e}src/core/kms/mod.rse
debug[kms-init] Failed to seed kms.objects.total: {e}src/core/kms/mod.rse
debug[metrics-cron] Failed to sync kms.keys.active.count: {}src/cron.rs
debug[metrics-cron] Failed to sync kms.objects.total: {}src/cron.rs
debug[metrics-cron] kms.keys.active.count synced to {}src/cron.rs
debug[metrics-cron] kms.objects.total synced to {}src/cron.rs
debug[metrics-cron] reconcile_all_object_counts failed: {}src/cron.rs
debugAPI Token Middleware: An authenticated user was found; there is no need to authenticate twice...src/middlewares/api_token/api_token_middleware.rs
debugDeriveKey: No derivation data provided - this may be acceptable if a Secret Data object identifier is providedsrc/core/operations/derive_key.rs
debugImport: certificate is revoked per CRL check, setting state to Compromisedsrc/core/operations/import.rs
debugJWT: An authenticated user was found; there is no need to authenticate twice...src/middlewares/jwt/jwt_middleware.rs
debugRequest bytes: {}src/routes/kmip.rs
debugRequest TTLV: {ttlv:#?}src/routes/kmip.rsttlv
debugResponse Message Bytes: {}src/routes/kmip.rs
debugResponse Message TTLV: {response_ttlv:#?}src/routes/kmip.rsresponse_ttlv
debugThe user: {user}, is authorized to wrap with the key {wrapping_key_uid}. Encoding: {:?}, format: {}src/core/wrapping/wrap.rsuser, wrapping_key_uid
debugThis is a {major}.{minor} Decrypt message. Extracting Authenticated Encryption Tag of length {len} from Data fieldsrc/routes/kmip.rsmajor, minor, len
traceCertify PublicKeyAndSubjectName:{unique_identifier}: public key: {from_public_key}src/core/operations/certify/certify_op.rsunique_identifier, from_public_key
traceciphertext: {ciphertext:?}, nonce: {nonce:?}, aad: {aad:?}, tag: {tag:?}, padding_method: {padding_method:?}src/core/operations/decrypt.rsciphertext, nonce, aad, tag, padding_method
traceenter export_get op={:?} req={}src/core/operations/export_get.rs×2 in this file
traceget_attribute_list uid={} refs=[{}]src/core/operations/attributes/get_list.rs
tracepost-process symmetric key uid={} final_format={:?}src/core/operations/export_get.rs
traceprocess_symmetric_key enter uid={} requested_format={:?} wrap_type={:?}src/core/operations/export_get.rs
traceprocess_symmetric_key exit uid={} final_format={:?}src/core/operations/export_get.rs
traceprocess_symmetric_key key_block initial format={:?} wrapped={} uid={}src/core/operations/export_get.rs
traceprocess_symmetric_key missing key_value structure uid={}src/core/operations/export_get.rs
traceprocess_symmetric_key set Raw uid={}src/core/operations/export_get.rs
traceprocess_symmetric_key set TransparentSymmetricKey uid={}src/core/operations/export_get.rs
traceprocessing symmetric key uid={} state={:?} requested_format={:?}src/core/operations/export_get.rs
traceRequest Message: {request_message}src/routes/kmip.rsrequest_message
traceResponse Message: {response_message}src/routes/kmip.rsresponse_message
traceretrieved object uid={} type={:?} state={:?} key_fmt={:?}src/core/operations/export_get.rs
traceuid_or_tags: {uid_or_tags:?}, user: {user}, operation_type: {operation_type:?}src/core/retrieve_object_utils.rsuid_or_tags, user, operation_type
errorFailed to convert Response TTLV to bytes: {}: TTLV:\n{:#?}src/routes/kmip.rs
warnFailed to process request:\n{response_message}src/routes/kmip.rsresponse_message
info\n{:?}src/routes/kmip.rs
traceJWK has been found:\n{jwk:?}src/middlewares/jwt/jwt_config.rsjwk
traceJWK has been found:\n{jwk:?}src/routes/google_cse/jwt.rsjwk
warnFailed to persist auto-deactivation of object {}: {}src/core/retrieve_object_utils.rs-×2 in this file
warnfailed to re-wrap dependant {dep_uid} with new key: {e}, skippingsrc/core/operations/rekey/common.rsdep_uid, e-
warnfailed to unwrap dependant {dep_uid}: {e}, skippingsrc/core/operations/rekey/common.rsdep_uid, e-
warnskipping re-wrap of dependant {dep_uid}: owned by '{}', not by '{owner}'src/core/operations/rekey/common.rsdep_uid, owner-
warnwrapped dependant {dep_uid} not found, skippingsrc/core/operations/rekey/common.rsdep_uid-
warn{}: keyset chain depth {} ≥ warn threshold {} for uid {}; consider re-encrypting with the latest keysrc/core/operations/key_ops/crypto_op.rs--
infoRekey finalized: old={} → new={}, user={user}src/core/operations/rekey/common.rsuser-
debug[auto-rotate-cron] Failed to build runtime: {}src/cron.rs--
debug[auto-rotate-cron] Running scheduled key auto-rotation checksrc/cron.rs--
debug[auto-rotate-cron] Shutdown signal received; stopping cron threadsrc/cron.rs--
traceAuto-deactivating object {} (deactivation_date {} <= now {})src/core/retrieve_object_utils.rs-×2 in this file
traceexecute_keyset_try_each: key {} failed for {}: {}src/core/operations/key_ops/crypto_op.rs--
traceHSM ReKey: old={uid} → new={new_uid} (slot={slot_id}, gen={new_gen}), user={user}src/core/operations/rekey/symmetric/hsm.rsuid, new_uid, slot_id, new_gen, user-
traceReCertify: {}src/core/operations/recertify.rs--
traceReKey: resolved keyset ref '{}' → '{}'src/core/operations/rekey/symmetric/mod.rs--
traceSetAttribute: clearing CKA_START_DATE / CKA_END_DATE on HSM key '{}' (rotation disabled)src/core/operations/attributes/set.rs--
traceSetAttribute: writing CKA_LABEL '{}' on HSM key '{}'src/core/operations/attributes/set.rs--
traceSetAttribute: writing CKA_START_DATE={} CKA_END_DATE={} on HSM key '{}'src/core/operations/attributes/set.rs--
tracewalk_keyset_chain: keyset '{}' has {} keys in chainsrc/core/uid_utils.rs--
warnui_session_salt is not configured — using a randomly generated ephemeral session key. Sessions will be invalidated on server restart and are not portable across instances. For persistent sessions and load-balanced deployments, set `ui_session_salt` (or KMS_UI_SESSION_SALT) to a strong random secret value.src/start_kms_server.rs--
traceFound valid JWK in JWKS at `{jwks_uri}`: {jwk:#?}src/middlewares/jwt/jwks.rsjwks_uri, jwk-
traceIgnoring invalid JWK in JWKS at `{jwks_uri}`: {e}: {v:#?}src/middlewares/jwt/jwks.rsjwks_uri, e, v-
tracePKCS#11 `C_CloseSession` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_Decrypt` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_DecryptFinal` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_DecryptInit` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_DecryptUpdate` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_DestroyObject` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_Encrypt` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_EncryptFinal` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_EncryptInit` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_EncryptUpdate` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_Finalize` failed: {e}src/core/operations/pkcs11.rse-
tracePKCS#11 `C_FindObjects` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_FindObjectsFinal` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_FindObjectsInit` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_GenerateKey` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_GenerateKeyPair` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_GenerateRandom` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_GetAttributeValue` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_GetInfo` failed: {e}src/core/operations/pkcs11.rse-
tracePKCS#11 `C_GetMechanismInfo` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_GetMechanismList` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_Initialize` called on already initialized library - treating as successsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_Initialize` failed: {e}src/core/operations/pkcs11.rse-
tracePKCS#11 `C_Login` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_Logout` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_OpenSession` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_SeedRandom` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_UnwrapKey` not yet implementedsrc/core/operations/pkcs11.rs--
tracePKCS#11 `C_WrapKey` not yet implementedsrc/core/operations/pkcs11.rs--
traceReKeyKeyPair: resolved keyset ref '{}' → '{}'src/core/operations/rekey/keypair/mod.rs--
warnfind_wrapped_by({old_uid}) failed — skipping re-wrap of dependants: {e}src/core/operations/rekey/common.rsold_uid, e-
warn[auto-rotate] Failed to query keys due for rotation: {e}src/core/operations/auto_rotate.rse-
warn[auto-rotate] Failed to re-arm rotation policy on replacement {new_uid}: {e}src/core/operations/auto_rotate.rsnew_uid, e-
warn[auto-rotate] Failed to retrieve key {uid}: {e}; skippingsrc/core/operations/auto_rotate.rsuid, e-
warn[auto-rotate] Failed to rotate key {uid} (owner={owner}): {e}src/core/operations/auto_rotate.rsuid, owner, e-
warn[auto-rotate] Key {uid} not found; skippingsrc/core/operations/auto_rotate.rsuid-
info[auto-rotate] Found {} key(s) due for rotationsrc/core/operations/auto_rotate.rs--
info[auto-rotate] Key {uid} (owner={owner}) rotation due in {days} day(s) (warning threshold: {threshold} days)src/core/operations/auto_rotate.rsuid, owner, days, threshold-
info[auto-rotate] Key {uid} (owner={owner}, algo={algorithm}) rotated successfullysrc/core/operations/auto_rotate.rsuid, owner, algorithm-
debug[auto-rotate] Failed to query keys for renewal warnings: {e}src/core/operations/auto_rotate.rse-
debug[auto-rotate] No keys due for rotation at {now}src/core/operations/auto_rotate.rsnow-
debug[auto-rotate] rotate_one_key returned: {e}src/core/operations/auto_rotate.rse-
debug[auto-rotate] Skipping HSM key {uid}src/core/operations/auto_rotate.rsuid-
debug[auto-rotate] Skipping {uid}: object type {other:?} has no auto-rotation supportsrc/core/operations/auto_rotate.rsuid, other-
debug[auto-rotate] Skipping {uid}: PublicKey is rotated as part of its paired PrivateKey rotationsrc/core/operations/auto_rotate.rsuid-
debugSetAttribute: implicitly enabling rotate_automatic for key '{}' (RotateInterval > 0 with no explicit RotateAutomatic)src/core/operations/attributes/set.rs--
warnAzure EKM JSON deserialization error: {err}src/routes/azure_ekm/mod.rserr-
warnJWKS endpoint enabled — all active public keys with the "jwks" tag will be publicly exposed (unauthenticated) at `{kms_public_url}/.well-known/jwks.json`. Up to {} keys will be served. Ensure this is intentional. Configure via the `[jwks_endpoint]` section in the server configuration file.src/start_kms_server.rskms_public_url-
warnJWKS response truncated: more than {} eligible public keys foundsrc/routes/jwks.rs--
warnKey uid={uid} found by Locate but missing on retrieve — skippingsrc/routes/jwks.rsuid-
warnSkipping key uid={uid} from JWKS (conversion failed): {e}src/routes/jwks.rsuid, e-
infoGET /.well-known/jwks.jsonsrc/routes/jwks.rs--
traceDELETE /v1/crypto/keys/{kid}/tagssrc/routes/jose/tags.rskid-
traceGET /v1/crypto/keys/{kid}/tagssrc/routes/jose/tags.rskid-
traceJWKS key order is database insertion order — not stable across restarts or backends. Returning {} eligible key(s); consumers must match by `kid`, not position.src/routes/jwks.rs--
tracePOST /v1/crypto/keys/{kid}/tagssrc/routes/jose/tags.rskid-
errorFailed to serialize response to JSON: {e}src/routes/kmip.rse-
infohttp_workers not configured; defaulting to total core count ({total})src/start_kms_server.rstotal-
infoKMS HTTP server configured with {http_workers} worker thread(s)src/start_kms_server.rshttp_workers-
debugPOST /kmip {}.{} Binary. Request: {:?} {}src/routes/kmip.rs--
debugPOST /kmip {}.{} JSON. Request: {:?} {}src/routes/kmip.rs--
debugPOST /kmip/2_1. Request: {:?} {}src/routes/kmip.rs--
warnJOSE CEK cache insert error for {uid}: {e}src/routes/jose/cek_cache.rsuid, e-
warnJOSE CEK cache peek error for {uid}: {e}src/routes/jose/cek_cache.rsuid, e-
warnJOSE CEK cache: failed to construct KMIP SymmetricKey: {e}src/routes/jose/cek_cache.rse-
warnJOSE CEK cache: unexpected CEK length {other} bytes — not an AES-128/192/256 keysrc/routes/jose/cek_cache.rsother-
warnJOSE CEK cache: unexpected object type for {uid}src/routes/jose/cek_cache.rsuid-
debugJOSE CEK cache hit for {uid}src/routes/jose/cek_cache.rsuid-
debugJOSE CEK cached for {uid}src/routes/jose/cek_cache.rsuid-
debugTLS: an authenticated user was already present; skipping certificate checksrc/middlewares/tls_auth.rs--

cosmian_kms_server_database

Crate path: crate/server_database RUST_LOG target: cosmian_kms_server_database

LevelMessageFileVariablesNotes
debugEmpty Redis database detected. Initializing a new database instance.src/stores/redis/redis_with_findex.rs--
debugExisting Redis database detected (version {version}). Using current database.src/stores/redis/redis_with_findex.rsversion: version-
debugListed {} rowssrc/stores/sql/mysql.rs-×2 in this file
debugOwner = {}src/stores/sql/mysql.rs--
debugPG find query: {}src/stores/sql/pgsql.rs--
debugUid = {}src/stores/sql/mysql.rs--
traceCreated in DB: {uid} / {owner}src/stores/sql/mysql.rsuid — …
owner — …
traceDeleted in DB: {uid}src/stores/sql/mysql.rsuid — …
tracefind: tags: {tags:?}src/stores/redis/redis_with_findex.rstags — …
tracefind: uids before permissions: {:?}src/stores/redis/redis_with_findex.rs
tracefind: user must be ownersrc/stores/redis/redis_with_findex.rs
tracefind_: {:?}src/stores/sql/mysql.rs
traceInsert read access right in DB: {uid} / {userid}src/stores/sql/mysql.rsuid — …
userid — …
traceInvalidating the cache for {}src/core/unwrapped_cache.rs
traceRedis DB size: {count}src/stores/redis/redis_with_findex.rscount — …
traceUpdated in DB: {uid}src/stores/sql/mysql.rsuid — …×2 in this file
traceUpserted in DB: {uid}src/stores/sql/mysql.rsuid — …
debug[redis-bootstrap] skipping key {key}: {e}src/stores/redis/objects_db.rskey, e×2 in this file
debug[redis-metrics] reconcile: live_objects={live_count}, non_destroyed_keys={key_count}src/stores/redis/redis_with_findex.rslive_count, key_count
debug[redis-metrics] bootstrapped {} live object(s) into `{}`src/stores/redis/redis_with_findex.rs--
debug[redis-metrics] bootstrapped {} non-destroyed key(s) into `{}`src/stores/redis/redis_with_findex.rs--
debug[redis-scan-rotation] skipping key {key}: {e}src/stores/redis/objects_db.rskey, e-
warnPostgreSQL BEGIN failed — retryingsrc/stores/sql/pgsql.rsattempt, delay_ms, error-
warnPostgreSQL COMMIT failed — retryingsrc/stores/sql/pgsql.rsattempt, delay_ms, error-
warnPostgreSQL pool error — retryingsrc/stores/sql/pgsql.rsattempt, delay_ms, error-
warnPostgreSQL retryable error — retryingsrc/stores/sql/pgsql.rsattempt, delay_ms, error-
warnPostgreSQL transaction body failed — retryingsrc/stores/sql/pgsql.rsattempt, delay_ms, error-
warnwrapping_key_id backfill: skipping object that failed to deserializesrc/stores/sql/sqlite.rs--
warnwrapping_key_id backfill: skipping object that failed to deserializesrc/stores/sql/pgsql.rs--
warnwrapping_key_id backfill: skipping object {id} that failed to deserialize: {e}src/stores/sql/mysql.rsid, e-
debug[redis-scan-wrapped] skipping key {key}: {e}src/stores/redis/objects_db.rskey, e-

cosmian_kms_crypto

Crate path: crate/crypto RUST_LOG target: cosmian_kms_crypto

LevelMessageFileVariablesNotes
errorError verifying ({:?}) signature: {:?}, data: {:?}, error: {err:?}src/crypto/rsa/verify.rserr: error detail-
errorError verifying digest ({:?}) signature: {:?}, data: {:?}, error: {err:?}src/crypto/rsa/verify.rserr: error detail×2 in this file
errorError verifying raw ({:?}) signature: {:?}, data: {:?}, error: {err:?}src/crypto/rsa/verify.rserr: error detail-
warntest_openssl_cli_compat: openssl CLI call failed, skipping test: {output:#?}src/crypto/rsa/ckm_rsa_aes_key_wrap.rsoutput: output-
warntest_openssl_cli_compat: openssl CLI not found, skipping testsrc/crypto/rsa/ckm_rsa_aes_key_wrap.rs--
warntest_openssl_cli_compat: openssl CLI output is not valid UTF-8src/crypto/rsa/ckm_rsa_aes_key_wrap.rs--
info===> Wrapping asymmetric key with asymmetric keysrc/crypto/wrap/tests.rs--
info===> Wrapping asymmetric key with symmetric keysrc/crypto/wrap/tests.rs--
info===> Wrapping symmetric key with asymmetric keysrc/crypto/wrap/tests.rs--
info===> Wrapping symmetric key with symmetric keysrc/crypto/wrap/tests.rs--
infovalue is: {:?}src/openssl/x509_extensions.rs-×2 in this file
debugattribute: {attribute:?}, encryption_hint: {encryption_hint:?}src/crypto/cover_crypt/access_structure.rsattribute: KMIP attribute (debug display)
encryption_hint: encryption hint
-
debugcreate_dk_object: key len: {}, attributes: {attributes}src/crypto/kem.rsattributes: KMIP attribute (debug display)s-
debugcreate_msk_object: key len: {}, attributes: {attributes}src/crypto/cover_crypt/master_keys.rsattributes: KMIP attribute (debug display)s-
debugDecrypted data with user key {} of len (Plain/Enc): {}/{}src/crypto/cover_crypt/decryption.rs--
debugEncrypted data with auth data {:?} of len (Plain/Enc): {}/{}src/crypto/cover_crypt/encryption.rs--
debugRSA key pair generated: private key id: {private_key_uid}src/crypto/rsa/operation.rsprivate_key_uid: private key uid-
debugRSA key pair generation: size in bits: {key_size_in_bits}src/crypto/rsa/operation.rskey_size_in_bits: RSA key size in bits-
debugserver: access_structure: {access_structure:?}src/crypto/cover_crypt/master_keys.rsaccess_structure: Covercrypt access structure-
debugusing GCMsrc/crypto/wrap/wrap_key.rs--
debugwrapping with CKM_RSA (v1.5)src/crypto/wrap/wrap_key.rs--
debugwrapping with CKM_RSA_AES_KEY_WRAP and hashing function: {hashing_fn}src/crypto/wrap/wrap_key.rshashing_fn: hash function-
debugwrapping with CKM_RSA_OAEP and hashing function: {hashing_fn}src/crypto/wrap/wrap_key.rshashing_fn: hash function-
traceAccess Policy: {access_policy:?}src/crypto/cover_crypt/user_key.rsaccess_policy — …
traceauthenticated_encryption_additional_data: {ad:?}src/crypto/cover_crypt/encryption.rsad — …
tracebytes len: {:?}, bits: {}src/crypto/elliptic_curves/operation.rs×2 in this file
tracebytes len: {}, bits: {}src/crypto/rsa/operation.rs×2 in this file
traceChaCha20 (pure) encryption: key_len={}, nonce_len={}, pt_len={}src/crypto/symmetric/symmetric_ciphers.rs
traceCreated user decryption key with access policy: {access_policy:?}src/crypto/cover_crypt/user_key.rsaccess_policy — …
tracedecrypt: ad: {ad:?}src/crypto/cover_crypt/decryption.rsad — …
traceEd25519src/crypto/elliptic_curves/ecies/salsa_sealbox.rs
traceencrypted_bytes len: {}src/crypto/cover_crypt/decryption.rs
traceencrypted_header parsedsrc/crypto/cover_crypt/decryption.rs
traceencryption_policy: {ap:?}src/crypto/cover_crypt/encryption.rsap — …×2 in this file
traceinstantiate enteringsrc/crypto/cover_crypt/decryption.rs
traceInstantiated hybrid Covercrypt encipher for public key id: {public_key_uid}src/crypto/cover_crypt/encryption.rspublic_key_uid — …
traceKey format type: convert Rsa<Public> openssl objectsrc/openssl/public_key.rs
traceKey format type: TransparentDSAPublicKeysrc/openssl/public_key.rs
traceKey format type: TransparentRSAPublicKeysrc/openssl/public_key.rs
tracekey_wrapping_specification: {}src/crypto/wrap/wrap_key.rs
tracenonce_len={}, tag_len={}src/crypto/wrap/wrap_key.rs
traceoutput object: {output}src/crypto/rsa/operation.rsoutput — …
traceprivate key converted OKsrc/crypto/elliptic_curves/operation.rs
tracepublic key converted OKsrc/crypto/elliptic_curves/operation.rs
traceRefreshed user decryption key {usk:?}src/crypto/cover_crypt/user_key.rsusk — …
traceusing RFC-3394 (AES Key Wrap, no padding)src/crypto/wrap/wrap_key.rs
traceusing RFC-5649 (AES Key Wrap with Padding)src/crypto/wrap/wrap_key.rs
tracewith object type: {:?}src/crypto/wrap/wrap_key.rs
tracewrapping key: format={}src/crypto/wrap/wrap_key.rs
traceX25519src/crypto/elliptic_curves/ecies/salsa_sealbox.rs
trace{}src/openssl/public_key.rs
warntest_openssl_cli_compat: openssl version is not OpenSSL 3: {res}, skipping testsrc/crypto/rsa/ckm_rsa_aes_key_wrap.rsres
info\n\next: {:?}src/openssl/x509_extensions.rs×2 in this file
debugInstantiated hybrid CoverCrypt decipher for user decryption key id: {user_decryption_key_uid}src/crypto/cover_crypt/decryption.rsuser_decryption_key_uid
debugsymmetric wrapping using {cryptographic_algorithm} and block_cipher_mode: {:?}, padding_method: {:?}src/crypto/wrap/wrap_key.rscryptographic_algorithm
tracealgorithm: {algorithm:?}, block_cipher_mode: {block_cipher_mode:?}, key_size: {key_size}src/crypto/symmetric/symmetric_ciphers.rsalgorithm, block_cipher_mode, key_size
traceencrypt: sym_cipher: {sym_cipher:?}, key length: {}, nonce length: {}, aad length: {}, plaintext length: {}, padding_method: {padding_method:?}src/crypto/symmetric/symmetric_ciphers.rssym_cipher, padding_method
warnignored `basicConstraints` extension's value: {value}src/openssl/x509_extensions.rsvalue-
infoRFC 3394 is deprecated in favor of RFC 5649 and is supported only for legacy compatibility. Please consider using `BlockCipherMode::AESKeyWrapPadding` (RFC 5649) for new applications instead of `BlockCipherMode::NISTKeyWrap `.src/crypto/symmetric/symmetric_ciphers.rs-×2 in this file

cosmian_kmip

Crate path: crate/kmip RUST_LOG target: cosmian_kmip

LevelMessageFileVariablesNotes
warnCustom attribute name does not start with 'x-' or 'y-': {}src/kmip_1_4/kmip_attributes.rs--
warnFailed to deserialize KMIP 2.1 attribute: {}src/kmip_1_4/kmip_attributes.rs--
warnKMIP 1.4 Lease Time ({v}) exceeds i32::MAX; clamping to {}src/kmip_1_4/kmip_attributes.rsv: parsed value×2 in this file
warnKMIP 2.1 does not support the KMIP 1 attribute {attribute:?}src/kmip_1_4/kmip_attributes.rsattribute: KMIP attribute (debug display)×9 in this file
warnUnexpected value type for y-unsupported-2_1-attribute: {:?}src/kmip_1_4/kmip_attributes.rs--
debug[serialize] writing tag: {}src/ttlv/wire/ttlv_bytes_serializer.rs--
debugConverting KMIP 2.1 QueryResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue: value-
trace... => This is an Object => identifier: key: Objectsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... added a struct field: {key}, the parent struct is now: {:?}src/ttlv/kmip_ttlv_serializer.rskey — …
trace... assuming deserialization of BigInteger: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... assuming deserialization of ByteString: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... coerced ShortUniqueIdentifier ByteString -> hex string: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... coerced {} Enumeration(code={}) -> stringsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... coerced {} Enumeration(name={}) -> stringsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... coerced {} Integer({}) -> stringsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... deserializing an adjacently tagged structuresrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... deserializing enum at rootsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... deserializing enum that is the only child of the current elementsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... deserializing transparent seq with tag: {tag}src/ttlv/kmip_ttlv_deserializer/deserializer.rstag — …
trace... detected VendorAttribute triple children; deserializing element itself as enum variantsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... enum: index: {:#x}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... enum: name: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... identifier: key: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... Seq element added, the current parent value is: {:?}src/ttlv/kmip_ttlv_serializer.rs
trace... str: key: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... structure recognized as byte-like; concatenated len={} for tag {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... structure: 1.4 Objectsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... structure: 2.1 Objectsrc/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... structure: tag: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... tag: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace... text string: value: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
trace===> KeyMaterial: Deserializing Bytes String for key format type: {:?}src/kmip_2_1/kmip_data_structures.rs×2 in this file
trace===> KeyMaterial: Deserializing key format type: {f:?} as structsrc/kmip_1_4/kmip_data_structures.rsf — …
trace===> KeyMaterial: Deserializing Structure for key format type: {f:?}src/kmip_2_1/kmip_data_structures.rsf — …
trace===> KeyMaterial: Deserializing {:?} key format type as seqsrc/kmip_1_4/kmip_data_structures.rs
trace==> Deserializing KeyBlocksrc/kmip_1_4/kmip_data_structures.rs
trace==> Deserializing KeyBlocksrc/kmip_2_1/kmip_data_structures.rs
tracearray_access: next_element_seed in seq: {}, current index: {}, elem at index: {:?}src/ttlv/kmip_ttlv_deserializer/array_deserializer.rs
traceChecking usage mask authorization {:?} for flag: {:?}src/kmip_2_1/kmip_attributes.rs
traceConverting KMIP 2.1 CreateKeyPairResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 CreateResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 DecryptResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 DestroyResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 EncryptResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 GetAttributesResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 GetResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 ImportResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 LocateResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 RegisterResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
traceConverting KMIP 2.1 SignResponse to KMIP 1.4: {value}src/kmip_1_4/kmip_operations.rsvalue — …
tracecurrent struct: {}, num children: {}, next child {:?}src/ttlv/kmip_ttlv_deserializer/structure_walker.rs
tracedeserialize_any of enum variant: name: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_any of enum variant: value: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_any value of BigInt: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_any value of Structure: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_any: map access state: key, tag: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_any: map access state: {:?}, index: {}, child: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_any: state: {:?}src/ttlv/kmip_ttlv_deserializer/kmip_big_int_deserializer.rs
tracedeserialize_bool: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_bytes: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_bytes_buff: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_char: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_enum: name {name}, element: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rsname — …
tracedeserialize_f32: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_f64: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_i128: element: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_i16 state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_i32: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_i64: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_identifier: map state: {:?}, element: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_ignored_any: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_map: calling Untagged Enum deserializer for: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_new_type_struct with name: {name}, state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rsname — …
tracedeserialize_option: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_seq: child index: {}: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_seq: state: {:?}src/ttlv/kmip_ttlv_deserializer/kmip_big_int_deserializer.rs
tracedeserialize_str: map state: {:?}, element tag: {}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_string: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_struct: name {name}, fields: {fields:?}, element: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rsname — …
fields — …
tracedeserialize_tuple: child index: {}, current : {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_tuple: state: {:?}src/ttlv/kmip_ttlv_deserializer/kmip_big_int_deserializer.rs
tracedeserialize_tuple_struct: name: {name}, len: {len}, state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rsname — …
len — …
tracedeserialize_u16: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_u32: state: {}: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_u64: state: {}: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_u8: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_unit: state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rs
tracedeserialize_unit_struct with name: {name}, state: {:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rsname — …
tracedeserializing bytes string at tag: {}, of len: {}src/ttlv/kmip_ttlv_deserializer/byte_string_deserializer.rs
tracedeserializing OffsetDateTime at tag: {}, value: {}, index: {}src/ttlv/kmip_ttlv_deserializer/offset_date_time_deserializer.rs
traceelement: {:?}src/ttlv/kmip_ttlv_deserializer/enum_walker.rs
traceelement: {:?}src/ttlv/kmip_ttlv_deserializer/structure_walker.rs
traceFinished serializing byte sequence as ByteString, parent: {:?}src/ttlv/kmip_ttlv_serializer.rs
traceFinished serializing the sequence, the parent is: {:?}src/ttlv/kmip_ttlv_serializer.rs
tracefrom_ttlv: {s:?}src/ttlv/kmip_ttlv_deserializer/deserializer.rss — …
traceKey: State ? {:?}src/ttlv/kmip_ttlv_deserializer/adjacently_tagged_structure.rs
tracekey_wrap_type: {key_wrap_type:?}, attributes: {attributes}src/kmip_2_1/requests/import.rskey_wrap_type — …
attributes — …
traceMessageBatchItem operation: {operation:?}src/kmip_1_4/kmip_messages.rsoperation — …
traceMessageBatchItem operation: {operation:?}src/kmip_2_1/kmip_messages.rsoperation — …
traceMessageBatchItem request payload: {request_payload}src/kmip_1_4/kmip_messages.rsrequest_payload — …
traceMessageBatchItem request payload: {request_payload}src/kmip_2_1/kmip_messages.rsrequest_payload — …
traceMessageResponseBatchItem operation: {operation:?}src/kmip_1_4/kmip_messages.rsoperation — …
traceMessageResponseBatchItem operation: {operation:?}src/kmip_2_1/kmip_messages.rsoperation — …
traceMessageResponseBatchItem response payload: {response_payload}src/kmip_1_4/kmip_messages.rsresponse_payload — …
traceMessageResponseBatchItem response payload: {response_payload}src/kmip_2_1/kmip_messages.rsresponse_payload — …
tracenewtype_variant_seed: child index: {}, at root: {}, current tag: {:?}src/ttlv/kmip_ttlv_deserializer/enum_walker.rs
traceNot a BulkDatasrc/kmip_2_1/extra/bulk_data.rs
traceObject Visitor: visit_map: key: {key:?},src/kmip_1_4/kmip_objects.rskey — …
traceObject Visitor: visit_map: key: {key:?},src/kmip_2_1/kmip_objects.rskey — …
traceSeq Element: serializing a seq element with tag {}, stack is: {:?}src/ttlv/kmip_ttlv_serializer.rs
traceseq_access: next_element_seed: state: {:?}src/ttlv/kmip_ttlv_deserializer/kmip_big_int_deserializer.rs
traceserialize_map of len: {len:?}. Current: {:?}src/ttlv/kmip_ttlv_serializer.rslen — …
traceserialize_newtype_variant, name: {name}::{variant} (variant index: {variant_index})src/ttlv/kmip_ttlv_serializer.rsname — …
variant — …
variant_index — …
traceserialize_seq of len: {len:?} in receiver: {:?}src/ttlv/kmip_ttlv_serializer.rslen — …
traceserialize_seq of len: {len:?} in receiver: {:?} (byte accumulation mode)src/ttlv/kmip_ttlv_serializer.rslen — …
traceserialize_struct named: {name} in parent: {:?}src/ttlv/kmip_ttlv_serializer.rsname — …
traceserialize_struct, no parent found, creating a new one with tag: {}src/ttlv/kmip_ttlv_serializer.rs
traceserialize_tuple of len {len}. Current: {:?}src/ttlv/kmip_ttlv_serializer.rslen — …
traceserialize_tuple_struct {name} of len {len}. Current: {:?}src/ttlv/kmip_ttlv_serializer.rsname — …
len — …
traceserialize_unit_variant, name: {name}::{variant}; variant_index: {variant_index}src/ttlv/kmip_ttlv_serializer.rsname — …
variant — …
variant_index — …
traceserializing a struct field with name: {key}, stack: {:?}src/ttlv/kmip_ttlv_serializer.rskey — …
tracestruct_variant with fields: {fields:?}: state: {:?}src/ttlv/kmip_ttlv_deserializer/enum_walker.rsfields — …
traceStructure finalized, stack: {:?}src/ttlv/kmip_ttlv_serializer.rs
tracetag: {:?}, content: {:?}src/ttlv/kmip_ttlv_deserializer/adjacently_tagged_structure.rs
tracetuple_variant of len: {len}, child index: {}, current: {:?}src/ttlv/kmip_ttlv_deserializer/enum_walker.rslen — …
traceunique_identifier: {unique_identifier}src/kmip_2_1/requests/import.rsunique_identifier — …
traceunit_variant: child index: {}, current: {:?}src/ttlv/kmip_ttlv_deserializer/enum_walker.rs
traceUntagged Enum map: next_value_seed: current tag: {:?}, at root: {}src/ttlv/kmip_ttlv_deserializer/untagged_enum_walker.rs
traceValue: State ? {:?}src/ttlv/kmip_ttlv_deserializer/adjacently_tagged_structure.rs
tracevisit_f64: {}src/ttlv/deserialize.rs
tracevisit_i64: {}src/ttlv/deserialize.rs
tracevisit_map: Enumerationsrc/ttlv/deserialize.rs
tracevisit_str: {}src/ttlv/deserialize.rs
tracevisit_u64: {}src/ttlv/deserialize.rs
trace... replacing "Object" with: {name}src/ttlv/kmip_ttlv_serializer.rsname
traceserialize_seq, no parent found. This is a direct vec![] serialization. Creating a new one with tag: {}src/ttlv/kmip_ttlv_serializer.rs
traceserialize_struct_variant {name}::{variant} (variant index: {variant_index}) of len {len}. Current: {:?}src/ttlv/kmip_ttlv_serializer.rsname, variant, variant_index, len
traceserialize_tuple_variant {name}::{variant} (variant index: {variant_index}) of len {len}. Current: {:?}src/ttlv/kmip_ttlv_serializer.rsname, variant, variant_index, len
traceUntagged Enum map: next_key_seed: completed?: {}, at root: {}, index: {}, current tag: {:?}src/ttlv/kmip_ttlv_deserializer/untagged_enum_walker.rs

cosmian_kms_interfaces

Crate path: crate/interfaces RUST_LOG target: cosmian_kms_interfaces

LevelMessageFileVariablesNotes
errorFailed to decode object_id {}src/hsm/hsm_store.rs-Malformed object ID in PKCS#11 session. Key may have been created by a different client.
debugCreated HSM AES Key of length {key_length} with id {uid}src/hsm/hsm_store.rskey_length: key length
uid: KMIP object UID
-
debugCreating RSA keypair with uid: {uid}src/hsm/hsm_store.rsuid: KMIP object UID-
debugHSM find: incompatible filter, skipping HSM search: {e}src/hsm/hsm_store.rse: caught error-
debugIs {owner} an HSM admin? {}src/hsm/hsm_store.rsowner: object owner identity-
debugNo researched_attributes provided. Defaulting to empty filter attributessrc/hsm/hsm_store.rs--
debugsign: using algorithm {algorithm:?} for key {uid}src/hsm/hsm_store.rsalgorithm: cryptographic algorithm
uid: KMIP object UID
-
debugUser '{}' is not an HSM admin; skipping HSM keys for ownership querysrc/hsm/hsm_store.rs--
debugUsing default algorithm to decryptsrc/hsm/hsm_store.rs--
debugUsing default algorithm to encryptsrc/hsm/hsm_store.rs--
debug{e}src/hsm/hsm_store.rse: caught error-
traceFound: {uid}src/hsm/hsm_store.rsuid — …
traceGetting metadata for: {:02X?}src/hsm/hsm_store.rs
warncount_all_non_destroyed not implemented for this ObjectsStore backend — kms.objects.total will read 0 until a real implementation is providedsrc/stores/objects_store.rs
warncount_non_destroyed_keys not implemented for this ObjectsStore backend — kms.keys.active.count will read 0 until a real implementation is providedsrc/stores/objects_store.rs
warnHSM count_non_destroyed_keys: failed to list slots: {e}src/hsm/hsm_store.rse
warnModifyAttribute/SetAttribute on HSM key {uid}: attribute update accepted but not persisted to PKCS#11 slot (HSM does not support KMIP attribute storage)src/hsm/hsm_store.rsuid
debugencrypt: an RSA private key {uid} was specified. Trying to use public key {pk_uid} for encryptionsrc/hsm/hsm_store.rsuid, pk_uid
debugHSM count_non_destroyed_keys: slot {slot_id} query failed: {e}src/hsm/hsm_store.rsslot_id, e
debugHSM key {uid} export failed ({e}); falling back to metadata-only stub for attribute operationssrc/hsm/hsm_store.rsuid, e

cosmian_kms_access

Crate path: crate/access RUST_LOG target: cosmian_kms_access

No production log call-sites in this crate.

cosmian_kms_base_hsm

Crate path: crate/hsm/base_hsm RUST_LOG target: cosmian_kms_base_hsm

LevelMessageFileVariablesNotes
warnHSM library already initialized (CKR_CRYPTOKI_ALREADY_INITIALIZED); continuingsrc/hsm_lib.rs--
warnuser already logged in, ignoring loggingsrc/slots.rs--
debugCreating new session: {session_handle}. Logging in? {logging_in}src/session/session_impl.rssession_handle: session handle
logging_in: logging in
-
debugFound {} possible handlessrc/session/session_impl.rs--
debugInvalid object, skippingsrc/kms_hsm.rs--
debugLogging in session {session_handle} with passwordsrc/slots.rssession_handle: session handle-
debugOpening a session on slot: {slot_id}. Read write? {read_write}. Logging in? {}src/slots.rsslot_id: PKCS#11 slot identifier
read_write: read write
-
debugPerforming multi round AES CBC decryptionsrc/session/session_impl.rs--
debugPerforming multi round AES CBC encryptionsrc/session/session_impl.rs--
debugRetrieved HSM key type for key handle {key_handle}: {key_type:?}src/session/session_impl.rskey_handle: key handle
key_type: key type
-
debugRetrieving HSM key attributes for key handle: {key_handle}src/session/session_impl.rskey_handle: key handle-
debugReusing slot {slot_id}src/base_hsm.rsslot_id: PKCS#11 slot identifier-
debugUsing PKCS#11 library with {:?}src/base_hsm.rs--
traceDoing round with {round_length} bytes. {processed_length} of {total_length} donesrc/session/session_impl.rsround_length — …
processed_length — …
total_length — …
×2 in this file
traceFound {object_count} objectssrc/session/session_impl.rsobject_count — …
debugOAEP hash {hash} not supported: {e}src/session/session_impl.rshash, e-

Domain: CLI (ckms)

cosmian_kms_cli_actions

Crate path: crate/clients/clap RUST_LOG target: cosmian_kms_cli_actions

LevelMessageFileVariablesNotes
info[{email}] - certificate ID used: {certificate_unique_identifier}src/actions/google/key_pairs/create.rsemail: Google Workspace user email
certificate_unique_identifier: KMS UID of the certificate
-
info[{email}] - Import PKCS12 file before using it in Google key pair generationsrc/actions/google/key_pairs/create.rsemail: Google Workspace user email-
infoModifyAttributes response for {effective_uid}: {attribute}src/actions/attributes/modify.rseffective_uid: resolved KMIP object UID
attribute: updated attribute name and value
-
infoSetAttributes response for {unique_identifier}: {attribute}src/actions/attributes/set.rsunique_identifier: KMIP object UID
attribute: attribute name and value that was set
-
debug{decrypt_request}src/actions/cover_crypt/decrypt.rsdecrypt_request: full Covercrypt decrypt request (debug display)-
debug{encrypt_request}src/actions/cover_crypt/encrypt.rsencrypt_request: full Covercrypt encrypt request (debug display)-
debugaccess_structure: {access_structure}src/actions/cover_crypt/keys/create_key_pair.rsaccess_structure: Covercrypt access structure (debug display)-
debugCreating new leaf certificate with attributes: {attributes}src/actions/google/key_pairs/create.rsattributes: X.509 certificate attributes being submitted-
debugGetAttributes response for {unique_identifier}: {attributes}src/actions/attributes/get.rsunique_identifier: KMIP object UID
attributes: structured attributes response
-
debugimport certificate as {format_label} filesrc/actions/certificates/import_certificate.rsformat_label: certificate format name (e.g. PEM, DER)-
debugimport certificate as PKCS12 filesrc/actions/certificates/import_certificate.rs--
debugimport certificate chain as PEM filesrc/actions/certificates/import_certificate.rs--
trace{self}src/actions/attributes/delete.rsself — full delete action configuration (debug display)
trace{self}src/actions/attributes/get.rsself — full get-attributes action configuration (debug display)
trace{self}src/actions/attributes/modify.rsself — full modify action configuration (debug display)
trace{self}src/actions/attributes/set.rsself — full set-attributes action configuration (debug display)
trace{self}src/actions/certificates/export_certificate.rsself — full export action configuration (debug display)
trace{self}src/actions/certificates/import_certificate.rsself — full import action configuration (debug display)
trace{id}src/actions/shared/get_key_uid.rsid — resolved KMIP object UID
tracedata_encryption_algorithm: {data_encryption_algorithm}src/actions/symmetric/encrypt.rsdata_encryption_algorithm — selected symmetric encryption algorithm
traceDetermine the certificate to use - either existing or newly createdsrc/actions/google/key_pairs/create.rs
traceimport certificate as TTLV JSON filesrc/actions/certificates/import_certificate.rs
traceresponse for {unique_identifier}: <none>src/actions/attributes/delete.rsunique_identifier — KMIP object UID (no attribute was present)
traceunwrap using server-side HSM crypto oracle for key: {key_id}src/actions/shared/unwrap_key.rskey_id — UID of the key being unwrapped via the HSM crypto oracle
info[{email}] - Generating new leaf certificate with extensions file: {:?}src/actions/google/key_pairs/create.rsemail
debugGetAttributes response for {unique_identifier}: {}src/actions/attributes/get.rsunique_identifier
debugMoveFileExW(DELAY_UNTIL_REBOOT) failed for '{}'; leftover file is harmless.src/actions/cng.rs
tracedek (len={}): {dek:?}src/actions/symmetric/encrypt.rsdek
tracedek length {}src/actions/symmetric/decrypt.rs×2 in this file
traceencapsulation length {}src/actions/symmetric/decrypt.rs
traceencryption algorithm {:?}, key id {:?}, ciphertext (len={}): {:?}src/actions/symmetric/decrypt.rs
traceLeaf certificate attributes: {}src/actions/certificates/import_certificate.rs
tracepkcs7_object: {:?}src/actions/google/key_pairs/create.rs
traceresponse for {unique_identifier}: {}src/actions/attributes/delete.rsunique_identifier
tracewrapped_key_bytes: {:?}src/actions/google/key_pairs/create.rs

ckms

Crate path: crate/clients/ckms RUST_LOG target: ckms

LevelMessageFileVariablesNotes
infoStarting KMS CLIsrc/commands.rs--
infoStarting KMS CLI configuration wizardsrc/commands.rs--
debugLoading configuration from: {conf_path_buf}src/config.rsconf_path_buf: filesystem path of the configuration file being loaded-
traceConfiguration: {config}src/commands.rsconfig — full resolved CLI configuration (pretty debug display)
infoConfiguration saved at {}src/commands.rs

cosmian_kms_client

Crate path: crate/clients/client RUST_LOG target: cosmian_kms_client

LevelMessageFileVariablesNotes
infoGET {server_url}src/kms_rest_client.rsserver_url: full URL of the GET request being sent-
infoThe decrypted file is available at {output_file}src/file_utils.rsoutput_file: path to the decrypted output file×2 in this file
infoThe encrypted file is available at {output_file}src/file_utils.rsoutput_file: path to the encrypted output file×2 in this file
infoUsing server URL: {}src/http_client/client.rs
trace<==\n{}src/kms_rest_client.rs×2 in this file
trace==>\n{}src/kms_rest_client.rs×2 in this file
warnFailed to set TLS 1.2 cipher list '{}' (using defaults): {}src/http_client/tls.rs
warnFailed to set TLS 1.3 ciphersuites '{}' (using defaults): {}src/http_client/tls.rs
warnUnknown TLS 1.2 IANA cipher suite '{}' (skipping)src/http_client/tls.rs
infoUsing proxy: {:?}src/http_client/client.rs
debugCONNECT tunnel established: {target_host}:{target_port}src/http_client/proxy.rstarget_host, target_port
debugCONNECT tunnel: {proxy_addr} → {target_host}:{target_port}src/http_client/proxy.rsproxy_addr, target_host, target_port
traceError response on {endpoint}: status={status}, body={text}src/kms_rest_client.rsendpoint, status, text
warnckms config: `{}` is deprecated — rename it to `{}` in your ckms.toml to silence this warning.src/http_client/client.rs--

cosmian_kms_client_utils

Crate path: crate/clients/client_utils RUST_LOG target: cosmian_kms_client_utils

LevelMessageFileVariablesNotes
infoWARNING: the PEM file contains multiple objects. Only the private key will be imported. A corresponding public key will be generated automatically.src/import_utils.rs

Domain: PKCS#11

cosmian_pkcs11

Crate path: crate/clients/pkcs11/provider RUST_LOG target: cosmian_pkcs11

LevelMessageFileVariablesNotes
errorC_GetFunctionList: failed to instantiate base KMS client: {}src/lib.rs-PKCS#11 module failed to create the KMS client on load. Check server URL and auth in ckms.toml.
errorFailed to parse EC P256 public key: {:?}src/pkcs11_public_key.rs-HSM returned a malformed EC P256 key. Verify key generation parameters.
errorFailed to parse RSA private key: {:?}src/pkcs11_private_key.rs--
errorFailed to parse RSA public key: {:?}src/pkcs11_public_key.rs--
errorPublic key is not an EC P256 keysrc/pkcs11_private_key.rs--
errorPublic key is not an EC P256 keysrc/pkcs11_public_key.rs--
errorPublic key is not an RSA keysrc/pkcs11_public_key.rs--
errorremote_sign failed for Pkcs11PrivateKey with remote_id {}: {e}src/pkcs11_private_key.rse: caught errorRemote signing via PKCS#11 failed. Check KMS connectivity and key permissions.
errorUnsupported cryptographic algorithm: {:?}src/kms_object.rs--
errorUnsupported key algorithm: {:?}src/kms_object.rs--
errorverify not implemented for Pkcs11PublicKeysrc/pkcs11_public_key.rs--
warncreate_private_key_from_id: {id} has type {:?} (expected PrivateKey), skippingsrc/backend.rsid: object ID-
warncreate_symmetric_key_from_id: {id} has type {:?} (expected SymmetricKey), skippingsrc/backend.rsid: object ID-
debugdecrypt: decrypt_ctx: {ctx:?}src/backend.rsctx: ctx-
debugencrypt: ctx: {ctx:?}src/backend.rsctx: ctx-
debugkms_encrypt_async: ciphertext: {}src/kms_object.rs--
debugkms_import_object_async: label: {label}, data (length): {}src/kms_object.rslabel: label-
debugLocate response: ids: {:?}src/kms_object.rs--
debugLocated objects: tags: {tags:?}, type: {object_type:?} => {uniques_identifiers:?}src/kms_object.rstags: KMIP tag set
object_type: KMIP object type
uniques_identifiers: uniques identifiers
-
debugremote_sign: remote_id: {remote_id}, algorithm: {algorithm:?}src/backend.rsremote_id: remote id
algorithm: cryptographic algorithm
-
debugvol1: {}src/tests.rs--
tracecreate_object: {label:?}src/backend.rslabel — …
tracefind_all_certificatessrc/backend.rs
tracefind_all_data_objects: enteringsrc/backend.rs
tracefind_all_data_objects: found {} objectssrc/backend.rs
tracefind_all_objects: enteringsrc/backend.rs
tracefind_all_objects: found {} keyssrc/backend.rs
tracefind_all_private_keyssrc/backend.rs
tracefind_all_public_keyssrc/backend.rs
tracefind_all_symmetric_keyssrc/backend.rs
tracefind_certificatesrc/backend.rs
tracefind_data_object: {:?}src/backend.rs
tracefind_private_key: {:?}src/backend.rs
tracefind_public_key: {:?}src/backend.rs
tracefind_symmetric_key: {:?}src/backend.rs
traceFound {} objectssrc/kms_object.rs
tracegenerate_key: {algorithm:?}-{key_length}, {label:?}src/backend.rsalgorithm — …
key_length — …
label — …
traceget_kms_certificate_objects_async: found {} Certificate objectssrc/kms_object.rs
traceget_kms_certificate_objects_async: no Certificate objects found for tags: {:?}src/kms_object.rs
traceget_kms_objects_async: no objects found for tags: {:?}src/kms_object.rs
traceget_kms_secret_data_objects_async: found {} SecretData objectssrc/kms_object.rs
traceget_kms_secret_data_objects_async: no SecretData objects found for tags: {:?}src/kms_object.rs
errorC_GetFunctionList: failed to instantiate KMS client: {}. Check that ckms.toml exists alongside the DLL (C:\opt\oracle\extapi\64\pkcs11\ckms.toml), at ~/.cosmian/ckms.toml, or set CKMS_CONF to its path.src/lib.rs
errorC_GetFunctionList: failed to load ckms.toml: {}. Check that ckms.toml exists alongside the DLL (C:\opt\oracle\extapi\64\pkcs11\ckms.toml), at ~/.cosmian/ckms.toml, or set CKMS_CONF to its path.src/lib.rs
warncreate_object_from_attributes: unsupported object type: {other}, skipping {id}src/backend.rsother, id
warncreate_private_key_from_id: unsupported key/algorithm for PrivateKey {id}: {e}, skippingsrc/backend.rsid, e
warncreate_private_key_object: unsupported key/algorithm for PrivateKey {id}: {e}, skippingsrc/backend.rsid, e
warncreate_public_key_object: unsupported key/algorithm for PublicKey {id}: {e}, skippingsrc/backend.rsid, e
warncreate_symmetric_key_from_id: unsupported key/algorithm for SymmetricKey {id}: {e}, skippingsrc/backend.rsid, e
warncreate_symmetric_key_object: unsupported key/algorithm for SymmetricKey {id}: {e}, skippingsrc/backend.rsid, e
warnfind_all_public_keys: failed to build Pkcs11PublicKey for {id}: {e}, skippingsrc/backend.rsid, e
warnfind_all_public_keys: failed to export public key {id}: {e}, skippingsrc/backend.rsid, e
warnfind_all_data_objects: failed to build DataObject for disk-encryption key: {e}, skippingsrc/backend.rse
warnfind_all_data_objects: failed to fetch disk-encryption data objects: {e}, returning empty listsrc/backend.rse
warnfind_all_objects: failed to build DataObject for disk-encryption key: {e}, skippingsrc/backend.rse
warnfind_all_objects: failed to fetch disk-encryption data objects: {e}, returning empty listsrc/backend.rse
tracefind_all_objects: total {} objects (including disk-encryption DataObjects)src/backend.rs
traceget_kms_disk_encryption_data_objects_async: found {} SymmetricKey objectssrc/kms_object.rs
traceget_kms_disk_encryption_data_objects_async: no SymmetricKey objects found for tag: {disk_encryption_tag}src/kms_object.rsdisk_encryption_tag

cosmian_pkcs11_module

Crate path: crate/clients/pkcs11/module RUST_LOG target: cosmian_pkcs11_module

LevelMessageFileVariablesNotes
errorC_GetAttributeValue: error: {e}, session: {:?}, object: {:?}, type: {:?}src/pkcs11.rse: caught error-
errorcertificate: type_ unimplemented: {type_:?}src/core/object.rstype_: type-
errorData object: type_ unimplemented: {type_:?}src/core/object.rstype_: type-
errorFailed to extract RSA key parameters: {e:?}src/core/object.rse: caught error- Could not read RSA key components from HSM object. Key may be non-exportable.
errorFailed to parse RSA private key from PKCS#8 DER: {e:?}src/core/object.rse: caught error- HSM returned a malformed RSA PKCS#8 blob. Check HSM firmware and key type.
errorpParameter incorrect: {} != {}src/core/mechanism.rs-PKCS#11 mechanism parameter size mismatch. Client sent the wrong parameter struct.
errorprivate_key: type_ unimplemented: {type_:?}src/core/object.rstype_: type-
errorprofile: type_ unimplemented: {type_:?}src/core/object.rstype_: type-
errorpublic_key: type_ unimplemented: {type_:?}src/core/object.rstype_: type-
errorsymmetric_key: type_ unimplemented: {type_:?}src/core/object.rstype_: type-
errorUnsupported hashAlg: {}src/core/mechanism.rs-PKCS#11 hash algorithm not supported. Use SHA-256 or SHA-384.
errorUnsupported mgf: {}src/core/mechanism.rs-PKCS#11 MGF algorithm not supported. Use MGF1 with a supported hash.
error{}: {}src/pkcs11.rs-Generic two-part error - inspect both values for the error type and detail.
warnload_find_context: id {label} not found in storesrc/sessions.rslabel: label-
infoC_CloseAllSessions: slot: {:?}src/pkcs11.rs--
infoC_CloseSession: session: {:?}src/pkcs11.rs--
infoC_FindObjects: session: {:?}, no more objects to returnsrc/pkcs11.rs--
infoC_FindObjects: session: {:?}, returning {} object with handles {:?}src/pkcs11.rs--
infoC_GetAttributeValue: session: {:?}, object: {:?} [handle: {}], type: {:?}src/pkcs11.rs--
infoC_OpenSession: slot={slotID:?} flags={flags:?} session handle writtensrc/pkcs11.rsslotID: slotID
flags: flags
-
debugC_DestroyObject: session: {hSession:?}, hObject: {hObject}src/pkcs11.rshSession: hSession
hObject: hObject
-
debugCKO_DATA match: remote_id={}, handle={}src/sessions.rs--
debugCKO_DATA search: label_filter={:?}, store has {} DataObjectssrc/sessions.rs--
debugcreate_object: attributes: {attributes:?}src/sessions.rsattributes: KMIP attribute (debug display)s-
debugcreate_object: created object with handle: {handle}src/sessions.rshandle: PKCS#11 object handle-
debugdestroy_object: handle: {handle}src/sessions.rshandle: PKCS#11 object handle×2 in this file
debuggenerate_key: generated key with handle: {handle}src/sessions.rshandle: PKCS#11 object handle-
debuggenerate_key: generating key with mechanism: {:?} and attributes: {:?}src/sessions.rs--
debugload_find_context: display current store: {find_ctx}src/sessions.rsfind_ctx: find ctx-
debugload_find_context: loading for label: {label:?} and attributes: {attributes:?}src/sessions.rslabel: label
attributes: KMIP attribute (debug display)s
-
debugload_find_context: search by id: {label} -> handle: {} -> object: {}: {}src/sessions.rslabel: label-
debugload_find_context_by_class: added {} objects with handles: {:?}src/sessions.rs--
debugmap_oracle_tde_security_to_mk: processing label: {label}src/sessions.rslabel: label-
debugObject: {}, attribute: {:?} => {:?}src/core/object.rs--
debugparse_mechanism: iv: {iv:?}src/core/mechanism.rsiv: iv-
debugparse_mechanism: {mechanism:?}src/core/mechanism.rsmechanism: PKCS#11 mechanism-
debugsession: {h} foundsrc/sessions.rsh: h-
debugSTORE: inserting new object with remote id: {id} and handle: {handle}src/objects_store.rsid: object ID
handle: PKCS#11 object handle
-
debugSTORE: updating object with remote id: {id} and handle: {handle}src/objects_store.rsid: object ID
handle: PKCS#11 object handle
-
traceAttribute::try_from: attribute parsed: {:?} => {:?}src/core/attribute.rs
traceAttribute::try_from: parsing attribute: {:?}src/core/attribute.rs
traceAttribute::try_from: type: {attr_type:?}src/core/attribute.rsattr_type — …
traceAttribute::try_from: value: {val:?}src/core/attribute.rsval — …
traceAttributes::try_from: parsing single attribute: {attr:?}src/core/attribute.rsattr — …
traceC_FindObjects: session: {:?}, objects available: {:?}src/pkcs11.rs
traceC_GetAttributeValue: session: {:?}, object: {:?}src/pkcs11.rs
traceC_GetSessionInfo: session: {:?}, slot: {:?}, state: {:?}, flags: {:?}src/pkcs11.rs
tracecreate_object: class: {class:?}src/sessions.rsclass — …
tracecreate_object: Object not supported: {o}src/sessions.rso — …
traceGenerated random: {}src/pkcs11.rs
traceload_find_context succeededsrc/sessions.rs
infoC_FindObjectsInit: session: {hSession:?}, load Objects Store context for attributes: {attributes:?}src/pkcs11.rshSession, attributes
debugC_CreateObject: session: {hSession:?}, pTemplate: {pTemplate:?}, ulCount: {ulCount:?}, phObject: {phObject:?}src/pkcs11.rshSession, pTemplate, ulCount, phObject
debugC_Decrypt: pEncryptedData: {pEncryptedData:?}, ulEncryptedDataLen: {ulEncryptedDataLen:?}, pData: {pData:?}, pulDataLen: {pulDataLen:?}src/pkcs11.rspEncryptedData, ulEncryptedDataLen, pData, pulDataLen
debugC_Decrypt: session: {:?}, encrypted_data_len: {:?}, cleartext_len: {:?}, ciphertext: {:?}src/pkcs11.rs
debugC_DecryptInit: session: {hSession:?}, hKey: {hKey:?}, mechanism: {mechanism:?}, object: {object:?}src/pkcs11.rshSession, hKey, mechanism, object
debugC_Encrypt: pData: {pData:?}, ulDataLen: {ulDataLen:?}, pEncryptedData: {pEncryptedData:?}, pulEncryptedDataLen: {pulEncryptedDataLen:?}src/pkcs11.rspData, ulDataLen, pEncryptedData, pulEncryptedDataLen
debugC_Encrypt: session: {:?}, plain_data_len: {:?}, ciphertext_len: {:?}, cleartext: {:?}src/pkcs11.rs
debugC_EncryptInit: session: {hSession:?}, hKey: {hKey:?}, mechanism: {mechanism:?}, object: {object:?}src/pkcs11.rshSession, hKey, mechanism, object
debugC_GenerateKey: session: {hSession:?}, pMechanism: {pMechanism:?}, pTemplate: {pTemplate:?}, ulCount: {ulCount:?}, phKey: {phKey:?}src/pkcs11.rshSession, pMechanism, pTemplate, ulCount, phKey
debugload_find_context_by_class: loading for class: {search_class:?} and options: {search_options:?}, attributes: {attributes:?}src/sessions.rssearch_class, search_options, attributes
debugload_find_context_by_class: search by id: {} -> handle: {} -> certificate: {}:{}src/sessions.rs
debugload_find_context_by_class: search by id: {} -> handle: {} -> object: {}:{}src/sessions.rs

Domain: CNG (Windows)

cosmian_cng

Crate path: crate/clients/cng RUST_LOG target: cosmian_cng

LevelMessageFileVariablesNotes
errorCNG KSP decrypt: {e}src/provider.rse: caught errorDecryption via CNG failed. Check key state and CNG provider logs.
errorCNG KSP delete_key: {e}src/provider.rse: caught error-
errorCNG KSP encrypt: {e}src/provider.rse: caught error-
errorCNG KSP enum_keys: {e}src/provider.rse: caught error-
errorCNG KSP export_key private: {e}src/provider.rse: caught error-
errorCNG KSP export_key: {e}src/provider.rse: caught error-
errorCNG KSP finalize_key: {e}src/provider.rse: caught error-
errorCNG KSP import_key attrs: {e}src/provider.rse: caught error-
errorCNG KSP import_key backend: {e}src/provider.rse: caught error-
errorCNG KSP import_key parse blob: {e}src/provider.rse: caught error-
errorCNG KSP open_key attrs({name}): {e}src/provider.rsname: key or object name
e: caught error
-
errorCNG KSP open_key pub({name}): {e}src/provider.rsname: key or object name
e: caught error
-
errorCNG KSP open_key({name}): {e}src/provider.rsname: key or object name
e: caught error
-
errorCNG KSP open_provider: {e}src/provider.rse: caught errorCNG provider DLL failed to load or initialise. Verify the DLL is registered.
errorCNG KSP sign_hash: {e}src/provider.rse: caught errorSigning via CNG failed. Key may be non-exportable or in an invalid state.
errorCNG KSP verify_signature: {e}src/provider.rse: caught error-
infoCNG KSP provider already registered; skipping BCryptRegisterProvidersrc/registry.rs--
infoDLL was locked; old copy renamed to '{}' and scheduled for deletion on reboot.src/registry.rs--
debugBCryptAddContextFunction returned {status:#010x} (may already exist)src/registry.rsstatus: HTTP response status-
debugBCryptRemoveContextFunctionProvider returned {status:#010x}src/registry.rsstatus: HTTP response status-
debugCNG KSP GetKeyStorageInterface calledsrc/lib.rs--
debugCNG KSP register: source dll={}src/registry.rs--
debugCNG KSP unregistersrc/registry.rs--
debugCNG KSP: create_ec_key_pair name={key_name} curve={curve:?}src/backend.rskey_name: CNG key name
curve: elliptic curve identifier
-
debugCNG KSP: create_rsa_key_pair name={key_name} bits={bit_length}src/backend.rskey_name: CNG key name
bit_length: key size in bits
-
debugCNG KSP: decoded PEM to {} bytes DERsrc/key.rs--
debugCNG KSP: decrypt_data uid={uid} len={}src/backend.rsuid: KMIP object UID-
debugCNG KSP: destroy_key uid={uid}src/backend.rsuid: KMIP object UID-
debugCNG KSP: encrypt_data uid={uid} len={}src/backend.rsuid: KMIP object UID-
debugCNG KSP: export_private_key_pkcs8 uid={uid}src/backend.rsuid: KMIP object UID-
debugCNG KSP: export_public_key_spki uid={uid}src/backend.rsuid: KMIP object UID-
debugCNG KSP: finalize import blob len={}, first_bytes={:?}src/key.rs--
debugCNG KSP: finalized key '{}' → priv={}, pub={}src/key.rs--
debugCNG KSP: import_rsa_private_key name={key_name}src/backend.rskey_name: CNG key name-
debugCNG KSP: revoke_key uid={uid}src/backend.rsuid: KMIP object UID-
debugCNG KSP: sign_hash uid={uid} hash_len={}src/backend.rsuid: KMIP object UID-
debugCNG KSP: verify_signature uid={uid} hash_len={} sig_len={}src/backend.rsuid: KMIP object UID-
debugCopying {} -> {}src/registry.rs--
debugMoveFileExW(DELAY_UNTIL_REBOOT) failed for '{}'; leftover file is harmless.src/registry.rs--
traceCNG KSP: list_cng_keyssrc/backend.rs
traceCNG KSP: locate_key_by_name tag={tag}src/backend.rstag — …
traceCNG KSP: locate_public_key_by_name tag={tag}src/backend.rstag — …

Domain: Web UI

The Web UI emits browser console messages via console.*. These are visible in the browser developer tools (F12 → Console tab) and are not captured by RUST_LOG or the OTLP pipeline.

Crate path: ui/src/

LevelMessageFileVariablesNotes
warnrevoke_ttlv_request not available in WASM packagecomponents/common/Locate.tsx--
info[KMS] vendor_id set to "{vendorId}"App.tsxvendorId: vendor identifier string received from the server-
errorAggregate date error:actions/Tokenize/TokenizeAggregateDate.tsx
errorAggregate number error:actions/Tokenize/TokenizeAggregateNumber.tsx
errorCertificate validation failed:pages/LoginPage.tsx
errorError creating FPE key:actions/FPE/FpeKeysCreate.tsx
errorError fetching create permission:actions/Access/AccessObtained.tsx
errorError fetching CSE information:actions/Keys/CseInfo.tsx
errorError fetching Get for ${uid}:components/common/Locate.tsxuid×4 in this file
errorError fetching HSM status:actions/Objects/HsmStatus.tsx
errorError fetching privileged access:actions/Access/AccessGrant.tsx
errorError fetching privileged access:actions/Access/AccessRevoke.tsx
errorError getting attributes:actions/Attributes/AttributeGet.tsx
errorError listing objects:actions/Access/AccessObtained.tsx
errorError listing objects:actions/Objects/ObjectsOwned.tsx
errorError loading certificate algorithms from WASM:actions/Certificates/CertificateCertify.tsx
errorError loading EC algorithms from WASM:actions/EC/ECKeysCreate.tsx
errorError loading hash algorithms from WASM:actions/Symmetric/SymmetricHash.tsx
errorError loading PQC algorithms from WASM:actions/PQC/PqcKeysCreate.tsx
errorError loading symmetric algorithms from WASM:actions/Keys/SymKeysCreate.tsx
errorError parsing tags JSON:actions/CloudProviders/AwsExportKeyMaterial.tsx
errorError parsing tags JSON:utils/azureByok.ts
errorFallback Locate without KFT failed:components/common/Locate.tsx
errorFPE decrypt error:actions/FPE/FpeDecrypt.tsx
errorFPE encrypt error:actions/FPE/FpeEncrypt.tsx
errorHash tokenize error:actions/Tokenize/TokenizeHash.tsx
errorLogin error:contexts/AuthContext.tsx
errorLogin error:pages/LoginPage.tsx
errorNoise tokenize error:actions/Tokenize/TokenizeNoise.tsx
errorScale number error:actions/Tokenize/TokenizeScaleNumber.tsx
errorWASM init failed:App.tsx
errorWord mask error:actions/Tokenize/TokenizeWordMask.tsx
errorWord pattern mask error:actions/Tokenize/TokenizeWordPatternMask.tsx
errorWord tokenize error:actions/Tokenize/TokenizeWordTokenize.tsx
warn[KMS] Could not query server vendor_id, using default:App.tsx
warnState+KFT fallback Locate without KFT failed:components/common/Locate.tsx
warnSymmetric google_cse key check failed:actions/Keys/CseInfo.tsx
debugECSign: signature lengthactions/EC/ECSign.tsx
debugECVerify: dataBuf lenactions/EC/ECVerify.tsx
debugRsaSign: signature lengthactions/RSA/RsaSign.tsx
debugRsaVerify: dataBuf lenactions/RSA/RsaVerify.tsx
errorJWT fallback failed:App.tsx--