This project is a WORK IN PROGRESS

A pure-Rust implementation of the OASIS Key Management Interoperability Protocol (KMIP), targeting KMIP 1.0–1.4. The workspace provides a typed synchronous client, server-side primitives for building a KMIP service, and the underlying TTLV (Tag-Type-Length-Value) codec as a standalone crate that can be reused in isolation.

The crates are not yet published to crates.io. Add as git dependencies:

[dependencies]
kmip = { git = "https://github.com/phsym/kmip-rs" }

Connect to a KMIP server with rustls (the default TLS backend) and create an AES-256 symmetric key:

use kmip::{
    CryptographicUsageMask,
    attributes::{Attribute, CryptographicLength},
    client::ClientBuilder,
    enums::{CryptographicAlgorithm, ObjectType},
    payloads::CreateRequestPayload,
    types::TemplateAttribute,
};

let mut client = ClientBuilder::new()
    .add_root_certificate_file("ca.pem").unwrap()
    .identity_file("client.pem", "client.key").unwrap()
    .connect_rustls("kmip.example.com:5696", "kmip.example.com").unwrap();

let response = client.request(CreateRequestPayload {
    object_type: ObjectType::SymmetricKey,
    attributes: TemplateAttribute::new(vec![
        Attribute::new(CryptographicAlgorithm::AES),
        Attribute::new(CryptographicLength(256)),
        Attribute::new(
            CryptographicUsageMask::Encrypt | CryptographicUsageMask::Decrypt,
        ),
    ]),
}).unwrap();

println!("created key: {:?}", response);

The same operation written with the fluent helpers on Client:

use kmip::{CryptographicUsageMask, client::ClientBuilder};

let mut client = ClientBuilder::new()
    .add_root_certificate_file("ca.pem").unwrap()
    .identity_file("client.pem", "client.key").unwrap()
    .connect_rustls("kmip.example.com:5696", "kmip.example.com").unwrap();

let response = client
    .create()
    .aes(256, CryptographicUsageMask::Encrypt | CryptographicUsageMask::Decrypt)
    .exec().unwrap();

println!("created key: {:?}", response);

Each operation has a dedicated builder under client::exec (create, create_keypair, register, rekey, locate, get, encrypt, decrypt, sign, add_attribute, …). For batched requests use client.batch(...), and for raw RequestMessage exchange use client.roundtrip(&msg). Protocol version is auto-negotiated against the server's Discover Versions response.

The kmip crate compiles against several TLS implementations, selected via mutually-exclusive Cargo features. Each backend exposes its own builder method:

The ttlv crate has its own feature flags (xml, text, derive, chrono, serde, arbitrary, bitflags), all opt-in (empty default set) — see ttlv/README.md. When using kmip you don't need to set them: kmip already enables the ttlv features it depends on.

Rust 1.88.0, edition 2024. The MSRV is checked in CI; bumping it is considered a non-breaking change.

Legend:

• N/A : Not Applicable
• ✅ : Fully compatible
• ❌ : Not implemented or reviewed
• 🚧 : Work in progress / Partially compatible
• 💀 : Deprecated

Licensed under either of

• Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
• MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.