Flow 14 --- Key Revocation Validation (ML-KEM-768)
This scenario validates a full revocation flow for a post-quantum ML-KEM-768 key:
- List every key currently stored in the tenant.
- Generate a fresh ML-KEM-768 key (kty="ML-KEM").
- Export the key's public-only metadata to JSON (illustrative).
- Revoke the key from secure storage.
- Attempt to encrypt with the revoked key --- the call must fail. Capture and report the expected error as evidence that the key is unusable.
Key points
- End-to-end cycle: inventory ➜ create ➜ export ➜ revoke ➜ failed-use in one run.
- Uses NIST-selected ML-KEM-768 for quantum-safe key establishment.
- Explicitly proves that a revoked key cannot perform cryptographic operations.
- All transient files live in temp_files/, keeping your repository clean.
When to use it
- Compliance & auditing --- demonstrate that revocation policies are enforced immediately.
- CI/CD guardrails --- integrate in pipelines to ensure revoked keys cannot slip through.
- Incident response drills --- validate that compromised keys are rendered inert system-wide.
Shared helper – this code imports the utility class from example_util.md (configuration, authentication, JSON).
Complete Java implementation
src/main/java/co/ankatech/ankasecure/sdk/examples/ExampleScenario14.java
```java
/*
 * Copyright 2025 ANKATech Solutions Inc
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 */
/* *****************************************************************************
 * FILE: ExampleScenario14.java
 * ****************************************************************************/
package co.ankatech.ankasecure.sdk.examples;

import co.ankatech.ankasecure.sdk.AnkaSecureSdk;
import co.ankatech.ankasecure.sdk.exception.AnkaSecureSdkException;
import co.ankatech.ankasecure.sdk.model.EncryptResult;
import co.ankatech.ankasecure.sdk.model.GenerateKeySpec;
import co.ankatech.ankasecure.sdk.model.ExportedKeySpec;
import co.ankatech.ankasecure.sdk.util.FileIO;

import java.nio.file.Path;
import java.util.Properties;

import static co.ankatech.ankasecure.sdk.examples.ExampleUtil.*;

/**
 * <h2>Scenario 14 – Key Revocation Validation (ML-KEM-768)</h2>
 *
 * <p>This scenario validates that a revoked key becomes immediately unusable
 * for cryptographic operations on ANKASecure:</p>
 * <ol>
 *   <li>List the tenant’s initial inventory of keys.</li>
 *   <li>Generate an <code>ML-KEM-768</code> key.</li>
 *   <li>Export its <em>public-only</em> metadata to JSON (illustrative).</li>
 *   <li>Revoke (delete) the key.</li>
 *   <li>Attempt an <em>encrypt</em> operation with the revoked key —
 *       expect a failure and capture the error as proof of revocation.</li>
 * </ol>
 *
 * <p>All artefacts are written under <kbd>temp_files/</kbd>.</p>
 *
 * @author ANKATech – Security Engineering
 * @since 2.1.0
 */
public final class ExampleScenario14 {

    /* ====================================================================== */
    /** Entry-point. */
    public static void main(final String[] args) {
        System.out.println("===== SCENARIO 14 START =====");
        System.out.println("""
                🔁 Flow 14 – Key Revocation Validation (ML-KEM-768)
                ----------------------------------------------------
                ✅ List current tenant keys
                ✅ Generate ML-KEM-768 key
                ✅ Export public metadata
                ✅ Revoke the key
                ❌ Attempt encryption with revoked key (expect failure)
                --------------------------------------------------------------""");
        try {
            ensureTempDir(TEMP_DIR);
            Properties props = loadProperties();
            AnkaSecureSdk sdk = authenticate(props);
            runScenario(sdk);
        } catch (Exception ex) {
            fatal("Scenario 14 failed", ex);
        }
        System.out.println("===== SCENARIO 14 END =====");
    }

    /* ====================================================================== */
    /**
     * Executes the revocation-validation workflow.
     *
     * @param sdk an authenticated {@link AnkaSecureSdk} instance
     * @throws Exception on any unexpected failure
     */
    private static void runScenario(final AnkaSecureSdk sdk) throws Exception {

        /* ---------- [1] Inventory snapshot -------------------------------- */
        System.out.println("[1] Current key inventory:");
        System.out.println(sdk.listKeys());

        /* ---------- [2] Create ML-KEM-768 key ----------------------------- */
        String kid = "sc14_kem768_" + System.currentTimeMillis();
        sdk.generateKey(new GenerateKeySpec()
                .setKid(kid)
                .setKty("ML-KEM")
                .setAlg("ML-KEM-768"));
        System.out.println("[2] Key generated -> kid = " + kid);

        /* ---------- [3] Export public metadata --------------------------- */
        Path exportJson = TEMP_DIR.resolve("sc14_key.json");
        ExportedKeySpec pubMeta = sdk.exportKey(kid);
        FileIO.writeUtf8(exportJson, toJson(pubMeta));
        System.out.println("[3] Metadata exported -> " + exportJson.toAbsolutePath());

        /* ---------- [4] Revoke the key ----------------------------------- */
        sdk.revokeKey(kid);
        System.out.println("[4] Key revoked -> kid = " + kid);

        /* ---------- [5] Attempt to use revoked key ----------------------- */
        Path plain = TEMP_DIR.resolve("sc14_payload.txt");
        Path ciphertext = TEMP_DIR.resolve("sc14_cipher.jwe");
        FileIO.writeUtf8(plain,
                "Scenario-14 – validate encryption failure with revoked key.");
        try {
            EncryptResult encMeta = sdk.encryptFile(kid, plain, ciphertext);
            /* If the call above succeeds, revocation failed – flag error. */
            System.out.println("""
                    [5] ERROR – encryption succeeded with revoked key!
                        This indicates the key was NOT properly revoked.""");
            printEncryptMeta(encMeta);
        } catch (AnkaSecureSdkException expected) {
            System.out.println("[5] Expected failure captured:");
            System.out.println("    " + expected.getMessage());
            System.out.println("    ✅ Revocation enforced – key unusable.");
        }
    }

    /** Utility class – no instantiation. */
    private ExampleScenario14() {
        /* no-instantiation */
    }
}
```
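The CI/CD guardrail use listed under "When to use it", expressed as a JUnit 5 test rather than a console scenario, so that a revoked key which still encrypts fails the build instead of only printing an error. This is an added example, not code from the ANKASecure SDK or its example set. It assumes the same `ExampleUtil` helpers (`ensureTempDir`, `TEMP_DIR`, `loadProperties`, `authenticate`) and SDK calls (`generateKey`, `encryptFile`, `revokeKey`) used in `ExampleScenario14`, that `FileIO.writeUtf8` creates the plaintext file, and, for the final assertion, that the SDK does not create the output path when `encryptFile` rejects a revoked key. The class name, file names and kid prefix are constructed for this example. It also adds a positive control (encrypt once with the live key) that the scenario does not have, so a failure after revocation cannot be mistaken for a misconfigured client.

```java
package co.ankatech.ankasecure.sdk.examples;

import co.ankatech.ankasecure.sdk.AnkaSecureSdk;
import co.ankatech.ankasecure.sdk.exception.AnkaSecureSdkException;
import co.ankatech.ankasecure.sdk.model.EncryptResult;
import co.ankatech.ankasecure.sdk.model.GenerateKeySpec;
import co.ankatech.ankasecure.sdk.util.FileIO;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;

import org.junit.jupiter.api.Test;

import static co.ankatech.ankasecure.sdk.examples.ExampleUtil.*;
import static org.junit.jupiter.api.Assertions.*;

/**
 * Revocation guardrail as a JUnit 5 test (added example, not part of the
 * ANKASecure SDK). A failed assertion fails the pipeline stage.
 */
class RevocationGuardrailTest {

    @Test
    void revokedKeyCannotEncrypt() throws Exception {
        ensureTempDir(TEMP_DIR);
        Properties props = loadProperties();
        AnkaSecureSdk sdk = authenticate(props);

        // Constructed kid prefix; same spec as the scenario's step [2].
        String kid = "guardrail_kem768_" + System.currentTimeMillis();
        sdk.generateKey(new GenerateKeySpec()
                .setKid(kid)
                .setKty("ML-KEM")
                .setAlg("ML-KEM-768"));

        Path plain = TEMP_DIR.resolve("guardrail_payload.txt");
        Path cipherBefore = TEMP_DIR.resolve("guardrail_before.jwe");
        Path cipherAfter = TEMP_DIR.resolve("guardrail_after.jwe");
        FileIO.writeUtf8(plain, "guardrail payload (constructed test input)");

        // Positive control: the fresh key must encrypt successfully. Without
        // this, a later failure could stem from configuration or auth rather
        // than from revocation, and the test would pass for the wrong reason.
        EncryptResult before = sdk.encryptFile(kid, plain, cipherBefore);
        assertNotNull(before, "encryption with a live key must succeed");

        sdk.revokeKey(kid);

        // Negative check: the SDK must reject the revoked key with its own
        // exception type, not a generic RuntimeException.
        AnkaSecureSdkException ex = assertThrows(AnkaSecureSdkException.class,
                () -> sdk.encryptFile(kid, plain, cipherAfter),
                "encryption with a revoked key must fail");

        // Assumption: the SDK writes no output when the call is rejected, so
        // no ciphertext artefact exists for the revoked key.
        assertFalse(Files.exists(cipherAfter),
                "no ciphertext may be produced after revocation");

        // Keep the message as evidence in the build log.
        System.out.println("revocation enforced for " + kid + ": " + ex.getMessage());
    }
}
```

Because the key is revoked inside the test, no separate cleanup step is needed on the success path; if the positive control fails, the key is left in place and the build log names the kid so it can be removed manually.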
How to run
Expected console milestones
- Tenant key inventory dump
- ML-KEM-768 key creation
- JSON export → sc14_key.json
- Key revocation confirmation
- Encryption attempt fails with clear SDK exception, ending with:
  ✅ Revocation enforced -- key unusable.
Where next?
© 2025 ANKATech Solutions INC. All rights reserved.