transit: add associated_data support to rewrap endpoint

[mango766]

Description

The transit rewrap endpoint currently does not accept the associated_data parameter, even though both the encrypt and decrypt endpoints support it. This means that ciphertext encrypted with associated data (AD/AAD) using AEAD cipher modes like AES-GCM cannot be rewrapped — the only workaround is to decrypt and re-encrypt as separate API calls, which defeats the purpose of rewrap (avoiding exposure of plaintext to the client).

Fixes #31791

Root Cause

The associated_data support was missing from path_rewrap.go in three places:

1. Endpoint Fields map — the associated_data parameter was not declared in the endpoint schema, so non-batch requests couldn't pass it at all
2. Non-batch request construction — when building a single-item request (non-batch), the AssociatedData field was never populated from the request data
3. Decrypt/encrypt processing loop — no AssocDataFactory was created or passed to DecryptWithOptions or EncryptWithOptions, so even batch requests that included associated_data via mapstructure had it silently ignored

The RewrapBatchRequestItem struct already had an AssociatedData field and the AssocDataFactory type already existed — they just weren't wired up.

Changes

All changes are in builtin/logical/transit/path_rewrap.go:

• Added associated_data field to the endpoint's Fields map (matching the encrypt/decrypt endpoints)
• Populated AssociatedData from d.Get("associated_data") for non-batch requests
• Added AssocDataFactory to the decrypt factory slice (so decryption can verify the AAD)
• Added AssocDataFactory to the encrypt factory slice (so re-encryption preserves the AAD binding)
• Added proper validation that the key type supports associated data (same guard as encrypt/decrypt)

How I verified

• go build ./builtin/logical/transit/... — compiles cleanly
• go test ./builtin/logical/transit/... -run "TestTransit_.*" — all existing tests pass
• Reviewed the pattern against path_encrypt.go and path_decrypt.go to ensure consistency

[vercel]

Someone is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

---

easonysliu seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[heatherezell]

Please remember to sign the CLA. Thanks!