-
Notifications
You must be signed in to change notification settings - Fork 12
/
kmssigner.go
186 lines (148 loc) · 5.23 KB
/
kmssigner.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
// +skip_license_check
// Copyright © 2018 Heptio
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package kmssigner implements a crypto.Signer backed by Google Cloud KMS.
package kmssigner
// This has been modified to suit cert-manager's use case; we add support for SHA512
// digests, which are forced by helm. This is copied across to the cert-manager/release
// project unless/until the changes are merged upstream in:
// https://github.com/heptiolabs/google-kms-pgp/
import (
"crypto"
"crypto/rsa"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"fmt"
"io"
"time"
"github.com/pkg/errors"
cloudkms "google.golang.org/api/cloudkms/v1"
)
// Signer extends crypto.Signer to provide more key metadata.
type Signer interface {
crypto.Signer
RSAPublicKey() *rsa.PublicKey
CreationTime() time.Time
HashAlgo() crypto.Hash
}
// NewWithExplicitMetadata returns a crypto.Signer backed by the named Google Cloud KMS key,
// but doesn't need the "cloudkms.cryptoKeyVersions.get" permission which would otherwise be required
// for fetching the hash algorithm and creation time.
func NewWithExplicitMetadata(api *cloudkms.Service, name string, hashAlgo crypto.Hash, creationTime time.Time) (Signer, error) {
res, err := api.Projects.Locations.KeyRings.CryptoKeys.CryptoKeyVersions.GetPublicKey(name).Do()
if err != nil {
return nil, errors.WithMessage(err, "could not get public key from Google Cloud KMS API")
}
block, _ := pem.Decode([]byte(res.Pem))
if block == nil || block.Type != "PUBLIC KEY" {
return nil, errors.WithMessage(err, "could not decode public key PEM")
}
pubkey, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return nil, errors.WithMessage(err, "could not parse public key")
}
pubkeyRSA, ok := pubkey.(*rsa.PublicKey)
if !ok {
return nil, errors.WithMessage(err, "public key was not an RSA key as expected")
}
return &kmsSigner{
api: api,
name: name,
pubkey: *pubkeyRSA,
creationTime: creationTime,
pgpDigestAlgo: hashAlgo,
}, nil
}
// New returns a crypto.Signer backed by the named Google Cloud KMS key.
func New(api *cloudkms.Service, name string) (Signer, error) {
metadata, err := api.Projects.Locations.KeyRings.CryptoKeys.CryptoKeyVersions.Get(name).Do()
if err != nil {
return nil, errors.WithMessage(err, "could not get key version from Google Cloud KMS API")
}
var hashAlgo crypto.Hash
switch metadata.Algorithm {
case "RSA_SIGN_PKCS1_2048_SHA256":
hashAlgo = crypto.SHA256
case "RSA_SIGN_PKCS1_3072_SHA256":
hashAlgo = crypto.SHA256
case "RSA_SIGN_PKCS1_4096_SHA256":
hashAlgo = crypto.SHA256
case "RSA_SIGN_PKCS1_4096_SHA512":
hashAlgo = crypto.SHA512
default:
return nil, fmt.Errorf("unsupported key algorithm %q", metadata.Algorithm)
}
creationTime, err := time.Parse(time.RFC3339Nano, metadata.CreateTime)
if err != nil {
return nil, errors.WithMessage(err, "could not parse key creation timestamp")
}
return NewWithExplicitMetadata(api, name, hashAlgo, creationTime)
}
type kmsSigner struct {
api *cloudkms.Service
name string
pubkey rsa.PublicKey
creationTime time.Time
pgpDigestAlgo crypto.Hash
}
func (k *kmsSigner) Public() crypto.PublicKey {
return k.pubkey
}
func (k *kmsSigner) RSAPublicKey() *rsa.PublicKey {
return &k.pubkey
}
func (k *kmsSigner) CreationTime() time.Time {
return k.creationTime
}
func (k *kmsSigner) HashAlgo() crypto.Hash {
return k.pgpDigestAlgo
}
// KMSDigest returns a Digest corresponding to the given digest algorithm, or an error
// if the digest is the incorrect size
func (k *kmsSigner) KMSDigest(digest []byte) (*cloudkms.Digest, error) {
if len(digest) != k.pgpDigestAlgo.Size() {
return nil, fmt.Errorf("expected digest to have length %d but got %d", k.pgpDigestAlgo.Size(), len(digest))
}
encodedDigest := base64.StdEncoding.EncodeToString(digest)
kmsDigest := new(cloudkms.Digest)
switch k.pgpDigestAlgo {
case crypto.SHA256:
kmsDigest.Sha256 = encodedDigest
case crypto.SHA512:
kmsDigest.Sha512 = encodedDigest
default:
panic("unknown digest type")
}
return kmsDigest, nil
}
func (k *kmsSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
kmsDigest, err := k.KMSDigest(digest)
if err != nil {
return nil, fmt.Errorf("input digest must be valid size for given key type: %w", err)
}
sig, err := k.api.Projects.Locations.KeyRings.CryptoKeys.CryptoKeyVersions.AsymmetricSign(
k.name,
&cloudkms.AsymmetricSignRequest{
Digest: kmsDigest,
},
).Do()
if err != nil {
return nil, errors.Wrap(err, "error signing with Google Cloud KMS")
}
res, err := base64.StdEncoding.DecodeString(sig.Signature)
if err != nil {
return nil, errors.WithMessage(err, "invalid Base64 response from Google Cloud KMS AsymmetricSign endpoint")
}
return res, nil
}