Various cspki improvements #293
@jvehent is this ready for review?
yeah let's land this and I'll make other PRs for the following patches. the rewrite of crypto11 means it'll take me a while to get the rest out the door...
OK I wasn't sure if it was still WIP
r+
} | ||
} | ||
err = s.findAndSetEE(conf, tx) | ||
if err != nil { | ||
if err == nil { | ||
log.Printf("contentsignaturepki %q: reusing existing EE %q", s.ID, s.eeLabel) |
👍
if err == nil { | ||
log.Printf("contentsignaturepki %q: reusing existing EE %q", s.ID, s.eeLabel) | ||
} else { | ||
// No suitable end-entity found, making a new chain | ||
if err == database.ErrNoSuitableEEFound { |
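Review bot: the err == database.ErrNoSuitableEEFound test in the else branch is a direct equality comparison, so it only matches when findAndSetEE returns the sentinel unwrapped. Errors are wrapped with errors.Wrapf elsewhere in this signer, and if this one is ever wrapped on its way up, the new-chain branch is skipped. Comparing errors.Cause(err) against the sentinel would keep the branch reachable, and any other error should be returned to the caller explicitly.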
I think we could flatten these down to one else if ladder or switch case though I'm not sure if that's idiomatic
funny enough, I did this a few minutes ago because I thought it looked ugly
💯 mind reader
I think we should stick to crypto11 <1.0 and upgrade later since that'll be a major change.
Pull Request Test Coverage Report for Build 2853
💛 - Coveralls
r+ w/ nit and question
} | ||
s.issuerPriv, s.issuerPub, s.rand, _, err = conf.GetKeysAndRand() | ||
// we need to parse or retrieve from the hsm the issuer private key, |
A handle for the issuer private key, right? We shouldn't require it to be exportable to the autograph CU.
@@ -76,7 +74,7 @@ func (s *ContentSigner) makeChain() (chain string, name string, err error) { | |||
// valid for longer than that to account for clock skew | |||
notAfter := time.Now().UTC().Add(s.validity + s.clockSkewTolerance) | |||
|
|||
block, _ := pem.Decode([]byte(s.PublicKey)) | |||
block, _ := pem.Decode([]byte(s.IssuerCert)) | |||
if block == nil { | |||
err = errors.New("no pem block found in signer public key configuration") |
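Review bot: after pem.Decode on s.IssuerCert, the only check in the visible lines is block == nil, and the second return value (the remaining input) is discarded. A PEM block of a different type placed in the issuer cert field would pass this check, so consider also verifying that block.Type is CERTIFICATE before the block is used.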
nit: does this log msg need to be updated?
Also, is this PR returning the EE pub key in the sig req response now?
Alright, I ended up adding 9e335e4 to this PR after all. It's what we discussed yesterday wrt multiple instances initializing in parallel without blocking, which will be required if we want to initialize signers on-demand rather than at init time.
@g-k r?
r+ w/ nits
if err != nil { | ||
return errors.Wrapf(err, "contentsignaturepki %q: failed to generate end entity", s.ID) | ||
} | ||
// make the certificate and upload the chain |
nit: we should log the handle, ID, and label of any keys we generate
err = s.makeAndUploadChain() | ||
if err != nil { | ||
return errors.Wrapf(err, "contentsignaturepki %q: failed to make chain and x5u", s.ID) | ||
} |
nit: logging the chain and upload location on success would be useful
done!
WIP