Merge branch 'master' into hs/scep-master

smallstep · Feb 19, 2021 · 9e43dc8 · 9e43dc8
2 parents 713b571 + d177279
commit 9e43dc8
Show file tree

Hide file tree

Showing 35 changed files with 2,727 additions and 114 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -18,7 +18,7 @@ env:
 before_script:
   - make bootstrap
 script:
-  - make
+  - make travis
   - make artifacts
 after_success:
   - bash <(curl -s https://codecov.io/bash) -t "$CODECOV_TOKEN" || echo "Codecov did

diff --git a/Makefile b/Makefile
@@ -6,6 +6,8 @@ AWSKMS_BINNAME?=step-awskms-init
 AWSKMS_PKG?=github.com/smallstep/certificates/cmd/step-awskms-init
 YUBIKEY_BINNAME?=step-yubikey-init
 YUBIKEY_PKG?=github.com/smallstep/certificates/cmd/step-yubikey-init
+PKCS11_BINNAME?=step-pkcs11-init
+PKCS11_PKG?=github.com/smallstep/certificates/cmd/step-pkcs11-init
 
 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)
@@ -16,7 +18,9 @@ OUTPUT_ROOT=output/
 
 all: lint test build
 
-.PHONY: all
+travis: lintcgo testcgo build
+
+.PHONY: all travis
 
 #########################################
 # Bootstrapping
@@ -76,7 +80,7 @@ GOFLAGS := CGO_ENABLED=0
 download:
 	$Q go mod download
 
-build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME)
+build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME) $(PREFIX)bin/$(PKCS11_BINNAME)
 	@echo "Build Complete!"
 
 $(PREFIX)bin/$(BINNAME): download $(call rwildcard,*.go)
@@ -95,6 +99,10 @@ $(PREFIX)bin/$(YUBIKEY_BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
 	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(YUBIKEY_BINNAME) $(LDFLAGS) $(YUBIKEY_PKG)
 
+$(PREFIX)bin/$(PKCS11_BINNAME): download $(call rwildcard,*.go)
+	$Q mkdir -p $(@D)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(PKCS11_BINNAME) $(LDFLAGS) $(PKCS11_PKG)
+
 # Target to force a build of step-ca without running tests
 simple: build
 
@@ -115,7 +123,10 @@ generate:
 test:
 	$Q $(GOFLAGS) go test -short -coverprofile=coverage.out ./...
 
-.PHONY: test
+testcgo:
+	$Q go test -short -coverprofile=coverage.out ./...
+
+.PHONY: test testcgo
 
 integrate: integration
 
@@ -132,9 +143,12 @@ fmt:
 	$Q gofmt -l -w $(SRC)
 
 lint:
+	$Q $(GOFLAGS) LOG_LEVEL=error golangci-lint run --timeout=30m
+
+lintcgo:
 	$Q LOG_LEVEL=error golangci-lint run --timeout=30m
 
-.PHONY: lint fmt
+.PHONY: fmt lint lintcgo
 
 #########################################
 # Install
@@ -171,6 +185,9 @@ endif
 ifneq ($(YUBIKEY_BINNAME),"")
 	$Q rm -f bin/$(YUBIKEY_BINNAME)
 endif
+ifneq ($(PKCS11_BINNAME),"")
+	$Q rm -f bin/$(PKCS11_BINNAME)
+endif
 
 .PHONY: clean
 

diff --git a/authority/authority.go b/authority/authority.go
@@ -387,3 +387,10 @@ func (a *Authority) Shutdown() error {
 	}
 	return a.db.Shutdown()
 }
+
+// CloseForReload closes internal services, to allow a safe reload.
+func (a *Authority) CloseForReload() {
+	if err := a.keyManager.Close(); err != nil {
+		log.Printf("error closing the key manager: %v", err)
+	}
+}
diff --git a/authority/authority_test.go b/authority/authority_test.go
@@ -306,3 +306,17 @@ func TestNewEmbedded_GetTLSCertificate(t *testing.T) {
 	assert.True(t, cert.Leaf.IPAddresses[0].Equal(net.ParseIP("127.0.0.1")))
 	assert.True(t, cert.Leaf.IPAddresses[1].Equal(net.ParseIP("::1")))
 }
+
+func TestAuthority_CloseForReload(t *testing.T) {
+	tests := []struct {
+		name string
+		auth *Authority
+	}{
+		{"ok", testAuthority(t)},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.auth.CloseForReload()
+		})
+	}
+}
diff --git a/ca/ca.go b/ca/ca.go
@@ -250,9 +250,11 @@ func (ca *CA) Reload() error {
 	}
 
 	// 1. Stop previous renewer
-	// 2. Replace ca properties
+	// 2. Safely shutdown any internal resources (e.g. key manager)
+	// 3. Replace ca properties
 	// Do not replace ca.srv
 	ca.renewer.Stop()
+	ca.auth.CloseForReload()
 	ca.auth = newCA.auth
 	ca.config = newCA.config
 	ca.opts = newCA.opts

diff --git a/cmd/step-ca/main.go b/cmd/step-ca/main.go
@@ -31,6 +31,7 @@ import (
 	_ "github.com/smallstep/certificates/kms/sshagentkms"
 
 	// Experimental kms interfaces.
+	_ "github.com/smallstep/certificates/kms/pkcs11"
 	_ "github.com/smallstep/certificates/kms/yubikey"
 
 	// Enabled cas interfaces.

diff --git a/cmd/step-cloudkms-init/main.go b/cmd/step-cloudkms-init/main.go
@@ -234,7 +234,7 @@ func createSSH(c *cloudkms.CloudKMS, project, location, keyRing string, protecti
 	resp, err = c.CreateKey(&apiv1.CreateKeyRequest{
 		Name:               parent + "/ssh-host-key",
 		SignatureAlgorithm: apiv1.ECDSAWithSHA256,
-		ProtectionLevel:    apiv1.Software,
+		ProtectionLevel:    protectionLevel,
 	})
 	if err != nil {
 		return err