Merge pull request #539 from azdagron/keymanager-refactor
Server CA refactor to use KeyManager instead of ServerCA plugin
Showing
80 changed files
with
4,442 additions
and
3,204 deletions.
@@ -0,0 +1,10 @@ | ||
# Server plugin: KeyManager "disk" | ||
|
||
The `disk` key manager maintains a set of private keys that are persisted to | ||
disk. | ||
|
||
The plugin accepts the following configuration options: | ||
|
||
| Configuration | Description | | ||
| -------------- | ------------------------------------- | | ||
| keys_path | Path to the keys file on disk | |
@@ -0,0 +1,6 @@ | ||
# Server plugin: KeyManager "memory" | ||
|
||
The `memory` key manager creates and maintains a set of private keys held | ||
only in memory. | ||
|
||
It has no configuration. |
@@ -0,0 +1,42 @@ | ||
package cryptoutil | ||
|
||
import ( | ||
"context" | ||
"crypto" | ||
"crypto/ecdsa" | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"errors" | ||
"fmt" | ||
|
||
"github.com/spiffe/spire/proto/server/keymanager" | ||
) | ||
|
||
func RSAPublicKeyEqual(a, b *rsa.PublicKey) bool { | ||
return a.E == b.E && a.N.Cmp(b.N) == 0 | ||
} | ||
|
||
func ECDSAPublicKeyEqual(a, b *ecdsa.PublicKey) bool { | ||
return a.Curve == b.Curve && a.X.Cmp(b.X) == 0 && a.Y.Cmp(b.Y) == 0 | ||
} | ||
|
||
func ECDSAKeyMatches(privateKey *ecdsa.PrivateKey, publicKey *ecdsa.PublicKey) bool { | ||
return ECDSAPublicKeyEqual(&privateKey.PublicKey, publicKey) | ||
} | ||
|
||
func GetPublicKey(ctx context.Context, km keymanager.KeyManager, keyId string) (crypto.PublicKey, error) { | ||
resp, err := km.GetPublicKey(ctx, &keymanager.GetPublicKeyRequest{ | ||
KeyId: keyId, | ||
}) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if resp.PublicKey == nil { | ||
return nil, errors.New("response missing public key") | ||
} | ||
publicKey, err := x509.ParsePKIXPublicKey(resp.PublicKey.PkixData) | ||
if err != nil { | ||
return nil, fmt.Errorf("unable to parse public key pkix data: %v", err) | ||
} | ||
return publicKey, nil | ||
} |
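Review bot: RSAPublicKeyEqual and ECDSAPublicKeyEqual dereference both arguments unconditionally, so a nil key (or a key whose N, X or Y big.Int is nil) panics instead of reporting a mismatch; since these helpers exist to compare plugin-returned public keys with local ones, a guard such as `if a == nil || b == nil { return a == b }` at the top of each would make them total. GetPublicKey parses whatever PKIX bytes the plugin returns and hands back a crypto.PublicKey of unknown concrete type, which callers are presumably expected to type-assert, and that expectation belongs in its doc comment, e.g. `// GetPublicKey fetches and parses the PKIX-encoded public key for keyId; the concrete type depends on the key's algorithm.`. None of the exported identifiers in this file carry doc comments, and keyId should be keyID per the Go initialism convention.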
@@ -0,0 +1,72 @@ | ||
package cryptoutil | ||
|
||
import ( | ||
"context" | ||
"crypto" | ||
"crypto/x509" | ||
"errors" | ||
"fmt" | ||
"io" | ||
|
||
"github.com/spiffe/spire/proto/server/keymanager" | ||
) | ||
|
||
type KeyManagerSigner struct { | ||
km keymanager.KeyManager | ||
keyId string | ||
publicKey crypto.PublicKey | ||
} | ||
|
||
var _ crypto.Signer = (*KeyManagerSigner)(nil) | ||
|
||
func NewKeyManagerSigner(km keymanager.KeyManager, keyId string, publicKey crypto.PublicKey) *KeyManagerSigner { | ||
return &KeyManagerSigner{ | ||
km: km, | ||
keyId: keyId, | ||
publicKey: publicKey, | ||
} | ||
} | ||
|
||
func (s *KeyManagerSigner) Public() crypto.PublicKey { | ||
return s.publicKey | ||
} | ||
|
||
func (s *KeyManagerSigner) SignContext(ctx context.Context, digest []byte, opts crypto.SignerOpts) ([]byte, error) { | ||
resp, err := s.km.SignData(ctx, &keymanager.SignDataRequest{ | ||
KeyId: s.keyId, | ||
Data: digest, | ||
HashAlgorithm: keymanager.HashAlgorithm(opts.HashFunc()), | ||
}) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if len(resp.Signature) == 0 { | ||
return nil, fmt.Errorf("response missing signature data") | ||
} | ||
return resp.Signature, nil | ||
} | ||
|
||
func (s *KeyManagerSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { | ||
// rand is purposefully ignored since it can't be communicated between | ||
// the plugin boundary. The crypto.Signer interface implies this is ok | ||
// when it says "possibly using entropy from rand". | ||
return s.SignContext(context.Background(), digest, opts) | ||
} | ||
|
||
func GenerateKeyAndSigner(ctx context.Context, km keymanager.KeyManager, keyId string, algorithm keymanager.KeyAlgorithm) (*KeyManagerSigner, error) { | ||
resp, err := km.GenerateKey(ctx, &keymanager.GenerateKeyRequest{ | ||
KeyId: keyId, | ||
KeyAlgorithm: algorithm, | ||
}) | ||
if err != nil { | ||
return nil, err | ||
} | ||
if resp.PublicKey == nil { | ||
return nil, errors.New("response missing public key") | ||
} | ||
publicKey, err := x509.ParsePKIXPublicKey(resp.PublicKey.PkixData) | ||
if err != nil { | ||
return nil, fmt.Errorf("unable to parse public key pkix data: %v", err) | ||
} | ||
return NewKeyManagerSigner(km, keyId, publicKey), nil | ||
} |
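Review bot: SignContext converts opts.HashFunc() to keymanager.HashAlgorithm with a bare numeric cast at the HashAlgorithm field, which silently assumes the proto enum is numbered identically to crypto.Hash; if the two ever diverge the plugin is told the wrong digest algorithm and returns a signature that either fails to verify or is labelled with a different hash than the one actually used. I cannot confirm the enum values from this page, so at minimum pin the assumption with a comment such as `// keymanager.HashAlgorithm values intentionally mirror crypto.Hash; keep the proto enum in lockstep.`, or better, replace the cast with an explicit switch over the supported hashes. The same line calls opts.HashFunc() without a nil check, so a caller passing nil opts panics; `if opts == nil { return nil, errors.New("signer opts with a hash function are required") }` before building the request avoids that. Separately, `fmt.Errorf("response missing signature data")` has no format verbs and should be `errors.New(...)` (already imported), and Sign uses context.Background(), so a hung plugin blocks the caller indefinitely with no way to cancel.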
@@ -0,0 +1,18 @@ | ||
package diskutil | ||
|
||
import ( | ||
"io/ioutil" | ||
"os" | ||
) | ||
|
||
func AtomicWriteFile(path string, data []byte, mode os.FileMode) error { | ||
if err := ioutil.WriteFile(path+".tmp", data, mode); err != nil { | ||
return err | ||
} | ||
|
||
if err := os.Rename(path+".tmp", path); err != nil { | ||
return err | ||
} | ||
|
||
return nil | ||
} |
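Review bot: AtomicWriteFile is atomic only with respect to concurrent readers, not crashes: ioutil.WriteFile at the top of the body never fsyncs, so after a power loss the rename can be durable while the temp file's contents are not, leaving an empty or truncated file at path. When the rename fails the `.tmp` file is also left behind at a predictable name, which matters here because the disk KeyManager added in this PR presumably uses this helper to persist private key material. The rewrite below writes the temp file explicitly, syncs it before the rename, and removes it on any error; it drops the io/ioutil import, and fsyncing the parent directory after the rename would additionally make the new name itself durable on filesystems that support it.
```go
func AtomicWriteFile(path string, data []byte, mode os.FileMode) error {
	tmpPath := path + ".tmp"
	f, err := os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		os.Remove(tmpPath)
		return err
	}
	// Flush to stable storage before the rename so a crash cannot leave the
	// final path pointing at an empty or partial file.
	if err := f.Sync(); err != nil {
		f.Close()
		os.Remove(tmpPath)
		return err
	}
	if err := f.Close(); err != nil {
		os.Remove(tmpPath)
		return err
	}
	if err := os.Rename(tmpPath, path); err != nil {
		os.Remove(tmpPath)
		return err
	}
	return nil
}
```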