func init() {
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
sigServices := signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService}
void = &pb.Void{}
//server setup
kms := &api.KeyManagementServer{SigServices: sigServices}
ss := &api.SignerServer{SigServices: sigServices}
grpcServer = grpc.NewServer()
pb.RegisterKeyManagementServer(grpcServer, kms)
pb.RegisterSignerServer(grpcServer, ss)
lis, err := net.Listen("tcp", "127.0.0.1:7899")
if err != nil {
log.Fatalf("failed to listen %v", err)
}
go grpcServer.Serve(lis)
//client setup
conn, err := grpc.Dial("127.0.0.1:7899")
if err != nil {
log.Fatalf("fail to dial: %v", err)
}
kmClient = pb.NewKeyManagementClient(conn)
sClient = pb.NewSignerClient(conn)
}
func TestSoftwareSignHandler(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService})
key, err := sigService.CreateKey()
assert.Nil(t, err)
sigRequest := &pb.SignatureRequest{KeyID: key.KeyInfo.KeyID, Content: make([]byte, 10)}
requestJson, _ := json.Marshal(sigRequest)
reader = strings.NewReader(string(requestJson))
request, err := http.NewRequest("POST", signBaseURL, reader)
assert.Nil(t, err)
res, err := http.DefaultClient.Do(request)
assert.Nil(t, err)
assert.Equal(t, 200, res.StatusCode)
jsonBlob, err := ioutil.ReadAll(res.Body)
assert.Nil(t, err)
var sig *pb.Signature
err = json.Unmarshal(jsonBlob, &sig)
assert.Nil(t, err)
assert.Equal(t, key.KeyInfo.KeyID.ID, sig.KeyInfo.KeyID.ID)
}
func TestKeyInfoHandler(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService})
key, _ := sigService.CreateKey()
keyInfoURL := fmt.Sprintf("%s/%s", keyInfoBaseURL, key.KeyInfo.KeyID.ID)
request, err := http.NewRequest("GET", keyInfoURL, nil)
assert.Nil(t, err)
res, err := http.DefaultClient.Do(request)
assert.Nil(t, err)
jsonBlob, err := ioutil.ReadAll(res.Body)
assert.Nil(t, err)
var pubKey *pb.PublicKey
err = json.Unmarshal(jsonBlob, &pubKey)
assert.Nil(t, err)
assert.Equal(t, key.KeyInfo.KeyID.ID, pubKey.KeyInfo.KeyID.ID)
assert.Equal(t, 200, res.StatusCode)
}
func BenchmarkSign(b *testing.B) {
blob := []byte("7d16f1d0b95310a7bc557747fc4f20fcd41c1c5095ae42f189df")
keyDB := keys.NewKeyDB()
var sigService = api.NewEdDSASigningService(keyDB)
key, _ := sigService.CreateKey()
privkey, _ := keyDB.GetKey(key.KeyInfo.KeyID)
signer := api.NewEd25519Signer(privkey)
sigRequest := &pb.SignatureRequest{KeyID: key.KeyInfo.KeyID, Content: blob}
for n := 0; n < b.N; n++ {
_, _ = signer.Sign(sigRequest)
}
}
func TestKeyInfoHandlerReturns404WithNonexistentKey(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService})
fakeID := "c62e6d68851cef1f7e55a9d56e3b0c05f3359f16838cad43600f0554e7d3b54d"
keyInfoURL := fmt.Sprintf("%s/%s", keyInfoBaseURL, fakeID)
request, err := http.NewRequest("GET", keyInfoURL, nil)
assert.Nil(t, err)
res, err := http.DefaultClient.Do(request)
assert.Nil(t, err)
assert.Equal(t, 404, res.StatusCode)
}
func TestDeleteKeyHandler(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService})
key, _ := sigService.CreateKey()
requestJson, _ := json.Marshal(key.KeyInfo.KeyID)
reader = strings.NewReader(string(requestJson))
request, err := http.NewRequest("POST", deleteKeyBaseURL, reader)
assert.Nil(t, err)
res, err := http.DefaultClient.Do(request)
assert.Nil(t, err)
assert.Equal(t, 200, res.StatusCode)
}
func TestDeleteKeyHandlerReturns404WithNonexistentKey(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService})
fakeID := "c62e6d68851cef1f7e55a9d56e3b0c05f3359f16838cad43600f0554e7d3b54d"
keyID := &pb.KeyID{ID: fakeID}
requestJson, _ := json.Marshal(keyID)
reader = strings.NewReader(string(requestJson))
request, err := http.NewRequest("POST", deleteKeyBaseURL, reader)
assert.Nil(t, err)
res, err := http.DefaultClient.Do(request)
assert.Nil(t, err)
assert.Equal(t, 404, res.StatusCode)
}
func TestSoftwareCreateKeyHandler(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService})
createKeyURL := fmt.Sprintf("%s/%s", createKeyBaseURL, data.ED25519Key)
request, err := http.NewRequest("POST", createKeyURL, nil)
assert.Nil(t, err)
res, err := http.DefaultClient.Do(request)
assert.Nil(t, err)
assert.Equal(t, 200, res.StatusCode)
jsonBlob, err := ioutil.ReadAll(res.Body)
assert.Nil(t, err)
var keyInfo *pb.PublicKey
err = json.Unmarshal(jsonBlob, &keyInfo)
assert.Nil(t, err)
}
func TestSoftwareSignWithInvalidRequestHandler(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService})
requestJson := "{\"blob\":\"7d16f1d0b95310a7bc557747fc4f20fcd41c1c5095ae42f189df0717e7d7f4a0a2b55debce630f43c4ac099769c612965e3fda3cd4c0078ee6a460f14fa19307\"}"
reader = strings.NewReader(requestJson)
request, err := http.NewRequest("POST", signBaseURL, reader)
assert.Nil(t, err)
res, err := http.DefaultClient.Do(request)
assert.Nil(t, err)
jsonBlob, err := ioutil.ReadAll(res.Body)
assert.Nil(t, err)
var sig *pb.Signature
err = json.Unmarshal(jsonBlob, &sig)
assert.Equal(t, 400, res.StatusCode)
}
func BenchmarkCreateKey(b *testing.B) {
sigService := api.NewEdDSASigningService(keys.NewKeyDB())
for n := 0; n < b.N; n++ {
_, _ = sigService.CreateKey()
}
}
func main() {
flag.Usage = usage
flag.Parse()
if _DebugAddr != "" {
go debugServer(_DebugAddr)
}
if certFile == "" || keyFile == "" {
usage()
log.Fatalf("Certificate and key are mandatory")
}
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA},
}
tlsConfig.Rand = rand.Reader
sigServices := make(signer.SigningServiceIndex)
if pkcs11Lib != "" {
if pin == "" {
log.Fatalf("Using PIN is mandatory with pkcs11")
}
ctx, session := SetupHSMEnv(pkcs11Lib)
defer cleanup(ctx, session)
sigServices[data.RSAKey] = api.NewRSASigningService(ctx, session)
}
sigServices[data.ED25519Key] = api.EdDSASigningService{KeyDB: keys.NewKeyDB()}
//RPC server setup
kms := &api.KeyManagementServer{SigServices: sigServices}
ss := &api.SignerServer{SigServices: sigServices}
grpcServer := grpc.NewServer()
pb.RegisterKeyManagementServer(grpcServer, kms)
pb.RegisterSignerServer(grpcServer, ss)
lis, err := net.Listen("tcp", _RpcAddr)
if err != nil {
log.Fatalf("failed to listen %v", err)
}
creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
log.Fatalf("failed to generate credentials %v", err)
}
go grpcServer.Serve(creds.NewListener(lis))
//HTTP server setup
server := http.Server{
Addr: _Addr,
Handler: api.Handlers(sigServices),
TLSConfig: tlsConfig,
}
if debug {
log.Println("[Notary-signer RPC Server] : Listening on", _RpcAddr)
log.Println("[Notary-signer Server] : Listening on", _Addr)
}
err = server.ListenAndServeTLS(certFile, keyFile)
if err != nil {
log.Fatalf("[Notary-signer Server] : Failed to start %s", err)
}
}
