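// TestHSMCreateKeyHandler exercises the HTTP create-key endpoint backed by the
// PKCS#11 RSA crypto service and checks that a 200 response carrying a
// decodable public key comes back.
func TestHSMCreateKeyHandler(t *testing.T) {
	ctx, session := SetupHSMEnv(t)
	// Deferred calls run last-in-first-out: logout, close the session, then
	// finalize and destroy the PKCS#11 context.
	defer ctx.Destroy()
	defer ctx.Finalize()
	defer ctx.CloseSession(session)
	defer ctx.Logout(session)

	cryptoService := api.NewRSAHardwareCryptoService(ctx, session)
	setup(signer.CryptoServiceIndex{data.RSAKey: cryptoService})

	createKeyURL := fmt.Sprintf("%s/%s", createKeyBaseURL, data.RSAKey)

	request, err := http.NewRequest("POST", createKeyURL, nil)
	assert.Nil(t, err)

	res, err := http.DefaultClient.Do(request)
	// assert.Nil only records the failure; stop here so a nil response is not
	// dereferenced below.
	if !assert.Nil(t, err) {
		return
	}
	// Always release the body so the transport can reuse the connection.
	defer res.Body.Close()

	// Check the status before decoding: an error response carries an error
	// body rather than a key, and a JSON decode failure would hide that cause.
	assert.Equal(t, 200, res.StatusCode)

	jsonBlob, err := ioutil.ReadAll(res.Body)
	assert.Nil(t, err)

	var keyInfo *pb.PublicKey
	err = json.Unmarshal(jsonBlob, &keyInfo)
	assert.Nil(t, err)
	// A literal "null" body would unmarshal cleanly into a nil pointer; the
	// endpoint under test is expected to return an actual key.
	assert.NotNil(t, keyInfo)
}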
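// TestHSMSignHandler exercises the HTTP sign endpoint backed by the PKCS#11
// RSA crypto service: it creates a key, requests a signature over a small
// payload and checks that the response is a 200 naming the same key.
func TestHSMSignHandler(t *testing.T) {
	ctx, session := SetupHSMEnv(t)
	// Deferred calls run last-in-first-out: logout, close the session, then
	// finalize and destroy the PKCS#11 context.
	defer ctx.Destroy()
	defer ctx.Finalize()
	defer ctx.CloseSession(session)
	defer ctx.Logout(session)

	cryptoService := api.NewRSAHardwareCryptoService(ctx, session)
	setup(signer.CryptoServiceIndex{data.RSAKey: cryptoService})

	// Key creation on the HSM can fail; do not continue with a nil key.
	tufKey, err := cryptoService.Create("", data.RSAKey)
	if !assert.Nil(t, err) {
		return
	}

	sigRequest := &pb.SignatureRequest{KeyID: &pb.KeyID{ID: tufKey.ID()}, Content: make([]byte, 10)}
	requestJSON, err := json.Marshal(sigRequest)
	assert.Nil(t, err)

	request, err := http.NewRequest("POST", signBaseURL, strings.NewReader(string(requestJSON)))
	assert.Nil(t, err)

	res, err := http.DefaultClient.Do(request)
	// assert.Nil only records the failure; stop here so a nil response is not
	// dereferenced below.
	if !assert.Nil(t, err) {
		return
	}
	// Always release the body so the transport can reuse the connection.
	defer res.Body.Close()

	// Check the status before decoding: an error response carries an error
	// body rather than a signature, and a decode failure would hide that cause.
	assert.Equal(t, 200, res.StatusCode)

	jsonBlob, err := ioutil.ReadAll(res.Body)
	assert.Nil(t, err)

	var sig *pb.Signature
	err = json.Unmarshal(jsonBlob, &sig)
	assert.Nil(t, err)
	if !assert.NotNil(t, sig) {
		return
	}

	// Compare the key ID strings: tufKey.ID is a method, so the bare name
	// would compare a func value against a string and never be equal.
	assert.Equal(t, tufKey.ID(), sig.KeyInfo.KeyID.ID)
}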
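// main starts the signer: it loads the configuration, optionally attaches a
// PKCS#11 HSM for RSA keys, opens the key database, and serves the gRPC and
// HTTPS APIs until the HTTPS server stops. Fatal configuration errors exit
// the process.
func main() {
	flag.Usage = usage
	flag.Parse()

	if debug {
		go debugServer(debugAddr)
	}

	// when the signer starts print the version for debugging and issue logs later
	logrus.Infof("Version: %s, Git commit: %s", version.NotaryVersion, version.GitCommit)

	filename := filepath.Base(configFile)
	ext := filepath.Ext(configFile)
	configPath := filepath.Dir(configFile)

	viper.SetConfigType(strings.TrimPrefix(ext, "."))
	viper.SetConfigName(strings.TrimSuffix(filename, ext))
	viper.AddConfigPath(configPath)
	err := viper.ReadInConfig()
	if err != nil {
		logrus.Error("Viper Error: ", err.Error())
		logrus.Error("Could not read config at ", configFile)
		os.Exit(1)
	}

	logrus.SetLevel(logrus.Level(viper.GetInt("logging.level")))

	certFile := viper.GetString("server.cert_file")
	keyFile := viper.GetString("server.key_file")
	if certFile == "" || keyFile == "" {
		usage()
		log.Fatalf("Certificate and key are mandatory")
	}

	// TLS 1.2 minimum. The ECDHE suites at the head of the list provide
	// forward secrecy; the two trailing TLS_RSA_* suites do not (static RSA
	// key exchange) and are only kept for older clients. PreferServerCipherSuites
	// is ignored by Go 1.17 and later, which always orders suites itself.
	tlsConfig := &tls.Config{
		MinVersion:               tls.VersionTLS12,
		PreferServerCipherSuites: true,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_AES_256_CBC_SHA},
	}
	// crypto/rand is already the default; set explicitly for clarity.
	tlsConfig.Rand = rand.Reader

	cryptoServices := make(signer.CryptoServiceIndex)

	pin := viper.GetString(pinCode)
	pkcs11Lib := viper.GetString("crypto.pkcs11lib")
	if pkcs11Lib != "" {
		if pin == "" {
			log.Fatalf("Using PIN is mandatory with pkcs11")
		}

		ctx, session := SetupHSMEnv(pkcs11Lib, pin)

		// NOTE: log.Fatal* calls os.Exit, which skips deferred calls, so the
		// HSM session is only logged out on a normal return from main.
		defer cleanup(ctx, session)

		cryptoServices[data.RSAKey] = api.NewRSAHardwareCryptoService(ctx, session)
	}

	configDBType := strings.ToLower(viper.GetString("storage.backend"))
	dbURL := viper.GetString("storage.db_url")
	if configDBType != dbType || dbURL == "" {
		usage()
		log.Fatalf("Currently only a MySQL database backend is supported.")
	}
	dbSQL, err := sql.Open(configDBType, dbURL)
	if err != nil {
		log.Fatalf("failed to open the database: %s, %v", dbURL, err)
	}
	// Release the pool on a normal return from main.
	defer dbSQL.Close()

	defaultAlias := viper.GetString(defaultAliasEnv)
	logrus.Debug("Default Alias: ", defaultAlias)
	keyStore, err := signer.NewKeyDBStore(passphraseRetriever, defaultAlias, configDBType, dbSQL)
	if err != nil {
		log.Fatalf("failed to create a new keydbstore: %v", err)
	}
	cryptoService := cryptoservice.NewCryptoService("", keyStore)

	cryptoServices[data.ED25519Key] = cryptoService
	cryptoServices[data.ECDSAKey] = cryptoService

	//RPC server setup
	kms := &api.KeyManagementServer{CryptoServices: cryptoServices}
	ss := &api.SignerServer{CryptoServices: cryptoServices}

	grpcServer := grpc.NewServer()
	pb.RegisterKeyManagementServer(grpcServer, kms)
	pb.RegisterSignerServer(grpcServer, ss)

	rpcAddr := viper.GetString("server.grpc_addr")
	lis, err := net.Listen("tcp", rpcAddr)
	if err != nil {
		log.Fatalf("failed to listen %v", err)
	}
	creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
	if err != nil {
		log.Fatalf("failed to generate credentials %v", err)
	}
	// Serve returns only on error; surface it instead of silently running
	// with the gRPC endpoint down while the HTTPS server keeps going.
	go func() {
		if err := grpcServer.Serve(creds.NewListener(lis)); err != nil {
			log.Fatal("RPC server failed:", err)
		}
	}()

	httpAddr := viper.GetString("server.http_addr")
	if httpAddr == "" {
		log.Fatalf("Server address is required")
	}
	//HTTP server setup
	// NOTE(review): no ReadTimeout/WriteTimeout is set, so slow clients can
	// hold connections open indefinitely; confirm against expected payload
	// sizes before adding them.
	server := http.Server{
		Addr:      httpAddr,
		Handler:   api.Handlers(cryptoServices),
		TLSConfig: tlsConfig,
	}

	if debug {
		log.Println("RPC server listening on", rpcAddr)
		log.Println("HTTP server listening on", httpAddr)
	}

	err = server.ListenAndServeTLS(certFile, keyFile)
	if err != nil {
		log.Fatal("HTTP server failed to start:", err)
	}
}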
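// main starts the signer: it loads the configuration, builds the TLS config,
// optionally attaches a PKCS#11 HSM for RSA keys, opens the key database with
// a periodic health check, and serves the gRPC and HTTPS APIs until the HTTPS
// server stops. Fatal configuration errors exit the process.
func main() {
	flag.Usage = usage
	flag.Parse()

	if debug {
		go debugServer(debugAddr)
	}

	// when the signer starts print the version for debugging and issue logs later
	logrus.Infof("Version: %s, Git commit: %s", version.NotaryVersion, version.GitCommit)

	filename := filepath.Base(configFile)
	ext := filepath.Ext(configFile)
	configPath := filepath.Dir(configFile)

	mainViper.SetConfigType(strings.TrimPrefix(ext, "."))
	mainViper.SetConfigName(strings.TrimSuffix(filename, ext))
	mainViper.AddConfigPath(configPath)
	err := mainViper.ReadInConfig()
	if err != nil {
		logrus.Error("Viper Error: ", err.Error())
		logrus.Error("Could not read config at ", configFile)
		os.Exit(1)
	}

	logrus.SetLevel(logrus.Level(mainViper.GetInt("logging.level")))

	tlsConfig, err := signerTLS(mainViper, true)
	if err != nil {
		// Pass the error as a value, not as a format string: a '%' in the
		// message would otherwise be interpreted as a verb and garble the log.
		logrus.Fatal(err)
	}

	cryptoServices := make(signer.CryptoServiceIndex)

	pin := mainViper.GetString(pinCode)
	pkcs11Lib := mainViper.GetString("crypto.pkcs11lib")
	if pkcs11Lib != "" {
		if pin == "" {
			log.Fatalf("Using PIN is mandatory with pkcs11")
		}

		ctx, session := SetupHSMEnv(pkcs11Lib, pin)

		// NOTE: log.Fatal* calls os.Exit, which skips deferred calls, so the
		// HSM session is only logged out on a normal return from main.
		defer cleanup(ctx, session)

		cryptoServices[data.RSAKey] = api.NewRSAHardwareCryptoService(ctx, session)
	}

	configDBType := strings.ToLower(mainViper.GetString("storage.backend"))
	dbURL := mainViper.GetString("storage.db_url")
	if configDBType != dbType || dbURL == "" {
		usage()
		log.Fatalf("Currently only a MySQL database backend is supported.")
	}
	dbSQL, err := sql.Open(configDBType, dbURL)
	if err != nil {
		log.Fatalf("failed to open the database: %s, %v", dbURL, err)
	}
	// Release the pool on a normal return from main.
	defer dbSQL.Close()

	defaultAlias := mainViper.GetString(defaultAliasEnv)
	logrus.Debug("Default Alias: ", defaultAlias)
	keyStore, err := signer.NewKeyDBStore(passphraseRetriever, defaultAlias, configDBType, dbSQL)
	if err != nil {
		log.Fatalf("failed to create a new keydbstore: %v", err)
	}

	// Re-check database reachability every minute; the result feeds the
	// HealthChecker exposed by both RPC servers below.
	health.RegisterPeriodicFunc(
		"DB operational", keyStore.HealthCheck, time.Second*60)

	cryptoService := cryptoservice.NewCryptoService("", keyStore)

	cryptoServices[data.ED25519Key] = cryptoService
	cryptoServices[data.ECDSAKey] = cryptoService

	//RPC server setup
	kms := &api.KeyManagementServer{CryptoServices: cryptoServices,
		HealthChecker: health.CheckStatus}
	ss := &api.SignerServer{CryptoServices: cryptoServices,
		HealthChecker: health.CheckStatus}

	rpcAddr := mainViper.GetString("server.grpc_addr")
	lis, err := net.Listen("tcp", rpcAddr)
	if err != nil {
		log.Fatalf("failed to listen %v", err)
	}
	// Both endpoints share the one TLS config built by signerTLS.
	creds := credentials.NewTLS(tlsConfig)
	opts := []grpc.ServerOption{grpc.Creds(creds)}
	grpcServer := grpc.NewServer(opts...)

	pb.RegisterKeyManagementServer(grpcServer, kms)
	pb.RegisterSignerServer(grpcServer, ss)

	// Serve returns only on error; surface it instead of silently running
	// with the gRPC endpoint down while the HTTPS server keeps going.
	go func() {
		if err := grpcServer.Serve(lis); err != nil {
			log.Fatal("RPC server failed:", err)
		}
	}()

	httpAddr := mainViper.GetString("server.http_addr")
	if httpAddr == "" {
		log.Fatalf("Server address is required")
	}
	//HTTP server setup
	// NOTE(review): no ReadTimeout/WriteTimeout is set, so slow clients can
	// hold connections open indefinitely; confirm against expected payload
	// sizes before adding them.
	server := http.Server{
		Addr:      httpAddr,
		Handler:   api.Handlers(cryptoServices),
		TLSConfig: tlsConfig,
	}

	if debug {
		log.Println("RPC server listening on", rpcAddr)
		log.Println("HTTP server listening on", httpAddr)
	}

	// Empty cert/key paths: the certificate comes from tlsConfig.Certificates.
	err = server.ListenAndServeTLS("", "")
	if err != nil {
		log.Fatal("HTTPS server failed to start:", err)
	}
}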