// set up the GRPC server func setupGRPCServer(signerConfig signer.Config) (*grpc.Server, net.Listener, error) { //RPC server setup kms := &api.KeyManagementServer{ CryptoServices: signerConfig.CryptoServices, } ss := &api.SignerServer{ CryptoServices: signerConfig.CryptoServices, } hs := ghealth.NewServer() lis, err := net.Listen("tcp", signerConfig.GRPCAddr) if err != nil { return nil, nil, fmt.Errorf("grpc server failed to listen on %s: %v", signerConfig.GRPCAddr, err) } creds := credentials.NewTLS(signerConfig.TLSConfig) opts := []grpc.ServerOption{grpc.Creds(creds)} grpcServer := grpc.NewServer(opts...) pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) healthpb.RegisterHealthServer(grpcServer, hs) // Set status for both of the grpc service "KeyManagement" and "Signer", these are // the only two we have at present, if we add more grpc service in the future, // we should add a new line for that service here as well. hs.SetServingStatus(notary.HealthCheckKeyManagement, healthpb.HealthCheckResponse_SERVING) hs.SetServingStatus(notary.HealthCheckSigner, healthpb.HealthCheckResponse_SERVING) return grpcServer, lis, nil }
func init() { pr = func(string, string, bool, int) (string, bool, error) { return "passphrase", false, nil } keyStore := trustmanager.NewKeyMemoryStore(pr) cryptoService := cryptoservice.NewCryptoService("", keyStore) cryptoServices := signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService} void = &pb.Void{} fakeHealth := func() map[string]string { return health } //server setup kms := &api.KeyManagementServer{CryptoServices: cryptoServices, HealthChecker: fakeHealth} ss := &api.SignerServer{CryptoServices: cryptoServices, HealthChecker: fakeHealth} grpcServer = grpc.NewServer() pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) lis, err := net.Listen("tcp", "127.0.0.1:7899") if err != nil { log.Fatalf("failed to listen %v", err) } go grpcServer.Serve(lis) //client setup conn, err := grpc.Dial("127.0.0.1:7899", grpc.WithInsecure()) if err != nil { log.Fatalf("fail to dial: %v", err) } kmClient = pb.NewKeyManagementClient(conn) sClient = pb.NewSignerClient(conn) }
func init() { sigService := api.NewEdDSASigningService(keys.NewKeyDB()) sigServices := signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService} void = &pb.Void{} //server setup kms := &api.KeyManagementServer{SigServices: sigServices} ss := &api.SignerServer{SigServices: sigServices} grpcServer = grpc.NewServer() pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) lis, err := net.Listen("tcp", "127.0.0.1:7899") if err != nil { log.Fatalf("failed to listen %v", err) } go grpcServer.Serve(lis) //client setup conn, err := grpc.Dial("127.0.0.1:7899") if err != nil { log.Fatalf("fail to dial: %v", err) } kmClient = pb.NewKeyManagementClient(conn) sClient = pb.NewSignerClient(conn) }
func getStubbedHealthServer(hs *health.Server) *grpc.Server { s := stubServer{healthServer: hs} gServer := grpc.NewServer() pb.RegisterKeyManagementServer(gServer, s) pb.RegisterSignerServer(gServer, s) if s.healthServer != nil { healthpb.RegisterHealthServer(gServer, s.healthServer) } return gServer }
func setUpSignerServer(t *testing.T, store trustmanager.KeyStore) *grpc.Server { cryptoService := cryptoservice.NewCryptoService(store) cryptoServices := signer.CryptoServiceIndex{ data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService, } //server setup grpcServer := grpc.NewServer() pb.RegisterKeyManagementServer(grpcServer, &api.KeyManagementServer{ CryptoServices: cryptoServices, }) pb.RegisterSignerServer(grpcServer, &api.SignerServer{ CryptoServices: cryptoServices, }) return grpcServer }
// set up the GRPC server func setupGRPCServer(grpcAddr string, tlsConfig *tls.Config, cryptoServices signer.CryptoServiceIndex) (*grpc.Server, net.Listener, error) { //RPC server setup kms := &api.KeyManagementServer{CryptoServices: cryptoServices, HealthChecker: health.CheckStatus} ss := &api.SignerServer{CryptoServices: cryptoServices, HealthChecker: health.CheckStatus} lis, err := net.Listen("tcp", grpcAddr) if err != nil { return nil, nil, fmt.Errorf("grpc server failed to listen on %s: %v", grpcAddr, err) } creds := credentials.NewTLS(tlsConfig) opts := []grpc.ServerOption{grpc.Creds(creds)} grpcServer := grpc.NewServer(opts...) pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) return grpcServer, lis, nil }
func main() { flag.Usage = usage flag.Parse() if debug { go debugServer(debugAddr) } // when the signer starts print the version for debugging and issue logs later logrus.Infof("Version: %s, Git commit: %s", version.NotaryVersion, version.GitCommit) filename := filepath.Base(configFile) ext := filepath.Ext(configFile) configPath := filepath.Dir(configFile) mainViper.SetConfigType(strings.TrimPrefix(ext, ".")) mainViper.SetConfigName(strings.TrimSuffix(filename, ext)) mainViper.AddConfigPath(configPath) err := mainViper.ReadInConfig() if err != nil { logrus.Error("Viper Error: ", err.Error()) logrus.Error("Could not read config at ", configFile) os.Exit(1) } logrus.SetLevel(logrus.Level(mainViper.GetInt("logging.level"))) tlsConfig, err := signerTLS(mainViper, true) if err != nil { logrus.Fatalf(err.Error()) } cryptoServices := make(signer.CryptoServiceIndex) configDBType := strings.ToLower(mainViper.GetString("storage.backend")) dbURL := mainViper.GetString("storage.db_url") if configDBType != dbType || dbURL == "" { usage() log.Fatalf("Currently only a MySQL database backend is supported.") } dbSQL, err := sql.Open(configDBType, dbURL) if err != nil { log.Fatalf("failed to open the database: %s, %v", dbURL, err) } defaultAlias := mainViper.GetString(defaultAliasEnv) logrus.Debug("Default Alias: ", defaultAlias) keyStore, err := keydbstore.NewKeyDBStore(passphraseRetriever, defaultAlias, configDBType, dbSQL) if err != nil { log.Fatalf("failed to create a new keydbstore: %v", err) } health.RegisterPeriodicFunc( "DB operational", keyStore.HealthCheck, time.Second*60) cryptoService := cryptoservice.NewCryptoService("", keyStore) cryptoServices[data.ED25519Key] = cryptoService cryptoServices[data.ECDSAKey] = cryptoService //RPC server setup kms := &api.KeyManagementServer{CryptoServices: cryptoServices, HealthChecker: health.CheckStatus} ss := &api.SignerServer{CryptoServices: cryptoServices, HealthChecker: health.CheckStatus} rpcAddr := mainViper.GetString("server.grpc_addr") lis, err := net.Listen("tcp", rpcAddr) if err != nil { log.Fatalf("failed to listen %v", err) } creds := credentials.NewTLS(tlsConfig) opts := []grpc.ServerOption{grpc.Creds(creds)} grpcServer := grpc.NewServer(opts...) pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) go grpcServer.Serve(lis) httpAddr := mainViper.GetString("server.http_addr") if httpAddr == "" { log.Fatalf("Server address is required") } //HTTP server setup server := http.Server{ Addr: httpAddr, Handler: api.Handlers(cryptoServices), TLSConfig: tlsConfig, } if debug { log.Println("RPC server listening on", rpcAddr) log.Println("HTTP server listening on", httpAddr) } err = server.ListenAndServeTLS("", "") if err != nil { log.Fatal("HTTPS server failed to start:", err) } }
func main() { flag.Usage = usage flag.Parse() if debug { go debugServer(debugAddr) } // when the signer starts print the version for debugging and issue logs later logrus.Infof("Version: %s, Git commit: %s", version.NotaryVersion, version.GitCommit) filename := filepath.Base(configFile) ext := filepath.Ext(configFile) configPath := filepath.Dir(configFile) viper.SetConfigType(strings.TrimPrefix(ext, ".")) viper.SetConfigName(strings.TrimSuffix(filename, ext)) viper.AddConfigPath(configPath) err := viper.ReadInConfig() if err != nil { logrus.Error("Viper Error: ", err.Error()) logrus.Error("Could not read config at ", configFile) os.Exit(1) } logrus.SetLevel(logrus.Level(viper.GetInt("logging.level"))) certFile := viper.GetString("server.cert_file") keyFile := viper.GetString("server.key_file") if certFile == "" || keyFile == "" { usage() log.Fatalf("Certificate and key are mandatory") } tlsConfig := &tls.Config{ MinVersion: tls.VersionTLS12, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA}, } tlsConfig.Rand = rand.Reader cryptoServices := make(signer.CryptoServiceIndex) pin := viper.GetString(pinCode) pkcs11Lib := viper.GetString("crypto.pkcs11lib") if pkcs11Lib != "" { if pin == "" { log.Fatalf("Using PIN is mandatory with pkcs11") } ctx, session := SetupHSMEnv(pkcs11Lib, pin) defer cleanup(ctx, session) cryptoServices[data.RSAKey] = api.NewRSAHardwareCryptoService(ctx, session) } configDBType := strings.ToLower(viper.GetString("storage.backend")) dbURL := viper.GetString("storage.db_url") if configDBType != dbType || dbURL == "" { usage() log.Fatalf("Currently only a MySQL database backend is supported.") } dbSQL, err := sql.Open(configDBType, dbURL) if err != nil { log.Fatalf("failed to open the database: %s, %v", dbURL, err) } defaultAlias := viper.GetString(defaultAliasEnv) logrus.Debug("Default Alias: ", defaultAlias) keyStore, err := signer.NewKeyDBStore(passphraseRetriever, defaultAlias, configDBType, dbSQL) if err != nil { log.Fatalf("failed to create a new keydbstore: %v", err) } cryptoService := cryptoservice.NewCryptoService("", keyStore) cryptoServices[data.ED25519Key] = cryptoService cryptoServices[data.ECDSAKey] = cryptoService //RPC server setup kms := &api.KeyManagementServer{CryptoServices: cryptoServices} ss := &api.SignerServer{CryptoServices: cryptoServices} grpcServer := grpc.NewServer() pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) rpcAddr := viper.GetString("server.grpc_addr") lis, err := net.Listen("tcp", rpcAddr) if err != nil { log.Fatalf("failed to listen %v", err) } creds, err := credentials.NewServerTLSFromFile(certFile, keyFile) if err != nil { log.Fatalf("failed to generate credentials %v", err) } go grpcServer.Serve(creds.NewListener(lis)) httpAddr := viper.GetString("server.http_addr") if httpAddr == "" { log.Fatalf("Server address is required") } //HTTP server setup server := http.Server{ Addr: httpAddr, Handler: api.Handlers(cryptoServices), TLSConfig: tlsConfig, } if debug { log.Println("RPC server listening on", rpcAddr) log.Println("HTTP server listening on", httpAddr) } err = server.ListenAndServeTLS(certFile, keyFile) if err != nil { log.Fatal("HTTP server failed to start:", err) } }
func main() { flag.Usage = usage flag.Parse() if _DebugAddr != "" { go debugServer(_DebugAddr) } if certFile == "" || keyFile == "" { usage() log.Fatalf("Certificate and key are mandatory") } tlsConfig := &tls.Config{ MinVersion: tls.VersionTLS12, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA}, } tlsConfig.Rand = rand.Reader sigServices := make(signer.SigningServiceIndex) if pkcs11Lib != "" { if pin == "" { log.Fatalf("Using PIN is mandatory with pkcs11") } ctx, session := SetupHSMEnv(pkcs11Lib) defer cleanup(ctx, session) sigServices[data.RSAKey] = api.NewRSASigningService(ctx, session) } sigServices[data.ED25519Key] = api.EdDSASigningService{KeyDB: keys.NewKeyDB()} //RPC server setup kms := &api.KeyManagementServer{SigServices: sigServices} ss := &api.SignerServer{SigServices: sigServices} grpcServer := grpc.NewServer() pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) lis, err := net.Listen("tcp", _RpcAddr) if err != nil { log.Fatalf("failed to listen %v", err) } creds, err := credentials.NewServerTLSFromFile(certFile, keyFile) if err != nil { log.Fatalf("failed to generate credentials %v", err) } go grpcServer.Serve(creds.NewListener(lis)) //HTTP server setup server := http.Server{ Addr: _Addr, Handler: api.Handlers(sigServices), TLSConfig: tlsConfig, } if debug { log.Println("[Notary-signer RPC Server] : Listening on", _RpcAddr) log.Println("[Notary-signer Server] : Listening on", _Addr) } err = server.ListenAndServeTLS(certFile, keyFile) if err != nil { log.Fatalf("[Notary-signer Server] : Failed to start %s", err) } }