func TestHSMCreateKeyHandler(t *testing.T) { ctx, session := SetupHSMEnv(t) defer ctx.Destroy() defer ctx.Finalize() defer ctx.CloseSession(session) defer ctx.Logout(session) // We associate both key types with this signing service to bypass the // ID -> keyType logic in the tests sigService := api.NewRSASigningService(ctx, session) setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService}) createKeyURL := fmt.Sprintf("%s/%s", createKeyBaseURL, data.RSAKey) request, err := http.NewRequest("POST", createKeyURL, nil) assert.Nil(t, err) res, err := http.DefaultClient.Do(request) assert.Nil(t, err) jsonBlob, err := ioutil.ReadAll(res.Body) assert.Nil(t, err) var keyInfo *pb.PublicKey err = json.Unmarshal(jsonBlob, &keyInfo) assert.Nil(t, err) assert.Equal(t, 200, res.StatusCode) }
func TestHSMSignHandler(t *testing.T) { ctx, session := SetupHSMEnv(t) defer ctx.Destroy() defer ctx.Finalize() defer ctx.CloseSession(session) defer ctx.Logout(session) // We associate both key types with this signing service to bypass the // ID -> keyType logic in the tests sigService := api.NewRSASigningService(ctx, session) setup(signer.SigningServiceIndex{data.ED25519Key: sigService, data.RSAKey: sigService}) key, _ := sigService.CreateKey() sigRequest := &pb.SignatureRequest{KeyID: key.KeyInfo.KeyID, Content: make([]byte, 10)} requestJson, _ := json.Marshal(sigRequest) reader = strings.NewReader(string(requestJson)) request, err := http.NewRequest("POST", signBaseURL, reader) assert.Nil(t, err) res, err := http.DefaultClient.Do(request) assert.Nil(t, err) jsonBlob, err := ioutil.ReadAll(res.Body) assert.Nil(t, err) var sig *pb.Signature err = json.Unmarshal(jsonBlob, &sig) assert.Nil(t, err) assert.Equal(t, key.KeyInfo.KeyID.ID, sig.KeyInfo.KeyID.ID) assert.Equal(t, 200, res.StatusCode) }
func main() { flag.Usage = usage flag.Parse() if _DebugAddr != "" { go debugServer(_DebugAddr) } if certFile == "" || keyFile == "" { usage() log.Fatalf("Certificate and key are mandatory") } tlsConfig := &tls.Config{ MinVersion: tls.VersionTLS12, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA}, } tlsConfig.Rand = rand.Reader sigServices := make(signer.SigningServiceIndex) if pkcs11Lib != "" { if pin == "" { log.Fatalf("Using PIN is mandatory with pkcs11") } ctx, session := SetupHSMEnv(pkcs11Lib) defer cleanup(ctx, session) sigServices[data.RSAKey] = api.NewRSASigningService(ctx, session) } sigServices[data.ED25519Key] = api.EdDSASigningService{KeyDB: keys.NewKeyDB()} //RPC server setup kms := &api.KeyManagementServer{SigServices: sigServices} ss := &api.SignerServer{SigServices: sigServices} grpcServer := grpc.NewServer() pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) lis, err := net.Listen("tcp", _RpcAddr) if err != nil { log.Fatalf("failed to listen %v", err) } creds, err := credentials.NewServerTLSFromFile(certFile, keyFile) if err != nil { log.Fatalf("failed to generate credentials %v", err) } go grpcServer.Serve(creds.NewListener(lis)) //HTTP server setup server := http.Server{ Addr: _Addr, Handler: api.Handlers(sigServices), TLSConfig: tlsConfig, } if debug { log.Println("[Notary-signer RPC Server] : Listening on", _RpcAddr) log.Println("[Notary-signer Server] : Listening on", _Addr) } err = server.ListenAndServeTLS(certFile, keyFile) if err != nil { log.Fatalf("[Notary-signer Server] : Failed to start %s", err) } }