forked from TrueCloudLab/certificates
Refactor the initialization of KeyManagers.
This commit is contained in:
Mariano Cano
parent
c02fe77998
commit
63e36ecd7a
7 changed files with 81 additions and 62 deletions
|
|
@ -1,11 +1,28 @@
|
|||
package apiv1
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/x509"
|
||||
"strings"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
// KeyManager is the interface implemented by all the KMS.
|
||||
type KeyManager interface {
|
||||
GetPublicKey(req *GetPublicKeyRequest) (crypto.PublicKey, error)
|
||||
CreateKey(req *CreateKeyRequest) (*CreateKeyResponse, error)
|
||||
CreateSigner(req *CreateSignerRequest) (crypto.Signer, error)
|
||||
Close() error
|
||||
}
|
||||
|
||||
// CertificateManager is the interface implemented by the KMS that can load and
|
||||
// store x509.Certificates.
|
||||
type CertificateManager interface {
|
||||
LoadCerticate(req *LoadCertificateRequest) (*x509.Certificate, error)
|
||||
StoreCertificate(req *StoreCertificateRequest) error
|
||||
}
|
||||
|
||||
// ErrNotImplemented
|
||||
type ErrNotImplemented struct {
|
||||
msg string
|
||||
|
|
|
|||
27
kms/apiv1/registry.go
Normal file
27
kms/apiv1/registry.go
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
package apiv1
|
||||
|
||||
import (
|
||||
"context"
|
||||
"sync"
|
||||
)
|
||||
|
||||
var registry = new(sync.Map)
|
||||
|
||||
// KeyManagerNewFunc is the type that represents the method to initialize a new
|
||||
// KeyManager.
|
||||
type KeyManagerNewFunc func(ctx context.Context, opts Options) (KeyManager, error)
|
||||
|
||||
// Register adds to the registry a method to create a KeyManager of type t.
|
||||
func Register(t Type, fn KeyManagerNewFunc) {
|
||||
registry.Store(t, fn)
|
||||
}
|
||||
|
||||
// LoadKeyManagerNewFunc returns the function initialize a KayManager.
|
||||
func LoadKeyManagerNewFunc(t Type) (KeyManagerNewFunc, bool) {
|
||||
v, ok := registry.Load(t)
|
||||
if !ok {
|
||||
return nil, false
|
||||
}
|
||||
fn, ok := v.(KeyManagerNewFunc)
|
||||
return fn, ok
|
||||
}
|
||||
|
|
@ -93,6 +93,12 @@ func New(ctx context.Context, opts apiv1.Options) (*CloudKMS, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
func init() {
|
||||
apiv1.Register(apiv1.CloudKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
|
||||
return New(ctx, opts)
|
||||
})
|
||||
}
|
||||
|
||||
// NewCloudKMS creates a CloudKMS with a given client.
|
||||
func NewCloudKMS(client KeyManagementClient) *CloudKMS {
|
||||
return &CloudKMS{
|
||||
|
|
|
|||
36
kms/kms.go
36
kms/kms.go
|
|
@ -2,30 +2,18 @@ package kms
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"crypto/x509"
|
||||
"strings"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/kms/apiv1"
|
||||
"github.com/smallstep/certificates/kms/cloudkms"
|
||||
"github.com/smallstep/certificates/kms/softkms"
|
||||
"github.com/smallstep/certificates/kms/yubikey"
|
||||
)
|
||||
|
||||
// KeyManager is the interface implemented by all the KMS.
|
||||
type KeyManager interface {
|
||||
GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
|
||||
CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
|
||||
CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
|
||||
Close() error
|
||||
}
|
||||
type KeyManager = apiv1.KeyManager
|
||||
|
||||
// CertificateManager is the interface implemented by the KMS that can load and store x509.Certificates.
|
||||
type CertificateManager interface {
|
||||
LoadCerticate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
|
||||
StoreCertificate(req *apiv1.StoreCertificateRequest) error
|
||||
}
|
||||
// CertificateManager is the interface implemented by the KMS that can load and
|
||||
// store x509.Certificates.
|
||||
type CertificateManager = apiv1.CertificateManager
|
||||
|
||||
// New initializes a new KMS from the given type.
|
||||
func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) {
|
||||
|
|
@ -33,14 +21,14 @@ func New(ctx context.Context, opts apiv1.Options) (KeyManager, error) {
|
|||
return nil, err
|
||||
}
|
||||
|
||||
switch apiv1.Type(strings.ToLower(opts.Type)) {
|
||||
case apiv1.DefaultKMS, apiv1.SoftKMS:
|
||||
return softkms.New(ctx, opts)
|
||||
case apiv1.CloudKMS:
|
||||
return cloudkms.New(ctx, opts)
|
||||
case apiv1.YubiKey:
|
||||
return yubikey.New(ctx, opts)
|
||||
default:
|
||||
t := apiv1.Type(strings.ToLower(opts.Type))
|
||||
if t == apiv1.DefaultKMS {
|
||||
t = apiv1.SoftKMS
|
||||
}
|
||||
|
||||
fn, ok := apiv1.LoadKeyManagerNewFunc(t)
|
||||
if !ok {
|
||||
return nil, errors.Errorf("unsupported kms type '%s'", opts.Type)
|
||||
}
|
||||
return fn(ctx, opts)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -52,6 +52,12 @@ func New(ctx context.Context, opts apiv1.Options) (*SoftKMS, error) {
|
|||
return &SoftKMS{}, nil
|
||||
}
|
||||
|
||||
func init() {
|
||||
apiv1.Register(apiv1.SoftKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
|
||||
return New(ctx, opts)
|
||||
})
|
||||
}
|
||||
|
||||
// Close is a noop that just returns nil.
|
||||
func (k *SoftKMS) Close() error {
|
||||
return nil
|
||||
|
|
|
|||
|
|
@ -42,6 +42,12 @@ func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
func init() {
|
||||
apiv1.Register(apiv1.YubiKey, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
|
||||
return New(ctx, opts)
|
||||
})
|
||||
}
|
||||
|
||||
// LoadCertificate implements kms.CertificateManager and loads a certificate
|
||||
// from the YubiKey.
|
||||
func (k *YubiKey) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) {
|
||||
|
|
|
|||
|
|
@ -4,47 +4,16 @@ package yubikey
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"crypto/x509"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/kms/apiv1"
|
||||
)
|
||||
|
||||
// YubiKey implements the KMS interface on a YubiKey.
|
||||
type YubiKey struct{}
|
||||
|
||||
// New always fails without CGO.
|
||||
func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
|
||||
return nil, errors.New("YubiKey is not supported without cgo")
|
||||
}
|
||||
|
||||
// LoadCertificate always fails without CGO.
|
||||
func (k *YubiKey) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error) {
|
||||
return nil, errors.New("YubiKey is not supported without cgo")
|
||||
}
|
||||
|
||||
// StoreCertificate always fails without CGO.
|
||||
func (k *YubiKey) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
|
||||
return errors.New("YubiKey is not supported without cgo")
|
||||
}
|
||||
|
||||
// GetPublicKey always fails without CGO.
|
||||
func (k *YubiKey) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
|
||||
return nil, errors.New("YubiKey is not supported without cgo")
|
||||
}
|
||||
|
||||
// CreateKey always fails without CGO.
|
||||
func (k *YubiKey) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
|
||||
return nil, errors.New("YubiKey is not supported without cgo")
|
||||
}
|
||||
|
||||
// CreateSigner always fails without CGO.
|
||||
func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error) {
|
||||
return nil, errors.New("YubiKey is not supported without cgo")
|
||||
}
|
||||
|
||||
// Close always fails without CGO.
|
||||
func (k *YubiKey) Close() error {
|
||||
return errors.New("YubiKey is not supported without cgo")
|
||||
func init() {
|
||||
apiv1.Register(apiv1.YubiKey, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
|
||||
name := filepath.Base(os.Args[0])
|
||||
return nil, errors.Errorf("unsupported kms type 'yubikey': %s is compiled without cgo support", name)
|
||||
})
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue