package apiv1
import (
"crypto"
"crypto/x509"
"strings"
"github.com/pkg/errors"
)
// KeyManager is the interface implemented by all the KMS.
//
// Every operation takes a dedicated request struct. Private key material
// is never handed back through this interface: callers obtain a
// crypto.Signer (or a public key) and the implementation performs the
// signing itself. Close releases whatever resources the implementation
// holds and should be called once the KMS is no longer needed.
type KeyManager interface {
	// GetPublicKey returns the public key described by req.
	GetPublicKey(req *GetPublicKeyRequest) (crypto.PublicKey, error)
	// CreateKey creates a new key as described by req.
	CreateKey(req *CreateKeyRequest) (*CreateKeyResponse, error)
	// CreateSigner returns a crypto.Signer backed by the key described by req.
	CreateSigner(req *CreateSignerRequest) (crypto.Signer, error)
	// Close releases the resources held by the implementation.
	Close() error
}
// CertificateManager is the interface implemented by the KMS that can load and
// store x509.Certificates.
//
// It is optional: a KeyManager does not have to implement it, so callers
// should use a type assertion and handle the case where it is absent.
type CertificateManager interface {
	// LoadCerticate returns the certificate described by req.
	//
	// NOTE(review): the method name is misspelled ("LoadCerticate" instead of
	// "LoadCertificate"). It is part of the exported interface, so renaming it
	// would break every implementer; it is kept as is.
	LoadCerticate(req *LoadCertificateRequest) (*x509.Certificate, error)
	// StoreCertificate stores the certificate described by req.
	StoreCertificate(req *StoreCertificateRequest) error
}
// ErrNotImplemented is the error returned when a feature or KMS type is
// recognized but not supported by this build. Callers can detect it with a
// type assertion or errors.As.
type ErrNotImplemented struct {
	// msg is the message reported by Error; when empty the generic
	// "not implemented" text is used instead.
	msg string
}
// Error implements the error interface. It reports the message stored in
// the value, falling back to "not implemented" when none was set.
func (e ErrNotImplemented) Error() string {
	const fallback = "not implemented"
	if e.msg == "" {
		return fallback
	}
	return e.msg
}
// Type represents the KMS type used.
//
// The known values are the constants declared below; Options.Validate
// lowercases the configured string before comparing it against them.
type Type string
// Known KMS types. These are the lowercase strings accepted in
// Options.Type; the empty string selects DefaultKMS.
const (
	// DefaultKMS is a KMS implementation using software.
	DefaultKMS Type = ""
	// SoftKMS is a KMS implementation using software.
	SoftKMS Type = "softkms"
	// CloudKMS is a KMS implementation using Google's Cloud KMS.
	CloudKMS Type = "cloudkms"
	// AmazonKMS is a KMS implementation using Amazon AWS KMS.
	AmazonKMS Type = "awskms"
	// PKCS11 is a KMS implementation using the PKCS11 standard.
	// It is declared but rejected by Options.Validate with ErrNotImplemented.
	PKCS11 Type = "pkcs11"
	// YubiKey is a KMS implementation using a YubiKey PIV.
	YubiKey Type = "yubikey"
)
// Options holds the configuration used to select and open a KMS. It is
// populated from JSON (see the field tags); which fields are meaningful
// depends on Type.
type Options struct {
	// The type of the KMS to use. Matched case-insensitively against the
	// Type constants by Validate; an empty value selects DefaultKMS.
	Type string `json:"type"`

	// Path to the credentials file used in CloudKMS and AmazonKMS.
	CredentialsFile string `json:"credentialsFile"`

	// Path to the module used with PKCS11 KMS.
	Module string `json:"module"`

	// Pin used to access the PKCS11 module.
	// This is a secret: it is read verbatim from the configuration, so the
	// file holding it should be readable only by the owner of the process.
	Pin string `json:"pin"`

	// Region to use in AmazonKMS.
	Region string `json:"region"`

	// Profile to use in AmazonKMS.
	Profile string `json:"profile"`
}
// Validate checks the fields in Options.
//
// A nil receiver is accepted and means "use the defaults". Only Type is
// inspected: it is compared case-insensitively against the known Type
// constants. PKCS11 is recognized but reported as ErrNotImplemented, and
// any other value produces an error that quotes the original (un-lowered)
// string. The remaining fields are not checked here.
func (o *Options) Validate() error {
	if o == nil {
		return nil
	}

	kind := Type(strings.ToLower(o.Type))
	switch kind {
	case DefaultKMS, SoftKMS, CloudKMS, AmazonKMS, YubiKey:
		// Supported types: nothing further to check.
		return nil
	case PKCS11:
		return ErrNotImplemented{"support for PKCS11 is not yet implemented"}
	}
	return errors.Errorf("unsupported kms type %s", o.Type)
}