Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Async krill signer 1142 #1151

Merged
merged 4 commits into from
Nov 6, 2023
Merged

Async krill signer 1142 #1151

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
426eb15
Fix clippy warnings.
Oct 25, 2023
18337c8
Push impl Signer down to SignerProviders.
Oct 26, 2023
6e7e34b
Merge branch 'main' into async-krill-signer-1142
Oct 27, 2023
9236904
Merge branch 'prep-0.15.0-rc1' into async-krill-signer-1142
Nov 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
112 changes: 91 additions & 21 deletions src/commons/crypto/signing/dispatch/krillsigner.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,7 @@ impl KrillSigner {

pub fn create_key(&self) -> CryptoResult<KeyIdentifier> {
self.router
.get_default_signer()
.create_key(PublicKeyFormat::Rsa)
.map_err(crypto::Error::signer)
}
Expand All @@ -208,47 +209,71 @@ impl KrillSigner {

/// Creates a new self-signed (TA) IdCert
pub fn create_self_signed_id_cert(&self) -> CryptoResult<IdCert> {
let key = self.create_key()?;
let signer = self.router.get_default_signer();

let key = signer.create_key(PublicKeyFormat::Rsa).map_err(crypto::Error::signer)?;

let validity = Validity::new(
Time::five_minutes_ago(),
Time::years_from_now(ID_CERTIFICATE_VALIDITY_YEARS),
);

IdCert::new_ta(validity, &key, &self.router).map_err(crypto::Error::signer)
IdCert::new_ta(validity, &key, signer.as_ref()).map_err(crypto::Error::signer)
}

pub fn destroy_key(&self, key_id: &KeyIdentifier) -> CryptoResult<()> {
self.router.destroy_key(key_id).map_err(crypto::Error::key_error)
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;
signer.destroy_key(key_id).map_err(crypto::Error::key_error)
}

pub fn get_key_info(&self, key_id: &KeyIdentifier) -> CryptoResult<PublicKey> {
self.router.get_key_info(key_id).map_err(crypto::Error::key_error)
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

signer.get_key_info(key_id).map_err(crypto::Error::key_error)
}

pub fn random_serial(&self) -> CryptoResult<Serial> {
Serial::random(&self.router).map_err(crypto::Error::signer)
Serial::random(self.router.get_default_signer().as_ref()).map_err(crypto::Error::signer)
}

pub fn sign<D: AsRef<[u8]> + ?Sized>(&self, key_id: &KeyIdentifier, data: &D) -> CryptoResult<RpkiSignature> {
self.router
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

signer
.sign(key_id, RpkiSignatureAlgorithm::default(), data)
.map_err(crypto::Error::signing)
}

pub fn sign_one_off<D: AsRef<[u8]> + ?Sized>(&self, data: &D) -> CryptoResult<(RpkiSignature, PublicKey)> {
self.router
let signer = self.router.get_one_off_signer();

signer
.sign_one_off(RpkiSignatureAlgorithm::default(), data)
.map_err(crypto::Error::signer)
}

pub fn sign_csr(&self, base_repo: &RepoInfo, name_space: &str, key: &KeyIdentifier) -> CryptoResult<RpkiCaCsr> {
let signing_key_id = self.router.get_key_info(key).map_err(crypto::Error::key_error)?;
pub fn sign_csr(&self, base_repo: &RepoInfo, name_space: &str, key_id: &KeyIdentifier) -> CryptoResult<RpkiCaCsr> {
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

let signing_key_id = signer.get_key_info(key_id).map_err(crypto::Error::key_error)?;
let mft_file_name = ObjectName::mft_for_key(&signing_key_id.key_identifier());

// The rpki-rs library returns a signed and encoded CSR for a CA certificate.
let signed_and_encoded_csr = Csr::construct_rpki_ca(
&self.router,
key,
signer.as_ref(),
key_id,
&base_repo.ca_repository(name_space),
&base_repo.resolve(name_space, mft_file_name.as_ref()),
base_repo.rpki_notify(),
Expand All @@ -260,11 +285,21 @@ impl KrillSigner {
}

pub fn sign_cert(&self, tbs: TbsCert, key_id: &KeyIdentifier) -> CryptoResult<Cert> {
tbs.into_cert(&self.router, key_id).map_err(crypto::Error::signing)
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

tbs.into_cert(signer.as_ref(), key_id).map_err(crypto::Error::signing)
}

pub fn sign_crl(&self, tbs: TbsCertList<Vec<CrlEntry>>, key_id: &KeyIdentifier) -> CryptoResult<Crl> {
tbs.into_crl(&self.router, key_id).map_err(crypto::Error::signing)
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

tbs.into_crl(signer.as_ref(), key_id).map_err(crypto::Error::signing)
}

pub fn sign_manifest(
Expand All @@ -273,8 +308,13 @@ impl KrillSigner {
builder: SignedObjectBuilder,
key_id: &KeyIdentifier,
) -> CryptoResult<Manifest> {
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

content
.into_manifest(builder, &self.router, key_id)
.into_manifest(builder, signer.as_ref(), key_id)
.map_err(crypto::Error::signing)
}

Expand All @@ -284,8 +324,13 @@ impl KrillSigner {
object_builder: SignedObjectBuilder,
key_id: &KeyIdentifier,
) -> CryptoResult<Roa> {
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

roa_builder
.finalize(object_builder, &self.router, key_id)
.finalize(object_builder, signer.as_ref(), key_id)
.map_err(crypto::Error::signing)
}

Expand All @@ -295,16 +340,26 @@ impl KrillSigner {
object_builder: SignedObjectBuilder,
key_id: &KeyIdentifier,
) -> CryptoResult<Aspa> {
let signer = self
.router
.get_signer_for_key(key_id)
.map_err(crypto::Error::key_error)?;

aspa_builder
.finalize(object_builder, &self.router, key_id)
.finalize(object_builder, signer.as_ref(), key_id)
.map_err(crypto::Error::signing)
}

pub fn sign_rta(&self, rta_builder: &mut rta::RtaBuilder, ee: Cert) -> CryptoResult<()> {
let key = ee.subject_key_identifier();
let key_id = ee.subject_key_identifier();
let signer = self
.router
.get_signer_for_key(&key_id)
.map_err(crypto::Error::key_error)?;

rta_builder.push_cert(ee);
rta_builder
.sign(&self.router, &key, None, None)
.sign(signer.as_ref(), &key_id, None, None)
.map_err(crypto::Error::signing)
}

Expand All @@ -313,15 +368,25 @@ impl KrillSigner {
message: provisioning::Message,
signing_key: &KeyIdentifier,
) -> CryptoResult<provisioning::ProvisioningCms> {
provisioning::ProvisioningCms::create(message, signing_key, &self.router).map_err(crypto::Error::signing)
let signer = self
.router
.get_signer_for_key(signing_key)
.map_err(crypto::Error::key_error)?;

provisioning::ProvisioningCms::create(message, signing_key, signer.as_ref()).map_err(crypto::Error::signing)
}

pub fn create_rfc8181_cms(
&self,
message: publication::Message,
signing_key: &KeyIdentifier,
) -> CryptoResult<publication::PublicationCms> {
publication::PublicationCms::create(message, signing_key, &self.router).map_err(crypto::Error::signing)
let signer = self
.router
.get_signer_for_key(signing_key)
.map_err(crypto::Error::key_error)?;

publication::PublicationCms::create(message, signing_key, signer.as_ref()).map_err(crypto::Error::signing)
}

pub fn create_ta_signed_message(
Expand All @@ -330,9 +395,14 @@ impl KrillSigner {
validity_days: i64,
signing_key: &KeyIdentifier,
) -> CryptoResult<SignedMessage> {
let signer = self
.router
.get_signer_for_key(signing_key)
.map_err(crypto::Error::key_error)?;

let validity = SignSupport::sign_validity_days(validity_days);

SignedMessage::create(data, validity, signing_key, &self.router).map_err(crypto::Error::signing)
SignedMessage::create(data, validity, signing_key, signer.as_ref()).map_err(crypto::Error::signing)
}
}

Expand Down
49 changes: 28 additions & 21 deletions src/commons/crypto/signing/dispatch/signerprovider.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
use rpki::crypto::{
signer::{KeyError, SigningAlgorithm},
KeyIdentifier, PublicKey, PublicKeyFormat, RpkiSignature, Signature, SignatureAlgorithm, SigningError,
KeyIdentifier, PublicKey, PublicKeyFormat, RpkiSignature, Signature, SignatureAlgorithm, Signer, SigningError,
};

use crate::commons::crypto::{
Expand Down Expand Up @@ -165,22 +165,6 @@ impl SignerProvider {
signer.wipe_all_keys()
}
}
}

// Implement the functions defined by the `Signer` trait because `SignerRouter` expects to invoke them, but as the
// dispatching is not trait based we don't actually have to implement the `Signer` trait.
impl SignerProvider {
pub fn create_key(&self, algorithm: PublicKeyFormat) -> Result<KeyIdentifier, SignerError> {
match self {
SignerProvider::OpenSsl(_, signer) => signer.create_key(algorithm),
#[cfg(feature = "hsm")]
SignerProvider::Kmip(_, signer) => signer.create_key(algorithm),
#[cfg(feature = "hsm")]
SignerProvider::Pkcs11(_, signer) => signer.create_key(algorithm),
#[cfg(all(test, feature = "hsm"))]
SignerProvider::Mock(_, signer) => signer.create_key(algorithm),
}
}

/// Import an existing private key. Only supported for OpenSslSigner. Other
/// signers will return an error.
Expand All @@ -195,8 +179,27 @@ impl SignerProvider {
SignerProvider::Mock(_, _) => Err(SignerError::other("import key not supported for the mock signer")),
}
}
}

// Implement the functions defined by the `Signer` trait because `SignerRouter` expects to invoke them, but as the
// dispatching is not trait based we don't actually have to implement the `Signer` trait.
impl Signer for SignerProvider {
type KeyId = KeyIdentifier;
type Error = SignerError;

fn create_key(&self, algorithm: PublicKeyFormat) -> Result<KeyIdentifier, SignerError> {
match self {
SignerProvider::OpenSsl(_, signer) => signer.create_key(algorithm),
#[cfg(feature = "hsm")]
SignerProvider::Kmip(_, signer) => signer.create_key(algorithm),
#[cfg(feature = "hsm")]
SignerProvider::Pkcs11(_, signer) => signer.create_key(algorithm),
#[cfg(all(test, feature = "hsm"))]
SignerProvider::Mock(_, signer) => signer.create_key(algorithm),
}
}

pub fn get_key_info(&self, key: &KeyIdentifier) -> Result<PublicKey, KeyError<SignerError>> {
fn get_key_info(&self, key: &KeyIdentifier) -> Result<PublicKey, KeyError<SignerError>> {
match self {
SignerProvider::OpenSsl(_, signer) => signer.get_key_info(key),
#[cfg(feature = "hsm")]
Expand All @@ -208,7 +211,7 @@ impl SignerProvider {
}
}

pub fn destroy_key(&self, key: &KeyIdentifier) -> Result<(), KeyError<SignerError>> {
fn destroy_key(&self, key: &KeyIdentifier) -> Result<(), KeyError<SignerError>> {
match self {
SignerProvider::OpenSsl(_, signer) => signer.destroy_key(key),
#[cfg(feature = "hsm")]
Expand All @@ -220,7 +223,7 @@ impl SignerProvider {
}
}

pub fn sign<Alg: SignatureAlgorithm, D: AsRef<[u8]> + ?Sized>(
fn sign<Alg: SignatureAlgorithm, D: AsRef<[u8]> + ?Sized>(
&self,
key: &KeyIdentifier,
algorithm: Alg,
Expand All @@ -242,7 +245,7 @@ impl SignerProvider {
}
}

pub fn sign_one_off<Alg: SignatureAlgorithm, D: AsRef<[u8]> + ?Sized>(
fn sign_one_off<Alg: SignatureAlgorithm, D: AsRef<[u8]> + ?Sized>(
&self,
algorithm: Alg,
data: &D,
Expand All @@ -262,4 +265,8 @@ impl SignerProvider {
SignerProvider::Mock(_, signer) => signer.sign_one_off(algorithm, data),
}
}

fn rand(&self, target: &mut [u8]) -> Result<(), Self::Error> {
openssl::rand::rand_bytes(target).map_err(SignerError::OpenSslError)
}
}
Loading
Loading