From 6b21e8ad1deb12d1fc52b51cb7c4abe040aa4829 Mon Sep 17 00:00:00 2001
From: Neil-Jocelyn Schark <neil.schark@h-da.de>
Date: Wed, 21 Aug 2024 14:10:41 +0000
Subject: [PATCH] Resolve "Allow SSL config per QuantumModule and per interKMS"

See merge request danet/quant!194
---
 README.md                              | 16 ++++++++--------
 goKMS/config/config.go                 | 24 ++++++++++++------------
 goKMS/kms/kms.go                       |  2 +-
 goKMS/kms/peers/etsi14Quantummodule.go |  2 +-
 goKMS/kms/tls/tls.go                   |  4 ++--
 goKMS/main.go                          | 24 +++++++++++++-----------
 6 files changed, 37 insertions(+), 35 deletions(-)

diff --git a/README.md b/README.md
index b882bb77..c0dc5474 100644
--- a/README.md
+++ b/README.md
@@ -31,22 +31,17 @@ AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" # address of the r
 AkmsCkmsServerPort: "9696" # Port of connected AKMS
 GRPCTimeoutInSeconds: 10 # Time in seconds for timeout of gRPC connections as a client. Defaults to 10 seconds. Should not be set to 0 or negative values.
 GnmiTLS: # Settings for TLS for gNMI endpoint. Can be overwritten with cli parameters.
-  TLS: true # Whether TLS is enabled
+  Active: true # Whether TLS is enabled
   CAFile: "ssl/ca.crt" # Path to ca
   CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
   KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
 KmsTLS: # Settings for TLS for inter KMS communication
-  TLS: true # Whether TLS is enabled
-  CAFile: "ssl/ca.crt" # Path to ca
-  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
-  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
-QuantumModuleTLS: # Settings for TLS for quantum module communication
-  TLS: true # Whether TLS is enabled
+  Active: true # Whether TLS is enabled
   CAFile: "ssl/ca.crt" # Path to ca
   CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
   KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
 AkmsCkmsTLS: # Settings for TLS for akms ckms interface
-  TLS: true # Whether TLS is enabled
+  Active: true # Whether TLS is enabled
   CAFile: "ssl/ca.crt" # Path to ca
   CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
   KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
@@ -57,6 +52,11 @@ Peers: # Peers to other goKMS
       Type: danet # type of communication method between KMS (currently only danet supported)
       QuantumModule: # Quantum module used for this peer
           Type: emulated # Type of the quantum module e.g. emulated or etsi
+          TLS: # Settings for TLS for quantum module communication
+            Active: true # Whether TLS is enabled
+            CAFile: "ssl/ca.crt" # Path to ca
+            CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+            KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
           Address: 172.100.20.14 # Address of the quantum module
           Hostname: quantumlayer_1 # Optional addressing of the quantum module as hostname
     # peer to goKMS03
diff --git a/goKMS/config/config.go b/goKMS/config/config.go
index 7b9aadc9..aba94318 100644
--- a/goKMS/config/config.go
+++ b/goKMS/config/config.go
@@ -14,10 +14,9 @@ type Config struct {
 	AkmsURL              string             `yaml:"AkmsURL"`
 	AkmsCkmsServerPort   string             `yaml:"AkmsCkmsServerPort"`
 	GnmiBindAddress      string             `yaml:"GnmiBindAddress"`
+	KmsTLS               TLSConfig          `yaml:"KmsTLS"`
 	Peers                []Peer             `yaml:"Peers"`
 	GnmiTLS              TLSConfig          `yaml:"GnmiTLS"`
-	KmsTLS               TLSConfig          `yaml:"KmsTLS"`
-	QuantumModuleTLS     TLSConfig          `yaml:"QuantumModuleTLS"`
 	AkmsCkmsTLS          TLSConfig          `yaml:"AkmsCkmsTLS"`
 	ETSI14Server         *ETSI14Server      `yaml:"ETSI14Server,omitempty"`
 	QkdnManagerServer    *QkdnManagerServer `yaml:"QkdnManagerServer,omitempty"`
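Review bot: Dropping the top-level `QuantumModuleTLS` field here, together with the `TLS` to `Active` rename in the next hunk of this file, makes stale configuration fail open: unless the YAML decoder used for Config rejects unknown fields, an existing file that still sets `QuantumModuleTLS:` or `TLS: true` decodes without error and the affected `TLSConfig` keeps its zero value, so `Active` is false and that endpoint runs without TLS. The decoder is not part of this patch, so this is inferred; if it is a plain `yaml.Unmarshal`, switching to the strict variant of the library in use (`yaml.UnmarshalStrict` in yaml.v2, `Decoder.KnownFields(true)` in yaml.v3) would turn a stale key into a startup error instead of a silent downgrade. The renamed field also deserves a comment that spells this out, e.g. `// Active enables TLS; the zero value disables it, so a missing or misspelled key yields a plaintext endpoint.`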
@@ -32,22 +31,23 @@ type Peer struct {
 }
 
 type TLSConfig struct {
-	TLS      bool   `yaml:"TLS"`
+	Active   bool   `yaml:"Active"`
 	CAFile   string `yaml:"CAFile"`
 	CertFile string `yaml:"CertFile"`
 	KeyFile  string `yaml:"KeyFile"`
 }
 
 type QuantumModule struct {
-	QmType           string `yaml:"Type"`
-	Address          string `yaml:"Address"`
-	Hostname         string `yaml:"Hostname"`
-	LocalSAEID       string `yaml:"LocalSAEID"`
-	TargetSAEID      string `yaml:"TargetSAEID"`
-	MasterMode       bool   `yaml:"MasterMode"`
-	KeyFetchInterval int    `yaml:"KeyFetchInterval"`
-	KeyFetchAmount   int    `yaml:"KeyFetchAmount"`
-	MaxKeyFillLevel  int    `yaml:"MaxKeyFillLevel"`
+	QmType           string    `yaml:"Type"`
+	TLS              TLSConfig `yaml:"TLS"`
+	Address          string    `yaml:"Address"`
+	Hostname         string    `yaml:"Hostname"`
+	LocalSAEID       string    `yaml:"LocalSAEID"`
+	TargetSAEID      string    `yaml:"TargetSAEID"`
+	MasterMode       bool      `yaml:"MasterMode"`
+	KeyFetchInterval int       `yaml:"KeyFetchInterval"`
+	KeyFetchAmount   int       `yaml:"KeyFetchAmount"`
+	MaxKeyFillLevel  int       `yaml:"MaxKeyFillLevel"`
 }
 
 type ETSI14Server struct {
diff --git a/goKMS/kms/kms.go b/goKMS/kms/kms.go
index c806d8e1..1ade908b 100644
--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -195,7 +195,7 @@ func (kms *KMS) initializePeers(config *config.Config) error {
 			qm = peers.NewDanetQuantumModule(pqm.Address, config.Id)
 		case "etsi":
 			qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.LocalSAEID, pqm.TargetSAEID,
-				config.QuantumModuleTLS, pqm.MasterMode,
+				peer.QuantumModule.TLS, pqm.MasterMode,
 				peer.QuantumModule.KeyFetchInterval, int64(peer.QuantumModule.KeyFetchAmount), uint64(peer.QuantumModule.MaxKeyFillLevel))
 			if err != nil {
 				log.Fatalf("Failed to create ETSI QKD module: %s", err)
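Review bot: The changed line reads `peer.QuantumModule.TLS` while the neighbouring arguments on the same call use the `pqm` alias (`pqm.Address`, `pqm.LocalSAEID`, `pqm.MasterMode`); for consistency it should be `pqm.TLS, pqm.MasterMode,`. The hunk also shows the per-module TLS block is only consumed by the "etsi" case, while `NewDanetQuantumModule` on the line above takes no TLS settings, so a `TLS:` block under an emulated module is accepted and silently ignored; a short comment on the danet case (`// emulated/danet modules do not use QuantumModule.TLS`) would keep that from surprising operators. initializePeers starts above the hunk.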
diff --git a/goKMS/kms/peers/etsi14Quantummodule.go b/goKMS/kms/peers/etsi14Quantummodule.go
index ea2e46bd..c2af3318 100644
--- a/goKMS/kms/peers/etsi14Quantummodule.go
+++ b/goKMS/kms/peers/etsi14Quantummodule.go
@@ -50,7 +50,7 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, localSAEID, targetSAEID string, tl
 		Scheme: parsedUrl.Scheme,
 	}
 
-	if tlsConfig.TLS {
+	if tlsConfig.Active {
 		tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
diff --git a/goKMS/kms/tls/tls.go b/goKMS/kms/tls/tls.go
index df180446..b32b55cd 100644
--- a/goKMS/kms/tls/tls.go
+++ b/goKMS/kms/tls/tls.go
@@ -13,7 +13,7 @@ import (
 
 func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsData.TLS {
+	if tlsData.Active {
 		creds, err := generateGRPCServerTransportCredsWithTLS(tlsData.CAFile, tlsData.CertFile, tlsData.KeyFile)
 		if err != nil {
 			return nil, err
@@ -55,7 +55,7 @@ func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (
 
 func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsConfig.TLS {
+	if tlsConfig.Active {
 		creds, err := generateGRPCClientTransportCredsWithTLS(tlsConfig.CAFile, tlsConfig.CertFile, tlsConfig.KeyFile)
 		if err != nil {
 			return nil, err
diff --git a/goKMS/main.go b/goKMS/main.go
index b9bbaa48..e3464201 100644
--- a/goKMS/main.go
+++ b/goKMS/main.go
@@ -149,7 +149,7 @@ func main() {
 	}
 
 	// The gnmiTarget implementation uses a flag to pass NO tls, so we have to invert our flag for it to work.
-	gnmiInsecure := !kmsConfig.GnmiTLS.TLS
+	gnmiInsecure := !kmsConfig.GnmiTLS.Active
 	gnmitTarget := gnmitarget.NewGnmiTarget(schema, &gnmitargetygot.Gnmitarget{}, gnmitargetygot.ΓModelData, gnmitargetygot.Unmarshal, gnmitargetygot.ΛEnum, handlers...)
 	if err := gnmitTarget.Start(*gnmiBindAddress, kmsConfig.GnmiTLS.CertFile, kmsConfig.GnmiTLS.KeyFile, kmsConfig.GnmiTLS.CAFile, gnmiInsecure); err != nil {
 		log.Fatal(err)
@@ -160,23 +160,25 @@ func outputTlsSettings(config *config.Config) {
 	currentDirectory, _ := os.Getwd()
 	log.Debugf("current relative file path: %s", currentDirectory)
 
-	log.Infof("TLS enabled for gNMI: %t", config.GnmiTLS.TLS)
-	if config.GnmiTLS.TLS {
+	log.Infof("TLS enabled for gNMI: %t", config.GnmiTLS.Active)
+	if config.GnmiTLS.Active {
 		log.Infof("TLS filepaths for gNMI: ca: %s, cert: %s, key: %s", config.GnmiTLS.CAFile, config.GnmiTLS.CertFile, config.GnmiTLS.KeyFile)
 	}
 
-	log.Infof("TLS enabled for KMS: %t", config.KmsTLS.TLS)
-	if config.KmsTLS.TLS {
+	log.Infof("TLS enabled for KMS: %t", config.KmsTLS.Active)
+	if config.KmsTLS.Active {
 		log.Infof("TLS filepaths for KMS: ca: %s, cert: %s, key: %s", config.KmsTLS.CAFile, config.KmsTLS.CertFile, config.KmsTLS.KeyFile)
 	}
 
-	log.Infof("TLS enabled for Quantum Module: %t", config.QuantumModuleTLS.TLS)
-	if config.QuantumModuleTLS.TLS {
-		log.Infof("TLS filepaths for Quantum Module: ca: %s, cert: %s, key: %s", config.QuantumModuleTLS.CAFile, config.QuantumModuleTLS.CertFile, config.QuantumModuleTLS.KeyFile)
+	for _, peer := range config.Peers {
+		log.Infof("TLS enabled for Quantum Module for peer %s: %t", peer.PeerId, peer.QuantumModule.TLS.Active)
+		if peer.QuantumModule.TLS.Active {
+			log.Infof("TLS filepaths for Quantum Module for peer %s: ca: %s, cert: %s, key: %s", peer.PeerId, peer.QuantumModule.TLS.CAFile, peer.QuantumModule.TLS.CertFile, peer.QuantumModule.TLS.KeyFile)
+		}
 	}
 
-	log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.TLS)
-	if config.AkmsCkmsTLS.TLS {
+	log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.Active)
+	if config.AkmsCkmsTLS.Active {
 		log.Infof("TLS filepaths for AKMS-CKMS interface: ca: %s, cert: %s, key: %s", config.AkmsCkmsTLS.CAFile, config.AkmsCkmsTLS.CertFile, config.AkmsCkmsTLS.KeyFile)
 	}
 }
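Review bot: The new loop logs `TLS enabled for Quantum Module for peer %s: false` for every peer whose module has no `TLS:` block, which now includes emulated modules that never consume the setting, so the startup log reads as if those peers were deliberately unencrypted. Adding the module type to the message, e.g. `log.Infof("TLS enabled for Quantum Module (%s) for peer %s: %t", peer.QuantumModule.QmType, peer.PeerId, peer.QuantumModule.TLS.Active)`, keeps the TLS summary an accurate picture of which links are actually protected. The signature of outputTlsSettings lies above the hunk.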
@@ -193,7 +195,7 @@ func isFlagPassed(name string) bool {
 
 func overwriteConfigFieldsWithFlags(config *config.Config, gnmiBindAddress *string, gnmiTLS *bool, certFile *string, keyFile *string, caFile *string) {
 	if isFlagPassed("gnmiTLS") {
-		config.GnmiTLS.TLS = *gnmiTLS
+		config.GnmiTLS.Active = *gnmiTLS
 	}
 
 	if isFlagPassed("gnmiBindAddress") {
-- 
GitLab