diff --git a/goKMS/kms/kms.go b/goKMS/kms/kms.go
index f8588b483b4f01b71df3457cdfff0690bd869483..8f8616dfccab4eaa0827bd1390aa714db77cad1d 100644
--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -29,6 +29,7 @@ import (
 "code.fbi.h-da.de/danet/quant/goKMS/kms/event"
 "code.fbi.h-da.de/danet/quant/goKMS/kms/peers"
 "code.fbi.h-da.de/danet/quant/goKMS/kms/store"
+ kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 "code.fbi.h-da.de/danet/quant/goKMS/kms/util"
 pbQS "code.fbi.h-da.de/danet/quipsec/gen/go/quipsec"
 "github.com/google/uuid"
@@ -67,7 +68,7 @@ type KMS struct {
 kmsUUID uuid.UUID
 interComAddr string
 quantumAddress string
- tlsData TlsData
+ tlsData kmstls.TlsData
 // TODO create a mapping between ids and address
 remoteKMSMapping map[string]*RemoteKMS
 remoteKMSMappingMutex sync.RWMutex
@@ -88,13 +89,6 @@ type KMS struct {
 CKMSAkmsServer *server.AKMSReceiverServer
 }
 
-type TlsData struct {
- TLS bool
- CaFile string
- CertFile string
- KeyFile string
-}
-
 // Will keep information about the quantum elements that this EKMS is talking to
 // This actually constitutes a quantum element with only a single link
 
@@ -124,7 +118,7 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 log.SetReportCaller(false)
 }
 
- tlsData := TlsData{
+ tlsData := kmstls.TlsData{
 TLS: config.TLS,
 CaFile: config.CAFile,
 CertFile: config.CertFile,
@@ -197,7 +191,7 @@ func initializePeers(kms *KMS, config *config.Config) error {
 var gRPCTransportCreds credentials.TransportCredentials
 
 if config.TLS {
- gRPCTransportCreds, err = util.GenerateGRPCClientTransportCredsWithTLS(config.CAFile, config.CertFile, config.KeyFile)
+ gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(config.CAFile, config.CertFile, config.KeyFile)
 if err != nil {
 log.Error(err)
 return nil
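Review bot: In the initializePeers hunk the error from the renamed kmstls.GenerateGRPCClientTransportCredsWithTLS call is logged and then followed by `return nil`, so a CA, certificate or key that fails to load is reported to the caller as success while the function exits before the peers are set up; with TLS enabled that is the case that should abort startup rather than continue silently. Changing the line to `return err` (or wrapping it with the config paths) lets the caller decide; I cannot see from the hunk how NewKMS treats a non-nil result, so that may need a matching change there. The other call sites touched by this commit (startGRPC, GenerateAndSendKSAKey, KeyForwarding) abort with log.Fatalf on the same error, so the two policies also disagree with each other. initializePeers continues outside the hunk.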
@@ -239,7 +233,7 @@ func initializePeers(kms *KMS, config *config.Config) error {
 return nil
 }
 
-func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData TlsData) {
+func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData kmstls.TlsData) {
 interKMSLis, err := net.Listen("tcp", interComAddr)
 if err != nil {
 log.Fatalf("failed to listen: %v", err)
@@ -247,7 +241,7 @@ func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData Tl
 var gRPCTransportCreds credentials.TransportCredentials
 
 if tlsData.TLS {
- gRPCTransportCreds, err = util.GenerateGRPCServerTransportCredsWithTLS(tlsData.CaFile, tlsData.CertFile, tlsData.KeyFile)
+ gRPCTransportCreds, err = kmstls.GenerateGRPCServerTransportCredsWithTLS(tlsData.CaFile, tlsData.CertFile, tlsData.KeyFile)
 if err != nil {
 log.Fatalf("unable to generate TLS creds: %v", err)
 }
@@ -502,7 +496,7 @@ func (kms *KMS) GenerateAndSendKSAKey(remoteKMSId string, pathId uuid.UUID, requ
 // send to remote
 var gRPCTransportCreds credentials.TransportCredentials
 if kms.tlsData.TLS {
- gRPCTransportCreds, err = util.GenerateGRPCClientTransportCredsWithTLS(kms.tlsData.CaFile, kms.tlsData.CertFile, kms.tlsData.KeyFile)
+ gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsData.CaFile, kms.tlsData.CertFile, kms.tlsData.KeyFile)
 if err != nil {
 log.Fatalf("unable to generate TLS creds: %v", err)
 }
diff --git a/goKMS/kms/kmsintercom.go b/goKMS/kms/kmsintercom.go
index 65e205912a3a9f168990d9376f992315fb6e91de..cc5845211a193f1ebed2618bea0bf6978ad1efe7 100644
--- a/goKMS/kms/kmsintercom.go
+++ b/goKMS/kms/kmsintercom.go
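Review bot: The renamed call in GenerateAndSendKSAKey rebuilds the client transport credentials on every key send, which per the new tls.go in this commit means rereading the CA bundle and the key pair from disk each time, and a failure there goes through log.Fatalf and terminates the whole KMS process from a per-request path; the KeyForwarding hunk in kmsintercom.go has the same shape. Since tlsData is fixed when the KMS is constructed, building the client credentials once (for example in NewKMS, kept on the KMS struct next to tlsData) and returning an error from this method instead of exiting would remove both the repeated file I/O and the process-wide failure mode. GenerateAndSendKSAKey's body continues outside the hunk, so I cannot see whether err is already propagated to the caller.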
@@ -16,7 +16,7 @@ import (
 "code.fbi.h-da.de/danet/quant/goKMS/kms/event"
 "code.fbi.h-da.de/danet/quant/goKMS/kms/peers"
 "code.fbi.h-da.de/danet/quant/goKMS/kms/store"
- "code.fbi.h-da.de/danet/quant/goKMS/kms/util"
+ kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 "google.golang.org/grpc"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/credentials"
@@ -288,7 +288,7 @@ func (s *kmsTalkerServer) KeyForwarding(ctx context.Context, in *pb.KeyForwardin
 var gRPCTransportCreds credentials.TransportCredentials
 
 if s.KMS.tlsData.TLS {
- gRPCTransportCreds, err = util.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsData.CaFile, s.KMS.tlsData.CertFile, s.KMS.tlsData.KeyFile)
+ gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsData.CaFile, s.KMS.tlsData.CertFile, s.KMS.tlsData.KeyFile)
 if err != nil {
 log.Fatalf("unable to generate TLS creds: %v", err)
 }
diff --git a/goKMS/kms/tls/tls.go b/goKMS/kms/tls/tls.go
new file mode 100644
index 0000000000000000000000000000000000000000..026119b7b2b5cd0707569a84ef5d193813b8637b
--- /dev/null
+++ b/goKMS/kms/tls/tls.go
@@ -0,0 +1,68 @@
+package kmstls
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "os"
+
+ "google.golang.org/grpc/credentials"
+)
+
+type TlsData struct {
+ TLS bool
+ CaFile string
+ CertFile string
+ KeyFile string
+}
+
+func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
+ cp := x509.NewCertPool()
+ b, err := os.ReadFile(caFilePath)
+ if err != nil {
+ return nil, err
+ }
+
+ if !cp.AppendCertsFromPEM(b) {
+ return nil, fmt.Errorf("credentials: failed to append certificates")
+ }
+
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ return nil, err
+ }
+
+ tlsConfig := &tls.Config{
+ MinVersion: tls.VersionTLS13,
+ ClientCAs: cp,
+ Certificates: []tls.Certificate{cert},
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ }
+
+ return credentials.NewTLS(tlsConfig), nil
+}
+
+func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
+ cp := x509.NewCertPool()
+
+ b, err := os.ReadFile(caFilePath)
+ if err != nil {
+ return nil, err
+ }
+ if !cp.AppendCertsFromPEM(b) {
+ return nil, fmt.Errorf("credentials: failed to append certificates")
+ }
+
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ return nil, err
+ }
+
+ tlsConfig := &tls.Config{
+ MinVersion: tls.VersionTLS13,
+ RootCAs: cp,
+ Certificates: []tls.Certificate{cert},
+ }
+
+ return credentials.NewTLS(tlsConfig), nil
+}
diff --git a/goKMS/kms/util/util.go b/goKMS/kms/util/util.go
index 6885636a423f33d062aa590b078edc9248888e99..14e926490bc655d3f399abe2609ce2e7a396c7ec 100644
--- a/goKMS/kms/util/util.go
+++ b/goKMS/kms/util/util.go
@@ -2,14 +2,10 @@ package util
 
 import (
 "bytes"
- "crypto/tls"
- "crypto/x509"
 "fmt"
 "net/http"
- "os"
 
 "github.com/hashicorp/go-multierror"
- "google.golang.org/grpc/credentials"
 )
 
 func RandomItemFromMap[T comparable, M any](m map[T]M) (T, M, error) {
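Review bot: GenerateGRPCServerTransportCredsWithTLS and GenerateGRPCClientTransportCredsWithTLS in the new tls.go repeat the CA-pool and key-pair loading line for line, and the errors from os.ReadFile and tls.LoadX509KeyPair are returned bare, so an operator reading "unable to generate TLS creds" at the call sites cannot tell which of the three files was unreadable or which PEM was empty. Moving this code into its own package is the moment to factor the shared part into one helper and wrap each error with the path it concerns. The exported type and both functions also have no doc comments; a reader should be told that the server side requires and verifies a client certificate against the CA (mutual TLS) while the client side presents its certificate and verifies only the server, and that both pin TLS 1.3 as the minimum. A refactor along these lines keeps the two exported signatures unchanged:
```go
// … unchanged: package clause, imports, TlsData …

// loadIdentity builds a CA pool from caFilePath and loads the local key pair.
// Every error names the file it concerns so the three inputs can be told apart.
func loadIdentity(caFilePath, certFile, keyFile string) (*x509.CertPool, tls.Certificate, error) {
	pemBytes, err := os.ReadFile(caFilePath)
	if err != nil {
		return nil, tls.Certificate{}, fmt.Errorf("reading CA file %q: %w", caFilePath, err)
	}
	cp := x509.NewCertPool()
	if !cp.AppendCertsFromPEM(pemBytes) {
		return nil, tls.Certificate{}, fmt.Errorf("CA file %q: no PEM certificates found", caFilePath)
	}
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, tls.Certificate{}, fmt.Errorf("loading key pair %q/%q: %w", certFile, keyFile, err)
	}
	return cp, cert, nil
}

// GenerateGRPCServerTransportCredsWithTLS returns server credentials that present
// certFile/keyFile and require and verify a client certificate against caFilePath
// (mutual TLS), TLS 1.3 or newer only.
func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
	cp, cert, err := loadIdentity(caFilePath, certFile, keyFile)
	if err != nil {
		return nil, err
	}
	return credentials.NewTLS(&tls.Config{
		MinVersion:   tls.VersionTLS13,
		ClientCAs:    cp,
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}), nil
}

// GenerateGRPCClientTransportCredsWithTLS returns client credentials that present
// certFile/keyFile and verify the server against caFilePath, TLS 1.3 or newer only.
func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
	cp, cert, err := loadIdentity(caFilePath, certFile, keyFile)
	if err != nil {
		return nil, err
	}
	return credentials.NewTLS(&tls.Config{
		MinVersion:   tls.VersionTLS13,
		RootCAs:      cp,
		Certificates: []tls.Certificate{cert},
	}), nil
}
```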
@@ -74,54 +70,3 @@ type KMSInfo struct {
 DecryptedMessage string `json:"DecryptedMessage"`
 Key string `json:"Key"`
 }
-
-func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
- cp := x509.NewCertPool()
- b, err := os.ReadFile(caFilePath)
- if err != nil {
- return nil, err
- }
-
- if !cp.AppendCertsFromPEM(b) {
- return nil, fmt.Errorf("credentials: failed to append certificates")
- }
-
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
- if err != nil {
- return nil, err
- }
-
- tlsConfig := &tls.Config{
- MinVersion: tls.VersionTLS13,
- ClientCAs: cp,
- Certificates: []tls.Certificate{cert},
- ClientAuth: tls.RequireAndVerifyClientCert,
- }
-
- return credentials.NewTLS(tlsConfig), nil
-}
-
-func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
- cp := x509.NewCertPool()
-
- b, err := os.ReadFile(caFilePath)
- if err != nil {
- return nil, err
- }
- if !cp.AppendCertsFromPEM(b) {
- return nil, fmt.Errorf("credentials: failed to append certificates")
- }
-
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
- if err != nil {
- return nil, err
- }
-
- tlsConfig := &tls.Config{
- MinVersion: tls.VersionTLS13,
- RootCAs: cp,
- Certificates: []tls.Certificate{cert},
- }
-
- return credentials.NewTLS(tlsConfig), nil
-}