From 9a9029b97dcbd64d996190e636162588e68a8ace Mon Sep 17 00:00:00 2001
From: Neil-Jocelyn Schark <neil.schark@h-da.de>
Date: Thu, 12 Sep 2024 12:19:19 +0000
Subject: [PATCH] Adding tls support for akms-ckms client and server

See merge request danet/quant!206

Co-authored-by: Malte Bauch <malte.bauch@h-da.de>
---
 akms-simulator/akms-simulator.go              |  52 +++++-
 config/goKMS/example01.yaml                   |   4 +-
 config/goKMS/example02.yaml                   |   4 +-
 config/goKMS/example03.yaml                   |   4 +-
 config/goKMS/example04.yaml                   |   4 +-
 .../{akms => akmsInterface}/client/client.go  |  36 +++-
 .../{akms => akmsInterface}/server/server.go  |  26 ++-
 goKMS/kms/kms.go                              |  23 ++-
 goKMS/kms/peers/etsi14Quantummodule.go        |   2 +-
 goKMS/kms/tls/tls.go                          |  54 ++----
 .../code/getKSAKeyTest/getKSA_key_test.go     |  42 ++++-
 integration-tests/config/kms/kms_1.yaml       |  27 +--
 integration-tests/config/kms/kms_2.yaml       |  27 +--
 .../config/kms/tlsConfigs/kms1ReqConfig.txt   |   3 +
 .../config/kms/tlsConfigs/kms2ReqConfig.txt   |   3 +
 integration-tests/docker-compose.yml          | 176 ++++++++++--------
 16 files changed, 311 insertions(+), 176 deletions(-)
 rename goKMS/kms/{akms => akmsInterface}/client/client.go (57%)
 rename goKMS/kms/{akms => akmsInterface}/server/server.go (80%)

diff --git a/akms-simulator/akms-simulator.go b/akms-simulator/akms-simulator.go
index a355c0e2..6edfe88c 100644
--- a/akms-simulator/akms-simulator.go
+++ b/akms-simulator/akms-simulator.go
@@ -1,9 +1,11 @@
 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"flag"
 	"io"
-	"log"
 	"net/http"
 	"os"
 
@@ -26,11 +28,53 @@ type KSAKey struct {
 }
 
 func main() {
+	tlsCAFile := flag.String("ca", "", "Path to CA certificate file")
+	tlsCertFile := flag.String("cert", "", "Path to certificate file")
+	tlsKeyFile := flag.String("key", "", "Path to key file")
+	flag.Parse()
+
 	logrus.Info("Starting AKMS Simulator...")
 
-	http.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
-	http.HandleFunc("/debug/get_log_file", getLogFile)
-	log.Fatal(http.ListenAndServe(":4444", nil))
+	router := http.NewServeMux()
+
+	router.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
+	router.HandleFunc("/debug/get_log_file", getLogFile)
+
+	server := &http.Server{
+		Addr:    ":4444",
+		Handler: router,
+	}
+
+	if *tlsCAFile != "" && *tlsCertFile != "" && *tlsKeyFile != "" {
+		logrus.Info("TLS enabled")
+		cp := x509.NewCertPool()
+		b, err := os.ReadFile(*tlsCAFile)
+		if err != nil {
+			logrus.Fatalf("Error reading CA file: %s", err)
+		}
+
+		if !cp.AppendCertsFromPEM(b) {
+			logrus.Fatalf("Error appending certs from PEM")
+		}
+
+		cert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+		if err != nil {
+			logrus.Fatalf("Error loading X509 key pair: %s", err)
+		}
+
+		tlsConfig := &tls.Config{
+			MinVersion:   tls.VersionTLS13,
+			ClientCAs:    cp,
+			Certificates: []tls.Certificate{cert},
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+		}
+
+		server.TLSConfig = tlsConfig
+
+		logrus.Fatal(server.ListenAndServeTLS("", ""))
+	} else {
+		logrus.Fatal(server.ListenAndServe())
+	}
 }
 
 func getLogFile(w http.ResponseWriter, r *http.Request) {
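Review bot: The condition at `if *tlsCAFile != "" && *tlsCertFile != "" && *tlsKeyFile != ""` silently falls through to the plaintext `ListenAndServe` branch when only one or two of the three flags are given, so a mistyped `--key` turns a TLS deployment into an unencrypted listener with no error. Changing the condition to `if *tlsCAFile != "" || *tlsCertFile != "" || *tlsKeyFile != "" {` is enough: the missing file then fails in `os.ReadFile` or `tls.LoadX509KeyPair` and hits the existing `logrus.Fatalf`. The new `http.Server` literal also carries no `ReadHeaderTimeout`/`ReadTimeout`/`WriteTimeout`, which leaves a network-exposed listener without any slow-client protection. Note that `ClientAuth: tls.RequireAndVerifyClientCert` with `ClientCAs: cp` accepts any certificate issued by the CA, with no check of which peer presented it; that is probably fine for a simulator but worth a comment such as `// any cert under the CA is accepted; no per-KMS authorization`.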
diff --git a/config/goKMS/example01.yaml b/config/goKMS/example01.yaml
index 30950bfb..5582421a 100644
--- a/config/goKMS/example01.yaml
+++ b/config/goKMS/example01.yaml
@@ -7,12 +7,12 @@ AkmsURL: "http://akms-receiver01:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms1-selfsigned.crt"
   KeyFile: "ssl/kms/kms1-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms1-selfsigned.crt"
   KeyFile: "ssl/kms/kms1-selfsigned.key"
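Review bot: The example config does not show the new `AkmsCkmsTLS` section that `NewKMS` now passes to the AKMS client and receiver, so a reader of example01.yaml (and example04.yaml, which also sets `AkmsURL`) has no hint that the AKMS link can be protected. Adding a block parallel to `KmsTLS`, e.g. `AkmsCkmsTLS:` / `  Active: false` / `  CAFile: "ssl/ca.crt"` plus the cert and key lines, would document the option without changing the example's plaintext behaviour.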
diff --git a/config/goKMS/example02.yaml b/config/goKMS/example02.yaml
index f99a774e..c7c48a3e 100644
--- a/config/goKMS/example02.yaml
+++ b/config/goKMS/example02.yaml
@@ -5,12 +5,12 @@ QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms2-selfsigned.crt"
   KeyFile: "ssl/kms/kms2-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms2-selfsigned.crt"
   KeyFile: "ssl/kms/kms2-selfsigned.key"
diff --git a/config/goKMS/example03.yaml b/config/goKMS/example03.yaml
index fdf66fe2..cb3c2b89 100644
--- a/config/goKMS/example03.yaml
+++ b/config/goKMS/example03.yaml
@@ -5,12 +5,12 @@ QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms3-selfsigned.crt"
   KeyFile: "ssl/kms/kms3-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms3-selfsigned.crt"
   KeyFile: "ssl/kms/kms3-selfsigned.key"
diff --git a/config/goKMS/example04.yaml b/config/goKMS/example04.yaml
index a52d5484..817e1404 100644
--- a/config/goKMS/example04.yaml
+++ b/config/goKMS/example04.yaml
@@ -7,12 +7,12 @@ AkmsURL: "http://akms-receiver02:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms4-selfsigned.crt"
   KeyFile: "ssl/kms/kms4-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms4-selfsigned.crt"
   KeyFile: "ssl/kms/kms4-selfsigned.key"
diff --git a/goKMS/kms/akms/client/client.go b/goKMS/kms/akmsInterface/client/client.go
similarity index 57%
rename from goKMS/kms/akms/client/client.go
rename to goKMS/kms/akmsInterface/client/client.go
index 6a1a0757..703912a8 100644
--- a/goKMS/kms/akms/client/client.go
+++ b/goKMS/kms/akmsInterface/client/client.go
@@ -3,20 +3,39 @@ package client
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"io"
 	"net/http"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/sirupsen/logrus"
 )
 
 type CkmsAkmsClient struct {
-	url string
+	url        string
+	httpClient *http.Client
 }
 
-func NewCkmsAkmsClient(url string) *CkmsAkmsClient {
-	return &CkmsAkmsClient{
-		url: url,
+func NewCkmsAkmsClient(url string, tlsConfig config.TLSConfig) (*CkmsAkmsClient, error) {
+	client := &http.Client{}
+
+	if tlsConfig.Active {
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+
+		client.Transport = &http.Transport{
+			TLSClientConfig: tlsConf,
+		}
 	}
+
+	return &CkmsAkmsClient{
+		url:        url,
+		httpClient: client,
+	}, nil
 }
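Review bot: The `client.Transport = &http.Transport{TLSClientConfig: tlsConf}` assignment replaces the default transport with a zero-value one, which drops `http.DefaultTransport`'s dial and TLS-handshake timeouts, idle-connection limits, proxy-from-environment handling and HTTP/2, so a stalled AKMS peer can hang the push indefinitely. Cloning the default instead keeps those settings: `tr := http.DefaultTransport.(*http.Transport).Clone()`, `tr.TLSClientConfig = tlsConf`, `client.Transport = tr`. The `http.Client{}` literal above also has no `Timeout`; a bounded value (or a per-request context in the caller) would give the plaintext path the same protection.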
 
 type PushKSAKeyRequest struct {
@@ -38,9 +57,14 @@ func (c *CkmsAkmsClient) SendKSAKeysToRequestingInstances(requestID string, proc
 		return err
 	}
 
-	resp, err := http.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
+	// TODO: also log the response body if request failed
+	resp, err := c.httpClient.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
-		logrus.Errorf("Error sending POST request: %s", err)
+		body, err2 := io.ReadAll(resp.Body)
+		if err2 != nil {
+			logrus.Errorf("Error reading POST response body: %s", err2)
+		}
+		logrus.Errorf("Error sending POST request: %s, received response body: %s", err, string(body))
 		logrus.Errorf("Tried to send request: %s to url: %s", jsonData, c.url)
 		return err
 	}
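Review bot: The new `io.ReadAll(resp.Body)` inside the `if err != nil` branch dereferences a nil pointer: when `httpClient.Post` returns a non-nil error, `resp` is nil, so every transport-level failure (DNS, refused connection, TLS handshake rejection) now panics instead of being logged. Restore the error branch to `logrus.Errorf("Error sending POST request: %s", err)` followed by the existing `Tried to send request` log and `return err`, and move the body read to the non-2xx status handling that the TODO describes (the rest of `SendKSAKeysToRequestingInstances` continues outside this hunk). Also, if `PushKSAKeyRequest` carries the KSA key material its name suggests, the pre-existing `logrus.Errorf("Tried to send request: %s ...", jsonData, ...)` writes that material to the log on every failure; logging the request ID and URL only would be safer — please confirm against the struct definition.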
diff --git a/goKMS/kms/akms/server/server.go b/goKMS/kms/akmsInterface/server/server.go
similarity index 80%
rename from goKMS/kms/akms/server/server.go
rename to goKMS/kms/akmsInterface/server/server.go
index 76e7e439..c80409af 100644
--- a/goKMS/kms/akms/server/server.go
+++ b/goKMS/kms/akmsInterface/server/server.go
@@ -6,17 +6,20 @@ import (
 	"net/http"
 	"time"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/receiver"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 )
 
 type AKMSReceiverServer struct {
-	server *http.Server
+	server    *http.Server
+	tlsConfig config.TLSConfig
 }
 
-func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error) *AKMSReceiverServer {
+func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error, tlsConfig config.TLSConfig) (*AKMSReceiverServer, error) {
 	router := http.NewServeMux()
 
 	router.HandleFunc("/api/v1/keys/ksa_key_req", ksaReqHandler(eventBus, receiver, generateAndSend))
@@ -26,15 +29,28 @@ func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.R
 		Handler: router,
 	}
 
+	if tlsConfig.Active {
+		tlsLibraryConfig, err := kmstls.GenerateServerTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+		server.TLSConfig = tlsLibraryConfig
+	}
+
 	AKMSReceiver := &AKMSReceiverServer{
-		server: server,
+		server:    server,
+		tlsConfig: tlsConfig,
 	}
 
-	return AKMSReceiver
+	return AKMSReceiver, nil
 }
 
 func (akmsReceiver *AKMSReceiverServer) Serve() {
-	go akmsReceiver.server.ListenAndServe() //nolint:errcheck
+	if akmsReceiver.tlsConfig.Active {
+		go akmsReceiver.server.ListenAndServeTLS("", "") //nolint:errcheck
+	} else {
+		go akmsReceiver.server.ListenAndServe() //nolint:errcheck
+	}
 }
 
 type KeyProperties struct {
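Review bot: The new `go akmsReceiver.server.ListenAndServeTLS("", "") //nolint:errcheck` branch in `Serve` discards the listen error, so a TLS-specific failure (unusable certificate, port in use) leaves the KMS running with no AKMS receiver and nothing in the log. Running both branches inside one goroutine that logs anything other than `http.ErrServerClosed` keeps the non-blocking contract while surfacing the failure; `errors` would need to be imported if it is not already. The `http.Server` built in `NewAKMSReceiver` (its `Addr` line is outside this hunk) also sets no `ReadHeaderTimeout`, which a listener that now terminates TLS should have.
```go
func (akmsReceiver *AKMSReceiverServer) Serve() {
	go func() {
		var err error
		if akmsReceiver.tlsConfig.Active {
			err = akmsReceiver.server.ListenAndServeTLS("", "")
		} else {
			err = akmsReceiver.server.ListenAndServe()
		}
		if err != nil && !errors.Is(err, http.ErrServerClosed) {
			logrus.Errorf("AKMS receiver server stopped: %s", err)
		}
	}()
}
```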
diff --git a/goKMS/kms/kms.go b/goKMS/kms/kms.go
index 1ade908b..4b7cb5f2 100644
--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -21,8 +21,8 @@ import (
 
 	pbIC "code.fbi.h-da.de/danet/quant/goKMS/api/gen/proto/go/kmsintercom"
 	"code.fbi.h-da.de/danet/quant/goKMS/config"
-	akmsClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/client"
-	akmsServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/server"
+	akmsInterfaceClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/client"
+	akmsInterfaceServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
 	etsi14Server "code.fbi.h-da.de/danet/quant/goKMS/kms/etsi/etsi14/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
@@ -82,8 +82,8 @@ type KMS struct {
 	eventBus            *event.EventBus
 	receiver            *receiver.Receiver
 	// Akms things
-	ckmsAkmsClient *akmsClient.CkmsAkmsClient
-	ckmsAkmsServer *akmsServer.AKMSReceiverServer
+	ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	ckmsAkmsServer *akmsInterfaceServer.AKMSReceiverServer
 	// ETSI14 Server things
 	etsi14Server    *etsi14Server.ETSI14RESTService
 	keyStoreChannel chan []crypto.KSAKey
@@ -118,9 +118,13 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 		log.SetReportCaller(false)
 	}
 
-	var ckmsAkmsClient *akmsClient.CkmsAkmsClient
+	var ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	var err error
 	if config.AkmsURL != "" {
-		ckmsAkmsClient = akmsClient.NewCkmsAkmsClient(config.AkmsURL)
+		ckmsAkmsClient, err = akmsInterfaceClient.NewCkmsAkmsClient(config.AkmsURL, config.AkmsCkmsTLS)
+		if err != nil {
+			log.Fatalf("Failed to setup CkmsAkmsClient: %s", err)
+		}
 	}
 
 	gRPCTimeoutInSecondsDuration := time.Duration(config.GRPCTimeoutInSeconds) * time.Second
@@ -149,14 +153,17 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 	go createdKMS.startGRPC()
 
 	// initialize from config
-	err := createdKMS.initializePeers(config)
+	err = createdKMS.initializePeers(config)
 	if err != nil {
 		log.Fatalf("Failed to initialize peers: %s", err)
 	}
 
 	// Start the akmsCkmsReceiverServer
 	if config.AkmsCkmsServerPort != "" {
-		createdKMS.ckmsAkmsServer = akmsServer.NewAKMSReceiver(config.AkmsCkmsServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey)
+		createdKMS.ckmsAkmsServer, err = akmsInterfaceServer.NewAKMSReceiver(config.AkmsCkmsServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey, config.AkmsCkmsTLS)
+		if err != nil {
+			log.Fatalf("Failed to initialize CkmsAkmsServer: %s", err)
+		}
 		log.Infof("Starting AKMS receiver server on port: %s", config.AkmsCkmsServerPort)
 		go createdKMS.ckmsAkmsServer.Serve()
 	}
diff --git a/goKMS/kms/peers/etsi14Quantummodule.go b/goKMS/kms/peers/etsi14Quantummodule.go
index a53e5053..0bd98eea 100644
--- a/goKMS/kms/peers/etsi14Quantummodule.go
+++ b/goKMS/kms/peers/etsi14Quantummodule.go
@@ -51,7 +51,7 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, localSAEID, targetSAEID string, tl
 	}
 
 	if tlsConfig.Active {
-		tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
 		}
diff --git a/goKMS/kms/tls/tls.go b/goKMS/kms/tls/tls.go
index b32b55cd..9f3dc73f 100644
--- a/goKMS/kms/tls/tls.go
+++ b/goKMS/kms/tls/tls.go
@@ -11,15 +11,15 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
+func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsData.Active {
-		creds, err := generateGRPCServerTransportCredsWithTLS(tlsData.CAFile, tlsData.CertFile, tlsData.KeyFile)
+	if tlsConfig.Active {
+		tlsLibraryConfig, err := GenerateServerTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -27,9 +27,9 @@ func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (c
 	return gRPCTransportCreds, nil
 }
 
-func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateServerTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()
-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
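Review bot: `GenerateServerTLSLibraryConfig` and, in the later hunk, `GenerateTLSLibraryConfig` become exported without a doc comment, and their names do not say which side of the connection each configures. A comment such as `// GenerateServerTLSLibraryConfig builds the server-side *tls.Config: TLS 1.3 only, client certificates required and verified against CAFile.` above the first, and `// GenerateTLSLibraryConfig builds the client-side *tls.Config: TLS 1.3 only, peers verified against CAFile, CertFile/KeyFile presented as client identity.` above the second, would state the contract that the `ClientAuth`/`RootCAs` fields encode. Renaming the second to `GenerateClientTLSLibraryConfig` would make the pair symmetric, since this commit already renames all of its callers.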
@@ -38,30 +38,28 @@ func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}
 
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
 	}
 
-	tlsConfig := &tls.Config{
+	return &tls.Config{
 		MinVersion:   tls.VersionTLS13,
 		ClientCAs:    cp,
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
+	}, nil
 }
 
 func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
 	if tlsConfig.Active {
-		creds, err := generateGRPCClientTransportCredsWithTLS(tlsConfig.CAFile, tlsConfig.CertFile, tlsConfig.KeyFile)
+		tlsLibraryConfig, err := GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -69,10 +67,10 @@ func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig)
 	return gRPCTransportCreds, nil
 }
 
-func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()
 
-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -80,30 +78,6 @@ func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}
 
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConfig := &tls.Config{
-		MinVersion:   tls.VersionTLS13,
-		RootCAs:      cp,
-		Certificates: []tls.Certificate{cert},
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
-}
-
-func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
-	caCert, err := os.ReadFile(tlsConfig.CAFile)
-	if err != nil {
-		return nil, err
-	}
-	caCertPool := x509.NewCertPool()
-	if !caCertPool.AppendCertsFromPEM(caCert) {
-		return nil, fmt.Errorf("credentials: failed to append certificates")
-	}
-
 	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
@@ -111,7 +85,7 @@ func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 
 	return &tls.Config{
 		MinVersion:   tls.VersionTLS13,
-		RootCAs:      caCertPool,
+		RootCAs:      cp,
 		Certificates: []tls.Certificate{cert},
 	}, nil
 }
diff --git a/integration-tests/code/getKSAKeyTest/getKSA_key_test.go b/integration-tests/code/getKSAKeyTest/getKSA_key_test.go
index e1e8464b..8fcc7004 100644
--- a/integration-tests/code/getKSAKeyTest/getKSA_key_test.go
+++ b/integration-tests/code/getKSAKeyTest/getKSA_key_test.go
@@ -10,6 +10,8 @@ import (
 	"os"
 	"testing"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	utils "code.fbi.h-da.de/danet/quant/integration-tests/code/integrationTestUtils"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@@ -87,7 +89,14 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 
 	requestId := uuid.New().String()
 
-	url := fmt.Sprintf("http://%s/api/v1/keys/ksa_key_req", kms1AkmsURL)
+	tlsConfig := config.TLSConfig{
+		Active:   true,
+		CAFile:   "../../../artifacts/integration-tests/ssl/ca.crt",
+		CertFile: "../../../artifacts/integration-tests/ssl/kms/kms2-selfsigned.crt",
+		KeyFile:  "../../../artifacts/integration-tests/ssl/kms/kms2-selfsigned.key",
+	}
+
+	url := fmt.Sprintf("https://%s/api/v1/keys/ksa_key_req", kms1AkmsURL)
 	data := RequestData{
 		ReceivingCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2",
 		RequestID:       requestId,
@@ -99,13 +108,22 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 		},
 	}
 
+	tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
+	if err != nil {
+		t.Errorf("Error generating TLS config: %s", err)
+	}
+	transport := &http.Transport{
+		TLSClientConfig: tlsConf,
+	}
+	client := &http.Client{Transport: transport}
+
 	jsonData, err := json.Marshal(data)
 	if err != nil {
 		fmt.Println(err)
 		return
 	}
 
-	resp, err := http.Post(url, "application/json", bytes.NewBuffer(jsonData))
+	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return
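Review bot: After `t.Errorf("Error generating TLS config: %s", err)` the test keeps going with a nil `tlsConf`, so the `https://` request then runs with a default TLS config and fails on a certificate error that hides the real cause; the same pattern repeats in the later hunk where `tlsConf, err = kmstls.GenerateTLSLibraryConfig(tlsConfig)` is reassigned. Using `t.Fatalf("Error generating TLS config: %s", err)` in both places stops at the first failure with the correct message. `TestGetKSAKey` starts and ends outside these hunks.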
@@ -117,7 +135,7 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 	}
 
 	// Get logfile of akms
-	resp, err = http.Get("http://" + logFileURL + "/debug/get_log_file")
+	resp, err = client.Get("https://" + logFileURL + "/debug/get_log_file")
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return
@@ -143,7 +161,23 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 	assert.NotNil(t, logFile.Body.KSAKeys[0].KeyID)
 	assert.NotNil(t, logFile.Body.KSAKeys[0].Key)
 
-	resp, err = http.Get("http://" + logFileURL2 + "/debug/get_log_file")
+	tlsConfig = config.TLSConfig{
+		Active:   true,
+		CAFile:   "../../../artifacts/integration-tests/ssl/ca.crt",
+		CertFile: "../../../artifacts/integration-tests/ssl/kms/kms1-selfsigned.crt",
+		KeyFile:  "../../../artifacts/integration-tests/ssl/kms/kms1-selfsigned.key",
+	}
+
+	tlsConf, err = kmstls.GenerateTLSLibraryConfig(tlsConfig)
+	if err != nil {
+		t.Errorf("Error generating TLS config: %s", err)
+	}
+	transport = &http.Transport{
+		TLSClientConfig: tlsConf,
+	}
+	client = &http.Client{Transport: transport}
+
+	resp, err = client.Get("https://" + logFileURL2 + "/debug/get_log_file")
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return
diff --git a/integration-tests/config/kms/kms_1.yaml b/integration-tests/config/kms/kms_1.yaml
index 03e20b22..d57612d8 100644
--- a/integration-tests/config/kms/kms_1.yaml
+++ b/integration-tests/config/kms/kms_1.yaml
@@ -1,24 +1,29 @@
-Id: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
+Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
 Name: kms01
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
-AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
+AkmsURL: "https://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+  Active: true
+  CAFile: "config/ssl/ca.crt"
+  CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+  KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: false
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms1-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 Peers:
-    # peer to kms02
-    - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
-      PeerInterComAddr: kms02:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_1
+  # peer to kms02
+  - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
+    PeerInterComAddr: kms02:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_1
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
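Review bot: The `KmsTLS:` block changes from `TLS: true` to `Active: false`, so this integration run enables TLS on the AKMS path while explicitly leaving the KMS peer link in plaintext; the same flip is in kms_2.yaml. If the loader never read the old `TLS` key (the Go code already checks `.Active`, as the etsi14Quantummodule.go hunk shows), this only makes an existing plaintext setup explicit, but either way the suite then has no coverage of mutual TLS between the two KMS instances. Setting `Active: true` here and in kms_2.yaml, or a comment stating why the intercom stays plaintext in the test environment, would make that choice deliberate.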
diff --git a/integration-tests/config/kms/kms_2.yaml b/integration-tests/config/kms/kms_2.yaml
index cfbd6c5f..6bdbd365 100644
--- a/integration-tests/config/kms/kms_2.yaml
+++ b/integration-tests/config/kms/kms_2.yaml
@@ -1,24 +1,29 @@
-Id: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
+Id: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
 Name: kms02
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
-AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
+AkmsURL: "https://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+  Active: true
+  CAFile: "config/ssl/ca.crt"
+  CertFile: "config/ssl/kms/kms2-selfsigned.crt"
+  KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: false
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms2-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 Peers:
-    # peer to kms01
-    - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
-      PeerInterComAddr: kms01:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_2
+  # peer to kms01
+  - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
+    PeerInterComAddr: kms01:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_2
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
diff --git a/integration-tests/config/kms/tlsConfigs/kms1ReqConfig.txt b/integration-tests/config/kms/tlsConfigs/kms1ReqConfig.txt
index 7171d575..4d46bd8d 100644
--- a/integration-tests/config/kms/tlsConfigs/kms1ReqConfig.txt
+++ b/integration-tests/config/kms/tlsConfigs/kms1ReqConfig.txt
@@ -13,4 +13,7 @@ keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = @alt_names
 [alt_names]
+IP.1 = 127.0.0.1
 DNS.1 = kms01
+DNS.2 = akms-simulator_1
+DNS.3 = akms-simulator_2
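Review bot: Adding `DNS.2 = akms-simulator_1`, `DNS.3 = akms-simulator_2` and `IP.1 = 127.0.0.1` to the kms01 request (and the mirror lines in kms2ReqConfig.txt) makes one key pair a valid identity for the KMS, both AKMS simulators and loopback, so a compromise of either KMS key also impersonates the AKMS side. That is acceptable for a shared test CA, but a comment at the top of the file such as `# test-only: this key pair is reused as the AKMS simulator identity; issue separate certificates outside the integration setup` would keep it from being copied into a deployment. Separately, the pre-existing `keyUsage = keyEncipherment, dataEncipherment` line omits `digitalSignature`; Go's crypto/tls does not enforce key-usage bits, but an OpenSSL-based peer is likely to reject these certificates under TLS 1.3, which is worth confirming before reusing the profile.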
diff --git a/integration-tests/config/kms/tlsConfigs/kms2ReqConfig.txt b/integration-tests/config/kms/tlsConfigs/kms2ReqConfig.txt
index c990896c..8701d1e0 100644
--- a/integration-tests/config/kms/tlsConfigs/kms2ReqConfig.txt
+++ b/integration-tests/config/kms/tlsConfigs/kms2ReqConfig.txt
@@ -13,4 +13,7 @@ keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = @alt_names
 [alt_names]
+IP.1 = 127.0.0.1
 DNS.1 = kms02
+DNS.2 = akms-simulator_1
+DNS.3 = akms-simulator_2
diff --git a/integration-tests/docker-compose.yml b/integration-tests/docker-compose.yml
index b8a05d76..72213b09 100644
--- a/integration-tests/docker-compose.yml
+++ b/integration-tests/docker-compose.yml
@@ -1,89 +1,109 @@
 services:
-    kms01:
-        image: gokms
-        command:
-            [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml" ]
-        volumes:
-            - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
-            - ../artifacts/integration-tests/ssl:/config/ssl
-        ports:
-            - "127.0.0.1:7030:7030"
-            - "127.0.0.1:9696:9696"
-            - "127.0.0.1:1414:1414"
+  kms01:
+    image: gokms
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
+    volumes:
+      - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:7030:7030"
+      - "127.0.0.1:9696:9696"
+      - "127.0.0.1:1414:1414"
 
-    kms02:
-        image: gokms
-        command:
-            [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml" ]
-        volumes:
-            - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
-            - ../artifacts/integration-tests/ssl:/config/ssl
-        ports:
-            - "127.0.0.1:7031:7030"
-            - "127.0.0.1:1415:1414"
+  kms02:
+    image: gokms
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
+    volumes:
+      - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:7031:7030"
+      - "127.0.0.1:1415:1414"
 
-    quantumlayer_1:
-        image: quantumlayer
-        command:
-            [
-                "--log",
-                "debug",
-                "--config",
-                "/tmp/quantumlayer/config/quantumlayer_1.yaml",
-            ]
-        volumes:
-            - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
+  quantumlayer_1:
+    image: quantumlayer
+    command:
+      [
+        "--log",
+        "debug",
+        "--config",
+        "/tmp/quantumlayer/config/quantumlayer_1.yaml",
+      ]
+    volumes:
+      - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
 
-    quantumlayer_2:
-        image: quantumlayer
-        command:
-            [
-                "--log",
-                "debug",
-                "--config",
-                "/tmp/quantumlayer/config/quantumlayer_2.yaml",
-            ]
-        volumes:
-            - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
+  quantumlayer_2:
+    image: quantumlayer
+    command:
+      [
+        "--log",
+        "debug",
+        "--config",
+        "/tmp/quantumlayer/config/quantumlayer_2.yaml",
+      ]
+    volumes:
+      - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
 
-    akms-simulator_1:
-        image: akms-simulator
-        ports:
-            - "127.0.0.1:4444:4444"
+  akms-simulator_1:
+    image: akms-simulator
+    ports:
+      - "127.0.0.1:4444:4444"
+    volumes:
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    command:
+      [
+        "--ca",
+        "config/ssl/ca.crt",
+        "--cert",
+        "config/ssl/kms/kms2-selfsigned.crt",
+        "--key",
+        "config/ssl/kms/kms2-selfsigned.key",
+      ]
 
-    akms-simulator_2:
-        image: akms-simulator
-        ports:
-            - "127.0.0.1:4445:4444"
+  akms-simulator_2:
+    image: akms-simulator
+    volumes:
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:4445:4444"
+    command:
+      [
+        "--ca",
+        "config/ssl/ca.crt",
+        "--cert",
+        "config/ssl/kms/kms1-selfsigned.crt",
+        "--key",
+        "config/ssl/kms/kms1-selfsigned.key",
+      ]
 
-    qkdn-controller:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
-      volumes:
-        - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
-        - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
-      command: --config ./configs/qkdn-gosdn.toml
-      ports:
-        - 0.0.0.0:55055:55055
-        - 127.0.0.1:8080:8080
-        - 127.0.0.1:40000:40000
-      environment:
-        GOSDN_ADMIN_PASSWORD: TestPassword
+  qkdn-controller:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
+    volumes:
+      - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
+      - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
+    command: --config ./configs/qkdn-gosdn.toml
+    ports:
+      - 0.0.0.0:55055:55055
+      - 127.0.0.1:8080:8080
+      - 127.0.0.1:40000:40000
+    environment:
+      GOSDN_ADMIN_PASSWORD: TestPassword
 
-    plugin-registry:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
+  plugin-registry:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
 
-    mongo:
-      image: mongo:7
-      environment:
-        MONGO_INITDB_ROOT_USERNAME: root
-        MONGO_INITDB_ROOT_PASSWORD: example
+  mongo:
+    image: mongo:7
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: root
+      MONGO_INITDB_ROOT_PASSWORD: example
 
-    rabbitmq:
-      image: rabbitmq:3-management
+  rabbitmq:
+    image: rabbitmq:3-management
 
-    routing-app:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
-      entrypoint: ["./start_ra_sleep.sh"]
-      volumes:
-        - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
-        - ./config/controller/routing-config.yaml:/new/routing-config.yaml
+  routing-app:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
+    entrypoint: ["./start_ra_sleep.sh"]
+    volumes:
+      - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
+      - ./config/controller/routing-config.yaml:/new/routing-config.yaml
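Review bot: `akms-simulator_1` is started with `config/ssl/kms/kms2-selfsigned.crt`/`.key` and `akms-simulator_2` with the kms1 pair, a cross-wise assignment that only works because both simulator hostnames were added to both certificates' SAN lists; nothing in the file says this is intended. A comment on each `command:` block, e.g. `# served with the kms2 identity; both simulator names are in its SANs`, would stop the next reader from "fixing" it. The `--ca`/`--cert`/`--key` paths are relative (`config/ssl/...`) and therefore depend on the image's working directory being `/`, which I cannot verify from here; absolute `/config/ssl/...` paths matching the volume mount would remove that dependency.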
-- 
GitLab