Adding tls support for akms-ckms client and server

See merge request !206

Co-authored-by: Malte Bauch <malte.bauch@h-da.de>

akms-simulator/akms-simulator.go

 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"flag"
 	"io"
-	"log"
 	"net/http"
 	"os"
 
@@ -26,11 +28,53 @@ type KSAKey struct {
 }
 
 func main() {
+	tlsCAFile := flag.String("ca", "", "Path to CA certificate file")
+	tlsCertFile := flag.String("cert", "", "Path to certificate file")
+	tlsKeyFile := flag.String("key", "", "Path to key file")
+	flag.Parse()
+
 	logrus.Info("Starting AKMS Simulator...")
 
-	http.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
-	http.HandleFunc("/debug/get_log_file", getLogFile)
-	log.Fatal(http.ListenAndServe(":4444", nil))
+	router := http.NewServeMux()
+
+	router.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
+	router.HandleFunc("/debug/get_log_file", getLogFile)
+
+	server := &http.Server{
+		Addr:    ":4444",
+		Handler: router,
+	}
+
+	if *tlsCAFile != "" && *tlsCertFile != "" && *tlsKeyFile != "" {
+		logrus.Info("TLS enabled")
+		cp := x509.NewCertPool()
+		b, err := os.ReadFile(*tlsCAFile)
+		if err != nil {
+			logrus.Fatalf("Error reading CA file: %s", err)
+		}
+
+		if !cp.AppendCertsFromPEM(b) {
+			logrus.Fatalf("Error appending certs from PEM")
+		}
+
+		cert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+		if err != nil {
+			logrus.Fatalf("Error loading X509 key pair: %s", err)
+		}
+
+		tlsConfig := &tls.Config{
+			MinVersion:   tls.VersionTLS13,
+			ClientCAs:    cp,
+			Certificates: []tls.Certificate{cert},
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+		}
+
+		server.TLSConfig = tlsConfig
+
+		logrus.Fatal(server.ListenAndServeTLS("", ""))
+	} else {
+		logrus.Fatal(server.ListenAndServe())
+	}
 }
 
 func getLogFile(w http.ResponseWriter, r *http.Request) {

config/goKMS/example01.yaml

@@ -7,12 +7,12 @@ AkmsURL: "http://akms-receiver01:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms1-selfsigned.crt"
   KeyFile: "ssl/kms/kms1-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms1-selfsigned.crt"
   KeyFile: "ssl/kms/kms1-selfsigned.key"

config/goKMS/example02.yaml

@@ -5,12 +5,12 @@ QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms2-selfsigned.crt"
   KeyFile: "ssl/kms/kms2-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms2-selfsigned.crt"
   KeyFile: "ssl/kms/kms2-selfsigned.key"

config/goKMS/example03.yaml

@@ -5,12 +5,12 @@ QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms3-selfsigned.crt"
   KeyFile: "ssl/kms/kms3-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms3-selfsigned.crt"
   KeyFile: "ssl/kms/kms3-selfsigned.key"

config/goKMS/example04.yaml

@@ -7,12 +7,12 @@ AkmsURL: "http://akms-receiver02:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms4-selfsigned.crt"
   KeyFile: "ssl/kms/kms4-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms4-selfsigned.crt"
   KeyFile: "ssl/kms/kms4-selfsigned.key"

goKMS/kms/akms/client/client.go → goKMS/kms/akmsInterface/client/client.go

@@ -3,20 +3,39 @@ package client
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"io"
 	"net/http"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/sirupsen/logrus"
 )
 
 type CkmsAkmsClient struct {
-	url string
+	url        string
+	httpClient *http.Client
 }
 
-func NewCkmsAkmsClient(url string) *CkmsAkmsClient {
-	return &CkmsAkmsClient{
-		url: url,
+func NewCkmsAkmsClient(url string, tlsConfig config.TLSConfig) (*CkmsAkmsClient, error) {
+	client := &http.Client{}
+
+	if tlsConfig.Active {
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+
+		client.Transport = &http.Transport{
+			TLSClientConfig: tlsConf,
+		}
 	}
+
+	return &CkmsAkmsClient{
+		url:        url,
+		httpClient: client,
+	}, nil
 }
 
 type PushKSAKeyRequest struct {
@@ -38,9 +57,14 @@ func (c *CkmsAkmsClient) SendKSAKeysToRequestingInstances(requestID string, proc
 		return err
 	}
 
-	resp, err := http.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
+	// TODO: also log the response body if request failed
+	resp, err := c.httpClient.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
-		logrus.Errorf("Error sending POST request: %s", err)
+		body, err2 := io.ReadAll(resp.Body)
+		if err2 != nil {
+			logrus.Errorf("Error reading POST response body: %s", err2)
+		}
+		logrus.Errorf("Error sending POST request: %s, received response body: %s", err, string(body))
 		logrus.Errorf("Tried to send request: %s to url: %s", jsonData, c.url)
 		return err
 	}

goKMS/kms/akms/server/server.go → goKMS/kms/akmsInterface/server/server.go

@@ -6,17 +6,20 @@ import (
 	"net/http"
 	"time"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/receiver"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 )
 
 type AKMSReceiverServer struct {
-	server *http.Server
+	server    *http.Server
+	tlsConfig config.TLSConfig
 }
 
-func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error) *AKMSReceiverServer {
+func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error, tlsConfig config.TLSConfig) (*AKMSReceiverServer, error) {
 	router := http.NewServeMux()
 
 	router.HandleFunc("/api/v1/keys/ksa_key_req", ksaReqHandler(eventBus, receiver, generateAndSend))
@@ -26,15 +29,28 @@ func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.R
 		Handler: router,
 	}
 
+	if tlsConfig.Active {
+		tlsLibraryConfig, err := kmstls.GenerateServerTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+		server.TLSConfig = tlsLibraryConfig
+	}
+
 	AKMSReceiver := &AKMSReceiverServer{
-		server: server,
+		server:    server,
+		tlsConfig: tlsConfig,
 	}
 
-	return AKMSReceiver
+	return AKMSReceiver, nil
 }
 
 func (akmsReceiver *AKMSReceiverServer) Serve() {
-	go akmsReceiver.server.ListenAndServe() //nolint:errcheck
+	if akmsReceiver.tlsConfig.Active {
+		go akmsReceiver.server.ListenAndServeTLS("", "") //nolint:errcheck
+	} else {
+		go akmsReceiver.server.ListenAndServe() //nolint:errcheck
+	}
 }
 
 type KeyProperties struct {

goKMS/kms/kms.go

@@ -21,8 +21,8 @@ import (
 
 	pbIC "code.fbi.h-da.de/danet/quant/goKMS/api/gen/proto/go/kmsintercom"
 	"code.fbi.h-da.de/danet/quant/goKMS/config"
-	akmsClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/client"
-	akmsServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/server"
+	akmsInterfaceClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/client"
+	akmsInterfaceServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
 	etsi14Server "code.fbi.h-da.de/danet/quant/goKMS/kms/etsi/etsi14/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
@@ -82,8 +82,8 @@ type KMS struct {
 	eventBus            *event.EventBus
 	receiver            *receiver.Receiver
 	// Akms things
-	ckmsAkmsClient *akmsClient.CkmsAkmsClient
-	ckmsAkmsServer *akmsServer.AKMSReceiverServer
+	ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	ckmsAkmsServer *akmsInterfaceServer.AKMSReceiverServer
 	// ETSI14 Server things
 	etsi14Server    *etsi14Server.ETSI14RESTService
 	keyStoreChannel chan []crypto.KSAKey
@@ -118,9 +118,13 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 		log.SetReportCaller(false)
 	}
 
-	var ckmsAkmsClient *akmsClient.CkmsAkmsClient
+	var ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	var err error
 	if config.AkmsURL != "" {
-		ckmsAkmsClient = akmsClient.NewCkmsAkmsClient(config.AkmsURL)
+		ckmsAkmsClient, err = akmsInterfaceClient.NewCkmsAkmsClient(config.AkmsURL, config.AkmsCkmsTLS)
+		if err != nil {
+			log.Fatalf("Failed to setup CkmsAkmsClient: %s", err)
+		}
 	}
 
 	gRPCTimeoutInSecondsDuration := time.Duration(config.GRPCTimeoutInSeconds) * time.Second
@@ -149,14 +153,17 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 	go createdKMS.startGRPC()
 
 	// initialize from config
-	err := createdKMS.initializePeers(config)
+	err = createdKMS.initializePeers(config)
 	if err != nil {
 		log.Fatalf("Failed to initialize peers: %s", err)
 	}
 
 	// Start the akmsCkmsReceiverServer
 	if config.AkmsCkmsServerPort != "" {
-		createdKMS.ckmsAkmsServer = akmsServer.NewAKMSReceiver(config.AkmsCkmsServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey)
+		createdKMS.ckmsAkmsServer, err = akmsInterfaceServer.NewAKMSReceiver(config.AkmsCkmsServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey, config.AkmsCkmsTLS)
+		if err != nil {
+			log.Fatalf("Failed to initialize CkmsAkmsServer: %s", err)
+		}
 		log.Infof("Starting AKMS receiver server on port: %s", config.AkmsCkmsServerPort)
 		go createdKMS.ckmsAkmsServer.Serve()
 	}

goKMS/kms/peers/etsi14Quantummodule.go

@@ -51,7 +51,7 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, localSAEID, targetSAEID string, tl
 	}
 
 	if tlsConfig.Active {
-		tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
 		}

goKMS/kms/tls/tls.go

@@ -11,15 +11,15 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
+func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsData.Active {
-		creds, err := generateGRPCServerTransportCredsWithTLS(tlsData.CAFile, tlsData.CertFile, tlsData.KeyFile)
+	if tlsConfig.Active {
+		tlsLibraryConfig, err := GenerateServerTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -27,9 +27,9 @@ func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (c
 	return gRPCTransportCreds, nil
 }
 
-func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateServerTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()
-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -38,30 +38,28 @@ func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}
 
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
 	}
 
-	tlsConfig := &tls.Config{
+	return &tls.Config{
 		MinVersion:   tls.VersionTLS13,
 		ClientCAs:    cp,
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
+	}, nil
 }
 
 func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
 	if tlsConfig.Active {
-		creds, err := generateGRPCClientTransportCredsWithTLS(tlsConfig.CAFile, tlsConfig.CertFile, tlsConfig.KeyFile)
+		tlsLibraryConfig, err := GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -69,10 +67,10 @@ func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig)
 	return gRPCTransportCreds, nil
 }
 
-func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()
 
-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -80,30 +78,6 @@ func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}
 
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConfig := &tls.Config{
-		MinVersion:   tls.VersionTLS13,
-		RootCAs:      cp,
-		Certificates: []tls.Certificate{cert},
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
-}
-
-func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
-	caCert, err := os.ReadFile(tlsConfig.CAFile)
-	if err != nil {
-		return nil, err
-	}
-	caCertPool := x509.NewCertPool()
-	if !caCertPool.AppendCertsFromPEM(caCert) {
-		return nil, fmt.Errorf("credentials: failed to append certificates")
-	}
-
 	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
@@ -111,7 +85,7 @@ func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 
 	return &tls.Config{
 		MinVersion:   tls.VersionTLS13,
-		RootCAs:      caCertPool,
+		RootCAs:      cp,
 		Certificates: []tls.Certificate{cert},
 	}, nil
 }

integration-tests/code/getKSAKeyTest/getKSA_key_test.go

@@ -10,6 +10,8 @@ import (
 	"os"
 	"testing"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	utils "code.fbi.h-da.de/danet/quant/integration-tests/code/integrationTestUtils"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@@ -87,7 +89,14 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 
 	requestId := uuid.New().String()
 
-	url := fmt.Sprintf("http://%s/api/v1/keys/ksa_key_req", kms1AkmsURL)
+	tlsConfig := config.TLSConfig{
+		Active:   true,
+		CAFile:   "../../../artifacts/integration-tests/ssl/ca.crt",
+		CertFile: "../../../artifacts/integration-tests/ssl/kms/kms2-selfsigned.crt",
+		KeyFile:  "../../../artifacts/integration-tests/ssl/kms/kms2-selfsigned.key",
+	}
+
+	url := fmt.Sprintf("https://%s/api/v1/keys/ksa_key_req", kms1AkmsURL)
 	data := RequestData{
 		ReceivingCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2",
 		RequestID:       requestId,
@@ -99,13 +108,22 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 		},
 	}
 
+	tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
+	if err != nil {
+		t.Errorf("Error generating TLS config: %s", err)
+	}
+	transport := &http.Transport{
+		TLSClientConfig: tlsConf,
+	}
+	client := &http.Client{Transport: transport}
+
 	jsonData, err := json.Marshal(data)
 	if err != nil {
 		fmt.Println(err)
 		return
 	}
 
-	resp, err := http.Post(url, "application/json", bytes.NewBuffer(jsonData))
+	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return
@@ -117,7 +135,7 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 	}
 
 	// Get logfile of akms
-	resp, err = http.Get("http://" + logFileURL + "/debug/get_log_file")
+	resp, err = client.Get("https://" + logFileURL + "/debug/get_log_file")
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return
@@ -143,7 +161,23 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 	assert.NotNil(t, logFile.Body.KSAKeys[0].KeyID)
 	assert.NotNil(t, logFile.Body.KSAKeys[0].Key)
 
-	resp, err = http.Get("http://" + logFileURL2 + "/debug/get_log_file")
+	tlsConfig = config.TLSConfig{
+		Active:   true,
+		CAFile:   "../../../artifacts/integration-tests/ssl/ca.crt",
+		CertFile: "../../../artifacts/integration-tests/ssl/kms/kms1-selfsigned.crt",
+		KeyFile:  "../../../artifacts/integration-tests/ssl/kms/kms1-selfsigned.key",
+	}
+
+	tlsConf, err = kmstls.GenerateTLSLibraryConfig(tlsConfig)
+	if err != nil {
+		t.Errorf("Error generating TLS config: %s", err)
+	}
+	transport = &http.Transport{
+		TLSClientConfig: tlsConf,
+	}
+	client = &http.Client{Transport: transport}
+
+	resp, err = client.Get("https://" + logFileURL2 + "/debug/get_log_file")
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return

integration-tests/config/kms/kms_1.yaml

-Id: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
+Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
 Name: kms01
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
-AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
+AkmsURL: "https://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+  Active: true
+  CAFile: "config/ssl/ca.crt"
+  CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+  KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: false
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms1-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 Peers:
-    # peer to kms02
-    - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
-      PeerInterComAddr: kms02:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_1
+  # peer to kms02
+  - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
+    PeerInterComAddr: kms02:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_1
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2"

integration-tests/config/kms/kms_2.yaml

-Id: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
+Id: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
 Name: kms02
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
-AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
+AkmsURL: "https://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
 AkmsCkmsServerPort: "9696"
+AkmsCkmsTLS:
+  Active: true
+  CAFile: "config/ssl/ca.crt"
+  CertFile: "config/ssl/kms/kms2-selfsigned.crt"
+  KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: false
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms2-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 Peers:
-    # peer to kms01
-    - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
-      PeerInterComAddr: kms01:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_2
+  # peer to kms01
+  - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
+    PeerInterComAddr: kms01:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_2
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"

integration-tests/config/kms/tlsConfigs/kms1ReqConfig.txt

@@ -13,4 +13,7 @@ keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = @alt_names
 [alt_names]
+IP.1 = 127.0.0.1
 DNS.1 = kms01
+DNS.2 = akms-simulator_1
+DNS.3 = akms-simulator_2

integration-tests/config/kms/tlsConfigs/kms2ReqConfig.txt

@@ -13,4 +13,7 @@ keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = @alt_names
 [alt_names]
+IP.1 = 127.0.0.1
 DNS.1 = kms02
+DNS.2 = akms-simulator_1
+DNS.3 = akms-simulator_2

integration-tests/docker-compose.yml

 services:
-    kms01:
-        image: gokms
-        command:
-            [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml" ]
-        volumes:
-            - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
-            - ../artifacts/integration-tests/ssl:/config/ssl
-        ports:
-            - "127.0.0.1:7030:7030"
-            - "127.0.0.1:9696:9696"
-            - "127.0.0.1:1414:1414"
+  kms01:
+    image: gokms
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
+    volumes:
+      - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:7030:7030"
+      - "127.0.0.1:9696:9696"
+      - "127.0.0.1:1414:1414"
 
-    kms02:
-        image: gokms
-        command:
-            [ "--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml" ]
-        volumes:
-            - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
-            - ../artifacts/integration-tests/ssl:/config/ssl
-        ports:
-            - "127.0.0.1:7031:7030"
-            - "127.0.0.1:1415:1414"
+  kms02:
+    image: gokms
+    command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
+    volumes:
+      - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:7031:7030"
+      - "127.0.0.1:1415:1414"
 
-    quantumlayer_1:
-        image: quantumlayer
-        command:
-            [
-                "--log",
-                "debug",
-                "--config",
-                "/tmp/quantumlayer/config/quantumlayer_1.yaml",
-            ]
-        volumes:
-            - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
+  quantumlayer_1:
+    image: quantumlayer
+    command:
+      [
+        "--log",
+        "debug",
+        "--config",
+        "/tmp/quantumlayer/config/quantumlayer_1.yaml",
+      ]
+    volumes:
+      - ./config/quantumlayer/quantumlayer_1.yaml:/tmp/quantumlayer/config/quantumlayer_1.yaml
 
-    quantumlayer_2:
-        image: quantumlayer
-        command:
-            [
-                "--log",
-                "debug",
-                "--config",
-                "/tmp/quantumlayer/config/quantumlayer_2.yaml",
-            ]
-        volumes:
-            - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
+  quantumlayer_2:
+    image: quantumlayer
+    command:
+      [
+        "--log",
+        "debug",
+        "--config",
+        "/tmp/quantumlayer/config/quantumlayer_2.yaml",
+      ]
+    volumes:
+      - ./config/quantumlayer/quantumlayer_2.yaml:/tmp/quantumlayer/config/quantumlayer_2.yaml
 
-    akms-simulator_1:
-        image: akms-simulator
-        ports:
-            - "127.0.0.1:4444:4444"
+  akms-simulator_1:
+    image: akms-simulator
+    ports:
+      - "127.0.0.1:4444:4444"
+    volumes:
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    command:
+      [
+        "--ca",
+        "config/ssl/ca.crt",
+        "--cert",
+        "config/ssl/kms/kms2-selfsigned.crt",
+        "--key",
+        "config/ssl/kms/kms2-selfsigned.key",
+      ]
 
-    akms-simulator_2:
-        image: akms-simulator
-        ports:
-            - "127.0.0.1:4445:4444"
+  akms-simulator_2:
+    image: akms-simulator
+    volumes:
+      - ../artifacts/integration-tests/ssl:/config/ssl
+    ports:
+      - "127.0.0.1:4445:4444"
+    command:
+      [
+        "--ca",
+        "config/ssl/ca.crt",
+        "--cert",
+        "config/ssl/kms/kms1-selfsigned.crt",
+        "--key",
+        "config/ssl/kms/kms1-selfsigned.key",
+      ]
 
-    qkdn-controller:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
-      volumes:
-        - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
-        - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
-      command: --config ./configs/qkdn-gosdn.toml
-      ports:
-        - 0.0.0.0:55055:55055
-        - 127.0.0.1:8080:8080
-        - 127.0.0.1:40000:40000
-      environment:
-        GOSDN_ADMIN_PASSWORD: TestPassword
+  qkdn-controller:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller:qkdn-main
+    volumes:
+      - ./config/controller/qkdn-gosdn.toml:/app/configs/qkdn-gosdn.toml
+      - ./config/controller/gNMISubscriptions.txt:/app/configs/gNMISubscriptions.txt
+    command: --config ./configs/qkdn-gosdn.toml
+    ports:
+      - 0.0.0.0:55055:55055
+      - 127.0.0.1:8080:8080
+      - 127.0.0.1:40000:40000
+    environment:
+      GOSDN_ADMIN_PASSWORD: TestPassword
 
-    plugin-registry:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
+  plugin-registry:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/plugin-registry:qkdn-main
 
-    mongo:
-      image: mongo:7
-      environment:
-        MONGO_INITDB_ROOT_USERNAME: root
-        MONGO_INITDB_ROOT_PASSWORD: example
+  mongo:
+    image: mongo:7
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: root
+      MONGO_INITDB_ROOT_PASSWORD: example
 
-    rabbitmq:
-      image: rabbitmq:3-management
+  rabbitmq:
+    image: rabbitmq:3-management
 
-    routing-app:
-      image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
-      entrypoint: ["./start_ra_sleep.sh"]
-      volumes:
-        - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
-        - ./config/controller/routing-config.yaml:/new/routing-config.yaml
+  routing-app:
+    image: registry.code.fbi.h-da.de/demoquandt/qkdn-controller/routing-app:qkdn-main
+    entrypoint: ["./start_ra_sleep.sh"]
+    volumes:
+      - ./config/controller/start_ra_sleep.sh:/app/start_ra_sleep.sh
+      - ./config/controller/routing-config.yaml:/new/routing-config.yaml