Adding tls support for akms-ckms client and server

beb43b7b · Malte Bauch · 44c022ca · beb43b7b · beb43b7b · beb43b7b
Commit beb43b7b authored 8 months ago by Malte Bauch
--- a/goKMS/kms/akms/client/client.go
+++ b/goKMS/kms/akms/client/client.go
@@ -3,20 +3,39 @@ package client
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"io"
 	"net/http"

+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/sirupsen/logrus"
 )

 type CkmsAkmsClient struct {
-	url string
+	url        string
+	httpClient *http.Client
 }

-func NewCkmsAkmsClient(url string) *CkmsAkmsClient {
-	return &CkmsAkmsClient{
-		url: url,
+func NewCkmsAkmsClient(url string, tlsConfig config.TLSConfig) (*CkmsAkmsClient, error) {
+	client := &http.Client{}
+
+	if tlsConfig.Active {
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+
+		client.Transport = &http.Transport{
+			TLSClientConfig: tlsConf,
+		}
 	}
+
+	return &CkmsAkmsClient{
+		url:        url,
+		httpClient: client,
+	}, nil
 }

 type PushKSAKeyRequest struct {
@@ -38,9 +57,14 @@ func (c *CkmsAkmsClient) SendKSAKeysToRequestingInstances(requestID string, proc
 		return err
 	}

-	resp, err := http.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
+	// TODO: also log the response body if request failed
+	resp, err := c.httpClient.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
-		logrus.Errorf("Error sending POST request: %s", err)
+		body, err2 := io.ReadAll(resp.Body)
+		if err2 != nil {
+			logrus.Errorf("Error reading POST response body: %s", err2)
+		}
+		logrus.Errorf("Error sending POST request: %s, received response body: %s", err, string(body))
 		logrus.Errorf("Tried to send request: %s to url: %s", jsonData, c.url)
 		return err
 	}

--- a/goKMS/kms/akms/server/server.go
+++ b/goKMS/kms/akms/server/server.go
@@ -6,8 +6,10 @@ import (
 	"net/http"
 	"time"

+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/receiver"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 )
@@ -16,7 +18,7 @@ type AKMSReceiverServer struct {
 	server *http.Server
 }

-func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error) *AKMSReceiverServer {
+func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error, tlsConfig config.TLSConfig) (*AKMSReceiverServer, error) {
 	router := http.NewServeMux()

 	router.HandleFunc("/api/v1/keys/ksa_key_req", ksaReqHandler(eventBus, receiver, generateAndSend))
@@ -26,11 +28,19 @@ func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.R
 		Handler: router,
 	}

+	if tlsConfig.Active {
+		tlsLibraryConfig, err := kmstls.GenerateServerTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+		server.TLSConfig = tlsLibraryConfig
+	}
+
 	AKMSReceiver := &AKMSReceiverServer{
 		server: server,
 	}

-	return AKMSReceiver
+	return AKMSReceiver, nil
 }

 func (akmsReceiver *AKMSReceiverServer) Serve() {

--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -21,8 +21,8 @@ import (

 	pbIC "code.fbi.h-da.de/danet/quant/goKMS/api/gen/proto/go/kmsintercom"
 	"code.fbi.h-da.de/danet/quant/goKMS/config"
-	akmsClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/client"
-	akmsServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/server"
+	akmsInterfaceClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/client"
+	akmsInterfaceServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
 	etsi14Server "code.fbi.h-da.de/danet/quant/goKMS/kms/etsi/etsi14/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
@@ -82,8 +82,8 @@ type KMS struct {
 	eventBus            *event.EventBus
 	receiver            *receiver.Receiver
 	// Akms things
-	ckmsAkmsClient *akmsClient.CkmsAkmsClient
-	ckmsAkmsServer *akmsServer.AKMSReceiverServer
+	ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	ckmsAkmsServer *akmsInterfaceServer.AKMSReceiverServer
 	// ETSI14 Server things
 	etsi14Server    *etsi14Server.ETSI14RESTService
 	keyStoreChannel chan []crypto.KSAKey
@@ -118,9 +118,13 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 		log.SetReportCaller(false)
 	}

-	var ckmsAkmsClient *akmsClient.CkmsAkmsClient
+	var ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	var err error
 	if config.AkmsURL != "" {
-		ckmsAkmsClient = akmsClient.NewCkmsAkmsClient(config.AkmsURL)
+		ckmsAkmsClient, err = akmsInterfaceClient.NewCkmsAkmsClient(config.AkmsURL, config.AkmsCkmsTLS)
+		if err != nil {
+			log.Fatalf("Failed to setup CkmsAkmsClient: %s", err)
+		}
 	}

 	gRPCTimeoutInSecondsDuration := time.Duration(config.GRPCTimeoutInSeconds) * time.Second
@@ -149,14 +153,17 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 	go createdKMS.startGRPC()

 	// initialize from config
-	err := createdKMS.initializePeers(config)
+	err = createdKMS.initializePeers(config)
 	if err != nil {
 		log.Fatalf("Failed to initialize peers: %s", err)
 	}

 	// Start the akmsCkmsReceiverServer
 	if config.AkmsCkmsServerPort != "" {
-		createdKMS.ckmsAkmsServer = akmsServer.NewAKMSReceiver(config.AkmsCkmsServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey)
+		createdKMS.ckmsAkmsServer, err = akmsInterfaceServer.NewAKMSReceiver(config.AkmsCkmsServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey, config.AkmsCkmsTLS)
+		if err != nil {
+			log.Fatalf("Failed to initialize CkmsAkmsServer: %s", err)
+		}
 		log.Infof("Starting AKMS receiver server on port: %s", config.AkmsCkmsServerPort)
 		go createdKMS.ckmsAkmsServer.Serve()
 	}

--- a/goKMS/kms/peers/etsi14Quantummodule.go
+++ b/goKMS/kms/peers/etsi14Quantummodule.go
@@ -51,7 +51,7 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, localSAEID, targetSAEID string, tl
 	}

 	if tlsConfig.Active {
-		tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
 		}

--- a/goKMS/kms/tls/tls.go
+++ b/goKMS/kms/tls/tls.go
@@ -11,15 +11,15 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 )

-func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
+func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsData.Active {
-		creds, err := generateGRPCServerTransportCredsWithTLS(tlsData.CAFile, tlsData.CertFile, tlsData.KeyFile)
+	if tlsConfig.Active {
+		tlsLibraryConfig, err := GenerateServerTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}

-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -27,9 +27,9 @@ func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (c
 	return gRPCTransportCreds, nil
 }

-func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateServerTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()
-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -38,30 +38,28 @@ func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}

-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
 	}

-	tlsConfig := &tls.Config{
+	return &tls.Config{
 		MinVersion:   tls.VersionTLS13,
 		ClientCAs:    cp,
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
+	}, nil
 }

 func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
 	if tlsConfig.Active {
-		creds, err := generateGRPCClientTransportCredsWithTLS(tlsConfig.CAFile, tlsConfig.CertFile, tlsConfig.KeyFile)
+		tlsLibraryConfig, err := GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}

-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -69,10 +67,10 @@ func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig)
 	return gRPCTransportCreds, nil
 }

-func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()

-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -80,30 +78,6 @@ func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}

-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConfig := &tls.Config{
-		MinVersion:   tls.VersionTLS13,
-		RootCAs:      cp,
-		Certificates: []tls.Certificate{cert},
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
-}
-
-func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
-	caCert, err := os.ReadFile(tlsConfig.CAFile)
-	if err != nil {
-		return nil, err
-	}
-	caCertPool := x509.NewCertPool()
-	if !caCertPool.AppendCertsFromPEM(caCert) {
-		return nil, fmt.Errorf("credentials: failed to append certificates")
-	}
-
 	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
@@ -111,7 +85,7 @@ func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {

 	return &tls.Config{
 		MinVersion:   tls.VersionTLS13,
-		RootCAs:      caCertPool,
+		RootCAs:      cp,
 		Certificates: []tls.Certificate{cert},
 	}, nil
 }