Added propagation over error via platfrom KeyDelivery

c507171c · Martin Stiemerling · 967de7f9 · c507171c · c507171c
Commit c507171c authored Jul 26, 2024 by Martin Stiemerling
--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -642,7 +642,7 @@ func (kms *KMS) sendKSAKeysToPlatformKmsPeer(kmsPeerAddress, platformKeyID, requ
 	md := metadata.Pairs("hostname", kms.kmsName)
 	ctx = metadata.NewOutgoingContext(ctx, md)
 	defer cancel()
-	_, err = remoteClient.KeyDelivery(ctx, &pbIC.KeyDeliveryRequest{
+	keyDeliveryReponse, err := remoteClient.KeyDelivery(ctx, &pbIC.KeyDeliveryRequest{
 		KeyId:            platformKeyID,
 		RequestId:        requestID,
 		KmsId:            kms.kmsUUID.String(),
@@ -655,6 +655,11 @@ func (kms *KMS) sendKSAKeysToPlatformKmsPeer(kmsPeerAddress, platformKeyID, requ
 		return err
 	}
+	// check for errors that happened remote CKMS for ETSI20
+	if !keyDeliveryReponse.E20FwdOk {
+		return fmt.Errorf("(ETSI20) forwarded key requests  to remote CKMS but processing error on remote side")
+	}
 	return nil
 }
@@ -722,6 +727,7 @@ func (kms *KMS) exchangeKeyAfterETSI20GetKeyRequest(receivingCKMSID uuid.UUID, r
 	err = kms.shipKSAKeytoPlatformKmsPeer(receivingCKMSID, pathID, requestID, keysToFwd, initSaedID, targetSaedIDs)
 	if err != nil {
 		log.Printf("(ETSI20) failed while shipping to platform KMS peer: %s", err)
+		return err
 	}
 	log.Printf("(ETSI20) shipped platform keys to KMS peer: %s", receivingCKMSID)

--- a/goKMS/kms/kmsintercom.go
+++ b/goKMS/kms/kmsintercom.go
@@ -318,6 +318,8 @@ func (s *kmsTalkerServer) KeyDelivery(ctx context.Context, in *pb.KeyDeliveryReq
 		}
 	}
+	e20result := false
 	if s.kms.keyStoreChannel != nil && in.GetRequestId() == etsi014RequestID {
 		log.Debugf("(ETSI14) Pushing to KeyStoreChannel: %v in %s", s.kms.keyStoreChannel, s.kms.kmsName)
 		s.kms.keyStoreChannel <- akmsKSAKeys
@@ -334,12 +336,15 @@ func (s *kmsTalkerServer) KeyDelivery(ctx context.Context, in *pb.KeyDeliveryReq
 		err = e20bnClient.ETSI20ForwardExternal(initID, targetID, akmsKSAKeys)
 		if err != nil {
 			log.Errorf("(ETSI20 cannot forward to ETSI20 bordnernode %s due to %s", httpAString, err)
+			e20result = false
+		} else {
+			e20result = true
 		}
 	} else if s.kms.ckmsAkmsClient != nil {
 		go s.kms.ckmsAkmsClient.SendKSAKeysToRequestingInstances(in.GetRequestId(), platformKey.ProcessId, akmsKSAKeys) //nolint:errcheck
 	}
-	return &pb.KeyDeliveryResponse{Timestamp: time.Now().Unix()}, nil
+	return &pb.KeyDeliveryResponse{Timestamp: time.Now().Unix(), E20FwdOk: e20result}, nil
 }
 func (s *kmsTalkerServer) getDecryptedKey(keyForDecryption []byte, cryptoAlgorithm crypto.CryptoAlgorithm, encryptedKey *pb.Key) ([]byte, error) {