diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d065382579a78cdde5aacc07d2e6712afd5af3b4..0cf1e0e987dad121b44b279e21b34ef1a7604084 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -108,7 +108,6 @@ integration-test-kms:
"debug",
"--kms_config",
"/config/kms/kms_1.yaml",
- "--insecure",
]
- name: $IMAGE_PATH/gokms:${CI_COMMIT_REF_SLUG}_integration-test
alias: kms_2
@@ -118,7 +117,6 @@ integration-test-kms:
"debug",
"--kms_config",
"/config/kms/kms_2.yaml",
- "--insecure",
]
- name: $IMAGE_PATH/quantumlayer:${CI_COMMIT_REF_SLUG}_integration-test
alias: quantumlayer_1
diff --git a/Makefile b/Makefile
index a63c6b734ce5729c05d9a9cabe2aa9d8da237c92..c537a2497bb778cbabe6742bec59e91dc40b5d10 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,8 @@ lint-fix: install-tools
unit-test:
go test -coverprofile=coverage.out -v ./goKMS/... ./quantumlayer/...
+build: build-gokms build-quantumlayer build-etsi14module build-akms-simulator
+
build-gokms: pre
CGO_ENABLED=0 $(GOBUILD) -o $(BUILD_ARTIFACTS_PATH)/goKMS ./goKMS/main.go
@@ -96,7 +98,7 @@ debug-kms-down:
integration-test-debug-up: generate-integration-test-certs build-images
docker-compose -f integration-tests/docker-compose_integration_test.yml down
- docker-compose -f integration-tests/docker-compose_integration_test.yml up -d
+ docker-compose -f integration-tests/docker-compose_integration_test.yml up
integration-test-debug-down:
docker-compose -f integration-tests/docker-compose_integration_test.yml down
diff --git a/README.md b/README.md
index aa555fbf4bbf3ee08d12583529069efb7537f831..0cf5c9b3b2f847438b46e57ba23e5a2f7a598a70 100644
--- a/README.md
+++ b/README.md
@@ -31,9 +31,28 @@ A goKMS can be configured through a configuration file, as seen below:
Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b" # ID of the kms
Name: kms01 # name of the kms
InterComAddr: 172.100.20.10:50910 # Address of the endpoint for inter communication
-GRPCAddr: 172.100.20.10:50900 # deprecated
AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" # address of the rest endpoint of a connected AKMS (used for sending KSA key to the AKMS).
AkmsCkmsServerPort: "9696" # Port of connected AKMS
+GnmiTLS: # Settings for TLS for gNMI endpoint. Can be overwritten with cli parameters.
+ TLS: true # Whether TLS is enabled
+ CAFile: "ssl/ca.crt" # Path to ca
+ CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+ KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
+KmsTLS: # Settings for TLS for inter KMS communication
+ TLS: true # Whether TLS is enabled
+ CAFile: "ssl/ca.crt" # Path to ca
+ CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+ KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
+QuantumModuleTLS: # Settings for TLS for quantum module communication
+ TLS: true # Whether TLS is enabled
+ CAFile: "ssl/ca.crt" # Path to ca
+ CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+ KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
+AkmsCkmsTLS: # Settings for TLS for akms ckms interface
+ TLS: true # Whether TLS is enabled
+ CAFile: "ssl/ca.crt" # Path to ca
+ CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+ KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
Peers: # Peers to other goKMS
# peer to goKMS02
- PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2" # id of the peer
@@ -51,6 +70,27 @@ Peers: # Peers to other goKMS
Address: 172.100.20.18
```
+You can also provide some configuration via command line arguments. Only settings relevant for running goKMS with remote configuration via gNMI are available here. This includes gNMI TLS settings and log level. Furthermore a path to a configuration file can be provided. Keep in mind that cli arguments will be prioritized, so you can overwrite your gNMI settings in the config file with your cli arguments.
+
+Available are the following flags:
+```bash
+Usage of goKMS:
+ -caFile string
+ location of the gNMI ca file (overwrites settings in config file)
+ -certFile string
+ location of the gNMI cert file (overwrites settings in config file)
+ -gnmiBindAddress string
+ address to bind gNMI to (overwrites settings in config file) (default ":7030")
+ -gnmiTLS
+ If true do use TLS for gNMI, paths to ca, cert and key must be set aswell (overwrites settings in config file)
+ -keyFile string
+ location of the gNMI key file (overwrites settings in config file)
+ -kms_config string
+ path to the config file
+ -log string
+ logrus lof level (debug, info, warn, error, fatal, panic) (default "info")
+```
+
### Interfaces
#### Inter-KMS Communication
@@ -86,7 +126,7 @@ it is possible to manage (GET/SET/subscribe) configuration data of the KMS.
Currently we use the [temp.yang](goKMS/models/danet/temp.yang) file for this and only a part of
it is implemented yet.
-## quantumlayer
+## Quantumlayer
A prototypical implementation of an emulated quantum module.
diff --git a/config/goKMS/example01.yaml b/config/goKMS/example01.yaml
index 707ebc42dd73305ce8cecaff07f2be95aea3b09e..937cd40bb00a7d2f20364c4132db136ed0643124 100644
--- a/config/goKMS/example01.yaml
+++ b/config/goKMS/example01.yaml
@@ -5,11 +5,16 @@ QuantumAddr: 172.100.20.10:50911
GRPCAddr: 172.100.20.10:50900
AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key"
AkmsCkmsServerPort: "9696"
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms1-selfsigned.crt"
-KeyFile: "ssl/kms/kms1-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms1-selfsigned.crt"
+ KeyFile: "ssl/kms/kms1-selfsigned.key"
+QuantumModuleTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms1-selfsigned.crt"
+ KeyFile: "ssl/kms/kms1-selfsigned.key"
Peers:
# peer to kms02
- PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
diff --git a/config/goKMS/example02.yaml b/config/goKMS/example02.yaml
index a6fca31113991e8a2680a0deae204912b0f23622..4c6dfaba0410e3161ffea49ed141a7398d1ed677 100644
--- a/config/goKMS/example02.yaml
+++ b/config/goKMS/example02.yaml
@@ -3,11 +3,16 @@ Name: kms02
InterComAddr: 172.100.20.11:50910
QuantumAddr: 172.100.20.11:50911
GRPCAddr: 172.100.20.11:50900
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms2-selfsigned.crt"
-KeyFile: "ssl/kms/kms2-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms2-selfsigned.crt"
+ KeyFile: "ssl/kms/kms2-selfsigned.key"
+QuantumModuleTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms2-selfsigned.crt"
+ KeyFile: "ssl/kms/kms2-selfsigned.key"
Peers:
# peer to kms01
- PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
diff --git a/config/goKMS/example03.yaml b/config/goKMS/example03.yaml
index 046b105608ae4fa5944237e10b98cd191254a226..d1f12de6414dec2ed87ac885d2c6f2968e4e9f09 100644
--- a/config/goKMS/example03.yaml
+++ b/config/goKMS/example03.yaml
@@ -3,11 +3,16 @@ Name: kms03
InterComAddr: 172.100.20.12:50910
QuantumAddr: 172.100.20.12:50911
GRPCAddr: 172.100.20.12:50900
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms3-selfsigned.crt"
-KeyFile: "ssl/kms/kms3-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms3-selfsigned.crt"
+ KeyFile: "ssl/kms/kms3-selfsigned.key"
+QuantumModuleTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms3-selfsigned.crt"
+ KeyFile: "ssl/kms/kms3-selfsigned.key"
Peers:
# peer to kms01
- PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
diff --git a/config/goKMS/example04.yaml b/config/goKMS/example04.yaml
index 76a5869916d34fab411b7b8c5f859dc06861bf14..346dbe210fb688654685949f965848d2c3867c7f 100644
--- a/config/goKMS/example04.yaml
+++ b/config/goKMS/example04.yaml
@@ -5,11 +5,16 @@ QuantumAddr: 172.100.20.13:50911
GRPCAddr: 172.100.20.13:50900
AkmsURL: "http://172.100.20.23:4444/api/v1/keys/push_ksa_key"
AkmsCkmsServerPort: "9696"
-TLS: true
-ETSI14TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/kms/kms4-selfsigned.crt"
-KeyFile: "ssl/kms/kms4-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms4-selfsigned.crt"
+ KeyFile: "ssl/kms/kms4-selfsigned.key"
+QuantumModuleTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/kms/kms4-selfsigned.crt"
+ KeyFile: "ssl/kms/kms4-selfsigned.key"
Peers:
# peer to kms02
- PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
diff --git a/debug_configs/config/kms/kms_1.yaml b/debug_configs/config/kms/kms_1.yaml
index 47ffa2e8efd729721a71c48c8f1f2cc53f832ffc..899aa6a1675ce76b5226399df9d504c347dda554 100644
--- a/debug_configs/config/kms/kms_1.yaml
+++ b/debug_configs/config/kms/kms_1.yaml
@@ -5,10 +5,11 @@ GRPCAddr: 127.0.0.1:50900
QuantumAddr: 0.0.0.0:50911
AkmsURL: "http://127.0.0.1:4444/api/v1/keys/push_ksa_key"
AkmsCkmsServerPort: "9696"
-TLS: true
-CAFile: "../artifacts/ssl/ca.crt"
-CertFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.crt"
-KeyFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "../artifacts/ssl/ca.crt"
+ CertFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.crt"
+ KeyFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.key"
Peers:
# peer to kms_2
- PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
diff --git a/debug_configs/config/kms/kms_2.yaml b/debug_configs/config/kms/kms_2.yaml
index ff1248a36b614b961c3d0b25f502437f14c7ad3e..e9d763dcd90fb9417f5af7d4dfe9e2a8082c3db7 100644
--- a/debug_configs/config/kms/kms_2.yaml
+++ b/debug_configs/config/kms/kms_2.yaml
@@ -5,10 +5,11 @@ GRPCAddr: 0.0.0.0:50900
QuantumAddr: 0.0.0.0:50911
AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
AkmsCkmsServerPort: "9696"
-TLS: true
-CAFile: "ssl/ca.crt"
-CertFile: "ssl/debug-kms/kms2-selfsigned.crt"
-KeyFile: "ssl/debug-kms/kms2-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "ssl/ca.crt"
+ CertFile: "ssl/debug-kms/kms2-selfsigned.crt"
+ KeyFile: "ssl/debug-kms/kms2-selfsigned.key"
Peers:
# peer to kms_1
- PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
diff --git a/docker-compose.yml b/docker-compose.yml
index 743dc2c745ad5fd4e6ee4869aa6f0cd1a03890d7..5b9e158a6802e1d2bf5b94c9071df12369f8b8d3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
services:
kms_1:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms01.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms01.yaml", "--insecureGNMI"]
volumes:
- ./config/goKMS/example01.yaml:/tmp/kms/config/kms01.yaml
- ./artifacts/ssl:/ssl
@@ -11,7 +11,7 @@ services:
kms_2:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms02.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms02.yaml", "--insecureGNMI"]
volumes:
- ./config/goKMS/example02.yaml:/tmp/kms/config/kms02.yaml
- ./artifacts/ssl:/ssl
@@ -21,7 +21,7 @@ services:
kms_3:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms03.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms03.yaml", "--insecureGNMI"]
volumes:
- ./config/goKMS/example03.yaml:/tmp/kms/config/kms03.yaml
- ./artifacts/ssl:/ssl
@@ -31,7 +31,7 @@ services:
kms_4:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms04.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms04.yaml", "--insecureGNMI"]
volumes:
- ./config/goKMS/example04.yaml:/tmp/kms/config/kms04.yaml
- ./artifacts/ssl:/ssl
diff --git a/docker-compose_debug_kms.yml b/docker-compose_debug_kms.yml
index 6a7ff0ad39e25ffc2384b04ef693b0ca9d773b89..8b6a2065cf08a18af138cf396297f5d02843f8b4 100644
--- a/docker-compose_debug_kms.yml
+++ b/docker-compose_debug_kms.yml
@@ -1,7 +1,7 @@
services:
#kms_1:
#image: gokms
- #command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"]
+ #command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
#volumes:
# - ./debug_configs/config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
#ports:
@@ -10,7 +10,7 @@ services:
kms_2:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
volumes:
- ./debug_configs/config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
- ./artifacts/ssl:/ssl
diff --git a/docker-compose_small_random.yml b/docker-compose_small_random.yml
index ff5712416dedffaed969c08f595a613b33b05403..91b29d3aa79cddbbfb8a9e99b2519d645ed33b17 100644
--- a/docker-compose_small_random.yml
+++ b/docker-compose_small_random.yml
@@ -1,7 +1,7 @@
services:
kms_1:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
volumes:
- ./config/goKMS/small_kms_1.yaml:/tmp/kms/config/kms_1.yaml
ports:
@@ -10,7 +10,7 @@ services:
kms_2:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
volumes:
- ./config/goKMS/small_kms_2.yaml:/tmp/kms/config/kms_2.yaml
ports:
diff --git a/docker-compose_small_replay.yml b/docker-compose_small_replay.yml
index a84a9de8ca3820a64f2153ebdd3f0e2954e13802..1f292040449163f22bfee258ed62b127700b570f 100644
--- a/docker-compose_small_replay.yml
+++ b/docker-compose_small_replay.yml
@@ -1,7 +1,7 @@
services:
kms_1:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"]
volumes:
- ./config/goKMS/small_kms_1.yaml:/tmp/kms/config/kms_1.yaml
ports:
@@ -10,7 +10,7 @@ services:
kms_2:
image: gokms
- command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"]
+ command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"]
volumes:
- ./config/goKMS/small_kms_2.yaml:/tmp/kms/config/kms_2.yaml
ports:
diff --git a/goKMS/config/config.go b/goKMS/config/config.go
index 63af65d69e7ab58fc86150ff1c8117282c330e23..cc59263b425c4758bedf3049d99bb4f9f674b022 100644
--- a/goKMS/config/config.go
+++ b/goKMS/config/config.go
@@ -10,6 +10,7 @@ type Config struct {
GRPCAddr string `yaml:"GRPCAddr"`
AkmsURL string `yaml:"AkmsURL"`
AkmsCkmsServerPort string `yaml:"AkmsCkmsServerPort"`
+ GnmiBindAddress string `yaml:"GnmiBindAddress"`
Peers []struct {
PeerId string `yaml:"PeerId"`
PeerInterComAddr string `yaml:"PeerInterComAddr"`
@@ -17,11 +18,17 @@ type Config struct {
Type string `yaml:"Type"`
QuantumModule QuantumModule `yaml:"QuantumModule"`
} `yaml:"Peers"`
- TLS bool `yaml:"TLS"`
- ETSI14TLS bool `yaml:"ETSI14TLS"`
- CAFile string `yaml:"CAFile"`
- CertFile string `yaml:"CertFile"`
- KeyFile string `yaml:"KeyFile"`
+ GnmiTLS TLSConfig `yaml:"GnmiTLS"`
+ KmsTLS TLSConfig `yaml:"KmsTLS"`
+ QuantumModuleTLS TLSConfig `yaml:"QuantumModuleTLS"`
+ AkmsCkmsTLS TLSConfig `yaml:"AkmsCkmsTLS"`
+}
+
+type TLSConfig struct {
+ TLS bool `yaml:"TLS"`
+ CAFile string `yaml:"CAFile"`
+ CertFile string `yaml:"CertFile"`
+ KeyFile string `yaml:"KeyFile"`
}
type QuantumModule struct {
diff --git a/goKMS/kms/kms.go b/goKMS/kms/kms.go
index 393fa0435ec428102bb774b30f0c2e2ac2b93ee6..f6fe6388237693f3047978c32e8ed185b6572e08 100644
--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -68,7 +68,7 @@ type KMS struct {
kmsUUID uuid.UUID
interComAddr string
quantumAddress string
- tlsData kmstls.TlsData
+ tlsConfig config.TLSConfig
// TODO create a mapping between ids and address
remoteKMSMapping map[string]*RemoteKMS
remoteKMSMappingMutex sync.RWMutex
@@ -118,13 +118,6 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
log.SetReportCaller(false)
}
- tlsData := kmstls.TlsData{
- TLS: config.TLS,
- CaFile: config.CAFile,
- CertFile: config.CertFile,
- KeyFile: config.KeyFile,
- }
-
ckmsAkmsClient := client.NewCkmsAkmsClient(config.AkmsURL)
createdKMS := &KMS{
@@ -132,7 +125,7 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
kmsUUID: kmsUUID,
interComAddr: config.InterComAddr,
quantumAddress: config.QuantumAddr,
- tlsData: tlsData,
+ tlsConfig: config.KmsTLS,
remoteKMSMapping: make(map[string]*RemoteKMS),
quantumModules: make(map[string]peers.QuantumModule),
routingTable: make(map[uuid.UUID]*Route),
@@ -146,7 +139,7 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
createdKMS.supportedKeyLengths[BitKeyLen256] = true
// start the inter communication gRPC server
- go createdKMS.startGRPC(config.InterComAddr, config.QuantumAddr, tlsData)
+ go createdKMS.startGRPC()
// initialize from config
err := createdKMS.initializePeers(config)
@@ -173,7 +166,7 @@ func (kms *KMS) initializePeers(config *config.Config) error {
case "emulated":
qm = peers.NewEmulatedQuantumModule(pqm.Address, config.Id)
case "etsi":
- qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.SlaveSAEID, pqm.MasterSAEID, config.CAFile, config.CertFile, config.KeyFile, config.ETSI14TLS, pqm.MasterMode)
+ qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.SlaveSAEID, pqm.MasterSAEID, config.QuantumModuleTLS, pqm.MasterMode)
if err != nil {
log.Fatalf("Failed to create ETSI QKD module: %s", err)
return nil
@@ -190,8 +183,8 @@ func (kms *KMS) initializePeers(config *config.Config) error {
}
var gRPCTransportCreds credentials.TransportCredentials
- if config.TLS {
- gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(config.CAFile, config.CertFile, config.KeyFile)
+ if config.KmsTLS.TLS {
+ gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsConfig)
if err != nil {
log.Error(err)
return nil
@@ -233,15 +226,15 @@ func (kms *KMS) initializePeers(config *config.Config) error {
return nil
}
-func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData kmstls.TlsData) {
- interKMSLis, err := net.Listen("tcp", interComAddr)
+func (kms *KMS) startGRPC() {
+ interKMSLis, err := net.Listen("tcp", kms.interComAddr)
if err != nil {
log.Fatalf("failed to listen: %v", err)
}
var gRPCTransportCreds credentials.TransportCredentials
- if tlsData.TLS {
- gRPCTransportCreds, err = kmstls.GenerateGRPCServerTransportCredsWithTLS(tlsData.CaFile, tlsData.CertFile, tlsData.KeyFile)
+ if kms.tlsConfig.TLS {
+ gRPCTransportCreds, err = kmstls.GenerateGRPCServerTransportCredsWithTLS(kms.tlsConfig)
if err != nil {
log.Fatalf("unable to generate TLS creds: %v", err)
}
@@ -258,8 +251,8 @@ func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData km
KMS: kms,
})
- if quantumAddress != "" {
- quantumLis, err := net.Listen("tcp", quantumAddress)
+ if kms.quantumAddress != "" {
+ quantumLis, err := net.Listen("tcp", kms.quantumAddress)
if err != nil {
log.Fatalf("failed to listen: %v", err)
}
@@ -434,7 +427,7 @@ func (kms *KMS) GetRemoteKMS(remoteKMSId string) (*RemoteKMS, error) {
remoteKMS, ok := kms.remoteKMSMapping[remoteKMSId]
if !ok {
- return nil, fmt.Errorf("Address for remoteKMS with id %s not found", remoteKMSId)
+ return nil, fmt.Errorf("address for remoteKMS with id %s not found", remoteKMSId)
}
return remoteKMS, nil
}
@@ -497,8 +490,8 @@ func (kms *KMS) GenerateAndSendKSAKey(remoteKMSId string, pathId uuid.UUID, requ
// TODO: move this somewhere else!
// send to remote
var gRPCTransportCreds credentials.TransportCredentials
- if kms.tlsData.TLS {
- gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsData.CaFile, kms.tlsData.CertFile, kms.tlsData.KeyFile)
+ if kms.tlsConfig.TLS {
+ gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsConfig)
if err != nil {
log.Fatalf("unable to generate TLS creds: %v", err)
}
diff --git a/goKMS/kms/kmsintercom.go b/goKMS/kms/kmsintercom.go
index cc5845211a193f1ebed2618bea0bf6978ad1efe7..73a1eb5a5964131d37de02594f7ec72cfde6b898 100644
--- a/goKMS/kms/kmsintercom.go
+++ b/goKMS/kms/kmsintercom.go
@@ -287,8 +287,8 @@ func (s *kmsTalkerServer) KeyForwarding(ctx context.Context, in *pb.KeyForwardin
s.KMS.PKStoreMutex.Unlock()
var gRPCTransportCreds credentials.TransportCredentials
- if s.KMS.tlsData.TLS {
- gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsData.CaFile, s.KMS.tlsData.CertFile, s.KMS.tlsData.KeyFile)
+ if s.KMS.tlsConfig.TLS {
+ gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsConfig)
if err != nil {
log.Fatalf("unable to generate TLS creds: %v", err)
}
diff --git a/goKMS/kms/peers/qmodule.go b/goKMS/kms/peers/qmodule.go
index f878131a13676c0b31b90a857d65f2e1e12edebd..3452094f716a0e5bffdb41a4ebd88f939fd4a6bf 100644
--- a/goKMS/kms/peers/qmodule.go
+++ b/goKMS/kms/peers/qmodule.go
@@ -11,6 +11,7 @@ import (
etsi14 "code.fbi.h-da.de/danet/quant/etsi014/go/rest/etsi/client"
pbIC "code.fbi.h-da.de/danet/quant/goKMS/api/gen/proto/go/kmsintercom"
+ "code.fbi.h-da.de/danet/quant/goKMS/config"
"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
"code.fbi.h-da.de/danet/quant/goKMS/kms/store"
kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
@@ -18,7 +19,6 @@ import (
restclient "code.fbi.h-da.de/danet/quant/goKMS/restclient"
"code.fbi.h-da.de/danet/quant/quantumlayer"
"github.com/google/uuid"
- "github.com/sirupsen/logrus"
log "github.com/sirupsen/logrus"
)
@@ -76,7 +76,7 @@ func (eqe *EmulatedQuantumModule) Address() string {
func (eqe *EmulatedQuantumModule) Sync() error {
rawBulkKeyIds := util.KeysOfMap(eqe.RawBulkKeys)
- logrus.Info("Found the following bulk key ids for usage: ", rawBulkKeyIds)
+ log.Info("Found the following bulk key ids for usage: ", rawBulkKeyIds)
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
defer cancel()
@@ -92,7 +92,7 @@ func (eqe *EmulatedQuantumModule) Sync() error {
bulkKey, ok := eqe.RawBulkKeys[initialPeerSetupResponse.BulkId]
if !ok {
// TODO: add proper error message
- return fmt.Errorf("Could not find raw bulk key with id: %d", initialPeerSetupResponse.BulkId)
+ return fmt.Errorf("could not find raw bulk key with id: %d", initialPeerSetupResponse.BulkId)
}
// TODO: Initially the peer partners should discuss about the key length,
@@ -182,7 +182,7 @@ func (eqe *EmulatedQuantumModule) KeyChopper(bulkKey *quantumlayer.QuantumLayerB
if bulkKey.BulkKeyLength != len(*bulkKey.BulkKey) {
if (bulkKey.BulkKeyLength) != (len(*bulkKey.BulkKey) * 8) {
- logrus.Errorf("Length missmatch, even when converting 'bulkKey.BulkKey' to bytes: %d, %d", bulkKey.BulkKeyLength, len(*bulkKey.BulkKey))
+ log.Errorf("Length missmatch, even when converting 'bulkKey.BulkKey' to bytes: %d, %d", bulkKey.BulkKeyLength, len(*bulkKey.BulkKey))
return nil, nil, errors.New("bulkKey length mismatch")
}
}
@@ -203,7 +203,7 @@ func (eqe *EmulatedQuantumModule) KeyChopper(bulkKey *quantumlayer.QuantumLayerB
} else {
keyId, err = uuid.Parse(keyIds[counter])
if err != nil {
- return nil, nil, fmt.Errorf("The provided ID: %s can not be parsed as UUID.", keyIds[counter])
+ return nil, nil, fmt.Errorf("the provided ID: %s can not be parsed as UUID", keyIds[counter])
}
counter++
}
@@ -228,7 +228,7 @@ type ETSI014HTTPQuantumModule struct {
master bool
}
-func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID, caFile, certFile, keyFile string, etsi14TLS, master bool) (*ETSI014HTTPQuantumModule, error) {
+func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID string, tlsConfig config.TLSConfig, master bool) (*ETSI014HTTPQuantumModule, error) {
parsedUrl, err := url.Parse(addr)
if err != nil {
return nil, err
@@ -245,8 +245,8 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID, caFile, c
Scheme: parsedUrl.Scheme,
}
- if etsi14TLS {
- tlsConf, err := kmstls.GenerateTLSConf(caFile, certFile, keyFile)
+ if tlsConfig.TLS {
+ tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
if err != nil {
return nil, err
}
diff --git a/goKMS/kms/tls/tls.go b/goKMS/kms/tls/tls.go
index 219a11793a622654880612a763996e692308afcd..a7de18613d8f411e53b1cc8fa2ebb1baa9532be3 100644
--- a/goKMS/kms/tls/tls.go
+++ b/goKMS/kms/tls/tls.go
@@ -6,19 +6,13 @@ import (
"fmt"
"os"
+ "code.fbi.h-da.de/danet/quant/goKMS/config"
"google.golang.org/grpc/credentials"
)
-type TlsData struct {
- TLS bool
- CaFile string
- CertFile string
- KeyFile string
-}
-
-func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateGRPCServerTransportCredsWithTLS(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
cp := x509.NewCertPool()
- b, err := os.ReadFile(caFilePath)
+ b, err := os.ReadFile(tlsData.CAFile)
if err != nil {
return nil, err
}
@@ -27,7 +21,7 @@ func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile strin
return nil, fmt.Errorf("credentials: failed to append certificates")
}
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile)
if err != nil {
return nil, err
}
@@ -42,10 +36,10 @@ func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile strin
return credentials.NewTLS(tlsConfig), nil
}
-func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateGRPCClientTransportCredsWithTLS(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
cp := x509.NewCertPool()
- b, err := os.ReadFile(caFilePath)
+ b, err := os.ReadFile(tlsData.CAFile)
if err != nil {
return nil, err
}
@@ -53,7 +47,7 @@ func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile strin
return nil, fmt.Errorf("credentials: failed to append certificates")
}
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile)
if err != nil {
return nil, err
}
@@ -67,8 +61,8 @@ func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile strin
return credentials.NewTLS(tlsConfig), nil
}
-func GenerateTLSConf(caFile, certFile, keyFile string) (*tls.Config, error) {
- caCert, err := os.ReadFile(caFile)
+func GenerateTlsLibraryConfig(tlsData config.TLSConfig) (*tls.Config, error) {
+ caCert, err := os.ReadFile(tlsData.CAFile)
if err != nil {
return nil, err
}
@@ -77,7 +71,7 @@ func GenerateTLSConf(caFile, certFile, keyFile string) (*tls.Config, error) {
return nil, fmt.Errorf("credentials: failed to append certificates")
}
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile)
if err != nil {
return nil, err
}
diff --git a/goKMS/main.go b/goKMS/main.go
index 18d552c537effd0206716aa3a03a423c8a8dd06c..b204b34f13c6e2e3e83b3b4c3a15eaba51a452bc 100644
--- a/goKMS/main.go
+++ b/goKMS/main.go
@@ -51,11 +51,11 @@ import (
func main() {
configPath := flag.String("kms_config", "", "path to the config file")
logLevel := flag.String("log", "info", "logrus lof level (debug, info, warn, error, fatal, panic)")
- bindAddress := flag.String("bindAddress", ":7030", "address to bind to")
- certFile := flag.String("certFile", "", "location of the cert file")
- keyFile := flag.String("keyFile", "", "location of the key file")
- caFile := flag.String("caFile", "", "location of the ca file")
- insecure := flag.Bool("insecure", true, "If true do not use TLS")
+ gnmiBindAddress := flag.String("gnmiBindAddress", ":7030", "address to bind gNMI to (overwrites settings in config file)")
+ gnmiTLS := flag.Bool("gnmiTLS", false, "If true do use TLS for gNMI, paths to ca, cert and key must be set aswell (overwrites settings in config file)")
+ certFile := flag.String("certFile", "", "location of the gNMI cert file (overwrites settings in config file)")
+ keyFile := flag.String("keyFile", "", "location of the gNMI key file (overwrites settings in config file)")
+ caFile := flag.String("caFile", "", "location of the gNMI ca file (overwrites settings in config file)")
flag.Parse()
@@ -69,18 +69,20 @@ func main() {
log.Info("setting log level to ", ll)
log.SetLevel(ll)
+ // Parse config file
kmsConfig := &config.Config{}
-
log.Debugf("current config path: %s", *configPath)
file, err := os.ReadFile(*configPath)
if err != nil {
log.Fatal(err)
}
-
if err := yaml.Unmarshal(file, kmsConfig); err != nil {
log.Fatal(err)
}
+ // All gNMI settings which are provided via cli arguments should overwrite the settings in the config file.
+ overwriteConfigFieldsWithFlags(kmsConfig, gnmiBindAddress, gnmiTLS, certFile, keyFile, caFile)
+
// initialize id for the kms
var kmsId uuid.UUID
if kmsConfig.Id != "" {
@@ -89,6 +91,7 @@ func main() {
kmsId = uuid.New()
}
+ outputTlsSettings(kmsConfig)
resolveHostnameToIPForQuantumModules(kmsConfig)
kmsInfo := generateKMSInfo(kmsId)
@@ -114,8 +117,10 @@ func main() {
kmsHandler.NewAssignForwardingHandler(kms),
}
+ // The gnmiTarget implementation uses a flag to pass NO tls, so we have to invert our flag for it to work.
+ gnmiInsecure := !kmsConfig.GnmiTLS.TLS
gnmitTarget := gnmitarget.NewGnmiTarget(schema, &gnmitargetygot.Gnmitarget{}, gnmitargetygot.ΓModelData, gnmitargetygot.Unmarshal, gnmitargetygot.ΛEnum, handlers...)
- if err := gnmitTarget.Start(*bindAddress, *certFile, *keyFile, *caFile, *insecure); err != nil {
+ if err := gnmitTarget.Start(*gnmiBindAddress, kmsConfig.GnmiTLS.CertFile, kmsConfig.GnmiTLS.KeyFile, kmsConfig.GnmiTLS.CAFile, gnmiInsecure); err != nil {
log.Fatal(err)
}
}
@@ -154,6 +159,60 @@ func resolveHostnameToIPForQuantumModules(config *config.Config) {
}
}
+func outputTlsSettings(config *config.Config) {
+ log.Infof("TLS enabled for gNMIC: %t", config.GnmiTLS.TLS)
+ if config.GnmiTLS.TLS {
+ log.Infof("TLS filepaths for gNMIC; ca: %s, cert: %s, key: %s", config.GnmiTLS.CAFile, config.GnmiTLS.CertFile, config.GnmiTLS.KeyFile)
+ }
+
+ log.Infof("TLS enabled for KMS: %t", config.KmsTLS.TLS)
+ if config.KmsTLS.TLS {
+ log.Infof("TLS filepaths for KMS; ca: %s, cert: %s, key: %s", config.KmsTLS.CAFile, config.KmsTLS.CertFile, config.KmsTLS.KeyFile)
+ }
+
+ log.Infof("TLS enabled for Quantum Module: %t", config.QuantumModuleTLS.TLS)
+ if config.QuantumModuleTLS.TLS {
+ log.Infof("TLS filepaths for Quantum Module; ca: %s, cert: %s, key: %s", config.QuantumModuleTLS.CAFile, config.QuantumModuleTLS.CertFile, config.QuantumModuleTLS.KeyFile)
+ }
+
+ log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.TLS)
+ if config.AkmsCkmsTLS.TLS {
+ log.Infof("TLS filepaths for AKMS-CKMS interface; ca: %s, cert: %s, key: %s", config.AkmsCkmsTLS.CAFile, config.AkmsCkmsTLS.CertFile, config.AkmsCkmsTLS.KeyFile)
+ }
+}
+
+func isFlagPassed(name string) bool {
+ found := false
+ flag.Visit(func(f *flag.Flag) {
+ if f.Name == name {
+ found = true
+ }
+ })
+ return found
+}
+
+func overwriteConfigFieldsWithFlags(config *config.Config, gnmiBindAddress *string, gnmiTLS *bool, certFile *string, keyFile *string, caFile *string) {
+ if isFlagPassed("gnmiTLS") {
+ config.GnmiTLS.TLS = *gnmiTLS
+ }
+
+ if isFlagPassed("gnmiBindAddress") {
+ config.GnmiBindAddress = *gnmiBindAddress
+ }
+
+ if *caFile != "" {
+ config.GnmiTLS.CAFile = *caFile
+ }
+
+ if *certFile != "" {
+ config.GnmiTLS.CertFile = *certFile
+ }
+
+ if *keyFile != "" {
+ config.GnmiTLS.KeyFile = *keyFile
+ }
+}
+
func generateKMSInfo(id uuid.UUID) *config.KMSInfo {
kmsVersionInformation := config.NewKMSVersionInformation("danet-emulated-kms", "0.1.0", "0.1.0")
diff --git a/integration-tests/config/kms/kms_1.yaml b/integration-tests/config/kms/kms_1.yaml
index 7b93c10c61b13e38f1cb2de6d1fb3e7d019e36b6..273b444090a9b320d6ae5aa5dcb9c9a6a4df03bc 100644
--- a/integration-tests/config/kms/kms_1.yaml
+++ b/integration-tests/config/kms/kms_1.yaml
@@ -5,10 +5,11 @@ QuantumAddr: 0.0.0.0:50911
GRPCAddr: 0.0.0.0:50900
AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
AkmsCkmsServerPort: "9696"
-TLS: true
-CAFile: "config/ssl/ca.crt"
-CertFile: "config/ssl/kms/kms1-selfsigned.crt"
-KeyFile: "config/ssl/kms/kms1-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "config/ssl/ca.crt"
+ CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+ KeyFile: "config/ssl/kms/kms1-selfsigned.key"
Peers:
# peer to kms_2
- PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
diff --git a/integration-tests/config/kms/kms_2.yaml b/integration-tests/config/kms/kms_2.yaml
index 537e2a8e08d0dd89fd06c464dca0416b9f53204a..319da986a4f47b927cdaa595062a8c016b96fe64 100644
--- a/integration-tests/config/kms/kms_2.yaml
+++ b/integration-tests/config/kms/kms_2.yaml
@@ -5,10 +5,11 @@ QuantumAddr: 0.0.0.0:50911
GRPCAddr: 0.0.0.0:50900
AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
AkmsCkmsServerPort: "9696"
-TLS: true
-CAFile: "config/ssl/ca.crt"
-CertFile: "config/ssl/kms/kms2-selfsigned.crt"
-KeyFile: "config/ssl/kms/kms2-selfsigned.key"
+KmsTLS:
+ TLS: true
+ CAFile: "config/ssl/ca.crt"
+ CertFile: "config/ssl/kms/kms2-selfsigned.crt"
+ KeyFile: "config/ssl/kms/kms2-selfsigned.key"
Peers:
# peer to kms_1
- PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
diff --git a/integration-tests/docker-compose_integration_test.yml b/integration-tests/docker-compose_integration_test.yml
index 4c6dacf19900291f05baf2fbad26c7ad9874c8fd..8576fc0a3f841292090c17394f74fab01f39e613 100644
--- a/integration-tests/docker-compose_integration_test.yml
+++ b/integration-tests/docker-compose_integration_test.yml
@@ -7,7 +7,6 @@ services:
"debug",
"--kms_config",
"/tmp/kms/config/kms_1.yaml",
- "--insecure",
]
volumes:
- ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml
@@ -24,7 +23,6 @@ services:
"debug",
"--kms_config",
"/tmp/kms/config/kms_2.yaml",
- "--insecure",
]
volumes:
- ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml
diff --git a/playground.clab.yaml b/playground.clab.yaml
index 8dc09fb6ac19e9626e274c5939271c19ffd31f47..a43e54e79b08cf0461d488e984bc60659a48d232 100644
--- a/playground.clab.yaml
+++ b/playground.clab.yaml
@@ -46,7 +46,7 @@ topology:
mgmt-ipv4: 172.100.20.10
binds:
- ./config/kms/example01.yaml:/tmp/kms/config/kms01.yaml
- cmd: --log debug --kms_config /tmp/kms/config/kms01.yaml --insecure
+ cmd: --log debug --kms_config /tmp/kms/config/kms01.yaml --insecureGNMI
kms2:
kind: linux
@@ -54,7 +54,7 @@ topology:
mgmt-ipv4: 172.100.20.11
binds:
- ./config/kms/example02.yaml:/tmp/kms/config/kms02.yaml
- cmd: --log debug --kms_config /tmp/kms/config/kms02.yaml --insecure
+ cmd: --log debug --kms_config /tmp/kms/config/kms02.yaml --insecureGNMI
kms3:
kind: linux
@@ -62,7 +62,7 @@ topology:
mgmt-ipv4: 172.100.20.12
binds:
- ./config/kms/example03.yaml:/tmp/kms/config/kms03.yaml
- cmd: --log debug --kms_config /tmp/kms/config/kms03.yaml --insecure
+ cmd: --log debug --kms_config /tmp/kms/config/kms03.yaml --insecureGNMI
kms4:
kind: linux
@@ -70,7 +70,7 @@ topology:
mgmt-ipv4: 172.100.20.13
binds:
- ./config/kms/example04.yaml:/tmp/kms/config/kms04.yaml
- cmd: --log debug --kms_config /tmp/kms/config/kms04.yaml --insecure
+ cmd: --log debug --kms_config /tmp/kms/config/kms04.yaml --insecureGNMI
qlayer01:
kind: linux