From e414b725b68bfb04340cfa366ab10eb9967b5304 Mon Sep 17 00:00:00 2001 From: Neil-Jocelyn Schark <neil.schark@h-da.de> Date: Fri, 10 May 2024 11:59:19 +0000 Subject: [PATCH] Rework flags and tls config and enable one cert per endpoint See merge request danet/quant!108 --- .gitlab-ci.yml | 2 - Makefile | 4 +- README.md | 44 ++++++++++- config/goKMS/example01.yaml | 15 ++-- config/goKMS/example02.yaml | 15 ++-- config/goKMS/example03.yaml | 15 ++-- config/goKMS/example04.yaml | 15 ++-- debug_configs/config/kms/kms_1.yaml | 9 ++- debug_configs/config/kms/kms_2.yaml | 9 ++- docker-compose.yml | 8 +- docker-compose_debug_kms.yml | 4 +- docker-compose_small_random.yml | 4 +- docker-compose_small_replay.yml | 4 +- goKMS/config/config.go | 17 +++-- goKMS/kms/kms.go | 37 ++++----- goKMS/kms/kmsintercom.go | 4 +- goKMS/kms/peers/qmodule.go | 16 ++-- goKMS/kms/tls/tls.go | 26 +++---- goKMS/main.go | 75 +++++++++++++++++-- integration-tests/config/kms/kms_1.yaml | 9 ++- integration-tests/config/kms/kms_2.yaml | 9 ++- .../docker-compose_integration_test.yml | 2 - playground.clab.yaml | 8 +- 23 files changed, 233 insertions(+), 118 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d0653825..0cf1e0e9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -108,7 +108,6 @@ integration-test-kms: "debug", "--kms_config", "/config/kms/kms_1.yaml", - "--insecure", ] - name: $IMAGE_PATH/gokms:${CI_COMMIT_REF_SLUG}_integration-test alias: kms_2 @@ -118,7 +117,6 @@ integration-test-kms: "debug", "--kms_config", "/config/kms/kms_2.yaml", - "--insecure", ] - name: $IMAGE_PATH/quantumlayer:${CI_COMMIT_REF_SLUG}_integration-test alias: quantumlayer_1 diff --git a/Makefile b/Makefile index a63c6b73..c537a249 100644 --- a/Makefile +++ b/Makefile 
@@ -44,6 +44,8 @@ lint-fix: install-tools unit-test: go test -coverprofile=coverage.out -v ./goKMS/... ./quantumlayer/... +build: build-gokms build-quantumlayer build-etsi14module build-akms-simulator + build-gokms: pre CGO_ENABLED=0 $(GOBUILD) -o $(BUILD_ARTIFACTS_PATH)/goKMS ./goKMS/main.go @@ -96,7 +98,7 @@ debug-kms-down: integration-test-debug-up: generate-integration-test-certs build-images docker-compose -f integration-tests/docker-compose_integration_test.yml down - docker-compose -f integration-tests/docker-compose_integration_test.yml up -d + docker-compose -f integration-tests/docker-compose_integration_test.yml up integration-test-debug-down: docker-compose -f integration-tests/docker-compose_integration_test.yml down diff --git a/README.md b/README.md index aa555fbf..0cf5c9b3 100644 --- a/README.md +++ b/README.md 
@@ -31,9 +31,28 @@ A goKMS can be configured through a configuration file, as seen below: Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b" # ID of the kms Name: kms01 # name of the kms InterComAddr: 172.100.20.10:50910 # Address of the endpoint for inter communication -GRPCAddr: 172.100.20.10:50900 # deprecated AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" # address of the rest endpoint of a connected AKMS (used for sending KSA key to the AKMS). AkmsCkmsServerPort: "9696" # Port of connected AKMS +GnmiTLS: # Settings for TLS for gNMI endpoint. Can be overwritten with cli parameters. + TLS: true # Whether TLS is enabled + CAFile: "ssl/ca.crt" # Path to ca + CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert + KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key +KmsTLS: # Settings for TLS for inter KMS communication + TLS: true # Whether TLS is enabled + CAFile: "ssl/ca.crt" # Path to ca + CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert + KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key +QuantumModuleTLS: # Settings for TLS for quantum module communication + TLS: true # Whether TLS is enabled + CAFile: "ssl/ca.crt" # Path to ca + CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert + KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key +AkmsCkmsTLS: # Settings for TLS for akms ckms interface + TLS: true # Whether TLS is enabled + CAFile: "ssl/ca.crt" # Path to ca + CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert + KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key Peers: # Peers to other goKMS # peer to goKMS02 - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2" # id of the peer 
@@ -51,6 +70,27 @@ Peers: # Peers to other goKMS Address: 172.100.20.18 ``` +You can also provide some configuration via command line arguments. Only settings relevant for running goKMS with remote configuration via gNMI are available here. This includes gNMI TLS settings and log level. Furthermore a path to a configuration file can be provided. Keep in mind that cli arguments will be prioritized, so you can overwrite your gNMI settings in the config file with your cli arguments. + +Available are the following flags: +```bash +Usage of goKMS: + -caFile string + location of the gNMI ca file (overwrites settings in config file) + -certFile string + location of the gNMI cert file (overwrites settings in config file) + -gnmiBindAddress string + address to bind gNMI to (overwrites settings in config file) (default ":7030") + -gnmiTLS + If true do use TLS for gNMI, paths to ca, cert and key must be set aswell (overwrites settings in config file) + -keyFile string + location of the gNMI key file (overwrites settings in config file) + -kms_config string + path to the config file + -log string + logrus lof level (debug, info, warn, error, fatal, panic) (default "info") +``` + ### Interfaces #### Inter-KMS Communication @@ -86,7 +126,7 @@ it is possible to manage (GET/SET/subscribe) configuration data of the KMS. Currently we use the [temp.yang](goKMS/models/danet/temp.yang) file for this and only a part of it is implemented yet. -## quantumlayer +## Quantumlayer A prototypical implementation of an emulated quantum module. diff --git a/config/goKMS/example01.yaml b/config/goKMS/example01.yaml index 707ebc42..937cd40b 100644 --- a/config/goKMS/example01.yaml +++ b/config/goKMS/example01.yaml 
@@ -5,11 +5,16 @@ QuantumAddr: 172.100.20.10:50911 GRPCAddr: 172.100.20.10:50900 AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" AkmsCkmsServerPort: "9696" -TLS: true -ETSI14TLS: true -CAFile: "ssl/ca.crt" -CertFile: "ssl/kms/kms1-selfsigned.crt" -KeyFile: "ssl/kms/kms1-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms1-selfsigned.crt" + KeyFile: "ssl/kms/kms1-selfsigned.key" +QuantumModuleTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms1-selfsigned.crt" + KeyFile: "ssl/kms/kms1-selfsigned.key" Peers: # peer to kms02 - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2" diff --git a/config/goKMS/example02.yaml b/config/goKMS/example02.yaml index a6fca311..4c6dfaba 100644 --- a/config/goKMS/example02.yaml +++ b/config/goKMS/example02.yaml @@ -3,11 +3,16 @@ Name: kms02 InterComAddr: 172.100.20.11:50910 QuantumAddr: 172.100.20.11:50911 GRPCAddr: 172.100.20.11:50900 -TLS: true -ETSI14TLS: true -CAFile: "ssl/ca.crt" -CertFile: "ssl/kms/kms2-selfsigned.crt" -KeyFile: "ssl/kms/kms2-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms2-selfsigned.crt" + KeyFile: "ssl/kms/kms2-selfsigned.key" +QuantumModuleTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms2-selfsigned.crt" + KeyFile: "ssl/kms/kms2-selfsigned.key" Peers: # peer to kms01 - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b" diff --git a/config/goKMS/example03.yaml b/config/goKMS/example03.yaml index 046b1056..d1f12de6 100644 --- a/config/goKMS/example03.yaml +++ b/config/goKMS/example03.yaml 
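Review bot: example01.yaml gains KmsTLS and QuantumModuleTLS blocks but no GnmiTLS block, and since the new `gnmiTLS` flag in goKMS/main.go defaults to false, the gNMI management endpoint of a node started from this template is served without TLS unless a CLI flag turns it on; nothing in the file says so. A comment above the TLS section makes the choice explicit: `# No GnmiTLS block: the gNMI management endpoint runs in plaintext unless --gnmiTLS (plus --caFile/--certFile/--keyFile) is passed`. It is also worth a line that both blocks deliberately reuse the same kms1-selfsigned pair, since the commit subject speaks of one cert per endpoint and a reader may take the example as showing the separation rather than only the structure.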
@@ -3,11 +3,16 @@ Name: kms03 InterComAddr: 172.100.20.12:50910 QuantumAddr: 172.100.20.12:50911 GRPCAddr: 172.100.20.12:50900 -TLS: true -ETSI14TLS: true -CAFile: "ssl/ca.crt" -CertFile: "ssl/kms/kms3-selfsigned.crt" -KeyFile: "ssl/kms/kms3-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms3-selfsigned.crt" + KeyFile: "ssl/kms/kms3-selfsigned.key" +QuantumModuleTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms3-selfsigned.crt" + KeyFile: "ssl/kms/kms3-selfsigned.key" Peers: # peer to kms01 - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b" diff --git a/config/goKMS/example04.yaml b/config/goKMS/example04.yaml index 76a58699..346dbe21 100644 --- a/config/goKMS/example04.yaml +++ b/config/goKMS/example04.yaml @@ -5,11 +5,16 @@ QuantumAddr: 172.100.20.13:50911 GRPCAddr: 172.100.20.13:50900 AkmsURL: "http://172.100.20.23:4444/api/v1/keys/push_ksa_key" AkmsCkmsServerPort: "9696" -TLS: true -ETSI14TLS: true -CAFile: "ssl/ca.crt" -CertFile: "ssl/kms/kms4-selfsigned.crt" -KeyFile: "ssl/kms/kms4-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms4-selfsigned.crt" + KeyFile: "ssl/kms/kms4-selfsigned.key" +QuantumModuleTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/kms/kms4-selfsigned.crt" + KeyFile: "ssl/kms/kms4-selfsigned.key" Peers: # peer to kms02 - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2" diff --git a/debug_configs/config/kms/kms_1.yaml b/debug_configs/config/kms/kms_1.yaml index 47ffa2e8..899aa6a1 100644 --- a/debug_configs/config/kms/kms_1.yaml +++ b/debug_configs/config/kms/kms_1.yaml 
@@ -5,10 +5,11 @@ GRPCAddr: 127.0.0.1:50900 QuantumAddr: 0.0.0.0:50911 AkmsURL: "http://127.0.0.1:4444/api/v1/keys/push_ksa_key" AkmsCkmsServerPort: "9696" -TLS: true -CAFile: "../artifacts/ssl/ca.crt" -CertFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.crt" -KeyFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "../artifacts/ssl/ca.crt" + CertFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.crt" + KeyFile: "../artifacts/ssl/debug-kms/kms1-selfsigned.key" Peers: # peer to kms_2 - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2' diff --git a/debug_configs/config/kms/kms_2.yaml b/debug_configs/config/kms/kms_2.yaml index ff1248a3..e9d763dc 100644 --- a/debug_configs/config/kms/kms_2.yaml +++ b/debug_configs/config/kms/kms_2.yaml @@ -5,10 +5,11 @@ GRPCAddr: 0.0.0.0:50900 QuantumAddr: 0.0.0.0:50911 AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key" AkmsCkmsServerPort: "9696" -TLS: true -CAFile: "ssl/ca.crt" -CertFile: "ssl/debug-kms/kms2-selfsigned.crt" -KeyFile: "ssl/debug-kms/kms2-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "ssl/ca.crt" + CertFile: "ssl/debug-kms/kms2-selfsigned.crt" + KeyFile: "ssl/debug-kms/kms2-selfsigned.key" Peers: # peer to kms_1 - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b' diff --git a/docker-compose.yml b/docker-compose.yml index 743dc2c7..5b9e158a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,7 @@ services: kms_1: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms01.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms01.yaml", "--insecureGNMI"] volumes: - ./config/goKMS/example01.yaml:/tmp/kms/config/kms01.yaml - ./artifacts/ssl:/ssl 
@@ -11,7 +11,7 @@ services: kms_2: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms02.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms02.yaml", "--insecureGNMI"] volumes: - ./config/goKMS/example02.yaml:/tmp/kms/config/kms02.yaml - ./artifacts/ssl:/ssl @@ -21,7 +21,7 @@ services: kms_3: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms03.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms03.yaml", "--insecureGNMI"] volumes: - ./config/goKMS/example03.yaml:/tmp/kms/config/kms03.yaml - ./artifacts/ssl:/ssl @@ -31,7 +31,7 @@ services: kms_4: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms04.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms04.yaml", "--insecureGNMI"] volumes: - ./config/goKMS/example04.yaml:/tmp/kms/config/kms04.yaml - ./artifacts/ssl:/ssl diff --git a/docker-compose_debug_kms.yml b/docker-compose_debug_kms.yml index 6a7ff0ad..8b6a2065 100644 --- a/docker-compose_debug_kms.yml +++ b/docker-compose_debug_kms.yml @@ -1,7 +1,7 @@ services: #kms_1: #image: gokms - #command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"] + #command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"] #volumes: # - ./debug_configs/config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml #ports: @@ -10,7 +10,7 @@ services: kms_2: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"] volumes: - ./debug_configs/config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml - ./artifacts/ssl:/ssl diff --git a/docker-compose_small_random.yml b/docker-compose_small_random.yml index ff571241..91b29d3a 100644 --- a/docker-compose_small_random.yml +++ b/docker-compose_small_random.yml 
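Review bot: The `--insecureGNMI` argument given to kms_1 through kms_4 is not defined anywhere in goKMS/main.go in this patch, which only registers `kms_config`, `log`, `gnmiBindAddress`, `gnmiTLS`, `certFile`, `keyFile` and `caFile`. Go's default flag set is created with ExitOnError, so flag.Parse prints the usage text and exits with status 2 on the unknown flag and none of the four containers will start. Because `gnmiTLS` already defaults to false, the intended plaintext gNMI is obtained by dropping the argument, as docker-compose_debug_kms.yml in this same patch does: `command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms04.yaml"]`. If an explicit opt-out is wanted for readability, `--gnmiTLS=false` is the flag that exists.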
@@ -1,7 +1,7 @@ services: kms_1: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"] volumes: - ./config/goKMS/small_kms_1.yaml:/tmp/kms/config/kms_1.yaml ports: @@ -10,7 +10,7 @@ services: kms_2: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"] volumes: - ./config/goKMS/small_kms_2.yaml:/tmp/kms/config/kms_2.yaml ports: diff --git a/docker-compose_small_replay.yml b/docker-compose_small_replay.yml index a84a9de8..1f292040 100644 --- a/docker-compose_small_replay.yml +++ b/docker-compose_small_replay.yml @@ -1,7 +1,7 @@ services: kms_1: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml"] volumes: - ./config/goKMS/small_kms_1.yaml:/tmp/kms/config/kms_1.yaml ports: @@ -10,7 +10,7 @@ services: kms_2: image: gokms - command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", "--insecure"] + command: ["--log", "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml"] volumes: - ./config/goKMS/small_kms_2.yaml:/tmp/kms/config/kms_2.yaml ports: diff --git a/goKMS/config/config.go b/goKMS/config/config.go index 63af65d6..cc59263b 100644 --- a/goKMS/config/config.go +++ b/goKMS/config/config.go @@ -10,6 +10,7 @@ type Config struct { GRPCAddr string `yaml:"GRPCAddr"` AkmsURL string `yaml:"AkmsURL"` AkmsCkmsServerPort string `yaml:"AkmsCkmsServerPort"` + GnmiBindAddress string `yaml:"GnmiBindAddress"` Peers []struct { PeerId string `yaml:"PeerId"` PeerInterComAddr string `yaml:"PeerInterComAddr"` 
@@ -17,11 +18,17 @@ type Config struct {
 Type string `yaml:"Type"`
 QuantumModule QuantumModule `yaml:"QuantumModule"`
 } `yaml:"Peers"`
- TLS bool `yaml:"TLS"`
- ETSI14TLS bool `yaml:"ETSI14TLS"`
- CAFile string `yaml:"CAFile"`
- CertFile string `yaml:"CertFile"`
- KeyFile string `yaml:"KeyFile"`
+ GnmiTLS TLSConfig `yaml:"GnmiTLS"`
+ KmsTLS TLSConfig `yaml:"KmsTLS"`
+ QuantumModuleTLS TLSConfig `yaml:"QuantumModuleTLS"`
+ AkmsCkmsTLS TLSConfig `yaml:"AkmsCkmsTLS"`
+}
+
+type TLSConfig struct {
+ TLS bool `yaml:"TLS"`
+ CAFile string `yaml:"CAFile"`
+ CertFile string `yaml:"CertFile"`
+ KeyFile string `yaml:"KeyFile"`
 }
 
 type QuantumModule struct {
diff --git a/goKMS/kms/kms.go b/goKMS/kms/kms.go
index 393fa043..f6fe6388 100644
--- a/goKMS/kms/kms.go
+++ b/goKMS/kms/kms.go
@@ -68,7 +68,7 @@ type KMS struct {
 kmsUUID uuid.UUID
 interComAddr string
 quantumAddress string
- tlsData kmstls.TlsData
+ tlsConfig config.TLSConfig
 // TODO create a mapping between ids and address
 remoteKMSMapping map[string]*RemoteKMS
 remoteKMSMappingMutex sync.RWMutex
@@ -118,13 +118,6 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 log.SetReportCaller(false)
 }
 
- tlsData := kmstls.TlsData{
- TLS: config.TLS,
- CaFile: config.CAFile,
- CertFile: config.CertFile,
- KeyFile: config.KeyFile,
- }
-
 ckmsAkmsClient := client.NewCkmsAkmsClient(config.AkmsURL)
 
 createdKMS := &KMS{
@@ -132,7 +125,7 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 kmsUUID: kmsUUID,
 interComAddr: config.InterComAddr,
 quantumAddress: config.QuantumAddr,
- tlsData: tlsData,
+ tlsConfig: config.KmsTLS,
 remoteKMSMapping: make(map[string]*RemoteKMS),
 quantumModules: make(map[string]peers.QuantumModule),
 routingTable: make(map[uuid.UUID]*Route),
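Review bot: AkmsCkmsTLS is added to Config and the README documents it as the TLS settings of the AKMS-CKMS interface, but within this patch its only reader is the logging helper in main.go; the NewKMS hunk on this same line still builds the AKMS client as `client.NewCkmsAkmsClient(config.AkmsURL)` with no TLS material. A deployment that sets `AkmsCkmsTLS.TLS: true` therefore gets an "enabled" log line and, as far as the visible code shows, no TLS on that interface. Until a consumer exists, mark the field with `// NOTE: parsed and logged only; not yet applied to the AKMS client` so the gap is visible at the definition. TLSConfig itself also deserves a doc comment, e.g. `// TLSConfig is the per-endpoint TLS switch plus the PEM paths of the CA bundle, certificate and private key.`, since it is now the type every endpoint shares.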
@@ -146,7 +139,7 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso createdKMS.supportedKeyLengths[BitKeyLen256] = true // start the inter communication gRPC server - go createdKMS.startGRPC(config.InterComAddr, config.QuantumAddr, tlsData) + go createdKMS.startGRPC() // initialize from config err := createdKMS.initializePeers(config) @@ -173,7 +166,7 @@ func (kms *KMS) initializePeers(config *config.Config) error { case "emulated": qm = peers.NewEmulatedQuantumModule(pqm.Address, config.Id) case "etsi": - qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.SlaveSAEID, pqm.MasterSAEID, config.CAFile, config.CertFile, config.KeyFile, config.ETSI14TLS, pqm.MasterMode) + qm, err = peers.NewETSI014HTTPQuantumModule(pqm.Address, config.Id, pqm.SlaveSAEID, pqm.MasterSAEID, config.QuantumModuleTLS, pqm.MasterMode) if err != nil { log.Fatalf("Failed to create ETSI QKD module: %s", err) return nil @@ -190,8 +183,8 @@ func (kms *KMS) initializePeers(config *config.Config) error { } var gRPCTransportCreds credentials.TransportCredentials - if config.TLS { - gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(config.CAFile, config.CertFile, config.KeyFile) + if config.KmsTLS.TLS { + gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsConfig) if err != nil { log.Error(err) return nil 
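Review bot: In initializePeers the TLS switch is read from `config.KmsTLS.TLS` while the material passed on the next line comes from `kms.tlsConfig`; the two agree only because NewKMS copies config.KmsTLS into tlsConfig, so the guard should read the field it actually uses, `if kms.tlsConfig.TLS {`, as startGRPC does. Separately, the QuantumModuleTLS block is handed only to NewETSI014HTTPQuantumModule, whereas the `emulated` branch still constructs `peers.NewEmulatedQuantumModule(pqm.Address, config.Id)` without any TLS settings; if the emulated link is meant to be covered by QuantumModuleTLS that branch needs the same argument, otherwise the README's "TLS for quantum module communication" is broader than what the code does. initializePeers starts and ends outside this hunk.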
@@ -233,15 +226,15 @@ func (kms *KMS) initializePeers(config *config.Config) error { return nil } -func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData kmstls.TlsData) { - interKMSLis, err := net.Listen("tcp", interComAddr) +func (kms *KMS) startGRPC() { + interKMSLis, err := net.Listen("tcp", kms.interComAddr) if err != nil { log.Fatalf("failed to listen: %v", err) } var gRPCTransportCreds credentials.TransportCredentials - if tlsData.TLS { - gRPCTransportCreds, err = kmstls.GenerateGRPCServerTransportCredsWithTLS(tlsData.CaFile, tlsData.CertFile, tlsData.KeyFile) + if kms.tlsConfig.TLS { + gRPCTransportCreds, err = kmstls.GenerateGRPCServerTransportCredsWithTLS(kms.tlsConfig) if err != nil { log.Fatalf("unable to generate TLS creds: %v", err) } @@ -258,8 +251,8 @@ func (kms *KMS) startGRPC(interComAddr string, quantumAddress string, tlsData km KMS: kms, }) - if quantumAddress != "" { - quantumLis, err := net.Listen("tcp", quantumAddress) + if kms.quantumAddress != "" { + quantumLis, err := net.Listen("tcp", kms.quantumAddress) if err != nil { log.Fatalf("failed to listen: %v", err) } @@ -434,7 +427,7 @@ func (kms *KMS) GetRemoteKMS(remoteKMSId string) (*RemoteKMS, error) { remoteKMS, ok := kms.remoteKMSMapping[remoteKMSId] if !ok { - return nil, fmt.Errorf("Address for remoteKMS with id %s not found", remoteKMSId) + return nil, fmt.Errorf("address for remoteKMS with id %s not found", remoteKMSId) } return remoteKMS, nil } 
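Review bot: The quantum-module listener opened here at kms.quantumAddress lives in the same function as the server credentials built from kms.tlsConfig, i.e. the KmsTLS block; if the lines after this hunk attach those credentials to the quantum gRPC server (they are outside the view), then QuantumModuleTLS, which this patch's README describes as the settings for quantum-module communication, does not govern this server at all and the outbound ETSI014 client is its only consumer. Either build a second credentials object from the QuantumModuleTLS block for quantumLis, or document the asymmetry at the listener with `// quantumLis is served with the KmsTLS credentials; QuantumModuleTLS only applies to the outbound ETSI014 client`. A doc comment on startGRPC stating that it serves both the inter-KMS and the quantum-module endpoints from one credential set would make the behaviour discoverable; the function ends outside this hunk.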
@@ -497,8 +490,8 @@ func (kms *KMS) GenerateAndSendKSAKey(remoteKMSId string, pathId uuid.UUID, requ // TODO: move this somewhere else! // send to remote var gRPCTransportCreds credentials.TransportCredentials - if kms.tlsData.TLS { - gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsData.CaFile, kms.tlsData.CertFile, kms.tlsData.KeyFile) + if kms.tlsConfig.TLS { + gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(kms.tlsConfig) if err != nil { log.Fatalf("unable to generate TLS creds: %v", err) } diff --git a/goKMS/kms/kmsintercom.go b/goKMS/kms/kmsintercom.go index cc584521..73a1eb5a 100644 --- a/goKMS/kms/kmsintercom.go +++ b/goKMS/kms/kmsintercom.go @@ -287,8 +287,8 @@ func (s *kmsTalkerServer) KeyForwarding(ctx context.Context, in *pb.KeyForwardin s.KMS.PKStoreMutex.Unlock() var gRPCTransportCreds credentials.TransportCredentials - if s.KMS.tlsData.TLS { - gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsData.CaFile, s.KMS.tlsData.CertFile, s.KMS.tlsData.KeyFile) + if s.KMS.tlsConfig.TLS { + gRPCTransportCreds, err = kmstls.GenerateGRPCClientTransportCredsWithTLS(s.KMS.tlsConfig) if err != nil { log.Fatalf("unable to generate TLS creds: %v", err) } diff --git a/goKMS/kms/peers/qmodule.go b/goKMS/kms/peers/qmodule.go index f878131a..3452094f 100644 --- a/goKMS/kms/peers/qmodule.go +++ b/goKMS/kms/peers/qmodule.go @@ -11,6 +11,7 @@ import ( etsi14 "code.fbi.h-da.de/danet/quant/etsi014/go/rest/etsi/client" pbIC "code.fbi.h-da.de/danet/quant/goKMS/api/gen/proto/go/kmsintercom" + "code.fbi.h-da.de/danet/quant/goKMS/config" "code.fbi.h-da.de/danet/quant/goKMS/kms/event" "code.fbi.h-da.de/danet/quant/goKMS/kms/store" kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls" 
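Review bot: GenerateAndSendKSAKey rebuilds client transport credentials on every call, which after this change means re-reading the CA bundle and the key pair from disk for each KSA key it sends, and a read failure escalates to `log.Fatalf`, stopping the whole KMS in the middle of normal key delivery. Now that tlsConfig is a field of KMS, the credentials can be created once in NewKMS (where the listener credentials are already built) and stored next to it, leaving this path to pick the cached object; that also retires the `// TODO: move this somewhere else!` marker that still precedes the block. The function begins and ends outside this hunk.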
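Review bot: KeyForwarding is an inbound gRPC handler, and the retained `log.Fatalf("unable to generate TLS creds: %v", err)` means one forwarding request that hits an unreadable PEM file terminates the process instead of failing that single RPC; the new code only swaps the argument and keeps this behaviour. Log the error and return it through the handler's error result (its exact return shape is outside the hunk), so that a local file problem cannot be turned into an outage of the node by whichever peer happens to forward next. The handler starts and ends outside this hunk.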
@@ -18,7 +19,6 @@ import ( restclient "code.fbi.h-da.de/danet/quant/goKMS/restclient" "code.fbi.h-da.de/danet/quant/quantumlayer" "github.com/google/uuid" - "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus" ) @@ -76,7 +76,7 @@ func (eqe *EmulatedQuantumModule) Address() string { func (eqe *EmulatedQuantumModule) Sync() error { rawBulkKeyIds := util.KeysOfMap(eqe.RawBulkKeys) - logrus.Info("Found the following bulk key ids for usage: ", rawBulkKeyIds) + log.Info("Found the following bulk key ids for usage: ", rawBulkKeyIds) ctx, cancel := context.WithTimeout(context.Background(), time.Second) defer cancel() @@ -92,7 +92,7 @@ func (eqe *EmulatedQuantumModule) Sync() error { bulkKey, ok := eqe.RawBulkKeys[initialPeerSetupResponse.BulkId] if !ok { // TODO: add proper error message - return fmt.Errorf("Could not find raw bulk key with id: %d", initialPeerSetupResponse.BulkId) + return fmt.Errorf("could not find raw bulk key with id: %d", initialPeerSetupResponse.BulkId) } // TODO: Initially the peer partners should discuss about the key length, @@ -182,7 +182,7 @@ func (eqe *EmulatedQuantumModule) KeyChopper(bulkKey *quantumlayer.QuantumLayerB if bulkKey.BulkKeyLength != len(*bulkKey.BulkKey) { if (bulkKey.BulkKeyLength) != (len(*bulkKey.BulkKey) * 8) { - logrus.Errorf("Length missmatch, even when converting 'bulkKey.BulkKey' to bytes: %d, %d", bulkKey.BulkKeyLength, len(*bulkKey.BulkKey)) + log.Errorf("Length missmatch, even when converting 'bulkKey.BulkKey' to bytes: %d, %d", bulkKey.BulkKeyLength, len(*bulkKey.BulkKey)) return nil, nil, errors.New("bulkKey length mismatch") } } @@ -203,7 +203,7 @@ func (eqe *EmulatedQuantumModule) KeyChopper(bulkKey *quantumlayer.QuantumLayerB } else { keyId, err = uuid.Parse(keyIds[counter]) if err != nil { - return nil, nil, fmt.Errorf("The provided ID: %s can not be parsed as UUID.", keyIds[counter]) + return nil, nil, fmt.Errorf("the provided ID: %s can not be parsed as UUID", keyIds[counter]) } counter++ } 
@@ -228,7 +228,7 @@ type ETSI014HTTPQuantumModule struct { master bool } -func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID, caFile, certFile, keyFile string, etsi14TLS, master bool) (*ETSI014HTTPQuantumModule, error) { +func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID string, tlsConfig config.TLSConfig, master bool) (*ETSI014HTTPQuantumModule, error) { parsedUrl, err := url.Parse(addr) if err != nil { return nil, err @@ -245,8 +245,8 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, slaveSAEID, masterSAEID, caFile, c Scheme: parsedUrl.Scheme, } - if etsi14TLS { - tlsConf, err := kmstls.GenerateTLSConf(caFile, certFile, keyFile) + if tlsConfig.TLS { + tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig) if err != nil { return nil, err } diff --git a/goKMS/kms/tls/tls.go b/goKMS/kms/tls/tls.go index 219a1179..a7de1861 100644 --- a/goKMS/kms/tls/tls.go +++ b/goKMS/kms/tls/tls.go @@ -6,19 +6,13 @@ import ( "fmt" "os" + "code.fbi.h-da.de/danet/quant/goKMS/config" "google.golang.org/grpc/credentials" ) -type TlsData struct { - TLS bool - CaFile string - CertFile string - KeyFile string -} - -func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) { +func GenerateGRPCServerTransportCredsWithTLS(tlsData config.TLSConfig) (credentials.TransportCredentials, error) { cp := x509.NewCertPool() - b, err := os.ReadFile(caFilePath) + b, err := os.ReadFile(tlsData.CAFile) if err != nil { return nil, err } @@ -27,7 +21,7 @@ func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile strin return nil, fmt.Errorf("credentials: failed to append certificates") } - cert, err := tls.LoadX509KeyPair(certFile, keyFile) + cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile) if err != nil { return nil, err } 
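Review bot: The TLS branch in NewETSI014HTTPQuantumModule only consults `tlsConfig.TLS` and never relates it to the `parsedUrl.Scheme` captured a few lines above, so `QuantumModuleTLS.TLS: true` with an `http://` module address loads key material that the client, as far as the visible lines show, has no way to use, and `TLS: false` with an `https://` address leaves the connection to whatever the HTTP client defaults to. Reject the mismatch at construction time: `if tlsConfig.TLS != (parsedUrl.Scheme == "https") { return nil, fmt.Errorf("QuantumModuleTLS.TLS=%t does not match scheme %q of %s", tlsConfig.TLS, parsedUrl.Scheme, addr) }`. A doc comment on the constructor saying that tlsConfig is the QuantumModuleTLS block and is applied to the ETSI014 HTTP client would also help, since the parameter name alone does not say which of the four blocks is expected. The function continues outside this hunk.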
@@ -42,10 +36,10 @@ func GenerateGRPCServerTransportCredsWithTLS(caFilePath, certFile, keyFile strin return credentials.NewTLS(tlsConfig), nil } -func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile string) (credentials.TransportCredentials, error) { +func GenerateGRPCClientTransportCredsWithTLS(tlsData config.TLSConfig) (credentials.TransportCredentials, error) { cp := x509.NewCertPool() - b, err := os.ReadFile(caFilePath) + b, err := os.ReadFile(tlsData.CAFile) if err != nil { return nil, err } @@ -53,7 +47,7 @@ func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile strin return nil, fmt.Errorf("credentials: failed to append certificates") } - cert, err := tls.LoadX509KeyPair(certFile, keyFile) + cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile) if err != nil { return nil, err } @@ -67,8 +61,8 @@ func GenerateGRPCClientTransportCredsWithTLS(caFilePath, certFile, keyFile strin return credentials.NewTLS(tlsConfig), nil } -func GenerateTLSConf(caFile, certFile, keyFile string) (*tls.Config, error) { - caCert, err := os.ReadFile(caFile) +func GenerateTlsLibraryConfig(tlsData config.TLSConfig) (*tls.Config, error) { + caCert, err := os.ReadFile(tlsData.CAFile) if err != nil { return nil, err } @@ -77,7 +71,7 @@ func GenerateTLSConf(caFile, certFile, keyFile string) (*tls.Config, error) { return nil, fmt.Errorf("credentials: failed to append certificates") } - cert, err := tls.LoadX509KeyPair(certFile, keyFile) + cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile) if err != nil { return nil, err } diff --git a/goKMS/main.go b/goKMS/main.go index 18d552c5..b204b34f 100644 --- a/goKMS/main.go +++ b/goKMS/main.go 
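Review bot: The three helpers in this file now load the same material three times over: GenerateGRPCServerTransportCredsWithTLS, GenerateGRPCClientTransportCredsWithTLS and GenerateTlsLibraryConfig each build a pool from tlsData.CAFile, append it, and call tls.LoadX509KeyPair on tlsData.CertFile and tlsData.KeyFile, differing only in the tls.Config they return. Since they now share a config.TLSConfig argument, the loading belongs in one unexported function so that a later hardening (for example rejecting an empty CA bundle) is done once; the sketch below shows that helper and one caller, the tls.Config construction of each function being outside the hunks. None of the three looks at tlsData.TLS, which is acceptable while every caller guards on it, but a doc line on each, `// Callers must check tlsData.TLS first; this always loads the files.`, keeps the next caller from assuming the bool is honoured here. The renamed GenerateTlsLibraryConfig also departs from the initialism style of its two siblings (GenerateTLSLibraryConfig).
```go
// loadTLSMaterial reads the CA bundle and the endpoint key pair named in tlsData.
func loadTLSMaterial(tlsData config.TLSConfig) (tls.Certificate, *x509.CertPool, error) {
	cp := x509.NewCertPool()
	b, err := os.ReadFile(tlsData.CAFile)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	if !cp.AppendCertsFromPEM(b) {
		return tls.Certificate{}, nil, fmt.Errorf("credentials: failed to append certificates")
	}
	cert, err := tls.LoadX509KeyPair(tlsData.CertFile, tlsData.KeyFile)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return cert, cp, nil
}

func GenerateGRPCClientTransportCredsWithTLS(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
	cert, cp, err := loadTLSMaterial(tlsData)
	if err != nil {
		return nil, err
	}
	// … unchanged: tls.Config construction and credentials.NewTLS …
}
```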
@@ -51,11 +51,11 @@ import ( func main() { configPath := flag.String("kms_config", "", "path to the config file") logLevel := flag.String("log", "info", "logrus lof level (debug, info, warn, error, fatal, panic)") - bindAddress := flag.String("bindAddress", ":7030", "address to bind to") - certFile := flag.String("certFile", "", "location of the cert file") - keyFile := flag.String("keyFile", "", "location of the key file") - caFile := flag.String("caFile", "", "location of the ca file") - insecure := flag.Bool("insecure", true, "If true do not use TLS") + gnmiBindAddress := flag.String("gnmiBindAddress", ":7030", "address to bind gNMI to (overwrites settings in config file)") + gnmiTLS := flag.Bool("gnmiTLS", false, "If true do use TLS for gNMI, paths to ca, cert and key must be set aswell (overwrites settings in config file)") + certFile := flag.String("certFile", "", "location of the gNMI cert file (overwrites settings in config file)") + keyFile := flag.String("keyFile", "", "location of the gNMI key file (overwrites settings in config file)") + caFile := flag.String("caFile", "", "location of the gNMI ca file (overwrites settings in config file)") flag.Parse() @@ -69,18 +69,20 @@ func main() { log.Info("setting log level to ", ll) log.SetLevel(ll) + // Parse config file kmsConfig := &config.Config{} - log.Debugf("current config path: %s", *configPath) file, err := os.ReadFile(*configPath) if err != nil { log.Fatal(err) } - if err := yaml.Unmarshal(file, kmsConfig); err != nil { log.Fatal(err) } + // All gNMI settings which are provided via cli arguments should overwrite the settings in the config file. + overwriteConfigFieldsWithFlags(kmsConfig, gnmiBindAddress, gnmiTLS, certFile, keyFile, caFile) + // initialize id for the kms var kmsId uuid.UUID if kmsConfig.Id != "" { @@ -89,6 +91,7 @@ func main() { kmsId = uuid.New() } + outputTlsSettings(kmsConfig) resolveHostnameToIPForQuantumModules(kmsConfig) kmsInfo := generateKMSInfo(kmsId) 
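Review bot: With `insecure` removed and `gnmiTLS` defaulting to false, a goKMS started from a config file that has no GnmiTLS block now serves its gNMI management interface in plaintext without any explicit opt-in; the effective default is unchanged, but the opt-out that used to be spelled out on the command line (`--insecure`) has become implicit. Consider logging that state at warn level rather than info, or defaulting `gnmiTLS` to true and failing fast when the paths are missing, so that plaintext gNMI is a conscious choice rather than the silent fallback. The help strings also carry two typos that the README hunk reproduces verbatim: `"logrus log level (debug, info, warn, error, fatal, panic)"` and `"... must be set as well (overwrites settings in config file)"`.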
@@ -114,8 +117,10 @@ func main() { kmsHandler.NewAssignForwardingHandler(kms), } + // The gnmiTarget implementation uses a flag to pass NO tls, so we have to invert our flag for it to work. + gnmiInsecure := !kmsConfig.GnmiTLS.TLS gnmitTarget := gnmitarget.NewGnmiTarget(schema, &gnmitargetygot.Gnmitarget{}, gnmitargetygot.ΓModelData, gnmitargetygot.Unmarshal, gnmitargetygot.ΛEnum, handlers...) - if err := gnmitTarget.Start(*bindAddress, *certFile, *keyFile, *caFile, *insecure); err != nil { + if err := gnmitTarget.Start(*gnmiBindAddress, kmsConfig.GnmiTLS.CertFile, kmsConfig.GnmiTLS.KeyFile, kmsConfig.GnmiTLS.CAFile, gnmiInsecure); err != nil { log.Fatal(err) } } 
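Review bot: The GnmiBindAddress field this patch adds to Config is never read here: `gnmitTarget.Start` is still handed the raw flag value `*gnmiBindAddress`, so a `GnmiBindAddress:` entry in the YAML is ignored and the target always binds to the flag (default `:7030`), contradicting the flag help text "(overwrites settings in config file)". Resolve the address from the config with the flag as fallback: `bindAddr := kmsConfig.GnmiBindAddress` / `if bindAddr == "" { bindAddr = *gnmiBindAddress }` and pass `bindAddr` to Start. The helper that copies the flag into kmsConfig.GnmiBindAddress is defined in a later hunk, and main starts outside this one.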
@@ -154,6 +159,60 @@ func resolveHostnameToIPForQuantumModules(config *config.Config) {
 }
 }
 
+func outputTlsSettings(config *config.Config) {
+ log.Infof("TLS enabled for gNMIC: %t", config.GnmiTLS.TLS)
+ if config.GnmiTLS.TLS {
+ log.Infof("TLS filepaths for gNMIC; ca: %s, cert: %s, key: %s", config.GnmiTLS.CAFile, config.GnmiTLS.CertFile, config.GnmiTLS.KeyFile)
+ }
+
+ log.Infof("TLS enabled for KMS: %t", config.KmsTLS.TLS)
+ if config.KmsTLS.TLS {
+ log.Infof("TLS filepaths for KMS; ca: %s, cert: %s, key: %s", config.KmsTLS.CAFile, config.KmsTLS.CertFile, config.KmsTLS.KeyFile)
+ }
+
+ log.Infof("TLS enabled for Quantum Module: %t", config.QuantumModuleTLS.TLS)
+ if config.QuantumModuleTLS.TLS {
+ log.Infof("TLS filepaths for Quantum Module; ca: %s, cert: %s, key: %s", config.QuantumModuleTLS.CAFile, config.QuantumModuleTLS.CertFile, config.QuantumModuleTLS.KeyFile)
+ }
+
+ log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.TLS)
+ if config.AkmsCkmsTLS.TLS {
+ log.Infof("TLS filepaths for AKMS-CKMS interface; ca: %s, cert: %s, key: %s", config.AkmsCkmsTLS.CAFile, config.AkmsCkmsTLS.CertFile, config.AkmsCkmsTLS.KeyFile)
+ }
+}
+
+func isFlagPassed(name string) bool {
+ found := false
+ flag.Visit(func(f *flag.Flag) {
+ if f.Name == name {
+ found = true
+ }
+ })
+ return found
+}
+
+func overwriteConfigFieldsWithFlags(config *config.Config, gnmiBindAddress *string, gnmiTLS *bool, certFile *string, keyFile *string, caFile *string) {
+ if isFlagPassed("gnmiTLS") {
+ config.GnmiTLS.TLS = *gnmiTLS
+ }
+
+ if isFlagPassed("gnmiBindAddress") {
+ config.GnmiBindAddress = *gnmiBindAddress
+ }
+
+ if *caFile != "" {
+ config.GnmiTLS.CAFile = *caFile
+ }
+
+ if *certFile != "" {
+ config.GnmiTLS.CertFile = *certFile
+ }
+
+ if *keyFile != "" {
+ config.GnmiTLS.KeyFile = *keyFile
+ }
+}
+
 func generateKMSInfo(id uuid.UUID) *config.KMSInfo {
 kmsVersionInformation := config.NewKMSVersionInformation("danet-emulated-kms", "0.1.0", "0.1.0")
 
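Review bot: overwriteConfigFieldsWithFlags can leave GnmiTLS.TLS true with an empty CAFile, CertFile or KeyFile (for example `--gnmiTLS` on the command line and no GnmiTLS block in the YAML), and nothing in this hunk checks for it although the flag help text says the three paths must be set; the failure then surfaces only from gnmitTarget.Start, outside this hunk, after the rest of the KMS has started. Add at the end of the function: `if config.GnmiTLS.TLS && (config.GnmiTLS.CAFile == "" || config.GnmiTLS.CertFile == "" || config.GnmiTLS.KeyFile == "") { log.Fatal("gNMI TLS enabled but CAFile, CertFile or KeyFile is not set") }`. The log lines in outputTlsSettings say "gNMIC", which is the name of the gNMI client tool, while what is served here is a gNMI target, so `"TLS enabled for gNMI: %t"` is the accurate wording. Each of the three new functions would also benefit from a one-line doc comment, e.g. `// overwriteConfigFieldsWithFlags applies the gNMI-related CLI flags on top of the parsed YAML config; a flag wins whenever it was passed.`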
diff --git a/integration-tests/config/kms/kms_1.yaml b/integration-tests/config/kms/kms_1.yaml index 7b93c10c..273b4440 100644 --- a/integration-tests/config/kms/kms_1.yaml +++ b/integration-tests/config/kms/kms_1.yaml @@ -5,10 +5,11 @@ QuantumAddr: 0.0.0.0:50911 GRPCAddr: 0.0.0.0:50900 AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key" AkmsCkmsServerPort: "9696" -TLS: true -CAFile: "config/ssl/ca.crt" -CertFile: "config/ssl/kms/kms1-selfsigned.crt" -KeyFile: "config/ssl/kms/kms1-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "config/ssl/ca.crt" + CertFile: "config/ssl/kms/kms1-selfsigned.crt" + KeyFile: "config/ssl/kms/kms1-selfsigned.key" Peers: # peer to kms_2 - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2' diff --git a/integration-tests/config/kms/kms_2.yaml b/integration-tests/config/kms/kms_2.yaml index 537e2a8e..319da986 100644 --- a/integration-tests/config/kms/kms_2.yaml +++ b/integration-tests/config/kms/kms_2.yaml @@ -5,10 +5,11 @@ QuantumAddr: 0.0.0.0:50911 GRPCAddr: 0.0.0.0:50900 AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key" AkmsCkmsServerPort: "9696" -TLS: true -CAFile: "config/ssl/ca.crt" -CertFile: "config/ssl/kms/kms2-selfsigned.crt" -KeyFile: "config/ssl/kms/kms2-selfsigned.key" +KmsTLS: + TLS: true + CAFile: "config/ssl/ca.crt" + CertFile: "config/ssl/kms/kms2-selfsigned.crt" + KeyFile: "config/ssl/kms/kms2-selfsigned.key" Peers: # peer to kms_1 - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b' diff --git a/integration-tests/docker-compose_integration_test.yml b/integration-tests/docker-compose_integration_test.yml index 4c6dacf1..8576fc0a 100644 --- a/integration-tests/docker-compose_integration_test.yml +++ b/integration-tests/docker-compose_integration_test.yml @@ -7,7 +7,6 @@ services: "debug", "--kms_config", "/tmp/kms/config/kms_1.yaml", - "--insecure", ] volumes: - ./config/kms/kms_1.yaml:/tmp/kms/config/kms_1.yaml 
@@ -24,7 +23,6 @@ services: "debug", "--kms_config", "/tmp/kms/config/kms_2.yaml", - "--insecure", ] volumes: - ./config/kms/kms_2.yaml:/tmp/kms/config/kms_2.yaml diff --git a/playground.clab.yaml b/playground.clab.yaml index 8dc09fb6..a43e54e7 100644 --- a/playground.clab.yaml +++ b/playground.clab.yaml @@ -46,7 +46,7 @@ topology: mgmt-ipv4: 172.100.20.10 binds: - ./config/kms/example01.yaml:/tmp/kms/config/kms01.yaml - cmd: --log debug --kms_config /tmp/kms/config/kms01.yaml --insecure + cmd: --log debug --kms_config /tmp/kms/config/kms01.yaml --insecureGNMI kms2: kind: linux @@ -54,7 +54,7 @@ topology: mgmt-ipv4: 172.100.20.11 binds: - ./config/kms/example02.yaml:/tmp/kms/config/kms02.yaml - cmd: --log debug --kms_config /tmp/kms/config/kms02.yaml --insecure + cmd: --log debug --kms_config /tmp/kms/config/kms02.yaml --insecureGNMI kms3: kind: linux @@ -62,7 +62,7 @@ topology: mgmt-ipv4: 172.100.20.12 binds: - ./config/kms/example03.yaml:/tmp/kms/config/kms03.yaml - cmd: --log debug --kms_config /tmp/kms/config/kms03.yaml --insecure + cmd: --log debug --kms_config /tmp/kms/config/kms03.yaml --insecureGNMI kms4: kind: linux @@ -70,7 +70,7 @@ topology: mgmt-ipv4: 172.100.20.13 binds: - ./config/kms/example04.yaml:/tmp/kms/config/kms04.yaml - cmd: --log debug --kms_config /tmp/kms/config/kms04.yaml --insecure + cmd: --log debug --kms_config /tmp/kms/config/kms04.yaml --insecureGNMI qlayer01: kind: linux -- GitLab
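Review bot: The `--insecureGNMI` argument on kms1 through kms4 in playground.clab.yaml has no corresponding flag in goKMS/main.go as changed by this patch, which defines only `kms_config`, `log`, `gnmiBindAddress`, `gnmiTLS`, `certFile`, `keyFile` and `caFile`. An unknown flag makes flag.Parse on Go's default ExitOnError flag set print usage and exit with status 2, so none of the four KMS nodes in the lab will come up. Because `gnmiTLS` already defaults to false, dropping the argument gives the intended plaintext gNMI: `cmd: --log debug --kms_config /tmp/kms/config/kms04.yaml`; if an explicit opt-out is wanted, `--gnmiTLS=false` is the flag that exists.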