.devcontainer/devcontainer.json

@@ -12,7 +12,7 @@
             "ghcr.io/devcontainers/features/go:1": {
                     "version": "1.22"
                 },
-            "ghcr.io/devcontainers/features/docker-in-docker:2.11": {
+            "ghcr.io/devcontainers/features/docker-in-docker:2.12": {
                 "version": "latest",
                 "dockerDashComposeVersion": "v2"
                 }

README.md

@@ -27,8 +27,19 @@ Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b" # ID of the kms
 Name: kms01 # name of the kms
 InterComAddr: 0.0.0.0:50910 # IP and port to bind the local gRPC server for inter KMS communication to
 QuantumAddr: 0.0.0.0:50911 # IP and port to bind the local gRPC server for QKD modules to reach the KMS to (optional, only used for specific emulated or experimental QKD modules)
-AkmsURL: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" # address of the rest endpoint of a connected AKMS (used for sending KSA key to the AKMS).
-AkmsCkmsServerPort: "9696" # Port of connected AKMS
+AKMS:
+  RemoteAddress: "http://172.100.20.22:4444/api/v1/keys/push_ksa_key" # address of the rest endpoint of a connected AKMS (used for sending KSA key to the AKMS).
+  ServerPort: "9696" # Port of connected AKMS
+  ClientTLS: # Settings for TLS for akms ckms interface
+    Active: true # Whether TLS is enabled
+    CAFile: "ssl/ca.crt" # Path to ca
+    CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+    KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
+  ServerTLS:
+    Active: true # Whether TLS is enabled
+    CAFile: "ssl/ca.crt" # Path to ca
+    CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
+    KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
 GRPCTimeoutInSeconds: 10 # Time in seconds for timeout of gRPC connections as a client. Defaults to 10 seconds. Should not be set to 0 or negative values.
 GnmiTLS: # Settings for TLS for gNMI endpoint. Can be overwritten with cli parameters.
   Active: true # Whether TLS is enabled
@@ -40,11 +51,6 @@ KmsTLS: # Settings for TLS for inter KMS communication
   CAFile: "ssl/ca.crt" # Path to ca
   CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
   KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
-AkmsCkmsTLS: # Settings for TLS for akms ckms interface
-  Active: true # Whether TLS is enabled
-  CAFile: "ssl/ca.crt" # Path to ca
-  CertFile: "ssl/kms/kms1-selfsigned.crt" # Path to cert
-  KeyFile: "ssl/kms/kms1-selfsigned.key" # Path to key
 Peers: # Peers to other goKMS
     # peer to goKMS02
     - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2" # id of the peer

akms-simulator/akms-simulator.go

 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"flag"
 	"io"
-	"log"
 	"net/http"
 	"os"
 
@@ -26,11 +28,53 @@ type KSAKey struct {
 }
 
 func main() {
+	tlsCAFile := flag.String("ca", "", "Path to CA certificate file")
+	tlsCertFile := flag.String("cert", "", "Path to certificate file")
+	tlsKeyFile := flag.String("key", "", "Path to key file")
+	flag.Parse()
+
 	logrus.Info("Starting AKMS Simulator...")
 
-	http.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
-	http.HandleFunc("/debug/get_log_file", getLogFile)
-	log.Fatal(http.ListenAndServe(":4444", nil))
+	router := http.NewServeMux()
+
+	router.HandleFunc("/api/v1/keys/push_ksa_key", handlePushKsaKey)
+	router.HandleFunc("/debug/get_log_file", getLogFile)
+
+	server := &http.Server{
+		Addr:    ":4444",
+		Handler: router,
+	}
+
+	if *tlsCAFile != "" && *tlsCertFile != "" && *tlsKeyFile != "" {
+		logrus.Info("TLS enabled")
+		cp := x509.NewCertPool()
+		b, err := os.ReadFile(*tlsCAFile)
+		if err != nil {
+			logrus.Fatalf("Error reading CA file: %s", err)
+		}
+
+		if !cp.AppendCertsFromPEM(b) {
+			logrus.Fatalf("Error appending certs from PEM")
+		}
+
+		cert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+		if err != nil {
+			logrus.Fatalf("Error loading X509 key pair: %s", err)
+		}
+
+		tlsConfig := &tls.Config{
+			MinVersion:   tls.VersionTLS13,
+			ClientCAs:    cp,
+			Certificates: []tls.Certificate{cert},
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+		}
+
+		server.TLSConfig = tlsConfig
+
+		logrus.Fatal(server.ListenAndServeTLS("", ""))
+	} else {
+		logrus.Fatal(server.ListenAndServe())
+	}
 }
 
 func getLogFile(w http.ResponseWriter, r *http.Request) {

config/goKMS/example01.yaml

@@ -3,16 +3,17 @@ Name: kms01
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
-AkmsURL: "http://akms-receiver01:4444/api/v1/keys/push_ksa_key"
-AkmsCkmsServerPort: "9696"
+AKMS:
+  RemoteAddress: "http://akms-receiver01:4444/api/v1/keys/push_ksa_key"
+  ServerPort: "9696"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms1-selfsigned.crt"
   KeyFile: "ssl/kms/kms1-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms1-selfsigned.crt"
   KeyFile: "ssl/kms/kms1-selfsigned.key"

config/goKMS/example02.yaml

@@ -5,12 +5,12 @@ QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms2-selfsigned.crt"
   KeyFile: "ssl/kms/kms2-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms2-selfsigned.crt"
   KeyFile: "ssl/kms/kms2-selfsigned.key"

config/goKMS/example03.yaml

@@ -5,12 +5,12 @@ QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms3-selfsigned.crt"
   KeyFile: "ssl/kms/kms3-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms3-selfsigned.crt"
   KeyFile: "ssl/kms/kms3-selfsigned.key"

config/goKMS/example04.yaml

@@ -3,16 +3,17 @@ Name: kms04
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
 GRPCAddr: 0.0.0.0:50900
-AkmsURL: "http://akms-receiver02:4444/api/v1/keys/push_ksa_key"
-AkmsCkmsServerPort: "9696"
+AKMS:
+  RemoteAddress: "http://akms-receiver02:4444/api/v1/keys/push_ksa_key"
+  ServerPort: "9696"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms4-selfsigned.crt"
   KeyFile: "ssl/kms/kms4-selfsigned.key"
 QuantumModuleTLS:
-  TLS: false
+  Active: false
   CAFile: "ssl/ca.crt"
   CertFile: "ssl/kms/kms4-selfsigned.crt"
   KeyFile: "ssl/kms/kms4-selfsigned.key"

config/goKMS/small_kms_1.yaml

-Id: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
+Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
 Name: kms_1
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
-AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
-AkmsCkmsServerPort: "9696"
+AKMS:
+  RemoteAddress: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
+  ServerPort: "9696"
 Peers:
-    # peer to kms_2
-    - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
-      PeerInterComAddr: kms_2:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_1
+  # peer to kms_2
+  - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
+    PeerInterComAddr: kms_2:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_1
 QkdnManagerServer:
   Address: ":8090"

config/goKMS/small_kms_2.yaml

-Id: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
+Id: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
 Name: kms_2
 InterComAddr: 0.0.0.0:50910
 GRPCAddr: 0.0.0.0:50900
-AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
-AkmsCkmsServerPort: "9696"
+AKMS:
+  RemoteAddress: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
+  ServerPort: "9696"
 Peers:
-    # peer to kms_1
-    - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
-      PeerInterComAddr: kms_1:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_2
+  # peer to kms_1
+  - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
+    PeerInterComAddr: kms_1:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_2
 QkdnManagerServer:
   Address: ":8090"

goKMS/config/config.go

@@ -11,18 +11,23 @@ type Config struct {
 	Name                 string             `yaml:"Name"`
 	InterComAddr         string             `yaml:"InterComAddr"`
 	QuantumAddr          string             `yaml:"QuantumAddr"`
-	AkmsURL              string             `yaml:"AkmsURL"`
-	AkmsCkmsServerPort   string             `yaml:"AkmsCkmsServerPort"`
+	AKMS                 AKMS               `yaml:"AKMS"`
 	GnmiBindAddress      string             `yaml:"GnmiBindAddress"`
 	KmsTLS               TLSConfig          `yaml:"KmsTLS"`
 	Peers                []Peer             `yaml:"Peers"`
 	GnmiTLS              TLSConfig          `yaml:"GnmiTLS"`
-	AkmsCkmsTLS          TLSConfig          `yaml:"AkmsCkmsTLS"`
 	ETSI14Server         *ETSI14Server      `yaml:"ETSI14Server,omitempty"`
 	QkdnManagerServer    *QkdnManagerServer `yaml:"QkdnManagerServer,omitempty"`
 	GRPCTimeoutInSeconds int                `yaml:"GRPCTimeoutInSeconds"`
 }
 
+type AKMS struct {
+	RemoteAddress string    `yaml:"RemoteAddress"`
+	ServerPort    string    `yaml:"ServerPort"`
+	ServerTLS     TLSConfig `yaml:"ServerTLS"`
+	ClientTLS     TLSConfig `yaml:"ClientTLS"`
+}
+
 type Peer struct {
 	PeerId           string        `yaml:"PeerId"`
 	PeerInterComAddr string        `yaml:"PeerInterComAddr"`
@@ -31,10 +36,11 @@ type Peer struct {
 }
 
 type TLSConfig struct {
-	Active   bool   `yaml:"Active"`
-	CAFile   string `yaml:"CAFile"`
-	CertFile string `yaml:"CertFile"`
-	KeyFile  string `yaml:"KeyFile"`
+	Active             bool   `yaml:"Active"`
+	InsecureSkipVerify bool   `yaml:"InsecureSkipVerify"`
+	CAFile             string `yaml:"CAFile"`
+	CertFile           string `yaml:"CertFile"`
+	KeyFile            string `yaml:"KeyFile"`
 }
 
 type QuantumModule struct {

goKMS/kms/akms/client/client.go → goKMS/kms/akmsInterface/client/client.go

@@ -3,20 +3,39 @@ package client
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"io"
 	"net/http"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/sirupsen/logrus"
 )
 
 type CkmsAkmsClient struct {
-	url string
+	url        string
+	httpClient *http.Client
 }
 
-func NewCkmsAkmsClient(url string) *CkmsAkmsClient {
-	return &CkmsAkmsClient{
-		url: url,
+func NewCkmsAkmsClient(url string, tlsConfig config.TLSConfig) (*CkmsAkmsClient, error) {
+	client := &http.Client{}
+
+	if tlsConfig.Active {
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+
+		client.Transport = &http.Transport{
+			TLSClientConfig: tlsConf,
+		}
 	}
+
+	return &CkmsAkmsClient{
+		url:        url,
+		httpClient: client,
+	}, nil
 }
 
 type PushKSAKeyRequest struct {
@@ -38,9 +57,14 @@ func (c *CkmsAkmsClient) SendKSAKeysToRequestingInstances(requestID string, proc
 		return err
 	}
 
-	resp, err := http.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
+	logrus.Infof("Attempting to send KSA post request to AKMS with URL: %s", c.url)
+	resp, err := c.httpClient.Post(c.url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
-		logrus.Errorf("Error sending POST request: %s", err)
+		body, err2 := io.ReadAll(resp.Body)
+		if err2 != nil {
+			logrus.Errorf("Error reading POST response body: %s", err2)
+		}
+		logrus.Errorf("Error sending POST request: %s, received response body: %s", err, string(body))
 		logrus.Errorf("Tried to send request: %s to url: %s", jsonData, c.url)
 		return err
 	}

goKMS/kms/akms/server/server.go → goKMS/kms/akmsInterface/server/server.go

@@ -6,17 +6,20 @@ import (
 	"net/http"
 	"time"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/receiver"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 )
 
 type AKMSReceiverServer struct {
-	server *http.Server
+	server    *http.Server
+	tlsConfig config.TLSConfig
 }
 
-func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error) *AKMSReceiverServer {
+func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.Receiver, generateAndSend func(string, uuid.UUID, string, int) error, tlsConfig config.TLSConfig) (*AKMSReceiverServer, error) {
 	router := http.NewServeMux()
 
 	router.HandleFunc("/api/v1/keys/ksa_key_req", ksaReqHandler(eventBus, receiver, generateAndSend))
@@ -26,15 +29,28 @@ func NewAKMSReceiver(port string, eventBus *event.EventBus, receiver *receiver.R
 		Handler: router,
 	}
 
+	if tlsConfig.Active {
+		tlsLibraryConfig, err := kmstls.GenerateServerTLSLibraryConfig(tlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
+		}
+		server.TLSConfig = tlsLibraryConfig
+	}
+
 	AKMSReceiver := &AKMSReceiverServer{
-		server: server,
+		server:    server,
+		tlsConfig: tlsConfig,
 	}
 
-	return AKMSReceiver
+	return AKMSReceiver, nil
 }
 
 func (akmsReceiver *AKMSReceiverServer) Serve() {
-	go akmsReceiver.server.ListenAndServe() //nolint:errcheck
+	if akmsReceiver.tlsConfig.Active {
+		go akmsReceiver.server.ListenAndServeTLS("", "") //nolint:errcheck
+	} else {
+		go akmsReceiver.server.ListenAndServe() //nolint:errcheck
+	}
 }
 
 type KeyProperties struct {

goKMS/kms/kms.go

@@ -21,8 +21,8 @@ import (
 
 	pbIC "code.fbi.h-da.de/danet/quant/goKMS/api/gen/proto/go/kmsintercom"
 	"code.fbi.h-da.de/danet/quant/goKMS/config"
-	akmsClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/client"
-	akmsServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akms/server"
+	akmsInterfaceClient "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/client"
+	akmsInterfaceServer "code.fbi.h-da.de/danet/quant/goKMS/kms/akmsInterface/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/crypto"
 	etsi14Server "code.fbi.h-da.de/danet/quant/goKMS/kms/etsi/etsi14/server"
 	"code.fbi.h-da.de/danet/quant/goKMS/kms/event"
@@ -82,8 +82,8 @@ type KMS struct {
 	eventBus            *event.EventBus
 	receiver            *receiver.Receiver
 	// Akms things
-	ckmsAkmsClient *akmsClient.CkmsAkmsClient
-	ckmsAkmsServer *akmsServer.AKMSReceiverServer
+	ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	ckmsAkmsServer *akmsInterfaceServer.AKMSReceiverServer
 	// ETSI14 Server things
 	etsi14Server    *etsi14Server.ETSI14RESTService
 	keyStoreChannel chan []crypto.KSAKey
@@ -118,9 +118,13 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 		log.SetReportCaller(false)
 	}
 
-	var ckmsAkmsClient *akmsClient.CkmsAkmsClient
-	if config.AkmsURL != "" {
-		ckmsAkmsClient = akmsClient.NewCkmsAkmsClient(config.AkmsURL)
+	var ckmsAkmsClient *akmsInterfaceClient.CkmsAkmsClient
+	var err error
+	if config.AKMS.RemoteAddress != "" {
+		ckmsAkmsClient, err = akmsInterfaceClient.NewCkmsAkmsClient(config.AKMS.RemoteAddress, config.AKMS.ClientTLS)
+		if err != nil {
+			log.Fatalf("Failed to setup CkmsAkmsClient: %s", err)
+		}
 	}
 
 	gRPCTimeoutInSecondsDuration := time.Duration(config.GRPCTimeoutInSeconds) * time.Second
@@ -149,15 +153,18 @@ func NewKMS(kmsUUID uuid.UUID, logOutput io.Writer, logLevel log.Level, logInJso
 	go createdKMS.startGRPC()
 
 	// initialize from config
-	err := createdKMS.initializePeers(config)
+	err = createdKMS.initializePeers(config)
 	if err != nil {
 		log.Fatalf("Failed to initialize peers: %s", err)
 	}
 
 	// Start the akmsCkmsReceiverServer
-	if config.AkmsCkmsServerPort != "" {
-		createdKMS.ckmsAkmsServer = akmsServer.NewAKMSReceiver(config.AkmsCkmsServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey)
-		log.Infof("Starting AKMS receiver server on port: %s", config.AkmsCkmsServerPort)
+	if config.AKMS.ServerPort != "" {
+		createdKMS.ckmsAkmsServer, err = akmsInterfaceServer.NewAKMSReceiver(config.AKMS.ServerPort, createdKMS.eventBus, receiver, createdKMS.GenerateAndSendKSAKey, config.AKMS.ServerTLS)
+		if err != nil {
+			log.Fatalf("Failed to initialize CkmsAkmsServer: %s", err)
+		}
+		log.Infof("Starting AKMS receiver server on port: %s", config.AKMS.ServerPort)
 		go createdKMS.ckmsAkmsServer.Serve()
 	}
 

goKMS/kms/peers/etsi14Quantummodule.go

@@ -51,7 +51,7 @@ func NewETSI014HTTPQuantumModule(addr, kmsId, localSAEID, targetSAEID string, tl
 	}
 
 	if tlsConfig.Active {
-		tlsConf, err := kmstls.GenerateTlsLibraryConfig(tlsConfig)
+		tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("unable to generate TLS config: %w", err)
 		}

goKMS/kms/tls/tls.go

@@ -11,15 +11,15 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 )
 
-func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
+func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
-	if tlsData.Active {
-		creds, err := generateGRPCServerTransportCredsWithTLS(tlsData.CAFile, tlsData.CertFile, tlsData.KeyFile)
+	if tlsConfig.Active {
+		tlsLibraryConfig, err := GenerateServerTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -27,9 +27,9 @@ func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (c
 	return gRPCTransportCreds, nil
 }
 
-func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateServerTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()
-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -38,30 +38,28 @@ func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}
 
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
 	}
 
-	tlsConfig := &tls.Config{
+	return &tls.Config{
 		MinVersion:   tls.VersionTLS13,
 		ClientCAs:    cp,
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
+	}, nil
 }
 
 func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
 	var gRPCTransportCreds credentials.TransportCredentials
 	if tlsConfig.Active {
-		creds, err := generateGRPCClientTransportCredsWithTLS(tlsConfig.CAFile, tlsConfig.CertFile, tlsConfig.KeyFile)
+		tlsLibraryConfig, err := GenerateTLSLibraryConfig(tlsConfig)
 		if err != nil {
 			return nil, err
 		}
 
-		gRPCTransportCreds = creds
+		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
 	} else {
 		gRPCTransportCreds = insecure.NewCredentials()
 	}
@@ -69,10 +67,10 @@ func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig)
 	return gRPCTransportCreds, nil
 }
 
-func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
+func GenerateTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
 	cp := x509.NewCertPool()
 
-	b, err := os.ReadFile(caFile)
+	b, err := os.ReadFile(tlsConfig.CAFile)
 	if err != nil {
 		return nil, err
 	}
@@ -80,38 +78,15 @@ func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (
 		return nil, fmt.Errorf("credentials: failed to append certificates")
 	}
 
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConfig := &tls.Config{
-		MinVersion:   tls.VersionTLS13,
-		RootCAs:      cp,
-		Certificates: []tls.Certificate{cert},
-	}
-
-	return credentials.NewTLS(tlsConfig), nil
-}
-
-func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
-	caCert, err := os.ReadFile(tlsConfig.CAFile)
-	if err != nil {
-		return nil, err
-	}
-	caCertPool := x509.NewCertPool()
-	if !caCertPool.AppendCertsFromPEM(caCert) {
-		return nil, fmt.Errorf("credentials: failed to append certificates")
-	}
-
 	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 	if err != nil {
 		return nil, err
 	}
 
 	return &tls.Config{
-		MinVersion:   tls.VersionTLS13,
-		RootCAs:      caCertPool,
-		Certificates: []tls.Certificate{cert},
+		MinVersion:         tls.VersionTLS13,
+		RootCAs:            cp,
+		Certificates:       []tls.Certificate{cert},
+		InsecureSkipVerify: tlsConfig.InsecureSkipVerify,
 	}, nil
 }

goKMS/main.go

@@ -177,9 +177,13 @@ func outputTlsSettings(config *config.Config) {
 		}
 	}
 
-	log.Infof("TLS enabled for AKMS-CKMS interface: %t", config.AkmsCkmsTLS.Active)
-	if config.AkmsCkmsTLS.Active {
-		log.Infof("TLS filepaths for AKMS-CKMS interface: ca: %s, cert: %s, key: %s", config.AkmsCkmsTLS.CAFile, config.AkmsCkmsTLS.CertFile, config.AkmsCkmsTLS.KeyFile)
+	log.Infof("TLS enabled for AKMS-CKMS Client interface: %t", config.AKMS.ClientTLS.Active)
+	if config.AKMS.ClientTLS.Active {
+		log.Infof("TLS filepaths for AKMS-CKMS Client interface: ca: %s, cert: %s, key: %s", config.AKMS.ClientTLS.CAFile, config.AKMS.ClientTLS.CertFile, config.AKMS.ClientTLS.KeyFile)
+	}
+	log.Infof("TLS enabled for AKMS-CKMS Server interface: %t", config.AKMS.ServerTLS.Active)
+	if config.AKMS.ServerTLS.Active {
+		log.Infof("TLS filepaths for AKMS-CKMS Server interface: ca: %s, cert: %s, key: %s", config.AKMS.ServerTLS.CAFile, config.AKMS.ServerTLS.CertFile, config.AKMS.ServerTLS.KeyFile)
 	}
 }
 

integration-tests/code/getKSAKeyTest/getKSA_key_test.go

@@ -10,6 +10,8 @@ import (
 	"os"
 	"testing"
 
+	"code.fbi.h-da.de/danet/quant/goKMS/config"
+	kmstls "code.fbi.h-da.de/danet/quant/goKMS/kms/tls"
 	utils "code.fbi.h-da.de/danet/quant/integration-tests/code/integrationTestUtils"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@@ -87,7 +89,14 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 
 	requestId := uuid.New().String()
 
-	url := fmt.Sprintf("http://%s/api/v1/keys/ksa_key_req", kms1AkmsURL)
+	tlsConfig := config.TLSConfig{
+		Active:   true,
+		CAFile:   "../../../artifacts/integration-tests/ssl/ca.crt",
+		CertFile: "../../../artifacts/integration-tests/ssl/kms/kms2-selfsigned.crt",
+		KeyFile:  "../../../artifacts/integration-tests/ssl/kms/kms2-selfsigned.key",
+	}
+
+	url := fmt.Sprintf("https://%s/api/v1/keys/ksa_key_req", kms1AkmsURL)
 	data := RequestData{
 		ReceivingCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2",
 		RequestID:       requestId,
@@ -99,13 +108,22 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 		},
 	}
 
+	tlsConf, err := kmstls.GenerateTLSLibraryConfig(tlsConfig)
+	if err != nil {
+		t.Errorf("Error generating TLS config: %s", err)
+	}
+	transport := &http.Transport{
+		TLSClientConfig: tlsConf,
+	}
+	client := &http.Client{Transport: transport}
+
 	jsonData, err := json.Marshal(data)
 	if err != nil {
 		fmt.Println(err)
 		return
 	}
 
-	resp, err := http.Post(url, "application/json", bytes.NewBuffer(jsonData))
+	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return
@@ -117,7 +135,7 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 	}
 
 	// Get logfile of akms
-	resp, err = http.Get("http://" + logFileURL + "/debug/get_log_file")
+	resp, err = client.Get("https://" + logFileURL + "/debug/get_log_file")
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return
@@ -143,7 +161,23 @@ func TestGetKSAKey(t *testing.T) { //nolint:gocyclo
 	assert.NotNil(t, logFile.Body.KSAKeys[0].KeyID)
 	assert.NotNil(t, logFile.Body.KSAKeys[0].Key)
 
-	resp, err = http.Get("http://" + logFileURL2 + "/debug/get_log_file")
+	tlsConfig = config.TLSConfig{
+		Active:   true,
+		CAFile:   "../../../artifacts/integration-tests/ssl/ca.crt",
+		CertFile: "../../../artifacts/integration-tests/ssl/kms/kms1-selfsigned.crt",
+		KeyFile:  "../../../artifacts/integration-tests/ssl/kms/kms1-selfsigned.key",
+	}
+
+	tlsConf, err = kmstls.GenerateTLSLibraryConfig(tlsConfig)
+	if err != nil {
+		t.Errorf("Error generating TLS config: %s", err)
+	}
+	transport = &http.Transport{
+		TLSClientConfig: tlsConf,
+	}
+	client = &http.Client{Transport: transport}
+
+	resp, err = client.Get("https://" + logFileURL2 + "/debug/get_log_file")
 	if err != nil {
 		t.Errorf("Error making HTTP request: %s", err)
 		return

integration-tests/config/kms/kms_1.yaml

-Id: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
+Id: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
 Name: kms01
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
-AkmsURL: "http://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
-AkmsCkmsServerPort: "9696"
+AKMS:
+  RemoteAddress: "https://akms-simulator_1:4444/api/v1/keys/push_ksa_key"
+  ServerPort: "9696"
+  ClientTLS:
+    Active: true
+    CAFile: "config/ssl/ca.crt"
+    CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+    KeyFile: "config/ssl/kms/kms1-selfsigned.key"
+  ServerTLS:
+    Active: true
+    CAFile: "config/ssl/ca.crt"
+    CertFile: "config/ssl/kms/kms1-selfsigned.crt"
+    KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: false
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms1-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms1-selfsigned.key"
 Peers:
-    # peer to kms02
-    - PeerId: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
-      PeerInterComAddr: kms02:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_1
+  # peer to kms02
+  - PeerId: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
+    PeerInterComAddr: kms02:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_1
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "5e41c291-6121-4335-84f6-41e04b8bdaa2"

integration-tests/config/kms/kms_2.yaml

-Id: '5e41c291-6121-4335-84f6-41e04b8bdaa2'
+Id: "5e41c291-6121-4335-84f6-41e04b8bdaa2"
 Name: kms02
 InterComAddr: 0.0.0.0:50910
 QuantumAddr: 0.0.0.0:50911
-AkmsURL: "http://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
-AkmsCkmsServerPort: "9696"
+AKMS:
+  RemoteAddress: "https://akms-simulator_2:4444/api/v1/keys/push_ksa_key"
+  ServerPort: "9696"
+  ClientTLS:
+    Active: true
+    CAFile: "config/ssl/ca.crt"
+    CertFile: "config/ssl/kms/kms2-selfsigned.crt"
+    KeyFile: "config/ssl/kms/kms2-selfsigned.key"
+  ServerTLS:
+    Active: true
+    CAFile: "config/ssl/ca.crt"
+    CertFile: "config/ssl/kms/kms2-selfsigned.crt"
+    KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 GRPCTimeoutInSeconds: 600
 KmsTLS:
-  TLS: true
+  Active: false
   CAFile: "config/ssl/ca.crt"
   CertFile: "config/ssl/kms/kms2-selfsigned.crt"
   KeyFile: "config/ssl/kms/kms2-selfsigned.key"
 Peers:
-    # peer to kms01
-    - PeerId: '0ff33c82-7fe1-482b-a0ca-67565806ee4b'
-      PeerInterComAddr: kms01:50910
-      Type: danet
-      # quantum module of type emulated at the given address
-      QuantumModule:
-          Type: emulated
-          Hostname: quantumlayer_2
+  # peer to kms01
+  - PeerId: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"
+    PeerInterComAddr: kms01:50910
+    Type: danet
+    # quantum module of type emulated at the given address
+    QuantumModule:
+      Type: emulated
+      Hostname: quantumlayer_2
 ETSI14Server:
   Address: ":1414"
   RemoteCKMSID: "0ff33c82-7fe1-482b-a0ca-67565806ee4b"

integration-tests/config/kms/tlsConfigs/kms1ReqConfig.txt

@@ -13,4 +13,7 @@ keyUsage = keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = @alt_names
 [alt_names]
+IP.1 = 127.0.0.1
 DNS.1 = kms01
+DNS.2 = akms-simulator_1
+DNS.3 = akms-simulator_2