PKCS#11 (#511)
* PKCS#11 untested

* PKCS#11 test

* PKCS#11 doc

* missing docs

* limit PKCS#11 handle parsing to 32 bit

* Ed25519 support for PKCS#11 backend

* go-pkcs11 v0.2.1

* chore: remove windows builds from goreleaser

* go-pkcs11 bump

* PKCS#11 vault reworked

* PKCS#11 doc updated

* index field can be used to locate a key in a set with the same label

* make index field optional and return an error if it's not specified while multiple keys are present

* pick a key by handle, index is gone

* missed error formatting

* in debug mode print all available PKCS11 objects with handles

* handles aren't reusable, gone

* doc updated

* print IDs in debug mode

* print handles in debug mode

* go-pkcs11 bump

* pkcs11.OptOsLockingOk is back

* go-pkcs11 updated to 2.3.0 with new attribute logic
pkcs11 backend can now use public key data stored inside a private key object, config format changed
code cleanup

* list template fix

* mode cleanup

* optionally display key reference

* extended_private default value in auto-discovery mode set to true

* PKCS#11 backend documentation updated

* formatting fixed

* Minor security fixes

* use strconv.IntSize

---------

Co-authored-by: GImbrailo <[email protected]>
e-asphyx and GImbrailo authored Dec 2, 2024
1 parent 1b20028 commit 7f25407
Showing 26 changed files with 775 additions and 902 deletions.
2 changes: 1 addition & 1 deletion cmd/approve-list-svc/server/server_test.go
Expand Up @@ -62,7 +62,7 @@ func testServer(t *testing.T, addr []net.IP) error {
VaultFactory: vault.FactoryFunc(func(ctx context.Context, name string, conf *yaml.Node) (vault.Vault, error) {
return memory.New([]*memory.PrivateKey{
{
PrivateKey: signPriv,
Key: signPriv,
},
}, "Mock")
}),
16 changes: 12 additions & 4 deletions cmd/commands/utils.go
Expand Up @@ -6,12 +6,13 @@ import (
"text/template"

"github.com/ecadlabs/signatory/pkg/signatory"
"github.com/ecadlabs/signatory/pkg/vault"
)

const listTemplateSrc = `{{range . -}}
Public Key Hash: {{.PublicKeyHash}}
Vault: {{.VaultName}}
ID: {{.ID}}
Public Key Hash: {{.Hash}}
Reference: {{keyRef .KeyReference}}
Vault: {{.Vault.Name}}
Active: {{.Active}}
{{with .Policy -}}
Allowed Requests: {{.AllowedRequests}}
Expand All @@ -21,7 +22,14 @@ Allowed Operations: {{.AllowedOps}}
`

var (
listTpl = template.Must(template.New("list").Parse(listTemplateSrc))
listTpl = template.Must(template.New("list").Funcs(template.FuncMap{
"keyRef": func(ref vault.KeyReference) string {
if withID, ok := ref.(vault.WithID); ok {
return withID.ID()
}
return ""
},
}).Parse(listTemplateSrc))
)

func listKeys(s *signatory.Signatory, w io.Writer, ctx context.Context) error {
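Review bot: The `keyRef` template func returns "" for any KeyReference that does not implement vault.WithID, so for those backends the new `Reference:` line renders as a blank field and the reader cannot tell "backend has no ID" from "backend reported an empty ID". Either drop the line when there is nothing to show, `{{with keyRef .KeyReference}}Reference: {{.}}{{end}}` (moving the newline inside the with-block), or fall back to `ref.String()` if vault.KeyReference is a fmt.Stringer — the server test's mockRef implements String(), which suggests it is, but that is inferred, not visible here. The func also has no comment; suggest `// keyRef renders the backend-specific key identifier, or "" when the backend does not expose one.` listKeys starts on the last line of the hunk and its body is outside this view.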
10 changes: 1 addition & 9 deletions cmd/signatory-cli/main.go
Expand Up @@ -12,15 +12,7 @@ import (

"github.com/ecadlabs/signatory/pkg/vault"
// Install backends
_ "github.com/ecadlabs/signatory/pkg/vault/aws"
_ "github.com/ecadlabs/signatory/pkg/vault/azure"
_ "github.com/ecadlabs/signatory/pkg/vault/cloudkms"
_ "github.com/ecadlabs/signatory/pkg/vault/file"
_ "github.com/ecadlabs/signatory/pkg/vault/hashicorp"
_ "github.com/ecadlabs/signatory/pkg/vault/ledger"
_ "github.com/ecadlabs/signatory/pkg/vault/mem"
_ "github.com/ecadlabs/signatory/pkg/vault/pkcs11"
_ "github.com/ecadlabs/signatory/pkg/vault/yubi"
_ "github.com/ecadlabs/signatory/pkg/vault/preamble"
)

func newRootCommand(ctx context.Context) *cobra.Command {
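Review bot: Which vault backends are compiled into signatory-cli is now decided entirely by pkg/vault/preamble, which is not part of this diff, so nothing in this file documents that aws, azure, cloudkms, file, hashicorp, ledger, mem, pkcs11 and yubi are still linked in. A one-line comment on the remaining import would help the next reader, e.g. `// preamble registers every built-in vault backend; add or remove backends there, not here.` It is also worth confirming that preamble's registrations match the nine blank imports removed here, since a backend dropped by accident would presumably only surface at runtime when a config names it.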
10 changes: 1 addition & 9 deletions cmd/signatory/main.go
Expand Up @@ -11,15 +11,7 @@ import (
"github.com/spf13/cobra"

// Install backends
_ "github.com/ecadlabs/signatory/pkg/vault/aws"
_ "github.com/ecadlabs/signatory/pkg/vault/azure"
_ "github.com/ecadlabs/signatory/pkg/vault/cloudkms"
_ "github.com/ecadlabs/signatory/pkg/vault/file"
_ "github.com/ecadlabs/signatory/pkg/vault/hashicorp"
_ "github.com/ecadlabs/signatory/pkg/vault/ledger"
_ "github.com/ecadlabs/signatory/pkg/vault/mem"
_ "github.com/ecadlabs/signatory/pkg/vault/pkcs11"
_ "github.com/ecadlabs/signatory/pkg/vault/yubi"
_ "github.com/ecadlabs/signatory/pkg/vault/preamble"
)

func newRootCommand(ctx context.Context) *cobra.Command {
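Review bot: The daemon binary now inherits its backend set from pkg/vault/preamble, which is outside this diff, so this file no longer shows which vaults the signing server can load; the same replacement is made in signatory-cli, so the two binaries are presumably kept in sync by construction, but that is not verifiable from this hunk. Suggest the same import comment as for the CLI, `// preamble registers every built-in vault backend; add or remove backends there, not here.`, and a check that preamble lists pkcs11, since this commit is the one introducing it and the explicit pkcs11 import is removed here.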
87 changes: 67 additions & 20 deletions docs/pkcs11.md
Expand Up @@ -7,30 +7,77 @@ title: PKCS#11

## Configuration

|||||
|--- |--- |--- |--- |
|Name|Type|Required|Description|
|library_path|string||Library Path|
|pin|string||User PIN|
|slot|string||Slot ID|
|label|string||Limit key search to the specified label (use in case of multiple key pairs in the same token)|
|object_ih|hex||Limit key search to the specified object ID (use in case of multiple key pairs in the same token)|
| Field | Type | Required | Description |
| -------------------------- | ---------------------------------- | -------- | ------------------------------------------------------------ |
| library_path | string || Library path. If not specified then `PKCS11_PATH` environment variable value will be used instead. |
| slot | unsigned integer | | Slot ID. Is both the field and `PKCS11_SLOT` environment variable are missed then the first slot with an initialised token will be used. |
| pin | string || User PIN. If not specified then `PKCS11_PIN` environment variable value will be used instead. |
| keys | sequence of `Key Pair` (see below) | | Key list. Use all available keys if not specified (see `public_keys_search_options` description) |
| public_keys_search_options | | | Automatic key pair discovery options (see below) |

**Note**: If the token contains multiple key pairs, every pair must have unique label or ID shared between private and public parts.
### Key Pair

### Example
| Field | Type | Required | Description |
| ---------------- | ------------------------ | -------- | ------------------------------------------------------------ |
| private | `Key Config` (see below) | | Private key locator. |
| public | `Key Config` | | Public key locator. |
| public_value | Base58 string | | Public key value. |
| extended_private | boolean | | Try to read the public key data from the private key object. In some PKCS#11 implementations private key objects have `EC_POINT` attribute. |

**Note**: `public_value` takes precedence over `public`. If none of `public` and `public_value` fields are present then the private key locator `Key Config` will be reused.

### Key Config

| Field | Type | Required | Description |
| ----- | ------ | -------- | ------------ |
| label | string | | Object label |
| id | hex | | Object ID |

### Public Keys Search Options

| Field | Type | Required | Description |
| ---------------- | ------- | -------- | ------------------------------------------------------------ |
| match_label | boolean | | Find the corresponding public key by matching label. |
| match_id | boolean | | Find the corresponding public key by matching ID. |
| extended_private | boolean | | Try to read the public key data from the private key object. |

**Note**: if the whole object is missing then all options will be assumed as **true**

### Environment Variables

| Variable | Description |
| ----------- | ------------ |
| PKCS11_PATH | Library path |
| PKCS11_SLOT | Slot ID |
| PKCS11_PIN | User PIN |

## Examples

### Automatic discovery

```yaml
library_path: /opt/homebrew/lib/softhsm/libsofthsm2.so
pin: 1234
slot: 0x4d0b85a2
label: TestKey
library_path: /usr/lib/hsmdriver/libhsmdriver.so
pin: user_pin
```
## Environment variables
### Manual Configuration
* `PKCS11_PATH`
* `PKCS11_PIN`
* `PKCS11_SLOT`
* `PKCS11_LABEL`
* `PKCS11_OBJECT_ID`
```yaml
library_path: /usr/lib/hsmdriver/libhsmdriver.so
slot: 0
pin: user_pin
keys:
- private:
label: PrivateKey0
public:
label: PublicKey0
- private:
label: Key1
# Use public key with the same label `Key1'
- private:
id: 1234abcd
public_value: edpkuXdPrbYEu5x54NaZEzaSHzwi5Tis5NBHrs58AMJXf4gS4iz5eQ
- private:
label: Key2
extended_private: true # Read the public key from the private object
```
12 changes: 6 additions & 6 deletions go.mod
Expand Up @@ -14,7 +14,7 @@ require (
github.com/aws/smithy-go v1.20.3
github.com/certusone/yubihsm-go v0.3.0
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0
github.com/ecadlabs/go-pkcs11 v0.2.1
github.com/ecadlabs/go-pkcs11 v0.3.0
github.com/ecadlabs/goblst v1.0.0
github.com/ecadlabs/gotez/v2 v2.1.3
github.com/go-playground/validator/v10 v10.22.0
Expand All @@ -29,7 +29,7 @@ require (
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.8.0
github.com/stretchr/testify v1.9.0
golang.org/x/crypto v0.28.0
golang.org/x/crypto v0.29.0
golang.org/x/exp v0.0.0-20231127185646-65229373498e
golang.org/x/oauth2 v0.15.0
google.golang.org/api v0.152.0
Expand Down Expand Up @@ -75,7 +75,7 @@ require (
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/rogpeppe/go-internal v1.13.1 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sync v0.9.0 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/genproto v0.0.0-20231127180814-3a041ad873d4 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231127180814-3a041ad873d4 // indirect
Expand All @@ -102,9 +102,9 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sys v0.26.0 // indirect
golang.org/x/term v0.25.0
golang.org/x/text v0.19.0 // indirect
golang.org/x/sys v0.27.0 // indirect
golang.org/x/term v0.26.0
golang.org/x/text v0.20.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/grpc v1.59.0 // indirect
google.golang.org/protobuf v1.31.0 // indirect
25 changes: 12 additions & 13 deletions go.sum
Expand Up @@ -67,8 +67,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
github.com/ecadlabs/go-pkcs11 v0.2.1 h1:/3qAVS+lTNyrlBYXq6lq+tmp9fz24/5YSY3bVzTuMsg=
github.com/ecadlabs/go-pkcs11 v0.2.1/go.mod h1:PwAVBY0muwp6quQFmSDcB5Ekl4TjGG7cEQQwY9KpNVc=
github.com/ecadlabs/go-pkcs11 v0.3.0 h1:AsLURdNoZn0YocumJFloWXIlx1f2SDw4eTx4nPMa7II=
github.com/ecadlabs/go-pkcs11 v0.3.0/go.mod h1:PwAVBY0muwp6quQFmSDcB5Ekl4TjGG7cEQQwY9KpNVc=
github.com/ecadlabs/goblst v1.0.0 h1:8/e3SQGwqbV0+ul+pg0aSNFfC3lgQcvEed3VdDBXSl8=
github.com/ecadlabs/goblst v1.0.0/go.mod h1:s67gqaOol9o6fguh+evH75X5uQniOhv1HG/EU8xPLPY=
github.com/ecadlabs/gotez/v2 v2.1.3 h1:RGNtvb+UAtstTQYCsdE4XAeaEZwj3a5AliLluEOsoAg=
Expand Down Expand Up @@ -244,7 +244,6 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
Expand All @@ -256,8 +255,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20231127185646-65229373498e h1:Gvh4YaCaXNs6dKTlfgismwWZKyjVZXwOPfIyUaqU3No=
golang.org/x/exp v0.0.0-20231127185646-65229373498e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
Expand Down Expand Up @@ -285,8 +284,8 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
Expand All @@ -302,20 +301,20 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
2 changes: 1 addition & 1 deletion pkg/server/server.go
Expand Up @@ -152,7 +152,7 @@ func (s *Server) getKeyHandler(w http.ResponseWriter, r *http.Request) {
resp := struct {
PublicKey crypt.PublicKey `json:"public_key"`
}{
PublicKey: key.PublicKey,
PublicKey: key.PublicKey(),
}
jsonResponse(w, http.StatusOK, &resp)
}
14 changes: 13 additions & 1 deletion pkg/server/server_test.go
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/ecadlabs/gotez/v2/crypt"
"github.com/ecadlabs/signatory/pkg/server"
"github.com/ecadlabs/signatory/pkg/signatory"
"github.com/ecadlabs/signatory/pkg/vault"
"github.com/stretchr/testify/require"
)

Expand Down Expand Up @@ -130,6 +131,17 @@ func TestSign(t *testing.T) {
}
}

type mockRef struct {
key crypt.PublicKey
}

func (k *mockRef) PublicKey() crypt.PublicKey { return k.key }
func (k *mockRef) String() string { return k.key.Hash().String() }
func (k *mockRef) Vault() vault.Vault { panic("not implemented") }
func (k *mockRef) Sign(ctx context.Context, message []byte) (crypt.Signature, error) {
panic("not implemented")
}

func TestGetPublicKey(t *testing.T) {
type testCase struct {
Name string
Expand Down Expand Up @@ -157,7 +169,7 @@ func TestGetPublicKey(t *testing.T) {
{
Name: "Normal",
StatusCode: http.StatusOK,
Response: &signatory.PublicKey{PublicKey: mustPk(&tz.Ed25519PublicKey{1, 2, 3})},
Response: &signatory.PublicKey{KeyReference: &mockRef{mustPk(&tz.Ed25519PublicKey{1, 2, 3})}},
Expected: "{\"public_key\":\"edpktefgU4dfKqN1rZVBwBP8ZueBoJZfhDS3kHPSbo8c3aGPrMrunt\"}\n",
},
}
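Review bot: The new test value `&mockRef{mustPk(&tz.Ed25519PublicKey{1, 2, 3})}` is an unkeyed composite literal; `&mockRef{key: mustPk(&tz.Ed25519PublicKey{1, 2, 3})}` is the usual form and keeps the literal valid if a field is ever added to mockRef. The mock's `Vault()` and `Sign()` panic with "not implemented", which is fine for a handler test that only reads the public key, but a short comment above the type, `// mockRef is a KeyReference stub for handlers that only need PublicKey; Vault and Sign must not be reached.`, would make the intent clear when a later handler change does reach them. TestGetPublicKey's body continues outside the hunk.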
22 changes: 8 additions & 14 deletions pkg/signatory/import.go
Expand Up @@ -41,27 +41,21 @@ func (s *Signatory) Import(ctx context.Context, importerName string, secretKey s
logPKH: hash,
logVault: importer.Name(),
})
if n, ok := importer.(vault.VaultNamer); ok {
l = l.WithField(logVaultName, n.VaultName())
} else {
l = l.WithField(logVaultName, importerName)
}

l.Info("Requesting import operation")

stored, err := importer.Import(ctx, priv, opt)
ref, err := importer.Import(ctx, priv, opt)
if err != nil {
return nil, err
}

s.cache.push(&keyVaultPair{pkh: hash, key: stored, vault: importer})
s.cache.push(&keyVaultPair{pkh: hash, key: ref})

l.WithField(logKeyID, stored.ID()).Info("Successfully imported")
l.WithField(logPKH, hash).Info("Successfully imported")
pol := s.fetchPolicyOrDefault(hash)
return &PublicKey{
PublicKey: pub,
PublicKeyHash: hash,
VaultName: importer.Name(),
ID: stored.ID(),
Policy: s.fetchPolicyOrDefault(hash),
KeyReference: ref,
Hash: hash,
Policy: s.fetchPolicyOrDefault(hash),
Active: pol != nil,
}, nil
}
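Review bot: `Policy: s.fetchPolicyOrDefault(hash),` in the returned struct repeats the lookup that already produced `pol` two lines earlier, so Policy and Active are derived from two separate calls; use `Policy: pol,` so both fields come from the same value. On the line above, `l.WithField(logPKH, hash).Info("Successfully imported")` re-adds a field the logger already carries from the `logPKH: hash` entry at the top of the hunk, so `l.Info("Successfully imported")` is enough. Separately, removing the VaultNamer branch means the import audit log now records only the backend type from `importer.Name()` and no longer the configured vault instance name; if that was not intentional, `logVaultName` should be restored from whatever the new reference exposes (the server test's mockRef has a `Vault()` method, which looks like the candidate, but that is inferred). Import's signature and the start of its body are outside the hunk.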
6 changes: 2 additions & 4 deletions pkg/signatory/policy_hook_test.go
Expand Up @@ -104,8 +104,7 @@ func testPolicyHookAuth(t *testing.T, status int) error {
VaultFactory: vault.FactoryFunc(func(ctx context.Context, name string, conf *yaml.Node) (vault.Vault, error) {
return memory.New([]*memory.PrivateKey{
{
PrivateKey: signPriv,
KeyID: signKeyHash.String(),
Key: signPriv,
},
}, "Mock")
}),
Expand Down Expand Up @@ -143,8 +142,7 @@ func testPolicyHook(t *testing.T, status int) error {
VaultFactory: vault.FactoryFunc(func(ctx context.Context, name string, conf *yaml.Node) (vault.Vault, error) {
return memory.New([]*memory.PrivateKey{
{
PrivateKey: signPriv,
KeyID: signKeyHash.String(),
Key: signPriv,
},
}, "Mock")
}),
