39 commits
3cb3e5e
feat(kas): support HSM and standard crypto
sujankota Apr 2, 2024
b993e3c
fix the integeration test
sujankota Apr 2, 2024
d6e0600
fix test
sujankota Apr 2, 2024
ddd1b94
rename lib/crypto to lib/ocrypto
sujankota Apr 4, 2024
c1c7c5c
after merge
sujankota Apr 4, 2024
f7955dd
Fix Dockerfile
sujankota Apr 4, 2024
b40a49e
Fix build
sujankota Apr 4, 2024
b920593
fix the build
sujankota Apr 4, 2024
eb94914
go lint fix
sujankota Apr 4, 2024
4ab185f
fix lint errors
sujankota Apr 4, 2024
8214acd
fix lint errors
sujankota Apr 4, 2024
dcc1435
Fix lint error
sujankota Apr 4, 2024
1f372a5
merge main
sujankota Apr 4, 2024
3483990
Fix lint errors
sujankota Apr 4, 2024
98307e2
github flow fixes
sujankota Apr 4, 2024
4602072
Merge branch 'main' into support-standard-crypto
sujankota Apr 4, 2024
1d200d4
fix the build
sujankota Apr 4, 2024
d4c4a10
Fix lint error
sujankota Apr 4, 2024
9a13e79
Fixed lint errors
sujankota Apr 4, 2024
9a5987e
Fix the integeration test
sujankota Apr 4, 2024
30deeda
Fix lint errors
sujankota Apr 4, 2024
a4c210d
fix the lint error
sujankota Apr 4, 2024
b69212a
fix the lint error
sujankota Apr 4, 2024
70d18be
fix the test
sujankota Apr 4, 2024
00844d1
Fix services tests
sujankota Apr 5, 2024
b9508b7
Merge branch 'main' into support-standard-crypto
sujankota Apr 5, 2024
6ed2fd8
Fix lint error
sujankota Apr 5, 2024
acdbccf
Fix test
sujankota Apr 5, 2024
299cd98
Fix service tests
sujankota Apr 5, 2024
955c1f8
Fix service tests
sujankota Apr 5, 2024
2e29d88
Fix service test
sujankota Apr 5, 2024
49185c8
Fix service test
sujankota Apr 5, 2024
199987d
Fix service tests
sujankota Apr 5, 2024
342432a
Fix service tests
sujankota Apr 5, 2024
cdcc223
Fix service tests
sujankota Apr 5, 2024
373a137
Fix service test
sujankota Apr 5, 2024
c7d192d
Disable HSM
sujankota Apr 5, 2024
a48949b
Fix the ocrypto package
sujankota Apr 5, 2024
08e2e41
Merge branch 'main' into support-standard-crypto
sujankota Apr 5, 2024
24 changes: 12 additions & 12 deletions .github/scripts/hsm-init-temporary-keys.sh
Expand Up @@ -4,15 +4,15 @@

set -ex

: "${OPENTDF_SERVER_HSM_PIN:=12345}"
: "${OPENTDF_SERVER_HSM_KEYS_EC_LABEL:=development-ec-kas}"
: "${OPENTDF_SERVER_HSM_KEYS_RSA_LABEL:=development-rsa-kas}"
: "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN:=12345}"
: "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL:=development-ec-kas}"
: "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL:=development-rsa-kas}"

if [ -z "${OPENTDF_SERVER_HSM_MODULEPATH}" ]; then
if [ -z "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" ]; then
if which brew; then
OPENTDF_SERVER_HSM_MODULEPATH=$(brew --prefix)/lib/softhsm/libsofthsm2.so
OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH=$(brew --prefix)/lib/softhsm/libsofthsm2.so
else
OPENTDF_SERVER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so
OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so
fi
fi

Expand All @@ -21,13 +21,13 @@ if softhsm2-util --show-slots | grep dev-token; then
exit 0
fi

softhsm2-util --init-token --free --label "dev-token" --pin "${OPENTDF_SERVER_HSM_PIN}" --so-pin "${OPENTDF_SERVER_HSM_PIN}"
pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --show-info --list-objects --pin "${OPENTDF_SERVER_HSM_PIN}"
softhsm2-util --init-token --free --label "dev-token" --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --so-pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}"
pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --show-info --list-objects --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}"
openssl req -x509 -nodes -newkey RSA:2048 -subj "/CN=kas" -keyout kas-private.pem -out kas-cert.pem -days 365
openssl ecparam -name prime256v1 >ecparams.tmp
openssl req -x509 -nodes -newkey ec:ecparams.tmp -subj "/CN=kas" -keyout kas-ec-private.pem -out kas-ec-cert.pem -days 365
pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-private.pem --type privkey --label "${OPENTDF_SERVER_HSM_KEYS_RSA_LABEL}"
pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-cert.pem --type cert --label "${OPENTDF_SERVER_HSM_KEYS_RSA_LABEL}"
pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-private.pem --type privkey --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL}"
pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-cert.pem --type cert --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL}"
# https://manpages.ubuntu.com/manpages/jammy/man1/pkcs11-tool.1.html --usage-derive
pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-ec-private.pem --type privkey --label "${OPENTDF_SERVER_HSM_KEYS_EC_LABEL}" --usage-derive
pkcs11-tool --module "${OPENTDF_SERVER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_HSM_PIN}" --write-object kas-ec-cert.pem --type cert --label "${OPENTDF_SERVER_HSM_KEYS_EC_LABEL}"
pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-ec-private.pem --type privkey --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL}" --usage-derive
pkcs11-tool --module "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH}" --login --pin "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN}" --write-object kas-ec-cert.pem --type cert --label "${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL}"
5 changes: 3 additions & 2 deletions .github/workflows/checks.yaml
Expand Up @@ -37,7 +37,7 @@ jobs:
- examples
- sdk
- service
- lib/crypto
- lib/ocrypto
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
Expand Down Expand Up @@ -70,6 +70,8 @@ jobs:
echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf
echo "log.level = DEBUG" >> softhsm2.conf
echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV"
- if: matrix.directory == 'service'
run: .github/scripts/hsm-init-temporary-keys.sh
- run: go test ./... -short
working-directory: ${{ matrix.directory }}

Expand Down Expand Up @@ -99,7 +101,6 @@ jobs:
echo "directories.tokendir = $(pwd)/.tmp/tokens" > softhsm2.conf
echo "log.level = DEBUG" >> softhsm2.conf
echo "SOFTHSM2_CONF=$(pwd)/softhsm2.conf" >> "$GITHUB_ENV"
echo "OPENTDF_SERVER_HSM_PIN=$(openssl rand -hex 4)" >> "$GITHUB_ENV"
- run: .github/scripts/hsm-init-temporary-keys.sh
- run: docker compose up -d --wait --wait-timeout 240
- run: cp opentdf-example.yaml opentdf.yaml
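Review bot: The deleted `echo "OPENTDF_SERVER_HSM_PIN=$(openssl rand -hex 4)" >> "$GITHUB_ENV"` line in the third hunk has no `OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN` replacement, so the integration job now initializes the SoftHSM token with the script's built-in default of 12345, the same fixed value this PR writes into opentdf-example.yaml. If a shared fixed development PIN is the intent, record it where the randomization was removed, e.g. `# HSM PIN left at the hsm-init-temporary-keys.sh default (12345) so it matches opentdf-example.yaml`; otherwise re-add the randomization under the new variable name and make sure the compose stack receives the same value. Either way, hsm-init-temporary-keys.sh runs under `set -ex`, so the chosen PIN is echoed into the job log.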
6 changes: 3 additions & 3 deletions .github/workflows/lint-all.yaml
Expand Up @@ -14,19 +14,19 @@ jobs:
strategy:
matrix:
directory:
- "."
- sdk
- lib/crypto
- lib/ocrypto
- service
- examples
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
with:
go-version: "1.21"
cache-dependency-path: |
./go.sum
sdk/go.sum
examples/go.sum
service/go.sum
- run: make go.work
- name: golangci-lint
# uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -4,7 +4,7 @@ WORKDIR /app
# dependencies, add local,dependant package here
COPY protocol/ protocol/
COPY sdk/ sdk/
COPY lib/crypto lib/crypto
COPY lib/ocrypto lib/ocrypto
COPY service/ service/
COPY examples/ examples/
COPY Makefile ./
4 changes: 2 additions & 2 deletions Makefile
Expand Up @@ -3,8 +3,8 @@

.PHONY: all build clean docker-build fix go-lint lint proto-generate proto-lint sdk/sdk test toolcheck

MODS=protocol/go lib/crypto sdk service examples
HAND_MODS=lib/crypto sdk service examples
MODS=protocol/go lib/ocrypto sdk service examples
HAND_MODS=lib/ocrypto sdk service examples

EXCLUDE_OPENAPI=./service/authorization/idp_plugin.proto

24 changes: 12 additions & 12 deletions README.md
Expand Up @@ -86,26 +86,26 @@ For development, we use [the SoftHSM library](https://www.softhsm.org/),
which presents a `PKCS #11` interface to on CPU cryptography libraries.

```
export OPENTDF_SERVER_HSM_PIN=12345
export OPENTDF_SERVER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so
export OPENTDF_SERVER_HSM_KEYS_EC_LABEL=kas-ec
export OPENTDF_SERVER_HSM_KEYS_RSA_LABEL=kas-rsa
export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN=12345
export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH=/lib/softhsm/libsofthsm2.so
export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_EC_LABEL=kas-ec
export OPENTDF_SERVER_CRYPTOPROVIDER_HSM_KEYS_RSA_LABEL=kas-rsa

pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_HSM_PIN} \
pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \
--write-object kas-private.pem --type privkey \
--label kas-rsa
pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_HSM_PIN} \
pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \
--write-object kas-cert.pem --type cert \
--label kas-rsa

pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_HSM_PIN} \
pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \
--write-object ec-private.pem --type privkey \
--label kas-ec
pkcs11-tool --module $OPENTDF_SERVER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_HSM_PIN} \
pkcs11-tool --module $OPENTDF_SERVER_CRYPTOPROVIDER_HSM_MODULEPATH \
--login --pin ${OPENTDF_SERVER_CRYPTOPROVIDER_HSM_PIN} \
--write-object ec-cert.pem --type cert \
--label kas-ec
```
4 changes: 2 additions & 2 deletions examples/go.mod
Expand Up @@ -11,7 +11,7 @@ require (
)

replace (
github.com/opentdf/platform/lib/crypto => ../lib/crypto
github.com/opentdf/platform/lib/ocrypto => ../lib/ocrypto
github.com/opentdf/platform/protocol/go => ../protocol/go
github.com/opentdf/platform/sdk => ../sdk
)
Expand All @@ -32,7 +32,7 @@ require (
github.com/lestrrat-go/iter v1.0.2 // indirect
github.com/lestrrat-go/jwx/v2 v2.0.21 // indirect
github.com/lestrrat-go/option v1.0.1 // indirect
github.com/opentdf/platform/lib/crypto v0.0.0-00010101000000-000000000000 // indirect
github.com/opentdf/platform/lib/ocrypto v0.0.0-00010101000000-000000000000 // indirect
github.com/rogpeppe/go-internal v1.12.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/segmentio/asm v1.2.0 // indirect
3 changes: 0 additions & 3 deletions lib/crypto/go.mod

This file was deleted.

File renamed without changes.
2 changes: 1 addition & 1 deletion lib/crypto/aes_gcm.go → lib/ocrypto/aes_gcm.go
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"crypto/aes"
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"encoding/hex"
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"crypto"
Expand All @@ -10,7 +10,7 @@ import (
)

type AsymDecryption struct {
privateKey *rsa.PrivateKey
PrivateKey *rsa.PrivateKey
}

// NewAsymDecryption creates and returns a new AsymDecryption.
Expand All @@ -37,11 +37,11 @@ func NewAsymDecryption(privateKeyInPem string) (AsymDecryption, error) {

// Decrypt decrypts ciphertext with private key.
func (asymDecryption AsymDecryption) Decrypt(data []byte) ([]byte, error) {
if asymDecryption.privateKey == nil {
if asymDecryption.PrivateKey == nil {
return nil, errors.New("failed to decrypt, private key is empty")
}

bytes, err := asymDecryption.privateKey.Decrypt(nil,
bytes, err := asymDecryption.PrivateKey.Decrypt(nil,
data,
&rsa.OAEPOptions{Hash: crypto.SHA1})
if err != nil {
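Review bot: Changing the field to `PrivateKey *rsa.PrivateKey` in the first hunk makes the RSA private key reachable from any package that holds an `AsymDecryption` value and lets callers replace it after `NewAsymDecryption` has validated it; the same widening is applied to `PublicKey` in asym_encryption.go. If a key loader elsewhere in this PR needs to populate the field directly, that reason belongs in a doc comment on the struct, which currently has none, e.g. `// AsymDecryption decrypts RSA-OAEP ciphertext with PrivateKey. PrivateKey is exported so callers that load keys themselves can populate it; Decrypt returns an error when it is nil.` If no caller needs write access, an accessor method would expose the key without making the field assignable. `Decrypt` continues past the end of the second hunk.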
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"testing"
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"crypto/rand"
Expand All @@ -12,7 +12,7 @@ import (
)

type AsymEncryption struct {
publicKey *rsa.PublicKey
PublicKey *rsa.PublicKey
}

// NewAsymEncryption creates and returns a new AsymEncryption.
Expand Down Expand Up @@ -53,14 +53,35 @@ func NewAsymEncryption(publicKeyInPem string) (AsymEncryption, error) {

// Encrypt encrypts data with public key.
func (asymEncryption AsymEncryption) Encrypt(data []byte) ([]byte, error) {
if asymEncryption.publicKey == nil {
if asymEncryption.PublicKey == nil {
return nil, errors.New("failed to encrypt, public key is empty")
}

bytes, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, asymEncryption.publicKey, data, nil) //nolint:gosec // used for padding which is safe
bytes, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, asymEncryption.PublicKey, data, nil) //nolint:gosec // used for padding which is safe
if err != nil {
return nil, fmt.Errorf("rsa.EncryptOAEP failed: %w", err)
}

return bytes, nil
}

// PublicKeyInPemFormat Returns public key in pem format.
func (asymEncryption AsymEncryption) PublicKeyInPemFormat() (string, error) {
if asymEncryption.PublicKey == nil {
return "", errors.New("failed to generate PEM formatted public key")
}

publicKeyBytes, err := x509.MarshalPKIXPublicKey(asymEncryption.PublicKey)
if err != nil {
return "", fmt.Errorf("x509.MarshalPKIXPublicKey failed: %w", err)
}

publicKeyPem := pem.EncodeToMemory(
&pem.Block{
Type: "PUBLIC KEY",
Bytes: publicKeyBytes,
},
)

return string(publicKeyPem), nil
}
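Review bot: The nil-key error in the new `PublicKeyInPemFormat`, `errors.New("failed to generate PEM formatted public key")`, does not say what went wrong, while `Encrypt` a few lines above reports `public key is empty` for the same condition; use `errors.New("failed to generate PEM formatted public key, public key is empty")` so the two messages stay parallel. The doc comment `// PublicKeyInPemFormat Returns public key in pem format.` capitalizes mid-sentence; Go convention would be `// PublicKeyInPemFormat returns the public key as a PEM-encoded PKIX "PUBLIC KEY" block, or an error if PublicKey is nil.` The method uses `x509` and `pem`, whose imports are outside this hunk, so confirm they were added to the import block.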
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"crypto/hmac"
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"testing"
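--- a/lib/ocrypto/go.mod
+++ b/lib/ocrypto/go.mod
@@ -0,0 +1,3 @@
+module github.com/opentdf/platform/lib/ocrypto
+
+go 1.21.8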
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"crypto/rand"
@@ -1,4 +1,4 @@
package crypto
package ocrypto

import (
"testing"
29 changes: 21 additions & 8 deletions opentdf-example.yaml
Expand Up @@ -67,16 +67,29 @@ server:

grpc:
reflectionEnabled: true # Default is false
hsm:
enabled: true
# As configured by hsm-init-temporary-keys.sh
pin: "12345"
slotlabel: "dev-token"
keys:
cryptoProvider:
hsm:
enabled: false
# As configured by hsm-init-temporary-keys.sh
pin: "12345"
slotlabel: "dev-token"
keys:
rsa:
label: development-rsa-kas
ec:
label: development-ec-kas
standard:
rsa:
label: development-rsa-kas
123:
privateKeyPath: kas-private.pem
publicKeyPath: kas-cert.pem
456:
privateKeyPath: kas-private.pem
publicKeyPath: kas-cert.pem
ec:
label: development-ec-kas
123:
privateKeyPath: kas-ec-private.pem
publicKeyPath: kas-ec-cert.pem
port: 8080
opa:
embedded: true # Only for local development
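Review bot: The new `standard` block under `cryptoProvider` maps two RSA key ids, `123` and `456`, to the identical `kas-private.pem` / `kas-cert.pem` pair, and `publicKeyPath` points at a file that hsm-init-temporary-keys.sh produces with `openssl req -x509 ... -out kas-cert.pem`, i.e. an X.509 certificate rather than a bare public key; whether the standard provider accepts a certificate PEM there is not visible in this diff and should be confirmed. The example should mark these as development placeholders, e.g. `# Development only: PEM files are generated by .github/scripts/hsm-init-temporary-keys.sh; the two ids deliberately reference the same key pair`. The unquoted `123` and `456` parse as YAML integers, which may matter if the loader expects string key ids; quoting them (`"123":`) removes the ambiguity. The paths are relative and resolve against the server's working directory, which is worth a comment as well.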