diff --git a/pkg/common/cryptoutil/keys.go b/pkg/common/cryptoutil/keys.go
index adac44b99c..57b2b41e7e 100644
--- a/pkg/common/cryptoutil/keys.go
+++ b/pkg/common/cryptoutil/keys.go
@@ -29,6 +29,9 @@ func RSAKeyMatches(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey) bool {
 }
 
 func GetPublicKey(ctx context.Context, km keymanager.KeyManager, keyID string) (crypto.PublicKey, error) {
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := km.GetPublicKey(ctx, &keymanager.GetPublicKeyRequest{
 		KeyId: keyID,
 	})
diff --git a/pkg/common/cryptoutil/signer.go b/pkg/common/cryptoutil/signer.go
index 3b0a38916c..f1ae4ab79e 100644
--- a/pkg/common/cryptoutil/signer.go
+++ b/pkg/common/cryptoutil/signer.go
@@ -69,10 +69,16 @@ func (s *KeyManagerSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOp
 	// rand is purposefully ignored since it can't be communicated between
 	// the plugin boundary. The crypto.Signer interface implies this is ok
 	// when it says "possibly using entropy from rand".
-	return s.SignContext(context.Background(), digest, opts)
+	ctx, cancel := context.WithTimeout(context.Background(), keymanager.RPCTimeout)
+	defer cancel()
+
+	return s.SignContext(ctx, digest, opts)
 }
 
 func GenerateKeyRaw(ctx context.Context, km keymanager.KeyManager, keyID string, keyType keymanager.KeyType) ([]byte, error) {
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := km.GenerateKey(ctx, &keymanager.GenerateKeyRequest{
 		KeyId: keyID,
 		KeyType: keyType,
diff --git a/pkg/common/telemetry/server/keymanager/wrapper.go b/pkg/common/telemetry/server/keymanager/wrapper.go
index b2f53484a6..14bd40c320 100644
--- a/pkg/common/telemetry/server/keymanager/wrapper.go
+++ b/pkg/common/telemetry/server/keymanager/wrapper.go
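Review bot: The deadline added to Sign is built from context.Background(), so it bounds only the crypto.Signer entry point; SignContext, which Sign delegates to and which is outside this hunk, still runs with whatever context its caller passes, so a direct SignContext caller using a background context remains unbounded. If the goal is that no KeyManager RPC can hang the signing path, the bound belongs inside SignContext (or in the telemetry wrapper's signing method) so both entry points share it; otherwise the asymmetry deserves a sentence in the doc comment. The existing three-line comment explains the dropped rand but says nothing about the new deadline; add `// Bound the plugin round trip: crypto.Signer gives us no caller context to inherit a deadline from.` above the WithTimeout line. GenerateKeyRaw's timeout also nests inside the one the telemetry wrapper now applies to GenerateKey; nested deadlines are harmless, but enforcing the policy in one layer makes coverage easier to audit.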
@@ -22,6 +22,10 @@ func WithMetrics(km keymanager.KeyManager, metrics telemetry.Metrics) keymanager
 func (w serverKeyManagerWrapper) GenerateKey(ctx context.Context, req *keymanager.GenerateKeyRequest) (_ *keymanager.GenerateKeyResponse, err error) {
 	callCounter := StartGenerateKeyCall(w.m)
 	defer callCounter.Done(&err)
+
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	return w.k.GenerateKey(ctx, req)
 }
 
diff --git a/pkg/server/ca/manager.go b/pkg/server/ca/manager.go
index 780a2c8184..6f0f3207f2 100644
--- a/pkg/server/ca/manager.go
+++ b/pkg/server/ca/manager.go
@@ -690,6 +690,10 @@ func (m *Manager) loadJWTKeySlotFromEntry(ctx context.Context, entry *JWTKeyEntr
 
 func (m *Manager) makeSigner(ctx context.Context, keyID string) (crypto.Signer, error) {
 	km := m.c.Catalog.GetKeyManager()
+
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := km.GetPublicKey(ctx, &keymanager.GetPublicKeyRequest{
 		KeyId: keyID,
 	})
diff --git a/pkg/server/endpoints/bundle/acme_auth.go b/pkg/server/endpoints/bundle/acme_auth.go
index b5286f86ed..6e1360c30f 100644
--- a/pkg/server/endpoints/bundle/acme_auth.go
+++ b/pkg/server/endpoints/bundle/acme_auth.go
@@ -101,6 +101,9 @@ type acmeKeyStore struct {
 func (ks *acmeKeyStore) GetPrivateKey(ctx context.Context, id string) (crypto.Signer, error) {
 	keyID := acmeKeyPrefix + id
 
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := ks.km.GetPublicKey(ctx, &keymanager.GetPublicKeyRequest{
 		KeyId: keyID,
 	})
@@ -127,6 +130,9 @@ type acmeKeyStore struct {
 		return nil, errs.New("unsupported key type: %d", keyType)
 	}
 
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := ks.km.GenerateKey(ctx, &keymanager.GenerateKeyRequest{
 		KeyId: keyID,
 		KeyType: kmKeyType,
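Review bot: The telemetry wrapper now bounds only GenerateKey; if, as the type name suggests, serverKeyManagerWrapper also implements the KeyManager's GetPublicKey and signing methods outside this hunk, those get no deadline here, so the wrapper is an incomplete place to enforce the policy. At the same time GenerateKey is already bounded at each call site (GenerateKeyRaw, acmeKeyStore.NewPrivateKey), which makes this copy redundant. Either give every wrapper method the bound and drop the per-call-site copies, or drop it here; two partial layers make it easy to assume a path is covered when it is not. `defer cancel()` is registered after `defer callCounter.Done(&err)`, so cancel runs first on return, which is fine, but `// cancel fires before the metrics defer (LIFO); err is already set by then` saves the next reader the check.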
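Review bot: A deadline on GenerateKey makes its failure mode indeterminate: if the plugin (a remote KMS or HSM, for instance) creates keyID but the reply misses the 30s window, NewPrivateKey reports an error while a key already exists under that ID, and a retry with the same id may fail or replace it depending on plugin semantics not visible here. The error handling after this hunk should distinguish context.DeadlineExceeded from a plain plugin failure, and the autocert caller's retry behaviour should be checked against it. At minimum add `// NOTE: on context.DeadlineExceeded the plugin may already hold a key for keyID; callers retrying must tolerate that.` above the GenerateKey call; the same caveat applies to GenerateKeyRaw in cryptoutil. NewPrivateKey's body continues past the end of the hunk.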
diff --git a/pkg/server/plugin/keymanager/constant.go b/pkg/server/plugin/keymanager/constant.go
new file mode 100644
index 0000000000..3b5d5d88fb
--- /dev/null
+++ b/pkg/server/plugin/keymanager/constant.go
@@ -0,0 +1,5 @@
+package keymanager
+
+import "time"
+
+const RPCTimeout = 30 * time.Second
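Review bot: RPCTimeout is exported without a doc comment, and since it is now the single policy value for every KeyManager call in this change, the comment should say what it bounds and why: `// RPCTimeout bounds a single KeyManager plugin RPC (GetPublicKey, GenerateKey, signing) so that an unresponsive plugin cannot stall the server indefinitely.` It is also a compile-time constant with no tie to plugin configuration; if a remote HSM or KMS backend can legitimately exceed 30s on key generation, either document that the value was chosen with such backends in mind or make it overridable rather than hard-coding it here.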