spiffe · evan2645 · Jan 19, 2021 · Jan 11, 2021 · Jan 19, 2021
diff --git a/pkg/common/cryptoutil/keys.go b/pkg/common/cryptoutil/keys.go
@@ -29,6 +29,9 @@ func RSAKeyMatches(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey) bool {
 }
 
 func GetPublicKey(ctx context.Context, km keymanager.KeyManager, keyID string) (crypto.PublicKey, error) {
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := km.GetPublicKey(ctx, &keymanager.GetPublicKeyRequest{
 		KeyId: keyID,
 	})

diff --git a/pkg/common/cryptoutil/signer.go b/pkg/common/cryptoutil/signer.go
@@ -69,10 +69,16 @@ func (s *KeyManagerSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOp
 	// rand is purposefully ignored since it can't be communicated between
 	// the plugin boundary. The crypto.Signer interface implies this is ok
 	// when it says "possibly using entropy from rand".
-	return s.SignContext(context.Background(), digest, opts)
+	ctx, cancel := context.WithTimeout(context.Background(), keymanager.RPCTimeout)
+	defer cancel()
+
+	return s.SignContext(ctx, digest, opts)
 }
 
 func GenerateKeyRaw(ctx context.Context, km keymanager.KeyManager, keyID string, keyType keymanager.KeyType) ([]byte, error) {
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := km.GenerateKey(ctx, &keymanager.GenerateKeyRequest{
 		KeyId:   keyID,
 		KeyType: keyType,

diff --git a/pkg/common/telemetry/server/keymanager/wrapper.go b/pkg/common/telemetry/server/keymanager/wrapper.go
@@ -22,6 +22,10 @@ func WithMetrics(km keymanager.KeyManager, metrics telemetry.Metrics) keymanager
 func (w serverKeyManagerWrapper) GenerateKey(ctx context.Context, req *keymanager.GenerateKeyRequest) (_ *keymanager.GenerateKeyResponse, err error) {
 	callCounter := StartGenerateKeyCall(w.m)
 	defer callCounter.Done(&err)
+
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	return w.k.GenerateKey(ctx, req)
 }
 

diff --git a/pkg/server/ca/manager.go b/pkg/server/ca/manager.go
@@ -690,6 +690,10 @@ func (m *Manager) loadJWTKeySlotFromEntry(ctx context.Context, entry *JWTKeyEntr
 
 func (m *Manager) makeSigner(ctx context.Context, keyID string) (crypto.Signer, error) {
 	km := m.c.Catalog.GetKeyManager()
+
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := km.GetPublicKey(ctx, &keymanager.GetPublicKeyRequest{
 		KeyId: keyID,
 	})

diff --git a/pkg/server/endpoints/bundle/acme_auth.go b/pkg/server/endpoints/bundle/acme_auth.go
@@ -101,6 +101,9 @@ type acmeKeyStore struct {
 func (ks *acmeKeyStore) GetPrivateKey(ctx context.Context, id string) (crypto.Signer, error) {
 	keyID := acmeKeyPrefix + id
 
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := ks.km.GetPublicKey(ctx, &keymanager.GetPublicKeyRequest{
 		KeyId: keyID,
 	})
@@ -127,6 +130,9 @@ func (ks *acmeKeyStore) NewPrivateKey(ctx context.Context, id string, keyType au
 		return nil, errs.New("unsupported key type: %d", keyType)
 	}
 
+	ctx, cancel := context.WithTimeout(ctx, keymanager.RPCTimeout)
+	defer cancel()
+
 	resp, err := ks.km.GenerateKey(ctx, &keymanager.GenerateKeyRequest{
 		KeyId:   keyID,
 		KeyType: kmKeyType,

diff --git a/pkg/server/plugin/keymanager/constant.go b/pkg/server/plugin/keymanager/constant.go
@@ -0,0 +1,5 @@
+package keymanager
+
+import "time"
+
+const RPCTimeout = 30 * time.Second