-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
scion-pki: enable kms support #4617
Conversation
f7a78e2
to
2df9895
Compare
FWIW. I think longterm we should just migrate to using step directly and provide scion specific things via plugins, rather than maintain our own scion-pki tool. |
c184aae
to
2df9895
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 28 of 32 files at r1, 4 of 4 files at r3, all commit messages.
Reviewable status: all files reviewed, 7 unresolved discussions (waiting on @lukedirtwalker and @oncilla)
doc/command/scion-pki/scion-pki_kms.rst
line 14 at r3 (raw file):
This command leverages the step-kms-plugin to interact with the cloud KMS and HSMs.
Spell out KMS and HSM at least once:
"This command leverages the step-kms-plugin to interact with cloud Key Management Systems (KMS) and Hardware Security Modules (HSM)."
scion-pki/certs/create.go
line 210 at r3 (raw file):
} if flags.existingKey == "" && flags.kms != "" { return serrors.New("kms flag is only allowed with existing key")
"The kms flag is only allowed with an existing key."
scion-pki/certs/create.go
line 244 at r3 (raw file):
} if !key.IsX509Signer(privKey) { return serrors.New("private key cannot be used in X.509 certificates",
"A private key cannot be used in X.509 certificates."
scion-pki/certs/create.go
line 267 at r3 (raw file):
} if !key.IsX509Signer(caKey) { return serrors.New("CA key cannot be used to create X.509 certificates",
"A CA key cannot be used to create X.509 certificates."
scion-pki/certs/sign.go
line 125 at r3 (raw file):
} if !key.IsX509Signer(caKey) { return serrors.New("CA key cannot be used to create X.509 certificates",
Ditto; use articles.
scion-pki/cmd/scion-pki/kms.go
line 1 at r3 (raw file):
// Copyright 2020 Anapaya Systems
2024
scion-pki/cmd/scion-pki/kms.go
line 111 at r3 (raw file):
func rpad(s string, padding int) string { formattedString := fmt.Sprintf("%%-%ds", padding) return fmt.Sprintf(formattedString, s)
I think there's a linter check that objects to not using litteral strings as formats. (With some good reasons, albeit not applicable here). May-be there's way around that with a "*", like Sprintf("%-*s", padding, s) (I honestly never used that, just found it in the fmt pkg doc)
0ea2b3a
to
63995f1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 7 unresolved discussions (waiting on @jiceatscion and @lukedirtwalker)
doc/command/scion-pki/scion-pki_kms.rst
line 14 at r3 (raw file):
Previously, jiceatscion wrote…
Spell out KMS and HSM at least once:
"This command leverages the step-kms-plugin to interact with cloud Key Management Systems (KMS) and Hardware Security Modules (HSM)."
Done.
scion-pki/certs/create.go
line 210 at r3 (raw file):
Previously, jiceatscion wrote…
"The kms flag is only allowed with an existing key."
Done.
scion-pki/certs/create.go
line 244 at r3 (raw file):
Previously, jiceatscion wrote…
"A private key cannot be used in X.509 certificates."
Done.
scion-pki/certs/create.go
line 267 at r3 (raw file):
Previously, jiceatscion wrote…
"A CA key cannot be used to create X.509 certificates."
Done.
scion-pki/certs/sign.go
line 125 at r3 (raw file):
Previously, jiceatscion wrote…
Ditto; use articles.
Done.
scion-pki/cmd/scion-pki/kms.go
line 1 at r3 (raw file):
Previously, jiceatscion wrote…
2024
Done.
scion-pki/cmd/scion-pki/kms.go
line 111 at r3 (raw file):
Previously, jiceatscion wrote…
I think there's a linter check that objects to not using litteral strings as formats. (With some good reasons, albeit not applicable here). May-be there's way around that with a "*", like Sprintf("%-*s", padding, s) (I honestly never used that, just found it in the fmt pkg doc)
Done. (originally copied from cobra source)
63995f1
to
9b9403a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 7 of 7 files at r4, all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @lukedirtwalker)
Enable the scion-pki tool to interact with various cloud KMS and HSMs through the step-kms-plugin. The step-kms-plugin must be installed and available in the PATH. For more information about step-kms-plugin, please refer to the documentation at https://github.com/smallstep/step-kms-plugin. To see example usage of step-kms-plugin, please refer to https://smallstep.com/docs/step-ca/cryptographic-protection
f422306
to
f35e5b6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 22 of 32 files at r1, 2 of 4 files at r3, 4 of 7 files at r4, 4 of 4 files at r5, all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @lukedirtwalker)
Enable the scion-pki tool to interact with various cloud KMS and HSMs through the step-kms-plugin. The step-kms-plugin must be installed and available in the PATH.
For more information about step-kms-plugin, please refer to the documentation at https://github.com/smallstep/step-kms-plugin.
To see example usage of step-kms-plugin, please
refer to
https://smallstep.com/docs/step-ca/cryptographic-protection