scion-pki: enable kms support #4617
Conversation
|
This change is |
oncilla
force-pushed
the
scion-pki-kms
branch
from
f7a78e2
to
2df9895
Compare
|
FWIW. I think longterm we should just migrate to using step directly and provide scion specific things via plugins, rather than maintain our own scion-pki tool. |
oncilla
force-pushed
the
scion-pki-kms
branch
from
c184aae
to
2df9895
Compare
There was a problem hiding this comment.
Reviewed 28 of 32 files at r1, 4 of 4 files at r3, all commit messages.
Reviewable status: all files reviewed, 7 unresolved discussions (waiting on @lukedirtwalker and @oncilla)
doc/command/scion-pki/scion-pki_kms.rst line 14 at r3 (raw file):
This command leverages the step-kms-plugin to interact with the cloud KMS and HSMs.
Spell out KMS and HSM at least once:
"This command leverages the step-kms-plugin to interact with cloud Key Management Systems (KMS) and Hardware Security Modules (HSM)."
scion-pki/certs/create.go line 210 at r3 (raw file):
} if flags.existingKey == "" && flags.kms != "" { return serrors.New("kms flag is only allowed with existing key")
"The kms flag is only allowed with an existing key."
scion-pki/certs/create.go line 244 at r3 (raw file):
} if !key.IsX509Signer(privKey) { return serrors.New("private key cannot be used in X.509 certificates",
"A private key cannot be used in X.509 certificates."
scion-pki/certs/create.go line 267 at r3 (raw file):
} if !key.IsX509Signer(caKey) { return serrors.New("CA key cannot be used to create X.509 certificates",
"A CA key cannot be used to create X.509 certificates."
scion-pki/certs/sign.go line 125 at r3 (raw file):
} if !key.IsX509Signer(caKey) { return serrors.New("CA key cannot be used to create X.509 certificates",
Ditto; use articles.
scion-pki/cmd/scion-pki/kms.go line 1 at r3 (raw file):
// Copyright 2020 Anapaya Systems
2024
scion-pki/cmd/scion-pki/kms.go line 111 at r3 (raw file):
func rpad(s string, padding int) string { formattedString := fmt.Sprintf("%%-%ds", padding) return fmt.Sprintf(formattedString, s)
I think there's a linter check that objects to not using litteral strings as formats. (With some good reasons, albeit not applicable here). May-be there's way around that with a "*", like Sprintf("%-*s", padding, s) (I honestly never used that, just found it in the fmt pkg doc)
oncilla
force-pushed
the
scion-pki-kms
branch
from
0ea2b3a
to
63995f1
Compare
There was a problem hiding this comment.
Reviewable status: all files reviewed, 7 unresolved discussions (waiting on @jiceatscion and @lukedirtwalker)
doc/command/scion-pki/scion-pki_kms.rst line 14 at r3 (raw file):
Previously, jiceatscion wrote…
Spell out KMS and HSM at least once:
"This command leverages the step-kms-plugin to interact with cloud Key Management Systems (KMS) and Hardware Security Modules (HSM)."
Done.
scion-pki/certs/create.go line 210 at r3 (raw file):
Previously, jiceatscion wrote…
"The kms flag is only allowed with an existing key."
Done.
scion-pki/certs/create.go line 244 at r3 (raw file):
Previously, jiceatscion wrote…
"A private key cannot be used in X.509 certificates."
Done.
scion-pki/certs/create.go line 267 at r3 (raw file):
Previously, jiceatscion wrote…
"A CA key cannot be used to create X.509 certificates."
Done.
scion-pki/certs/sign.go line 125 at r3 (raw file):
Previously, jiceatscion wrote…
Ditto; use articles.
Done.
scion-pki/cmd/scion-pki/kms.go line 1 at r3 (raw file):
Previously, jiceatscion wrote…
2024
Done.
scion-pki/cmd/scion-pki/kms.go line 111 at r3 (raw file):
Previously, jiceatscion wrote…
I think there's a linter check that objects to not using litteral strings as formats. (With some good reasons, albeit not applicable here). May-be there's way around that with a "*", like Sprintf("%-*s", padding, s) (I honestly never used that, just found it in the fmt pkg doc)
Done. (originally copied from cobra source)
oncilla
force-pushed
the
scion-pki-kms
branch
from
63995f1
to
9b9403a
Compare
There was a problem hiding this comment.
Reviewed 7 of 7 files at r4, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved (waiting on @lukedirtwalker)
Enable the scion-pki tool to interact with various cloud KMS and HSMs through the step-kms-plugin. The step-kms-plugin must be installed and available in the PATH. For more information about step-kms-plugin, please refer to the documentation at https://github.com/smallstep/step-kms-plugin. To see example usage of step-kms-plugin, please refer to https://smallstep.com/docs/step-ca/cryptographic-protection
oncilla
force-pushed
the
scion-pki-kms
branch
from
f422306
to
f35e5b6
Compare
There was a problem hiding this comment.
Reviewed 22 of 32 files at r1, 2 of 4 files at r3, 4 of 7 files at r4, 4 of 4 files at r5, all commit messages.
Reviewable status:
Enable the scion-pki tool to interact with various cloud KMS and HSMs through the step-kms-plugin. The step-kms-plugin must be installed and available in the PATH.
For more information about step-kms-plugin, please refer to the documentation at https://github.com/smallstep/step-kms-plugin.
To see example usage of step-kms-plugin, please
refer to
https://smallstep.com/docs/step-ca/cryptographic-protection