1
1
package client
2
2
3
3
import (
4
+
"context"
4
5
"crypto"
5
6
"crypto/ecdsa"
6
7
"crypto/rsa"
@@ -18,7 +19,9 @@ import (
18
19
19
20
"github.com/cloudflare/cfssl/log"
20
21
"github.com/cloudflare/gokeyless/protocol"
22
+
"github.com/cloudflare/gokeyless/tracing"
21
23
"github.com/lziest/ttlcache"
24
+
"github.com/opentracing/opentracing-go"
22
25
)
23
26
24
27
const (
@@ -190,8 +193,10 @@ func (c *Client) getRemote(server string) (Remote, error) {
190
193
// NewRemoteSignerWithCertID returns a remote keyserver based crypto.Signer
191
194
// ski, sni, serverIP, and certID are used to identify the key by the remote
192
195
// keyserver.
193
-
func NewRemoteSignerWithCertID(c *Client, keyserver string, ski protocol.SKI,
196
+
func NewRemoteSignerWithCertID(ctx context.Context, c *Client, keyserver string, ski protocol.SKI,
194
197
pub crypto.PublicKey, sni string, certID string, serverIP net.IP) (crypto.Signer, error) {
198
+
span, _ := opentracing.StartSpanFromContext(ctx, "client.NewRemoteSignerWithCertID")
199
+
defer span.Finish()
195
200
priv := PrivateKey{
196
201
public: pub,
197
202
client: c,
@@ -201,6 +206,11 @@ func NewRemoteSignerWithCertID(c *Client, keyserver string, ski protocol.SKI,
201
206
keyserver: keyserver,
202
207
certID: certID,
203
208
}
209
+
var err error
210
+
priv.JaegerSpan, err = tracing.SpanContextToBinary(span.Context())
211
+
if err != nil {
212
+
log.Errorf("failed to inject span: %v", err)
213
+
}
204
214
205
215
// This is due to an issue in crypto/tls, where an ECDSA key is not allowed to
206
216
// implement Decrypt.
@@ -213,8 +223,11 @@ func NewRemoteSignerWithCertID(c *Client, keyserver string, ski protocol.SKI,
213
223
// NewRemoteSigner returns a remote keyserver based crypto.Signer,
214
224
// ski, sni, and serverIP are used to identified the key by the remote
215
225
// keyserver.
216
-
func NewRemoteSigner(c *Client, keyserver string, ski protocol.SKI,
226
+
func NewRemoteSigner(ctx context.Context, c *Client, keyserver string, ski protocol.SKI,
217
227
pub crypto.PublicKey, sni string, serverIP net.IP) (crypto.Signer, error) {
228
+
229
+
span, _ := opentracing.StartSpanFromContext(ctx, "client.NewRemoteSignerWithCertID")
230
+
defer span.Finish()
218
231
priv := PrivateKey{
219
232
public: pub,
220
233
client: c,
@@ -223,6 +236,11 @@ func NewRemoteSigner(c *Client, keyserver string, ski protocol.SKI,
223
236
serverIP: serverIP,
224
237
keyserver: keyserver,
225
238
}
239
+
var err error
240
+
priv.JaegerSpan, err = tracing.SpanContextToBinary(span.Context())
241
+
if err != nil {
242
+
log.Errorf("failed to inject span: %v", err)
243
+
}
226
244
227
245
// This is due to an issue in crypto/tls, where an ECDSA key is not allowed to
228
246
// implement Decrypt.
@@ -237,42 +255,42 @@ func NewRemoteSigner(c *Client, keyserver string, ski protocol.SKI,
237
255
// SKI is computed from the public key and along with sni and serverIP,
238
256
// the remote Signer uses those key identification info to contact the
239
257
// remote keyserver for keyless operations.
240
-
func (c *Client) NewRemoteSignerTemplate(keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP) (crypto.Signer, error) {
258
+
func (c *Client) NewRemoteSignerTemplate(ctx context.Context, keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP) (crypto.Signer, error) {
241
259
ski, err := protocol.GetSKI(pub)
242
260
if err != nil {
243
261
return nil, err
244
262
}
245
-
return NewRemoteSigner(c, keyserver, ski, pub, sni, serverIP)
263
+
return NewRemoteSigner(ctx, c, keyserver, ski, pub, sni, serverIP)
246
264
}
247
265
248
266
// NewRemoteSignerTemplateWithCertID returns a remote keyserver
249
267
// based crypto.Signer with the public key.
250
268
// SKI is computed from public key, and along with sni, serverIP, and
251
269
// certID the remote signer uses these to contact the remote keyserver.
252
-
func (c *Client) NewRemoteSignerTemplateWithCertID(keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP, certID string) (crypto.Signer, error) {
270
+
func (c *Client) NewRemoteSignerTemplateWithCertID(ctx context.Context, keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP, certID string) (crypto.Signer, error) {
253
271
ski, err := protocol.GetSKI(pub)
254
272
if err != nil {
255
273
return nil, err
256
274
}
257
-
return NewRemoteSignerWithCertID(c, keyserver, ski, pub, sni, certID, serverIP)
275
+
return NewRemoteSignerWithCertID(ctx, c, keyserver, ski, pub, sni, certID, serverIP)
258
276
}
259
277
260
278
// NewRemoteSignerByPublicKey returns a remote keyserver based signer
261
279
// with the the public key.
262
-
func (c *Client) NewRemoteSignerByPublicKey(server string, pub crypto.PublicKey) (crypto.Signer, error) {
263
-
return c.NewRemoteSignerTemplate(server, pub, "", nil)
280
+
func (c *Client) NewRemoteSignerByPublicKey(ctx context.Context, server string, pub crypto.PublicKey) (crypto.Signer, error) {
281
+
return c.NewRemoteSignerTemplate(ctx, server, pub, "", nil)
264
282
}
265
283
266
284
// NewRemoteSignerByCert returns a remote keyserver based signer
267
285
// with the the public key contained in a x509.Certificate.
268
-
func (c *Client) NewRemoteSignerByCert(server string, cert *x509.Certificate) (crypto.Signer, error) {
269
-
return c.NewRemoteSignerTemplate(server, cert.PublicKey, "", nil)
286
+
func (c *Client) NewRemoteSignerByCert(ctx context.Context, server string, cert *x509.Certificate) (crypto.Signer, error) {
287
+
return c.NewRemoteSignerTemplate(ctx, server, cert.PublicKey, "", nil)
270
288
}
271
289
272
290
// NewRemoteSignerByCertPEM returns a remote keyserver based signer
273
291
// with the public key extracted from a single PEM cert
274
292
// (possibly the leaf of a chain of certs).
275
-
func (c *Client) NewRemoteSignerByCertPEM(server string, certsPEM []byte) (crypto.Signer, error) {
293
+
func (c *Client) NewRemoteSignerByCertPEM(ctx context.Context, server string, certsPEM []byte) (crypto.Signer, error) {
276
294
block, _ := pem.Decode(certsPEM)
277
295
if block == nil {
278
296
return nil, errors.New("couldn't parse PEM bytes")
@@ -283,7 +301,7 @@ func (c *Client) NewRemoteSignerByCertPEM(server string, certsPEM []byte) (crypt
283
301
return nil, err
284
302
}
285
303
286
-
return c.NewRemoteSignerTemplate(server, cert.PublicKey, "", nil)
304
+
return c.NewRemoteSignerTemplate(ctx, server, cert.PublicKey, "", nil)
287
305
}
288
306
289
307
var (
@@ -318,11 +336,11 @@ func (c *Client) ScanDir(server, dir string, LoadPubKey func([]byte) (crypto.Pub
318
336
return err
319
337
}
320
338
321
-
if priv, err = c.NewRemoteSignerByPublicKey(server, pub); err != nil {
339
+
if priv, err = c.NewRemoteSignerByPublicKey(context.Background(), server, pub); err != nil {
322
340
return err
323
341
}
324
342
} else {
325
-
if priv, err = c.NewRemoteSignerByCertPEM(server, in); err != nil {
343
+
if priv, err = c.NewRemoteSignerByCertPEM(context.Background(), server, in); err != nil {
326
344
return err
327
345
}
328
346
}
@@ -363,7 +381,7 @@ func (c *Client) LoadTLSCertificate(server, certFile string) (cert tls.Certifica
363
381
return fail(err)
364
382
}
365
383
366
-
cert.PrivateKey, err = c.NewRemoteSignerByCert(server, cert.Leaf)
384
+
cert.PrivateKey, err = c.NewRemoteSignerByCert(context.TODO(), server, cert.Leaf)
367
385
if err != nil {
368
386
return fail(err)
369
387
}
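Review bot: The span started in NewRemoteSigner (the `@@ -213,8 +223,11 @@` hunk) is named `"client.NewRemoteSignerWithCertID"`, a copy-paste from the sibling constructor, so both code paths emit indistinguishable operation names in traces; it should read `span, _ := opentracing.StartSpanFromContext(ctx, "client.NewRemoteSigner")`. In both constructors `priv.JaegerSpan` is serialized from `span.Context()` and then `defer span.Finish()` closes the span as soon as the constructor returns, so if that field is later attached to signing requests (not visible in this diff) every subsequent operation on the key would be parented to a span that finished long ago — either add a comment such as `// JaegerSpan captures the construction span only; per-operation spans must be started by the caller` or take the span context per request instead of at key creation. The injection failure is only logged, which is fine for best-effort tracing, but ScanDir and LoadTLSCertificate still pass `context.Background()` / `context.TODO()` rather than a caller-supplied context, so keys loaded through them emit disconnected root spans; threading ctx through those signatures (or at least using one placeholder consistently) would complete the propagation. The file header for this section is not visible, so the path is inferred from the package clause.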