From 1a30d61f7e11b46dcc684d423779b236c45b93d9 Mon Sep 17 00:00:00 2001 From: Andreas Auernhammer Date: Mon, 15 Jan 2024 20:39:51 +0100 Subject: [PATCH] add HMAC API test This commit adds tests for the HMAC server API. It also removes enclave code that is no longer used nor supported. Signed-off-by: Andreas Auernhammer --- api_test.go | 51 ++++++++++++++++++++- audit.go | 2 +- auth.go | 2 +- cmd/kes/identity.go | 56 +----------------------- cmd/kes/key.go | 13 ++---- cmd/kes/log.go | 2 +- cmd/kes/main.go | 10 +---- cmd/kes/metric.go | 2 +- cmd/kes/migrate.go | 2 +- cmd/kes/policy.go | 56 +----------------------- cmd/kes/server.go | 2 +- cmd/kes/status.go | 2 +- config.go | 2 +- go.mod | 4 +- go.sum | 4 +- internal/api/api.go | 2 +- internal/crypto/ciphertext.go | 2 +- internal/crypto/key.go | 2 +- internal/https/proxy.go | 2 +- internal/https/proxy_test.go | 2 +- internal/keystore/aws/secrets-manager.go | 2 +- internal/keystore/azure/key-vault.go | 2 +- internal/keystore/entrust/keycontrol.go | 2 +- internal/keystore/fortanix/keystore.go | 2 +- internal/keystore/fs/fs.go | 2 +- internal/keystore/gcp/secret-manager.go | 2 +- internal/keystore/gemalto/key-secure.go | 2 +- internal/keystore/vault/vault.go | 2 +- kesconf/config.go | 2 +- kesconf/edge_test.go | 2 +- kesconf/file.go | 2 +- keystore.go | 2 +- server.go | 6 +-- server_test.go | 2 +- state.go | 2 +- 35 files changed, 93 insertions(+), 161 deletions(-) diff --git a/api_test.go b/api_test.go index 676a1140..aa80f06c 100644 --- a/api_test.go +++ b/api_test.go @@ -6,6 +6,7 @@ package kes import ( "bytes" + "crypto/hmac" "errors" "net/http" "runtime" @@ -15,7 +16,7 @@ import ( "time" "aead.dev/mem" - "github.com/minio/kes-go" + "github.com/minio/kms-go/kes" ) func TestImportKey(t *testing.T) { 
@@ -54,6 +55,7 @@ func TestAPI(t *testing.T) {
 	t.Run("v1/key/import", testImportKey)
 	t.Run("v1/key/describe", testDescribeKey)
 	t.Run("v1/key/generate", testGenerateKey)
+	t.Run("v1/key/hmac", testHMAC)
 	t.Run("v1/key/encrypt", testEncryptDecryptKey) // also tests decryption
 	t.Run("v1/key/list", testListKeys)
 	t.Run("v1/identity/describe", testDescribeIdentity)
@@ -335,6 +337,53 @@ func testGenerateKey(t *testing.T) {
 	}
 }
 
+func testHMAC(t *testing.T) {
+	t.Parallel()
+
+	ctx := testContext(t)
+	srv, url := startServer(ctx, nil)
+	defer srv.Close()
+
+	message1 := []byte("Hello World")
+	message2 := []byte("Hello World!")
+
+	client := defaultClient(url)
+	for i, test := range validNameTests {
+		err := client.CreateKey(ctx, test.Name)
+		if err == nil && test.ShouldFail {
+			t.Errorf("Test %d: setup: creating key '%s' should have failed", i, test.Name)
+		}
+		if err != nil && !test.ShouldFail {
+			t.Errorf("Test %d: setup: failed to create key '%s': %v", i, test.Name, err)
+		}
+
+		if test.ShouldFail {
+			continue
+		}
+
+		sum1, err := client.HMAC(ctx, test.Name, message1)
+		if err != nil {
+			t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
+		}
+		sum2, err := client.HMAC(ctx, test.Name, message2)
+		if err != nil {
+			t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
+		}
+		if hmac.Equal(sum1, sum2) {
+			t.Errorf("Test %d: HMACs of different messages are equal: got '%x' and '%x'", i, sum1, sum2)
+		}
+
+		verifySum, err := client.HMAC(ctx, test.Name, message1)
+		if err != nil {
+			t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
+		}
+
+		if !hmac.Equal(sum1, verifySum) {
+			t.Errorf("Test %d: HMACs of equal messages are not equal: got '%x' and '%x'", i, sum1, verifySum)
+		}
+	}
+}
+
 func testEncryptDecryptKey(t *testing.T) {
 	t.Parallel()
 
diff --git a/audit.go b/audit.go
index ccf00c24..3d3ebf53 100644
--- a/audit.go
+++ b/audit.go
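Review bot: In testHMAC a failed client.HMAC call only reports the error and the loop then compares the nil sums anyway, so one server-side failure cascades into a second, misleading "HMACs of different messages are equal" report, because hmac.Equal(nil, nil) is true and '%x' of a nil slice prints nothing. Each of the three `if err != nil { t.Errorf(...) }` checks after the HMAC calls should end with `continue` so that a failed call stops the comparisons for that key name. It would also be worth asserting `len(sum1) > 0` before the comparisons, so that the test documents that a sum is expected to be returned rather than relying on the inequality check alone. validNameTests, testContext, startServer and defaultClient are defined outside the hunk.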
@@ -11,8 +11,8 @@ import ( "net/netip" "time" - "github.com/minio/kes-go" "github.com/minio/kes/internal/api" + "github.com/minio/kms-go/kes" ) // AuditRecord describes an audit event logged by a KES server. diff --git a/auth.go b/auth.go index 44720bde..15198350 100644 --- a/auth.go +++ b/auth.go @@ -13,8 +13,8 @@ import ( "net/http" "sync/atomic" - "github.com/minio/kes-go" "github.com/minio/kes/internal/api" + "github.com/minio/kms-go/kes" ) // verifyIdentity authenticates client requests by verifying that diff --git a/cmd/kes/identity.go b/cmd/kes/identity.go index 8171f5d9..c718b5fa 100644 --- a/cmd/kes/identity.go +++ b/cmd/kes/identity.go @@ -24,9 +24,9 @@ import ( "time" tui "github.com/charmbracelet/lipgloss" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" "github.com/minio/kes/internal/https" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" "golang.org/x/term" ) @@ -39,7 +39,6 @@ Commands: of Compute a KES identity from a certificate. info Get information about a KES identity. ls List KES identities. - rm Remove a KES identity. Options: -h, --help Print command line options. @@ -54,7 +53,6 @@ func identityCmd(args []string) { "of": ofIdentityCmd, "info": infoIdentityCmd, "ls": lsIdentityCmd, - "rm": rmIdentityCmd, } if len(args) < 2 { @@ -480,7 +478,6 @@ Options: is detected - colors are automatically disabled if the output goes to a pipe. Possible values: *auto*, never, always. - -e, --enclave Operate within the specified enclave. -h, --help Print command line options. 
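Review bot: The removal of `"rm": rmIdentityCmd` from the identityCmd dispatch table (and of `"rm": rmPolicyCmd` in the cmd/kes/policy.go hunk, together with the deleted rmIdentityCmd and rmPolicyCmd bodies) drops the user-facing `kes identity rm` and `kes policy rm` commands, whereas the commit message only speaks of removing unused enclave code. The deleted rmIdentityCmd called newClient and DeleteIdentity, not newEnclave, so it was not enclave code; presumably the kms-go/kes v0.3.0 client no longer exposes DeleteIdentity and DeletePolicy, but that is not visible here. If that is the reason, the description should state it, e.g. `Remove the identity rm and policy rm commands; the kms-go/kes client no longer supports deleting identities or policies.`, and if the SDK still offers them the commands should be kept.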
@@ -497,12 +494,10 @@ func lsIdentityCmd(args []string) { jsonFlag bool colorFlag colorOption insecureSkipVerify bool - enclaveName string ) cmd.BoolVar(&jsonFlag, "json", false, "Print identities in JSON format") cmd.Var(&colorFlag, "color", "Specify when to use colored output") cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation") - cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave") if err := cmd.Parse(args[1:]); err != nil { if errors.Is(err, flag.ErrHelp) { os.Exit(2) @@ -522,7 +517,7 @@ func lsIdentityCmd(args []string) { ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill) defer cancelCtx() - enclave := newEnclave(enclaveName, insecureSkipVerify) + enclave := newClient(insecureSkipVerify) iter := &kes.ListIter[kes.Identity]{ NextFunc: enclave.ListIdentities, } 
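Review bot: In lsIdentityCmd the line `enclave := newClient(insecureSkipVerify)` keeps the variable name `enclave` for what is now a *kes.Client, which is misleading now that the enclave concept has been removed; the same naming survives in importKeyCmd and lsKeyCmd in cmd/kes/key.go and in lsPolicyCmd in cmd/kes/policy.go. Rename it at each site, i.e. `client := newClient(insecureSkipVerify)` and `NextFunc: client.ListIdentities,` here (ListKeys / ListPolicies / ImportKey in the other files). lsIdentityCmd's flag parsing and the remainder of its body lie outside the hunk.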
@@ -556,50 +551,3 @@ func lsIdentityCmd(args []string) { } fmt.Print(buf) } - -const rmIdentityCmdUsage = `Usage: - kes identity rm ... - -Options: - -k, --insecure Skip TLS certificate validation. - -e, --enclave Operate within the specified enclave. - - -h, --help Print command line options. - -Examples: - $ kes identity rm 736bf58626441e3e134a2daf2e6a8441b40e1abc0eac510878168c8aac9f2b0b -` - -func rmIdentityCmd(args []string) { - cmd := flag.NewFlagSet(args[0], flag.ContinueOnError) - cmd.Usage = func() { fmt.Fprint(os.Stderr, rmIdentityCmdUsage) } - - var ( - insecureSkipVerify bool - enclaveName string - ) - cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation") - cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave") - if err := cmd.Parse(args[1:]); err != nil { - if errors.Is(err, flag.ErrHelp) { - os.Exit(2) - } - cli.Fatalf("%v. See 'kes identity rm --help'", err) - } - if cmd.NArg() == 0 { - cli.Fatal("no identity specified. See 'kes identity rm --help'") - } - - client := newClient(insecureSkipVerify) - ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill) - defer cancel() - - for _, identity := range cmd.Args() { - if err := client.DeleteIdentity(ctx, kes.Identity(identity)); err != nil { - if errors.Is(err, context.Canceled) { - os.Exit(1) - } - cli.Fatalf("failed to remove identity %q: %v", identity, err) - } - } -} diff --git a/cmd/kes/key.go b/cmd/kes/key.go index caf04c50..b7fd597b 100644 --- a/cmd/kes/key.go +++ b/cmd/kes/key.go @@ -17,8 +17,8 @@ import ( "strings" tui "github.com/charmbracelet/lipgloss" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" ) @@ -132,7 +132,6 @@ const importKeyCmdUsage = `Usage: Options: -k, --insecure Skip TLS certificate validation. - -e, --enclave Operate within the specified enclave. -h, --help Print command line options. 
@@ -144,12 +143,8 @@ func importKeyCmd(args []string) { cmd := flag.NewFlagSet(args[0], flag.ContinueOnError) cmd.Usage = func() { fmt.Fprint(os.Stderr, importKeyCmdUsage) } - var ( - insecureSkipVerify bool - enclaveName string - ) + var insecureSkipVerify bool cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation") - cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave") if err := cmd.Parse(args[1:]); err != nil { if errors.Is(err, flag.ErrHelp) { os.Exit(2) @@ -174,7 +169,7 @@ func importKeyCmd(args []string) { ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill) defer cancel() - enclave := newEnclave(enclaveName, insecureSkipVerify) + enclave := newClient(insecureSkipVerify) if err = enclave.ImportKey(ctx, name, &kes.ImportKeyRequest{Key: key}); err != nil { if errors.Is(err, context.Canceled) { os.Exit(1) @@ -313,7 +308,7 @@ func lsKeyCmd(args []string) { ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill) defer cancelCtx() - enclave := newEnclave(enclaveName, insecureSkipVerify) + enclave := newClient(insecureSkipVerify) iter := &kes.ListIter[string]{ NextFunc: enclave.ListKeys, } diff --git a/cmd/kes/log.go b/cmd/kes/log.go index 679276d3..e8806ea4 100644 --- a/cmd/kes/log.go +++ b/cmd/kes/log.go @@ -15,8 +15,8 @@ import ( "time" tui "github.com/charmbracelet/lipgloss" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" ) diff --git a/cmd/kes/main.go b/cmd/kes/main.go index cda5ac1c..6cbf74a6 100644 --- a/cmd/kes/main.go +++ b/cmd/kes/main.go @@ -17,10 +17,10 @@ import ( "time" tui "github.com/charmbracelet/lipgloss" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" "github.com/minio/kes/internal/https" "github.com/minio/kes/internal/sys" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" "golang.org/x/term" ) 
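Review bot: The lsKeyCmd hunk at @@ -313 switches to `enclave := newClient(insecureSkipVerify)` but, unlike the lsIdentityCmd and lsPolicyCmd hunks in this commit, no hunk removes lsKeyCmd's `enclaveName` variable, its `cmd.StringVarP(&enclaveName, "enclave", "e", ...)` registration or the `-e, --enclave` usage line; the 13 changed lines the diffstat reports for cmd/kes/key.go are fully accounted for by the visible hunks. If so, `kes key ls --enclave NAME` would still be accepted and silently ignored, which is the kind of stale flag users trip over. Drop the declaration, the flag registration and the usage line for lsKeyCmd the same way the identity.go and policy.go hunks do. lsKeyCmd's flag setup lies outside the hunk, so this is inferred from the diffstat rather than seen.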
@@ -227,14 +227,6 @@ func newClient(insecureSkipVerify bool) *kes.Client { }) } -func newEnclave(name string, insecureSkipVerify bool) *kes.Enclave { - client := newClient(insecureSkipVerify) - if name == "" { - name = os.Getenv("KES_ENCLAVE") - } - return client.Enclave(name) -} - func isTerm(f *os.File) bool { return term.IsTerminal(int(f.Fd())) } func decodePrivateKey(pemBlock []byte) (*pem.Block, error) { diff --git a/cmd/kes/metric.go b/cmd/kes/metric.go index 0961c252..8e1bc7f4 100644 --- a/cmd/kes/metric.go +++ b/cmd/kes/metric.go @@ -17,8 +17,8 @@ import ( "aead.dev/mem" tui "github.com/charmbracelet/lipgloss" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" ) diff --git a/cmd/kes/migrate.go b/cmd/kes/migrate.go index 07033cac..95d155e5 100644 --- a/cmd/kes/migrate.go +++ b/cmd/kes/migrate.go @@ -16,9 +16,9 @@ import ( "time" "github.com/fatih/color" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" "github.com/minio/kes/kesconf" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" "golang.org/x/term" ) diff --git a/cmd/kes/policy.go b/cmd/kes/policy.go index 49784a2c..92f52cf1 100644 --- a/cmd/kes/policy.go +++ b/cmd/kes/policy.go @@ -16,8 +16,8 @@ import ( "time" tui "github.com/charmbracelet/lipgloss" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" ) @@ -41,7 +41,6 @@ func policyCmd(args []string) { subCmds := commands{ "info": infoPolicyCmd, "ls": lsPolicyCmd, - "rm": rmPolicyCmd, "show": showPolicyCmd, } if len(args) < 2 { @@ -76,7 +75,6 @@ Options: is detected - colors are automatically disabled if the output goes to a pipe. Possible values: *auto*, never, always. - -e, --enclave Operate within the specified enclave. -h, --help Print command line options. 
@@ -93,12 +91,10 @@ func lsPolicyCmd(args []string) { jsonFlag bool colorFlag colorOption insecureSkipVerify bool - enclaveName string ) cmd.BoolVar(&jsonFlag, "json", false, "Print identities in JSON format") cmd.Var(&colorFlag, "color", "Specify when to use colored output") cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation") - cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave") if err := cmd.Parse(args[1:]); err != nil { if errors.Is(err, flag.ErrHelp) { os.Exit(2) @@ -118,7 +114,7 @@ func lsPolicyCmd(args []string) { ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill) defer cancelCtx() - enclave := newEnclave(enclaveName, insecureSkipVerify) + enclave := newClient(insecureSkipVerify) iter := &kes.ListIter[string]{ NextFunc: enclave.ListPolicies, } 
@@ -152,54 +148,6 @@ func lsPolicyCmd(args []string) { fmt.Print(buf) } -const rmPolicyCmdUsage = `Usage: - kes policy rm [options] ... - -Options: - -k, --insecure Skip TLS certificate validation. - -e, --enclave Operate within the specified enclave. - - -h, --help Print command line options. - -Examples: - $ kes policy delete my-policy - $ kes policy delete my-policy1, my-policy2 -` - -func rmPolicyCmd(args []string) { - cmd := flag.NewFlagSet(args[0], flag.ContinueOnError) - cmd.Usage = func() { fmt.Fprint(os.Stderr, rmPolicyCmdUsage) } - - var ( - insecureSkipVerify bool - enclaveName string - ) - cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation") - cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave") - if err := cmd.Parse(args[1:]); err != nil { - if errors.Is(err, flag.ErrHelp) { - os.Exit(2) - } - cli.Fatalf("%v. See 'kes policy rm --help'", err) - } - if cmd.NArg() == 0 { - cli.Fatal("no policy name specified. See 'kes policy rm --help'") - } - - ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill) - defer cancelCtx() - - client := newClient(insecureSkipVerify) - for _, name := range cmd.Args() { - if err := client.DeletePolicy(ctx, name); err != nil { - if errors.Is(err, context.Canceled) { - os.Exit(1) - } - cli.Fatalf("failed to delete policy %q: %v", name, err) - } - } -} - const infoPolicyCmdUsage = `Usage: kes policy info [options] diff --git a/cmd/kes/server.go b/cmd/kes/server.go index d51371cc..25db3c71 100644 --- a/cmd/kes/server.go +++ b/cmd/kes/server.go @@ -29,10 +29,10 @@ import ( tui "github.com/charmbracelet/lipgloss" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" "github.com/minio/kes/internal/sys" "github.com/minio/kes/kesconf" + kesdk "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" ) diff --git a/cmd/kes/status.go b/cmd/kes/status.go index f2bb7446..58820887 100644 
--- a/cmd/kes/status.go +++ b/cmd/kes/status.go @@ -18,8 +18,8 @@ import ( "aead.dev/mem" tui "github.com/charmbracelet/lipgloss" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cli" + "github.com/minio/kms-go/kes" flag "github.com/spf13/pflag" ) diff --git a/config.go b/config.go index 4ba9560d..44d09985 100644 --- a/config.go +++ b/config.go @@ -10,7 +10,7 @@ import ( "log/slog" "time" - "github.com/minio/kes-go" + "github.com/minio/kms-go/kes" ) // Config is a structure that holds configuration for a KES server. diff --git a/go.mod b/go.mod index de93d95f..3610eb1b 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/charmbracelet/lipgloss v0.9.1 github.com/fatih/color v1.16.0 github.com/hashicorp/vault/api v1.10.0 - github.com/minio/kes-go v0.2.1 + github.com/minio/kms-go/kes v0.3.0 github.com/minio/selfupdate v0.6.0 github.com/muesli/termenv v0.15.2 github.com/prometheus/client_golang v1.18.0 @@ -24,6 +24,7 @@ require ( golang.org/x/term v0.16.0 google.golang.org/api v0.155.0 google.golang.org/grpc v1.60.1 + google.golang.org/protobuf v1.32.0 gopkg.in/yaml.v3 v3.0.1 ) @@ -92,5 +93,4 @@ require ( google.golang.org/genproto v0.0.0-20240108191215-35c7eff3a6b1 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240108191215-35c7eff3a6b1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240108191215-35c7eff3a6b1 // indirect - google.golang.org/protobuf v1.32.0 // indirect ) diff --git a/go.sum b/go.sum index f872c5d8..d8c94d4b 100644 --- a/go.sum +++ b/go.sum 
@@ -162,8 +162,8 @@ github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZ github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= -github.com/minio/kes-go v0.2.1 h1:KnqS+p6xoSFJZbQhmJaz/PbxeA6nQyRqT/ywrn5lU2o= -github.com/minio/kes-go v0.2.1/go.mod h1:76xf7l41Wrh+IifisABXK2S8uZWYgWV1IGBKC3GdOJk= +github.com/minio/kms-go/kes v0.3.0 h1:SU8VGVM/Hk9w1OiSby3OatkcojooUqIdDHl6dtM6NkY= +github.com/minio/kms-go/kes v0.3.0/go.mod h1:w6DeVT878qEOU3nUrYVy1WOT5H1Ig9hbDIh698NYJKY= github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU= github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= diff --git a/internal/api/api.go b/internal/api/api.go index 018f66aa..b3fcc559 100644 --- a/internal/api/api.go +++ b/internal/api/api.go @@ -15,8 +15,8 @@ import ( "time" "aead.dev/mem" - "github.com/minio/kes-go" "github.com/minio/kes/internal/headers" + "github.com/minio/kms-go/kes" ) // API paths exposed by KES servers. diff --git a/internal/crypto/ciphertext.go b/internal/crypto/ciphertext.go index 3ed8d352..9b15b0e0 100644 --- a/internal/crypto/ciphertext.go +++ b/internal/crypto/ciphertext.go @@ -8,7 +8,7 @@ import ( "encoding/json" "slices" - "github.com/minio/kes-go" + "github.com/minio/kms-go/kes" "github.com/tinylib/msgp/msgp" ) diff --git a/internal/crypto/key.go b/internal/crypto/key.go index fc1f11de..82fb2245 100644 --- a/internal/crypto/key.go +++ b/internal/crypto/key.go 
@@ -20,9 +20,9 @@ import ( "strconv" "time" - "github.com/minio/kes-go" "github.com/minio/kes/internal/fips" pb "github.com/minio/kes/internal/protobuf" + "github.com/minio/kms-go/kes" "golang.org/x/crypto/chacha20" "golang.org/x/crypto/chacha20poly1305" ) diff --git a/internal/https/proxy.go b/internal/https/proxy.go index 604b30b8..eaa7fbc1 100644 --- a/internal/https/proxy.go +++ b/internal/https/proxy.go @@ -16,7 +16,7 @@ import ( "strings" "sync" - "github.com/minio/kes-go" + "github.com/minio/kms-go/kes" ) // A TLSProxy handles HTTP requests sent by a client through diff --git a/internal/https/proxy_test.go b/internal/https/proxy_test.go index 273ada0b..5c930300 100644 --- a/internal/https/proxy_test.go +++ b/internal/https/proxy_test.go @@ -9,7 +9,7 @@ import ( "net/url" "testing" - "github.com/minio/kes-go" + "github.com/minio/kms-go/kes" ) var tlsProxyAddTests = []struct { diff --git a/internal/keystore/aws/secrets-manager.go b/internal/keystore/aws/secrets-manager.go index a2821fae..c989ecd7 100644 --- a/internal/keystore/aws/secrets-manager.go +++ b/internal/keystore/aws/secrets-manager.go @@ -17,8 +17,8 @@ import ( "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/secretsmanager" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" ) // Credentials represents static AWS credentials: diff --git a/internal/keystore/azure/key-vault.go b/internal/keystore/azure/key-vault.go index a3ba7024..7035e0db 100644 --- a/internal/keystore/azure/key-vault.go +++ b/internal/keystore/azure/key-vault.go @@ -15,8 +15,8 @@ import ( "github.com/Azure/go-autorest/autorest" "github.com/Azure/go-autorest/autorest/azure/auth" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" ) // Credentials are Azure client credentials to authenticate an application 
diff --git a/internal/keystore/entrust/keycontrol.go b/internal/keystore/entrust/keycontrol.go index 65655387..eece7caa 100644 --- a/internal/keystore/entrust/keycontrol.go +++ b/internal/keystore/entrust/keycontrol.go @@ -22,9 +22,9 @@ import ( "aead.dev/mem" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" xhttp "github.com/minio/kes/internal/http" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" ) // Config is a structure containing the Entrust KeyControl configuration. diff --git a/internal/keystore/fortanix/keystore.go b/internal/keystore/fortanix/keystore.go index d76ea8eb..add81c37 100644 --- a/internal/keystore/fortanix/keystore.go +++ b/internal/keystore/fortanix/keystore.go @@ -24,9 +24,9 @@ import ( "aead.dev/mem" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" xhttp "github.com/minio/kes/internal/http" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" ) // APIKey is a Fortanix API key for authenticating to diff --git a/internal/keystore/fs/fs.go b/internal/keystore/fs/fs.go index 85e810c3..ecad70be 100644 --- a/internal/keystore/fs/fs.go +++ b/internal/keystore/fs/fs.go @@ -19,8 +19,8 @@ import ( "aead.dev/mem" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" ) // NewStore returns a new Store that reads diff --git a/internal/keystore/gcp/secret-manager.go b/internal/keystore/gcp/secret-manager.go index ae334540..d596511c 100644 --- a/internal/keystore/gcp/secret-manager.go +++ b/internal/keystore/gcp/secret-manager.go @@ -13,8 +13,8 @@ import ( "time" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" gcpiterator "google.golang.org/api/iterator" "google.golang.org/api/option" "google.golang.org/grpc/codes" 
diff --git a/internal/keystore/gemalto/key-secure.go b/internal/keystore/gemalto/key-secure.go index d641184b..327391de 100644 --- a/internal/keystore/gemalto/key-secure.go +++ b/internal/keystore/gemalto/key-secure.go @@ -24,9 +24,9 @@ import ( "aead.dev/mem" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" xhttp "github.com/minio/kes/internal/http" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" ) // Credentials represents a Gemalto KeySecure diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go index f1736bd0..dd0005e1 100644 --- a/internal/keystore/vault/vault.go +++ b/internal/keystore/vault/vault.go @@ -26,8 +26,8 @@ import ( "aead.dev/mem" vaultapi "github.com/hashicorp/vault/api" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" "github.com/minio/kes/internal/keystore" + kesdk "github.com/minio/kms-go/kes" ) // Store is a Hashicorp Vault secret store. diff --git a/kesconf/config.go b/kesconf/config.go index a68a72f9..5b4378f2 100644 --- a/kesconf/config.go +++ b/kesconf/config.go @@ -14,7 +14,7 @@ import ( "strings" "time" - "github.com/minio/kes-go" + "github.com/minio/kms-go/kes" "gopkg.in/yaml.v3" ) diff --git a/kesconf/edge_test.go b/kesconf/edge_test.go index addb7fb4..7093f905 100644 --- a/kesconf/edge_test.go +++ b/kesconf/edge_test.go @@ -16,7 +16,7 @@ import ( "testing" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" + kesdk "github.com/minio/kms-go/kes" ) type SetupFunc func(context.Context, kes.KeyStore, string) error diff --git a/kesconf/file.go b/kesconf/file.go index 6913bc1f..4e44c829 100644 --- a/kesconf/file.go +++ b/kesconf/file.go @@ -17,7 +17,6 @@ import ( "time" "github.com/minio/kes" - kesdk "github.com/minio/kes-go" "github.com/minio/kes/internal/https" "github.com/minio/kes/internal/keystore/aws" "github.com/minio/kes/internal/keystore/azure" 
@@ -27,6 +26,7 @@ import ( "github.com/minio/kes/internal/keystore/gcp" "github.com/minio/kes/internal/keystore/gemalto" "github.com/minio/kes/internal/keystore/vault" + kesdk "github.com/minio/kms-go/kes" yaml "gopkg.in/yaml.v3" ) diff --git a/keystore.go b/keystore.go index f814f77d..dcf356bd 100644 --- a/keystore.go +++ b/keystore.go @@ -13,10 +13,10 @@ import ( "sync/atomic" "time" - "github.com/minio/kes-go" "github.com/minio/kes/internal/cache" "github.com/minio/kes/internal/crypto" "github.com/minio/kes/internal/keystore" + "github.com/minio/kms-go/kes" ) // A KeyStore stores key-value pairs. It provides durable storage for a diff --git a/server.go b/server.go index fe2b7d4a..88f2f652 100644 --- a/server.go +++ b/server.go @@ -22,7 +22,6 @@ import ( "sync/atomic" "time" - "github.com/minio/kes-go" "github.com/minio/kes/internal/api" "github.com/minio/kes/internal/cpu" "github.com/minio/kes/internal/crypto" @@ -32,6 +31,7 @@ import ( "github.com/minio/kes/internal/keystore" "github.com/minio/kes/internal/metric" "github.com/minio/kes/internal/sys" + "github.com/minio/kms-go/kes" "github.com/prometheus/common/expfmt" ) @@ -924,8 +924,8 @@ func (s *Server) hmacKey(resp *api.Response, req *api.Request) { return } - api.ReplyWith(resp, http.StatusOK, api.DecryptKeyResponse{ - Plaintext: key.HMACKey.Sum(body.Message), + api.ReplyWith(resp, http.StatusOK, api.HMACResponse{ + Sum: key.HMACKey.Sum(body.Message), }) } diff --git a/server_test.go b/server_test.go index bb16c682..8ed8a3d3 100644 --- a/server_test.go +++ b/server_test.go @@ -15,7 +15,7 @@ import ( "testing" "time" - "github.com/minio/kes-go" + "github.com/minio/kms-go/kes" ) // Self-signed, valid from Oct. 10 2023 until Oct 10 2050 diff --git a/state.go b/state.go index cb64fd9b..a13d1663 100644 --- a/state.go +++ b/state.go 
@@ -13,9 +13,9 @@ import ( "time" "aead.dev/mem" - "github.com/minio/kes-go" "github.com/minio/kes/internal/api" "github.com/minio/kes/internal/metric" + "github.com/minio/kms-go/kes" ) type serverState struct {