Upgrade to yubihsm-go v0.1.0
This commit is contained in:
parent
247a8286ee
commit
4395c53661
|
@ -8,7 +8,6 @@
|
||||||
revision = "67e573d211ace594f1366b4ce9d39726c4b19bd0"
|
revision = "67e573d211ace594f1366b4ce9d39726c4b19bd0"
|
||||||
|
|
||||||
[[projects]]
|
[[projects]]
|
||||||
branch = "master"
|
|
||||||
name = "github.com/certusone/yubihsm-go"
|
name = "github.com/certusone/yubihsm-go"
|
||||||
packages = [
|
packages = [
|
||||||
".",
|
".",
|
||||||
|
@ -16,7 +15,8 @@
|
||||||
"connector",
|
"connector",
|
||||||
"securechannel"
|
"securechannel"
|
||||||
]
|
]
|
||||||
revision = "cbe259b1eea4d9429b0d083619a980e581ac59e8"
|
revision = "2f4bdbb679b59998a67ab3443a896c36211ade80"
|
||||||
|
version = "v0.1.0"
|
||||||
|
|
||||||
[[projects]]
|
[[projects]]
|
||||||
name = "github.com/davecgh/go-spew"
|
name = "github.com/davecgh/go-spew"
|
||||||
|
@ -220,6 +220,6 @@
|
||||||
[solve-meta]
|
[solve-meta]
|
||||||
analyzer-name = "dep"
|
analyzer-name = "dep"
|
||||||
analyzer-version = 1
|
analyzer-version = 1
|
||||||
inputs-digest = "ce36da4f71a430971b68672ab49a690efd7bf70faf8188e3474f0d82af7dd355"
|
inputs-digest = "67414e714c2545c1a8679288655315fa603e148f48459c727d031bbf164c4d4e"
|
||||||
solver-name = "gps-cdcl"
|
solver-name = "gps-cdcl"
|
||||||
solver-version = 1
|
solver-version = 1
|
||||||
|
|
|
@ -34,7 +34,7 @@
|
||||||
|
|
||||||
[[constraint]]
|
[[constraint]]
|
||||||
name = "github.com/certusone/yubihsm-go"
|
name = "github.com/certusone/yubihsm-go"
|
||||||
branch = "master"
|
version = "0.1.0"
|
||||||
|
|
||||||
[prune]
|
[prune]
|
||||||
go-tests = true
|
go-tests = true
|
||||||
|
|
46
hsm.go
46
hsm.go
|
@ -2,6 +2,7 @@ package aiakos
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
|
|
||||||
"github.com/certusone/yubihsm-go"
|
"github.com/certusone/yubihsm-go"
|
||||||
"github.com/certusone/yubihsm-go/commands"
|
"github.com/certusone/yubihsm-go/commands"
|
||||||
"github.com/certusone/yubihsm-go/connector"
|
"github.com/certusone/yubihsm-go/connector"
|
||||||
|
@ -10,17 +11,12 @@ import (
|
||||||
cmn "github.com/tendermint/tendermint/libs/common"
|
cmn "github.com/tendermint/tendermint/libs/common"
|
||||||
"github.com/tendermint/tendermint/libs/log"
|
"github.com/tendermint/tendermint/libs/log"
|
||||||
"github.com/tendermint/tendermint/types"
|
"github.com/tendermint/tendermint/types"
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
defaultPoolSize = 5
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
// AiakosPV implements PrivValidator using Aiakos
|
// AiakosPV implements PrivValidator using Aiakos
|
||||||
AiakosPV struct {
|
AiakosPV struct {
|
||||||
hsmSessionPool *yubihsm.SessionManager
|
hsmSessionManager *yubihsm.SessionManager
|
||||||
|
|
||||||
hsmURL string
|
hsmURL string
|
||||||
authKeyID uint16
|
authKeyID uint16
|
||||||
|
@ -49,26 +45,19 @@ func NewAiakosPV(hsmURL string, signingKeyID uint16, authKeyID uint16, password
|
||||||
|
|
||||||
// OnStart implements cmn.Service.
|
// OnStart implements cmn.Service.
|
||||||
func (a *AiakosPV) OnStart() error {
|
func (a *AiakosPV) OnStart() error {
|
||||||
|
sessionManager, err := yubihsm.NewSessionManager(connector.NewHTTPConnector(a.hsmURL), a.authKeyID, a.password)
|
||||||
sessionPool, err := yubihsm.NewSessionManager(connector.NewHTTPConnector(a.hsmURL), a.authKeyID, a.password, defaultPoolSize)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
a.hsmSessionPool = sessionPool
|
|
||||||
|
|
||||||
select {
|
a.hsmSessionManager = sessionManager
|
||||||
case <-sessionPool.Connected:
|
|
||||||
a.Logger.Info("connected to HSM")
|
|
||||||
case <-time.After(5 * time.Second):
|
|
||||||
return errors.New("connection/authentication with the HSM timed out; look at yubihsm logs for more info")
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// OnStop implements cmn.Service.
|
// OnStop implements cmn.Service.
|
||||||
func (a *AiakosPV) OnStop() {
|
func (a *AiakosPV) OnStop() {
|
||||||
a.hsmSessionPool.Destroy()
|
a.hsmSessionManager.Destroy()
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAddress returns the address of the validator.
|
// GetAddress returns the address of the validator.
|
||||||
|
@ -84,16 +73,12 @@ func (a *AiakosPV) GetPubKey() crypto.PubKey {
|
||||||
if a.cachedPubKey != nil {
|
if a.cachedPubKey != nil {
|
||||||
return a.cachedPubKey
|
return a.cachedPubKey
|
||||||
}
|
}
|
||||||
session, err := a.hsmSessionPool.GetSession()
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
command, err := commands.CreateGetPubKeyCommand(a.signingKeyID)
|
command, err := commands.CreateGetPubKeyCommand(a.signingKeyID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
resp, err := session.SendEncryptedCommand(command)
|
resp, err := a.hsmSessionManager.SendEncryptedCommand(command)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
|
@ -167,17 +152,15 @@ func (a *AiakosPV) SignHeartbeat(chainID string, heartbeat *types.Heartbeat) err
|
||||||
// This fails if the key slot already contains a key.
|
// This fails if the key slot already contains a key.
|
||||||
// This should be used for testing purposes only. Wrap and import keys in production.
|
// This should be used for testing purposes only. Wrap and import keys in production.
|
||||||
func (a *AiakosPV) ImportKey(keyID uint16, key []byte) error {
|
func (a *AiakosPV) ImportKey(keyID uint16, key []byte) error {
|
||||||
session, err := a.hsmSessionPool.GetSession()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
command, err := commands.CreatePutAsymmetricKeyCommand(keyID, []byte("imported"), commands.Domain1, commands.CapabilityAsymmetricSignEddsa, commands.AlgorighmED25519, key, []byte{})
|
command, err := commands.CreatePutAsymmetricKeyCommand(keyID, []byte("imported"), commands.Domain1, commands.CapabilityAsymmetricSignEddsa, commands.AlgorighmED25519, key, []byte{})
|
||||||
|
|
||||||
resp, err := session.SendEncryptedCommand(command)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
resp, err := a.hsmSessionManager.SendEncryptedCommand(command)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
parsedResp, matched := resp.(*commands.PutAsymmetricKeyResponse)
|
parsedResp, matched := resp.(*commands.PutAsymmetricKeyResponse)
|
||||||
if !matched {
|
if !matched {
|
||||||
a.Logger.Error("invalid response type")
|
a.Logger.Error("invalid response type")
|
||||||
|
@ -193,16 +176,11 @@ func (a *AiakosPV) ImportKey(keyID uint16, key []byte) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *AiakosPV) signBytes(data []byte) ([]byte, error) {
|
func (a *AiakosPV) signBytes(data []byte) ([]byte, error) {
|
||||||
session, err := a.hsmSessionPool.GetSession()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
command, err := commands.CreateSignDataEddsaCommand(a.signingKeyID, data)
|
command, err := commands.CreateSignDataEddsaCommand(a.signingKeyID, data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
resp, err := session.SendEncryptedCommand(command)
|
resp, err := a.hsmSessionManager.SendEncryptedCommand(command)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
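Review bot: OnStart on the new side returns success as soon as `yubihsm.NewSessionManager` returns, having dropped the old `select` on `sessionPool.Connected` with its 5 s timeout, so unless v0.1.0's constructor itself blocks until the authenticated secure channel is up — not visible from this page — an unreachable connector or a wrong auth key/password is no longer detected at startup. With that readiness check gone, the first place such a failure surfaces is `GetPubKey`, which still does `panic(err)` on `SendEncryptedCommand`, or `signBytes` on the first vote, and the `connected to HSM` log line is lost as well. I would have OnStart probe the channel with one cheap authenticated command before declaring the service started; fetching the public key of `a.signingKeyID` also proves the configured signing slot exists, and `errors` is still imported so the failure can carry context. OnStart is fully contained in its hunk, so the change below is the whole function with the unchanged constructor call elided.
```go
func (a *AiakosPV) OnStart() error {
	// … unchanged: NewSessionManager call and its error check …
	a.hsmSessionManager = sessionManager

	// Fail fast: returning from the constructor is not proof that the secure
	// channel is authenticated or that the signing key exists; a round trip is.
	command, err := commands.CreateGetPubKeyCommand(a.signingKeyID)
	if err != nil {
		return err
	}
	if _, err := a.hsmSessionManager.SendEncryptedCommand(command); err != nil {
		return errors.New("HSM session probe failed: " + err.Error())
	}
	a.Logger.Info("connected to HSM")

	return nil
}
```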