feature : aes-cbc then hmac for tpm2 (#2)

ThalesGroup · Feb 14, 2024 · a391ccb · a391ccb
1 parent 32520ec
commit a391ccb
Show file tree

Hide file tree

Showing 1,311 changed files with 695 additions and 458,272 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,39 @@
-.idea/
+# IntelliJ project files
+.idea
+*.iml
+out
+gen
 build/
 .DS_Store
 generated/
 deployed.json
-.socket
+.socket
+k8s-kms-plugin
+
+# dev
+pkg/crypto11
+pkg/gose
+TODO.md
+k8s-kms-plugin-dlv
+
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+vendor/
+
+# Go workspace file
+go.work
diff --git a/.go-version b/.go-version
@@ -0,0 +1 @@
+1.21.6
diff --git a/Makefile b/Makefile
@@ -25,7 +25,13 @@ gen-openapi:
 		@swagger generate server --quiet -m pkg/est/models -s pkg/est/restapi -f apis/kms/v1/est.yaml
 		@swagger generate client --quiet --existing-models=pkg/est/models -c pkg/est/client -f apis/kms/v1/est.yaml
 build:
+		@go version
 		@go build -o k8s-kms-plugin cmd/k8s-kms-plugin/main.go
+build-debug:
+		@go version
+		@go build -gcflags="all=-N -l" -o k8s-kms-plugin cmd/k8s-kms-plugin/main.go
+		$(info use cmd : dlv --listen=:2345 --headless=true --api-version=2 --accept-multiclient exec k8s-kms-plugin)
+		$(info will listen to port 2345)
 run:
 		@go run cmd/k8s-kms-plugin/main.go serve --disable-socket --enable-server --p11-lib /usr/local/lib/softhsm/libsofthsm2.so --p11-pin $(P11_PIN) --p11-label $(P11_TOKEN)
 run-test:

diff --git a/QUICKSTART.md b/QUICKSTART.md
@@ -0,0 +1,58 @@
+# Quick Start
+
+## SoftHsm
+
+Install the required packages :
+
+```sh
+# debian
+sudo apt install softhsm2 opensc
+# redhat
+sudo yum install epel-release softhsm opensc
+```
+
+Setup for rootless usage :
+
+```sh
+sudo cp /etc/softhsm/softhsm2.conf $HOME
+sudo chown $USER: $HOME/softhsm2.conf
+echo 'export SOFTHSM2_CONF=$HOME/softhsm2.conf' >> $HOME/.bashrc
+source $HOME/.bashrc
+sudo usermod -aG softhsm $USER
+```
+
+**Logout and login**.
+
+Create a token :
+
+```sh
+softhsm2-util --init-token --slot 0 --label mylabel --so-pin mysopin --pin mypin
+```
+
+Create the encryption key :
+
+```sh
+# for debian
+export MODULE="/usr/lib/softhsm/libsofthsm2.so"
+# for redhat
+export MODULE="/usr/lib64/pkcs11/libsofthsm2.so"
+# aes kek
+pkcs11-tool --module $MODULE --token-label mylabel --pin mypin --keygen --key-type aes:16 --label aes0
+```
+
+Start the plugin :
+
+```sh
+SOCKET="/run/user/$(id -u $USER)/k8s-kms-plugin.sock"
+# aes-gcm mode
+k8s-kms-plugin serve --socket $SOCKET \
+  --p11-lib $MODULE --p11-label mylabel --p11-pin mypin --p11-key-label aes0 \
+  --enable-server
+```
+
+Start a K3S cluster with the proper KMS configuration in [encryption-conf.yaml](k8s/encryption-conf.yaml) :
+
+```sh
+curl -sfL https://get.k3s.io | sh -s - \
+  --kube-apiserver-arg=encryption-provider-config=encryption-conf.yaml
+```
diff --git a/README.md b/README.md
@@ -10,15 +10,45 @@ This service is designed for kubernetes clusters that are using version 1.10.0 o
 
 https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/
 
-So for development purposes, you'll want a cluster that can be configured to use a KMS gRPC endpoint on your APIServer nodes. 
+So for development purposes, you'll want a cluster that can be configured to use a KMS gRPC endpoint on your APIServer nodes.
 
-Locally you should install [skaffold.dev](https://skaffold.dev) tooling as well as Cloud Code in your favorite IDE to leverage the skaffold.yaml file in this repo.
+To serve the k8s-kms-plugin for encryption operations from Kubernetes, you will need at least one AES key in a PKCS11 provider.
 
-## Quick Start for testing
+## KMS provider for SoftHsm V2
+
+In this mode, we recommend to run the k8s-kms-plugin with the GCM algorithm.  
+It provides a better design for authenticated encryption operations :
+
+```sh
+# debian
+export MODULE="/usr/lib/softhsm/libsofthsm2.so"
+# redhat
+export MODULE="/usr/lib64/pkcs11/libsofthsm2.so"
+# serve
+k8s-kms-plugin serve \
+  --provider p11 --p11-lib $MODULE --p11-key-label mykey --p11-label mylabel --p11-pin mypin --enable-server
+```
+
+## KMS provider for TPM2 PKCS11
+
+You must know that AES GCM is not supported by the TPM v2 specifications.
+In this mode, we recommend to run the k8s-kms-plugin with the CBC-then-HMAC algorithm. 
+You must provide an HMAC key alongside the AES key for encryption :
+
+```sh
+# debian
+export MODULE="/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1"
+# redhat
+export MODULE="/usr/lib64/pkcs11/libtpm2_pkcs11.so"
+# serve
+k8s-kms-plugin serve \
+  --provider p11 --p11-lib $MODULE --p11-key-label cbc0 --p11-hmac-label hmac0 --p11-label mylabel --p11-pin mypin --algorithm aes-cbc --enable-server
+```
+
+## Quick Start
+
+Read the [QUICKSTART.md](QUICKSTART.md).
 
-- Get a k8s cluster to deploy the `k8s-kms-plugin`
-- Install skaffold.dev  [skaffold.dev](https://skaffold.dev) 
-- Running `skaffold dev` or `make dev` should put the  stack into a local deployment pipeline of the plugin being tested as a KMS gRPC server.
 ## Deployment scenarios
 
 This plugin is designed to be deployed in 2 configurations
@@ -42,5 +72,25 @@ The `Makefile` contains commands for easy execution:
 - `make dev` - loads project into your kubernetes cluster (minikube or GKE will work just fine), and continously builds and deploys as you develop.
 - `make build` - builds the standalone `k8s-kms-plugin` binary
 
+## Debug Environment
+
+For a remote debug, build the plugin with debug mode :
+
+```sh
+go get github.com/go-delve/delve/cmd/dlv
+make build-debug
+```
+
+It will generate a binary `k8s-kms-plugin` that can be used with Delve for debug purpose.  
+Do not use this binary in a production environment.
+
+## Vulnerability check
+
+```sh
+$ govulncheck ./...
+Scanning your code and 288 packages across 34 dependent modules for known vulnerabilities...
+
+No vulnerabilities found.
+```
+
 
-NOTE:  Currently the standalone plugin just waits for the 
diff --git a/apis/istio/v1/client.go b/apis/istio/v1/client.go
@@ -27,7 +27,6 @@ import (
 	"context"
 	"fmt"
 	"google.golang.org/grpc"
-	"net/url"
 	"time"
 )
 

diff --git a/apis/k8s/v1beta1/service.pb.go b/apis/k8s/v1beta1/service.pb.go
diff --git a/apis/kms/v1/client.go b/apis/kms/v1/client.go
@@ -31,7 +31,6 @@ import (
 	"time"
 )
 
-
 func GetClientTCP(host string, port int64, timeout time.Duration) (ctx context.Context, cancel context.CancelFunc, c KMSPluginServiceClient, err error) {
 	// Get Client
 	options := []grpc.DialOption{grpc.WithInsecure()}

diff --git a/cmd/k8s-kms-plugin/cmd/decrypt-csr.go b/cmd/k8s-kms-plugin/cmd/decrypt-csr.go
@@ -9,8 +9,8 @@ import (
 	"path/filepath"
 	"time"
 
+	istio "github.com/ThalesGroup/k8s-kms-plugin/apis/istio/v1"
 	"github.com/spf13/cobra"
-	"github.com/thalescpl-io/k8s-kms-plugin/apis/istio/v1"
 )
 
 var inName, outName string

diff --git a/cmd/k8s-kms-plugin/cmd/generate-kek.go b/cmd/k8s-kms-plugin/cmd/generate-kek.go
@@ -6,8 +6,8 @@ import (
 	"path/filepath"
 	"time"
 
+	istio "github.com/ThalesGroup/k8s-kms-plugin/apis/istio/v1"
 	"github.com/spf13/cobra"
-	"github.com/thalescpl-io/k8s-kms-plugin/apis/istio/v1"
 )
 
 var (

diff --git a/cmd/k8s-kms-plugin/cmd/import-ca.go b/cmd/k8s-kms-plugin/cmd/import-ca.go
@@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
-    http://www.apache.org/licenses/LICENSE-2.0
+	http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
@@ -22,8 +22,8 @@ import (
 	"path/filepath"
 	"time"
 
+	istio "github.com/ThalesGroup/k8s-kms-plugin/apis/istio/v1"
 	"github.com/spf13/cobra"
-	"github.com/thalescpl-io/k8s-kms-plugin/apis/istio/v1"
 )
 
 var caCertPem []byte
@@ -47,7 +47,7 @@ var importCaCmd = &cobra.Command{
 			return
 		}
 		req := &istio.ImportCACertRequest{
-			CaId:     []byte(caId),
+			CaId:       []byte(caId),
 			CaCertBlob: caCertPem,
 		}
 		if _, err = ic.ImportCACert(ictx, req); err != nil {

diff --git a/cmd/k8s-kms-plugin/cmd/root.go b/cmd/k8s-kms-plugin/cmd/root.go
@@ -106,11 +106,9 @@ func init() {
 	rootCmd.PersistentFlags().IntVar(&p11slot, "p11-slot", 0, "P11 token slot")
 	rootCmd.PersistentFlags().StringVar(&p11pin, "p11-pin", "", "P11 Pin")
 	rootCmd.PersistentFlags().StringVar(&defaultDekKeyName, "p11-key-label", "k8s-dek", "Key Label to use for encrypt/decrypt")
+	rootCmd.PersistentFlags().StringVar(&hmacKeyName, "p11-hmac-label", "k8s-hmac", "Key Label to use for sha based verifications")
 	rootCmd.PersistentFlags().StringVarP(&nativePath, "native-path", "p", ".keys", "Path to key store for native provider(Files only)")
-	rootCmd.PersistentFlags().BoolVar(&createKey, "auto-create", true, "Auto create the keys if needed")
-	// Cobra also supports local flags, which will only run
-	// when this action is called directly.
-	rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+	rootCmd.PersistentFlags().BoolVar(&createKey, "auto-create", false, "Auto create the keys if needed")
 }
 
 // initConfig reads in config file and ENV variables if set.