/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/
package main
import (
"context"
"encoding/base64"
"errors"
"flag"
"path/filepath"
"strconv"
"time"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/internal/server"
"github.com/edgelesssys/constellation/v2/kms/setup"
"github.com/spf13/afero"
"go.uber.org/zap"
)
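// main starts the Constellation Key Management Service.
//
// It parses the command-line flags, reads the master secret and the salt
// from disk, checks that both meet their minimum length, builds the key URI
// for the cluster KMS backend, creates the KEK from the master secret and
// then serves the gRPC API on the configured port. Every failure is logged
// at fatal level together with the error; the secret material itself is
// never written to the log.
func main() {
	port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on")
	masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
	saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretSalt), "Path to the Constellation salt")
	verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
	flag.Parse()

	log := logger.New(logger.JSONLog, logger.VerbosityFromInt(*verbosity))
	log.With(zap.String("version", constants.VersionInfo)).
		Infof("Constellation Key Management Service")

	// Read master secret and salt. The handler is called fileHandler so it
	// does not shadow the imported "file" package.
	fileHandler := file.NewHandler(afero.NewOsFs())
	masterKey, err := fileHandler.Read(*masterSecretPath)
	if err != nil {
		log.With(zap.Error(err)).Fatalf("Failed to read master secret")
	}
	// Lower-bound check only: a secret longer than the minimum is accepted.
	// Only the length requirement is logged, never the key bytes.
	if len(masterKey) < crypto.MasterSecretLengthMin {
		log.With(zap.Error(errors.New("invalid key length"))).Fatalf("Provided master secret is smaller than the required minimum of %d bytes", crypto.MasterSecretLengthMin)
	}
	salt, err := fileHandler.Read(*saltPath)
	if err != nil {
		log.With(zap.Error(err)).Fatalf("Failed to read salt")
	}
	// Also a lower-bound check, even though the message reads like an exact
	// size: a longer salt passes.
	if len(salt) < crypto.RNGLengthDefault {
		log.With(zap.Error(errors.New("invalid salt length"))).Fatalf("Expected salt to be %d bytes, but got %d", crypto.RNGLengthDefault, len(salt))
	}
	// The salt is handed to the KMS backend as a URL-safe base64 query parameter.
	keyURI := setup.ClusterKMSURI + "?salt=" + base64.URLEncoding.EncodeToString(salt)

	// Set up the Key Management Service. The one-minute timeout bounds only
	// the setup and the KEK creation; Run below takes no context.
	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
	defer cancel()
	conKMS, err := setup.KMS(ctx, setup.NoStoreURI, keyURI)
	if err != nil {
		log.With(zap.Error(err)).Fatalf("Failed to setup KMS")
	}
	if err := conKMS.CreateKEK(ctx, "Constellation", masterKey); err != nil {
		log.With(zap.Error(err)).Fatalf("Failed to create KMS KEK from MasterKey")
	}

	if err := server.New(log.Named("kms"), conKMS).Run(*port); err != nil {
		log.With(zap.Error(err)).Fatalf("Failed to run KMS server")
	}
}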