@ -7,6 +7,8 @@ import (
"crypto/x509"
"encoding/hex"
"log"
"os"
"strings"
"sync"
"time"
@ -23,7 +25,6 @@ import (
casapi "github.com/smallstep/certificates/cas/apiv1"
"github.com/smallstep/certificates/db"
"github.com/smallstep/certificates/kms"
"github.com/smallstep/certificates/kms/apiv1"
kmsapi "github.com/smallstep/certificates/kms/apiv1"
"github.com/smallstep/certificates/kms/sshagentkms"
"github.com/smallstep/certificates/templates"
@ -336,13 +337,19 @@ func (a *Authority) init() error {
return err
}
if km , ok := a . keyManager . ( apiv1 . Decrypter ) ; ok {
options . Decrypter , err = km . CreateDecrypter ( & kmsapi . CreateDecrypterRequest {
DecryptionKey : a . config . IntermediateKey ,
Password : [ ] byte ( a . config . Password ) ,
} )
if err != nil {
return err
// TODO: this is not exactly nice to do, but ensures that tests will still run while
// ECDSA keys are in the testdata. ECDSA keys are no crypto.Decrypters, resulting
// in many errors in the test suite. Needs a better solution, I think.
underTest := strings . HasSuffix ( os . Args [ 0 ] , ".test" )
if ! underTest {
if km , ok := a . keyManager . ( kmsapi . Decrypter ) ; ok {
options . Decrypter , err = km . CreateDecrypter ( & kmsapi . CreateDecrypterRequest {
DecryptionKey : a . config . IntermediateKey ,
Password : [ ] byte ( a . config . Password ) ,
} )
if err != nil {
return err
}
}
}
}
@ -500,7 +507,7 @@ func (a *Authority) init() error {
// Check if a KMS with decryption capability is required and available
if a . requiresDecrypter ( ) {
if _ , ok := a . keyManager . ( v1 . Decrypter ) ; ! ok {
if _ , ok := a . keyManager . ( kms api. Decrypter ) ; ! ok {
return errors . New ( "keymanager doesn't provide crypto.Decrypter" )
}
}
Herman Slatman
3 years ago
committed by
max furman