
Commit b42c8c7

committed
feat(ebe): add support to use TLS for KMS API
Ticket: WP-4353
1 parent 2e67bdd commit b42c8c7


2 files changed

+20
-4
lines changed


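--- a/src/kms/kmsClient.ts
+++ b/src/kms/kmsClient.ts
@@ -13,11 +13,13 @@ import {
 GenerateDataKeyParams,
 GenerateDataKeyResponse,
 } from './types/generateDataKey';
+import https from 'https';
 
 const debugLogger = debug('bitgo:express:kmsClient');
 
 export class KmsClient {
 private readonly url: string;
+private readonly agent?: https.Agent;
 
 constructor(cfg: EnclavedConfig) {
 if (isMasterExpressConfig(cfg)) {
@@ -29,6 +31,9 @@ export class KmsClient {
 }
 
 this.url = cfg.kmsUrl;
+if (cfg.kmsTlsMode === 'enabled' && cfg.kmsTlsCert) {
+this.agent = new https.Agent({ ca: cfg.kmsTlsCert });
+}
 debugLogger('kmsClient initialized with URL: %s', this.url);
 }
 
@@ -38,7 +43,9 @@ export class KmsClient {
 // Call KMS to post the key
 let kmsResponse: any;
 try {
-kmsResponse = await superagent.post(`${this.url}/key`).set('x-api-key', 'abc').send(params);
+let req = superagent.post(`${this.url}/key`).set('x-api-key', 'abc').send(params);
+if (this.agent) req = req.agent(this.agent);
+kmsResponse = await req;
 } catch (error: any) {
 console.log('Error posting key to KMS', error);
 throw error;
@@ -63,10 +70,12 @@ export class KmsClient {
 // Call KMS to get the key
 let kmsResponse: any;
 try {
-kmsResponse = await superagent.get(`${this.url}/key/${params.pub}`).query({
+let req = superagent.get(`${this.url}/key/${params.pub}`).query({
 source: params.source,
 useLocalEncipherment: params.options?.useLocalEncipherment ?? false,
 });
+if (this.agent) req = req.agent(this.agent);
+kmsResponse = await req;
 } catch (error: any) {
 console.log('Error getting key from KMS', error);
 throw error;
@@ -90,7 +99,9 @@ export class KmsClient {
 // Call KMS to generate the data key
 let kmsResponse: any;
 try {
-kmsResponse = await superagent.post(`${this.url}/generateDataKey`).send(params);
+let req = superagent.post(`${this.url}/generateDataKey`).send(params);
+if (this.agent) req = req.agent(this.agent);
+kmsResponse = await req;
 } catch (error: any) {
 debugLogger('Error generating data key from KMS', error);
 throw error;
@@ -117,7 +128,9 @@ export class KmsClient {
 // Call KMS to decrypt the data key
 let kmsResponse: any;
 try {
-kmsResponse = await superagent.post(`${this.url}/decryptDataKey`).send(params);
+let req = superagent.post(`${this.url}/decryptDataKey`).send(params);
+if (this.agent) req = req.agent(this.agent);
+kmsResponse = await req;
 } catch (error: any) {
 debugLogger('Error decrypting data key from KMS', error);
 throw error;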
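Review bot: The constructor guard in the second hunk fails open: when `kmsTlsMode === 'enabled'` but `kmsTlsCert` is unset, no agent is built and every request later goes out with the default agent, so the configured trust anchor is silently not applied and nothing in the new code flags the misconfiguration. An operator who enabled TLS pinning would get no error and no log line. I would split the condition into `if (cfg.kmsTlsMode === 'enabled') {` followed by `if (!cfg.kmsTlsCert) throw new Error('kmsTlsMode is enabled but kmsTlsCert is not set');` before the `new https.Agent(...)` line, so the client refuses to start rather than degrade. The same `if (this.agent) req = req.agent(this.agent);` line is repeated in the four request hunks; a small private helper that takes the superagent request and returns it with the agent attached would keep the four call sites from drifting apart. The constructor and each request method start and end outside their hunks.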

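--- a/src/shared/types/index.ts
+++ b/src/shared/types/index.ts
@@ -28,6 +28,9 @@ export interface EnclavedConfig extends BaseConfig {
 appMode: AppMode.ENCLAVED;
 // KMS settings
 kmsUrl: string;
+kmsTlsMode?: 'enabled' | 'disabled';
+kmsTlsCert?: string;
+kmsTlsCertPath?: string;
 // mTLS settings
 keyPath?: string;
 crtPath?: string;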
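Review bot: The three new fields carry no documentation, and the relationship between `kmsTlsCert` and `kmsTlsCertPath` is not stated anywhere in this commit; `kmsTlsCertPath` is also not read by the kmsClient.ts change, so presumably something outside this diff resolves the path into `kmsTlsCert`. I would add a comment above each field, for example `// kmsTlsMode: 'enabled' makes KmsClient verify the KMS server against kmsTlsCert; unset or 'disabled' uses the default agent`, `// kmsTlsCert: PEM-encoded CA certificate(s) passed as the https.Agent `ca` option`, and `// kmsTlsCertPath: file the CA PEM is loaded from (TODO confirm where it is read)`. It is also worth stating in the comment that `kmsTlsCert` pins the server trust anchor only; it is not a client certificate, which is what the neighbouring mTLS `keyPath`/`crtPath` fields cover.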
