Add KeySpec Input and Output (#35)

* Amended tests to check for KeySpec amend

* One extra check

* Added KeySpec naming

And moved to use it as the main record of the selected key spec.

* Output KeySpec in logging

Author: nsmithuk

go.mod

@@ -3,7 +3,7 @@ module github.com/nsmithuk/local-kms
 go 1.17
 
 require (
-	github.com/aws/aws-sdk-go v1.35.0
+	github.com/aws/aws-sdk-go v1.42.19
 	github.com/btcsuite/btcd v0.22.0-beta
 	github.com/satori/go.uuid v1.2.0
 	github.com/sirupsen/logrus v1.4.2
@@ -15,5 +15,5 @@ require (
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
-	golang.org/x/sys v0.0.0-20191210023423-ac6580df4449 // indirect
+	golang.org/x/sys v0.0.0-20210423082822-04245dca01da // indirect
 )

go.sum

@@ -1,6 +1,6 @@
 github.com/aead/siphash v1.0.1/go.mod h1:Nywa3cDsYNNK3gaciGTWPwHt0wlpNV15vwmswBAUSII=
-github.com/aws/aws-sdk-go v1.35.0 h1:Pxqn1MWNfBCNcX7jrXCCTfsKpg5ms2IMUMmmcGtYJuo=
-github.com/aws/aws-sdk-go v1.35.0/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48=
+github.com/aws/aws-sdk-go v1.42.19 h1:L/aM1QwsqVia9qIqexTHwYN+lgLYuOtf11VDgz0YIyw=
+github.com/aws/aws-sdk-go v1.42.19/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
 github.com/btcsuite/btcd v0.22.0-beta h1:LTDpDKUM5EeOFBPM8IXpinEcmZ6FWfNZbE3lfrfdnWo=
 github.com/btcsuite/btcd v0.22.0-beta/go.mod h1:9n5ntfhhHQBIhUvlhDvD3Qg6fRUj4jkN0VB8L8svzOA=
@@ -20,7 +20,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/lru v1.0.0/go.mod h1:mxKOwFd7lFjN2GZYsiz/ecgqR6kkYAl+0pz0tEMk218=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
@@ -64,17 +63,21 @@ golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191210023423-ac6580df4449 h1:gSbV7h1NRL2G1xTg/owz62CST1oJBmxy4QpMMregXVQ=
-golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=

src/cmk/aes_key.go

@@ -32,6 +32,7 @@ func NewAesKey(metadata KeyMetadata, policy string, origin KeyOrigin) *AesKey {
 	//---
 
 	k.Metadata.KeyUsage = UsageEncryptDecrypt
+	k.Metadata.KeySpec = SpecSymmetricDefault
 	k.Metadata.CustomerMasterKeySpec = SpecSymmetricDefault
 	k.Metadata.EncryptionAlgorithms = []EncryptionAlgorithm{EncryptionAlgorithmAes}
 
@@ -182,6 +183,7 @@ func (k *AesKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		k.Metadata.Enabled = false
 	}
 
+	k.Metadata.KeySpec = SpecSymmetricDefault
 	k.Metadata.CustomerMasterKeySpec = SpecSymmetricDefault
 	k.Metadata.EncryptionAlgorithms = []EncryptionAlgorithm{EncryptionAlgorithmAes}
 

src/cmk/ecc_key.go

@@ -27,7 +27,7 @@ type ecdsaSignature struct {
 	R, S *big.Int
 }
 
-func NewEccKey(spec CustomerMasterKeySpec, metadata KeyMetadata, policy string) (*EccKey, error) {
+func NewEccKey(spec KeySpec, metadata KeyMetadata, policy string) (*EccKey, error) {
 
 	var curve elliptic.Curve
 
@@ -62,6 +62,7 @@ func NewEccKey(spec CustomerMasterKeySpec, metadata KeyMetadata, policy string)
 	//---
 
 	k.Metadata.KeyUsage = UsageSignVerify
+	k.Metadata.KeySpec = spec
 	k.Metadata.CustomerMasterKeySpec = spec
 
 	switch spec {
@@ -257,13 +258,13 @@ func (k *EccKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
 
 	switch bitLen {
 	case 256:
-		k.Metadata.CustomerMasterKeySpec = SpecEccNistP256
+		k.Metadata.KeySpec = SpecEccNistP256
 		k.Metadata.SigningAlgorithms = []SigningAlgorithm{SigningAlgorithmEcdsaSha256}
 	case 384:
-		k.Metadata.CustomerMasterKeySpec = SpecEccNistP384
+		k.Metadata.KeySpec = SpecEccNistP384
 		k.Metadata.SigningAlgorithms = []SigningAlgorithm{SigningAlgorithmEcdsaSha384}
 	case 521:
-		k.Metadata.CustomerMasterKeySpec = SpecEccNistP521
+		k.Metadata.KeySpec = SpecEccNistP521
 		k.Metadata.SigningAlgorithms = []SigningAlgorithm{SigningAlgorithmEcdsaSha512}
 	default:
 		return &UnmarshalYAMLError{
@@ -273,6 +274,8 @@ func (k *EccKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		}
 	}
 
+	k.Metadata.CustomerMasterKeySpec = k.Metadata.KeySpec
+
 	if k.Metadata.KeyUsage != UsageSignVerify {
 		return &UnmarshalYAMLError{
 			fmt.Sprintf(

src/cmk/key.go

@@ -19,17 +19,17 @@ const (
 
 //---
 
-type CustomerMasterKeySpec string
+type KeySpec string
 
 const (
-	SpecSymmetricDefault CustomerMasterKeySpec = "SYMMETRIC_DEFAULT"
-	SpecEccNistP256      CustomerMasterKeySpec = "ECC_NIST_P256"
-	SpecEccNistP384      CustomerMasterKeySpec = "ECC_NIST_P384"
-	SpecEccNistP521      CustomerMasterKeySpec = "ECC_NIST_P521"
-	SpecEccSecp256k1     CustomerMasterKeySpec = "ECC_SECG_P256K1"
-	SpecRsa2048          CustomerMasterKeySpec = "RSA_2048"
-	SpecRsa3072          CustomerMasterKeySpec = "RSA_3072"
-	SpecRsa4096          CustomerMasterKeySpec = "RSA_4096"
+	SpecSymmetricDefault KeySpec = "SYMMETRIC_DEFAULT"
+	SpecEccNistP256      KeySpec = "ECC_NIST_P256"
+	SpecEccNistP384      KeySpec = "ECC_NIST_P384"
+	SpecEccNistP521      KeySpec = "ECC_NIST_P521"
+	SpecEccSecp256k1     KeySpec = "ECC_SECG_P256K1"
+	SpecRsa2048          KeySpec = "RSA_2048"
+	SpecRsa3072          KeySpec = "RSA_3072"
+	SpecRsa4096          KeySpec = "RSA_4096"
 )
 
 //---
@@ -150,7 +150,8 @@ type KeyMetadata struct {
 
 	SigningAlgorithms     []SigningAlgorithm    `json:",omitempty"`
 	EncryptionAlgorithms  []EncryptionAlgorithm `json:",omitempty"`
-	CustomerMasterKeySpec CustomerMasterKeySpec `json:",omitempty"`
+	KeySpec               KeySpec               `json:",omitempty"`
+	CustomerMasterKeySpec KeySpec               `json:",omitempty"`
 }
 
 type ParametersForImport struct {
@@ -169,7 +170,7 @@ func (e *UnmarshalYAMLError) Error() string {
 }
 
 func defaultSeededKeyMetadata(metadata *KeyMetadata) {
-	metadata.Arn = config.ArnPrefix() + "key/" +metadata.KeyId
+	metadata.Arn = config.ArnPrefix() + "key/" + metadata.KeyId
 	metadata.AWSAccountId = config.AWSAccountId
 	metadata.CreationDate = time.Now().Unix()
 	metadata.Enabled = true

src/cmk/rsa_key.go

@@ -17,7 +17,7 @@ type RsaKey struct {
 	PrivateKey RsaPrivateKey
 }
 
-func NewRsaKey(spec CustomerMasterKeySpec, usage KeyUsage, metadata KeyMetadata, policy string) (*RsaKey, error) {
+func NewRsaKey(spec KeySpec, usage KeyUsage, metadata KeyMetadata, policy string) (*RsaKey, error) {
 
 	var bits int
 
@@ -48,6 +48,7 @@ func NewRsaKey(spec CustomerMasterKeySpec, usage KeyUsage, metadata KeyMetadata,
 	k.Policy = policy
 
 	k.Metadata.KeyUsage = usage
+	k.Metadata.KeySpec = spec
 	k.Metadata.CustomerMasterKeySpec = spec
 
 	switch usage {
@@ -253,11 +254,11 @@ func (k *RsaKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	bitLen := key.N.BitLen()
 	switch bitLen {
 	case 2048:
-		k.Metadata.CustomerMasterKeySpec = SpecRsa2048
+		k.Metadata.KeySpec = SpecRsa2048
 	case 3072:
-		k.Metadata.CustomerMasterKeySpec = SpecRsa3072
+		k.Metadata.KeySpec = SpecRsa3072
 	case 4096:
-		k.Metadata.CustomerMasterKeySpec = SpecRsa4096
+		k.Metadata.KeySpec = SpecRsa4096
 	default:
 		return &UnmarshalYAMLError{
 			fmt.Sprintf(
@@ -266,6 +267,8 @@ func (k *RsaKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		}
 	}
 
+	k.Metadata.CustomerMasterKeySpec = k.Metadata.KeySpec
+
 	switch k.Metadata.KeyUsage {
 	case UsageSignVerify:
 		k.Metadata.SigningAlgorithms = []SigningAlgorithm{
@@ -291,4 +294,3 @@ func (k *RsaKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	}
 	return nil
 }
-

src/data/database_key.go

@@ -57,6 +57,13 @@ func (d *Database) LoadKey(arn string) (cmk.Key, error) {
 
 	//---
 
+	// Migrate old keys to new naming
+	if key.GetMetadata().KeySpec == "" {
+		key.GetMetadata().KeySpec = key.GetMetadata().CustomerMasterKeySpec
+	}
+
+	//---
+
 	// Delete key if it has expired
 	if key.GetMetadata().DeletionDate != 0 && key.GetMetadata().DeletionDate < time.Now().Unix() {
 		d.DeleteObject(arn)

src/handler/create_key.go

@@ -80,9 +80,20 @@ func (r *RequestHandler) CreateKey() Response {
 		body.Policy = &policy
 	}
 
-	if body.CustomerMasterKeySpec == nil {
+	if body.KeySpec != nil && body.CustomerMasterKeySpec != nil {
+		// Both values cannot be set
+
+		msg := fmt.Sprintf("You cannot specify KeySpec and CustomerMasterKeySpec in the same request. CustomerMasterKeySpec is deprecated.")
+		r.logger.Warnf(msg)
+		return NewValidationExceptionResponse(msg)
+	} else if body.KeySpec == nil && body.CustomerMasterKeySpec != nil {
+		// If we only have CustomerMasterKeySpec, copy it over to KeySpec
+		body.KeySpec = body.CustomerMasterKeySpec
+
+	} else if body.KeySpec == nil && body.CustomerMasterKeySpec == nil {
+		// If neither are set, the default is SYMMETRIC_DEFAULT
 		sd := "SYMMETRIC_DEFAULT"
-		body.CustomerMasterKeySpec = &sd
+		body.KeySpec = &sd
 	}
 
 	if body.Origin != nil {
@@ -91,8 +102,8 @@ func (r *RequestHandler) CreateKey() Response {
 			// nop
 		case "EXTERNAL":
 
-			if *body.CustomerMasterKeySpec != "SYMMETRIC_DEFAULT" {
-				msg := fmt.Sprintf("KeySpec %s is not supported for Origin %s", *body.CustomerMasterKeySpec, *body.Origin)
+			if *body.KeySpec != "SYMMETRIC_DEFAULT" {
+				msg := fmt.Sprintf("KeySpec %s is not supported for Origin %s", *body.KeySpec, *body.Origin)
 
 				r.logger.Warnf(msg)
 				return NewValidationExceptionResponse(msg)
@@ -122,7 +133,7 @@ func (r *RequestHandler) CreateKey() Response {
 
 	var key cmk.Key
 
-	switch *body.CustomerMasterKeySpec {
+	switch *body.KeySpec {
 	case "SYMMETRIC_DEFAULT":
 
 		if body.KeyUsage != nil && *body.KeyUsage != "ENCRYPT_DECRYPT" {
@@ -142,12 +153,12 @@ func (r *RequestHandler) CreateKey() Response {
 		}
 
 		if *body.KeyUsage != "SIGN_VERIFY" {
-			msg := fmt.Sprintf("KeyUsage ENCRYPT_DECRYPT is not compatible with KeySpec %s", *body.CustomerMasterKeySpec)
+			msg := fmt.Sprintf("KeyUsage ENCRYPT_DECRYPT is not compatible with KeySpec %s", *body.KeySpec)
 			r.logger.Warnf(msg)
 			return NewValidationExceptionResponse(msg)
 		}
 
-		key, err = cmk.NewEccKey(cmk.CustomerMasterKeySpec(*body.CustomerMasterKeySpec), metadata, *body.Policy)
+		key, err = cmk.NewEccKey(cmk.KeySpec(*body.KeySpec), metadata, *body.Policy)
 		if err != nil {
 			r.logger.Error(err)
 			return NewInternalFailureExceptionResponse(err.Error())
@@ -162,22 +173,22 @@ func (r *RequestHandler) CreateKey() Response {
 		}
 
 		if !(*body.KeyUsage == "SIGN_VERIFY" || *body.KeyUsage == "ENCRYPT_DECRYPT") {
-			msg := fmt.Sprintf("KeyUsage %s is not compatible with KeySpec %s", *body.KeyUsage, *body.CustomerMasterKeySpec)
+			msg := fmt.Sprintf("KeyUsage %s is not compatible with KeySpec %s", *body.KeyUsage, *body.KeySpec)
 			r.logger.Warnf(msg)
 			return NewValidationExceptionResponse(msg)
 		}
 
-		key, err = cmk.NewRsaKey(cmk.CustomerMasterKeySpec(*body.CustomerMasterKeySpec), cmk.KeyUsage(*body.KeyUsage), metadata, *body.Policy)
+		key, err = cmk.NewRsaKey(cmk.KeySpec(*body.KeySpec), cmk.KeyUsage(*body.KeyUsage), metadata, *body.Policy)
 		if err != nil {
 			r.logger.Error(err)
 			return NewInternalFailureExceptionResponse(err.Error())
 		}
 
 	default:
 
-		msg := fmt.Sprintf("1 validation error detected: Value '%s' at 'customerMasterKeySpec' "+
+		msg := fmt.Sprintf("1 validation error detected: Value '%s' at 'KeySpec' "+
 			"failed to satisfy constraint: Member must satisfy enum value set: [RSA_2048, ECC_NIST_P384, "+
-			"ECC_NIST_P256, ECC_NIST_P521, RSA_3072, ECC_SECG_P256K1, RSA_4096, SYMMETRIC_DEFAULT]", *body.CustomerMasterKeySpec)
+			"ECC_NIST_P256, ECC_NIST_P521, RSA_3072, ECC_SECG_P256K1, RSA_4096, SYMMETRIC_DEFAULT]", *body.KeySpec)
 
 		r.logger.Warnf(msg)
 
@@ -193,7 +204,7 @@ func (r *RequestHandler) CreateKey() Response {
 		return NewInternalFailureExceptionResponse(err.Error())
 	}
 
-	r.logger.Infof("New key created: %s\n", key.GetArn())
+	r.logger.Infof("New %s key created: %s\n", key.GetMetadata().KeySpec, key.GetArn())
 
 	//--------------------------------
 	// Create the tags

src/handler/generate_data_key_pair.go

@@ -71,7 +71,7 @@ func (r *RequestHandler) generateDataKeyPair() (Response, *GenerateDataKeyPairRe
 
 	//----------------------------------
 
-	keyPairSpec := cmk.CustomerMasterKeySpec(*body.KeyPairSpec)
+	keyPairSpec := cmk.KeySpec(*body.KeyPairSpec)
 
 	var publicKey interface{}
 	var privateKey interface{}
@@ -167,7 +167,7 @@ func (r *RequestHandler) generateDataKeyPair() (Response, *GenerateDataKeyPairRe
 			return NewInvalidKeyUsageException(msg), nil
 		}
 
-		msg := fmt.Sprintf("%s key CustomerMasterKeySpec is %s which is not valid for GenerateDataKeyPair.", k.GetArn(), k.GetMetadata().CustomerMasterKeySpec)
+		msg := fmt.Sprintf("%s key KeySpec is %s which is not valid for GenerateDataKeyPair.", k.GetArn(), k.GetMetadata().CustomerMasterKeySpec)
 		r.logger.Warnf(msg)
 		return NewInvalidKeyUsageException(msg), nil
 	}

src/handler/get_public_key.go

@@ -66,7 +66,7 @@ func (r *RequestHandler) GetPublicKey() Response {
 
 	return NewResponse(200, &struct {
 		KeyId                 string
-		CustomerMasterKeySpec cmk.CustomerMasterKeySpec
+		CustomerMasterKeySpec cmk.KeySpec
 		//EncryptionAlgorithms	[]cmk.EncryptionAlgorithm
 		SigningAlgorithms []cmk.SigningAlgorithm
 		KeyUsage          cmk.KeyUsage