Platform KMS

Makefile

@@ -45,7 +45,7 @@ race:
 #########################################
 
 fmt:
-	$Q goimports -l -w $(SRC)
+	$Q goimports --local go.step.sm/crypto -l -w $(SRC)
 
 lint: golint govulncheck
 

go.mod

@@ -1,6 +1,6 @@
 module go.step.sm/crypto
 
-go 1.24.0
+go 1.25.0
 
 require (
 	cloud.google.com/go/kms v1.25.0
@@ -24,7 +24,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/mock v0.6.0
 	golang.org/x/crypto v0.48.0
-	golang.org/x/net v0.50.0
+	golang.org/x/net v0.51.0
 	golang.org/x/sys v0.41.0
 	golang.org/x/term v0.40.0
 	google.golang.org/api v0.264.0

go.sum

@@ -1033,8 +1033,8 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

internal/templates/funcmap.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/Masterminds/sprig/v3"
+
 	"go.step.sm/crypto/jose"
 )
 

jose/encrypt.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/randutil"
 )
 

jose/generate.go

@@ -9,6 +9,7 @@ import (
 	"encoding/base64"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x25519"

jose/parse.go

@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x25519"
 )

jose/types.go

@@ -11,6 +11,7 @@ import (
 	jose "github.com/go-jose/go-jose/v3"
 	"github.com/go-jose/go-jose/v3/cryptosigner"
 	"github.com/go-jose/go-jose/v3/jwt"
+
 	"go.step.sm/crypto/x25519"
 )
 

jose/types_test.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/x25519"
 )
 

jose/validate.go

@@ -12,8 +12,9 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
-	"go.step.sm/crypto/keyutil"
 	"golang.org/x/crypto/ssh"
+
+	"go.step.sm/crypto/keyutil"
 )
 
 // ValidateSSHPOP validates the given SSH certificate and key for use in an

jose/x25519.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/x25519"
 )
 

keyutil/key.go

@@ -14,8 +14,9 @@ import (
 	"sync/atomic"
 
 	"github.com/pkg/errors"
-	"go.step.sm/crypto/x25519"
 	"golang.org/x/crypto/ssh"
+
+	"go.step.sm/crypto/x25519"
 )
 
 var (

kms/apiv1/options.go

@@ -18,6 +18,17 @@ type KeyManager interface {
 	Close() error
 }
 
+// KeyDeleter is an optional interface for KMS implementations that support
+// deleting keys.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+type KeyDeleter interface {
+	DeleteKey(req *DeleteKeyRequest) error
+}
+
 // SearchableKeyManager is an optional interface for KMS implementations
 // that support searching for keys based on certain attributes.
 //
@@ -54,6 +65,17 @@ type CertificateChainManager interface {
 	StoreCertificateChain(req *StoreCertificateChainRequest) error
 }
 
+// CertificateDeleter is an optional interface for KMS implementations that
+// support deleting certificates.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+type CertificateDeleter interface {
+	DeleteCertificate(req *DeleteCertificateRequest) error
+}
+
 // NameValidator is an interface that KeyManager can implement to validate a
 // given name or URI.
 type NameValidator interface {
@@ -151,6 +173,9 @@ const (
 	TPMKMS Type = "tpmkms"
 	// MacKMS is the KMS implementation using macOS Keychain and Secure Enclave.
 	MacKMS Type = "mackms"
+	// PlatformKMS is the KMS implementation that uses TPMKMS on Windows and
+	// Linux and MacKMS on macOS.
+	PlatformKMS Type = "kms"
 )
 
 // TypeOf returns the type of of the given uri.
@@ -181,7 +206,7 @@ func (t Type) Validate() error {
 		return nil
 	case YubiKey, PKCS11, TPMKMS: // Hardware based kms.
 		return nil
-	case SSHAgentKMS, CAPIKMS, MacKMS: // Others
+	case SSHAgentKMS, CAPIKMS, MacKMS, PlatformKMS: // Others
 		return nil
 	}
 

kms/apiv1/requests.go

@@ -265,6 +265,29 @@ type AttestationClient interface {
 	Attest(context.Context) ([]*x509.Certificate, error)
 }
 
+type attestSignerCtx struct{}
+
+// NewAttestSignerContext creates a new context with the given signer.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func NewAttestSignerContext(ctx context.Context, signer crypto.Signer) context.Context {
+	return context.WithValue(ctx, attestSignerCtx{}, signer)
+}
+
+// AttestSignerFromContext returns the signer from the context.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func AttestSignerFromContext(ctx context.Context) (crypto.Signer, bool) {
+	signer, ok := ctx.Value(attestSignerCtx{}).(crypto.Signer)
+	return signer, ok
+}
+
 // CertificationParameters encapsulates the inputs for certifying an application key.
 // Only TPM 2.0 is supported at this point.
 //

kms/apiv1/requests_test.go

@@ -1,6 +1,13 @@
 package apiv1
 
-import "testing"
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"go.step.sm/crypto/keyutil"
+)
 
 func TestProtectionLevel_String(t *testing.T) {
 	tests := []struct {
@@ -49,3 +56,17 @@ func TestSignatureAlgorithm_String(t *testing.T) {
 		})
 	}
 }
+
+func TestNewAttestSignerContext(t *testing.T) {
+	signer, err := keyutil.GenerateDefaultSigner()
+	require.NoError(t, err)
+
+	ctx := NewAttestSignerContext(t.Context(), signer)
+	got, ok := AttestSignerFromContext(ctx)
+	assert.Equal(t, signer, got)
+	assert.True(t, ok)
+
+	got, ok = AttestSignerFromContext(t.Context())
+	assert.Nil(t, got)
+	assert.False(t, ok)
+}

kms/awskms/awskms.go

@@ -13,6 +13,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/aws-sdk-go-v2/service/kms/types"
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/uri"
 	"go.step.sm/crypto/pemutil"

kms/awskms/awskms_test.go

@@ -12,6 +12,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/kms/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/pemutil"
 )

kms/awskms/no_awskms.go

@@ -8,6 +8,7 @@ import (
 	"path/filepath"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/kms/apiv1"
 )
 

kms/awskms/signer.go

@@ -11,6 +11,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/aws-sdk-go-v2/service/kms/types"
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/pemutil"
 )
 

kms/awskms/signer_test.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/aws-sdk-go-v2/service/kms/types"
+
 	"go.step.sm/crypto/pemutil"
 )
 

kms/azurekms/key_vault.go

@@ -14,6 +14,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/uri"
 )

kms/azurekms/key_vault_test.go

@@ -15,10 +15,11 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
 	"github.com/go-jose/go-jose/v3"
+	"go.uber.org/mock/gomock"
+
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/azurekms/internal/mock"
-	"go.uber.org/mock/gomock"
 )
 
 var errTest = fmt.Errorf("test error")

kms/azurekms/no_azurekms.go

@@ -8,6 +8,7 @@ import (
 	"path/filepath"
 
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/kms/apiv1"
 )
 

kms/azurekms/signer_test.go

@@ -12,11 +12,12 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
-	"go.step.sm/crypto/keyutil"
-	"go.step.sm/crypto/kms/apiv1"
 	"go.uber.org/mock/gomock"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/cryptobyte/asn1"
+
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/kms/apiv1"
 )
 
 type FuncMatcher func(x interface{}) bool

kms/azurekms/utils.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
 	"github.com/pkg/errors"
+
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/uri"
 )

kms/azurekms/utils_test.go

@@ -13,6 +13,7 @@ import (
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
+
 	"go.step.sm/crypto/kms/apiv1"
 )