Additional behavior for verifying cert chains - now handles the cases…

… of: 1) a single cert being provided, where the root is used from the HSM; 2) a cert is provided along with a root (and possibly intermediates) - this results in the provided chain being verified followed by the root being compared against the one in the CA; 3) an intermediate CA being supplied along with the end certificate - this results in the intermediate-end chain being verified initially and then verified against the CA from the HSM
myidpt · Sep 23, 2020 · c762a3d · c762a3d
1 parent 72051fb
commit c762a3d
Show file tree

Hide file tree

Showing 5 changed files with 263 additions and 22 deletions.
diff --git a/cmd/k8s-kms-plugin/cmd/decrypt-csr.go b/cmd/k8s-kms-plugin/cmd/decrypt-csr.go
@@ -88,7 +88,7 @@ func decryptCSR() error {
 func init() {
 	rootCmd.AddCommand(decryptCSRCmd)
 	decryptCSRCmd.PersistentFlags().StringVar(&socketPath, "socket", filepath.Join(os.TempDir(), "run", "hsm-plugin-server.sock"), "Unix Socket")
-	decryptCSRCmd.Flags().DurationVar(&timeout, "timeout", 10*time.Second, "Timeout Duration")
+	decryptCSRCmd.Flags().DurationVar(&timeout, "timeout", 30*time.Second, "Timeout Duration")
 	decryptCSRCmd.Flags().StringVarP(&inName, "inName", "f", "", "Input file")
 	decryptCSRCmd.Flags().StringVarP(&outName, "outName", "o", "", "Output file")
 }
diff --git a/cmd/k8s-kms-plugin/cmd/generate-kek.go b/cmd/k8s-kms-plugin/cmd/generate-kek.go
@@ -46,6 +46,6 @@ func generateKEK() error {
 func init() {
 	rootCmd.AddCommand(generateKEKCmd)
 	generateKEKCmd.PersistentFlags().StringVar(&socketPath, "socket", filepath.Join(os.TempDir(), "run", "hsm-plugin-server.sock"), "Unix Socket")
-	generateKEKCmd.Flags().DurationVar(&timeout, "timeout", 10*time.Second, "Timeout Duration")
+	generateKEKCmd.Flags().DurationVar(&timeout, "timeout", 30*time.Second, "Timeout Duration")
 	generateKEKCmd.Flags().StringVar(&kekID, "kek-id", "", "KEK ID to request")
 }
diff --git a/cmd/k8s-kms-plugin/cmd/import-ca.go b/cmd/k8s-kms-plugin/cmd/import-ca.go
@@ -61,7 +61,7 @@ func init() {
 	rootCmd.AddCommand(importCaCmd)
 
 	importCaCmd.PersistentFlags().StringVar(&socketPath, "socket", filepath.Join(os.TempDir(), "run", "hsm-plugin-server.sock"), "Unix Socket")
-	importCaCmd.Flags().DurationVar(&timeout, "timeout", 10*time.Second, "Timeout Duration")
+	importCaCmd.Flags().DurationVar(&timeout, "timeout", 30*time.Second, "Timeout Duration")
 	importCaCmd.Flags().StringVarP(&caCertPath, "cert-file", "f", "", "Certificate File")
 	importCaCmd.MarkFlagRequired("cert-file")
 }