beezy-dev
diff --git a/‎Containerfile-kleidi-kms-hsm‎
Lines changed: 4 additions & 2 deletions b/‎Containerfile-kleidi-kms-hsm‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎Containerfile-kleidi-kms-vault‎
Lines changed: 4 additions & 2 deletions b/‎Containerfile-kleidi-kms-vault‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎configuration/kleidi/cert-auth/ca/conf/openssl-ca.conf‎
Lines changed: 88 additions & 0 deletions b/‎configuration/kleidi/cert-auth/ca/conf/openssl-ca.conf‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎configuration/kleidi/cert-auth/ca/conf/openssl-client.conf‎
Lines changed: 53 additions & 0 deletions b/‎configuration/kleidi/cert-auth/ca/conf/openssl-client.conf‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎configuration/kleidi/cert-auth/ca/conf/openssl-intermediate.conf‎
Lines changed: 100 additions & 0 deletions b/‎configuration/kleidi/cert-auth/ca/conf/openssl-intermediate.conf‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎configuration/kleidi/cert-auth/ca/gen-ca.sh‎
Lines changed: 18 additions & 0 deletions b/‎configuration/kleidi/cert-auth/ca/gen-ca.sh‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎configuration/kleidi/cert-auth/kleidi.env‎
Lines changed: 3 additions & 0 deletions b/‎configuration/kleidi/cert-auth/kleidi.env‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎configuration/kleidi/cert-auth/start-kleidi.sh‎
Lines changed: 15 additions & 0 deletions b/‎configuration/kleidi/cert-auth/start-kleidi.sh‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎configuration/kleidi/cert-auth/vault-config-cert.json‎
Lines changed: 9 additions & 0 deletions b/‎configuration/kleidi/cert-auth/vault-config-cert.json‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎configuration/kleidi/vault-config.json‎
Lines changed: 4 additions & 1 deletion b/‎configuration/kleidi/vault-config.json‎
Lines changed: 4 additions & 1 deletion
@@ -1,7 +1,7 @@
-FROM docker.io/library/golang:1.22.0-bullseye AS build
+FROM docker.io/library/golang:1.24.5-bookworm AS build
 
 ARG VERSION
-ENV VERSION $VERSION
+ENV VERSION=$VERSION
 WORKDIR /work
 
 # Copy the source
@@ -12,6 +12,8 @@ RUN go mod download
 
 RUN CGO_ENABLED=1 GO111MODULE=on go build -ldflags "-X main.kleidiVersion=$VERSION" -a -installsuffix cgo cmd/kleidi/main.go
 
+RUN go test -v ./...
+
 FROM quay.io/centos/centos:stream9
 RUN dnf -y install jq opensc softhsm; dnf clean all;
 
 
@@ -1,7 +1,7 @@
-FROM docker.io/library/golang:1.22.0-bullseye AS build
+FROM docker.io/library/golang:1.24.5-bookworm AS build
 
 ARG VERSION
-ENV VERSION $VERSION
+ENV VERSION=$VERSION
 WORKDIR /work
 
 # Copy the source
@@ -12,6 +12,8 @@ RUN go mod download
 
 RUN CGO_ENABLED=1 GO111MODULE=on go build -ldflags "-X main.kleidiVersion=$VERSION" -a -installsuffix cgo cmd/kleidi/main.go
 
+RUN go test -v ./...
+
 FROM quay.io/centos/centos:stream9
 
 LABEL org.opencontainers.image.source=https://github.com/beezy-dev/kleidi 
 
@@ -0,0 +1,88 @@
+# Generates CA cert to be the Root CA for intermediate CA (which then signes Kleidi client cert).
+# Example usage:
+# openssl req -x509 -config openssl-ca.conf -days 365 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
+ 
+HOME            = .
+RANDFILE        = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca    = CA_default        # The default ca section
+[ CA_default ]
+
+default_days     = 365            # How long to certify for
+default_crl_days = 30             # How long before next CRL
+default_md       = sha256         # Use public key default MD
+preserve         = no             # Keep passed DN ordering
+
+x509_extensions  = ca_extensions  # The extensions to add to the cert
+
+email_in_dn      = no             # Don't concat the email in the DN
+copy_extensions  = copy           # Required to copy SANs from CSR to cert
+
+base_dir         = .
+certificate      = $base_dir/cacert.pem   # The CA certifcate
+private_key      = $base_dir/cakey.pem    # The CA private key
+new_certs_dir    = $base_dir              # Location for new certs after signing
+database         = $base_dir/index.txt    # Database index file
+serial           = $base_dir/serial.txt   # The current serial number
+
+unique_subject   = no  # Set to 'no' to allow creation of several certificates with same subject.
+
+####################################################################
+[ req ]
+default_bits       = 4096
+default_keyfile    = cakey.pem
+distinguished_name = ca_distinguished_name
+x509_extensions    = ca_extensions
+string_mask        = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+countryName_default            = AA
+
+stateOrProvinceName            = State or Province Name (full name)
+stateOrProvinceName_default    = AAAAA
+
+localityName                   = Locality Name (eg, city)
+localityName_default           = AAAAA
+
+organizationName               = Organization Name (eg, company)
+organizationName_default       = Some Company Ltd.
+
+organizationalUnitName         = Organizational Unit (eg, division)
+organizationalUnitName_default = Some-Org
+
+commonName                     = Common Name (e.g. server FQDN or YOUR name)
+commonName_default             = Kleidi-RootCA
+
+####################################################################
+[ ca_extensions ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints       = critical, CA:true
+keyUsage               = keyCertSign, cRLSign
+####################################################################
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints       = critical, CA:true, pathlen:0
+keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
+####################################################################
+[ signing_policy ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+####################################################################
+[ signing_req ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints       = CA:FALSE
+keyUsage               = digitalSignature, keyEncipherment
+####################################################################
@@ -0,0 +1,53 @@
+# client config to be used with intermediate ca
+# Example usage:
+# openssl req -config openssl-client.conf -newkey rsa:2048 -sha256 -nodes -out clientcert-intermediate.csr -outform PEM
+# creates server key and CSR for signing
+# sign it with the ca cert:
+# openssl ca -config openssl-intermediate.conf -policy signing_policy -extensions signing_req -out clientcert-intermediate.pem -infiles clientcert-intermediate.csr
+ 
+HOME            = .
+RANDFILE        = $ENV::HOME/.rnd
+
+####################################################################
+[ req ]
+default_bits       = 2048
+default_keyfile    = clientkey-intermediate.pem
+distinguished_name = client_distinguished_name
+req_extensions     = client_req_extensions
+string_mask        = utf8only
+
+####################################################################
+[ client_distinguished_name ]
+countryName                 = Country Name (2 letter code)
+countryName_default         = AA
+ 
+stateOrProvinceName         = State or Province Name (full name)
+stateOrProvinceName_default = AAAAA
+ 
+localityName                = Locality Name (eg, city)
+localityName_default        = AAAAA
+ 
+organizationName            = Organization Name (eg, company)
+organizationName_default    = Some Company Ltd.
+commonName                  = Common Name (e.g. server FQDN or YOUR name)
+commonName_default          = Kleidi-Client
+
+####################################################################
+[ client_req_extensions ]
+ 
+subjectKeyIdentifier = hash
+basicConstraints     = CA:FALSE
+keyUsage             = digitalSignature, keyEncipherment
+extendedKeyUsage     = serverAuth, clientAuth
+subjectAltName       = @alternate_names
+nsComment            = "OpenSSL Generated Certificate - Intermediate - Client"
+
+####################################################################
+[ alternate_names ]
+
+# adjust to your needs
+DNS.1  = kleidi-client.example.com
+# IPv4 localhost
+IP.1   = 127.0.0.1
+# IPv6 localhost
+IP.2   = ::1
@@ -0,0 +1,100 @@
+# Creates Intermediate CA cert+key with specified parameters.
+# This intermediate CA can be put into Vault Cert endpoint and is used to verify the client cert given to Kleidi.
+# create folder intermediate, serial.txt and index.txt
+# openssl req -config openssl-intermediate.conf -newkey rsa:4096 -sha256 -nodes -out intermediate/intermediate.csr -outform PEM
+# openssl ca -config openssl-ca.conf -policy signing_policy -extensions v3_intermediate_ca -out intermediate/intermediate-cacert.pem -infiles intermediate/intermediate.csr
+ 
+HOME            = .
+RANDFILE        = $ENV::HOME/.rnd
+####################################################################
+[ ca ]
+default_ca    = CA_default        # The default ca section
+
+[ CA_default ]
+
+default_days     = 365            # How long to certify for
+default_crl_days = 30             # How long before next CRL
+default_md       = sha256         # Use public key default MD
+preserve         = no             # Keep passed DN ordering
+
+x509_extensions  = ca_extensions  # The extensions to add to the cert
+
+email_in_dn      = no             # Don't concat the email in the DN
+copy_extensions  = copy           # Required to copy SANs from CSR to cert
+
+base_dir         = .
+certificate      = $base_dir/intermediate/intermediate-cacert.pem   # The CA certifcate
+private_key      = $base_dir/intermediate/intermediate-cakey.pem    # The CA private key
+new_certs_dir    = $base_dir/intermediate              # Location for new certs after signing
+database         = $base_dir/intermediate/index.txt    # Database index file
+serial           = $base_dir/intermediate/serial.txt   # The current serial number
+
+unique_subject   = no  # Set to 'no' to allow creation of several certificates with same subject.
+####################################################################
+[ req ]
+default_bits       = 4096
+default_keyfile    = intermediate-cakey.pem
+distinguished_name = ca_distinguished_name
+x509_extensions    = ca_extensions
+string_mask        = utf8only
+####################################################################
+[ ca_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+countryName_default            = AA
+
+stateOrProvinceName            = State or Province Name (full name)
+stateOrProvinceName_default    = AAAAA
+
+localityName                   = Locality Name (eg, city)
+localityName_default           = AAAAA
+
+organizationName               = Organization Name (eg, company)
+organizationName_default       = Some Company Ltd.
+
+organizationalUnitName         = Organizational Unit (eg, division)
+organizationalUnitName_default = Some-Org
+
+commonName                     = Common Name (e.g. server FQDN or YOUR name)
+commonName_default             = Kleidi-IntermediateCA
+
+####################################################################
+[ ca_extensions ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints       = critical, CA:true, pathlen:0
+subjectAltName         = @alternate_names
+keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
+####################################################################
+[ server_req_extensions ]
+subjectKeyIdentifier = hash
+basicConstraints     = CA:TRUE
+keyUsage             = digitalSignature, keyEncipherment
+extendedKeyUsage     = serverAuth, clientAuth
+subjectAltName       = @alternate_names
+nsComment            = "OpenSSL Generated Certificate - Intermediate CA"
+####################################################################
+[ signing_policy ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+####################################################################
+[ signing_req ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints       = CA:FALSE
+keyUsage               = digitalSignature, keyEncipherment
+####################################################################
+[ alternate_names ]
+# adjust to your needs
+DNS.1  = intermediate.example.com
+# DNS.2  = www.example.com
+# DNS.3  = mail.example.com
+# DNS.4  = ftp.example.com
+# IPv4 localhost
+IP.1     = 127.0.0.1
+# IPv6 localhost
+IP.2     = ::1
@@ -0,0 +1,18 @@
+#!/usr/bin/bash
+# create root CA with serial and index
+# works in the current directory
+echo "0ABC" > serial.txt
+touch index.txt
+openssl req -x509 -config conf/openssl-ca.conf -days 365 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
+
+# create intermediate CA and it's folder structure
+mkdir intermediate
+touch intermediate/index.txt
+# create CSR
+openssl req -config conf/openssl-intermediate.conf -newkey rsa:4096 -sha256 -nodes -out intermediate/intermediate.csr -outform PEM
+# sign it with the previous root CA
+openssl ca -config conf/openssl-ca.conf -policy signing_policy -extensions v3_intermediate_ca -out intermediate/intermediate-cacert.pem -infiles intermediate/intermediate.csr
+mv intermediate-cakey.pem intermediate/intermediate-cakey.pem
+# create client csr and key
+openssl req -config conf/openssl-client.conf -newkey rsa:2048 -sha256 -nodes -out clientcert-intermediate.csr -outform PEM
+openssl ca -config conf/openssl-intermediate.conf -rand_serial -policy signing_policy -extensions signing_req -out clientcert-intermediate.pem -infiles clientcert-intermediate.csr
@@ -0,0 +1,3 @@
+VAULT_CACERT=/etc/ssl/certs/vault-cert.pem
+VAULT_CLIENT_CERT=/etc/ssl/certs/clientcert-intermediate.pem
+VAULT_CLIENT_KEY=/etc/ssl/certs/clientkey-intermediate.pem
@@ -0,0 +1,15 @@
+# Example config to run kleidi with cert auth in standalone docker container
+# Before starting, do not forget to configure auth/cert in Vault with the generated intermediate CA cert.
+# File kleidi.env is used to populate env variables that are being read by cert auth from the container.
+# Adjust to your local configuration.
+#!/usr/bin/bash
+docker run -d --privileged --restart always \
+  --net=host --name kleidi \
+  -v /etc/kleidi/vault-config-cert.json:/etc/kleidi/config.json \
+  -v /var/run/kleidi/:/var/run/kleidi/:rw \
+  -v /etc/kleidi/tls/vault-cert.pem:/etc/ssl/certs/vault-cert.pem \
+  -v /etc/kleidi/tls/clientcert-intermediate.pem:/etc/ssl/certs/clientcert-intermediate.pem \
+  -v /etc/kleidi/tls/clientkey-intermediate.pem:/etc/ssl/certs/clientkey-intermediate.pem \
+  --env-file /etc/kleidi/kleidi.env \
+  github.com/beezy-dev/kleidi-kms-plugin:latest \
+  -provider=hvault -configfile=/etc/kleidi/config.json -debugmode=true -listen=unix:///var/run/kleidi/kms.socket
@@ -0,0 +1,9 @@
+{
+  "namespace": "",
+  "transitkey": "kleidi",
+  "vaultrole": "kleidi",
+  "address": "http://172.20.10.9:8200",
+  "transitpath": "transit",
+  "authmethod": "cert",
+  "authpath": "certauth"
+}
@@ -2,5 +2,8 @@
   "namespace": "",
   "transitkey": "kleidi",
   "vaultrole": "kleidi",
-  "address": "http://172.20.10.9:8200" 
+  "address": "http://172.20.10.9:8200",
+  "transitpath": "transit",
+  "authmethod": "k8s",
+  "authpath": "kubernetes"
 }
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+VAULT_CACERT=/etc/ssl/certs/vault-cert.pem`
	`2`	`+VAULT_CLIENT_CERT=/etc/ssl/certs/clientcert-intermediate.pem`
	`3`	`+VAULT_CLIENT_KEY=/etc/ssl/certs/clientkey-intermediate.pem`