From 3bc466f36f67a1f8cb7b8ec8604253ea3ae82ed6 Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Mon, 19 Dec 2022 16:36:21 +0100
Subject: [PATCH 1/3] googleca: close connections when done
Signed-off-by: Hector Fernandez
---
 cmd/app/http_test.go | 4 ++++
 cmd/app/serve.go | 1 +
 cmd/fetch_ca_cert/fetch_ca_cert.go | 1 +
 pkg/ca/ca.go | 1 +
 pkg/ca/ephemeralca/ephemeral.go | 4 ++++
 pkg/ca/fileca/fileca.go | 4 ++++
 pkg/ca/googleca/v1/googleca.go | 4 ++++
 pkg/ca/kmsca/kmsca.go | 4 ++++
 pkg/ca/pkcs11ca/pkcs11ca.go | 4 ++++
 pkg/ca/tinkca/tinkca.go | 4 ++++
 pkg/server/grpc_server_test.go | 4 ++++
 11 files changed, 35 insertions(+)
diff --git a/cmd/app/http_test.go b/cmd/app/http_test.go
index f63867346..b8027e702 100644
--- a/cmd/app/http_test.go
+++ b/cmd/app/http_test.go
@@ -119,3 +119,7 @@ func (tca *TrivialCertificateAuthority) CreateCertificate(context.Context, ident
 func (tca *TrivialCertificateAuthority) TrustBundle(ctx context.Context) ([][]*x509.Certificate, error) {
 return [][]*x509.Certificate{}, nil
 }
+
+func (tca *TrivialCertificateAuthority) Close() error {
+ return nil
+}
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
index e8bfb87ff..9cae18a77 100644
--- a/cmd/app/serve.go
+++ b/cmd/app/serve.go
@@ -195,6 +195,7 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 switch viper.GetString("ca") {
 case "googleca":
 baseca, err = googlecav1.NewCertAuthorityService(cmd.Context(), viper.GetString("gcp_private_ca_parent"))
+ defer baseca.Close()
 case "pkcs11ca":
 params := pkcs11ca.Params{
 ConfigPath: viper.GetString("pkcs11-config-path"),
diff --git a/cmd/fetch_ca_cert/fetch_ca_cert.go b/cmd/fetch_ca_cert/fetch_ca_cert.go
index db808759c..09ba0e7b7 100644
--- a/cmd/fetch_ca_cert/fetch_ca_cert.go
+++ b/cmd/fetch_ca_cert/fetch_ca_cert.go
@@ -188,6 +188,7 @@ func main() {
 client, err := privateca.NewCertificateAuthorityClient(context.Background())
 if err != nil {
+ client.Close()
 log.Fatal(err)
 }
 parsedCerts, err := fetchCACertificate(context.Background(), *gcpCaParent, *kmsKey, *tinkKeysetPath, *tinkKmsKey, client)
diff --git a/pkg/ca/ca.go b/pkg/ca/ca.go
index 31e02aa55..4c887318b 100644
--- a/pkg/ca/ca.go
+++ b/pkg/ca/ca.go
@@ -28,4 +28,5 @@ import (
 type CertificateAuthority interface {
 CreateCertificate(context.Context, identity.Principal, crypto.PublicKey) (*CodeSigningCertificate, error)
 TrustBundle(ctx context.Context) ([][]*x509.Certificate, error)
+ Close() error
 }
diff --git a/pkg/ca/ephemeralca/ephemeral.go b/pkg/ca/ephemeralca/ephemeral.go
index 8eca18b09..d17cbe421 100644
--- a/pkg/ca/ephemeralca/ephemeral.go
+++ b/pkg/ca/ephemeralca/ephemeral.go
@@ -76,3 +76,7 @@ func NewEphemeralCA() (*EphemeralCA, error) {
 return e, nil
 }
+
+func (e *EphemeralCA) Close() error {
+ return nil
+}
diff --git a/pkg/ca/fileca/fileca.go b/pkg/ca/fileca/fileca.go
index 6228bf2b9..dca7d8f17 100644
--- a/pkg/ca/fileca/fileca.go
+++ b/pkg/ca/fileca/fileca.go
@@ -60,6 +60,10 @@ func NewFileCA(certPath, keyPath, keyPass string, watch bool) (ca.CertificateAut
 return &fca, err
 }
+func (fca *fileCA) Close() error {
+ return nil
+}
+
 func (fca *fileCA) updateX509KeyPair(certs []*x509.Certificate, signer crypto.Signer) {
 scm := fca.SignerWithChain.(*ca.SignerCertsMutex)
 scm.Lock()
diff --git a/pkg/ca/googleca/v1/googleca.go b/pkg/ca/googleca/v1/googleca.go
index bbb9437c5..93749a595 100644
--- a/pkg/ca/googleca/v1/googleca.go
+++ b/pkg/ca/googleca/v1/googleca.go
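Review bot: The `client.Close()` added in the error branch of `privateca.NewCertificateAuthorityClient` runs on a client that was never successfully constructed; with the usual `(nil, err)` return that is a nil pointer, and calling Close on it would panic before `log.Fatal(err)` can report the actual error. Drop that line and close the client only on paths where construction succeeded. The error returned by Close is also discarded here, and the rest of main's body lies outside this hunk.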
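Review bot: The `Close() error` method added to the exported `CertificateAuthority` interface carries no doc comment, so implementers and callers cannot tell when it must be called, whether a second call is safe, or whether the CA may still be used afterwards. Add one above it, for instance `// Close releases any external resources held by the CA (such as remote client connections).` followed by `// It is called once at shutdown; the CA must not be used after it returns.` Since the signature is exactly `io.Closer`, embedding that interface instead of redeclaring the method would also make the intent explicit to readers.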
@@ -76,6 +76,10 @@ func NewCertAuthorityService(ctx context.Context, parent string, opts ...option.
 return &c, nil
 }
+func (c *CertAuthorityService) Close() error {
+ return c.client.Close()
+}
+
 // getPubKeyFormat Returns the PublicKey KeyFormat required by gcp privateca.
 // https://pkg.go.dev/google.golang.org/genproto/googleapis/cloud/security/privateca/v1#PublicKey_KeyType
 func getPubKeyFormat(pemBytes []byte) (privatecapb.PublicKey_KeyFormat, error) {
diff --git a/pkg/ca/kmsca/kmsca.go b/pkg/ca/kmsca/kmsca.go
index 84318d99a..e81d2c7d0 100644
--- a/pkg/ca/kmsca/kmsca.go
+++ b/pkg/ca/kmsca/kmsca.go
@@ -58,3 +58,7 @@ func NewKMSCA(ctx context.Context, kmsKey string, certs []*x509.Certificate) (ca
 return &ica, nil
 }
+
+func (k *kmsCA) Close() error {
+ return nil
+}
diff --git a/pkg/ca/pkcs11ca/pkcs11ca.go b/pkg/ca/pkcs11ca/pkcs11ca.go
index 64b920bd3..ff9fa47b7 100644
--- a/pkg/ca/pkcs11ca/pkcs11ca.go
+++ b/pkg/ca/pkcs11ca/pkcs11ca.go
@@ -88,3 +88,7 @@ func NewPKCS11CA(params Params) (*PKCS11CA, error) {
 return pkcs11ca, nil
 }
+
+func (p *PKCS11CA) Close() error {
+ return nil
+}
diff --git a/pkg/ca/tinkca/tinkca.go b/pkg/ca/tinkca/tinkca.go
index 2a7a7d97a..690fe6709 100644
--- a/pkg/ca/tinkca/tinkca.go
+++ b/pkg/ca/tinkca/tinkca.go
@@ -108,3 +108,7 @@ func GetPrimaryKey(ctx context.Context, kmsKey string) (tink.AEAD, error) {
 return nil, errors.New("unsupported KMS key type")
 }
 }
+
+func (t *tinkCA) Close() error {
+ return nil
+}
diff --git a/pkg/server/grpc_server_test.go b/pkg/server/grpc_server_test.go
index 5c4b9c8ce..2b25c32ae 100644
--- a/pkg/server/grpc_server_test.go
+++ b/pkg/server/grpc_server_test.go
@@ -1542,3 +1542,7 @@ func (fca *FailingCertificateAuthority) CreateCertificate(context.Context, ident
 func (fca *FailingCertificateAuthority) TrustBundle(ctx context.Context) ([][]*x509.Certificate, error) {
 return nil, errors.New("TrustBundle always fails for testing")
 }
+
+func (fca *FailingCertificateAuthority) Close() error {
+ return nil
+}
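Review bot: The new exported `Close` on `CertAuthorityService` has no doc comment and simply forwards whatever `c.client.Close()` returns, so a reader of this file cannot tell which resource is being released or what the error means. Suggested comment above it: `// Close releases the connection held by the underlying privateca client and returns its error.` followed by `// The service must not be used after Close returns.` Whether a second Close call is safe depends on the privateca client and is not established here, so the comment should not promise idempotency unless that has been verified.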
From a830a398b4ef35e1ad01fadf0c6e149009d72885 Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Mon, 19 Dec 2022 19:45:14 +0100
Subject: [PATCH 2/3] chore: close the client after the switch
Signed-off-by: Hector Fernandez
---
 cmd/app/serve.go | 2 +-
 cmd/fetch_ca_cert/fetch_ca_cert.go | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
index 9cae18a77..997a5d132 100644
--- a/cmd/app/serve.go
+++ b/cmd/app/serve.go
@@ -195,7 +195,6 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 switch viper.GetString("ca") {
 case "googleca":
 baseca, err = googlecav1.NewCertAuthorityService(cmd.Context(), viper.GetString("gcp_private_ca_parent"))
- defer baseca.Close()
 case "pkcs11ca":
 params := pkcs11ca.Params{
 ConfigPath: viper.GetString("pkcs11-config-path"),
@@ -235,6 +234,7 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 if err != nil {
 log.Logger.Fatal(err)
 }
+ defer baseca.Close()
 var ctClient *ctclient.LogClient
 if logURL := viper.GetString("ct-log-url"); logURL != "" {
diff --git a/cmd/fetch_ca_cert/fetch_ca_cert.go b/cmd/fetch_ca_cert/fetch_ca_cert.go
index 09ba0e7b7..b22d6c277 100644
--- a/cmd/fetch_ca_cert/fetch_ca_cert.go
+++ b/cmd/fetch_ca_cert/fetch_ca_cert.go
@@ -193,15 +193,19 @@ func main() {
 }
 parsedCerts, err := fetchCACertificate(context.Background(), *gcpCaParent, *kmsKey, *tinkKeysetPath, *tinkKmsKey, client)
 if err != nil {
+ client.Close()
 log.Fatal(err)
 }
 pemCerts, err := cryptoutils.MarshalCertificatesToPEM(parsedCerts)
 if err != nil {
+ client.Close()
 log.Fatal(err)
 }
 err = os.WriteFile(*outputPath, pemCerts, 0600)
 if err != nil {
+ client.Close()
 log.Fatal(err)
 }
+ defer client.Close()
 }
From 179acd24b649d3c3c38842d9dd400c1bac7431d7 Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Mon, 19 Dec 2022 21:53:43 +0100
Subject: [PATCH 3/3] implement close in baseca
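Review bot: The `defer baseca.Close()` placed after the error check in the second serve.go hunk discards the error Close returns, and a deferred close only runs if `runServeCmd` returns normally — the `log.Logger.Fatal(err)` visible in the same hunk (and presumably similar calls further down, outside this hunk) exits the process without running defers, so for a long-running server this close is best-effort at most. Since the Google CA service is the only implementation in this series whose Close does real work, its error is the one worth seeing; wrap the defer so it is logged, for example `defer func() { if cerr := baseca.Close(); cerr != nil { log.Logger.Error(cerr) } }()`, assuming `log.Logger` is the zap sugared logger that the `Fatal(err)` call suggests. runServeCmd begins and ends outside this hunk.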
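Review bot: In the fetch_ca_cert.go hunk the `defer client.Close()` added as the last statement of `main` fires on the very next line and buys nothing over a direct `client.Close()`, while the three `client.Close()` calls inserted before each `log.Fatal(err)` exist only because `log.Fatal` exits without running defers; all four ignore Close's error. Moving the body into a `run() error` function lets a single deferred close cover every exit path and leaves main with one `log.Fatal`. The `client.Close()` that the previous patch placed in the constructor's error branch earlier in main (outside this hunk) would also disappear with that restructuring.
```go
func main() {
	// … unchanged: earlier part of main (flag handling) …
	if err := run(); err != nil {
		log.Fatal(err)
	}
}

func run() error {
	client, err := privateca.NewCertificateAuthorityClient(context.Background())
	if err != nil {
		return err
	}
	defer client.Close()
	parsedCerts, err := fetchCACertificate(context.Background(), *gcpCaParent, *kmsKey, *tinkKeysetPath, *tinkKmsKey, client)
	if err != nil {
		return err
	}
	pemCerts, err := cryptoutils.MarshalCertificatesToPEM(parsedCerts)
	if err != nil {
		return err
	}
	return os.WriteFile(*outputPath, pemCerts, 0600)
}
```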
Signed-off-by: Hector Fernandez
---
 pkg/ca/baseca/baseca.go | 4 ++++
 pkg/ca/ephemeralca/ephemeral.go | 4 ----
 pkg/ca/fileca/fileca.go | 4 ----
 pkg/ca/kmsca/kmsca.go | 4 ----
 pkg/ca/pkcs11ca/pkcs11ca.go | 4 ----
 pkg/ca/tinkca/tinkca.go | 4 ----
 6 files changed, 4 insertions(+), 20 deletions(-)
diff --git a/pkg/ca/baseca/baseca.go b/pkg/ca/baseca/baseca.go
index 8ff8c51fb..c593774af 100644
--- a/pkg/ca/baseca/baseca.go
+++ b/pkg/ca/baseca/baseca.go
@@ -143,3 +143,7 @@ func (bca *BaseCA) TrustBundle(ctx context.Context) ([][]*x509.Certificate, erro
 certs, _ := bca.GetSignerWithChain()
 return [][]*x509.Certificate{certs}, nil
 }
+
+func (bca *BaseCA) Close() error {
+ return nil
+}
diff --git a/pkg/ca/ephemeralca/ephemeral.go b/pkg/ca/ephemeralca/ephemeral.go
index d17cbe421..8eca18b09 100644
--- a/pkg/ca/ephemeralca/ephemeral.go
+++ b/pkg/ca/ephemeralca/ephemeral.go
@@ -76,7 +76,3 @@ func NewEphemeralCA() (*EphemeralCA, error) {
 return e, nil
 }
-
-func (e *EphemeralCA) Close() error {
- return nil
-}
diff --git a/pkg/ca/fileca/fileca.go b/pkg/ca/fileca/fileca.go
index dca7d8f17..6228bf2b9 100644
--- a/pkg/ca/fileca/fileca.go
+++ b/pkg/ca/fileca/fileca.go
@@ -60,10 +60,6 @@ func NewFileCA(certPath, keyPath, keyPass string, watch bool) (ca.CertificateAut
 return &fca, err
 }
-func (fca *fileCA) Close() error {
- return nil
-}
-
 func (fca *fileCA) updateX509KeyPair(certs []*x509.Certificate, signer crypto.Signer) {
 scm := fca.SignerWithChain.(*ca.SignerCertsMutex)
 scm.Lock()
diff --git a/pkg/ca/kmsca/kmsca.go b/pkg/ca/kmsca/kmsca.go
index e81d2c7d0..84318d99a 100644
--- a/pkg/ca/kmsca/kmsca.go
+++ b/pkg/ca/kmsca/kmsca.go
@@ -58,7 +58,3 @@ func NewKMSCA(ctx context.Context, kmsKey string, certs []*x509.Certificate) (ca
 return &ica, nil
 }
-
-func (k *kmsCA) Close() error {
- return nil
-}
diff --git a/pkg/ca/pkcs11ca/pkcs11ca.go b/pkg/ca/pkcs11ca/pkcs11ca.go
index ff9fa47b7..64b920bd3 100644
--- a/pkg/ca/pkcs11ca/pkcs11ca.go
+++ b/pkg/ca/pkcs11ca/pkcs11ca.go
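Review bot: The no-op `Close` added to `BaseCA` now serves as the Close of every CA type that embeds it — this patch deletes the per-type stubs in ephemeralca, fileca, kmsca, pkcs11ca and tinkca on that basis — which means a type that does hold an external handle gets a silent leak rather than a compile error if nobody overrides it. That is worth checking for `PKCS11CA` in particular: if it keeps an HSM context or session open (not visible here), it needs its own Close that releases it. The exported method also lacks a doc comment; suggest `// Close implements ca.CertificateAuthority. BaseCA holds no external resources, so this is a no-op; embedding types that do must override it.` TrustBundle is shown in full above it, but BaseCA's other methods are outside this hunk.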
@@ -88,7 +88,3 @@ func NewPKCS11CA(params Params) (*PKCS11CA, error) {
 return pkcs11ca, nil
 }
-
-func (p *PKCS11CA) Close() error {
- return nil
-}
diff --git a/pkg/ca/tinkca/tinkca.go b/pkg/ca/tinkca/tinkca.go
index 690fe6709..2a7a7d97a 100644
--- a/pkg/ca/tinkca/tinkca.go
+++ b/pkg/ca/tinkca/tinkca.go
@@ -108,7 +108,3 @@ func GetPrimaryKey(ctx context.Context, kmsKey string) (tink.AEAD, error) {
 return nil, errors.New("unsupported KMS key type")
 }
 }
-
-func (t *tinkCA) Close() error {
- return nil
-}