send request chan as part of get cert request as well (#171)

api/blob.go

@@ -63,7 +63,7 @@ func (s *SigningService) GetBlobSigningKey(ctx context.Context, keyMeta *proto.K
 		return nil, status.Errorf(codes.InvalidArgument, "Bad request: %v", err)
 	}
 
-	key, err := s.GetBlobSigningPublicKey(ctx, keyMeta.Identifier)
+	key, err := s.GetBlobSigningPublicKey(ctx, s.RequestChan[config.BlobEndpoint], keyMeta.Identifier)
 	if err != nil {
 		statusCode = http.StatusInternalServerError
 		return nil, status.Error(codes.Internal, "Internal server error")

api/sign_test.go

@@ -91,19 +91,19 @@ type mockSigningServiceParam struct {
 type mockBadCertSign struct {
 }
 
-func (mbcs *mockBadCertSign) GetSSHCertSigningKey(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (mbcs *mockBadCertSign) GetSSHCertSigningKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	return nil, errors.New("bad message")
 }
 func (mbcs *mockBadCertSign) SignSSHCert(ctx context.Context, reqChan chan scheduler.Request, cert *ssh.Certificate, keyIdentifier string, priority proto.Priority) ([]byte, error) {
 	return nil, errors.New("bad message")
 }
-func (mbcs *mockBadCertSign) GetX509CACert(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (mbcs *mockBadCertSign) GetX509CACert(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	return nil, errors.New("bad message")
 }
 func (mbcs *mockBadCertSign) SignX509Cert(ctx context.Context, reqChan chan scheduler.Request, cert *x509.Certificate, keyIdentifier string, priority proto.Priority) ([]byte, error) {
 	return nil, errors.New("bad message")
 }
-func (mbcs *mockBadCertSign) GetBlobSigningPublicKey(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (mbcs *mockBadCertSign) GetBlobSigningPublicKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	return nil, errors.New("bad message")
 }
 func (mbcs *mockBadCertSign) SignBlob(ctx context.Context, reqChan chan scheduler.Request, digest []byte, opts crypto.SignerOpts, keyIdentifier string, priority proto.Priority) ([]byte, error) {
@@ -113,19 +113,19 @@ func (mbcs *mockBadCertSign) SignBlob(ctx context.Context, reqChan chan schedule
 type mockGoodCertSign struct {
 }
 
-func (mgcs *mockGoodCertSign) GetSSHCertSigningKey(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (mgcs *mockGoodCertSign) GetSSHCertSigningKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	return []byte("good ssh signing key"), nil
 }
 func (mgcs *mockGoodCertSign) SignSSHCert(ctx context.Context, reqChan chan scheduler.Request, cert *ssh.Certificate, keyIdentifier string, priority proto.Priority) ([]byte, error) {
 	return []byte("good ssh cert"), nil
 }
-func (mgcs *mockGoodCertSign) GetX509CACert(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (mgcs *mockGoodCertSign) GetX509CACert(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	return []byte("good x509 ca cert"), nil
 }
 func (mgcs *mockGoodCertSign) SignX509Cert(ctx context.Context, reqChan chan scheduler.Request, cert *x509.Certificate, keyIdentifier string, priority proto.Priority) ([]byte, error) {
 	return []byte("good x509 cert"), nil
 }
-func (mgcs *mockGoodCertSign) GetBlobSigningPublicKey(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (mgcs *mockGoodCertSign) GetBlobSigningPublicKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	return []byte("good blob signing key"), nil
 }
 func (mgcs *mockGoodCertSign) SignBlob(ctx context.Context, reqChan chan scheduler.Request, digest []byte, opts crypto.SignerOpts, keyIdentifier string, priority proto.Priority) ([]byte, error) {

api/sshhost.go

@@ -73,7 +73,7 @@ func (s *SigningService) GetHostSSHCertificateSigningKey(ctx context.Context, ke
 	}
 	respCh := make(chan resp)
 	go func() {
-		key, err := s.GetSSHCertSigningKey(ctx, keyMeta.Identifier)
+		key, err := s.GetSSHCertSigningKey(ctx, s.RequestChan[config.SSHHostCertEndpoint], keyMeta.Identifier)
 		respCh <- resp{key, err}
 	}()
 

api/sshuser.go

@@ -73,7 +73,7 @@ func (s *SigningService) GetUserSSHCertificateSigningKey(ctx context.Context, ke
 	}
 	respCh := make(chan resp)
 	go func() {
-		key, err := s.GetSSHCertSigningKey(ctx, keyMeta.Identifier)
+		key, err := s.GetSSHCertSigningKey(ctx, s.RequestChan[config.SSHUserCertEndpoint], keyMeta.Identifier)
 		respCh <- resp{key, err}
 	}()
 

api/x509cert.go

@@ -72,7 +72,7 @@ func (s *SigningService) GetX509CACertificate(ctx context.Context, keyMeta *prot
 	}
 	respCh := make(chan resp)
 	go func() {
-		cert, err := s.GetX509CACert(ctx, keyMeta.Identifier)
+		cert, err := s.GetX509CACert(ctx, s.RequestChan[config.X509CertEndpoint], keyMeta.Identifier)
 		respCh <- resp{cert, err}
 	}()
 

cmd/gen-cacert/main.go

@@ -24,15 +24,16 @@ import (
 	"log"
 	"net"
 	"os"
+	"time"
 
 	"github.com/theparanoids/crypki"
 	"github.com/theparanoids/crypki/config"
 	"github.com/theparanoids/crypki/pkcs11"
+	"github.com/theparanoids/crypki/server/scheduler"
 )
 
 const (
-	defaultCAOutPath      = "/tmp/509_ca.crt"
-	defaultRequestTimeout = 10
+	defaultCAOutPath = "/tmp/509_ca.crt"
 )
 
 var cfg string
@@ -93,13 +94,18 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
 	// to make NewCertSign create the CA cert
 	requireX509CACert := map[string]bool{
 		cc.Identifier: true,
 	}
 
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	requestChan := make(chan scheduler.Request)
+	p := &scheduler.Pool{Name: cc.Identifier, PoolSize: 2, FeatureEnabled: true, PKCS11Timeout: config.DefaultPKCS11Timeout * time.Second}
+	go scheduler.CollectRequest(ctx, requestChan, p)
 
 	signer, err := pkcs11.NewCertSign(ctx, cc.PKCS11ModulePath, []config.KeyConfig{{
 		Identifier:             cc.Identifier,
@@ -118,11 +124,11 @@ func main() {
 		OrganizationalUnit:     cc.OrganizationalUnit,
 		CommonName:             cc.CommonName,
 		ValidityPeriod:         cc.ValidityPeriod,
-	}}, requireX509CACert, hostname, ips, defaultRequestTimeout)
+	}}, requireX509CACert, hostname, ips, config.DefaultPKCS11Timeout)
 	if err != nil {
 		log.Fatalf("unable to initialize cert signer: %v", err)
 	}
-	cert, err := signer.GetX509CACert(ctx, cc.Identifier)
+	cert, err := signer.GetX509CACert(ctx, requestChan, cc.Identifier)
 	if err != nil {
 		log.Fatalf("unable to get x509 CA cert: %v", err)
 	}

cmd/sign-x509cert/main.go

@@ -34,10 +34,9 @@ import (
 	"github.com/theparanoids/crypki/config"
 	"github.com/theparanoids/crypki/pkcs11"
 	"github.com/theparanoids/crypki/proto"
+	"github.com/theparanoids/crypki/server/scheduler"
 )
 
-const defaultRequestTimeout = 10
-
 var cfg string
 var validityDays uint64
 var csrPath string
@@ -131,6 +130,10 @@ func main() {
 		cc.Identifier: true,
 	}
 
+	requestChan := make(chan scheduler.Request)
+	p := &scheduler.Pool{Name: cc.Identifier, PoolSize: 2, FeatureEnabled: true, PKCS11Timeout: config.DefaultPKCS11Timeout * time.Second}
+	go scheduler.CollectRequest(ctx, requestChan, p)
+
 	signer, err := pkcs11.NewCertSign(ctx, cc.PKCS11ModulePath, []config.KeyConfig{{
 		Identifier:             cc.Identifier,
 		SlotNumber:             uint(cc.SlotNumber),
@@ -141,15 +144,15 @@ func main() {
 		SessionPoolSize:        2,
 		X509CACertLocation:     caPath,
 		CreateCACertIfNotExist: false,
-	}}, requireX509CACert, "", nil, defaultRequestTimeout) // Hostname and ips should not be needed as CreateCACertIfNotExist is set to be false.
+	}}, requireX509CACert, "", nil, config.DefaultPKCS11Timeout) // Hostname and ips should not be needed as CreateCACertIfNotExist is set to be false.
 
 	if err != nil {
 		log.Fatalf("unable to initialize cert signer: %v", err)
 	}
 
 	unsignedCert := constructUnsignedX509Cert()
 
-	data, err := signer.SignX509Cert(ctx, nil, unsignedCert, cc.Identifier, proto.Priority_Unspecified_priority)
+	data, err := signer.SignX509Cert(ctx, requestChan, unsignedCert, cc.Identifier, proto.Priority_Unspecified_priority)
 	if err != nil {
 		log.Fatalf("falied to sign x509 cert: %v", err)
 	}

crypki.go

@@ -39,15 +39,15 @@ const (
 // CertSign interface contains methods related to signing certificates.
 type CertSign interface {
 	// GetSSHCertSigningKey returns the SSH signing key of the specified key.
-	GetSSHCertSigningKey(ctx context.Context, keyIdentifier string) ([]byte, error)
+	GetSSHCertSigningKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error)
 	// SignSSHCert returns an SSH cert signed by the specified key.
 	SignSSHCert(ctx context.Context, reqChan chan scheduler.Request, cert *ssh.Certificate, keyIdentifier string, priority proto.Priority) ([]byte, error)
 	// GetX509CACert returns the X509 CA cert of the specified key.
-	GetX509CACert(ctx context.Context, keyIdentifier string) ([]byte, error)
+	GetX509CACert(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error)
 	// SignX509Cert returns an x509 cert signed by the specified key.
 	SignX509Cert(ctx context.Context, reqChan chan scheduler.Request, cert *x509.Certificate, keyIdentifier string, priority proto.Priority) ([]byte, error)
 	// GetBlobSigningPublicKey returns the public signing key of the specified key that signs the user's data.
-	GetBlobSigningPublicKey(ctx context.Context, keyIdentifier string) ([]byte, error)
+	GetBlobSigningPublicKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error)
 	// SignBlob returns a signature signed by the specified key.
 	SignBlob(ctx context.Context, reqChan chan scheduler.Request, digest []byte, opts crypto.SignerOpts, keyIdentifier string, priority proto.Priority) ([]byte, error)
 }

pkcs11/signer.go

@@ -158,7 +158,7 @@ func NewCertSign(ctx context.Context, pkcs11ModulePath string, keys []config.Key
 	return s, nil
 }
 
-func (s *signer) GetSSHCertSigningKey(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (s *signer) GetSSHCertSigningKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	pool, ok := s.sPool[keyIdentifier]
 	if !ok {
 		return nil, fmt.Errorf("unknown key identifier %q", keyIdentifier)
@@ -215,7 +215,7 @@ func (s *signer) SignSSHCert(ctx context.Context, reqChan chan scheduler.Request
 	return bytes.TrimSpace(ssh.MarshalAuthorizedKey(cert)), nil
 }
 
-func (s *signer) GetX509CACert(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (s *signer) GetX509CACert(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	cert, ok := s.x509CACerts[keyIdentifier]
 	if !ok {
 		return nil, fmt.Errorf("unable to find CA cert for key identifier %q", keyIdentifier)
@@ -271,7 +271,7 @@ func (s *signer) SignX509Cert(ctx context.Context, reqChan chan scheduler.Reques
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: signedCert}), nil
 }
 
-func (s *signer) GetBlobSigningPublicKey(ctx context.Context, keyIdentifier string) ([]byte, error) {
+func (s *signer) GetBlobSigningPublicKey(ctx context.Context, reqChan chan scheduler.Request, keyIdentifier string) ([]byte, error) {
 	pool, ok := s.sPool[keyIdentifier]
 	if !ok {
 		return nil, fmt.Errorf("unknown key identifier %q", keyIdentifier)

pkcs11/signer_test.go

@@ -135,6 +135,7 @@ func TestGetSSHCertSigningKey(t *testing.T) {
 		"bad-signer":          {ctx, defaultIdentifier, true, true},
 		"bad-request-timeout": {timeoutCtx, defaultIdentifier, false, true},
 	}
+	reqChan := make(chan scheduler.Request)
 	for label, tt := range testcases {
 		label, tt := label, tt
 		t.Run(label, func(t *testing.T) {
@@ -143,7 +144,7 @@ func TestGetSSHCertSigningKey(t *testing.T) {
 				t.Fatalf("unable to create CA keys and certificate: %v", err)
 			}
 			signer := initMockSigner(x509.RSA, caPriv, caCert, tt.isBadSigner, timeout, 10)
-			_, err = signer.GetSSHCertSigningKey(tt.ctx, tt.identifier)
+			_, err = signer.GetSSHCertSigningKey(tt.ctx, reqChan, tt.identifier)
 			if err != nil != tt.expectError {
 				t.Fatalf("got err: %v, expect err: %v", err, tt.expectError)
 			}
@@ -285,6 +286,8 @@ func TestGetX509CACert(t *testing.T) {
 		"bad-identifier": {badIdentifier, false, true},
 		"bad-signer":     {defaultIdentifier, true, false},
 	}
+	reqChan := make(chan scheduler.Request)
+
 	for label, tt := range testcases {
 		label, tt := label, tt
 		t.Run(label, func(t *testing.T) {
@@ -293,7 +296,7 @@ func TestGetX509CACert(t *testing.T) {
 				t.Fatalf("unable to create CA keys and certificate: %v", err)
 			}
 			signer := initMockSigner(x509.RSA, caPriv, caCert, tt.isBadSigner, timeout, 10)
-			_, err = signer.GetX509CACert(ctx, tt.identifier)
+			_, err = signer.GetX509CACert(ctx, reqChan, tt.identifier)
 			if err != nil != tt.expectError {
 				t.Fatalf("got err: %v, expect err: %v", err, tt.expectError)
 			}
@@ -584,6 +587,7 @@ func TestGetBlobSigningPublicKey(t *testing.T) {
 		"bad-signer":          {ctx, defaultIdentifier, true, true},
 		"bad-request-timeout": {timeoutCtx, defaultIdentifier, false, true},
 	}
+	reqChan := make(chan scheduler.Request)
 	for label, tt := range testcases {
 		label, tt := label, tt
 		t.Run(label, func(t *testing.T) {
@@ -592,7 +596,7 @@ func TestGetBlobSigningPublicKey(t *testing.T) {
 				t.Fatalf("unable to create CA keys and certificate: %v", err)
 			}
 			signer := initMockSigner(x509.RSA, caPriv, caCert, tt.isBadSigner, timeout, 10)
-			_, err = signer.GetBlobSigningPublicKey(tt.ctx, tt.identifier)
+			_, err = signer.GetBlobSigningPublicKey(tt.ctx, reqChan, tt.identifier)
 			if err != nil != tt.expectError {
 				t.Fatalf("got err: %v, expect err: %v", err, tt.expectError)
 			}