Add Scaleway Key Manager KMS provider (scwkms) #1052
Open
guillaume-ro-fr wants to merge 1 commit into
Name of feature:

Scaleway Key Manager (`scwkms`) KMS provider.

Adds a new `go.step.sm/crypto/kms` backend for Scaleway Key Manager, built on the official `github.com/scaleway/scaleway-sdk-go` SDK and modeled on the existing `cloudkms`/`awskms` providers.

It implements:

- `apiv1.KeyManager`: `CreateKey`, `GetPublicKey`, `CreateSigner`, `Close`
- `crypto.Signer` (digest-only signing, EC P-256/P-384 and RSA-PKCS1/RSA-PSS, all SHA-256 except EC P-384/SHA-384)
- `apiv1.Decrypter`: RSA-OAEP-SHA256
- `apiv1.KeyDeleter`: `DeleteKey`

Pain or issue this feature alleviates:

step-ca / step users hosting keys on Scaleway had no way to use Scaleway Key Manager as a signing/decryption backend. This brings Scaleway to parity with the other cloud KMS providers (AWS, GCP, Azure), so a Scaleway-hosted key can back a CA or signer through the same `kms.New(...)` entrypoint.

Why is this important to the project (if not answered above):

Broadens cloud KMS coverage with a popular European provider, using the same plugin model (self-registration via `init()` + `apiv1.Register`) and the same narrow-client/mock test pattern as the existing providers - no new conventions introduced.

Is there documentation on how to use this feature? If so, where?

Package-level godoc on `kms/scwkms`. Usage mirrors the other providers via a URI:

with credentials resolved through the standard Scaleway precedence (config-file profile → env vars → explicit URI params: `access-key`, `secret-key`, `project-id`, `organization-id`, `region`, `profile`).

In what environments or workflows is this feature supported?

Anywhere the `kms` package is consumed (step-ca, step, step-kms-plugin) by blank-importing `go.step.sm/crypto/kms/scwkms`. Asymmetric signing keys (EC P-256/P-384, RSA-PKCS1 & RSA-PSS at 2048/3072/4096, all SHA-256) and RSA-OAEP-SHA256 decryption keys. Builds with and without the provider via the `noscwkms` build tag (stub registers a clear "compiled without Scaleway Key Manager support" error).

In what environments or workflows is this feature explicitly NOT supported (if any):

- `GenerateDataKey` - out of scope (not part of the `apiv1.KeyManager` surface).

Note: the ECDSA signature DER-encoding and the RSA-PSS salt length cannot be validated by the mocked unit tests - they require a live integration test against a real Scaleway key to confirm signatures verify under the public key. The signer defensively normalizes ECDSA signatures to ASN.1 DER to be correct regardless of Scaleway's wire format.

Non-standard public key PEM headers

The Scaleway Key Manager API returns public keys with non-standard PEM headers that `pemutil.ParseKey` does not accept out of the box:

- `EC PUBLIC KEY` - used for EC keys. The DER payload is a standard PKIX SubjectPublicKeyInfo; the header is rewritten to `PUBLIC KEY` before parsing with `x509.ParsePKIXPublicKey`.
- `RSA PUBLIC KEY` - used for RSA keys. The DER payload is a PKCS#1 `RSAPublicKey` structure; parsed directly with `x509.ParsePKCS1PublicKey`.

Both cases are handled in the `parsePublicKeyPEM` helper (`scwkms.go`), which is the single entry point for all PEM decoding in the package (`GetPublicKey`, `Signer.preloadKey`, `Decrypter.preloadKey`). Standard `PUBLIC KEY` headers pass through to `pemutil.ParseKey` unchanged.

Integration test results (step-kms-plugin)

Tested manually against a real Scaleway Key Manager account (region `fr-par`) using a custom build of `step-kms-plugin` with `scwkms` blank-imported and `go.step.sm/crypto` replaced with this branch.

All 8 supported key types were created and exercised with `step-kms-plugin create` followed by `step-kms-plugin sign --verify`:

`sign --verify` confirms end-to-end correctness: the ECDSA signatures returned by Scaleway are already in ASN.1 DER format (the defensive raw → DER normalization path was not triggered), and the RSA-PSS salt length is compatible with Go's verifier.

Supporting links/other PRs/issues:
Closes #1037