Merge pull request #770 from smallstep/josh/capi-delete-key

Add support for 'DeleteKey' in CAPIKMS.

Author: joshdrake

internal/bcrypt_pbkdf/bcrypt_pbkdf.go

@@ -5,7 +5,7 @@
 // Package bcrypt_pbkdf implements password-based key derivation function based
 // on bcrypt compatible with bcrypt_pbkdf(3) from OpenBSD.
 //
-//nolint:revive,stylecheck // ignore underscore in package
+//nolint:revive,staticcheck // ignore underscore in package
 package bcrypt_pbkdf
 
 import (

internal/bcrypt_pbkdf/bcrypt_pbkdf_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //
-//nolint:revive,stylecheck // ignore underscore in package
+//nolint:revive,staticcheck // ignore underscore in package
 package bcrypt_pbkdf
 
 import (

jose/encrypt_test.go

@@ -103,7 +103,7 @@ func rsaEqual(priv *rsa.PrivateKey, x crypto.PrivateKey) bool {
 	if !ok {
 		return false
 	}
-	if !(priv.PublicKey.N.Cmp(xx.N) == 0 && priv.PublicKey.E == xx.E) || priv.D.Cmp(xx.D) != 0 {
+	if (priv.PublicKey.N.Cmp(xx.N) != 0 || priv.PublicKey.E != xx.E) || priv.D.Cmp(xx.D) != 0 {
 		return false
 	}
 	if len(priv.Primes) != len(xx.Primes) {

jose/types.go

@@ -133,7 +133,7 @@ var ErrIssuedInTheFuture = jwt.ErrIssuedInTheFuture
 
 // Key management algorithms
 //
-//nolint:stylecheck,revive // use standard names in upper-case
+//nolint:staticcheck,revive // use standard names in upper-case
 const (
 	RSA1_5             = KeyAlgorithm("RSA1_5")             // RSA-PKCS1v1.5
 	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")           // RSA-OAEP-SHA1
@@ -174,7 +174,7 @@ const (
 
 // Content encryption algorithms
 //
-//nolint:revive,stylecheck // use standard names in upper-case
+//nolint:revive,staticcheck // use standard names in upper-case
 const (
 	A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
 	A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)

kms/awskms/decrypter_test.go

@@ -52,7 +52,7 @@ func TestCreateDecrypter(t *testing.T) {
 }
 
 func TestDecrypterDecrypts(t *testing.T) {
-	kms, pub := createTestKMS(t, 2048)
+	km, pub := createTestKMS(t, 2048)
 	fail1024KMS, _ := createTestKMS(t, 1024)
 
 	// prepare encrypted contents
@@ -62,15 +62,15 @@ func TestDecrypterDecrypts(t *testing.T) {
 	require.NoError(t, err)
 
 	// create a decrypter, identified by "test-sha256", and check the public key
-	d256, err := kms.CreateDecrypter(&apiv1.CreateDecrypterRequest{
+	d256, err := km.CreateDecrypter(&apiv1.CreateDecrypterRequest{
 		DecryptionKey: "test-sha256",
 	})
 	require.NoError(t, err)
 	require.NotNil(t, d256)
 	require.True(t, pub.Equal(d256.Public()))
 
 	// create a decrypter, identified by "test-sha1", and check the public key
-	d1, err := kms.CreateDecrypter(&apiv1.CreateDecrypterRequest{
+	d1, err := km.CreateDecrypter(&apiv1.CreateDecrypterRequest{
 		DecryptionKey: "test-sha1",
 	})
 	require.NoError(t, err)

kms/capi/capi.go

@@ -643,6 +643,28 @@ func (k *CAPIKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespon
 	}, nil
 }
 
+// DeleteKey deletes the key from the key id (Microsoft calls it 'Key Container Name') passed in via the URI
+func (k *CAPIKMS) DeleteKey(req *apiv1.DeleteKeyRequest) error {
+	u, err := uri.ParseWithScheme(Scheme, req.Name)
+	if err != nil {
+		return fmt.Errorf("failed to parse URI: %w", err)
+	}
+
+	var containerName string
+	if containerName = u.Get(ContainerNameArg); containerName == "" {
+		return fmt.Errorf("%v not specified", ContainerNameArg)
+	}
+
+	kh, err := nCryptOpenKey(k.providerHandle, containerName, 0, 0)
+	if err != nil {
+		return fmt.Errorf("unable to open key: %w", err)
+	}
+
+	defer nCryptFreeObject(kh)
+
+	return nCryptDeleteKey(kh)
+}
+
 // GetPublicKey returns the public key from the key id (Microsoft calls it 'Key Container Name') passed in via the URI
 func (k *CAPIKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
 	u, err := uri.ParseWithScheme(Scheme, req.Name)

kms/capi/ncrypt_windows.go

@@ -34,6 +34,7 @@ const (
 
 	// Key Storage Flags
 	NCRYPT_MACHINE_KEY_FLAG = 0x00000001
+	NCRYPT_SILENT_FLAG      = 0x00000040
 
 	// Errors
 	NTE_NOT_SUPPORTED         = uint32(0x80090029)
@@ -141,6 +142,7 @@ var (
 	procNCryptFinalizeKey         = nCrypt.MustFindProc("NCryptFinalizeKey")
 	procNCryptFreeObject          = nCrypt.MustFindProc("NCryptFreeObject")
 	procNCryptOpenKey             = nCrypt.MustFindProc("NCryptOpenKey")
+	procNCryptDeleteKey           = nCrypt.MustFindProc("NCryptDeleteKey")
 	procNCryptOpenStorageProvider = nCrypt.MustFindProc("NCryptOpenStorageProvider")
 	procNCryptGetProperty         = nCrypt.MustFindProc("NCryptGetProperty")
 	procNCryptSetProperty         = nCrypt.MustFindProc("NCryptSetProperty")
@@ -289,6 +291,21 @@ func nCryptOpenKey(provisionerHandle uintptr, containerName string, legacyKeySpe
 	return kh, nil
 }
 
+func nCryptDeleteKey(keyHandle uintptr) error {
+	r, _, err := procNCryptDeleteKey.Call(
+		keyHandle,
+		0,
+	)
+	if !errors.Is(err, windows.Errno(0)) {
+		return fmt.Errorf("NCryptDeleteKey returned %w", err)
+	}
+	if r != 0 {
+		return fmt.Errorf("NCryptDeleteKey returned %v", errNoToStr(uint32(r)))
+	}
+
+	return nil
+}
+
 func nCryptFinalizeKey(keyHandle uintptr, flags uint32) error {
 	r, _, err := procNCryptFinalizeKey.Call(keyHandle, uintptr(flags))
 	if !errors.Is(err, windows.Errno(0)) {

nssdb/attributes.go

@@ -5,32 +5,32 @@ import "encoding/binary"
 // CKA_CLASS values
 // https://github.com/nss-dev/nss/blob/NSS_3_107_RTM/lib/util/pkcs11t.h#L320-L334
 const (
-	CKO_DATA              = iota //nolint:stylecheck,revive // name matches source
-	CKO_CERTIFICATE              //nolint:stylecheck,revive // name matches source
-	CKO_PUBLIC_KEY               //nolint:stylecheck,revive // name matches source
-	CKO_PRIVATE_KEY              //nolint:stylecheck,revive // name matches source
-	CKO_SECRET_KEY               //nolint:stylecheck,revive // name matches source
-	CKO_HW_FEATURE               //nolint:stylecheck,revive // name matches source
-	CKO_DOMAIN_PARAMETERS        //nolint:stylecheck,revive // name matches source
-	CKO_MECHANISM                //nolint:stylecheck,revive // name matches source
-	CKO_PROFILE                  //nolint:stylecheck,revive // name matches source
+	CKO_DATA              = iota //nolint:staticcheck,revive // name matches source
+	CKO_CERTIFICATE              //nolint:staticcheck,revive // name matches source
+	CKO_PUBLIC_KEY               //nolint:staticcheck,revive // name matches source
+	CKO_PRIVATE_KEY              //nolint:staticcheck,revive // name matches source
+	CKO_SECRET_KEY               //nolint:staticcheck,revive // name matches source
+	CKO_HW_FEATURE               //nolint:staticcheck,revive // name matches source
+	CKO_DOMAIN_PARAMETERS        //nolint:staticcheck,revive // name matches source
+	CKO_MECHANISM                //nolint:staticcheck,revive // name matches source
+	CKO_PROFILE                  //nolint:staticcheck,revive // name matches source
 )
 
 // CKA_KEY_TYPE values
 // https://github.com/nss-dev/nss/blob/NSS_3_107_RTM/lib/util/pkcs11t.h#L366
 const (
-	CKK_RSA = iota //nolint:stylecheck,revive // name matches source
-	CKK_DSA        //nolint:stylecheck,revive // name matches source
-	CKK_DH         //nolint:stylecheck,revive // name matches source
-	CKK_EC         //nolint:stylecheck,revive // name matches source
+	CKK_RSA = iota //nolint:staticcheck,revive // name matches source
+	CKK_DSA        //nolint:staticcheck,revive // name matches source
+	CKK_DH         //nolint:staticcheck,revive // name matches source
+	CKK_EC         //nolint:staticcheck,revive // name matches source
 )
 
 // CKA_CERTIFICATE_TYPE values
 // https://github.com/nss-dev/nss/blob/NSS_3_107_RTM/lib/util/pkcs11t.h#L453-L458
 const (
-	CKC_X_509           = iota //nolint:stylecheck,revive // name matches source
-	CKC_X_509_ATTR_CERT        //nolint:stylecheck,revive // name matches source
-	CKC_WTLS                   //nolint:stylecheck,revive // name matches source
+	CKC_X_509           = iota //nolint:staticcheck,revive // name matches source
+	CKC_X_509_ATTR_CERT        //nolint:staticcheck,revive // name matches source
+	CKC_WTLS                   //nolint:staticcheck,revive // name matches source
 )
 
 // https://github.com/nss-dev/nss/blob/NSS_3_107_RTM/lib/softoken/sftkdb.c#L47

x509util/certificate.go

@@ -188,7 +188,7 @@ func (c *Certificate) GetCertificate() *x509.Certificate {
 // See also https://datatracker.ietf.org/doc/html/rfc5280.html#section-4.2.1.6
 func (c *Certificate) hasExtendedSANs() bool {
 	for _, san := range c.SANs {
-		if !(san.Type == DNSType || san.Type == EmailType || san.Type == IPType || san.Type == URIType || san.Type == AutoType || san.Type == "") {
+		if !(san.Type == DNSType || san.Type == EmailType || san.Type == IPType || san.Type == URIType || san.Type == AutoType || san.Type == "") { //nolint:staticcheck // QF1001, this version is more semantically readable
 			return true
 		}
 	}

x509util/certificate_request.go

@@ -320,7 +320,7 @@ func (c *CertificateRequest) GetLeafCertificate() *Certificate {
 // See also https://datatracker.ietf.org/doc/html/rfc5280.html#section-4.2.1.6
 func (c *CertificateRequest) hasExtendedSANs() bool {
 	for _, san := range c.SANs {
-		if !(san.Type == DNSType || san.Type == EmailType || san.Type == IPType || san.Type == URIType || san.Type == AutoType || san.Type == "") {
+		if !(san.Type == DNSType || san.Type == EmailType || san.Type == IPType || san.Type == URIType || san.Type == AutoType || san.Type == "") { //nolint:staticcheck // QF1001, this version is more semantically readable
 			return true
 		}
 	}