Skip to content

sign-kms · API 参考

gRPC KmsService

来源:api/v1/kms.proto:7-13internal/service/kms_service.go:20-80

方法行号 (proto)行号 (service)请求响应
GenerateKeypair820-29GenerateKeypairRequestPublicKeyResponse
GetPublicKey931-40GetPublicKeyRequestPublicKeyResponse
Sign1042-60SignRequestiddigestSignResponsesignature
Verify1162-78VerifyRequestiddigestsignatureVerifyResponse(bool valid
HealthCheck1280HealthCheckRequestHealthCheckResponsehealthypartitions map)

鉴权

internal/server/grpc.go:26-28 中间件链:recovery → signet → GrpcAuthMiddleware → audit

GrpcAuthMiddlewarepkg/auth/grpc_auth.go:48-80):

  • 解析 Authorization: Bearer <jwt>
  • 校验 JWT 签名(用 KMS_AUTH_SECRET)与过期。
  • 调用 TokenStore.GetByJTI:若 Disabled 返回 Forbidden(:62-74);若有 view,用 DB 中的 keys 覆盖 JWT claims.Keys
  • 注入 claims 到 context。

权限矩阵(pkg/auth/claims.go:42-46):

Role允许的 operation
readonlyget_public_keyverify
readwritesignverifyget_public_key
adminsignverifyget_public_keygen_keypairsign_certsign_crl

JWT claims(pkg/auth/claims.go:11-22):

go
type KMSClaims struct {
    jwt.RegisteredClaims
    PartitionID string
    Role        string
    Keys        []string
}

HTTP 端点

来源:api/v1/manage.proto:11-81internal/server/http.go:70internal/service/kms_manage_service.go

方法路径请求类型proto 行号
POST/api/v1/signinSigninRequestusernamepassword12-16
POST/api/v1/signoutEmpty18-22
GET/api/v1/currentEmpty24-26
POST/api/v1/create-nsCreateNsRequestnamedescriptionprovider_idtoken_labeluser_pin27-31
POST/api/v1/access-tokenGetAccessTokenRequestns_idsubjectrolekeys[]expires_in33-37
GET/api/v1/list-nsEmpty39-41
GET/api/v1/list-providersEmpty42-44
GET/api/v1/list-keysListKeysRequest45-47
POST/api/v1/create-keyCreateKeyRequest48-52
GET/api/v1/list-access-tokensListAccessTokensRequest54-56
POST/api/v1/sync-keysSyncKeysRequest57-61
POST/api/v1/disable-access-tokenDisableAccessTokenRequest63-67
POST/api/v1/enable-access-tokenEnableAccessTokenRequest69-73
POST/api/v1/update-access-token-keysUpdateAccessTokenKeysRequest75-79

中间件(internal/server/http.go:49-56):recovery → signet → loggingFilterFunc = HttpAuthMiddleware()

HttpAuthMiddlewarepkg/auth/http_auth.go:27-56):仅检查 /api/* 路径;白名单为 /api/v1/signinpkg/auth/config.go:11NoAuthPaths);从 cookie 读 token → ParseTokenjwt.NewContext

libkms_pkcs11.so

来源:p11client/kms_so.c

kms_so.c 定义 PKCS#11 全套 69 个 C_* 函数。与 KMS 操作相关者为实质实现(按源码顺序):

C_Initialize / C_Finalize / C_GetInfo / C_GetFunctionList / C_GetSlotList / C_GetSlotInfo / C_GetTokenInfo / C_GetMechanismList / C_GetMechanismInfo / C_InitToken / C_InitPIN / C_SetPIN / C_OpenSession / C_CloseSession / C_CloseAllSessions / C_GetSessionInfo / C_Login / C_Logout / C_GenerateKeyPair / C_GetPublicKey / C_SignInit / C_Sign / C_GetAttributeValue / C_SetAttributeValue / C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal / C_VerifyInit / C_Verify

其余(加解密、摘要、Wrap/Unwrap、随机数等)为桩实现,返回 CKR_FUNCTION_NOT_SUPPORTED

环境变量(kms_so.c):

变量行号用途
KMS_SO_DEBUG39调试日志
SIGN_KMS_ENDPOINT202KMS gRPC 端点

Operations / 健康检查

来源:internal/server/http.go:73obs.RegisterRoutes(srv))。

注册路径:/healthz/readyz。具体响应字段 [未核],需读 obs 包源码。

CLI

仓库不含独立 CLI 工具;所有操作走 gRPC / HTTP API。