explicitly check pkcs11 and azure uri formats, add links to azure docs

README.md

@@ -10,7 +10,7 @@
   - [Protocol](#protocol)
   - [Key Management](#key-management)
     - [Hardware Security Modules](#hardware-security-modules)
-    - [Azure Key Store or Managed HSM](#azure-key-store-or-managed-hsm)
+    - [Azure Key Vault or Managed HSM](#azure-key-vault-or-managed-hsm)
 - [Deploying](#deploying)
   - [Installing](#installing)
     - [Package Installation](#package-installation)
@@ -155,9 +155,9 @@ Private keys can also be stored on a Hardware Security Module. Keyless can acces
 
 Note you must provide exactly one of the `token`, `serial`, or `slot-id` attributes to identify the token.
 
-### Azure Key Store or Managed HSM
+### Azure Key Vault or Managed HSM
 
-Private keys can also be stored in Azure's HSM offerings.
+Private keys can also be stored in Azure's [key management offerings](https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys).
 ```
     - uri: https://keyless-hsm-1.managedhsm.azure.net/keys/keyless-a/256400ae07e74327b5d233c15aea837
     - uri: https://keyless-vault-1.vault.azure.net/keys/keyless-b/d791e7f42b3a4f3ea8acc65014ea6a95

cmd/gokeyless/gokeyless.go

@@ -321,7 +321,7 @@ func initKeyStore() (server.Keystore, error) {
 				return nil, err
 			}
 		case store.URI != "":
-			if err := keys.AddFromURI(store.URI, loadURI); err != nil {
+			if err := keys.AddFromURI(store.URI); err != nil {
 				return nil, err
 			}
 		}

internal/rfc7512/rfc7512.go

@@ -9,7 +9,6 @@ import (
 	"crypto"
 	"fmt"
 	"net/url"
-	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -49,20 +48,6 @@ type PKCS11URI struct {
 	MaxSessions int // max-sessions
 }
 
-var re *regexp.Regexp
-
-func init() {
-	aChar := "[a-z-_]"
-	pChar := "[a-zA-Z0-9-_.~%:\\[\\]@!\\$'\\(\\)\\*\\+,=&]"
-	pAttr := aChar + "+=" + pChar + "+"
-	pClause := "(" + pAttr + ";)*(" + pAttr + ")"
-	qChar := "[a-zA-Z0-9-_.~%:\\[\\]@!\\$'\\(\\)\\*\\+,=/\\?\\|]"
-	qAttr := aChar + "+=" + qChar + "+"
-	qClause := "(" + qAttr + "&)*(" + qAttr + ")"
-
-	re = regexp.MustCompile("^pkcs11:" + pClause + "(\\?" + qClause + ")?$")
-}
-
 // ParsePKCS11URI decodes a PKCS #11 URI and returns it as a PKCS11URI object.
 //
 // A PKCS #11 URI is a sequence of attribute value pairs separated by a
@@ -83,7 +68,7 @@ func init() {
 // An error is returned if the input string does not appear to follow the rules
 // or if there are unrecognized path or query attributes.
 func ParsePKCS11URI(uri string) (*PKCS11URI, error) {
-	if !re.MatchString(uri) {
+	if IsPKCS11URI(uri) {
 		return nil, fmt.Errorf("error parsing pkcs11 uri %q: invalid format", uri)
 	}
 

internal/rfc7512/uri.go

@@ -0,0 +1,22 @@
+package rfc7512
+
+import "regexp"
+
+var re *regexp.Regexp
+
+func init() {
+	aChar := "[a-z-_]"
+	pChar := "[a-zA-Z0-9-_.~%:\\[\\]@!\\$'\\(\\)\\*\\+,=&]"
+	pAttr := aChar + "+=" + pChar + "+"
+	pClause := "(" + pAttr + ";)*(" + pAttr + ")"
+	qChar := "[a-zA-Z0-9-_.~%:\\[\\]@!\\$'\\(\\)\\*\\+,=/\\?\\|]"
+	qAttr := aChar + "+=" + qChar + "+"
+	qClause := "(" + qAttr + "&)*(" + qAttr + ")"
+
+	re = regexp.MustCompile("^pkcs11:" + pClause + "(\\?" + qClause + ")?$")
+}
+
+// IsPKCS11URI checks if the uri is in the pkcs11 format
+func IsPKCS11URI(uri string) bool {
+	return !re.MatchString(uri)
+}

cmd/gokeyless/nopkcs11.go → server/nopkcs11.go

@@ -1,12 +1,12 @@
 // +build !pkcs11 !cgo
 
-package main
+package server
 
 import (
 	"crypto"
 	"fmt"
 )
 
-func loadURI(uri string) (crypto.Signer, error) {
+func loadPKCS11URI(uri string) (crypto.Signer, error) {
 	return nil, fmt.Errorf("pkcs#11 support is not enabled")
 }

server/pkcs11.go

@@ -20,3 +20,7 @@ func DefaultLoadURI(uri string) (crypto.Signer, error) {
 
 	return rfc7512.LoadPKCS11Signer(pk11uri)
 }
+
+func loadPKCS11URI(uri string) (crypto.Signer, error) {
+	return DefaultLoadURI(uri)
+}

server/server.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/cloudflare/gokeyless/certmetrics"
 	"github.com/cloudflare/gokeyless/internal/azure"
+	"github.com/cloudflare/gokeyless/internal/rfc7512"
 	"github.com/cloudflare/gokeyless/tracing"
 	"github.com/opentracing/opentracing-go"
 	"github.com/opentracing/opentracing-go/ext"
@@ -111,17 +112,19 @@ func (keys *DefaultKeystore) AddFromFile(path string, LoadKey func([]byte) (cryp
 	return keys.Add(nil, priv)
 }
 
-// AddFromURI loads all keys matching the given PKCS#11 URI to the keystore. LoadURI
+// AddFromURI loads all keys matching the given PKCS#11 or Azure URI to the keystore. LoadPKCS11URI
 // is called to parse the URL, connect to the module, and populate a crypto.Signer,
 // which is stored in the Keystore.
-func (keys *DefaultKeystore) AddFromURI(uri string, LoadPKCS11URI func(string) (crypto.Signer, error)) error {
+func (keys *DefaultKeystore) AddFromURI(uri string) error {
 	log.Infof("loading %s...", uri)
 	var priv crypto.Signer
 	var err error
 	if azure.IsKeyVaultURI(uri) {
 		priv, err = azure.New(uri)
+	} else if rfc7512.IsPKCS11URI(uri) {
+		priv, err = loadPKCS11URI(uri)
 	} else {
-		priv, err = LoadPKCS11URI(uri)
+		return fmt.Errorf("unknown uri format: %s", uri)
 	}
 	if err != nil {
 		return err

tests/common_test.go

@@ -148,9 +148,9 @@ func (s *IntegrationTestSuite) SetupTest() {
 		s.server.SetKeystore(keys)
 	} else {
 		keys := server.NewDefaultKeystore()
-		err = keys.AddFromURI(params.RSAURI, loadURI)
+		err = keys.AddFromURI(params.RSAURI)
 		require.NoError(err)
-		err = keys.AddFromURI(params.ECDSAURI, loadURI)
+		err = keys.AddFromURI(params.ECDSAURI)
 		require.NoError(err)
 		s.server.SetKeystore(keys)
 	}