Keyshop: a stub keyserver for E2E

This is a tiny Golang keyserver stub provided for testing the E2E extension.

I don't anticipate pushing much new code to this branch myself; but I'd happily accept pull requests to make this actually useful (and provide, like, actual security properties).

Before you even think about deploying this accessible on anything but localhost, you MUST do something like

ag 'FIXME|OSS' --go -C4

read the comments, and fix the FIXMEs.

If you want to deploy this in a realistic environment, you may want to privilege-separate the key authority. PRs to support using cloud HSMs would be accepted.

Note: DO NOT deploy this in production using Go 1.4, unless you incorporate the broken-random-safe ECDSA patch here

(It's called keyshop because I have a low opinion of certificate authorities, which this essentially is.)

Building

Install an official tarball or use your platform-of-choice's package manager. Or do the right thing, and build Go from source.

Just run:

go get github.com/yahoo/keyshop/ks/cmd/...

and you'll have three new Go binaries in your $GOPATH/bin. If you are Yahoo-internal, you probably want to clone this repo to its import path. E.g.:

git clone $PARANOIDS_GIT/keyshop-oss.git \
  ${GOPATH}/src/github.com/yahoo/keyshop

Using

Add ${GOPATH}/bin to your path and

cd ${GOPATH}/src/github.com/yahoo/keyshop
genkauth
./scripts/mktls.sh
ks -alsologtostderr -v 4 -log_dir ./data/logs

TODO for open-source version

Well, despite the disclaimer above, I probably will:

• Add an API spec in some format that can be pretty-printed.
• Add sanitized test data.
• Clean up and release the API conformance-test driver (which would then, effectively, be an implementation of a client in Python).