Add a new keyless protocol error type for remote configuration issues (#404)

Co-authored-by: Leland Garofalo <[email protected]>

Author: lgarofalo

client/keys.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/cloudflare/cfssl/log"
 	"github.com/cloudflare/gokeyless/protocol"
+	"github.com/cloudflare/gokeyless/server"
 	"github.com/cloudflare/gokeyless/tracing"
 	"github.com/opentracing/opentracing-go"
 	"github.com/opentracing/opentracing-go/ext"
@@ -112,12 +113,12 @@ func (key *PrivateKey) execute(ctx context.Context, op protocol.Op, msg []byte)
 	for attempts := 2; attempts > 0; attempts-- {
 		r, err := key.client.getRemote(key.keyserver)
 		if err != nil {
-			return nil, err
+			return nil, server.RemoteConfigurationErr{Err: err}
 		}
 
 		conn, err := r.Dial(key.client)
 		if err != nil {
-			return nil, err
+			return nil, server.RemoteConfigurationErr{Err: err}
 		}
 
 		// We explicitly do NOT want to fill in JaegerSpan here, since the remote keyless server

protocol/protocol.go

@@ -161,6 +161,8 @@ const (
 	ErrCertNotFound
 	// ErrExpired indicates that the sealed blob is no longer unsealable.
 	ErrExpired
+	// ErrRemoteConfiguration indicates that a remote keyserver was not configured correctly.
+	ErrRemoteConfiguration
 )
 
 func (e Error) Error() string {
@@ -191,6 +193,8 @@ func (e Error) String() string {
 		return "certificate not found"
 	case ErrExpired:
 		return "sealing key expired"
+	case ErrRemoteConfiguration:
+		return "remote configuration error"
 	default:
 		return "unknown error"
 	}

server/errors.go

@@ -0,0 +1,9 @@
+package server
+
+type RemoteConfigurationErr struct {
+	Err error
+}
+
+func (rce RemoteConfigurationErr) Error() string {
+	return rce.Err.Error()
+}

server/server.go

@@ -377,7 +377,15 @@ func (s *Server) unlimitedDo(pkt *protocol.Packet, connName string) response {
 		sig, err := key.Sign(rand.Reader, pkt.Operation.Payload, crypto.Hash(0))
 		if err != nil {
 			log.Errorf("Connection: %s: Signing error: %v", connName, protocol.ErrCrypto, err)
-			return makeErrResponse(pkt, protocol.ErrCrypto)
+			// This indicates that a remote keyserver is being used
+			var remoteConfigurationErr RemoteConfigurationErr
+			if errors.As(err, &remoteConfigurationErr) {
+				log.Errorf("Connection %v: %s: Signing error: %v\n", connName, protocol.ErrRemoteConfiguration, err)
+				return makeErrResponse(pkt, protocol.ErrRemoteConfiguration)
+			} else {
+				log.Errorf("Connection %v: %s: Signing error: %v\n", connName, protocol.ErrCrypto, err)
+				return makeErrResponse(pkt, protocol.ErrCrypto)
+			}
 		}
 		return makeRespondResponse(pkt, sig)
 
@@ -486,8 +494,15 @@ func (s *Server) unlimitedDo(pkt *protocol.Packet, connName string) response {
 				continue
 			} else {
 				tracing.LogError(span, err)
-				log.Errorf("Connection %v: %s: Signing error: %v\n", connName, protocol.ErrCrypto, err)
-				return makeErrResponse(pkt, protocol.ErrCrypto)
+				// This indicates that a remote keyserver is being used
+				var remoteConfigurationErr RemoteConfigurationErr
+				if errors.As(err, &remoteConfigurationErr) {
+					log.Errorf("Connection %v: %s: Signing error: %v\n", connName, protocol.ErrRemoteConfiguration, err)
+					return makeErrResponse(pkt, protocol.ErrRemoteConfiguration)
+				} else {
+					log.Errorf("Connection %v: %s: Signing error: %v\n", connName, protocol.ErrCrypto, err)
+					return makeErrResponse(pkt, protocol.ErrCrypto)
+				}
 			}
 		}
 		break