Add ComplianceRegion to PrivateKey, NewRemoteSignerWithCertID, NewRemoteSigner

dt-dtran · dt-dtran · commit 84591a3fcff8 · 2025-09-23T12:19:04.000-06:00
diff --git a/client/client.go b/client/client.go
@@ -193,7 +193,7 @@ func (c *Client) getRemote(server string) (Remote, error) {
 // ski, sni, serverIP, and certID are used to identify the key by the remote
 // keyserver.
 func NewRemoteSignerWithCertID(ctx context.Context, c *Client, keyserver string, ski protocol.SKI,
-	pub crypto.PublicKey, sni string, certID string, serverIP net.IP) (crypto.Signer, error) {
+	pub crypto.PublicKey, sni string, certID string, serverIP net.IP, complianceRegion ...protocol.ComplianceRegion) (crypto.Signer, error) {
 	span, _ := opentracing.StartSpanFromContext(ctx, "client.NewRemoteSignerWithCertID")
 	defer span.Finish()
 	priv := PrivateKey{
@@ -205,6 +205,9 @@ func NewRemoteSignerWithCertID(ctx context.Context, c *Client, keyserver string,
 		keyserver: keyserver,
 		certID:    certID,
 	}
+	if len(complianceRegion) > 0 {
+		priv.complianceRegion = complianceRegion[0]
+	}
 	var err error
 	priv.JaegerSpan, err = tracing.SpanContextToBinary(span.Context())
 	if err != nil {
@@ -223,7 +226,7 @@ func NewRemoteSignerWithCertID(ctx context.Context, c *Client, keyserver string,
 // ski, sni, and serverIP are used to identified the key by the remote
 // keyserver.
 func NewRemoteSigner(ctx context.Context, c *Client, keyserver string, ski protocol.SKI,
-	pub crypto.PublicKey, sni string, serverIP net.IP) (crypto.Signer, error) {
+	pub crypto.PublicKey, sni string, serverIP net.IP, complianceRegion ...protocol.ComplianceRegion) (crypto.Signer, error) {
 
 	span, _ := opentracing.StartSpanFromContext(ctx, "client.NewRemoteSignerWithCertID")
 	defer span.Finish()
@@ -235,6 +238,10 @@ func NewRemoteSigner(ctx context.Context, c *Client, keyserver string, ski proto
 		serverIP:  serverIP,
 		keyserver: keyserver,
 	}
+
+	if len(complianceRegion) > 0 {
+		priv.complianceRegion = complianceRegion[0]
+	}
 	var err error
 	priv.JaegerSpan, err = tracing.SpanContextToBinary(span.Context())
 	if err != nil {
@@ -254,24 +261,24 @@ func NewRemoteSigner(ctx context.Context, c *Client, keyserver string, ski proto
 // SKI is computed from the public key and along with sni and serverIP,
 // the remote Signer uses those key identification info to contact the
 // remote keyserver for keyless operations.
-func (c *Client) NewRemoteSignerTemplate(ctx context.Context, keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP) (crypto.Signer, error) {
+func (c *Client) NewRemoteSignerTemplate(ctx context.Context, keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP, complianceRegion ...protocol.ComplianceRegion) (crypto.Signer, error) {
 	ski, err := protocol.GetSKI(pub)
 	if err != nil {
 		return nil, err
 	}
-	return NewRemoteSigner(ctx, c, keyserver, ski, pub, sni, serverIP)
+	return NewRemoteSigner(ctx, c, keyserver, ski, pub, sni, serverIP, complianceRegion...)
 }
 
 // NewRemoteSignerTemplateWithCertID returns a remote keyserver
 // based crypto.Signer with the public key.
 // SKI is computed from public key, and along with sni, serverIP, and
 // certID the remote signer uses these to contact the remote keyserver.
-func (c *Client) NewRemoteSignerTemplateWithCertID(ctx context.Context, keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP, certID string) (crypto.Signer, error) {
+func (c *Client) NewRemoteSignerTemplateWithCertID(ctx context.Context, keyserver string, pub crypto.PublicKey, sni string, serverIP net.IP, certID string, complianceRegion ...protocol.ComplianceRegion) (crypto.Signer, error) {
 	ski, err := protocol.GetSKI(pub)
 	if err != nil {
 		return nil, err
 	}
-	return NewRemoteSignerWithCertID(ctx, c, keyserver, ski, pub, sni, certID, serverIP)
+	return NewRemoteSignerWithCertID(ctx, c, keyserver, ski, pub, sni, certID, serverIP, complianceRegion...)
 }
 
 // NewRemoteSignerByPublicKey returns a remote keyserver based signer
diff --git a/client/keys.go b/client/keys.go
@@ -93,7 +93,8 @@ type PrivateKey struct {
 
 	// We have shove the span context inside PrivateKey because
 	// it's used by calling functions on the `crypto.Signer` interface, which don't take ctx as a parameter.
-	JaegerSpan []byte
+	JaegerSpan       []byte
+	complianceRegion protocol.ComplianceRegion
 }
 
 // Public returns the public key corresponding to the opaque private key.
@@ -124,13 +125,14 @@ func (key *PrivateKey) execute(ctx context.Context, op protocol.Op, msg []byte)
 		// https://github.com/cloudflare/gokeyless/pull/276 makes it safe to fill it in,
 		// but there's no way to know the version of the remote keyserver
 		result, err = conn.Conn.DoOperation(ctx, protocol.Operation{
-			Opcode:   op,
-			Payload:  msg,
-			SKI:      key.ski,
-			ClientIP: key.clientIP,
-			ServerIP: key.serverIP,
-			SNI:      key.sni,
-			CertID:   key.certID,
+			Opcode:           op,
+			Payload:          msg,
+			SKI:              key.ski,
+			ClientIP:         key.clientIP,
+			ServerIP:         key.serverIP,
+			SNI:              key.sni,
+			CertID:           key.certID,
+			ComplianceRegion: key.complianceRegion,
 		})
 		if err != nil {
 			conn.Close()
