Use KMS URIs without --kms flag

maraino · maraino · commit e6b08fed84ef · 2026-01-30T14:13:12.000-08:00
This command allows use use KMS URIs without using the `--kms` flag.
Those commands using cryptoutils package will read a key from a KMS if
the name is not a file and is one of the supported KMS types.
diff --git a/command/ca/rekey.go b/command/ca/rekey.go
@@ -239,7 +239,7 @@ func rekeyCertificateAction(ctx *cli.Context) error {
 	// For now, if the --kms flag is given, do not allow to generate a new key
 	// and write it on disk. We can't use the daemon mode because we
 	// cannot generate new keys.
-	if kmsURI != "" {
+	if kmsURI != "" || cryptoutil.IsKMS(keyFile) {
 		switch {
 		case givenPrivate == "":
 			return errs.RequiredWithFlag(ctx, "kms", "private-key")
diff --git a/internal/cryptoutil/cryptoutil.go b/internal/cryptoutil/cryptoutil.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"os/exec"
 	"strconv"
 	"strings"
@@ -22,15 +23,24 @@ import (
 	"go.step.sm/crypto/pemutil"
 )
 
-// IsKMS returns true if the given uri is a KMS URI.
+// IsKMS returns true if the given uri is a KMS URI. It will return false if a
+// file exists with the same name, even if the path matches a KMS uri pattern.
 func IsKMS(rawuri string) bool {
+	if _, err := os.Stat(rawuri); err == nil {
+		return false
+	}
+
 	typ, err := kms.TypeOf(rawuri)
 	if err != nil || typ == apiv1.DefaultKMS {
 		return false
 	}
 	return true
 }
 
+func isFilename(kmsURI, name string) bool {
+	return kmsURI == "" && !IsKMS(name)
+}
+
 // Attestor is the interface implemented by step-kms-plugin using the key, sign,
 // and attest commands.
 type Attestor interface {
@@ -39,7 +49,7 @@ type Attestor interface {
 }
 
 func PublicKey(kmsURI, name string, opts ...pemutil.Options) (crypto.PublicKey, error) {
-	if kmsURI == "" {
+	if isFilename(kmsURI, name) {
 		s, err := pemutil.Read(name, opts...)
 		if err != nil {
 			return nil, err
@@ -61,7 +71,7 @@ func PublicKey(kmsURI, name string, opts ...pemutil.Options) (crypto.PublicKey,
 // CreateSigner reads a key from a file with a given name or creates a signer
 // with the given kms and name uri.
 func CreateSigner(kmsURI, name string, opts ...pemutil.Options) (crypto.Signer, error) {
-	if kmsURI == "" || isSoftKMS(kmsURI) {
+	if isFilename(kmsURI, name) {
 		s, err := pemutil.Read(name, opts...)
 		if err != nil {
 			return nil, err
@@ -75,13 +85,9 @@ func CreateSigner(kmsURI, name string, opts ...pemutil.Options) (crypto.Signer,
 	return newKMSSigner(kmsURI, name)
 }
 
-func isSoftKMS(kmsURI string) bool {
-	return strings.HasPrefix(strings.ToLower(strings.TrimSpace(kmsURI)), "softkms")
-}
-
 // LoadCertificate returns a x509.Certificate from a kms or file
 func LoadCertificate(kmsURI, certPath string) ([]*x509.Certificate, error) {
-	if kmsURI == "" {
+	if isFilename(kmsURI, certPath) {
 		s, err := pemutil.ReadCertificateBundle(certPath)
 		if err != nil {
 			return nil, fmt.Errorf("file %s does not contain a valid certificate: %w", certPath, err)
@@ -117,7 +123,7 @@ func LoadCertificate(kmsURI, certPath string) ([]*x509.Certificate, error) {
 
 // LoadJSONWebKey returns a jose.JSONWebKey from a KMS or a file.
 func LoadJSONWebKey(kmsURI, name string, opts ...jose.Option) (*jose.JSONWebKey, error) {
-	if kmsURI == "" {
+	if isFilename(kmsURI, name) {
 		return jose.ReadKey(name, opts...)
 	}
 
