Use always go.step.sm/crypto

4 years ago · d30a95236d
parent 533ad0ca20
commit d30a95236d
40 changed files with 70 additions and 60 deletions
--- a/acme/api/handler_test.go
+++ b/acme/api/handler_test.go
@ -19,8 +19,8 @@ import (
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 )

 type mockAcmeAuthority struct {
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -14,9 +14,9 @@ import (
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
-	"github.com/smallstep/cli/crypto/keys"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
+	"go.step.sm/crypto/keyutil"
 )

 type nextHTTP = func(http.ResponseWriter, *http.Request)
@ -173,10 +173,10 @@ func (h *Handler) validateJWS(next nextHTTP) nextHTTP {
 			if hdr.JSONWebKey != nil {
 				switch k := hdr.JSONWebKey.Key.(type) {
 				case *rsa.PublicKey:
-					if k.Size() < keys.MinRSAKeyBytes {
+					if k.Size() < keyutil.MinRSAKeyBytes {
 						api.WriteError(w, acme.MalformedErr(errors.Errorf("rsa "+
 							"keys must be at least %d bits (%d bytes) in size",
-							8*keys.MinRSAKeyBytes, keys.MinRSAKeyBytes)))
+							8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes)))
 						return
 					}
 				default:
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@ -17,7 +17,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 func TestNewOrderRequestValidate(t *testing.T) {
--- a/acme/certificate_test.go
+++ b/acme/certificate_test.go
@ -10,9 +10,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/nosql"
 	"github.com/smallstep/nosql/database"
+	"go.step.sm/crypto/pemutil"
 )

 func defaultCertOps() (*CertOptions, error) {
--- a/authority/authority.go
+++ b/authority/authority.go
@ -16,7 +16,7 @@ import (
 	"github.com/smallstep/certificates/kms"
 	kmsapi "github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 	"golang.org/x/crypto/ssh"
 )

--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@ -15,8 +15,8 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/crypto/pemutil"
 	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 )

 func testAuthority(t *testing.T, opts ...Option) *Authority {
--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
@ -17,8 +17,8 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"golang.org/x/crypto/ssh"
 	"gopkg.in/square/go-jose.v2/jwt"
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@ -11,8 +11,8 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/options_test.go
+++ b/authority/provisioner/options_test.go
@ -7,7 +7,7 @@ import (
 	"reflect"
 	"testing"

-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 )

--- a/authority/provisioner/sign_options_test.go
+++ b/authority/provisioner/sign_options_test.go
@ -12,7 +12,7 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 func Test_emailOnlyIdentity_Valid(t *testing.T) {
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@ -8,7 +8,7 @@ import (
 	"time"

 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/crypto/keys"
+	"go.step.sm/crypto/keyutil"
 	"golang.org/x/crypto/ssh"
 )

@ -423,9 +423,9 @@ func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, o SignSSHOpti
 		if err != nil {
 			return err
 		}
-		if key.Size() < keys.MinRSAKeyBytes {
+		if key.Size() < keyutil.MinRSAKeyBytes {
 			return errors.Errorf("ssh certificate key must be at least %d bits (%d bytes)",
-				8*keys.MinRSAKeyBytes, keys.MinRSAKeyBytes)
+				8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes)
 		}
 		return nil
 	case ssh.KeyAlgoDSA:
--- a/authority/provisioner/sign_ssh_options_test.go
+++ b/authority/provisioner/sign_ssh_options_test.go
@ -7,7 +7,7 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
-	"github.com/smallstep/cli/crypto/keys"
+	"go.step.sm/crypto/keyutil"
 	"golang.org/x/crypto/ssh"
 )

@ -489,7 +489,7 @@ func Test_sshDefaultExtensionModifier_Modify(t *testing.T) {
 }

 func Test_sshCertDefaultValidator_Valid(t *testing.T) {
-	pub, _, err := keys.GenerateDefaultKeyPair()
+	pub, _, err := keyutil.GenerateDefaultKeyPair()
 	assert.FatalError(t, err)
 	sshPub, err := ssh.NewPublicKey(pub)
 	assert.FatalError(t, err)
--- a/authority/provisioner/sshpop_test.go
+++ b/authority/provisioner/sshpop_test.go
@ -13,8 +13,8 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 	"golang.org/x/crypto/ssh"
 )

--- a/authority/provisioner/utils_test.go
+++ b/authority/provisioner/utils_test.go
@ -16,8 +16,8 @@ import (
 	"time"

 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"golang.org/x/crypto/ssh"
 )
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@ -9,8 +9,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 )

--- a/authority/root_test.go
+++ b/authority/root_test.go
@ -9,7 +9,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 func TestRoot(t *testing.T) {
--- a/authority/tls.go
+++ b/authority/tls.go
@ -15,9 +15,9 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/keys"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 )

@ -363,7 +363,7 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 	}

 	// Generate default key.
-	priv, err := keys.GenerateDefaultKey()
+	priv, err := keyutil.GenerateDefaultKey()
 	if err != nil {
 		return fatal(err)
 	}
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -22,9 +22,9 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/keys"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
@ -196,7 +196,7 @@ type basicConstraints struct {
 }

 func TestAuthority_Sign(t *testing.T) {
-	pub, priv, err := keys.GenerateDefaultKeyPair()
+	pub, priv, err := keyutil.GenerateDefaultKeyPair()
 	assert.FatalError(t, err)

 	a := testAuthority(t)
@ -745,7 +745,7 @@ func TestAuthority_Renew(t *testing.T) {
 }

 func TestAuthority_Rekey(t *testing.T) {
-	pub, _, err := keys.GenerateDefaultKeyPair()
+	pub, _, err := keyutil.GenerateDefaultKeyPair()
 	assert.FatalError(t, err)

 	a := testAuthority(t)
--- a/ca/acmeClient_test.go
+++ b/ca/acmeClient_test.go
@ -16,8 +16,8 @@ import (
 	"github.com/smallstep/certificates/acme"
 	acmeAPI "github.com/smallstep/certificates/acme/api"
 	"github.com/smallstep/certificates/api"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 )

 func TestNewACMEClient(t *testing.T) {
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -25,9 +25,9 @@ import (
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/crypto/keys"
-	"github.com/smallstep/cli/crypto/pemutil"
 	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"go.step.sm/crypto/x509util"
 	jose "gopkg.in/square/go-jose.v2"
@ -76,7 +76,7 @@ func TestMain(m *testing.M) {
 }

 func TestCASign(t *testing.T) {
-	pub, priv, err := keys.GenerateDefaultKeyPair()
+	pub, priv, err := keyutil.GenerateDefaultKeyPair()
 	assert.FatalError(t, err)

 	asn1dn := &authority.ASN1DN{
@ -551,7 +551,7 @@ func TestCAHealth(t *testing.T) {
 }

 func TestCARenew(t *testing.T) {
-	pub, priv, err := keys.GenerateDefaultKeyPair()
+	pub, priv, err := keyutil.GenerateDefaultKeyPair()
 	assert.FatalError(t, err)

 	asn1dn := &authority.ASN1DN{
--- a/ca/client.go
+++ b/ca/client.go
@ -28,8 +28,8 @@ import (
 	"github.com/smallstep/certificates/ca/identity"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/cli/config"
-	"github.com/smallstep/cli/crypto/keys"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"golang.org/x/net/http2"
 	"gopkg.in/square/go-jose.v2/jwt"
@ -1102,7 +1102,7 @@ func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
 // CreateCertificateRequest creates a new CSR with the given common name and
 // SANs. If no san is provided the commonName will set also a SAN.
 func CreateCertificateRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error) {
-	key, err := keys.GenerateDefaultKey()
+	key, err := keyutil.GenerateDefaultKey()
 	if err != nil {
 		return nil, nil, err
 	}
--- a/ca/identity/identity.go
+++ b/ca/identity/identity.go
@ -17,7 +17,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/cli/config"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 // Type represents the different types of identity files.
--- a/ca/identity/identity_test.go
+++ b/ca/identity/identity_test.go
@ -13,7 +13,7 @@ import (
 	"testing"

 	"github.com/smallstep/certificates/api"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 func TestLoadDefaultIdentity(t *testing.T) {
--- a/ca/provisioner_test.go
+++ b/ca/provisioner_test.go
@ -7,8 +7,8 @@ import (
 	"testing"
 	"time"

-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 )

--- a/cmd/step-awskms-init/main.go
+++ b/cmd/step-awskms-init/main.go
@ -16,9 +16,9 @@ import (

 	"github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/kms/awskms"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
+	"go.step.sm/crypto/pemutil"
 	"golang.org/x/crypto/ssh"
 )

--- a/cmd/step-cloudkms-init/main.go
+++ b/cmd/step-cloudkms-init/main.go
@ -17,9 +17,9 @@ import (

 	"github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/kms/cloudkms"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
+	"go.step.sm/crypto/pemutil"
 	"golang.org/x/crypto/ssh"
 )

--- a/cmd/step-yubikey-init/main.go
+++ b/cmd/step-yubikey-init/main.go
@ -19,9 +19,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/kms"
 	"github.com/smallstep/certificates/kms/apiv1"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
+	"go.step.sm/crypto/pemutil"

 	// Enable yubikey.
 	_ "github.com/smallstep/certificates/kms/yubikey"
--- a/go.mod
+++ b/go.mod
@ -18,7 +18,7 @@ require (
 	github.com/smallstep/nosql v0.3.0
 	github.com/urfave/cli v1.22.2
 	go.step.sm/crypto v0.1.1
-	golang.org/x/crypto v0.0.0-20200414173820-0848c9571904
+	golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
 	golang.org/x/net v0.0.0-20200202094626-16171245cfb2
 	google.golang.org/api v0.15.0
 	google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb
@ -28,4 +28,4 @@ require (

 // replace github.com/smallstep/cli => ../cli
 // replace github.com/smallstep/nosql => ../nosql
-// replace go.step.sm/crypto => ../crypto
+replace go.step.sm/crypto => ../crypto
--- a/go.sum
+++ b/go.sum
@ -479,6 +479,7 @@ github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15/go.mod h1:MyOHs9P
 github.com/smallstep/certificates v0.14.5/go.mod h1:zzpB8wMz967gL8FmK6zvCNB4pDVwFDKjPg1diTVc1h8=
 github.com/smallstep/certinfo v1.3.0/go.mod h1:1gQJekdPwPvUwFWGTi7bZELmQT09cxC9wJ0VBkBNiwU=
 github.com/smallstep/cli v0.14.5/go.mod h1:mRFuqC3cGwQESBGJvog4o76jZZZ7bMjkE+hAnq2QyR8=
+github.com/smallstep/cli v0.14.6 h1:xc9rawDKB70Vgvg10gfQAh9EpDWS3k1O002J5bApqUk=
 github.com/smallstep/cli v0.14.7-rc.1.0.20200721180458-731b7c4c8c95 h1:TcCYqEqh6EIEiFabRdtG0IGyFK01kRLTjx6TIKqjxX8=
 github.com/smallstep/cli v0.14.7-rc.1.0.20200721180458-731b7c4c8c95/go.mod h1:7aWHk7WwJMpEP4PYyav86FMpaI9vuA0uJRliUAqCwxg=
 github.com/smallstep/nosql v0.3.0 h1:V1X5vfDsDt89499h3jZFUlR4VnnsYYs5tXaQZ0w8z5U=
@ -609,6 +610,8 @@ golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 h1:3zb4D3T4G8jdExgVU/95+v
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904 h1:bXoxMPcSLOq08zI3/c5dEBT6lE4eh+jOh886GHrn6V8=
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
--- a/kms/awskms/awskms.go
+++ b/kms/awskms/awskms.go
@ -14,7 +14,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/kms/uri"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 // KMS implements a KMS using AWS Key Management Service.
--- a/kms/awskms/awskms_test.go
+++ b/kms/awskms/awskms_test.go
@ -14,7 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/smallstep/certificates/kms/apiv1"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 func TestNew(t *testing.T) {
--- a/kms/awskms/signer.go
+++ b/kms/awskms/signer.go
@ -8,7 +8,7 @@ import (

 	"github.com/aws/aws-sdk-go/service/kms"
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 // Signer implements a crypto.Signer using the AWS KMS.
--- a/kms/awskms/signer_test.go
+++ b/kms/awskms/signer_test.go
@ -13,7 +13,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/service/kms"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 func TestNewSigner(t *testing.T) {
--- a/kms/cloudkms/cloudkms.go
+++ b/kms/cloudkms/cloudkms.go
@ -14,7 +14,7 @@ import (
 	gax "github.com/googleapis/gax-go/v2"
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/kms/apiv1"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 	"google.golang.org/api/option"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
 )
--- a/kms/cloudkms/cloudkms_test.go
+++ b/kms/cloudkms/cloudkms_test.go
@ -11,7 +11,7 @@ import (

 	gax "github.com/googleapis/gax-go/v2"
 	"github.com/smallstep/certificates/kms/apiv1"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
--- a/kms/cloudkms/signer.go
+++ b/kms/cloudkms/signer.go
@ -5,7 +5,7 @@ import (
 	"io"

 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
 )

--- a/kms/cloudkms/signer_test.go
+++ b/kms/cloudkms/signer_test.go
@ -11,7 +11,7 @@ import (
 	"testing"

 	gax "github.com/googleapis/gax-go/v2"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
 )

--- a/kms/softkms/softkms.go
+++ b/kms/softkms/softkms.go
@ -10,8 +10,9 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/kms/apiv1"
-	"github.com/smallstep/cli/crypto/keys"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"github.com/smallstep/cli/ui"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/pemutil"
 )

 type algorithmAttributes struct {
@ -41,7 +42,7 @@ var generateKey = func(kty, crv string, size int) (interface{}, interface{}, err
 	if kty == "RSA" && size == 0 {
 		size = DefaultRSAKeySize
 	}
-	return keys.GenerateKeyPair(kty, crv, size)
+	return keyutil.GenerateKeyPair(kty, crv, size)
 }

 // SoftKMS is a key manager that uses keys stored in disk.
@ -53,6 +54,9 @@ func New(ctx context.Context, opts apiv1.Options) (*SoftKMS, error) {
 }

 func init() {
+	pemutil.PromptPassword = func(msg string) ([]byte, error) {
+		return ui.PromptPassword(msg)
+	}
 	apiv1.Register(apiv1.SoftKMS, func(ctx context.Context, opts apiv1.Options) (apiv1.KeyManager, error) {
 		return New(ctx, opts)
 	})
@ -98,6 +102,8 @@ func (k *SoftKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e
 	}
 }

+// CreateKey generates a new key using Golang crypto and returns both public and
+// private key.
 func (k *SoftKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
 	v, ok := signatureAlgorithmMapping[req.SignatureAlgorithm]
 	if !ok {
@ -123,6 +129,7 @@ func (k *SoftKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespon
 	}, nil
 }

+// GetPublicKey returns the public key from the file passed in the request name.
 func (k *SoftKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
 	v, err := pemutil.Read(req.Name)
 	if err != nil {
--- a/kms/softkms/softkms_test.go
+++ b/kms/softkms/softkms_test.go
@ -16,7 +16,7 @@ import (
 	"testing"

 	"github.com/smallstep/certificates/kms/apiv1"
-	"github.com/smallstep/cli/crypto/pemutil"
+	"go.step.sm/crypto/pemutil"
 )

 func TestNew(t *testing.T) {
--- a/pki/pki.go
+++ b/pki/pki.go
@ -22,12 +22,12 @@ import (
 	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/cli/config"
-	"github.com/smallstep/cli/crypto/keys"
-	"github.com/smallstep/cli/crypto/pemutil"
 	"github.com/smallstep/cli/errs"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"golang.org/x/crypto/ssh"
 )
@ -115,7 +115,7 @@ func GetProvisioners(caURL, rootFile string) (provisioner.List, error) {
 }

 func generateDefaultKey() (crypto.Signer, error) {
-	priv, err := keys.GenerateDefaultKey()
+	priv, err := keyutil.GenerateDefaultKey()
 	if err != nil {
 		return nil, err
 	}
@ -369,7 +369,7 @@ func (p *PKI) GenerateSSHSigningKeys(password []byte) error {
 	var pubNames = []string{p.sshHostPubKey, p.sshUserPubKey}
 	var privNames = []string{p.sshHostKey, p.sshUserKey}
 	for i := 0; i < 2; i++ {
-		pub, priv, err := keys.GenerateDefaultKeyPair()
+		pub, priv, err := keyutil.GenerateDefaultKeyPair()
 		if err != nil {
 			return err
 		}