pkcs11key

package
v0.0.0-...-2f10430 Latest
Warning

This package is not in the latest version of its module.

Published: Aug 16, 2015 License: BSD-2-Clause Imports: 6 Imported by: 0

Documentation

Overview

Package pkcs11key implements crypto.Signer for PKCS #11 private keys. Currently, only RSA keys are supported.

Package pkcs11key exists to satisfy Go build tools. Some Go tools will complain "no buildable Go source files in ..." because pkcs11key.go only builds when the pkcs11 tag is supplied. This empty file exists only to suppress that error, which blocks completion in some tools (specifically godep).

Types

type PKCS11Key

type PKCS11Key struct {
	// contains filtered or unexported fields
}

PKCS11Key is an implementation of the crypto.Signer interface using a key stored in a PKCS#11 hardware token. This enables the use of PKCS#11 tokens with the Go x509 library's methods for signing certificates.

func New

func New(module, slot, pin, privLabel string) (ps *PKCS11Key, err error)

New instantiates a new handle to a PKCS #11-backed key.

func (*PKCS11Key) Destroy

func (ps *PKCS11Key) Destroy()

Destroy tears down a PKCS11Key.

This method must be called before the PKCS11Key is GC'ed, in order to ensure that the PKCS#11 module itself is properly finalized and destroyed.

The idiomatic way to do this (assuming no need for a long-lived signer) is as follows:

ps, err := pkcs11key.New(module, slot, pin, privLabel)
if err != nil {
	return err
}
defer ps.Destroy()

func (*PKCS11Key) Public

func (ps *PKCS11Key) Public() crypto.PublicKey

Public returns the public key for the PKCS #11 key.

func (*PKCS11Key) Sign

func (ps *PKCS11Key) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error)

Sign performs a signature using the PKCS #11 key.
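How a crypto.Signer such as PKCS11Key is driven by the x509 library when signing a certificate, as an added example that is not this package's own code. The names opaqueSigner, newOpaqueSigner and selfSign are hypothetical, and an RSA key constructed in memory stands in for the token so the example runs without a PKCS #11 module.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// opaqueSigner is a hypothetical stand-in for *pkcs11key.PKCS11Key; its key is constructed in memory.
type opaqueSigner struct {
	key   *rsa.PrivateKey
	calls int // Sign invocations made on the caller's behalf
}

func newOpaqueSigner() (*opaqueSigner, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &opaqueSigner{key: k}, err
}

func (s *opaqueSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

// Sign is handed a digest, not the message; opts names the hash that produced it.
func (s *opaqueSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	s.calls++
	return s.key.Sign(r, digest, opts) // a token would do this step in hardware
}

// selfSign returns a DER self-signed CA certificate, using only the crypto.Signer interface.
func selfSign(signer crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
}

func main() {
	s, err := newOpaqueSigner()
	if err == nil {
		_, err = selfSign(s)
	}
	fmt.Println("Sign calls:", s.calls, "error:", err)
}
```

x509.CreateCertificate never sees the private key: it takes the public half from Public and passes only the hashed to-be-signed bytes to Sign, which is what allows the key to stay inside a token.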
