pkcs11

Documentation

Overview

Package pkcs11 implements logic for using PKCS #11 shared libraries.

Index

• type Certificate
  • func (c *Certificate) Type() CertificateType
  • func (c *Certificate) X509() (*x509.Certificate, error)
• type CertificateType
• type Class
  • func (c Class) String() string
• type Error
  • func (e *Error) Error() string
• type Filter
• type Info
• type Module
  • func Open(path string) (*Module, error)
  • func (m *Module) Close() error
  • func (m *Module) Info() Info
  • func (m *Module) Slot(id uint32, opts Options) (*Slot, error)
  • func (m *Module) SlotIDs() ([]uint32, error)
  • func (m *Module) SlotInfo(id uint32) (*SlotInfo, error)
• type Object
  • func (o Object) Certificate() (*Certificate, error)
  • func (o Object) Class() Class
  • func (o Object) Label() (string, error)
  • func (o Object) PrivateKey(pub crypto.PublicKey) (crypto.PrivateKey, error)
  • func (o Object) PublicKey() (crypto.PublicKey, error)
• type Options
• type Slot
  • func (s *Slot) Close() error
  • func (s *Slot) Objects(opts Filter) (objs []Object, err error)
• type SlotInfo
• type Version

Types

type Certificate

type Certificate struct {
	// contains filtered or unexported fields
}

Certificate holds a certificate object. Because certificates object can hold various kinds of certificates, callers should check the type before calling methods that parse the certificate.

cert, err := obj.Certificate()
if err != nil {
	// ...
}
if cert.Type() != pkcs11.CertificateX509 {
	// unexpected kind of certificate ...
}
x509Cert, err := cert.X509()

func (*Certificate) Type

func (c *Certificate) Type() CertificateType

Type returns the format of the underlying certificate.

func (*Certificate) X509

func (c *Certificate) X509() (*x509.Certificate, error)

X509 parses the underlying certificate as an X.509 certificate.

If the certificate holds a different type of certificate, this method returns an error.

type CertificateType

type CertificateType int

CertificateType determines the kind of certificate a certificate object holds. This can be X.509, WTLS, GPG, etc.

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html#_Toc416959709

const (
	CertificateX509 CertificateType = iota + 1
	CertificateUnknown
)

Certificate types supported by this package.

type Class

type Class int

Class is the primary object type. Such as a certificate, public key, or private key.

const (
	ClassData             Class = 0x00000000
	ClassCertificate      Class = 0x00000001
	ClassPublicKey        Class = 0x00000002
	ClassPrivateKey       Class = 0x00000003
	ClassSecretKey        Class = 0x00000004
	ClassDomainParameters Class = 0x00000006
)

Set of classes supported by this package.

func (Class) String

func (c Class) String() string

String returns a human readable version of the object class.

type Error

type Error struct {
	// contains filtered or unexported fields
}

Error is returned for cryptokit specific API codes.

func (*Error) Error

func (e *Error) Error() string

type Filter

type Filter struct {
	Class Class
	Label string
}

Filter hold options for returning a subset of objects from a slot.

The returned object will match all provided parameters. For example, if Class=ClassPrivateKey and Label="foo", the returned object must be a private key with label "foo".

type Info

type Info struct {
	// Manufacturer of the implementation. When multiple PKCS #11 devices are
	// present this is used to differentiate devices.
	Manufacturer string
	// Version of the module.
	Version Version
	// Human readable description of the module.
	Description string
}

Info holds global information about the module.

type Module

type Module struct {
	// contains filtered or unexported fields
}

Module represents an opened shared library. By default, this package requests locking support from the module, but concurrent safety may depend on the underlying library.

func Open

func Open(path string) (*Module, error)

Open dlopens a shared library by path, initializing the module.

func (*Module) Close

func (m *Module) Close() error

Close finalizes the module and releases any resources associated with the shared library.

func (*Module) Info

func (m *Module) Info() Info

Info returns additional information about the module.

func (*Module) Slot

func (m *Module) Slot(id uint32, opts Options) (*Slot, error)

Slot creates a session with the given slot, by default read-only. Users must call Close to release the session.

The returned Slot's behavior is undefined once the Module is closed.

func (*Module) SlotIDs

func (m *Module) SlotIDs() ([]uint32, error)

SlotIDs returns the IDs of all slots associated with this module, including ones that haven't been initialized.

func (*Module) SlotInfo

func (m *Module) SlotInfo(id uint32) (*SlotInfo, error)

SlotInfo queries for information about the slot, such as the label.

type Object

type Object struct {
	// contains filtered or unexported fields
}

Object represents a single object stored within a slot. For example a key or certificate.

func (Object) Certificate

func (o Object) Certificate() (*Certificate, error)

Certificate parses the underlying object as a certificate. If the object isn't a certificate, this method fails.

func (Object) Class

func (o Object) Class() Class

Class returns the type of the object stored. For example, certificate, public key, or private key.

func (Object) Label

func (o Object) Label() (string, error)

Label returns a string value attached to an object, which can be used to identify or group sets of keys and certificates.

func (Object) PrivateKey

func (o Object) PrivateKey(pub crypto.PublicKey) (crypto.PrivateKey, error)

PrivateKey parses the underlying object as a private key. Both RSA and ECDSA keys are supported.

The returned PrivateKey implements crypto.Signer and optionally crypto.Decrypter depending on the supported mechanisms.

If the object isn't a public key, this method fails.

func (Object) PublicKey

func (o Object) PublicKey() (crypto.PublicKey, error)

PublicKey parses the underlying object as a public key. Both RSA and ECDSA keys are supported.

If the object isn't a public key, this method fails.

type Options

type Options struct {
	PIN      string
	AdminPIN string
	// ReadWrite indicates that the slot should be opened with write capabilities,
	// such as generating keys or importing certificates.
	//
	// By default, sessions can access objects and perform signing requests.
	ReadWrite bool
}

Options holds configuration options for the slot session.

type Slot

type Slot struct {
	// contains filtered or unexported fields
}

Slot represents a session to a slot.

A slot holds a listable set of objects, such as certificates and cryptographic keys.

func (*Slot) Close

func (s *Slot) Close() error

Close releases the slot session.

func (*Slot) Objects

func (s *Slot) Objects(opts Filter) (objs []Object, err error)

Objects searches a slot for objects that match the given options, or all objects if no options are provided.

The returned objects behavior is undefined once the Slot object is closed.

type SlotInfo

type SlotInfo struct {
	Label  string
	Model  string
	Serial string

	Description string
}

SlotInfo holds information about the slot and underlying token.

type Version

type Version struct {
	Major uint8
	Minor uint8
}

Version holds a major and minor version.