- Variables
- func InitSoftHSM(logger *logging.Logger, config *Config)
- func NewKeyStore(params *Params) (keystore.KeyStorer, error)
- func NewSignerECDSA(keyStore keystore.KeyStorer, signerStore keystore.SignerStorer, ...) crypto.Signer
- func NewSignerRSA(signerStore keystore.SignerStorer, keyAttributes *keystore.KeyAttributes, ...) crypto.Signer
- type Config
- type KeyStore
- func (ks *KeyStore) Backend() keystore.KeyBackend
- func (ks *KeyStore) Close() error
- func (ks *KeyStore) Decrypter(attrs *keystore.KeyAttributes) (crypto.Decrypter, error)
- func (ks *KeyStore) Delete(attrs *keystore.KeyAttributes) error
- func (store *KeyStore) Equal(opaque keystore.OpaqueKey, x crypto.PrivateKey) bool
- func (ks *KeyStore) GenerateECDSA(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
- func (ks *KeyStore) GenerateEd25519(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
- func (ks *KeyStore) GenerateKey(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
- func (ks *KeyStore) GenerateRSA(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
- func (ks *KeyStore) GenerateSecretKey(keyAttrs *keystore.KeyAttributes) error
- func (ks *KeyStore) Initialize(soPIN, userPIN keystore.Password) error
- func (ks *KeyStore) Key(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
- func (ks *KeyStore) RotateKey(attrs *keystore.KeyAttributes) (keystore.OpaqueKey, error)
- func (ks *KeyStore) Signer(attrs *keystore.KeyAttributes) (crypto.Signer, error)
- func (ks *KeyStore) Type() keystore.StoreType
- func (ks *KeyStore) Verifier(attrs *keystore.KeyAttributes, opts *keystore.VerifyOpts) keystore.Verifier
- type PKCS11
- func (pkcs11 *PKCS11) Close() error
- func (pkcs11 *PKCS11) DebugLibraryInfo()
- func (pkcs11 *PKCS11) DebugSlots()
- func (pkcs11 *PKCS11) Destroy() error
- func (pkcs11 PKCS11) Lib() *libpkcs11.Ctx
- func (p11 *PKCS11) Login() error
- func (pkcs11 *PKCS11) PrintLibraryInfo()
- func (pkcs11 *PKCS11) PrintTokenInfo()
- func (pkcs11 *PKCS11) Session() (libpkcs11.SessionHandle, error)
- type Params
- type SignerECDSA
- type SignerRSA
Variables ¶
// Sentinel errors returned by the PKCS #11 key store. Every message carries
// the "keystore/pkcs11:" prefix so a caller can tell which backend produced
// it; compare with errors.Is rather than string matching.
var (
	// ErrUnsupportedKeyAlgorithm is returned for key algorithms this backend
	// cannot generate or use (see GenerateEd25519).
	ErrUnsupportedKeyAlgorithm = errors.New("keystore/pkcs11: unsupported key algorithm")
	// ErrUnsupportedOperation is returned for operations the backend does not
	// implement.
	ErrUnsupportedOperation = errors.New("keystore/pkcs11: unsupported operation")
	// ErrInvalidSOPIN reports a rejected security officer (SO) PIN.
	ErrInvalidSOPIN = errors.New("keystore/pkcs11: invalid security officer pin")
	// ErrInvalidUserPIN reports a rejected user PIN.
	ErrInvalidUserPIN = errors.New("keystore/pkcs11: invalid user pin")
	// ErrInvalidTokenLabel reports a token label that could not be used.
	ErrInvalidTokenLabel = errors.New("keystore/pkcs11: invalid token label")
	// ErrInvalidSOPINLength reports an SO PIN shorter than the 4-character
	// minimum stated in the message.
	ErrInvalidSOPINLength = errors.New("keystore/pkcs11: invalid SO pin length, must be at least 4 characters")
	// ErrInvalidPINLength reports a user PIN shorter than the 4-character
	// minimum stated in the message.
	ErrInvalidPINLength = errors.New("keystore/pkcs11: invalid pin length, must be at least 4 characters")
)
var (
	// ErrInvalidSlot reports a slot that could not be selected or opened.
	// NOTE(review): this message uses the shorter "pkcs11:" prefix, unlike
	// the other sentinels in this package — confirm whether that is intended.
	ErrInvalidSlot = errors.New("pkcs11: invalid slot")
)
// SOFTHSM_CONF is the SoftHSM v2 configuration template used by this
// package. The "%s" placeholder is the token directory and must be filled
// in by the caller before the bytes are written (presumably via
// fmt.Sprintf in InitSoftHSM — confirm against the caller).
//
// Settings worth noting for operators:
//   - objectstore.umask = 0077 keeps token object files readable only by
//     the owning user.
//   - log.level = ERROR suppresses SoftHSM's own INFO/DEBUG output.
//   - slots.mechanisms = ALL enables every mechanism SoftHSM offers.
var SOFTHSM_CONF = []byte(`
# SoftHSM v2 configuration file
directories.tokendir = %s
objectstore.backend = file
objectstore.umask = 0077
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL
# If the library should reset the state on fork
library.reset_on_fork = false
`)
Functions ¶
func InitSoftHSM ¶
Initializes SoftHSM by invoking the external softhsm2-util shell command.
func NewKeyStore ¶
Generates a new connection to the underlying PKCS #11 module. Returns ErrNotInitialized if the token needs to be initialized.
func NewSignerECDSA ¶
func NewSignerECDSA( keyStore keystore.KeyStorer, signerStore keystore.SignerStorer, keyAttributes *keystore.KeyAttributes, ctx *crypto11.Context, publicKey crypto.PublicKey) crypto.Signer
Signer that uses the Elliptic Curve Digital Signature Algorithm (ECDSA).
Signs the requested data using the Certificate Authority private key or, optionally, the private key provided via SignerOpts during the call to Sign.
func NewSignerRSA ¶
Types ¶
type Config ¶
// Config holds the PKCS #11 key store settings loaded from the platform
// configuration. Every field is tagged for yaml, json and mapstructure, so
// all of them — including Pin and SOPin — round-trip through those encoders
// as plain strings; protect the configuration file accordingly.
type Config struct {
	// CN is a common name. NOTE(review): which certificate/subject it names
	// is not shown here — confirm against the callers.
	CN string `yaml:"cn" json:"cn" mapstructure:"cn"`
	// Library is the PKCS #11 provider library (presumably a path to the
	// shared object — confirm against NewPKCS11).
	Library string `yaml:"library" json:"library" mapstructure:"library"`
	// LibraryConfig is the provider-specific configuration
	// (for SoftHSM, see SOFTHSM_CONF).
	LibraryConfig string `yaml:"config" json:"config" mapstructure:"config"`
	// Pin is the user PIN used for Login. It is serialized in clear text.
	Pin string `yaml:"pin" json:"pin" mapstructure:"pin"`
	// PlatformPolicy toggles platform policy handling; its exact effect
	// is not visible here — TODO confirm.
	PlatformPolicy bool `yaml:"platform-policy" json:"platform_policy" mapstructure:"platform-policy"`
	// Slot selects the token slot. A nil pointer distinguishes "unset"
	// from slot 0; what "unset" means is decided by the caller — confirm.
	Slot *int `yaml:"slot" json:"slot" mapstructure:"slot"`
	// SOPin is the security officer PIN used to initialize the token.
	// It is serialized in clear text, like Pin.
	SOPin string `yaml:"so-pin" json:"so_pin" mapstructure:"so-pin"`
	// TokenLabel is the label of the token to open or initialize.
	TokenLabel string `yaml:"label" json:"label" mapstructure:"label"`
}
type KeyStore ¶
func (*KeyStore) Backend ¶
func (ks *KeyStore) Backend() keystore.KeyBackend
Returns the key store backend
func (*KeyStore) Delete ¶
func (ks *KeyStore) Delete(attrs *keystore.KeyAttributes) error
Deletes a key pair from the key store; this is a no-op for PKCS #11.
func (*KeyStore) Equal ¶
Compares the provided keys and returns true if they have the same Modulus / Curve.
func (*KeyStore) GenerateECDSA ¶
Generates a new ECDSA key pair using the provided key attributes and returns an OpaqueKey implementing crypto.Signer that is backed by the underlying PKCS #11 HSM module.
func (*KeyStore) GenerateEd25519 ¶
Returns ErrUnsupportedKeyAlgorithm because the Thales PKCS #11 library does not support this operation. TODO: use miekg's PKCS #11 library to implement this operation.
func (*KeyStore) GenerateKey ¶
Generates a new key pair using the provided key attributes and returns an OpaqueKey implementing crypto.Signer that is backed by the underlying PKCS #11 HSM module.
func (*KeyStore) GenerateRSA ¶
Generates a new RSA key pair using the provided key attributes and returns an OpaqueKey implementing crypto.Signer that is backed by the underlying PKCS #11 HSM module.
func (*KeyStore) GenerateSecretKey ¶
func (ks *KeyStore) GenerateSecretKey( keyAttrs *keystore.KeyAttributes) error
Generates a new AES-256 secret key
func (*KeyStore) Initialize ¶
Generates a new connection to the underlying PKCS #11 module
func (*KeyStore) RotateKey ¶
Rotates an existing key by generating a new key pair and overwriting the existing key. This is a destructive operation that will cause the existing key pair to be irrecoverable.
func (*KeyStore) Verifier ¶
func (ks *KeyStore) Verifier( attrs *keystore.KeyAttributes, opts *keystore.VerifyOpts) keystore.Verifier
Returns a software runtime verifier to perform signature verifications. The verifier supports RSA PKCS1v15, RSA-PSS, ECDSA, and Ed25519.
type PKCS11 ¶
// PKCS11 wraps a cryptoki library handle and the session opened against a
// token. Obtain one with NewPKCS11; Login, Session, Close and Destroy manage
// the session lifetime (see their documentation for the required ordering).
type PKCS11 struct {
	// contains filtered or unexported fields
}
func NewPKCS11 ¶
Opens a new PKCS #11 session using the library and settings provided in the platform configuration file.
func (*PKCS11) Close ¶
Closes the current session and logs the current user out of the token. The library remains available for future calls to Open.
func (*PKCS11) DebugLibraryInfo ¶
func (pkcs11 *PKCS11) DebugLibraryInfo()
func (*PKCS11) DebugSlots ¶
func (pkcs11 *PKCS11) DebugSlots()
func (*PKCS11) Destroy ¶
Destroys the session and signals to the cryptoki library that it is done being used. This library is no longer available for calls to Open.
func (*PKCS11) Login ¶
Logs into the token using the provided PIN. You must call Logout when done to prevent leaks.
func (*PKCS11) PrintLibraryInfo ¶
func (pkcs11 *PKCS11) PrintLibraryInfo()
func (*PKCS11) PrintTokenInfo ¶
func (pkcs11 *PKCS11) PrintTokenInfo()
type Params ¶
// Params carries the dependencies NewKeyStore needs to connect to a PKCS #11
// module. Which fields are mandatory is not visible here — confirm against
// NewKeyStore.
type Params struct {
	// Backend identifies the key backend reported by KeyStore.Backend.
	Backend keystore.KeyBackend
	// Config is the PKCS #11 configuration (library, PINs, slot, label).
	Config *Config
	// DebugSecrets, when true, presumably allows secret material (PINs) to
	// be logged — keep it false outside of local debugging. TODO confirm.
	DebugSecrets bool
	// Fs is the filesystem used for any on-disk state (e.g. SoftHSM config).
	Fs afero.Fs
	// Logger receives diagnostic output.
	Logger *logging.Logger
	// Random is the entropy source passed to crypto operations that take one.
	Random io.Reader
	// SignerStore persists signer metadata alongside the HSM-held keys.
	SignerStore keystore.SignerStorer
	// TPMKS is the TPM 2.0 platform key store this store may cooperate with;
	// how it is used is not shown here — confirm.
	TPMKS tpm2ks.PlatformKeyStorer
}
type SignerECDSA ¶
func (SignerECDSA) Public ¶
func (signer SignerECDSA) Public() crypto.PublicKey
Returns the public half of the signing key
func (SignerECDSA) Sign ¶
func (signer SignerECDSA) Sign( rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
Signs the requested digest using the PKCS #8 private key