pkcs11client

package
v0.3.5 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 27, 2021 License: MPL-2.0 Imports: 23 Imported by: 1

Documentation

Overview

Helpers for PKCS#11, including instructions for configuring SoftHSM, Thales SafeNet DPoD and Entrust nShield.

Index

Constants

// Default connect and read timeouts.
// NOTE(review): presumably seconds, matching HsmConfig.ConnectTimeoutS and
// HsmConfig.ReadTimeoutS, and presumably applied by
// HsmConfig.CheckSetDefaultTimeouts when a timeout is unset — confirm.
const (
	DEFAULT_CONNECTTIMEOUTS = 30
	DEFAULT_READTIMEOUTS    = 30
)
// Error codes and connection states are declared in one const block, so iota
// is not reset between the two groups.
const (
	// Typed Pkcs11ErrorCode values 0 through 3.
	PKCS11ERR_NONE Pkcs11ErrorCode = iota
	PKCS11ERR_GENERICERROR
	PKCS11ERR_CONNECTIONTIMEOUT
	PKCS11ERR_READTIMEOUT

	// iota keeps counting here: PKCS11CONNECTION_NONE is 4 and
	// PKCS11CONNECTION_SUCCEEDED is 7. The four names are untyped integer
	// constants, not Pkcs11ConnectionState values.
	// NOTE(review): a zero-valued Pkcs11ConnectionState (0) therefore equals
	// none of these names — check that no caller treats the zero value as
	// "no connection" or compares an unset state against PKCS11CONNECTION_NONE.
	PKCS11CONNECTION_NONE = iota
	PKCS11CONNECTION_INPROGRESS
	PKCS11CONNECTION_FAILED
	PKCS11CONNECTION_SUCCEEDED
)
const (
	// Ed25519 mechanism numbers expressed as offsets from CKM_VENDOR_DEFINED,
	// i.e. vendor-specific values rather than PKCS#11 standard ones.
	// NOTE(review): presumably only accepted by the HSM vendor whose headers
	// define these offsets — confirm which tokens support them before relying
	// on Ed25519 signing.
	CKM_EDDSA_NACL = (pkcs11.CKM_VENDOR_DEFINED + 0xC02) // ed25519 sign/verify - NaCl compatible
	CKM_EDDSA      = (pkcs11.CKM_VENDOR_DEFINED + 0xC03) // ed25519 sign/verify

	// Edwards-curve key type, likewise an offset from CKK_VENDOR_DEFINED.
	CKK_EC_EDWARDS = (pkcs11.CKK_VENDOR_DEFINED + 0x12)

	// Message texts, declared as untyped string constants (not error values).
	ERR_NEWKEYINTEGRITY      = "For new keys check that all of KeyBits, ID and Label are set"
	ERR_NEWKEYALREADYEXISTS  = "Key already exists"
	ERR_NOMECHANISMCREATE    = "Unable to find a key mechanism for key creation"
	ERR_UNSUPPORTEDKEYTYPE   = "Unsupported key type. Please use CKK_RSA or CKK_EC"
	ERR_UNSUPPORTEDCURVESIZE = "No curve for key bit size"
)

Variables

This section is empty.

Functions

func GenMechanismById

func GenMechanismById(mechanismId uint) (mechanism []*pkcs11.Mechanism, err error)

For mechanisms that don't need additional params, e.g. pkcs11.CKM_RSA_PKCS (PKCS#1 v1.5 RSASSA signing) and pkcs11.CKM_RSA_X_509 (not in FIPS mode).

func GenSignedCert

func GenSignedCert(csr *x509.CertificateRequest,
	caCert *x509.Certificate,
	caSigner *HsmSigner) (signedCert *x509.Certificate, err error)

func GenSignerMechanismById

func GenSignerMechanismById(mechanismId uint, opts crypto.SignerOpts) ([]*pkcs11.Mechanism, error)

func GenSubjectKeyID added in v0.3.2

func GenSubjectKeyID(publicKey crypto.PublicKey) ([]byte, error)

The subject key ID is used in the CA cert.

func GetPubKeyType added in v0.3.3

func GetPubKeyType(publicKey crypto.PublicKey) (keyType x509.PublicKeyAlgorithm, err error)

func LoadCertFromFile

func LoadCertFromFile(filename string) (*x509.Certificate, error)

func LoadCertRequestFromFile

func LoadCertRequestFromFile(filename string) (*x509.CertificateRequest, error)

func LoadFromFileAsString added in v0.3.2

func LoadFromFileAsString(filename string) (*string, error)

func LoadPEMCertFromFile added in v0.3.2

func LoadPEMCertFromFile(filename string) (*x509.Certificate, error)

func LoadPubkeyFromFile

func LoadPubkeyFromFile(filename string) (interface{}, error)

func SaveCertToFile

func SaveCertToFile(filename string, cert *x509.Certificate) error

func SaveDataToFile

func SaveDataToFile(filename string, fileData *[]byte) (err error)

Types

type CASigningRequest

// CASigningRequest is opaque to callers: every field is unexported, and no
// exported function or method on this page takes or returns it.
type CASigningRequest struct {
	// contains filtered or unexported fields
}

type HsmConfig

// HsmConfig holds the settings used to reach one HSM slot through PKCS#11.
// NOTE(review): ParseHsmConfig takes a filename, so these values, including
// Pin, are presumably read from a file in clear text — restrict that file's
// permissions and keep this struct out of logs and serialized output.
type HsmConfig struct {
	// the HSM's client PKCS#11 library
	// NOTE(review): presumably a path to a shared library that is loaded into
	// the process; take it from trusted configuration only. No json tag.
	Lib string

	// the HSM slot ID
	SlotId uint `json:"slot_id"`

	// the slot pin
	// This is a credential held as a plain string; it has no json tag, unlike
	// the fields below.
	Pin string

	// a key label
	KeyLabel string `json:"key_label"`

	// connection timeout seconds
	ConnectTimeoutS uint `json:"connect_timeout_s"`

	// function timeout seconds
	ReadTimeoutS uint `json:"read_timeout_s"`
}

func ParseHsmConfig

func ParseHsmConfig(filename string) (*HsmConfig, error)

func (*HsmConfig) CheckSetDefaultTimeouts

func (h *HsmConfig) CheckSetDefaultTimeouts()

func (*HsmConfig) ValidateConfig

func (h *HsmConfig) ValidateConfig() error

Only checks the presence of the client lib: the slot could be 0, the pin could be blank and the key label could be set dynamically.

type HsmSigner

// HsmSigner bundles an HSM client, a key description and signing options.
// Its Public and Sign methods are declared on the value receiver and have the
// method set of crypto.Signer.
type HsmSigner struct {
	CryptoSigner crypto.Signer

	// Pointer to the shared client, so copies of HsmSigner share one Pkcs11Client.
	Pkcs11Client  *Pkcs11Client
	PublicKey     crypto.PublicKey
	KeyConfig     KeyConfig
	SignerOpts    crypto.SignerOpts
	// NOTE(review): presumably the serial number placed in issued certificates;
	// an int64 caps it at 63 bits, and how it is generated is not shown here —
	// confirm it is unique per issuer and not predictable.
	Serial        int64
	SignatureAlgo x509.SignatureAlgorithm
	// contains filtered or unexported fields
}

func (HsmSigner) Public

func (t HsmSigner) Public() crypto.PublicKey

func (HsmSigner) Sign

// Sign has the crypto.Signer.Sign signature. The io.Reader argument is bound to
// the blank identifier, so any randomness source passed by the caller is not used.
// NOTE(review): presumably digest is signed on the HSM via t.Pkcs11Client — confirm.
func (t HsmSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signedCsr []byte, err error)

type KeyConfig

// KeyConfig identifies a key on the token and, for creation, describes it.
type KeyConfig struct {
	// CKA_LABEL
	Label string

	// CKA_ID doesn't appear to work with SoftHSM
	Id []byte

	// for CKA_KEY_TYPE
	// NOTE(review): ERR_UNSUPPORTEDKEYTYPE names CKK_RSA and CKK_EC as the
	// expected values — confirm against the implementation.
	Type uint

	// CKA_MODULUS_BITS, only needed for key creation
	KeyBits int

	// The mechanism will be auto populated but it can be manually set
	Mechanism []*pkcs11.Mechanism
}

type KeyConfigKeyPairTemplate added in v0.3.1

// KeyConfigKeyPairTemplate is returned by GenKeyConfigKeyPairTemplate; all of
// its fields are unexported, so it is configured through its Gen* methods.
type KeyConfigKeyPairTemplate struct {
	// contains filtered or unexported fields
}

func GenKeyConfigKeyPairTemplate added in v0.3.1

func GenKeyConfigKeyPairTemplate(keyConfig *KeyConfig) KeyConfigKeyPairTemplate

func (*KeyConfigKeyPairTemplate) GenDefaultKeyPairPrivTemplateForSigning added in v0.3.1

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairPrivTemplateForSigning()

func (*KeyConfigKeyPairTemplate) GenDefaultKeyPairPubTemplateForSigning added in v0.3.1

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairPubTemplateForSigning()

func (*KeyConfigKeyPairTemplate) GenDefaultKeyPairTemplateForSigning added in v0.3.1

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairTemplateForSigning()

func (*KeyConfigKeyPairTemplate) GenDefaultKeySecurityTemplate added in v0.3.1

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeySecurityTemplate()

func (*KeyConfigKeyPairTemplate) GenKeyPairTemplateAttribs added in v0.3.1

func (kp *KeyConfigKeyPairTemplate) GenKeyPairTemplateAttribs() (privAttribs []*pkcs11.Attribute, pubAttribs []*pkcs11.Attribute, err error)

type KeyTemplatePrivConfig added in v0.3.1

// KeyTemplatePrivConfig lists the usage flags for the private half of a key
// pair; each field is annotated with the PKCS#11 attribute it stands for.
// Enabling only the usages a key needs (for example signing without decrypt or
// unwrap) keeps a signing key from being usable for other operations.
type KeyTemplatePrivConfig struct {

	// CKA_DECRYPT
	IsDecrypt bool

	// CKA_UNWRAP
	IsUnwrap bool

	// CKA_SIGN
	IsSign bool

	// CKA_DERIVE
	IsDerive bool
}

type KeyTemplatePubConfig added in v0.3.1

// KeyTemplatePubConfig lists the usage flags and RSA public exponent for the
// public half of a key pair; each field is annotated with its PKCS#11 attribute.
type KeyTemplatePubConfig struct {

	// CKA_ENCRYPT
	IsEncrypt bool

	// CKA_WRAP
	IsWrap bool

	// CKA_VERIFY
	IsVerify bool

	// CKA_PUBLIC_EXPONENT
	Exponent []byte
}

type KeyTemplateSecurity added in v0.3.1

// KeyTemplateSecurity lists the storage and protection flags of a key object;
// each field is annotated with the PKCS#11 attribute it stands for.
type KeyTemplateSecurity struct {

	// CKA_TOKEN token or session object
	IsToken bool

	// CKA_PRIVATE requires elevated privileges to report the presence of a key object
	IsPrivate bool

	// CKA_SENSITIVE
	// In PKCS#11 a sensitive key's value cannot be read off the token in plaintext.
	IsSensitive bool

	// CKA_ALWAYS_SENSITIVE
	// NOTE(review): PKCS#11 has the token maintain this attribute and does not
	// allow it in a key-generation template; how this field is used is not
	// shown here — confirm it is not passed to the HSM on creation.
	IsAlwaysSensitive bool

	// CKA_MODIFIABLE
	IsModifiable bool

	// CKA_EXTRACTABLE
	// In PKCS#11 an extractable key can be wrapped and exported from the token;
	// leave this false for keys that must stay inside the HSM.
	IsExtractable bool

	// CKA_NEVER_EXTRACTABLE
	// NOTE(review): token-maintained in PKCS#11, like CKA_ALWAYS_SENSITIVE —
	// confirm it is not passed to the HSM on creation.
	IsNeverExtractable bool
}

type Pkcs11Client

// Pkcs11Client carries the HSM configuration plus the connection state and most
// recent error of a PKCS#11 client. It holds a sync.Mutex by value, so it must
// not be copied after first use; every method listed for it takes a pointer receiver.
type Pkcs11Client struct {
	HsmConfig   *HsmConfig
	// Exported so that callers can take the lock themselves before reading the
	// state fields below.
	Pkcs11Mutex sync.Mutex
	// the most recent error and code should only be used whilst holding the mutex lock
	ConnectionState Pkcs11ConnectionState
	LastErrCode     Pkcs11ErrorCode
	LastErr         error
	// contains filtered or unexported fields
}

func (*Pkcs11Client) CheckExistsCreateKeyPair added in v0.3.1

func (p *Pkcs11Client) CheckExistsCreateKeyPair(keyConfig *KeyConfig) error

first see if the key already exists, whether identified by ID or by LABEL

func (*Pkcs11Client) CheckExistsOkCreateKeyPair added in v0.3.2

func (p *Pkcs11Client) CheckExistsOkCreateKeyPair(keyConfig *KeyConfig) error

func (*Pkcs11Client) Cleanup

func (p *Pkcs11Client) Cleanup()

func (*Pkcs11Client) CreateKeyPair added in v0.3.1

func (p *Pkcs11Client) CreateKeyPair(keyConfig *KeyConfig) error

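No existence check here, which means a new key can be created with the same label but a different ID. Lookups by label alone then become ambiguous; use CheckExistsCreateKeyPair when duplicates must be ruled out.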

func (*Pkcs11Client) DecryptRsaPkcs1v15

func (p *Pkcs11Client) DecryptRsaPkcs1v15(encryptedData *[]byte, plainData *[]byte, keyConfig KeyConfig) (err error)

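Insecure PKCS#1 v1.5 padding: not supported by a FIPS-enabled SafeNet HSM, but works with SoftHSM. PKCS#1 v1.5 decryption is exposed to padding-oracle attacks when decryption failures are observable to the sender; prefer DecryptRsaPkcsOaep where the HSM supports it.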

func (*Pkcs11Client) DecryptRsaPkcsOaep

func (p *Pkcs11Client) DecryptRsaPkcsOaep(encryptedData *[]byte, plainData *[]byte, keyConfig KeyConfig, hashAlg crypto.Hash) (err error)

RSA OAEP requires additional params. keyConfig.Mechanism will be auto-populated based on the hashAlg unless already set, i.e. it can be overridden. hashAlg is e.g. crypto.SHA256.

func (*Pkcs11Client) DecryptRsaPkcsX509

// NOTE(review): the name suggests the CKM_RSA_X_509 mechanism, i.e. raw RSA with
// no padding handled by the token — confirm. If so, the caller must validate the
// structure of the recovered plaintext itself; DecryptRsaPkcsOaep is the safer
// choice for general decryption.
func (p *Pkcs11Client) DecryptRsaPkcsX509(encryptedData *[]byte, plainData *[]byte, keyConfig KeyConfig) (err error)

func (*Pkcs11Client) DecryptWithHandle

func (p *Pkcs11Client) DecryptWithHandle(encryptedData *[]byte,
	plainText *[]byte,
	mechanism []*pkcs11.Mechanism,
	objHandle pkcs11.ObjectHandle) (err error)

func (*Pkcs11Client) DeleteKeyPair added in v0.3.1

func (p *Pkcs11Client) DeleteKeyPair(keyConfig *KeyConfig) (err error)

func (*Pkcs11Client) EncryptRsaPkcs1v15

func (p *Pkcs11Client) EncryptRsaPkcs1v15(plainData *[]byte, encryptedData *[]byte, keyConfig KeyConfig) (err error)

PKCS#1 v1.5 supports Encrypt/Decrypt, Sign/Verify, SignRecover/VerifyRecover (SR/VR) and Wrap/Unwrap only. Insecure PKCS#1 v1.5 padding: not supported by a FIPS-enabled SafeNet HSM, but works with SoftHSM.

func (*Pkcs11Client) EncryptRsaPkcsOaep

func (p *Pkcs11Client) EncryptRsaPkcsOaep(plainData *[]byte, encryptedData *[]byte, keyConfig KeyConfig, hashAlg crypto.Hash) (err error)

RSA OAEP supports Encrypt/Decrypt and Wrap/Unwrap only, and requires additional params. keyConfig.Mechanism will be auto-populated based on the hashAlg unless already set, i.e. it can be overridden. hashAlg is e.g. crypto.SHA256. Check RSA mechanisms vs functions: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.html#_Toc416959967

func (*Pkcs11Client) EncryptRsaPkcsX509

// NOTE(review): the name suggests the CKM_RSA_X_509 mechanism, i.e. raw RSA with
// no padding added by the token — confirm. Unpadded RSA encryption is
// deterministic and malleable; EncryptRsaPkcsOaep is the safer choice unless the
// caller applies its own padding scheme.
func (p *Pkcs11Client) EncryptRsaPkcsX509(plainData *[]byte, encryptedData *[]byte, keyConfig KeyConfig) (err error)

func (*Pkcs11Client) EncryptWithHandle

func (p *Pkcs11Client) EncryptWithHandle(plainData *[]byte,
	encryptedData *[]byte,
	mechanism []*pkcs11.Mechanism,
	objHandle pkcs11.ObjectHandle) (err error)

func (*Pkcs11Client) ExistsPublicKey added in v0.3.1

func (p *Pkcs11Client) ExistsPublicKey(keyConfig *KeyConfig) (exists bool, err error)

Check the public part of the key exists by label and/or ID

func (*Pkcs11Client) FetchKeyPairHandles added in v0.3.1

func (p *Pkcs11Client) FetchKeyPairHandles(keyConfig *KeyConfig) (privKeyHandle *[]pkcs11.ObjectHandle, pubKeyHandle *[]pkcs11.ObjectHandle, err error)

Fetch the key handles if they exist.

func (*Pkcs11Client) FindObjects

func (p *Pkcs11Client) FindObjects(attribs []*pkcs11.Attribute, max int) (objHandles []pkcs11.ObjectHandle, err error)

func (*Pkcs11Client) FlushSession

func (p *Pkcs11Client) FlushSession()

func (*Pkcs11Client) GetGenSubjectKeyId added in v0.3.2

func (p *Pkcs11Client) GetGenSubjectKeyId(keyConfig *KeyConfig, keyType uint) (subjectKeyId []byte, publicKey crypto.PublicKey, err error)

get the public key from the HSM and generate the subjectKeyID from it for CA cert gen

func (*Pkcs11Client) Init

func (p *Pkcs11Client) Init() (err error)

func (*Pkcs11Client) InitAndLoginWithTimeout

func (p *Pkcs11Client) InitAndLoginWithTimeout() (err error)

this includes the PKCS#11 Initialize as part of the overall timeout

func (*Pkcs11Client) Login

func (p *Pkcs11Client) Login() (err error)

func (*Pkcs11Client) LoginWithTimeout

func (p *Pkcs11Client) LoginWithTimeout() error

For module handling of the connection timeout without the PKCS#11 Initialize as part of the timeout. Alternatively, the Login function can be called directly so that timeouts can be handled externally.

func (*Pkcs11Client) Logout

func (p *Pkcs11Client) Logout() (err error)

func (*Pkcs11Client) ReadECPublicKey

func (p *Pkcs11Client) ReadECPublicKey(keyConfig *KeyConfig) (pubKey interface{}, err error)

func (*Pkcs11Client) ReadExistsPublicKey

func (p *Pkcs11Client) ReadExistsPublicKey(keyConfig *KeyConfig) (publicKey []byte, err error)

func (*Pkcs11Client) ReadPublicKey

func (p *Pkcs11Client) ReadPublicKey(keyConfig *KeyConfig, pubKeyType uint) (pubKey interface{}, err error)

func (*Pkcs11Client) ReadRSAPublicKey

func (p *Pkcs11Client) ReadRSAPublicKey(keyConfig *KeyConfig) (pubKey interface{}, err error)

https://stackoverflow.com/a/25181584/2002211

func (*Pkcs11Client) SignCertDSA

func (p *Pkcs11Client) SignCertDSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

func (*Pkcs11Client) SignCertECDSA

func (p *Pkcs11Client) SignCertECDSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

func (*Pkcs11Client) SignCertEDDSA

func (p *Pkcs11Client) SignCertEDDSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

EDDSA uses the Edwards Ed25519 elliptic curve in FIPS 186-5 https://csrc.nist.gov/publications/detail/fips/186/5/draft

func (*Pkcs11Client) SignCertRSA

func (p *Pkcs11Client) SignCertRSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

func (*Pkcs11Client) SignCertRSAPSS

func (p *Pkcs11Client) SignCertRSAPSS(csrData []byte, signer *HsmSigner) (cert []byte, err error)

type Pkcs11ConnectionState

// Pkcs11ConnectionState is the int-backed type of Pkcs11Client.ConnectionState.
type Pkcs11ConnectionState int

type Pkcs11ErrorCode

// Pkcs11ErrorCode is the int-backed type of the PKCS11ERR_* constants and of
// Pkcs11Client.LastErrCode.
type Pkcs11ErrorCode int
