pkcs11client

package
v0.3.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 22, 2021 License: MPL-2.0 Imports: 23 Imported by: 1

Documentation

Overview

Helpers for PKCS#11 including instructions for configuring: - SoftHSM - Thales SafeNet DPoD - Entrust nShield

Index

Constants

View Source 
const (
	DEFAULT_CONNECTTIMEOUTS = 30
	DEFAULT_READTIMEOUTS    = 30
)
View Source 
const (
	PKCS11ERR_NONE Pkcs11ErrorCode = iota
	PKCS11ERR_GENERICERROR
	PKCS11ERR_CONNECTIONTIMEOUT
	PKCS11ERR_READTIMEOUT

	PKCS11CONNECTION_NONE = iota
	PKCS11CONNECTION_INPROGRESS
	PKCS11CONNECTION_FAILED
	PKCS11CONNECTION_SUCCEEDED
)
View Source 
const (
	CKM_EDDSA_NACL = (pkcs11.CKM_VENDOR_DEFINED + 0xC02) // ed25519 sign/verify - NaCl compatible
	CKM_EDDSA      = (pkcs11.CKM_VENDOR_DEFINED + 0xC03) // ed25519 sign/verify

	CKK_EC_EDWARDS = (pkcs11.CKK_VENDOR_DEFINED + 0x12)

	ERR_NEWKEYINTEGRITY      = "For new keys check that all of KeyBits, ID and Label are set"
	ERR_NEWKEYALREADYEXISTS  = "Key already exists"
	ERR_NOMECHANISMCREATE    = "Unable to find a key mechanism for key creation"
	ERR_UNSUPPORTEDKEYTYPE   = "Unsupported key type. Please use CKK_RSA or CKK_EC"
	ERR_UNSUPPORTEDCURVESIZE = "No curve for key bit size"
)

Variables

This section is empty.

Functions

func GenMechanismById 

func GenMechanismById(mechanismId uint) (mechanism []*pkcs11.Mechanism, err error)

For mechanisms that don't need additional params case pkcs11.CKM_RSA_PKCS: // PKCS#1 RSASSA v1.5 sign case pkcs11.CKM_RSA_X_509: // not in FIPS mode

func GenSignedCert 

func GenSignedCert(csr *x509.CertificateRequest,
	caCert *x509.Certificate,
	caSigner *HsmSigner) (signedCert *x509.Certificate, err error)

func GenSignerMechanismById 

func GenSignerMechanismById(mechanismId uint, opts crypto.SignerOpts) ([]*pkcs11.Mechanism, error)

func GenSubjectKeyID added in v0.3.2 

func GenSubjectKeyID(publicKey crypto.PublicKey) ([]byte, error)

used in the CA cert

func GetPubKeyType added in v0.3.3 

func GetPubKeyType(publicKey crypto.PublicKey) (keyType x509.PublicKeyAlgorithm, err error)

func LoadCertFromFile 

func LoadCertFromFile(filename string) (*x509.Certificate, error)

func LoadCertRequestFromFile 

func LoadCertRequestFromFile(filename string) (*x509.CertificateRequest, error)

func LoadFromFileAsString added in v0.3.2 

func LoadFromFileAsString(filename string) (*string, error)

func LoadPEMCertFromFile added in v0.3.2 

func LoadPEMCertFromFile(filename string) (*x509.Certificate, error)

func LoadPubkeyFromFile 

func LoadPubkeyFromFile(filename string) (interface{}, error)

func SaveCertToFile 

func SaveCertToFile(filename string, cert *x509.Certificate) error

func SaveDataToFile 

func SaveDataToFile(filename string, fileData *[]byte) (err error)

Types

type CASigningRequest 

type CASigningRequest struct {
	// contains filtered or unexported fields
}

type HsmConfig 

type HsmConfig struct {
	// the HSM's client PKCS#11 library
	Lib string

	// the HSM slot ID
	SlotId uint `json:"slot_id"`

	// the slot pin
	Pin string

	// a key label
	KeyLabel string `json:"key_label"`

	// connection timeout seconds
	ConnectTimeoutS uint `json:"connect_timeout_s"`

	// function timeout seconds
	ReadTimeoutS uint `json:"read_timeout_s"`
}

func ParseHsmConfig 

func ParseHsmConfig(filename string) (*HsmConfig, error)

func (*HsmConfig) CheckSetDefaultTimeouts 

func (h *HsmConfig) CheckSetDefaultTimeouts()

func (*HsmConfig) ValidateConfig 

func (h *HsmConfig) ValidateConfig() error

Only check the presence of the client lib the slot could be 0, the pin could be blank and the key label could be set dynamically

type HsmSigner 

type HsmSigner struct {
	CryptoSigner crypto.Signer

	Pkcs11Client  *Pkcs11Client
	PublicKey     crypto.PublicKey
	KeyConfig     KeyConfig
	SignerOpts    crypto.SignerOpts
	Serial        int64
	SignatureAlgo x509.SignatureAlgorithm
	// contains filtered or unexported fields
}

func (HsmSigner) Public 

func (t HsmSigner) Public() crypto.PublicKey

func (HsmSigner) Sign 

func (t HsmSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signedCsr []byte, err error)

type KeyConfig 

type KeyConfig struct {
	// CKA_LABEL
	Label string

	// CKA_ID doesn't appear to work with SoftHSM
	Id []byte

	// for CKA_KEY_TYPE
	Type uint

	// CKA_MODULUS BITS only needed for key creation
	KeyBits int

	// The mechanism will be auto populated but it can be manually set
	Mechanism []*pkcs11.Mechanism
}

type KeyConfigKeyPairTemplate added in v0.3.1 

type KeyConfigKeyPairTemplate struct {
	// contains filtered or unexported fields
}

func GenKeyConfigKeyPairTemplate added in v0.3.1 

func GenKeyConfigKeyPairTemplate(keyConfig *KeyConfig) KeyConfigKeyPairTemplate

func (*KeyConfigKeyPairTemplate) GenDefaultKeyPairPrivTemplateForSigning added in v0.3.1 

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairPrivTemplateForSigning()

func (*KeyConfigKeyPairTemplate) GenDefaultKeyPairPubTemplateForSigning added in v0.3.1 

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairPubTemplateForSigning()

func (*KeyConfigKeyPairTemplate) GenDefaultKeyPairTemplateForSigning added in v0.3.1 

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairTemplateForSigning()

func (*KeyConfigKeyPairTemplate) GenDefaultKeySecurityTemplate added in v0.3.1 

func (kp *KeyConfigKeyPairTemplate) GenDefaultKeySecurityTemplate()

func (*KeyConfigKeyPairTemplate) GenKeyPairTemplateAttribs added in v0.3.1 

func (kp *KeyConfigKeyPairTemplate) GenKeyPairTemplateAttribs() (privAttribs []*pkcs11.Attribute, pubAttribs []*pkcs11.Attribute, err error)

type KeyTemplatePrivConfig added in v0.3.1 

type KeyTemplatePrivConfig struct {

	// CKA_DECRYPT
	IsDecrypt bool

	// CKA_UNWRAP
	IsUnwrap bool

	// CKA_SIGN
	IsSign bool

	// CKA_DERIVE
	IsDerive bool
}

type KeyTemplatePubConfig added in v0.3.1 

type KeyTemplatePubConfig struct {

	// CKA_ENCRYPT
	IsEncrypt bool

	// CKA_WRAP
	IsWrap bool

	// CKA_VERIFY
	IsVerify bool

	// CKA_PUBLIC_EXPONTENT
	Exponent []byte
}

type KeyTemplateSecurity added in v0.3.1 

type KeyTemplateSecurity struct {

	// CKA_TOKEN token or session object
	IsToken bool

	// CKA_PRIVATE requires elevated privileges to report the presence of a key object
	IsPrivate bool

	// CKA_SENSITIVE
	IsSensitive bool

	// CKA_ALWAYS_SENSITIVE
	IsAlwaysSensitive bool

	// CKA_MODIFIABLE
	IsModifiable bool

	// CKA_EXTRACTABLE
	IsExtractable bool

	// CKA_NEVER_EXTRACTABLE
	IsNeverExtractable bool
}

type Pkcs11Client 

type Pkcs11Client struct {
	HsmConfig   *HsmConfig
	Pkcs11Mutex sync.Mutex
	// the most recent error and code should only be used whilst holding the mutex lock
	ConnectionState Pkcs11ConnectionState
	LastErrCode     Pkcs11ErrorCode
	LastErr         error
	// contains filtered or unexported fields
}

func (*Pkcs11Client) CheckExistsCreateKeyPair added in v0.3.1 

func (p *Pkcs11Client) CheckExistsCreateKeyPair(keyConfig *KeyConfig) error

first see if the key already exists, whether identified by ID or by LABEL

func (*Pkcs11Client) CheckExistsOkCreateKeyPair added in v0.3.2 

func (p *Pkcs11Client) CheckExistsOkCreateKeyPair(keyConfig *KeyConfig) error

func (*Pkcs11Client) Cleanup 

func (p *Pkcs11Client) Cleanup()

func (*Pkcs11Client) CreateKeyPair added in v0.3.1 

func (p *Pkcs11Client) CreateKeyPair(keyConfig *KeyConfig) error

No existence check here, which means a new key can be created with the same label but a different ID

func (*Pkcs11Client) DecryptRsaPkcs1v15 

func (p *Pkcs11Client) DecryptRsaPkcs1v15(encryptedData *[]byte, plainData *[]byte, keyConfig KeyConfig) (err error)

insecure PKCSv1_15 not supported by FIPS enabled SafeNet HSM but works with SoftHSM

func (*Pkcs11Client) DecryptRsaPkcsOaep 

func (p *Pkcs11Client) DecryptRsaPkcsOaep(encryptedData *[]byte, plainData *[]byte, keyConfig KeyConfig, hashAlg crypto.Hash) (err error)

RSA OAEP requires additional params keyConfig.Mechanism will be auto populated based on the hashAlg unless already set, ie. it can be overridden hashAlg is eg. crypto.SHA256

func (*Pkcs11Client) DecryptRsaPkcsX509 

func (p *Pkcs11Client) DecryptRsaPkcsX509(encryptedData *[]byte, plainData *[]byte, keyConfig KeyConfig) (err error)

func (*Pkcs11Client) DecryptWithHandle 

func (p *Pkcs11Client) DecryptWithHandle(encryptedData *[]byte,
	plainText *[]byte,
	mechanism []*pkcs11.Mechanism,
	objHandle pkcs11.ObjectHandle) (err error)

func (*Pkcs11Client) DeleteKeyPair added in v0.3.1 

func (p *Pkcs11Client) DeleteKeyPair(keyConfig *KeyConfig) (err error)

func (*Pkcs11Client) EncryptRsaPkcs1v15 

func (p *Pkcs11Client) EncryptRsaPkcs1v15(plainData *[]byte, encryptedData *[]byte, keyConfig KeyConfig) (err error)

PKCS v1_15 supports Encrypt/Decrypt, Sign/Verify, SR/VR, Wrap/Unwrap only insecure PKCSv1_15 not supported by FIPS enabled SafeNet HSM but works with SoftHSM

func (*Pkcs11Client) EncryptRsaPkcsOaep 

func (p *Pkcs11Client) EncryptRsaPkcsOaep(plainData *[]byte, encryptedData *[]byte, keyConfig KeyConfig, hashAlg crypto.Hash) (err error)

RSA OAEP supports Encrypt/Decrypt and Wrap/Unwrap only requires additional params keyConfig.Mechanism will be auto populated based on the hashAlg unless already set, ie. it can be overridden hashAlg is eg. crypto.SHA256 check RSA mechanisms vs functions: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.html#_Toc416959967

func (*Pkcs11Client) EncryptRsaPkcsX509 

func (p *Pkcs11Client) EncryptRsaPkcsX509(plainData *[]byte, encryptedData *[]byte, keyConfig KeyConfig) (err error)

func (*Pkcs11Client) EncryptWithHandle 

func (p *Pkcs11Client) EncryptWithHandle(plainData *[]byte,
	encryptedData *[]byte,
	mechanism []*pkcs11.Mechanism,
	objHandle pkcs11.ObjectHandle) (err error)

func (*Pkcs11Client) ExistsPublicKey added in v0.3.1 

func (p *Pkcs11Client) ExistsPublicKey(keyConfig *KeyConfig) (exists bool, err error)

Check the public part of the key exists by label and/or ID

func (*Pkcs11Client) FetchKeyPairHandles added in v0.3.1 

func (p *Pkcs11Client) FetchKeyPairHandles(keyConfig *KeyConfig) (privKeyHandle *[]pkcs11.ObjectHandle, pubKeyHandle *[]pkcs11.ObjectHandle, err error)

Fetch the key handles if exist

func (*Pkcs11Client) FindObjects 

func (p *Pkcs11Client) FindObjects(attribs []*pkcs11.Attribute, max int) (objHandles []pkcs11.ObjectHandle, err error)

func (*Pkcs11Client) FlushSession 

func (p *Pkcs11Client) FlushSession()

func (*Pkcs11Client) GetECDSAPublicKey 

func (p *Pkcs11Client) GetECDSAPublicKey(object pkcs11.ObjectHandle) (*ecdsa.PublicKey, error)

https://github.com/letsencrypt/boulder/blob/release-2021-02-08/pkcs11helpers/helpers.go#L208

func (*Pkcs11Client) GetGenSubjectKeyId added in v0.3.2 

func (p *Pkcs11Client) GetGenSubjectKeyId(keyConfig *KeyConfig, keyType uint) (subjectKeyId []byte, publicKey crypto.PublicKey, err error)

get the public key from the HSM and generate the subjectKeyID from it for CA cert gen

func (*Pkcs11Client) GetRSAPublicKey added in v0.3.3 

func (p *Pkcs11Client) GetRSAPublicKey(object pkcs11.ObjectHandle) (*rsa.PublicKey, error)

https://github.com/letsencrypt/boulder/blob/release-2021-02-08/pkcs11helpers/helpers.go#L178

func (*Pkcs11Client) Init 

func (p *Pkcs11Client) Init() (err error)

func (*Pkcs11Client) InitAndLoginWithTimeout 

func (p *Pkcs11Client) InitAndLoginWithTimeout() (err error)

this includes the PKCS#11 Initialize as part of the overall timeout

func (*Pkcs11Client) Login 

func (p *Pkcs11Client) Login() (err error)

func (*Pkcs11Client) LoginWithTimeout 

func (p *Pkcs11Client) LoginWithTimeout() error

for module handling of connection timeout without the PKCS#11 Initialize as part of the timeout alternatively the Login function can be called directly so that timeouts can be handled externally

func (*Pkcs11Client) Logout 

func (p *Pkcs11Client) Logout() (err error)

func (*Pkcs11Client) ReadECPublicKey 

func (p *Pkcs11Client) ReadECPublicKey(keyConfig *KeyConfig) (pubKey interface{}, err error)

func (*Pkcs11Client) ReadExistsPublicKey 

func (p *Pkcs11Client) ReadExistsPublicKey(keyConfig *KeyConfig) (publicKey []byte, err error)

func (*Pkcs11Client) ReadPublicKey 

func (p *Pkcs11Client) ReadPublicKey(keyConfig *KeyConfig, pubKeyType uint) (pubKey interface{}, err error)

func (*Pkcs11Client) ReadRSAPublicKey 

func (p *Pkcs11Client) ReadRSAPublicKey(keyConfig *KeyConfig) (pubKey interface{}, err error)

https://stackoverflow.com/a/25181584/2002211

func (*Pkcs11Client) SignCertDSA 

func (p *Pkcs11Client) SignCertDSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

func (*Pkcs11Client) SignCertECDSA 

func (p *Pkcs11Client) SignCertECDSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

func (*Pkcs11Client) SignCertEDDSA 

func (p *Pkcs11Client) SignCertEDDSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

EDDSA uses the Edwards Ed25519 elliptic curve in FIPS 186-5 https://csrc.nist.gov/publications/detail/fips/186/5/draft

func (*Pkcs11Client) SignCertRSA 

func (p *Pkcs11Client) SignCertRSA(csrData []byte, signer *HsmSigner) (cert []byte, err error)

func (*Pkcs11Client) SignCertRSAPSS 

func (p *Pkcs11Client) SignCertRSAPSS(csrData []byte, signer *HsmSigner) (cert []byte, err error)

type Pkcs11ConnectionState 

type Pkcs11ConnectionState int

type Pkcs11ErrorCode 

type Pkcs11ErrorCode int

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.