Documentation ¶
Index ¶
- Constants
- func CreateCSR(b *HsmPkiBackend, data *certutil.CreationBundle, addBasicConstraints bool) (*certutil.ParsedCSRBundle, error)
- func CreateCertificate(b *HsmPkiBackend, data *certutil.CreationBundle) (*certutil.ParsedCertBundle, error)
- func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)
- func GenDateTimeKeyLabel() (keyLabel string)
- func GetDataKeyType(data *string) (keyType uint, err error)
- func SignCertificate(b *HsmPkiBackend, data *certutil.CreationBundle) (*certutil.ParsedCertBundle, error)
- type HsmConfigCompat
- type HsmPkiBackend
- type HsmPkiConfig
Constants ¶
const ( PATH_CA = "ca" PATH_CAKEYLABEL = "cert/ca_keylabel" PATH_CAKEYTYPE = "cert/ca_keytype" PATH_CAKEYSIZE = "cert/ca_keysize" PATH_CERTS = "certs/" PATH_ROLE = "role/" PATH_SETSIGNEDINTERMEDIATE = "intermediate/set-signed" PATH_SETCRLCONFIG = "config/crl" PATH_FETCHCRL = "crl" PATH_REVOKE = "revoke" PATH_TIDY = "tidy" PATH_ROTATECRL = "crl/rotate" PATH_GENERATEROOT = "root/generate/" PATH_GENERATEINTERMEDIATE = "intermediate/generate/" PATH_SIGNINTERMEDIATE = "root/sign-intermediate" PATH_ISSUE = "issue/" PATH_ROOT = "root" PATH_HASHALGO = "hash_algo" FIELD_ROLE = "role" FIELD_KEYALIAS = "key_label" FIELD_HASHALGO = "hash_algo" FIELD_COMMON_NAME = "common_name" FIELD_TYPE = "type" FIELD_EXPORTED = "exported" FIELD_TTL = "ttl" FIELD_KEY_TYPE = "key_type" FIELD_KEY_BITS = "key_bits" FIELD_PERMITTED_DNS_NAMES = "permitted_dns_names" FIELD_ORGANIZATION = "organization" FIELD_OU = "ou" FIELD_COUNTRY = "country" FIELD_LOCALITY = "locality" FIELD_PROVINCE = "province" FIELD_STREET_ADDRESS = "street_address" FIELD_POSTAL_CODE = "postal_code" FIELD_CSR = "csr" FIELD_CERTIFICATE = "certificate" CONFIG_PARAM = "config" CONFIG_PLUGIN_NAME = "plugin_name" PLUGIN_HELP = "The hsmpki backend is a PKI plugin that uses an HSM for CA signing." 
DEFAULT_CRL_LIFETIME = 72 //ROOTCA_BUNDLE = "config/rootca_bundle" //INTERCA_BUNDLE = "config/ca_bundle" CA_BUNDLE = "config/ca_bundle" CA_TYPE = "ca/catype" // relative to test working directory in pkg/hsmpki //TEST_CONFIG_HSM = "../../conf/config-softhsm.hcl" TEST_CONFIG_HSM = "../../conf/config-safenet.hcl" TEST_EXPORTED = "internal" TEST_ROLENAME = "localhost" TEST_ALLOWED_DOMAINS = "localhost" TEST_MAX_TTL = "72h" TEST_TTL = "1h" TEST_COMMON_NAME = "localhost" TEST_ROLE_NAME = "localhost" TEST_KEY_LABEL = "ECTestCAInterKey0016" //TEST_SIGNEDCACERTFILE = "../../data/softhsm-inter-0002.ca.cert.pem" TEST_SIGNEDCACERTFILE = "../../data/safenet-inter-02.ca.cert.pem" TEST_ROOTCACERTFILE = "../../data/testrootca.cert.pem" TEST_INTERCSRFILE = "../../data/testintermediate.csr.pem" TEST_INTERCERTFILE = "../../data/testintermediate.cert.pem" TEST_CAROOTCOMMONNAME = "safenet.ec17.rootca.mode51.software" TEST_CAINTERCOMMONNAME = "safenet.ec17.interca.mode51.software" TEST_CAKEYTYPERSA = "rsa" TEST_CAKEYBITSRSA = "4096" TEST_CAKEYTYPEEC = "ec" TEST_CAKEYBITSEC = "521" TEST_CAPERMITTEDDNSDOMAINS = "localhost" TEST_CAORGANIZATION = "mode51 Software Ltd" TEST_CAOU = "Security" TEST_CACOUNTRY = "GB" TEST_CAPROVINCE = "Cambridgeshire" TEST_CALOCALITY = "Cambridge" TEST_CASTREETADDRESS = "1 The Street" TEST_CAPOSTALCODE = "CB1 1AA" TEST_CATTL = 8 * 60 )
Variables ¶
This section is empty.
Functions ¶
func CreateCSR ¶ added in v0.3.3
func CreateCSR(b *HsmPkiBackend, data *certutil.CreationBundle, addBasicConstraints bool) (*certutil.ParsedCSRBundle, error)
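// GeneratePrivateKey generates a fresh private key of the requested type and
// size and hands it to container via SetParsedPrivateKey, together with its
// DER encoding (PKCS#1 for RSA, SEC 1 for EC).
//
// keyType selects the algorithm: "rsa" or "ec". For RSA, keyBits is the
// modulus length in bits and must be at least minRSAKeyBits; for EC it selects
// the NIST curve (224, 256, 384 or 521). Caller mistakes (unknown type,
// unsupported size) are returned as errutil.UserError; failures inside the
// crypto library are returned as errutil.InternalError. On error, container
// is left untouched.
func GeneratePrivateKey(keyType string, keyBits int, container certutil.ParsedPrivateKeyContainer) error {
	// keyBits normally arrives from role / request parameters (FIELD_KEY_BITS),
	// so enforce a floor here rather than trusting the caller: short RSA moduli
	// are factorable in practice and must never back a CA or leaf key.
	const minRSAKeyBits = 2048

	var (
		privateKeyType  certutil.PrivateKeyType
		privateKeyBytes []byte
		privateKey      crypto.Signer
	)

	switch keyType {
	case "rsa":
		if keyBits < minRSAKeyBits {
			return errutil.UserError{Err: fmt.Sprintf("unsupported bit length for RSA key: %d (minimum %d)", keyBits, minRSAKeyBits)}
		}
		rsaKey, err := rsa.GenerateKey(rand.Reader, keyBits)
		if err != nil {
			return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)}
		}
		privateKeyType = RSAPrivateKey
		privateKey = rsaKey
		// MarshalPKCS1PrivateKey has no error return.
		privateKeyBytes = x509.MarshalPKCS1PrivateKey(rsaKey)

	case "ec":
		var curve elliptic.Curve
		switch keyBits {
		case 224:
			curve = elliptic.P224()
		case 256:
			curve = elliptic.P256()
		case 384:
			curve = elliptic.P384()
		case 521:
			curve = elliptic.P521()
		default:
			return errutil.UserError{Err: fmt.Sprintf("unsupported bit length for EC key: %d", keyBits)}
		}
		ecKey, err := ecdsa.GenerateKey(curve, rand.Reader)
		if err != nil {
			return errutil.InternalError{Err: fmt.Sprintf("error generating EC private key: %v", err)}
		}
		privateKeyBytes, err = x509.MarshalECPrivateKey(ecKey)
		if err != nil {
			return errutil.InternalError{Err: fmt.Sprintf("error marshalling EC private key: %v", err)}
		}
		privateKeyType = ECPrivateKey
		privateKey = ecKey

	default:
		return errutil.UserError{Err: fmt.Sprintf("unknown key type: %s", keyType)}
	}

	container.SetParsedPrivateKey(privateKey, privateKeyType, privateKeyBytes)
	return nil
}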
Creates a CSR. This is currently only meant for use when generating an intermediate certificate.
func CreateCertificate ¶
func CreateCertificate(b *HsmPkiBackend, data *certutil.CreationBundle) (*certutil.ParsedCertBundle, error)
Performs the heavy lifting of creating a certificate. Returns a fully-filled-in ParsedCertBundle.
func GenDateTimeKeyLabel ¶ added in v0.3.3
func GenDateTimeKeyLabel() (keyLabel string)
func GetDataKeyType ¶ added in v0.3.3
func SignCertificate ¶
func SignCertificate(b *HsmPkiBackend, data *certutil.CreationBundle) (*certutil.ParsedCertBundle, error)
Performs the heavy lifting of generating a certificate from a CSR. Returns a ParsedCertBundle sans private keys.
Types ¶
type HsmConfigCompat ¶
// HsmConfigCompat is the typed form of the HSM connection settings, with
// numeric slot and timeout fields. The `json` tags reuse the same snake_case
// names the HCL form (HsmPkiConfig) declares; fields without a tag (Lib, Pin)
// serialize under their Go field names.
//
// SECURITY: Pin is an exported string with no `json:"-"`, so any
// encoding/json marshalling, %+v logging or API response that includes a
// value of this type will expose the HSM PIN. Never log or return the struct
// whole; copy out the non-secret fields instead.
type HsmConfigCompat struct {
	// the HSM's client PKCS#11 library
	Lib string
	// the HSM slot ID
	SlotId uint `json:"slot_id"`
	// the slot pin
	Pin string
	// a key label
	KeyLabel string `json:"key_label"`
	// connection timeout seconds
	ConnectTimeoutS uint `json:"connect_timeout_s"`
	// function timeout seconds
	ReadTimeoutS uint `json:"read_timeout_s"`
}
type HsmPkiBackend ¶
// HsmPkiBackend is the Vault logical backend implemented by this plugin.
// HsmBackend holds the framework.Backend that the plugin exposes to Vault
// (presumably the one routing the PATH_* endpoints — confirm in Backend).
// The remaining fields are unexported and elided from this listing, so the
// type is not meant to be built with a composite literal: obtain an instance
// via Backend(conf).
type HsmPkiBackend struct {
	HsmBackend *framework.Backend
	// contains filtered or unexported fields
}
func Backend ¶
func Backend(conf *logical.BackendConfig) (*HsmPkiBackend, error)
type HsmPkiConfig ¶
// HsmPkiConfig is the HSM connection section as decoded from an HCL file
// (see the `hcl` tags). Every value is kept as a string here, including
// slot_id and the timeouts; ConvertHsmConfig / ConvertToHsmConfig produce the
// typed forms and are presumably where these strings are parsed — confirm in
// their bodies, which are not shown on this page. ValidateConfig only requires
// Lib to be present.
//
// SECURITY: Pin holds the HSM slot PIN in clear text. Treat values of this
// type as secrets: keep the HCL file's permissions tight, never commit a real
// PIN with the test configs, and never log or serialize the struct whole.
type HsmPkiConfig struct {
	// the PKCS#11 client library file
	Lib string
	// the slot ID on the HSM
	SlotId string `hcl:"slot_id"`
	// the slot's PIN
	Pin string
	// the HSM key label
	KeyLabel string `hcl:"key_label"`
	// connection timeout seconds
	ConnectTimeoutS string `hcl:"connect_timeout_s"`
	// function timeout seconds
	ReadTimeoutS string `hcl:"read_timeout_s"`
}
func (*HsmPkiConfig) ConvertHsmConfig ¶
func (h *HsmPkiConfig) ConvertHsmConfig(hsmConfig *HsmConfigCompat)
func (*HsmPkiConfig) ConvertToHsmConfig ¶
func (h *HsmPkiConfig) ConvertToHsmConfig() (hsmConfig *pkcs11client.HsmConfig)
func (*HsmPkiConfig) ValidateConfig ¶
func (h *HsmPkiConfig) ValidateConfig() error
Only checks for the presence of the PKCS#11 client library: the slot ID can legitimately be 0, the PIN can be blank (e.g. supplied out of band), and the key label can be set dynamically later, so none of those are validated here.