pkcs11

package
v0.0.0-...-9474aff Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 28, 2022 License: BSD-3-Clause Imports: 9 Imported by: 0

Documentation

Overview

Package pkcs11 implements the libraries for accessing and testing the chaps pkcs#11 keystore.

Index

Constants

View Source
const (
	// GenRSA2048 is used to specify that we want to generate RSA 2048 key in CreateGeneratedKey.
	GenRSA2048 = "rsa:2048"
	// GenECP256 is used to specify that we want to generate elliptic curve key with P256 curve in CreateGeneratedKey.
	GenECP256 = "EC:prime256v1"
)

Variables

View Source
var ECDSASHA1 = MechanismInfo{
	Name: "ECDSA-SHA1-P256",
	// contains filtered or unexported fields
}

ECDSASHA1 represents the MechanismInfo that uses ECDSA signature scheme with SHA1. Note that NIST P256 curve is used.

View Source
var GenericRSAPKCSPSSWithSHA1 = MechanismInfo{
	Name: "RSA-PKCS-PSS+SHA1",
	// contains filtered or unexported fields
}

GenericRSAPKCSPSSWithSHA1 represents the MechanismInfo that uses generic RSA PSS signature scheme with SHA1. Note that this mechanism is different from the other one in the sense that this one is using standalone, generic version of the RSA PSS mechanism, and SHA1 is specified as the hash algorithm in PSS parameters (instead of being part of mechanism).

View Source
var GenericRSAPKCSPSSWithSHA256 = MechanismInfo{
	Name: "RSA-PKCS-PSS+SHA256",
	// contains filtered or unexported fields
}

GenericRSAPKCSPSSWithSHA256 represents the MechanismInfo that uses generic RSA PSS signature scheme with SHA256. Note that this mechanism is different from the other one in the sense that this one is using standalone, generic version of the RSA PSS mechanism, and SHA256 is specified as the hash algorithm in PSS parameters (instead of being part of mechanism).

View Source
var SHA1RSAPKCS = MechanismInfo{
	Name: "SHA1-RSA-PKCS",
	// contains filtered or unexported fields
}

SHA1RSAPKCS represents the MechanismInfo that is a signing scheme that uses SHA1 for hashing and RSA PKCS#1 v1.5 for signing.

View Source
var SHA1RSAPKCSPSS = MechanismInfo{
	Name: "SHA1-RSA-PKCS-PSS",
	// contains filtered or unexported fields
}

SHA1RSAPKCSPSS represents the MechanismInfo that is a signing scheme that uses SHA1 for hashing and RSA PSS for signing.

View Source
var SHA256RSAPKCS = MechanismInfo{
	Name: "SHA256-RSA-PKCS",
	// contains filtered or unexported fields
}

SHA256RSAPKCS represents the MechanismInfo that is a signing scheme that uses SHA256 for hashing and RSA PKCS#1 v1.5 for signing.

View Source
var SHA256RSAPKCSPSS = MechanismInfo{
	Name: "SHA256-RSA-PKCS-PSS",
	// contains filtered or unexported fields
}

SHA256RSAPKCSPSS represents the MechanismInfo that is a signing scheme that uses SHA256 for hashing and RSA PSS for signing.

Functions

func HashFileProcessor

func HashFileProcessor(ctx context.Context, r hwsec.CmdRunner, input, hash string) string

HashFileProcessor is for MechanismInfo.toolSignInputFileProcessor. This function takes an input file and compute the hash hash and then return the hash file name. Usual inputs for hash is "sha1" or "sha256".

func NoOpFileProcessor

func NoOpFileProcessor(ctx context.Context, runner hwsec.CmdRunner, input string) string

NoOpFileProcessor is for MechanismInfo.toolSignInputFileProcessor. This function does nothing to the input.

Types

type Chaps

type Chaps struct {
	// contains filtered or unexported fields
}

Chaps is the class that stores the persistent state that is required to run all PKCS#11 related utility calls.

func NewChaps

NewChaps creates a new Chaps.

func (*Chaps) ClearObjects

func (p *Chaps) ClearObjects(ctx context.Context, slot int, objID, objType string) error

ClearObjects remove all objects with the given ID objID in the token in slot slot and of type objType. objType is usually "privkey" or "cert".

func (*Chaps) ClearObjectsOfAllType

func (p *Chaps) ClearObjectsOfAllType(ctx context.Context, slot int, objID string) error

ClearObjectsOfAllType remove all objects with the given ID objID in the token in slot slot, regardless of type.

func (*Chaps) CreateECSoftwareKey

func (p *Chaps) CreateECSoftwareKey(ctx context.Context, scratchpadPath, username, keyname, objID string, forceSoftwareBacked, checkSoftwareBacked bool) (*KeyInfo, error)

CreateECSoftwareKey create a key and insert it into the system token (if username is empty), or user token specified by username. The object will have an ID of objID, and the corresponding public key will be deposited in the scratchpad.

func (*Chaps) CreateGeneratedKey

func (p *Chaps) CreateGeneratedKey(ctx context.Context, scratchpadPath, keyType, username, keyname, objID string) (*KeyInfo, error)

CreateGeneratedKey creates a key by generating it in TPM and insert it into the system token (if username is empty), or user token specified by username. The object will have an ID of objID, and the corresponding public key will be deposited in /tmp/$keyname.key. Use GenRSA2048 or GenECP256 above for keyType.

func (*Chaps) CreateKeyCopy

func (p *Chaps) CreateKeyCopy(ctx context.Context, origKey *KeyInfo, objID string, attributes map[string]string) (*KeyInfo, string, error)

CreateKeyCopy creates a copy of origKey and sets its CKA_ID to objID, and other attributes according to attributes map. It returns (key, message, err), whereby err is nil iff the operation is successful. key is the new key and message is the stdout of p11_replay command where available.

func (*Chaps) CreateRSASoftwareKey

func (p *Chaps) CreateRSASoftwareKey(ctx context.Context, scratchpadPath, username, keyname, objID string, forceSoftwareBacked, checkSoftwareBacked bool) (*KeyInfo, error)

CreateRSASoftwareKey create a key and insert it into the system token (if username is empty), or user token specified by username. The object will have an ID of objID, and the corresponding public key will be deposited in /tmp/$keyname.key.

func (*Chaps) DestroyKey

func (p *Chaps) DestroyKey(ctx context.Context, key *KeyInfo) error

DestroyKey destroys the given key by removing it from disk and keystore.

func (*Chaps) DumpKeyInfo

func (p *Chaps) DumpKeyInfo(k *KeyInfo) string

DumpKeyInfo converts the information in the key into a human readable string for debugging purpose.

func (*Chaps) GetObjectAttribute

func (p *Chaps) GetObjectAttribute(ctx context.Context, key *KeyInfo, objType, name string) (value string, err error)

GetObjectAttribute retrieves the object of objType type and the id specified in key, and returns its attribute specified by name. The returned values are (value, err), err is nil iff the operation is successful, and in that case value holds the hex encoded attribute value. err could be an error that contains only a single CKR_* code if that is the case.

func (*Chaps) ImportPEMKeyAndCertBySlot

func (p *Chaps) ImportPEMKeyAndCertBySlot(ctx context.Context, scratchpadPath, privKey, cert, objID string, slot int) (*KeyInfo, error)

ImportPEMKeyAndCertBySlot imports key and cert of PEM format to the token specified by slot. The object will have an ID of objID. It is OK for either privKey or cert to be empty if they are not needed.

func (*Chaps) ImportPrivateKeyBySlot

func (p *Chaps) ImportPrivateKeyBySlot(ctx context.Context, privKeyPath string, slot int, objID string, forceSoftwareBacked bool) (*KeyInfo, error)

ImportPrivateKeyBySlot creates a key by importing it from existing DER format private key file specified by privKeyPath. The key will be inserted into the token specified by slot. The object will have an ID of objID.

func (*Chaps) IsSoftwareBacked

func (p *Chaps) IsSoftwareBacked(ctx context.Context, key *KeyInfo) (bool, error)

IsSoftwareBacked checks if the given key is backed by hardware or software. The return error is nil iff the operation is successful, in that case, the boolean is true iff it is backed in software.

func (*Chaps) ListSlots

func (p *Chaps) ListSlots(ctx context.Context) ([]SlotInfo, error)

ListSlots lists the slots in chaps

func (*Chaps) ReplayWifiBySlot

func (p *Chaps) ReplayWifiBySlot(ctx context.Context, slot int, args ...string) error

ReplayWifiBySlot replays a EAP-TLS Wifi negotiation by slot.

func (*Chaps) RunPkcs11Tool

func (p *Chaps) RunPkcs11Tool(ctx context.Context, args ...string) ([]byte, error)

RunPkcs11Tool will execute "pkcs11-tool --module=chapsPath args..." on the DUT.

func (*Chaps) SetObjectAttribute

func (p *Chaps) SetObjectAttribute(ctx context.Context, key *KeyInfo, objType, name, value string) (err error)

SetObjectAttribute retrieves the object of objType type and the id specified in key, and sets its attribute specified by name with the value value. The returned value is err, whereby err is nil iff the operation is successful.

func (*Chaps) Sign

func (p *Chaps) Sign(ctx context.Context, key *KeyInfo, input, output string, mechanism *MechanismInfo) error

Sign sign the input and write the signature to output, using the mechanism, and signed with key. It'll return nil iff the signing is successful.

func (*Chaps) Verify

func (p *Chaps) Verify(ctx context.Context, key *KeyInfo, input, signaturePath string, mechanism *MechanismInfo) error

Verify verify the signature at signaturePath, signed with key and mechanism, and the message at input. It'll return nil iff the signature is valid.

type Error

type Error struct {
	*errors.E

	// PKCS11RetCode contains the return code from PKCS#11 method calls, and it should be of the form CKR_*
	PKCS11RetCode string

	// CmdMessage holds the stdout and stderr of the command execution, that is, the command that actually invoked the PKCS#11 calls.
	CmdMessage string
}

Error is a custom error type for storing error that occurs in PKCS#11 APIs with specific CKR_* error code.

type KeyInfo

type KeyInfo struct {
	// contains filtered or unexported fields
}

KeyInfo stores the information for a particular key, both on disk and in chaps keystore.

type MechanismInfo

type MechanismInfo struct {
	// Name used to identify this mechanism in debug message.
	Name string
	// contains filtered or unexported fields
}

MechanismInfo stores the information regarding a mechanism, and the various related parameters for using this mechanism with various tools such as openssl and pkcs11-tool. Note that there's a set of constants defined in this file for users of this struct.

type SlotInfo

type SlotInfo struct {
	// contains filtered or unexported fields
}

SlotInfo stores the information for a particular slot in chaps.

Directories

Path Synopsis
Package netcertstore hosts the NetCertStore.
Package netcertstore hosts the NetCertStore.
Package pkcs11test implements utilities for testing the chaps pkcs#11 keystore.
Package pkcs11test implements utilities for testing the chaps pkcs#11 keystore.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL