Documentation ¶
Overview ¶
Copyright 2021 Yahoo.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewCertSign ¶
func NewCertSign(ctx context.Context, pkcs11ModulePath string, keys []config.KeyConfig, requireX509CACert map[string]bool, hostname string, ips []net.IP, uris []*url.URL, requestTimeout uint) (crypki.CertSign, error)
NewCertSign initializes a CertSign object that interacts with a PKCS11 compliant device.
Types ¶
type Config ¶
type Config struct {
	// Keys are a map of key identifier and info
	Keys map[crypki.SignType]KeyInfo
	// ModulePath is the path of pkcs11 module
	ModulePath string
}
Config is the config struct used in pkcs11
type KeyInfo ¶
type KeyInfo struct {
	// SlotNumber indicates slot number on the HSM
	SlotNumber uint
	// TokenLabel indicates token label on the HSM
	TokenLabel string
	// UserPinPath indicates the filepath which contains the pin to login
	// to the specified slot.
	UserPinPath string
	// KeyLabel indicates the label of the key on the slot
	KeyLabel string
	// SignersPerPool is the number of signers we assign on a specific key
	SignersPerPool int
	// KeyType specifies the type of key, such as RSA or ECDSA.
	KeyType x509.PublicKeyAlgorithm
}
KeyInfo contains the info of a specific key. Note that UserPinPath points at a file holding the user PIN for the slot; whoever can read that file and reach the module can open an authenticated session on the slot, so the file should be readable by the crypki service user only.
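The following is an added example, not crypki's own code: it mirrors the KeyInfo fields documented above and shows the two checks a deployment would want before handing the struct to NewCertSign. ValidateKeyInfo rejects values that would only fail later (an empty KeyLabel, a zero-sized pool, a KeyType other than RSA or ECDSA), and LoadUserPin reads the PIN file named by UserPinPath while refusing files that are group- or world-readable. The struct and function names, the 0600 mode requirement and the sample PIN files written to a temporary directory are all assumptions of this example.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// KeyInfo mirrors the fields documented on this page. The validation below is
// an added example and is not the project's own code.
type KeyInfo struct {
	SlotNumber     uint
	TokenLabel     string
	UserPinPath    string
	KeyLabel       string
	SignersPerPool int
	KeyType        x509.PublicKeyAlgorithm
}

// ValidateKeyInfo rejects a KeyInfo that would either fail at login time or
// silently produce an unusable pool (for example SignersPerPool == 0).
func ValidateKeyInfo(k KeyInfo) error {
	if k.KeyLabel == "" {
		return errors.New("KeyLabel must not be empty")
	}
	if k.UserPinPath == "" {
		return errors.New("UserPinPath must not be empty")
	}
	if k.SignersPerPool <= 0 {
		return fmt.Errorf("SignersPerPool must be > 0, got %d", k.SignersPerPool)
	}
	switch k.KeyType {
	case x509.RSA, x509.ECDSA:
		return nil
	default:
		return fmt.Errorf("unsupported KeyType %v (want RSA or ECDSA)", k.KeyType)
	}
}

// LoadUserPin reads the PIN file referenced by UserPinPath. It refuses files
// readable by group or others: the PIN is equivalent to possession of the
// signing key for anyone who can open a session on that slot. The 0600
// requirement is this example's policy, not something the page prescribes.
func LoadUserPin(path string) (string, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	if !fi.Mode().IsRegular() {
		return "", fmt.Errorf("%s: not a regular file", path)
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return "", fmt.Errorf("%s: mode %04o is too permissive (want 0600 or stricter)", path, fi.Mode().Perm())
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	pin := strings.TrimRight(string(data), "\r\n")
	if pin == "" {
		return "", fmt.Errorf("%s: empty PIN", path)
	}
	return pin, nil
}

func main() {
	// Constructed sample input: one PIN file with a safe mode, one world-readable.
	dir, err := os.MkdirTemp("", "pinexample")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	good := filepath.Join(dir, "pin.txt")
	_ = os.WriteFile(good, []byte("123456\n"), 0o600)
	_ = os.Chmod(good, 0o600)
	bad := filepath.Join(dir, "pin-world.txt")
	_ = os.WriteFile(bad, []byte("123456\n"), 0o644)
	_ = os.Chmod(bad, 0o644)

	for _, p := range []string{good, bad} {
		pin, err := LoadUserPin(p)
		fmt.Printf("%s -> pin=%q err=%v\n", filepath.Base(p), pin, err)
	}
	ki := KeyInfo{TokenLabel: "token", UserPinPath: good, KeyLabel: "ssh-user-key", SignersPerPool: 2, KeyType: x509.ECDSA}
	fmt.Println("validate:", ValidateKeyInfo(ki))
}
```

The permission check is deliberately done with Stat before ReadFile rather than after, so a too-permissive file is never read into process memory at all.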
type PKCS11Ctx ¶
type PKCS11Ctx interface {
	GetAttributeValue(p11.SessionHandle, p11.ObjectHandle, []*p11.Attribute) ([]*p11.Attribute, error)
	SignInit(p11.SessionHandle, []*p11.Mechanism, p11.ObjectHandle) error
	Sign(p11.SessionHandle, []byte) ([]byte, error)
	Login(p11.SessionHandle, uint, string) error
	GenerateRandom(p11.SessionHandle, int) ([]byte, error)
	FindObjectsInit(sh p11.SessionHandle, temp []*p11.Attribute) error
	FindObjects(sh p11.SessionHandle, max int) ([]p11.ObjectHandle, bool, error)
	FindObjectsFinal(sh p11.SessionHandle) error
	CloseSession(sh p11.SessionHandle) error
	OpenSession(slotID uint, flags uint) (p11.SessionHandle, error)
	GetSlotList(tokenPresent bool) ([]uint, error)
	GetSlotInfo(slotID uint) (p11.SlotInfo, error)
	GetTokenInfo(slotID uint) (p11.TokenInfo, error)
}
The PKCS11Ctx interface is added so that pkcs11.Ctx can be mocked. Run the following command to generate the mock:
type Request ¶ added in v1.11.0
type Request struct {
// contains filtered or unexported fields
}
Request holds the information the collector needs to fetch and process a request. It carries two channels: one for the response, and one that notifies the worker when the client request times out so that it stops processing any further request from that client.
type SignerPool ¶
type SignerPool struct {
// contains filtered or unexported fields
}
SignerPool is a pool of PKCS11 signers; each key corresponds to one SignerPool.
type Work ¶ added in v1.11.0
func (*Work) DoWork ¶ added in v1.11.0
DoWork fetches a signer from the pool and sends it back on the response channel. If the client cancels the request or its deadline passes, the worker must not keep waiting indefinitely for a signer from the pool. A separate PKCS11 timeout bounds the maximum duration the worker waits on the pool; when that is exceeded the client request is cancelled.
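To make the two bounds concrete, here is an added example of the waiting logic the paragraph above describes. It is not crypki's Work or DoWork implementation: the pool is modelled as a buffered channel of signers, Get takes the client context and a PKCS11 timeout, and a single select ensures the worker returns as soon as either the client is gone or the PKCS11 timeout elapses, whichever comes first. The Signer and SignerPool types, the error values and the timings in main are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Signer stands in for a PKCS#11 signer bound to one session. This is an added
// example, not the project's own Work/DoWork code.
type Signer struct{ ID int }

// SignerPool is a bounded pool modelled as a buffered channel: each key gets
// SignersPerPool signers, and Get blocks while all of them are in use.
type SignerPool struct{ ch chan *Signer }

func NewSignerPool(n int) *SignerPool {
	p := &SignerPool{ch: make(chan *Signer, n)}
	for i := 0; i < n; i++ {
		p.ch <- &Signer{ID: i}
	}
	return p
}

// Put returns a signer to the pool once the caller has finished signing.
func (p *SignerPool) Put(s *Signer) { p.ch <- s }

var (
	ErrClientGone    = errors.New("client cancelled or timed out before a signer was available")
	ErrPKCS11Timeout = errors.New("pkcs11 timeout: no signer became free in time")
)

// Get waits for a free signer, but never indefinitely. It stops when the
// client context is done (cancel or deadline) or when pkcs11Timeout elapses,
// whichever comes first. Because the select has no default branch and only
// one case receives from the channel, a signer is taken from the pool only on
// the success path, so none can be leaked when the wait is abandoned.
func (p *SignerPool) Get(ctx context.Context, pkcs11Timeout time.Duration) (*Signer, error) {
	timer := time.NewTimer(pkcs11Timeout)
	defer timer.Stop()
	select {
	case s := <-p.ch:
		return s, nil
	case <-ctx.Done():
		return nil, fmt.Errorf("%w: %v", ErrClientGone, ctx.Err())
	case <-timer.C:
		return nil, ErrPKCS11Timeout
	}
}

func main() {
	pool := NewSignerPool(1)
	busy, _ := pool.Get(context.Background(), time.Second) // occupy the only signer

	// Client deadline fires before the PKCS11 timeout.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Millisecond)
	defer cancel()
	_, err := pool.Get(ctx, time.Second)
	fmt.Println("client deadline:", err)

	// PKCS11 timeout fires while the client is still waiting.
	_, err = pool.Get(context.Background(), 30*time.Millisecond)
	fmt.Println("pkcs11 timeout:", err)

	// Once the busy signer is returned, the next request succeeds.
	pool.Put(busy)
	s, err := pool.Get(context.Background(), time.Second)
	fmt.Printf("after release: signer %d, err=%v\n", s.ID, err)
	pool.Put(s)
}
```

The caller can tell the two failure modes apart with errors.Is, which matters operationally: a burst of ErrPKCS11Timeout points at an exhausted or hung HSM session pool, while ErrClientGone is the client giving up and is not by itself a signal that the device is unhealthy.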
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
mock_pkcs11 | Package mock_pkcs11 is a generated GoMock package. |