crypki

README

crypki

A simple service for interacting with an HSM or other PKCS#11 device.

Table of Contents

• Background
• Install
• Configuration
• API
• Contribute
• License

Background

A simple service for interacting with an HSM or other PKCS #11 device. It supports minting and signing of both SSH and x509 certificates. Crypki is the certificate signing backend for the Athenz RBAC system.

Install

You should be able to run crypki server on any linux platform as long as you have crypki binary and .so file. We have tested it on RHEL 7, Debian 9 & Ubuntu 18.04.

Building crypki from source

Prerequisites:

• Go >= 1.16

Run:

go get github.com/theparanoids/crypki

Usage

To start crypki server clone the repo and run the following commands.

• Build docker image

  $ docker build -f docker-softhsm/Dockerfile -t crypki-local .
  

If you want to speed up docker image build process, before running the command above, you can cache the dependencies locally using the following command.

$ go mod vendor

• Generate certs and keys required for mutual TLS between the front end-client and the crypki backend server

  cd docker-softhsm
  ./gen-crt.sh
  

• Start the docker container

  docker run -d -p :4443:4443 -v $PWD/log:/var/log/crypki -v $PWD/tls-crt:/opt/crypki/tls-crt:ro -v $PWD/shm:/dev/shm --rm --name crypki -h "localhost" crypki-local
  

• Verify whether the server is up and running

  curl -X GET https://localhost:4443/ruok --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt 
  

Disclaimer: the above installation guidelines are to help you to get started with crypki; they should be used only for testing/development purposes. Please do not use this setup for production, because it is not secure.

Configuration

Take a look at the sample configuration file to see how to configure crypki

API

APIs for crypki are defined under crypki/proto. If you are familiar with or are using grpc, you can directly invoke the rpc methods defined in the proto file.

Examples:

Get all available SSH signing keys

curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get SSH user public signing key

curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign SSH user certificate

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --data @ssh_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt 

Get all available x509 signing keys

curl -X GET https://localhost:4443/v3/sig/x509-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get x509 public CA certificate

curl -X GET https://localhost:4443/v3/sig/x509-cert/keys/x509-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign x509 certificate

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/x509-cert/keys/x509-key --data @x509_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt 

Get blob signing public key

curl -X GET https://localhost:4443/v3/sig/blob/keys/sign-blob-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign blob (input is base64 encoded value of raw hash of a blob. example code)

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/blob/keys/sign-blob-key --data @sign_blob.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Contribute

• Please refer to Contributing.md for information about how to get involved. We welcome issues, questions and pull requests.

• You can also contact us for any user and development discussions through our group crypki-dev

• Code of Conduct

License

This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.

Documentation

Index

• type CAConfig
  • func (c *CAConfig) LoadDefaults()
• type CertSign
• type KeyID
  • func (k *KeyID) Process(kid string) (string, error)
• type KeyIDProcessor
• type PublicKeyAlgorithm
• type SignType
• type SignatureAlgorithm

Types

type CAConfig

type CAConfig struct {
	// Subject fields.
	Country            string `json:"Country"`
	State              string `json:"State"`
	Locality           string `json:"Locality"`
	Organization       string `json:"Organization"`
	OrganizationalUnit string `json:"OrganizationalUnit"`
	CommonName         string `json:"CommonName"`

	// The validity time period of the CA cert, which is specified in seconds.
	ValidityPeriod uint64 `json:"ValidityPeriod"`

	// PKCS#11 device fields.
	Identifier       string `json:"Identifier"`
	KeyLabel         string `json:"KeyLabel"`
	KeyType          int    `json:"KeyType"`
	SignatureAlgo    int    `json:"SignatureAlgo"`
	SlotNumber       int    `json:"SlotNumber"`
	UserPinPath      string `json:"UserPinPath"`
	PKCS11ModulePath string `json:"PKCS11ModulePath"`
}

CAConfig represents the configuration params for generating the CA certificate.

func (*CAConfig) LoadDefaults

func (c *CAConfig) LoadDefaults()

LoadDefaults assigns default values to missing required configuration fields.

type CertSign

type CertSign interface {
	// GetSSHCertSigningKey returns the SSH signing key of the specified key.
	GetSSHCertSigningKey(ctx context.Context, keyIdentifier string) ([]byte, error)
	// SignSSHCert returns an SSH cert signed by the specified key.
	SignSSHCert(ctx context.Context, cert *ssh.Certificate, keyIdentifier string) ([]byte, error)
	// GetX509CACert returns the X509 CA cert of the specified key.
	GetX509CACert(ctx context.Context, keyIdentifier string) ([]byte, error)
	// SignX509Cert returns an x509 cert signed by the specified key.
	SignX509Cert(ctx context.Context, cert *x509.Certificate, keyIdentifier string) ([]byte, error)
	// GetBlobSigningPublicKey returns the public signing key of the specified key that signs the user's data.
	GetBlobSigningPublicKey(ctx context.Context, keyIdentifier string) ([]byte, error)
	// SignBlob returns a signature signed by the specified key.
	SignBlob(ctx context.Context, digest []byte, opts crypto.SignerOpts, keyIdentifier string) ([]byte, error)
}

CertSign interface contains methods related to signing certificates.

type KeyID

type KeyID struct {
}

KeyID contains all the fields in key ID.

func (*KeyID) Process

func (k *KeyID) Process(kid string) (string, error)

Process can be used to add custom metadata like timestamp or crypki instance info to the keyID.

type KeyIDProcessor

type KeyIDProcessor interface {
	// Process will take in a key ID, add some more information, and then return the key ID back.
	Process(kid string) (string, error)
}

KeyIDProcessor is a interface containing all the possible operations on keyID.

type PublicKeyAlgorithm

type PublicKeyAlgorithm int

PublicKeyAlgorithm is used to specify public key algorithm.

const (
	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
	RSA
	ECDSA
)

List of supported public key algorithms.

type SignType

type SignType int

SignType represents the type of signing to be performed.

const (
	// HostSSHKey indicates that the request should be signed by Host SSHKey slot.
	HostSSHKey SignType = iota
	// X509Key indicates that the request should be signed by X509Key slot.
	X509Key
	// UserSSHKey indicates that the request should be signed by User SSHKey slot.
	UserSSHKey
)

type SignatureAlgorithm

type SignatureAlgorithm int

SignatureAlgorithm is used to specify signature key algorithm.

const (
	UnknownSignatureAlgorithm SignatureAlgorithm = iota
	SHA256WithRSA
	ECDSAWithSHA256
	ECDSAWithSHA384
)

List of supported signature hash algorithms. The naming convention adheres to x509.SignatureAlgorithm.