Documentation
Index
- Constants
- type P11
- type PKCS11
- func (k *PKCS11) Close() (err error)
- func (k *PKCS11) CreateDecrypter(req *apiv1.CreateDecrypterRequest) (crypto.Decrypter, error)
- func (k *PKCS11) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
- func (k *PKCS11) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
- func (k *PKCS11) DeleteCertificate(u string) error
- func (k *PKCS11) DeleteKey(u string) error
- func (k *PKCS11) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
- func (k *PKCS11) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
- func (k *PKCS11) StoreCertificate(req *apiv1.StoreCertificateRequest) error
Constants
const DefaultRSASize = 3072
DefaultRSASize is the number of bits of a new RSA key if no size has been specified.
const Scheme = string(apiv1.PKCS11)
Scheme is the scheme used in URIs, the string "pkcs11".
Variables
This section is empty.
Functions
This section is empty.
Types
type P11
type P11 interface {
	FindKeyPair(id, label []byte) (crypto11.Signer, error)
	FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error)
	ImportCertificateWithAttributes(template crypto11.AttributeSet, certificate *x509.Certificate) error
	DeleteCertificate(id, label []byte, serial *big.Int) error
	GenerateRSAKeyPairWithAttributes(public, private crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error)
	GenerateECDSAKeyPairWithAttributes(public, private crypto11.AttributeSet, curve elliptic.Curve) (crypto11.Signer, error)
	Close() error
}
P11 defines the methods on crypto11.Context that this package will use. This interface will be used for unit testing.
type PKCS11
type PKCS11 struct {
// contains filtered or unexported fields
}
PKCS11 is the implementation of a KMS using the PKCS #11 standard.
func New
New returns a new PKCS#11 KMS. To initialize it, you need to provide a URI with the following format:
- pkcs11:token=smallstep?pin-value=password
- pkcs11:serial=1a2b3c4d5e6f?pin-source=/path/to/pin.txt
- pkcs11:slot-id=5?pin-value=password
- pkcs11:module-path=/path/to/module.so;token=smallstep?pin-value=password
- pkcs11:token=smallstep;max-sessions=100?pin-value=password
The scheme is "pkcs11"; "token", "serial", or "slot-id" selects the cryptographic device to use. "module-path" is the path of the PKCS#11 module to use; if none is specified it defaults to the proxy module of the p11-kit project (p11-kit-proxy.so). "pin-value" provides the user's PIN, and "pin-source" names a file that contains the PIN. "max-sessions" sets the maximum number of PKCS#11 sessions; it defaults to 1024.
A cryptographic key or object is identified by its "id" or "object" attribute. The "id" is the key identifier for the object: a hexadecimal string that sets the CKA_ID attribute of the object. The "object" is the name of the object and sets the CKA_LABEL attribute. Only one of the two attributes is required to identify an existing key, but this package requires both to create a new key. The complete URI for a key looks like this:
- pkcs11:token=smallstep;id=0a10;object=ec-key?pin-value=password
- pkcs11:token=smallstep;id=%0a%10?pin-source=/path/to/pin.txt
- pkcs11:token=smallstep;object=ec-key?pin-value=password
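The two URI layouts above (the device part accepted by New and the key part with "id"/"object") share one grammar: a "pkcs11:" scheme, ';'-separated percent-encoded path attributes, and a '?' query carrying the PIN options. The following parser is an added example, not the package's own code (the package has its own URI handling); it recognises only the attributes named on this page, applies the documented defaults (p11-kit-proxy.so, 1024 sessions) and enforces the two documented rules: a device must be named by token, serial or slot-id, and creating a key needs both id and object. One assumption is made about "id": a plain value such as 0a10 is hexadecimal text, while a percent-encoded value such as %0a%10 already carries the raw CKA_ID bytes, so both forms decode to the same two bytes.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Defaults stated in the package documentation for New.
const (
	DefaultModulePath  = "p11-kit-proxy.so"
	DefaultMaxSessions = 1024
)

// Ref is the decoded form of a pkcs11: URI (hypothetical type for this example).
type Ref struct {
	Token, Serial string
	SlotID        int
	HasSlotID     bool
	ModulePath    string
	MaxSessions   int
	PinValue      string
	PinSource     string
	ID            []byte // becomes CKA_ID
	Label         string // becomes CKA_LABEL (the "object" attribute)
}

// Parse splits a pkcs11: URI into ';'-separated path attributes and a '?'
// query, percent-decoding each value as RFC 7512 requires.
func Parse(uri string) (*Ref, error) {
	const scheme = "pkcs11:"
	if !strings.HasPrefix(uri, scheme) {
		return nil, fmt.Errorf("unsupported scheme in %q, want pkcs11", uri)
	}
	pathPart, queryPart, _ := strings.Cut(uri[len(scheme):], "?")
	ref := &Ref{ModulePath: DefaultModulePath, MaxSessions: DefaultMaxSessions}

	for _, kv := range strings.Split(pathPart, ";") {
		if kv == "" {
			continue
		}
		k, raw, ok := strings.Cut(kv, "=")
		if !ok {
			return nil, fmt.Errorf("malformed path attribute %q", kv)
		}
		v, err := url.PathUnescape(raw)
		if err != nil {
			return nil, fmt.Errorf("attribute %q: %w", k, err)
		}
		switch k {
		case "token":
			ref.Token = v
		case "serial":
			ref.Serial = v
		case "slot-id":
			if ref.SlotID, err = strconv.Atoi(v); err != nil {
				return nil, fmt.Errorf("slot-id %q is not a number", v)
			}
			ref.HasSlotID = true
		case "module-path":
			ref.ModulePath = v
		case "max-sessions":
			if ref.MaxSessions, err = strconv.Atoi(v); err != nil || ref.MaxSessions < 1 {
				return nil, fmt.Errorf("max-sessions %q must be a positive number", v)
			}
		case "id":
			// Assumption: a percent-encoded id (%0a%10) carries the raw CKA_ID
			// bytes, while a plain value (0a10) is hexadecimal text.
			if strings.Contains(raw, "%") {
				ref.ID = []byte(v)
			} else if ref.ID, err = hex.DecodeString(v); err != nil {
				return nil, fmt.Errorf("id %q is not hexadecimal", v)
			}
		case "object":
			ref.Label = v
		default:
			return nil, fmt.Errorf("unknown path attribute %q", k)
		}
	}

	q, err := url.ParseQuery(queryPart)
	if err != nil {
		return nil, fmt.Errorf("query: %w", err)
	}
	ref.PinValue, ref.PinSource = q.Get("pin-value"), q.Get("pin-source")

	// Exactly as documented: "token", "serial" or "slot-id" must name the device.
	if ref.Token == "" && ref.Serial == "" && !ref.HasSlotID {
		return nil, errors.New("uri must set token, serial or slot-id")
	}
	return ref, nil
}

// IdentifiesKey reports whether the URI can locate an existing object;
// either attribute on its own is enough.
func (r *Ref) IdentifiesKey() bool { return len(r.ID) > 0 || r.Label != "" }

// CheckCreateKey enforces the stricter rule for new keys: both id and
// object are required so the created object gets CKA_ID and CKA_LABEL.
func (r *Ref) CheckCreateKey() error {
	if len(r.ID) == 0 || r.Label == "" {
		return errors.New("creating a key requires both id and object")
	}
	return nil
}

func main() {
	// Constructed sample URIs taken from the formats listed above.
	for _, u := range []string{
		"pkcs11:token=smallstep;id=0a10;object=ec-key?pin-value=password",
		"pkcs11:token=smallstep;id=%0a%10?pin-source=/path/to/pin.txt",
	} {
		r, err := Parse(u)
		if err != nil {
			fmt.Println(u, "->", err)
			continue
		}
		fmt.Printf("id=%x label=%q create-ok=%v\n", r.ID, r.Label, r.CheckCreateKey() == nil)
	}
}
```

Of the two PIN options, "pin-source" keeps the secret out of the URI itself, which matters because the URI typically ends up in configuration files and process arguments; the parser treats both the same way and leaves that choice to the caller.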
func (*PKCS11) CreateDecrypter
func (k *PKCS11) CreateDecrypter(req *apiv1.CreateDecrypterRequest) (crypto.Decrypter, error)
CreateDecrypter creates a decrypter using a key present in the PKCS#11 module.
func (*PKCS11) CreateKey
func (k *PKCS11) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error)
CreateKey generates a new key in the PKCS#11 module and returns the public key.
func (*PKCS11) CreateSigner
func (k *PKCS11) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, error)
CreateSigner creates a signer using a key present in the PKCS#11 module.
func (*PKCS11) DeleteCertificate
func (k *PKCS11) DeleteCertificate(u string) error
DeleteCertificate is a utility function to delete a certificate given a URI.
func (*PKCS11) GetPublicKey
func (k *PKCS11) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error)
GetPublicKey returns the public key stored in the object identified by the name URI.
func (*PKCS11) LoadCertificate
func (k *PKCS11) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Certificate, error)
LoadCertificate implements kms.CertificateManager and loads a certificate from the YubiKey.
func (*PKCS11) StoreCertificate
func (k *PKCS11) StoreCertificate(req *apiv1.StoreCertificateRequest) error
StoreCertificate implements kms.CertificateManager and stores a certificate in the YubiKey.