hsmpki

package
Published: Mar 27, 2021 License: MPL-2.0 Imports: 32 Imported by: 0

Documentation


Constants

const (
	// Request paths (relative to the mount point) that the backend serves.
	// The "cert/ca_*" entries are the HSM-specific part: they describe the
	// CA key by its PKCS#11 label, type and size rather than by key material.
	PATH_CA                    = "ca"
	PATH_CAKEYLABEL            = "cert/ca_keylabel"
	PATH_CAKEYTYPE             = "cert/ca_keytype"
	PATH_CAKEYSIZE             = "cert/ca_keysize"
	PATH_CERTS                 = "certs/"
	PATH_ROLE                  = "role/"
	PATH_SETSIGNEDINTERMEDIATE = "intermediate/set-signed"
	PATH_SETCRLCONFIG          = "config/crl"
	PATH_FETCHCRL              = "crl"
	PATH_REVOKE                = "revoke"
	PATH_TIDY                  = "tidy"
	PATH_ROTATECRL             = "crl/rotate"
	PATH_GENERATEROOT          = "root/generate/"
	PATH_GENERATEINTERMEDIATE  = "intermediate/generate/"
	PATH_SIGNINTERMEDIATE      = "root/sign-intermediate"
	PATH_ISSUE                 = "issue/"
	PATH_ROOT                  = "root"

	PATH_HASHALGO = "hash_algo"

	// Wire names of the request fields accepted by the paths above.
	// FIELD_KEYALIAS is sent as "key_label": the PKCS#11 label of the HSM key.
	// FIELD_EXPORTED ("exported") presumably follows the Vault pki convention
	// in which the "type" field is "internal" or "exported" and decides
	// whether generated private key material is returned to the caller —
	// confirm at the use site before relying on that.
	FIELD_ROLE                = "role"
	FIELD_KEYALIAS            = "key_label"
	FIELD_HASHALGO            = "hash_algo"
	FIELD_COMMON_NAME         = "common_name"
	FIELD_TYPE                = "type"
	FIELD_EXPORTED            = "exported"
	FIELD_TTL                 = "ttl"
	FIELD_KEY_TYPE            = "key_type"
	FIELD_KEY_BITS            = "key_bits"
	FIELD_PERMITTED_DNS_NAMES = "permitted_dns_names"
	FIELD_ORGANIZATION        = "organization"
	FIELD_OU                  = "ou"
	FIELD_COUNTRY             = "country"
	FIELD_LOCALITY            = "locality"
	FIELD_PROVINCE            = "province"
	FIELD_STREET_ADDRESS      = "street_address"
	FIELD_POSTAL_CODE         = "postal_code"
	FIELD_CSR                 = "csr"
	FIELD_CERTIFICATE         = "certificate"

	// Name of the parameter carrying the plugin's (HSM) configuration.
	CONFIG_PARAM = "config"

	CONFIG_PLUGIN_NAME = "plugin_name"

	// Help text returned for the backend.
	PLUGIN_HELP = "The hsmpki backend is a PKI plugin that uses an HSM for CA signing."

	// Default CRL validity. The unit is not stated here (presumably hours,
	// matching Vault's 72h pki default) — check where it is applied.
	DEFAULT_CRL_LIFETIME = 72

	// Presumably storage keys for the persisted CA bundle and the CA type.
	// The two commented-out names are retired alternatives.
	//ROOTCA_BUNDLE  = "config/rootca_bundle"
	//INTERCA_BUNDLE = "config/ca_bundle"
	CA_BUNDLE = "config/ca_bundle"
	CA_TYPE   = "ca/catype"

	// Test fixtures. NOTE(review): these TEST_* values are declared in the
	// package proper rather than in a _test.go file, so they form part of
	// the exported API and publish a real-looking deployment (HSM key
	// label, CA subject, fixture paths). Consider moving them into the
	// test files.
	//
	// relative to test working directory in pkg/hsmpki
	//TEST_CONFIG_HSM = "../../conf/config-softhsm.hcl"
	// The HCL config presumably carries the slot PIN (see HsmPkiConfig.Pin);
	// keep that file out of version control.
	TEST_CONFIG_HSM = "../../conf/config-safenet.hcl"

	TEST_EXPORTED        = "internal"
	TEST_ROLENAME        = "localhost"
	TEST_ALLOWED_DOMAINS = "localhost"
	TEST_MAX_TTL         = "72h"
	TEST_TTL             = "1h"
	TEST_COMMON_NAME     = "localhost"
	TEST_ROLE_NAME       = "localhost"
	// PKCS#11 label of the intermediate CA key expected to exist in the test HSM.
	TEST_KEY_LABEL       = "ECTestCAInterKey0016"
	//TEST_SIGNEDCACERTFILE 	= "../../data/softhsm-inter-0002.ca.cert.pem"
	TEST_SIGNEDCACERTFILE      = "../../data/safenet-inter-02.ca.cert.pem"
	TEST_ROOTCACERTFILE        = "../../data/testrootca.cert.pem"
	TEST_INTERCSRFILE          = "../../data/testintermediate.csr.pem"
	TEST_INTERCERTFILE         = "../../data/testintermediate.cert.pem"
	TEST_CAROOTCOMMONNAME      = "safenet.ec17.rootca.mode51.software"
	TEST_CAINTERCOMMONNAME     = "safenet.ec17.interca.mode51.software"
	TEST_CAKEYTYPERSA          = "rsa"
	TEST_CAKEYBITSRSA          = "4096"
	TEST_CAKEYTYPEEC           = "ec"
	TEST_CAKEYBITSEC           = "521"
	TEST_CAPERMITTEDDNSDOMAINS = "localhost"
	TEST_CAORGANIZATION        = "mode51 Software Ltd"
	TEST_CAOU                  = "Security"
	TEST_CACOUNTRY             = "GB"
	TEST_CAPROVINCE            = "Cambridgeshire"
	TEST_CALOCALITY            = "Cambridge"
	TEST_CASTREETADDRESS       = "1 The Street"
	TEST_CAPOSTALCODE          = "CB1 1AA"
	// CA TTL used by the tests; the unit is not stated here — confirm at the use site.
	TEST_CATTL                 = 8 * 60
)

Variables

This section is empty.

Functions

func CreateCSR added in v0.3.3

func CreateCSR(b *HsmPkiBackend, data *certutil.CreationBundle, addBasicConstraints bool) (*certutil.ParsedCSRBundle, error)

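// GeneratePrivateKey generates a software private key of the requested type
// and size using crypto/rand and hands it to container through
// SetParsedPrivateKey, together with its DER encoding (PKCS#1 for RSA,
// SEC 1 / RFC 5915 for EC).
//
// keyType selects the algorithm: "rsa" (keyBits is the modulus length and
// must be at least 2048) or "ec" (keyBits selects the NIST curve and must be
// 224, 256, 384 or 521). Any other type or size is rejected with an
// errutil.UserError before any key material is produced; failures inside
// crypto/rsa, crypto/ecdsa or crypto/x509 surface as errutil.InternalError.
//
// The key is generated on the host, not inside the HSM, so the bytes handed
// to the container are sensitive material. HSM-resident keys are presumably
// handled elsewhere in the package via the PKCS#11 client.
func GeneratePrivateKey(keyType string, keyBits int, container certutil.ParsedPrivateKeyContainer) error {
	// crypto/rsa accepts far smaller moduli than is safe; a CA key below
	// 2048 bits is not acceptable, and the EC branch already validates its
	// sizes, so validate RSA sizes the same way instead of relying on the
	// caller.
	const minRSAKeyBits = 2048

	var (
		signer   crypto.Signer
		kind     certutil.PrivateKeyType
		keyBytes []byte
	)

	switch keyType {
	case "rsa":
		if keyBits < minRSAKeyBits {
			return errutil.UserError{Err: fmt.Sprintf("unsupported bit length for RSA key: %d (minimum %d)", keyBits, minRSAKeyBits)}
		}
		rsaKey, err := rsa.GenerateKey(rand.Reader, keyBits)
		if err != nil {
			return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)}
		}
		signer, kind = rsaKey, RSAPrivateKey
		keyBytes = x509.MarshalPKCS1PrivateKey(rsaKey)

	case "ec":
		curve, ok := ecCurveForBits(keyBits)
		if !ok {
			return errutil.UserError{Err: fmt.Sprintf("unsupported bit length for EC key: %d", keyBits)}
		}
		ecKey, err := ecdsa.GenerateKey(curve, rand.Reader)
		if err != nil {
			return errutil.InternalError{Err: fmt.Sprintf("error generating EC private key: %v", err)}
		}
		der, err := x509.MarshalECPrivateKey(ecKey)
		if err != nil {
			return errutil.InternalError{Err: fmt.Sprintf("error marshalling EC private key: %v", err)}
		}
		signer, kind, keyBytes = ecKey, ECPrivateKey, der

	default:
		return errutil.UserError{Err: fmt.Sprintf("unknown key type: %s", keyType)}
	}

	container.SetParsedPrivateKey(signer, kind, keyBytes)
	return nil
}

// ecCurveForBits maps an EC key size in bits to the matching NIST curve and
// reports whether that size is one GeneratePrivateKey supports.
func ecCurveForBits(keyBits int) (elliptic.Curve, bool) {
	switch keyBits {
	case 224:
		return elliptic.P224(), true
	case 256:
		return elliptic.P256(), true
	case 384:
		return elliptic.P384(), true
	case 521:
		return elliptic.P521(), true
	default:
		return nil, false
	}
}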

Creates a CSR. This is currently only meant for use when generating an intermediate certificate.

func CreateCertificate

func CreateCertificate(b *HsmPkiBackend, data *certutil.CreationBundle) (*certutil.ParsedCertBundle, error)

Performs the heavy lifting of creating a certificate. Returns a fully-filled-in ParsedCertBundle.

func Factory

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory configures and returns backends

func GenDateTimeKeyLabel added in v0.3.3

func GenDateTimeKeyLabel() (keyLabel string)

func GetDataKeyType added in v0.3.3

func GetDataKeyType(data *string) (keyType uint, err error)

func SignCertificate

func SignCertificate(b *HsmPkiBackend, data *certutil.CreationBundle) (*certutil.ParsedCertBundle, error)

Performs the heavy lifting of generating a certificate from a CSR. Returns a ParsedCertBundle sans private keys.

Types

type HsmConfigCompat

// HsmConfigCompat is the JSON-tagged form of the HSM connection settings,
// with the numeric fields already parsed. Compare HsmPkiConfig, which holds
// the same settings as HCL-tagged strings; HsmPkiConfig.ConvertHsmConfig
// takes a value of this type.
type HsmConfigCompat struct {
	// the HSM's client PKCS#11 library (a file path). No json tag, so it
	// serialises under the key "Lib".
	Lib string

	// the HSM slot ID
	SlotId uint `json:"slot_id"`

	// the slot pin. This is a credential: it has no json tag (serialises
	// as "Pin") and nothing visible here redacts it, so keep values of this
	// type out of logs, debug dumps and API responses.
	Pin string

	// a key label (the PKCS#11 label of the CA key)
	KeyLabel string `json:"key_label"`

	// connection timeout seconds
	ConnectTimeoutS uint `json:"connect_timeout_s"`

	// function timeout seconds
	ReadTimeoutS uint `json:"read_timeout_s"`
}

type HsmPkiBackend

type HsmPkiBackend struct {
	HsmBackend *framework.Backend
	// contains filtered or unexported fields
}

func Backend

func Backend(conf *logical.BackendConfig) (*HsmPkiBackend, error)

type HsmPkiConfig

// HsmPkiConfig is the HCL form of the HSM connection settings. Every field
// is a string as read from the config file; the numeric ones are converted
// elsewhere (see ConvertHsmConfig / ConvertToHsmConfig). ValidateConfig only
// checks that Lib is set, so a blank Pin or an unset KeyLabel passes
// validation.
type HsmPkiConfig struct {

	// the PKCS#11 client library file (a path). No hcl tag, so it is matched
	// by the field name.
	Lib string

	// the slot ID on the HSM; 0 is a valid value
	SlotId string `hcl:"slot_id"`

	// the slot's PIN. This is a credential read from the config file: it has
	// no hcl tag, nothing visible here redacts it, and ValidateConfig allows
	// it to be blank. Keep the config file and values of this type out of
	// version control, logs and debug output.
	Pin string

	// the HSM key label (PKCS#11 label of the CA key); may be left unset and
	// supplied dynamically later
	KeyLabel string `hcl:"key_label"`

	// connection timeout seconds
	ConnectTimeoutS string `hcl:"connect_timeout_s"`

	// function timeout seconds
	ReadTimeoutS string `hcl:"read_timeout_s"`
}

func (*HsmPkiConfig) ConvertHsmConfig

func (h *HsmPkiConfig) ConvertHsmConfig(hsmConfig *HsmConfigCompat)

func (*HsmPkiConfig) ConvertToHsmConfig

func (h *HsmPkiConfig) ConvertToHsmConfig() (hsmConfig *pkcs11client.HsmConfig)

func (*HsmPkiConfig) ValidateConfig

func (h *HsmPkiConfig) ValidateConfig() error

ValidateConfig only checks that the PKCS#11 client library path (Lib) is set. The slot ID may legitimately be 0, the PIN may be blank, and the key label may be supplied dynamically later, so none of those are validated here; callers must not rely on ValidateConfig to catch a missing PIN or key label.
