hsmocsp

Published: Aug 1, 2020 License: BSD-3-Clause Imports: 30 Imported by: 0

README

Hardware Security Module (HSM) Online Certificate Status Protocol (OCSP)

This Go module supports the creation of an OCSP server that can use a PKCS#11 HSM, such as the NitroKey HSM, as the signer for the OCSP responder. When properly configured, the hsmocsp server returns a signed response stating that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it returns an error code.

Supported Certificate Sources

The hsmocsp server currently supports two source types, each of which implements the cfssl OCSP responder interface to validate certificates; additional support for the cfssl certdb and response-file sources could likely be added easily.

Source Type     Description
OpenSslSource   Uses the OpenSSL ca db and crl files; optionally supports hosting ca issuer and crl static files
VaultSource     Uses the Vault PKI Engine ca and crl urls and cert api

Deployment

app-hsmocsp is a cloud-native application with kubectl and Helm deployments for this hsmocsp Go module.

In addition to the app-hsmocsp container, the provided dev and debug skaffold profiles will also deploy the app-pki container, which uses a helper script to create a working PKCS#11 HSM PKI environment for development purposes only; it includes configurable steps to automatically validate and initialize:

  • Certificates and Keypairs for the OpenSSL Root CA
  • Vault PKI Secrets engines and intermediate CA certificates properly signed and chained with the OpenSSL ca-keypair
  • Keypairs for OCSP server certificates for both OpenSSL and Vault CA sources for app-hsmocsp to consume

PKI Level Cert HSM Key Vault Key File Key
1 OpenSSL CA x
1 OpenSSL CA OCSP x
2 Vault Root CA x
2 Vault Root CA OCSP x
3 Vault Int Dev CA x
3 Vault Int Dev CA OCSP x
3 Vault Int Dev CA Client x

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewRouter

func NewRouter(config Config) *http.ServeMux

NewRouter generates the router used in the HTTP Server

func NewVaultSourceFromHandleConfig

func NewVaultSourceFromHandleConfig(handleConfig *VaultSourceHandleConfig) (*vault_ocsp.VaultSource, error)

NewVaultSourceFromHandleConfig creates VaultSources and adds the handle for the Ocsp Responder

func ParseOpenSslIndex

func ParseOpenSslIndex(data []byte) (map[string]*OpenSslIndexRecord, error)

ParseOpenSslIndex parses csv byte data from an openssl ca database flat file https://pki-tutorial.readthedocs.io/en/latest/cadb.html

Types

type CaSourceHandleConfig

type CaSourceHandleConfig struct {
	// CaCertPattern is pattern for the router handle
	CaCertPattern string `yaml:"certPattern"`
	// CaCertPath is a required Uri (file path or http url)
	CaCertPath string `yaml:"certPath"`
	// CaCrlPattern pattern for the router handle
	CaCrlPattern string `yaml:"crlPattern"`
	// CaCrlPath is a required Uri (file path or http url)
	CaCrlPath string `yaml:"crlPath"`
	// CaIndexPath is a required Uri (file path or http url)
	CaIndexPath string `yaml:"indexPath"`
}

CaSourceHandleConfig are the OpenSSL CA certs, crls, and index

type CertStatus

type CertStatus string

CertStatus are the possible values for Cert Status from the openssl ca database flat file

type Config

type Config struct {
	// LogLevel
	LogLevel int `yaml:"logLevel"`
	Server   struct {
		// Host is the local machine IP Address to bind the HTTP Server to
		Host string `yaml:"host"`
		// Port is the local machine TCP Port to bind the HTTP Server to
		Port string `yaml:"port"`
		// Time out
		Timeout struct {
			// Server is the general server timeout to use
			// for graceful shutdowns
			Server time.Duration `yaml:"server"`
			// Write is the amount of time to wait until an HTTP server
		// write operation is cancelled
			Write time.Duration `yaml:"write"`
			// Read is the amount of time to wait until an HTTP server
			// read operation is cancelled
			Read time.Duration `yaml:"read"`
			// Idle is the amount of time to wait
			// until an IDLE HTTP session is closed
			Idle time.Duration `yaml:"idle"`
		} `yaml:"timeout"`
		// ReadinessProbeHandle configures the handle for the readiness probe
		ReadinessProbeHandle ReadinessProbeHandleConfig `yaml:"readinessProbeHandle"`
		// LivenessProbeHandle configures the handle for the liveness probe
		LivenessProbeHandle LivenessProbeHandleConfig `yaml:"livenessProbeHandle"`
		// OpenSslSourceHandles configures Source and Handles for ocsp responder
		OpenSslSourceHandles []OpenSslSourceHandleConfig `yaml:"opensslSourceHandles,flow"`
		// VaultSourceHandles configures Source and Handles for ocsp responder
		VaultSourceHandles []VaultSourceHandleConfig `yaml:"vaultSourceHandles,flow"`
	} `yaml:"server"`
}

Config struct for hsm ocsp server

func NewConfig

func NewConfig(configPath string) (*Config, error)

NewConfig returns a new decoded Config struct

func (Config) Run

func (config Config) Run()

Run will run the HTTP Server

type KeyHsmConfig

type KeyHsmConfig struct {
	// ModulePath is path to PKCS#11 library.
	ModulePath string `yaml:"modulePath"`
	// SlotNumber identifies a token to use by the slot containing it.
	// negative value defaults to Token label
	SlotNumber int `yaml:"slotNumber"`
	// TokenLabel, used to identify the Token, which is preferred over SlotID
	TokenLabel string `yaml:"tokenLabel"`
	// KeyLabel, used to identify the KeyPair, which is preferred over the KeyID
	KeyLabel string `yaml:"keyLabel"`
	// KeyID, hex id used to identify the KeyPair, though not required to find if label is provided
	// KeyPairs must have a NON-EMPTY CKA_ID to be found
	KeyID string `yaml:"keyID"`
	// HSM Pin
	Pin string `required:"true" envconfig:"HSM_PIN" yaml:"pin"`
}

KeyHsmConfig is used to configure a PKCS11 cryptoSigner

type LivenessProbeHandleConfig

type LivenessProbeHandleConfig struct {
	Pattern string `yaml:"pattern"`
}

LivenessProbeHandleConfig configures the handle for the Liveness Probe

type OcspSourceHandleConfig

type OcspSourceHandleConfig struct {
	// Pattern is the pattern for the router handle
	OcspPattern string `yaml:"pattern"`
	// OcspCertPath is a required Uri (file path or http url)
	OcspCertPath string `yaml:"certPath"`
	// OcspKeyPath is the optional Uri (file path)
	OcspKeyPath string `yaml:"keyPath"`
	// OcspKeyHsm is used to configure a PKCS11 cryptoSigner
	// if OcspKeyPath is set to "" (empty)
	OcspKeyHsm KeyHsmConfig `yaml:"keyHsm"`
}

OcspSourceHandleConfig are the certs and keys required to sign OCSP responses

type OpenSslIndexRecord

type OpenSslIndexRecord struct {
	// contains filtered or unexported fields
}

OpenSslIndexRecord for records from the openssl ca database flat file

func ParseOpenSslIndexRecord

func ParseOpenSslIndexRecord(record []string) (*OpenSslIndexRecord, error)

ParseOpenSslIndexRecord creates a new struct from csv record

type OpenSslSource

type OpenSslSource struct {
	// contains filtered or unexported fields
}

OpenSslSource Source struct for ocsp responder

func NewOpenSslSource

func NewOpenSslSource(certIndex map[string]*OpenSslIndexRecord, caCrl *pkix.CertificateList, caCert *x509.Certificate, ocspCert *x509.Certificate, ocspSigner *crypto.Signer) (*OpenSslSource, error)

NewOpenSslSource creates a Source for OCSP server responder

func NewOpenSslSourceFromHandleConfig

func NewOpenSslSourceFromHandleConfig(handleConfig OpenSslSourceHandleConfig) (*OpenSslSource, error)

NewOpenSslSourceFromHandleConfig creates OpenSslSources and adds the handle for the Ocsp Responder

func (OpenSslSource) Response

func (source OpenSslSource) Response(request *ocsp.Request) ([]byte, http.Header, error)

Response required function for OCSP responder interface https://github.com/cloudflare/cfssl/blob/master/revoke/revoke.go

type OpenSslSourceHandleConfig

type OpenSslSourceHandleConfig struct {
	OcspSourceHandle     OcspSourceHandleConfig `yaml:"ocsp"`
	CaSourceHandleConfig `yaml:"ca"`
}

OpenSslSourceHandleConfig configures the OCSP Sources for the ocsp responder

type ReadinessProbeHandleConfig

type ReadinessProbeHandleConfig struct {
	Pattern string `yaml:"pattern"`
}

ReadinessProbeHandleConfig configures the handle for the Readiness Probe

type VaultConfig

type VaultConfig struct {
	// PkiMount is the pki mount for your ocsp (assumes ca, crl, and cert vault urls)
	PkiMount string     `yaml:"pkiMount"`
	Client   api.Config `yaml:"api"`
}

VaultConfig configures the OCSP Sources for the ocsp responder

type VaultSourceHandleConfig

type VaultSourceHandleConfig struct {
	OcspSourceHandle OcspSourceHandleConfig `yaml:"ocsp"`
	VaultConfig      `yaml:"vault"`
}

VaultSourceHandleConfig Source config for the ocsp responder http server(s)
