crypki

package module
v1.1.15 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 1, 2020 License: Apache-2.0 Imports: 2 Imported by: 0

README

Build Status GoDoc Go Report Card Go Coverage

crypki

A simple service for interacting with an HSM or other PKCS#11 device.

Table of Contents

Background

A simple service for interacting with an HSM or other PKCS #11 device. It supports minting and signing of both SSH and x509 certificates. Crypki is the certificate signing backend for the Athenz RBAC system.

Install

You should be able to run crypki server on any linux platform as long as you have crypki binary and .so file. We have tested it on RHEL 7, Debian 9 & Ubuntu 18.04.

Building crypki from source

Prerequisites:

  • Go >= 1.13

Run:

go get github.com/yahoo/crypki

Usage

To start crypki server clone the repo and run the following commands.

  • Build docker image 
    $ docker build -f docker-softhsm/Dockerfile -t crypki-local .

If you want to speed up docker image build process, before running the command above, you can cache the dependencies locally using the following command.

$ go mod vendor

  • Generate certs and keys required for mutual TLS between the front end-client and the crypki backend server

    cd docker-softhsm
./gen-crt.sh

  • Start the docker container

    docker run -d -p :4443:4443 -v $PWD/log:/var/log/crypki -v $PWD/tls-crt:/opt/crypki/tls-crt:ro -v $PWD/shm:/dev/shm --rm --name crypki -h "localhost" crypki-local

  • Verify whether the server is up and running

    curl -X GET https://localhost:4443/ruok --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Disclaimer: the above installation guidelines are to help you to get started with crypki; they should be used only for testing/development purposes. Please do not use this setup for production, because it is not secure.

Configuration

Take a look at the sample configuration file to see how to configure crypki

API

APIs for crypki are defined under crypki/proto. If you are familiar with or are using grpc, you can directly invoke the rpc methods defined in the proto file.

Examples:

Get all available SSH signing keys

curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get SSH user public signing key

curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign SSH user certificate

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --data @ssh_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get all available x509 signing keys

curl -X GET https://localhost:4443/v3/sig/x509-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get x509 public CA certificate

curl -X GET https://localhost:4443/v3/sig/x509-cert/keys/x509-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign x509 certificate

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/x509-cert/keys/x509-key --data @x509_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get blob signing public key

curl -X GET https://localhost:4443/v3/sig/blob/keys/sign-blob-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign blob (input is base64 encoded value of raw hash of a blob. example code)

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/blob/keys/sign-blob-key --data @sign_blob.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Contribute

  • Please refer to Contributing.md for information about how to get involved. We welcome issues, questions and pull requests.

  • You can also contact us for any user and development discussions through our group crypki-dev

  • Code of Conduct

License

This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CAConfig 

type CAConfig struct {
	// Subject fields.
	Country            string `json:"Country"`
	State              string `json:"State"`
	Locality           string `json:"Locality"`
	Organization       string `json:"Organization"`
	OrganizationalUnit string `json:"OrganizationalUnit"`
	CommonName         string `json:"CommonName"`

	// PKCS#11 device fields.
	Identifier       string `json:"Identifier"`
	KeyLabel         string `json:"KeyLabel"`
	SlotNumber       int    `json:"SlotNumber"`
	UserPinPath      string `json:"UserPinPath"`
	PKCS11ModulePath string `json:"PKCS11ModulePath"`
}

CAConfig represents the configuration params for generating the CA certificate.

type CertSign 

type CertSign interface {
	// GetSSHCertSigningKey returns the SSH signing key of the specified key.
	GetSSHCertSigningKey(keyIdentifier string) ([]byte, error)
	// SignSSHCert returns an SSH cert signed by the specified key.
	SignSSHCert(cert *ssh.Certificate, keyIdentifier string) ([]byte, error)
	// GetX509CACert returns the X509 CA cert of the specified key.
	GetX509CACert(keyIdentifier string) ([]byte, error)
	// SignX509Cert returns an x509 cert signed by the specified key.
	SignX509Cert(cert *x509.Certificate, keyIdentifier string) ([]byte, error)
	// GetBlobSigningPublicKey returns the public signing key of the specified key that signs the user's data.
	GetBlobSigningPublicKey(keyIdentifier string) ([]byte, error)
	// SignBlob returns a signature signed by the specified key.
	SignBlob(digest []byte, opts crypto.SignerOpts, keyIdentifier string) ([]byte, error)
}

CertSign interface contains methods related to signing certificates.

type KeyID 

type KeyID struct {
}

KeyID contains all the fields in key ID.

func (*KeyID) Process 

func (k *KeyID) Process(kid string) (string, error)

Process can be used to add custom metadata like timestamp or crypki instance info to the keyID.

type KeyIDProcessor 

type KeyIDProcessor interface {
	// Process will take in a key ID, add some more information, and then return the key ID back.
	Process(kid string) (string, error)
}

KeyIDProcessor is a interface containing all the possible operations on keyID.

type PublicKeyAlgorithm 

type PublicKeyAlgorithm int

PublicKeyAlgorithm is used to specify public key algorithm. 

const (
	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
	RSA
	ECDSA
)

List of supported public key algorithms.

type SignType 

type SignType int

SignType represents the type of signing to be performed. 

const (
	// HostSSHKey indicates that the request should be signed by Host SSHKey slot.
	HostSSHKey SignType = iota
	// X509Key indicates that the request should be signed by X509Key slot.
	X509Key
	// UserSSHKey indicates that the request should be signed by User SSHKey slot.
	UserSSHKey
)

Source Files

View all Source files

Directories

Path Synopsis
cmd
crypki
gen-cacert
mock_pkcs11
Package mock_pkcs11 is a generated GoMock package.
 Package mock_pkcs11 is a generated GoMock package.
Package proto contains proto generated code.
 Package proto contains proto generated code.
mock
Package mock is a generated GoMock package.
 Package mock is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.