hsm

package
v0.0.0-...-d1cd67c

This package is not in the latest version of its module.

Published: Feb 9, 2018 License: MIT Imports: 8 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// Full path to the PKCS#11 module on the filesystem. The exact value
	// depends on the host, but it usually ends in .so
	Module string

	// Label of the X.509 certificate stored on the PKCS#11 token. For PIV
	// devices, one option for this might be
	// "Certificate for PIV Authentication"
	CertificateLabel string

	// Label of the private key backing the X.509 certificate indicated by
	// CertificateLabel. For PIV devices, one option for this might be
	// "PIV AUTH key"
	PrivateKeyLabel string

	// Optional PIN for the PKCS#11 token. If this is nil, no PIN will be
	// sent to the device.
	PIN *string

	// Label of the PKCS#11 token whose slot should be used (see SelectSlot).
	TokenLabel string
}

HSM configuration object. It defines which PKCS#11 .so module to load, the labels of the certificate and private key to use, a PIN (if the token needs one), and the label of the token.

func (Config) GetCertificateTemplate

func (c Config) GetCertificateTemplate() []*pkcs11.Attribute

Create a pkcs11.Attribute array containing constraints that should uniquely identify the PKCS#11 certificate we're interested in.

func (Config) GetPrivateKeyTemplate

func (c Config) GetPrivateKeyTemplate() []*pkcs11.Attribute

Create a pkcs11.Attribute array containing constraints that should uniquely identify the PKCS#11 private key we're interested in.

func (Config) SelectSlot

func (c Config) SelectSlot(context *pkcs11.Ctx, slots []uint) (uint, error)

Given a pkcs11.Ctx and a list of slots, figure out which slot is the one we're interested in, returning an error if there's no slot we should be using.

type Store

type Store struct {
	// contains filtered or unexported fields
}

Internal hsm.Store encapsulating state. This implements the store.Store interface, as well as crypto.Signer and crypto.Decrypter.

func New

func New(config Config) (*Store, error)

Create a new hsm.Store defined by the hsm.Config. If no slot can be found, or the underlying PKCS#11 infrastructure reports a problem, an error is returned.

func (Store) Certificate

func (s Store) Certificate() (*x509.Certificate, error)

Query the underlying HSM for the X.509 certificate we're interested in, and return it as a Go x509.Certificate.

func (Store) Close

func (s Store) Close() error

Log out of the token and close any sessions we still have open. This method ought to be deferred right after creating a new hsm.Store.

func (Store) Decrypt

func (s Store) Decrypt(rand io.Reader, msg []byte, opts crypto.DecrypterOpts) ([]byte, error)

Implement crypto.Decrypter. This has the HSM decrypt the given ciphertext, ignoring `rand` in favour of the on-chip entropy source, and returns the data in cleartext.

func (Store) Public

func (s Store) Public() crypto.PublicKey

Return the PublicKey cached at startup. The interface we're implementing doesn't let Public() return an error, so any failure to read the key is forced to surface in New instead.

The downside is that a public key that changes on the token during our session will not be noticed. Maybe that's not a problem; who can know. If it is a problem you hit, something smarter is needed here.
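As an added example (not code from this package): a guard a caller can wrap around a Store used as a crypto.Signer. It takes the certificate freshly read via Store.Certificate() and refuses to sign when the cached Public() no longer matches it, then verifies the returned signature against that certificate. CheckAndSign, SoftToken and NewSoftToken are names of my own, and SoftToken is a constructed in-memory stand-in for hsm.Store so the check runs without a PKCS#11 token.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
)

// CheckAndSign guards a signer whose Public() is cached (as hsm.Store's is): it
// refuses to sign unless cert, freshly read via Store.Certificate(), still carries
// the cached key, then signs a SHA-256 digest and verifies it against cert.
func CheckAndSign(signer crypto.Signer, cert *x509.Certificate, msg []byte) ([]byte, error) {
	certPub, _ := x509.MarshalPKIXPublicKey(cert.PublicKey)
	cachedPub, _ := x509.MarshalPKIXPublicKey(signer.Public())
	if len(certPub) == 0 || !bytes.Equal(certPub, cachedPub) {
		return nil, errors.New("cached public key does not match the token certificate")
	}
	digest := sha256.Sum256(msg) // Sign receives a digest, not the message
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256) // an HSM ignores rand
	if err != nil {
		return nil, err
	}
	return sig, cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig)
}

// SoftToken is a constructed in-memory stand-in for hsm.Store (not the real
// package): a P-256 key whose Public() is cached once, as the real one is.
type SoftToken struct {
	*ecdsa.PrivateKey      // Sign is promoted from the key
	Cert *x509.Certificate // self-signed; a test may swap it out
	pub  crypto.PublicKey  // cached at construction, never re-read
}
func (s *SoftToken) Public() crypto.PublicKey { return s.pub }
func NewSoftToken() (*SoftToken, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &SoftToken{PrivateKey: key, Cert: cert, pub: key.Public()}, err
}
```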

func (Store) Sign

func (s Store) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

Implement crypto.Signer. This has the HSM sign the given digest, ignoring `rand` in favour of the on-chip entropy source, and returns the signature blob.

func (Store) Update

func (s Store) Update(certificate x509.Certificate) error

XXX: UNIMPLEMENTED. Update is not yet supported.
