PKCS11 support #366

Draft
wants to merge 3 commits into
base: master
8 changes: 8 additions & 0 deletions backend/backend.go
Expand Up @@ -23,6 +23,7 @@ type BackendType string
const (
FileBackend BackendType = "file"
YubikeyBackend BackendType = "yubikey"
PKCS11Backend BackendType = "pkcs11"
TPMBackend BackendType = "tpm"
)

Expand Down Expand Up @@ -200,6 +201,8 @@ func createKey(state *config.State, backend string, hier hierarchy.Hierarchy, de
return NewFileKey(hier, desc)
case "tpm":
return NewTPMKey(state.TPM, desc)
case "pkcs11":
return NewPKCS11Key(desc)
default:
return NewFileKey(hier, desc)
}
Expand Down Expand Up @@ -255,6 +258,8 @@ func readKey(state *config.State, keydir string, kc *config.KeyConfig, hier hier
return FileKeyFromBytes(keyb, pemb)
case TPMBackend:
return TPMKeyFromBytes(state.TPM, keyb, pemb)
case PKCS11Backend:
return PKCS11KeyFromBytes(keyb, pemb)
default:
return nil, fmt.Errorf("unknown key")
}
Expand Down Expand Up @@ -322,6 +327,9 @@ func InitBackendFromKeys(state *config.State, priv, pem []byte, hier hierarchy.H
return FileKeyFromBytes(priv, pem)
case "tpm":
return TPMKeyFromBytes(state.TPM, priv, pem)
case "pkcs11":
// TODO: This will error with not implemented.
return PKCS11KeyFromBytes(priv, pem)
default:
return nil, fmt.Errorf("unknown key backend: %s", t)
}
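Review bot: The `case "pkcs11"` added to createKey (second hunk) reports success for a key that cannot sign: NewPKCS11Key in this PR's pkcs11.go returns a PKCS11Key with nil context and nil cert, and its Signer() returns nil, so the first signing call on a freshly created key would dereference a nil crypto.Signer instead of returning an error. Until generation is implemented the arm should fail closed, `return nil, fmt.Errorf("pkcs11 backend: key generation not implemented")`, which matches the "not implemented" behaviour the comment in the InitBackendFromKeys arm already acknowledges. This arm also dispatches on the literal "pkcs11" while readKey's new arm uses the PKCS11Backend constant; the existing file/tpm arms are inconsistent in the same way, but the new arms could use the constant. The bodies of createKey, readKey and InitBackendFromKeys all start and end outside these hunks.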
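--- /dev/null
+++ b/backend/pkcs11.go
@@ -0,0 +1,51 @@
+package backend
+
+import (
+"crypto"
+"crypto/x509"
+"fmt"
+"github.com/ThalesIgnite/crypto11"
+)
+
+type PKCS11Key struct {
+keytype BackendType
+cert *x509.Certificate
+context *crypto11.Context
+description string
+}
+
+func NewPKCS11Key(desc string) (*PKCS11Key, error) {
+// TODO: Implement generating keys
+return &PKCS11Key{
+keytype: PKCS11Backend,
+cert: nil,
+description: desc,
+context: nil,
+}, nil
+}
+
+func (p *PKCS11Key) Type() BackendType { return p.keytype }
+func (p *PKCS11Key) Certificate() *x509.Certificate { return p.cert }
+func (p *PKCS11Key) Description() string { return p.description }
+
+func (p *PKCS11Key) Signer() crypto.Signer {
+// TODO: This will be the signer from PKCS11Key.context from finding the matching cert
+return nil
+}
+
+func (p *PKCS11Key) PrivateKeyBytes() []byte {
+// TODO: This should be a stub to describe the key object in PKCS11
+return nil
+}
+
+func (p *PKCS11Key) CertificateBytes() []byte {
+// TODO: Return key by using FindCertificate
+return nil
+}
+
+func PKCS11KeyFromBytes(keyb, pemb []byte) (*PKCS11Key, error) {
+// TODO: Make it so that the key file bytes are used to locate the key on the PKCS11 device
+// This might be done by using signatures of the keys when generating
+// We can use FindCertificate from FindCertificate from the PKCS11Key.context
+return nil, fmt.Errorf("not implmented")
+}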
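Review bot: NewPKCS11Key returns a nil error for a key whose context and cert are nil and whose Signer(), PrivateKeyBytes() and CertificateBytes() all return nil, so callers (createKey dispatches to it in this PR) receive a key that reports success but panics on first use rather than failing with an error. Until generation is implemented, return an error instead of the stub, `return nil, fmt.Errorf("pkcs11: key generation not implemented")`, and fix the typo in PKCS11KeyFromBytes, `return nil, fmt.Errorf("pkcs11: not implemented")`. When the lookup stub is designed, the bytes written to the key file should carry only an object reference (CKA_ID and/or label) and never a token PIN or private material, and the located key pair's public key should be compared against the certificate's public key so that a swapped certificate cannot redirect signing to a different token object; the TODO's "signatures of the keys" idea does not yet say how that binding is checked. Where the crypto11 module path and PIN will come from (config.State or environment) is not visible in this file and should be documented on the type before the context is wired up.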
8 changes: 6 additions & 2 deletions go.mod
Expand Up @@ -11,7 +11,8 @@ require (
github.com/goccy/go-yaml v1.11.3
github.com/google/go-attestation v0.5.1
github.com/google/go-tpm v0.9.1
github.com/google/uuid v1.4.0
github.com/google/uuid v1.6.0
github.com/ThalesIgnite/crypto11 v1.2.5
github.com/hugelgupf/vmtest v0.0.0-20240110072021-f6f07acb7aa1
github.com/landlock-lsm/go-landlock v0.0.0-20240715193425-db0c8d6f1dff
github.com/onsi/gomega v1.7.1
Expand All @@ -22,6 +23,7 @@ require (
)

require (
filippo.io/edwards25519 v1.1.0 // indirect
github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 // indirect
github.com/creack/pty v1.1.21 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
Expand All @@ -40,9 +42,11 @@ require (
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mdlayher/packet v1.1.2 // indirect
github.com/mdlayher/socket v0.5.0 // indirect
github.com/miekg/pkcs11 v1.1.1 // indirect
github.com/pierrec/lz4/v4 v4.1.14 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/thales-e-security/pool v0.0.2 // indirect
github.com/u-root/gobusybox/src v0.0.0-20231224233253-2944a440b6b6 // indirect
github.com/u-root/u-root v0.11.1-0.20230807200058-f87ad7ccb594 // indirect
github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 // indirect
Expand All @@ -51,7 +55,7 @@ require (
github.com/vishvananda/netns v0.0.4 // indirect
golang.org/x/crypto v0.25.0 // indirect
golang.org/x/mod v0.17.0 // indirect
golang.org/x/net v0.25.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
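Review bot: The new `github.com/ThalesIgnite/crypto11 v1.2.5` line is placed after `github.com/google/uuid` in the direct require block, which is not the order `go mod tidy` writes (module paths sort bytewise, so `ThalesIgnite` precedes `goccy`), suggesting the block was edited by hand; running `go mod tidy` regenerates the require blocks and go.sum together, and a go.sum lacking the new module's hash fails the checksum check at build time. crypto11 pulls in `github.com/miekg/pkcs11`, a cgo binding that loads the PKCS#11 module shared library into the signing process at runtime, so the configured module path becomes a trust input once the backend is wired up; that configuration is not part of this diff and is worth calling out in the follow-up.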