Considered settings for new connector instances and refactored cli commands #23

Merged
merged 8 commits into from
Dec 16, 2024
109 changes: 47 additions & 62 deletions cmd/crypto-vault-cli/README.md
Expand Up @@ -4,14 +4,9 @@

- [Summary](#summary)
- [Getting Started](#getting-started)
- [Encryption and Decryption](#encryption-and-decryption)
- [AES Example](#aes-example)
- [RSA Example](#rsa-example)
- [PKCS#11 Encryption and Decryption](#pkcs11-encryption-and-decryption)
- [Signing and Verifying Signatures](#signing-and-verifying-signatures)
- [ECDSA Example](#ecdsa-example)
- [PKCS#11 Signing and Verifying](#pkcs11-signing-and-verifying)
- [PKCS#11 key management operations](#pkcs11-key-management-operations)
- [AES Example](#aes-example)
- [RSA Example](#rsa-example)
- [PKCS#11 Example](#pkcs11-example)
- [Running the e2e-test](#running-the-e2e-test)


Expand All @@ -21,86 +16,55 @@

## Getting Started

### Encryption and Decryption

#### AES example

*NOTE:* Keys will be generated internally during the encryption operations.
### AES example

```sh
uuid=$(cat /proc/sys/kernel/random/uuid)
# Generate AES keys
go run crypto_vault_cli.go generate-aes-keys --key-size 16 --key-dir data/
# Encryption
go run crypto_vault_cli.go encrypt-aes --input-file data/input.txt --output-file data/${uuid}-output.enc --key-size 16 --key-dir data/
go run crypto_vault_cli.go encrypt-aes --input-file data/input.txt --output-file data/${uuid}-output.enc --symmetric-key <your generated symmetric key>
# Decryption
go run crypto_vault_cli.go decrypt-aes --input-file data/${uuid}-output.enc --output-file data/${uuid}-decrypted.txt --symmetric-key <your generated symmetric key from previous encryption operation>
go run crypto_vault_cli.go decrypt-aes --input-file data/${uuid}-output.enc --output-file data/${uuid}-decrypted.txt --symmetric-key <your generated symmetric key>
```

#### RSA Example

*NOTE:* Keys will be generated internally during the encryption operations.
### RSA Example

```sh
uuid=$(cat /proc/sys/kernel/random/uuid)

# Encryption
go run crypto_vault_cli.go encrypt-rsa --input-file data/input.txt --output-file data/${uuid}-encrypted.txt --key-dir data/

# Decryption
go run crypto_vault_cli.go decrypt-rsa --input-file data/${uuid}-encrypted.txt --output-file data/${uuid}-decrypted.txt --private-key <your generated private key from previous encryption operation>
```

#### PKCS#11 encryption and decryption
# Generate RSA keys
go run crypto_vault_cli.go generate-rsa-keys --key-size 2048 --key-dir data/

*NOTE:* Requires RSA keys managed in FIPS-compliant software or hardware trough `pkcs11-tool` or utilize commands in [PKCS#11 key management operations](#pkcs11-key-management-operations):

```sh
# RSA-PKCS
# Encryption
go run crypto_vault_cli.go encrypt --token-label my-token --object-label my-rsa-key --key-type RSA --input-file data/input.txt --output-file data/encrypted-output.enc
go run crypto_vault_cli.go encrypt-rsa --input-file data/input.txt --output-file data/${uuid}-encrypted.txt --public-key <your generated public key>

# Decryption
go run crypto_vault_cli.go decrypt --token-label my-token --object-label my-rsa-key --key-type RSA --input-file data/encrypted-output.enc --output-file data/decrypted-output.txt
```

---
go run crypto_vault_cli.go decrypt-rsa --input-file data/${uuid}-encrypted.txt --output-file data/${uuid}-decrypted.txt --private-key <your generated private key>

### Signing and Verifying signatures
# Sign
go run crypto_vault_cli.go sign-rsa --input-file data/input.txt --output-file data/${uuid}-signature.bin --private-key <your generated private key>

#### ECDSA Example

*NOTE:* Keys will be generated internally during signature generation operations.

```sh
# Sign a file with a newly generated ECC key pair (internally generated)
go run crypto_vault_cli.go sign-ecc --input-file data/input.txt --key-dir data

# Verify the signature using the generated public key
go run crypto_vault_cli.go verify-ecc --input-file data/input.txt --public-key <your generated public key from previous signing operation> --signature-file <your generated signature file from previous signing operation>
# Verify
go run crypto_vault_cli.go verify-rsa --input-file data/input.txt --signature-file data/${uuid}-signature.bin --public-key <your generated public key>
```

#### PKCS#11 signing and verifying

*NOTE:* Requires RSA or EC keys managed in FIPS-compliant software or hardware trough `pkcs11-tool` or utilize commands in [PKCS#11 key management operations](#pkcs11-key-management-operations):
### ECDSA Example

```sh
# RSA-PSS
# Sign data with a PKCS#11 token
go run crypto_vault_cli.go sign --token-label my-token --object-label my-rsa-key --key-type RSA --data-file data/input.txt --signature-file data/signature.sig
uuid=$(cat /proc/sys/kernel/random/uuid)

# Verify the signature using the generated public key from the PKCS#11 token
go run crypto_vault_cli.go verify --token-label my-token --object-label my-rsa-key --key-type RSA --data-file data/input.txt --signature-file data/signature.sig
# Generate ECC keys
go run crypto_vault_cli.go generate-ecc-keys --key-size 256 --key-dir data/

# ECDSA
# Sign data with a PKCS#11 token
go run crypto_vault_cli.go sign --token-label my-token --object-label my-ecdsa-key --key-type ECDSA --data-file data/input.txt --signature-file data/signature.sig
# Sign a file with a newly generated ECC key pair (internally generated)
go run crypto_vault_cli.go sign-ecc --input-file data/input.txt --output-file data/${uuid}-signature.bin --private-key <your generated private key>

# Verify the signature using the generated public key from the PKCS#11 token
go run crypto_vault_cli.go verify --token-label my-token --object-label my-ecdsa-key --key-type ECDSA --data-file data/input.txt --signature-file data/signature.sig
# Verify the signature using the generated public key
go run crypto_vault_cli.go verify-ecc --input-file data/input.txt --signature-file data/${uuid}-signature.bin --public-key <your generated public key>
```

---

### PKCS#11 key management operations
### PKCS#11 example

```sh
# Configure settings
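Review bot: the comment `# Sign a file with a newly generated ECC key pair (internally generated)` is now wrong, since `sign-ecc` takes `--private-key` and the key pair comes from the `generate-ecc-keys` step just above it; drop the parenthetical. Two smaller things in the same hunk: the README never says where `generate-aes-keys`, `generate-rsa-keys` and `generate-ecc-keys` write their output, so a reader cannot fill in `<your generated symmetric key>` or `<your generated private key>`; one sentence naming the files under `--key-dir` would fix that. Passing the raw AES key as `--symmetric-key` on the command line leaves it in shell history and in the process list; consider accepting a file path (or reading it from the key dir) instead. Also `--key-size 16` and `--key-size 256` leave the unit ambiguous (bytes for AES, bits for ECC?), and the new headings mix `### AES example` with `### RSA Example`.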
Expand All @@ -125,6 +89,27 @@ go run crypto_vault_cli.go list-objects --token-label "my-token"
# Delete an object (e.g., RSA or EC key) from the PKCS#11 token
go run crypto_vault_cli.go delete-object --token-label my-token --object-label my-rsa-key --object-type pubkey
go run crypto_vault_cli.go delete-object --token-label my-token --object-label my-rsa-key --object-type privkey

# RSA-PKCS
# Encryption
go run crypto_vault_cli.go encrypt --token-label my-token --object-label my-rsa-key --key-type RSA --input-file data/input.txt --output-file data/encrypted-output.enc

# Decryption
go run crypto_vault_cli.go decrypt --token-label my-token --object-label my-rsa-key --key-type RSA --input-file data/encrypted-output.enc --output-file data/decrypted-output.txt

# RSA-PSS
# Sign data with a PKCS#11 token
go run crypto_vault_cli.go sign --token-label my-token --object-label my-rsa-key --key-type RSA --data-file data/input.txt --signature-file data/signature.sig

# Verify the signature using the generated public key from the PKCS#11 token
go run crypto_vault_cli.go verify --token-label my-token --object-label my-rsa-key --key-type RSA --data-file data/input.txt --signature-file data/signature.sig

# ECDSA
# Sign data with a PKCS#11 token
go run crypto_vault_cli.go sign --token-label my-token --object-label my-ecdsa-key --key-type ECDSA --data-file data/input.txt --signature-file data/signature.sig

# Verify the signature using the generated public key from the PKCS#11 token
go run crypto_vault_cli.go verify --token-label my-token --object-label my-ecdsa-key --key-type ECDSA --data-file data/input.txt --signature-file data/signature.sig
```

## Running the e2e-test
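Review bot: in reading order the two `delete-object` calls for `my-rsa-key` (unchanged context at the top of the hunk) now come immediately before the `encrypt`/`sign` commands that use `my-rsa-key`, so anyone following the section top to bottom deletes the key before using it; move the delete calls to the end of the example. The old `*NOTE:* Requires RSA or EC keys managed in FIPS-compliant software or hardware ...` was dropped together with the old sections; a one-line prerequisite that `my-token` must hold `my-rsa-key` / `my-ecdsa-key` (via `add-key`) before these commands run would help. Finally, the `# RSA-PKCS` encryption example is PKCS#1 v1.5 padding; if the CLI supports OAEP, prefer that in the documented example.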
75 changes: 54 additions & 21 deletions cmd/crypto-vault-cli/crypto_vault_cli_test.go
Expand Up @@ -22,13 +22,13 @@ func runCommand(t *testing.T, cmd string, args []string) (string, error) {
return out.String(), nil
}

func TestEncryptionAndDecryption(t *testing.T) {
func TestAESEncryptionAndDecryption(t *testing.T) {
uuid := "test-uuid-1234"
inputFile := "data/input.txt"

encOutputFile := fmt.Sprintf("data/%s-output.enc", uuid)
cmdEncrypt := "go"
argsEncrypt := []string{"run", "crypto_vault_cli.go", "encrypt-aes", "--input-file", inputFile, "--output-file", encOutputFile, "--key-size", "16", "--key-dir", "data/"}
argsEncrypt := []string{"run", "crypto_vault_cli.go", "encrypt-aes", "--input-file", inputFile, "--output-file", encOutputFile, "--symmetric-key", "your-generated-symmetric-key"}

_, err := runCommand(t, cmdEncrypt, argsEncrypt)
if err != nil {
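Review bot: `"--symmetric-key", "your-generated-symmetric-key"` is a literal placeholder, not a key produced by `generate-aes-keys`, so this test either fails before encrypting or shows that `encrypt-aes` accepts an arbitrary string as a key; run `generate-aes-keys --key-dir data/` in the test first and pass the key it produced (the old `--key-size`/`--key-dir` invocation did this implicitly). Decrypting with the same placeholder cannot prove round-trip correctness either; compare the decrypted file with `inputFile` at the end of the test.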
Expand All @@ -51,7 +51,7 @@ func TestRSAEncryptionAndDecryption(t *testing.T) {

encOutputFile := fmt.Sprintf("data/%s-encrypted.txt", uuid)
cmdEncryptRSA := "go"
argsEncryptRSA := []string{"run", "crypto_vault_cli.go", "encrypt-rsa", "--input-file", inputFile, "--output-file", encOutputFile, "--key-dir", "data/"}
argsEncryptRSA := []string{"run", "crypto_vault_cli.go", "encrypt-rsa", "--input-file", inputFile, "--output-file", encOutputFile, "--public-key", "your-generated-public-key"}

_, err := runCommand(t, cmdEncryptRSA, argsEncryptRSA)
if err != nil {
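Review bot: same placeholder problem here: `"--public-key", "your-generated-public-key"` is not a path to a key written by `generate-rsa-keys`, so the test cannot exercise the real `encrypt-rsa` path; generate the key pair in the test (or a `TestMain` fixture) and pass the resulting public-key file.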
Expand All @@ -68,48 +68,50 @@ func TestRSAEncryptionAndDecryption(t *testing.T) {
}
}

func TestPKCS11EncryptionAndDecryption(t *testing.T) {
uuid := "test-uuid-pkcs11"
func TestRSASignAndVerify(t *testing.T) {
uuid := "test-uuid-5678"
inputFile := "data/input.txt"
signatureFile := fmt.Sprintf("data/%s-signature.bin", uuid)

encOutputFile := fmt.Sprintf("data/%s-encrypted-output.enc", uuid)
cmdEncryptPKCS11 := "go"
argsEncryptPKCS11 := []string{
"run", "crypto_vault_cli.go", "encrypt", "--token-label", "my-token", "--object-label", "my-rsa-key", "--key-type", "RSA", "--input-file", inputFile, "--output-file", encOutputFile,
}
// Sign
cmdSignRSA := "go"
argsSignRSA := []string{"run", "crypto_vault_cli.go", "sign-rsa", "--input-file", inputFile, "--output-file", signatureFile, "--private-key", "your-generated-private-key"}

_, err := runCommand(t, cmdEncryptPKCS11, argsEncryptPKCS11)
_, err := runCommand(t, cmdSignRSA, argsSignRSA)
if err != nil {
t.Fatalf("PKCS11 Encryption failed: %v", err)
t.Fatalf("RSA Signing failed: %v", err)
}

decOutputFile := fmt.Sprintf("data/%s-decrypted-output.txt", uuid)
cmdDecryptPKCS11 := "go"
argsDecryptPKCS11 := []string{
"run", "crypto_vault_cli.go", "decrypt", "--token-label", "my-token", "--object-label", "my-rsa-key", "--key-type", "RSA", "--input-file", encOutputFile, "--output-file", decOutputFile,
// Verify
cmdVerifyRSA := "go"
argsVerifyRSA := []string{
"run", "crypto_vault_cli.go", "verify-rsa", "--input-file", inputFile, "--signature-file", signatureFile, "--public-key", "your-generated-public-key",
}

_, err = runCommand(t, cmdDecryptPKCS11, argsDecryptPKCS11)
_, err = runCommand(t, cmdVerifyRSA, argsVerifyRSA)
if err != nil {
t.Fatalf("PKCS11 Decryption failed: %v", err)
t.Fatalf("RSA Verification failed: %v", err)
}
}

func TestSigningAndVerificationECDSA(t *testing.T) {
uuid := "test-uuid-ecc"
inputFile := "data/input.txt"
signatureFile := "data/signature.sig"
signatureFile := fmt.Sprintf("data/%s-signature.bin", uuid)

// Sign
cmdSignECDSA := "go"
argsSignECDSA := []string{"run", "crypto_vault_cli.go", "sign-ecc", "--input-file", inputFile, "--key-dir", "data"}
argsSignECDSA := []string{"run", "crypto_vault_cli.go", "sign-ecc", "--input-file", inputFile, "--output-file", signatureFile, "--private-key", "your-generated-private-key"}

_, err := runCommand(t, cmdSignECDSA, argsSignECDSA)
if err != nil {
t.Fatalf("ECDSA Signing failed: %v", err)
}

// Verify
cmdVerifyECDSA := "go"
argsVerifyECDSA := []string{
"run", "crypto_vault_cli.go", "verify-ecc", "--input-file", inputFile, "--public-key", "your-generated-public-key", "--signature-file", signatureFile,
"run", "crypto_vault_cli.go", "verify-ecc", "--input-file", inputFile, "--signature-file", signatureFile, "--public-key", "your-generated-public-key",
}

_, err = runCommand(t, cmdVerifyECDSA, argsVerifyECDSA)
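Review bot: both `TestRSASignAndVerify` and the reworked `TestSigningAndVerificationECDSA` only check that `verify-rsa`/`verify-ecc` return no error on the untouched `inputFile`; a verification test should also assert the negative case (a modified copy of the input, or a signature made with a different key, must make the verify command fail), otherwise a verifier that always succeeds passes this suite. The `--private-key`/`--public-key` values are again literal placeholders rather than files from `generate-rsa-keys`/`generate-ecc-keys`. Also, the removed `TestPKCS11EncryptionAndDecryption` reappears further down unchanged, so this is a move rather than a deletion; worth saying so in the commit message.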
Expand All @@ -118,8 +120,36 @@ func TestSigningAndVerificationECDSA(t *testing.T) {
}
}

func TestPKCS11EncryptionAndDecryption(t *testing.T) {
uuid := "test-uuid-pkcs11"
inputFile := "data/input.txt"

encOutputFile := fmt.Sprintf("data/%s-encrypted-output.enc", uuid)
cmdEncryptPKCS11 := "go"
argsEncryptPKCS11 := []string{
"run", "crypto_vault_cli.go", "encrypt", "--token-label", "my-token", "--object-label", "my-rsa-key", "--key-type", "RSA", "--input-file", inputFile, "--output-file", encOutputFile,
}

_, err := runCommand(t, cmdEncryptPKCS11, argsEncryptPKCS11)
if err != nil {
t.Fatalf("PKCS11 Encryption failed: %v", err)
}

decOutputFile := fmt.Sprintf("data/%s-decrypted-output.txt", uuid)
cmdDecryptPKCS11 := "go"
argsDecryptPKCS11 := []string{
"run", "crypto_vault_cli.go", "decrypt", "--token-label", "my-token", "--object-label", "my-rsa-key", "--key-type", "RSA", "--input-file", encOutputFile, "--output-file", decOutputFile,
}

_, err = runCommand(t, cmdDecryptPKCS11, argsDecryptPKCS11)
if err != nil {
t.Fatalf("PKCS11 Decryption failed: %v", err)
}
}

func TestPKCS11KeyManagement(t *testing.T) {

// Store PKCS#11 settings
cmdStorePKCS11 := "go"
argsStorePKCS11 := []string{
"run", "crypto_vault_cli.go", "store-pkcs11-settings", "--module", "/usr/lib/softhsm/libsofthsm2.so", "--so-pin", "1234", "--user-pin", "5678", "--slot-id", "0x0",
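Review bot: `TestPKCS11EncryptionAndDecryption` now sits before `TestPKCS11KeyManagement`, and Go runs the test functions of a file sequentially in source order; the encryption test needs `my-rsa-key` on `my-token`, but that key is only created by the `add-key` call in `TestPKCS11KeyManagement` (and deleted again at its end), so the encrypt/decrypt test runs against a token with no such key unless it was provisioned out of band. Either run the key-management test first and keep the key until after the crypto tests, or create and delete the key inside the encrypt/decrypt test itself. The `--so-pin 1234 --user-pin 5678` values are fine for SoftHSM in CI, but reading them from a test constant or environment variable would let the same test run against a real token.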
Expand All @@ -130,6 +160,7 @@ func TestPKCS11KeyManagement(t *testing.T) {
t.Fatalf("Storing PKCS#11 settings failed: %v", err)
}

// Add RSA Key
cmdAddRSAKey := "go"
argsAddRSAKey := []string{"run", "crypto_vault_cli.go", "add-key", "--token-label", "my-token", "--object-label", "my-rsa-key", "--key-type", "RSA", "--key-size", "2048"}

Expand All @@ -138,6 +169,7 @@ func TestPKCS11KeyManagement(t *testing.T) {
t.Fatalf("Adding RSA Key to PKCS#11 failed: %v", err)
}

// List Objects
cmdListObjects := "go"
argsListObjects := []string{"run", "crypto_vault_cli.go", "list-objects", "--token-label", "my-token"}

Expand All @@ -146,6 +178,7 @@ func TestPKCS11KeyManagement(t *testing.T) {
t.Fatalf("Listing PKCS#11 objects failed: %v", err)
}

// Delete RSA Key
cmdDeleteRSAKey := "go"
argsDeleteRSAKey := []string{"run", "crypto_vault_cli.go", "delete-object", "--token-label", "my-token", "--object-label", "my-rsa-key", "--object-type", "pubkey"}
