Feature: add HSM support via PKCS11 dlopen

This requires dynamic library linking of Libc, hence, not compatible with our static releases. But, it was fairly simple to implement, so can be interesting for some users. Signed-off-by: Volodymyr Khoroz <[email protected]>
foundriesio · Sep 28, 2023 · 72660c5 · 72660c5
1 parent 04a0476
commit 72660c5
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -11,6 +11,9 @@ build: fioctl-linux-amd64 fioctl-linux-arm64 fioctl-windows-amd64 fioctl-darwin-
 fioctl-static:
 	CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o ./bin/fioctl-static ./main.go
 
+fioctl-cgo-pkcs11:
+	CGO_ENABLED=1 go build -tags cgopki $(LDFLAGS) -o bin/$@ ./main.go
+
 fioctl-linux-amd64:
 fioctl-linux-arm64:
 fioctl-linux-armv7:
@@ -34,6 +37,7 @@ has-linter:
 linter-check: has-linter
 	$(linter) run
 	$(linter) run --build-tags bashpki
+	$(linter) run --build-tags cgopki
 
 linter: has-linter
 	$(linter) run --fix

diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.19
 
 require (
 	cloud.google.com/go/pubsub v1.27.1
+	github.com/ThalesIgnite/crypto11 v1.2.5
 	github.com/cheynewallace/tabby v1.1.1
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c
 	github.com/fatih/color v1.13.0
@@ -41,14 +42,17 @@ require (
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/pkg/errors v0.8.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/net v0.7.0 // indirect

diff --git a/go.sum b/go.sum
@@ -13,6 +13,8 @@ cloud.google.com/go/pubsub v1.27.1 h1:q+J/Nfr6Qx4RQeu3rJcnN48SNC0qzlYzSeqkPq93VH
 cloud.google.com/go/pubsub v1.27.1/go.mod h1:hQN39ymbV9geqBnfQq6Xf63yNhUAhv9CZhzp5O6qsW0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
+github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E=
+github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
 github.com/beorn7/perks v0.0.0-20150223135152-b965b613227f/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/bitly/go-hostpool v0.1.0/go.mod h1:4gOCgp6+NZnVqlKyZ/iBZFTAJKembaVENUpMkpg42fw=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
@@ -128,6 +130,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
+github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f h1:eVB9ELsoq5ouItQBr5Tj334bhPJG/MX+m7rTchmzVUQ=
+github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -143,6 +147,7 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -195,6 +200,8 @@ github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKs
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
+github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.5.2 h1:habfDzTmpbzBLIFGWa2ZpVhYvFBoK0C1onC3a4zuPRA=
 github.com/theupdateframework/go-tuf v0.5.2/go.mod h1:SyMV5kg5n4uEclsyxXJZI2UxPFJNDc4Y+r7wv+MlvTA=
 github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c=

diff --git a/x509/storage_pkcs11_cgo.go b/x509/storage_pkcs11_cgo.go
@@ -0,0 +1,60 @@
+//go:build !bashpki && cgopki
+
+package x509
+
+import (
+	"crypto"
+	"crypto/elliptic"
+	"fmt"
+
+	"github.com/ThalesIgnite/crypto11"
+
+	"github.com/foundriesio/fioctl/subcommands"
+)
+
+const hsmObjectId = "1"
+
+func newPkcs11Session(hsm HsmInfo) *crypto11.Context {
+	cfg := crypto11.Config{
+		Path:        hsm.Module,
+		TokenLabel:  hsm.TokenLabel,
+		Pin:         hsm.Pin,
+		MaxSessions: 0,
+	}
+
+	ctx, err := crypto11.Configure(&cfg)
+	subcommands.DieNotNil(err)
+	return ctx
+}
+
+func genAndSaveKeyToHsm(hsm HsmInfo, id, label string) crypto.Signer {
+	// See storage_pkcs11_tool.go why we need to first check for the key existance.
+	ctx := newPkcs11Session(hsm)
+	key, err := ctx.FindKeyPair([]byte(id), []byte(label))
+	subcommands.DieNotNil(err)
+	if key != nil {
+		subcommands.DieNotNil(fmt.Errorf("Key %s already exists on the HSM device", label))
+	}
+
+	key, err = ctx.GenerateECDSAKeyPairWithLabel([]byte(id), []byte(label), elliptic.P256())
+	subcommands.DieNotNil(err)
+	return key
+}
+
+func loadKeyFromHsm(hsm HsmInfo, id, label string) crypto.Signer {
+	ctx := newPkcs11Session(hsm)
+	key, err := ctx.FindKeyPair([]byte(id), []byte(label))
+	subcommands.DieNotNil(err)
+	if key == nil {
+		subcommands.DieNotNil(fmt.Errorf("Key %s not found on the HSM device", label))
+	}
+	return key
+}
+
+func (s *hsmStorage) genAndSaveKey() crypto.Signer {
+	return genAndSaveKeyToHsm(s.HsmInfo, hsmObjectId, s.Label)
+}
+
+func (s *hsmStorage) loadKey() crypto.Signer {
+	return loadKeyFromHsm(s.HsmInfo, hsmObjectId, s.Label)
+}
diff --git a/x509/storage_pkcs11_tool.go b/x509/storage_pkcs11_tool.go
@@ -1,4 +1,4 @@
-//go:build !bashpki
+//go:build !bashpki && !cgopki
 
 package x509