diff --git a/Makefile b/Makefile
index 094c8c1b..ab7b2e28 100644
--- a/Makefile
+++ b/Makefile
@@ -11,6 +11,9 @@ build: fioctl-linux-amd64 fioctl-linux-arm64 fioctl-windows-amd64 fioctl-darwin-
 fioctl-static:
 CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o ./bin/fioctl-static ./main.go
+fioctl-cgo-pkcs11:
+ CGO_ENABLED=1 go build -tags cgopki $(LDFLAGS) -o bin/$@ ./main.go
+
 fioctl-linux-amd64:
 fioctl-linux-arm64:
 fioctl-linux-armv7:
@@ -34,6 +37,7 @@ has-linter:
 linter-check: has-linter
 $(linter) run
 $(linter) run --build-tags bashpki
+ $(linter) run --build-tags cgopki
 linter: has-linter
 $(linter) run --fix
diff --git a/go.mod b/go.mod
index 7337e043..4f943abf 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,7 @@ go 1.19
 require (
 cloud.google.com/go/pubsub v1.27.1
+ github.com/ThalesIgnite/crypto11 v1.2.5
 github.com/cheynewallace/tabby v1.1.1
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c
 github.com/fatih/color v1.13.0
@@ -41,7 +42,9 @@ require (
 github.com/magiconair/properties v1.8.5 // indirect
 github.com/mattn/go-colorable v0.1.12 // indirect
 github.com/mattn/go-isatty v0.0.14 // indirect
+ github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f // indirect
 github.com/mitchellh/mapstructure v1.4.3 // indirect
+ github.com/pkg/errors v0.8.1 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 github.com/spf13/afero v1.6.0 // indirect
@@ -49,6 +52,7 @@ require (
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/subosito/gotenv v1.2.0 // indirect
+ github.com/thales-e-security/pool v0.0.2 // indirect
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/crypto v0.1.0 // indirect
 golang.org/x/net v0.7.0 // indirect
diff --git a/go.sum b/go.sum
index 3da0c356..70f2c8a7 100644
--- a/go.sum
+++ b/go.sum
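Review bot: The new `fioctl-cgo-pkcs11` recipe expands `$(LDFLAGS)` while the neighbouring `fioctl-static` recipe spells its `-ldflags` out inline; if `LDFLAGS` is not defined earlier in the Makefile (not visible in this hunk) it expands to nothing and the cgopki binary is silently built without whatever strip/version flags the other targets carry. Worth confirming the variable exists, or writing the flags inline the way `fioctl-static` does. The target is also absent from the `build:` prerequisite list shown in the hunk header, so `make build` never exercises the cgopki tag — plausibly intended because it needs CGO and a host libc, but a one-line comment above the recipe, `# Needs CGO and a host libc; built on demand, not part of 'build'.`, would spare the next reader the question.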
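Review bot: The `crypto11 v1.2.5` requirement pulls `github.com/miekg/pkcs11` in as an untagged pseudo-version (`v1.0.3-0.20190429190417-a667d056470f`, a 2019 commit) rather than a release, together with `github.com/pkg/errors v0.8.1`; both are `// indirect`, so they are presumably what crypto11's own go.mod pins. Worth confirming that the pseudo-version really is crypto11's requirement and not a leftover from a local `go get`, and that the matching `go.sum` lines were obtained with the checksum database enabled, since this dependency now sits in the PKCS#11 signing path.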
@@ -13,6 +13,8 @@ cloud.google.com/go/pubsub v1.27.1 h1:q+J/Nfr6Qx4RQeu3rJcnN48SNC0qzlYzSeqkPq93VH
 cloud.google.com/go/pubsub v1.27.1/go.mod h1:hQN39ymbV9geqBnfQq6Xf63yNhUAhv9CZhzp5O6qsW0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
+github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E=
+github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
 github.com/beorn7/perks v0.0.0-20150223135152-b965b613227f/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/bitly/go-hostpool v0.1.0/go.mod h1:4gOCgp6+NZnVqlKyZ/iBZFTAJKembaVENUpMkpg42fw=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
@@ -128,6 +130,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
+github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f h1:eVB9ELsoq5ouItQBr5Tj334bhPJG/MX+m7rTchmzVUQ=
+github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -143,6 +147,7 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -195,6 +200,8 @@ github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKs
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
+github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.5.2 h1:habfDzTmpbzBLIFGWa2ZpVhYvFBoK0C1onC3a4zuPRA=
 github.com/theupdateframework/go-tuf v0.5.2/go.mod h1:SyMV5kg5n4uEclsyxXJZI2UxPFJNDc4Y+r7wv+MlvTA=
 github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c=
diff --git a/x509/storage_pkcs11_cgo.go b/x509/storage_pkcs11_cgo.go
new file mode 100644
index 00000000..737556e2
--- /dev/null
+++ b/x509/storage_pkcs11_cgo.go
@@ -0,0 +1,60 @@
+//go:build !bashpki && cgopki
+
+package x509
+
+import (
+ "crypto"
+ "crypto/elliptic"
+ "fmt"
+
+ "github.com/ThalesIgnite/crypto11"
+
+ "github.com/foundriesio/fioctl/subcommands"
+)
+
+const hsmObjectId = "1"
+
+func newPkcs11Session(hsm HsmInfo) *crypto11.Context {
+ cfg := crypto11.Config{
+ Path: hsm.Module,
+ TokenLabel: hsm.TokenLabel,
+ Pin: hsm.Pin,
+ MaxSessions: 0,
+ }
+
+ ctx, err := crypto11.Configure(&cfg)
+ subcommands.DieNotNil(err)
+ return ctx
+}
+
+func genAndSaveKeyToHsm(hsm HsmInfo, id, label string) crypto.Signer {
+ // See storage_pkcs11_tool.go why we need to first check for the key existance.
+ ctx := newPkcs11Session(hsm)
+ key, err := ctx.FindKeyPair([]byte(id), []byte(label))
+ subcommands.DieNotNil(err)
+ if key != nil {
+ subcommands.DieNotNil(fmt.Errorf("Key %s already exists on the HSM device", label))
+ }
+
+ key, err = ctx.GenerateECDSAKeyPairWithLabel([]byte(id), []byte(label), elliptic.P256())
+ subcommands.DieNotNil(err)
+ return key
+}
+
+func loadKeyFromHsm(hsm HsmInfo, id, label string) crypto.Signer {
+ ctx := newPkcs11Session(hsm)
+ key, err := ctx.FindKeyPair([]byte(id), []byte(label))
+ subcommands.DieNotNil(err)
+ if key == nil {
+ subcommands.DieNotNil(fmt.Errorf("Key %s not found on the HSM device", label))
+ }
+ return key
+}
+
+func (s *hsmStorage) genAndSaveKey() crypto.Signer {
+ return genAndSaveKeyToHsm(s.HsmInfo, hsmObjectId, s.Label)
+}
+
+func (s *hsmStorage) loadKey() crypto.Signer {
+ return loadKeyFromHsm(s.HsmInfo, hsmObjectId, s.Label)
+}
diff --git a/x509/storage_pkcs11_tool.go b/x509/storage_pkcs11_tool.go
index 54e6aa65..c34b0eb5 100644
--- a/x509/storage_pkcs11_tool.go
+++ b/x509/storage_pkcs11_tool.go
@@ -1,4 +1,4 @@
-//go:build !bashpki
+//go:build !bashpki && !cgopki
 package x509
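Review bot: `newPkcs11Session` opens a logged-in `crypto11.Context` that nothing ever closes — `genAndSaveKeyToHsm` and `loadKeyFromHsm` each open their own, and the `crypto.Signer` they return is presumably bound to that context (crypto11 signers call back into it), so the PIN-authenticated PKCS#11 session stays open until the process exits and every further `hsmStorage.loadKey` call opens another one. That lifetime should be stated on `newPkcs11Session`, e.g. `// The returned context is deliberately never closed: the Signers it hands out are only usable while it is open, and the process exits shortly after signing.`, or better, the context cached once on `hsmStorage` so both methods share it. Key generation relies on crypto11's default attribute template; if the private key must never leave the token, confirm those defaults mark it CKA_SENSITIVE and non-extractable on the device in use, or pass an explicit template through `GenerateECDSAKeyPairWithAttributes`. Smaller points in the same hunk: the comment reads `existance`, both `fmt.Errorf` messages start with a capital letter, and `hsmObjectId` would be `hsmObjectID` under Go's initialism convention.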