alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Extractable certs

Browse source
This commit is contained in:
Gary Belvin 2021-06-17 09:23:22 -04:00 committed by Gary Belvin
parent be89459524
commit 22b471acf9
3 changed files with 26 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
cmd/step-pkcs11-init/main.go
View file

@ -328,6 +328,7 @@ func createPKI(k kms.KeyManager, c Config) error {
if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{ if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{
Name: c.RootObject, Name: c.RootObject,
Certificate: root, Certificate: root,
Extractable: c.Extractable,
}); err != nil { }); err != nil {
return err return err
} }
@ -406,6 +407,7 @@ func createPKI(k kms.KeyManager, c Config) error {
if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{ if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{
Name: c.CrtObject, Name: c.CrtObject,
Certificate: intermediate, Certificate: intermediate,
Extractable: c.Extractable,
}); err != nil { }); err != nil {
return err return err
} }

4
kms/apiv1/requests.go
View file

@ -156,4 +156,8 @@ type LoadCertificateRequest struct {
type StoreCertificateRequest struct { type StoreCertificateRequest struct {
Name string Name string
Certificate *x509.Certificate Certificate *x509.Certificate
// Whether the key may be exported from the HSM under a wrap key.
// Sets the CKA_EXTRACTABLE bit.
Extractable bool
} }

21
kms/pkcs11/pkcs11.go
View file

@ -33,6 +33,7 @@ type P11 interface {
FindKeyPair(id, label []byte) (crypto11.Signer, error) FindKeyPair(id, label []byte) (crypto11.Signer, error)
FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error) FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error)
ImportCertificateWithLabel(id, label []byte, cert *x509.Certificate) error ImportCertificateWithLabel(id, label []byte, cert *x509.Certificate) error
ImportCertificateWithAttributes(template crypto11.AttributeSet, certificate *x509.Certificate) error
DeleteCertificate(id, label []byte, serial *big.Int) error DeleteCertificate(id, label []byte, serial *big.Int) error
GenerateRSAKeyPairWithLabel(id, label []byte, bits int) (crypto11.SignerDecrypter, error) GenerateRSAKeyPairWithLabel(id, label []byte, bits int) (crypto11.SignerDecrypter, error)
GenerateECDSAKeyPairWithLabel(id, label []byte, curve elliptic.Curve) (crypto11.Signer, error) GenerateECDSAKeyPairWithLabel(id, label []byte, curve elliptic.Curve) (crypto11.Signer, error)
@ -197,13 +198,31 @@ func (k *PKCS11) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
}, "storeCertificate failed") }, "storeCertificate failed")
} }
if err := k.p11.ImportCertificateWithLabel(id, object, req.Certificate); err != nil { if err := ImportCertificateWithLabel(k.p11, id, object, req.Certificate, req.Extractable); err != nil {
return errors.Wrap(err, "storeCertificate failed") return errors.Wrap(err, "storeCertificate failed")
} }
return nil return nil
} }
func ImportCertificateWithLabel(ctx P11, id []byte, label []byte, certificate *x509.Certificate, extractable bool) error {
if id == nil {
return errors.New("id cannot be nil")
}
if label == nil {
return errors.New("label cannot be nil")
}
template, err := crypto11.NewAttributeSetWithIDAndLabel(id, label)
if err != nil {
return err
}
template.AddIfNotPresent([]*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, extractable),
})
return ctx.ImportCertificateWithAttributes(template, certificate)
}
// DeleteKey is a utility function to delete a key given an uri. // DeleteKey is a utility function to delete a key given an uri.
func (k *PKCS11) DeleteKey(uri string) error { func (k *PKCS11) DeleteKey(uri string) error {
id, object, err := parseObject(uri) id, object, err := parseObject(uri)