forked from TrueCloudLab/certificates
Extractable certs
This commit is contained in:
Gary Belvin
Gary Belvin
parent
be89459524
commit
22b471acf9
3 changed files with 26 additions and 1 deletions
|
|
@ -328,6 +328,7 @@ func createPKI(k kms.KeyManager, c Config) error {
|
|||
if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{
|
||||
Name: c.RootObject,
|
||||
Certificate: root,
|
||||
Extractable: c.Extractable,
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -406,6 +407,7 @@ func createPKI(k kms.KeyManager, c Config) error {
|
|||
if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{
|
||||
Name: c.CrtObject,
|
||||
Certificate: intermediate,
|
||||
Extractable: c.Extractable,
|
||||
}); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -156,4 +156,8 @@ type LoadCertificateRequest struct {
|
|||
type StoreCertificateRequest struct {
|
||||
Name string
|
||||
Certificate *x509.Certificate
|
||||
|
||||
// Whether the key may be exported from the HSM under a wrap key.
|
||||
// Sets the CKA_EXTRACTABLE bit.
|
||||
Extractable bool
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ type P11 interface {
|
|||
FindKeyPair(id, label []byte) (crypto11.Signer, error)
|
||||
FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error)
|
||||
ImportCertificateWithLabel(id, label []byte, cert *x509.Certificate) error
|
||||
ImportCertificateWithAttributes(template crypto11.AttributeSet, certificate *x509.Certificate) error
|
||||
DeleteCertificate(id, label []byte, serial *big.Int) error
|
||||
GenerateRSAKeyPairWithLabel(id, label []byte, bits int) (crypto11.SignerDecrypter, error)
|
||||
GenerateECDSAKeyPairWithLabel(id, label []byte, curve elliptic.Curve) (crypto11.Signer, error)
|
||||
|
|
@ -197,13 +198,31 @@ func (k *PKCS11) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
|
|||
}, "storeCertificate failed")
|
||||
}
|
||||
|
||||
if err := k.p11.ImportCertificateWithLabel(id, object, req.Certificate); err != nil {
|
||||
if err := ImportCertificateWithLabel(k.p11, id, object, req.Certificate, req.Extractable); err != nil {
|
||||
return errors.Wrap(err, "storeCertificate failed")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func ImportCertificateWithLabel(ctx P11, id []byte, label []byte, certificate *x509.Certificate, extractable bool) error {
|
||||
if id == nil {
|
||||
return errors.New("id cannot be nil")
|
||||
}
|
||||
if label == nil {
|
||||
return errors.New("label cannot be nil")
|
||||
}
|
||||
|
||||
template, err := crypto11.NewAttributeSetWithIDAndLabel(id, label)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
template.AddIfNotPresent([]*pkcs11.Attribute{
|
||||
pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, extractable),
|
||||
})
|
||||
return ctx.ImportCertificateWithAttributes(template, certificate)
|
||||
}
|
||||
|
||||
// DeleteKey is a utility function to delete a key given an uri.
|
||||
func (k *PKCS11) DeleteKey(uri string) error {
|
||||
id, object, err := parseObject(uri)
|
||||
|
|
|
|||
Loading…
Reference in a new issue