From 614ee794896a46c89bebb5734f744fbc6729c0cc Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Fri, 29 Oct 2021 12:02:24 -0700 Subject: [PATCH] Remove extractable from StoreCertificate. --- cmd/step-pkcs11-init/main.go | 2 -- kms/apiv1/requests.go | 14 ++++++-------- kms/pkcs11/pkcs11.go | 12 ++---------- kms/pkcs11/pkcs11_test.go | 17 +++-------------- 4 files changed, 11 insertions(+), 34 deletions(-) diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go index 0db1e4d9..df98aa8c 100644 --- a/cmd/step-pkcs11-init/main.go +++ b/cmd/step-pkcs11-init/main.go @@ -335,7 +335,6 @@ func createPKI(k kms.KeyManager, c Config) error { if err := cm.StoreCertificate(&apiv1.StoreCertificateRequest{ Name: c.RootObject, Certificate: root, - Extractable: c.Extractable, }); err != nil { return err } @@ -414,7 +413,6 @@ func createPKI(k kms.KeyManager, c Config) error { if err := cm.StoreCertificate(&apiv1.StoreCertificateRequest{ Name: c.CrtObject, Certificate: intermediate, - Extractable: c.Extractable, }); err != nil { return err } diff --git a/kms/apiv1/requests.go b/kms/apiv1/requests.go index 94d832f9..c2d1d49a 100644 --- a/kms/apiv1/requests.go +++ b/kms/apiv1/requests.go @@ -100,7 +100,7 @@ type GetPublicKeyRequest struct { type CreateKeyRequest struct { // Name represents the key name or label used to identify a key. // - // Used by: awskms, cloudkms, pkcs11, yubikey. + // Used by: awskms, cloudkms, azurekms, pkcs11, yubikey. Name string // SignatureAlgorithm represents the type of key to create. @@ -110,11 +110,13 @@ type CreateKeyRequest struct { Bits int // ProtectionLevel specifies how cryptographic operations are performed. - // Used by: cloudkms + // Used by: cloudkms, azurekms ProtectionLevel ProtectionLevel - // Whether the key may be exported from the HSM under a wrap key. - // Sets the CKA_EXTRACTABLE bit. + // Extractable defines if the new key may be exported from the HSM under a + // wrap key. On pkcs11 sets the CKA_EXTRACTABLE bit. + // + // Used by: pkcs11 Extractable bool } @@ -156,8 +158,4 @@ type LoadCertificateRequest struct { type StoreCertificateRequest struct { Name string Certificate *x509.Certificate - - // Whether the key may be exported from the HSM under a wrap key. - // Sets the CKA_EXTRACTABLE bit. - Extractable bool } diff --git a/kms/pkcs11/pkcs11.go b/kms/pkcs11/pkcs11.go index cec05d33..3e14debe 100644 --- a/kms/pkcs11/pkcs11.go +++ b/kms/pkcs11/pkcs11.go @@ -32,7 +32,7 @@ const DefaultRSASize = 3072 type P11 interface { FindKeyPair(id, label []byte) (crypto11.Signer, error) FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error) - ImportCertificateWithAttributes(template crypto11.AttributeSet, certificate *x509.Certificate) error + ImportCertificateWithLabel(id, label []byte, certificate *x509.Certificate) error DeleteCertificate(id, label []byte, serial *big.Int) error GenerateRSAKeyPairWithAttributes(public, private crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error) GenerateECDSAKeyPairWithAttributes(public, private crypto11.AttributeSet, curve elliptic.Curve) (crypto11.Signer, error) @@ -201,15 +201,7 @@ func (k *PKCS11) StoreCertificate(req *apiv1.StoreCertificateRequest) error { }, "storeCertificate failed") } - // Import certificate with the necessary attributes. - template, err := crypto11.NewAttributeSetWithIDAndLabel(id, object) - if err != nil { - return errors.Wrap(err, "storeCertificate failed") - } - if req.Extractable { - template.Set(crypto11.CkaExtractable, true) - } - if err := k.p11.ImportCertificateWithAttributes(template, req.Certificate); err != nil { + if err := k.p11.ImportCertificateWithLabel(id, object, req.Certificate); err != nil { return errors.Wrap(err, "storeCertificate failed") } diff --git a/kms/pkcs11/pkcs11_test.go b/kms/pkcs11/pkcs11_test.go index 409cfb3f..dfb63753 100644 --- a/kms/pkcs11/pkcs11_test.go +++ b/kms/pkcs11/pkcs11_test.go @@ -209,13 +209,13 @@ func TestPKCS11_CreateKey(t *testing.T) { }, }, false}, {"default extractable", args{&apiv1.CreateKeyRequest{ - Name: testObject, + Name: testObjectAlt, Extractable: true, }}, &apiv1.CreateKeyResponse{ - Name: testObject, + Name: testObjectAlt, PublicKey: &ecdsa.PublicKey{}, CreateSignerRequest: apiv1.CreateSignerRequest{ - SigningKey: testObject, + SigningKey: testObjectAlt, }, }, false}, {"RSA SHA256WithRSA", args{&apiv1.CreateKeyRequest{ @@ -573,7 +573,6 @@ func TestPKCS11_StoreCertificate(t *testing.T) { // Make sure to delete the created certificate t.Cleanup(func() { k.DeleteCertificate(testObject) - k.DeleteCertificate(testObjectAlt) }) type args struct { @@ -588,11 +587,6 @@ func TestPKCS11_StoreCertificate(t *testing.T) { Name: testObject, Certificate: cert, }}, false}, - {"ok extractable", args{&apiv1.StoreCertificateRequest{ - Name: testObjectAlt, - Certificate: cert, - Extractable: true, - }}, false}, {"fail already exists", args{&apiv1.StoreCertificateRequest{ Name: testObject, Certificate: cert, @@ -620,11 +614,6 @@ func TestPKCS11_StoreCertificate(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if tt.args.req.Extractable { - if testModule == "SoftHSM2" { - t.Skip("Extractable certificates are not supported on SoftHSM2") - } - } if err := k.StoreCertificate(tt.args.req); (err != nil) != tt.wantErr { t.Errorf("PKCS11.StoreCertificate() error = %v, wantErr %v", err, tt.wantErr) }