Revert "Remove extractable from StoreCertificate."
This reverts commit 614ee79489.
This commit is contained in:
parent
614ee79489
commit
8366b7ddf1
4 changed files with 34 additions and 11 deletions
|
@ -335,6 +335,7 @@ func createPKI(k kms.KeyManager, c Config) error {
|
||||||
if err := cm.StoreCertificate(&apiv1.StoreCertificateRequest{
|
if err := cm.StoreCertificate(&apiv1.StoreCertificateRequest{
|
||||||
Name: c.RootObject,
|
Name: c.RootObject,
|
||||||
Certificate: root,
|
Certificate: root,
|
||||||
|
Extractable: c.Extractable,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -413,6 +414,7 @@ func createPKI(k kms.KeyManager, c Config) error {
|
||||||
if err := cm.StoreCertificate(&apiv1.StoreCertificateRequest{
|
if err := cm.StoreCertificate(&apiv1.StoreCertificateRequest{
|
||||||
Name: c.CrtObject,
|
Name: c.CrtObject,
|
||||||
Certificate: intermediate,
|
Certificate: intermediate,
|
||||||
|
Extractable: c.Extractable,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
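Review bot: Both added lines (`Extractable: c.Extractable,` for the root and for the intermediate) reuse the single Config flag to mark the certificate objects extractable, so whatever that flag already governs for the keys (key creation is outside these hunks) now also applies to every certificate createPKI stores, including the root CA's. A one-line comment at each call site would make that coupling explicit, e.g. `// Mirror the key's extractable setting on the certificate object so both can be wrapped out together where the deployment requires it.` — presumably that is the intent; confirm against the backend that motivated the revert. createPKI starts and ends outside these hunks.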
@ -100,7 +100,7 @@ type GetPublicKeyRequest struct {
|
||||||
type CreateKeyRequest struct {
|
type CreateKeyRequest struct {
|
||||||
// Name represents the key name or label used to identify a key.
|
// Name represents the key name or label used to identify a key.
|
||||||
//
|
//
|
||||||
// Used by: awskms, cloudkms, azurekms, pkcs11, yubikey.
|
// Used by: awskms, cloudkms, pkcs11, yubikey.
|
||||||
Name string
|
Name string
|
||||||
|
|
||||||
// SignatureAlgorithm represents the type of key to create.
|
// SignatureAlgorithm represents the type of key to create.
|
||||||
|
@ -110,13 +110,11 @@ type CreateKeyRequest struct {
|
||||||
Bits int
|
Bits int
|
||||||
|
|
||||||
// ProtectionLevel specifies how cryptographic operations are performed.
|
// ProtectionLevel specifies how cryptographic operations are performed.
|
||||||
// Used by: cloudkms, azurekms
|
// Used by: cloudkms
|
||||||
ProtectionLevel ProtectionLevel
|
ProtectionLevel ProtectionLevel
|
||||||
|
|
||||||
// Extractable defines if the new key may be exported from the HSM under a
|
// Whether the key may be exported from the HSM under a wrap key.
|
||||||
// wrap key. On pkcs11 sets the CKA_EXTRACTABLE bit.
|
// Sets the CKA_EXTRACTABLE bit.
|
||||||
//
|
|
||||||
// Used by: pkcs11
|
|
||||||
Extractable bool
|
Extractable bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -158,4 +156,8 @@ type LoadCertificateRequest struct {
|
||||||
type StoreCertificateRequest struct {
|
type StoreCertificateRequest struct {
|
||||||
Name string
|
Name string
|
||||||
Certificate *x509.Certificate
|
Certificate *x509.Certificate
|
||||||
|
|
||||||
|
// Whether the key may be exported from the HSM under a wrap key.
|
||||||
|
// Sets the CKA_EXTRACTABLE bit.
|
||||||
|
Extractable bool
|
||||||
}
|
}
|
||||||
|
|
|
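Review bot: The comment added to StoreCertificateRequest.Extractable (`// Whether the key may be exported from the HSM under a wrap key.`) is copied from CreateKeyRequest and describes key export, but this request stores a certificate object, which holds only public data, so a reader could take the flag for a key-export control. Suggest `// Extractable sets CKA_EXTRACTABLE on the stored certificate object. Certificates are public, so this does not gate key export; some PKCS#11 modules reject the attribute on certificate objects. Used by: pkcs11.` The new side of this section also drops `azurekms` from the two "Used by" lists and removes the `// Used by: pkcs11` line under CreateKeyRequest.Extractable; that looks like collateral from reverting a commit that had touched those comments rather than anything the revert needs, so if azurekms support is still in the tree those lines should be restored.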
@ -32,7 +32,7 @@ const DefaultRSASize = 3072
|
||||||
type P11 interface {
|
type P11 interface {
|
||||||
FindKeyPair(id, label []byte) (crypto11.Signer, error)
|
FindKeyPair(id, label []byte) (crypto11.Signer, error)
|
||||||
FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error)
|
FindCertificate(id, label []byte, serial *big.Int) (*x509.Certificate, error)
|
||||||
ImportCertificateWithLabel(id, label []byte, certificate *x509.Certificate) error
|
ImportCertificateWithAttributes(template crypto11.AttributeSet, certificate *x509.Certificate) error
|
||||||
DeleteCertificate(id, label []byte, serial *big.Int) error
|
DeleteCertificate(id, label []byte, serial *big.Int) error
|
||||||
GenerateRSAKeyPairWithAttributes(public, private crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error)
|
GenerateRSAKeyPairWithAttributes(public, private crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error)
|
||||||
GenerateECDSAKeyPairWithAttributes(public, private crypto11.AttributeSet, curve elliptic.Curve) (crypto11.Signer, error)
|
GenerateECDSAKeyPairWithAttributes(public, private crypto11.AttributeSet, curve elliptic.Curve) (crypto11.Signer, error)
|
||||||
|
@ -201,7 +201,15 @@ func (k *PKCS11) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
|
||||||
}, "storeCertificate failed")
|
}, "storeCertificate failed")
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := k.p11.ImportCertificateWithLabel(id, object, req.Certificate); err != nil {
|
// Import certificate with the necessary attributes.
|
||||||
|
template, err := crypto11.NewAttributeSetWithIDAndLabel(id, object)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "storeCertificate failed")
|
||||||
|
}
|
||||||
|
if req.Extractable {
|
||||||
|
template.Set(crypto11.CkaExtractable, true)
|
||||||
|
}
|
||||||
|
if err := k.p11.ImportCertificateWithAttributes(template, req.Certificate); err != nil {
|
||||||
return errors.Wrap(err, "storeCertificate failed")
|
return errors.Wrap(err, "storeCertificate failed")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
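Review bot: In PKCS11.StoreCertificate the new branch `if req.Extractable { template.Set(crypto11.CkaExtractable, true) }` applies CKA_EXTRACTABLE to a certificate object; in PKCS#11 that attribute belongs to key objects, and the test change in this commit skips the case on SoftHSM2 because the module does not accept it, so on a strictly validating module a request with `Extractable: true` fails at import instead of being a no-op. If that is the intended contract, say so at the branch: `// CKA_EXTRACTABLE is a key attribute; certificates are public, so this only matters for modules that expect it on the cert when wrapping a key/cert pair out, and some modules (SoftHSM2) reject it on certificate objects.` The `P11` interface also swaps `ImportCertificateWithLabel` for `ImportCertificateWithAttributes`, so any other implementation or mock of P11 outside this diff must follow. The rest of StoreCertificate lies outside the hunk.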
@ -209,13 +209,13 @@ func TestPKCS11_CreateKey(t *testing.T) {
|
||||||
},
|
},
|
||||||
}, false},
|
}, false},
|
||||||
{"default extractable", args{&apiv1.CreateKeyRequest{
|
{"default extractable", args{&apiv1.CreateKeyRequest{
|
||||||
Name: testObjectAlt,
|
Name: testObject,
|
||||||
Extractable: true,
|
Extractable: true,
|
||||||
}}, &apiv1.CreateKeyResponse{
|
}}, &apiv1.CreateKeyResponse{
|
||||||
Name: testObjectAlt,
|
Name: testObject,
|
||||||
PublicKey: &ecdsa.PublicKey{},
|
PublicKey: &ecdsa.PublicKey{},
|
||||||
CreateSignerRequest: apiv1.CreateSignerRequest{
|
CreateSignerRequest: apiv1.CreateSignerRequest{
|
||||||
SigningKey: testObjectAlt,
|
SigningKey: testObject,
|
||||||
},
|
},
|
||||||
}, false},
|
}, false},
|
||||||
{"RSA SHA256WithRSA", args{&apiv1.CreateKeyRequest{
|
{"RSA SHA256WithRSA", args{&apiv1.CreateKeyRequest{
|
||||||
|
@ -573,6 +573,7 @@ func TestPKCS11_StoreCertificate(t *testing.T) {
|
||||||
// Make sure to delete the created certificate
|
// Make sure to delete the created certificate
|
||||||
t.Cleanup(func() {
|
t.Cleanup(func() {
|
||||||
k.DeleteCertificate(testObject)
|
k.DeleteCertificate(testObject)
|
||||||
|
k.DeleteCertificate(testObjectAlt)
|
||||||
})
|
})
|
||||||
|
|
||||||
type args struct {
|
type args struct {
|
||||||
|
@ -587,6 +588,11 @@ func TestPKCS11_StoreCertificate(t *testing.T) {
|
||||||
Name: testObject,
|
Name: testObject,
|
||||||
Certificate: cert,
|
Certificate: cert,
|
||||||
}}, false},
|
}}, false},
|
||||||
|
{"ok extractable", args{&apiv1.StoreCertificateRequest{
|
||||||
|
Name: testObjectAlt,
|
||||||
|
Certificate: cert,
|
||||||
|
Extractable: true,
|
||||||
|
}}, false},
|
||||||
{"fail already exists", args{&apiv1.StoreCertificateRequest{
|
{"fail already exists", args{&apiv1.StoreCertificateRequest{
|
||||||
Name: testObject,
|
Name: testObject,
|
||||||
Certificate: cert,
|
Certificate: cert,
|
||||||
|
@ -614,6 +620,11 @@ func TestPKCS11_StoreCertificate(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
if tt.args.req.Extractable {
|
||||||
|
if testModule == "SoftHSM2" {
|
||||||
|
t.Skip("Extractable certificates are not supported on SoftHSM2")
|
||||||
|
}
|
||||||
|
}
|
||||||
if err := k.StoreCertificate(tt.args.req); (err != nil) != tt.wantErr {
|
if err := k.StoreCertificate(tt.args.req); (err != nil) != tt.wantErr {
|
||||||
t.Errorf("PKCS11.StoreCertificate() error = %v, wantErr %v", err, tt.wantErr)
|
t.Errorf("PKCS11.StoreCertificate() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
}
|
}
|
||||||
|
|
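Review bot: The `t.Skip` added in TestPKCS11_StoreCertificate means the only test of the new Extractable path never runs on SoftHSM2, so a CI that uses that module exercises neither the success nor the failure behaviour of the new branch in PKCS11.StoreCertificate. If SoftHSM2 rejects the import (the skip message suggests it does; verify), pinning the rejection keeps the branch covered: `if tt.args.req.Extractable && testModule == "SoftHSM2" { tt.wantErr = true // SoftHSM2 rejects CKA_EXTRACTABLE on certificate objects }`. Separately, the "default extractable" case in TestPKCS11_CreateKey is renamed from testObjectAlt to testObject; if an earlier case in that table (outside the hunk) already creates testObject, this case would hit an already-exists error, so check the ordering and the cleanup. Both test functions start and end outside these hunks.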