PKCS#11 Vault #501

Merged
merged 10 commits into from
Oct 29, 2024
11 changes: 5 additions & 6 deletions .gitignore
Expand Up @@ -22,12 +22,11 @@ dist
.release-env
.env
.docker-creds
./signatory
./signatory-cli
/signatory
/signatory-cli
.DS_Store

# some integration_tests write secret env var to files
integration_test/gcp-token.json
integration_test/.env.vaults.cicd
integration_test/service-principal.key
**vault**
/integration_test/gcp-token.json
/integration_test/.env.vaults.cicd
/integration_test/service-principal.key
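Review bot: The catch-all `**vault**` entry appears to be dropped here (the +/- markers are lost on this page, but that reading fits the 5/6 counts), which leaves only the three anchored `/integration_test/...` paths covering the files that, per the comment above them, hold secret env vars. Any other credential file the integration tests write with "vault" in its name would then show up as untracked and could be committed by accident. Worth confirming that those three paths are the complete list, and adding an explicit entry for each further file rather than restoring the broad glob.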
1 change: 1 addition & 0 deletions cmd/signatory-cli/main.go
Expand Up @@ -19,6 +19,7 @@ import (
_ "github.com/ecadlabs/signatory/pkg/vault/hashicorp"
_ "github.com/ecadlabs/signatory/pkg/vault/ledger"
_ "github.com/ecadlabs/signatory/pkg/vault/mem"
_ "github.com/ecadlabs/signatory/pkg/vault/pkcs11"
_ "github.com/ecadlabs/signatory/pkg/vault/yubi"
)

1 change: 1 addition & 0 deletions cmd/signatory/main.go
Expand Up @@ -18,6 +18,7 @@ import (
_ "github.com/ecadlabs/signatory/pkg/vault/hashicorp"
_ "github.com/ecadlabs/signatory/pkg/vault/ledger"
_ "github.com/ecadlabs/signatory/pkg/vault/mem"
_ "github.com/ecadlabs/signatory/pkg/vault/pkcs11"
_ "github.com/ecadlabs/signatory/pkg/vault/yubi"
)

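--- a/docs/pkcs11.md
+++ b/docs/pkcs11.md
@@ -0,0 +1,36 @@
+---
+id: pkcs11
+title: PKCS#11
+---
+
+# PKCS#11 Vault
+
+## Configuration
+
+|||||
+|--- |--- |--- |--- |
+|Name|Type|Required|Description|
+|library_path|string|✅|Library Path|
+|pin|string|✅|User PIN|
+|slot|string||Slot ID|
+|label|string||Limit key search to the specified label (use in case of multiple key pairs in the same token)|
+|object_ih|hex||Limit key search to the specified object ID (use in case of multiple key pairs in the same token)|
+
+**Note**: If the token contains multiple key pairs, every pair must have unique label or ID shared between private and public parts.
+
+### Example
+
+```yaml
+library_path: /opt/homebrew/lib/softhsm/libsofthsm2.so
+pin: 1234
+slot: 0x4d0b85a2
+label: TestKey
+```
+
+## Environment variables
+
+* `PKCS11_PATH`
+* `PKCS11_PIN`
+* `PKCS11_SLOT`
+* `PKCS11_LABEL`
+* `PKCS11_OBJECT_ID`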
18 changes: 11 additions & 7 deletions go.mod
@@ -1,11 +1,14 @@
module github.com/ecadlabs/signatory

go 1.21
go 1.22

toolchain go1.23.1

require (
cloud.google.com/go/kms v1.15.5
github.com/certusone/yubihsm-go v0.3.0
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0
github.com/ecadlabs/go-pkcs11 v0.1.6
github.com/ecadlabs/goblst v1.0.0
github.com/ecadlabs/gotez/v2 v2.0.6
github.com/go-playground/validator/v10 v10.16.0
Expand All @@ -20,7 +23,7 @@ require (
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.8.0
github.com/stretchr/testify v1.8.4
golang.org/x/crypto v0.23.0
golang.org/x/crypto v0.27.0
golang.org/x/exp v0.0.0-20231127185646-65229373498e
golang.org/x/oauth2 v0.15.0
google.golang.org/api v0.152.0
Expand Down Expand Up @@ -54,7 +57,7 @@ require (
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/rogpeppe/go-internal v1.12.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
golang.org/x/sync v0.5.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/genproto v0.0.0-20231127180814-3a041ad873d4 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231127180814-3a041ad873d4 // indirect
Expand Down Expand Up @@ -82,12 +85,13 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/net v0.21.0 // indirect
golang.org/x/sys v0.20.0 // indirect
golang.org/x/term v0.20.0
golang.org/x/text v0.15.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/term v0.24.0
golang.org/x/text v0.18.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/grpc v1.59.0 // indirect
google.golang.org/protobuf v1.31.0 // indirect
)

// replace github.com/ecadlabs/gotez/v2 => ../gotez
// replace github.com/ecadlabs/go-pkcs11 => ../go-pkcs11
36 changes: 14 additions & 22 deletions go.sum
Expand Up @@ -31,12 +31,12 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
github.com/ecadlabs/go-pkcs11 v0.1.6 h1:YnskuaCjLHoY9Y3sdUxB4POlTApsmZAdc0yw7AKPpUU=
github.com/ecadlabs/go-pkcs11 v0.1.6/go.mod h1:PwcQJwjNjjE0WtXtkTv4E0JNIcbl3cdIw+J+pRQbVjE=
github.com/ecadlabs/goblst v1.0.0 h1:8/e3SQGwqbV0+ul+pg0aSNFfC3lgQcvEed3VdDBXSl8=
github.com/ecadlabs/goblst v1.0.0/go.mod h1:s67gqaOol9o6fguh+evH75X5uQniOhv1HG/EU8xPLPY=
github.com/ecadlabs/gotez/v2 v2.0.5 h1:RmpCEKYlQD18TtL9vjSDRe3FYADhxlKh80DZQz8h31Q=
github.com/ecadlabs/gotez/v2 v2.0.5/go.mod h1:QypK0m1eDPmB9R7Uvgmsfm+JS7Z5Y6dIbIq1tMVYayU=
github.com/ecadlabs/gotez/v2 v2.0.6 h1:P7eQ2G+SO1tTV4NHnkdNlrOHxKDo1iF9m34HTLfS3b8=
github.com/ecadlabs/gotez/v2 v2.0.6/go.mod h1:QypK0m1eDPmB9R7Uvgmsfm+JS7Z5Y6dIbIq1tMVYayU=
github.com/ecadlabs/pretty v0.0.0-20230412124801-f948fc689a04 h1:7WdblGykGxtGGtchW4kzTaJJO8Fm+JKhLzhttOOWr9k=
Expand Down Expand Up @@ -222,10 +222,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20231127185646-65229373498e h1:Gvh4YaCaXNs6dKTlfgismwWZKyjVZXwOPfIyUaqU3No=
golang.org/x/exp v0.0.0-20231127185646-65229373498e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
Expand Down Expand Up @@ -253,8 +251,8 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
Expand All @@ -270,26 +268,20 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
24 changes: 18 additions & 6 deletions pkg/vault/memory/vault.go
Expand Up @@ -19,6 +19,10 @@ type PrivateKey struct {
KeyID string
}

func (p *PrivateKey) Elem() (key vault.StoredKey, err error) {
return p, nil
}

// PublicKey get the public key associated with this key
func (f *PrivateKey) PublicKey() crypt.PublicKey {
return f.PrivateKey.Public()
Expand All @@ -44,18 +48,26 @@ type Vault struct {
unlocked bool
}

type iterator struct {
keys []*PrivateKey
type IteratorElem interface {
Elem() (key vault.StoredKey, err error)
}

type Iterator[T IteratorElem] struct {
keys []T
idx int
}

func (i *iterator) Next() (key vault.StoredKey, err error) {
func NewIterator[T IteratorElem](keys []T) *Iterator[T] {
return &Iterator[T]{keys: keys}
}

func (i *Iterator[T]) Next() (key vault.StoredKey, err error) {
if i.idx == len(i.keys) {
return nil, vault.ErrDone
}
key = i.keys[i.idx]
key, err = i.keys[i.idx].Elem()
i.idx++
return key, nil
return key, err
}

// NewUnparsed create a new in-mempory vault from Tezos encoded data. Call Unlock before use
Expand Down Expand Up @@ -108,7 +120,7 @@ func New(src []*PrivateKey, name string) (*Vault, error) {
func (v *Vault) ListPublicKeys(ctx context.Context) vault.StoredKeysIterator {
v.mtx.Lock()
defer v.mtx.Unlock()
return &iterator{keys: v.keys}
return &Iterator[*PrivateKey]{keys: v.keys}
}

// GetPublicKey retrieve a public key
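Review bot: The new exported `IteratorElem`, `Iterator` and `NewIterator` carry no doc comments, and the error contract of `Next` is left implicit: when `Elem()` fails, `i.idx++` still runs and the error is returned together with whatever `key` `Elem` produced. A caller cannot tell from the code whether it may keep iterating past a failed element or must stop, which matters once a backend's `Elem` can actually fail (the in-memory one visible here always returns a nil error). I would add a comment such as `// Next returns the next stored key; an error from Elem is returned as-is and the iterator still advances.` and have `ListPublicKeys` go through the constructor, `return NewIterator(v.keys)`. The new `Elem` method also names its receiver `p` while `PublicKey` on the same type uses `f`.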
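--- a/pkg/vault/pkcs11/pkcs11_test.go
+++ b/pkg/vault/pkcs11/pkcs11_test.go
@@ -0,0 +1,94 @@
+package pkcs11
+
+import (
+"context"
+"errors"
+"fmt"
+"os"
+"os/exec"
+"path/filepath"
+"runtime"
+"testing"
+
+"github.com/ecadlabs/gotez/v2/crypt"
+"github.com/ecadlabs/signatory/pkg/vault"
+"github.com/stretchr/testify/require"
+)
+
+const (
+libSoftHSMPathUnix = "/usr/lib/softhsm/libsofthsm2.so"
+libSoftHSMPathMac = "/opt/homebrew/lib/softhsm/libsofthsm2.so"
+
+userPIN = "1234"
+soPIN = "1234"
+keyLabel = "TestKey"
+tokenLabel = "TestToken"
+)
+
+func TestPKCS11Vault(t *testing.T) {
+var path string
+if runtime.GOOS == "darwin" {
+path = libSoftHSMPathMac
+} else {
+path = libSoftHSMPathUnix
+}
+
+if _, err := os.Stat(path); err != nil {
+if errors.Is(err, os.ErrNotExist) {
+t.Skipf("libsofthsm2 not installed, skipping testing")
+}
+t.Fatal(err)
+}
+
+if _, err := exec.LookPath("pkcs11-tool"); err != nil {
+if errors.Is(err, exec.ErrNotFound) {
+t.Skipf("pkcs11-tool not installed, skipping testing")
+}
+t.Fatal(err)
+}
+
+configPath := filepath.Join(t.TempDir(), "softhsm.conf")
+tokensPath := t.TempDir()
+
+fd, err := os.OpenFile(configPath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644)
+require.NoError(t, err)
+fmt.Fprintf(fd, "directories.tokendir = %s\n", tokensPath)
+fd.Close()
+
+t.Setenv("SOFTHSM2_CONF", configPath)
+
+out, err := exec.Command("pkcs11-tool", "--verbose", "--module", path, "--init-token", "--label", tokenLabel, "--so-pin", soPIN).CombinedOutput()
+if err != nil {
+t.Fatal(string(out))
+}
+
+out, err = exec.Command("pkcs11-tool", "--verbose", "--module", path, "--login", "--so-pin", soPIN, "--init-pin", "--pin", userPIN).CombinedOutput()
+if err != nil {
+t.Fatal(string(out))
+}
+
+out, err = exec.Command("pkcs11-tool", "--verbose", "--module", path, "--login", "--pin", userPIN, "--keypairgen", "--key-type", "EC:prime256v1", "--usage-sign", "--label", keyLabel).CombinedOutput()
+if err != nil {
+t.Fatal(string(out))
+}
+
+v, err := New(context.Background(), &Config{
+LibraryPath: path,
+Pin: userPIN,
+Label: keyLabel,
+})
+require.NoError(t, err)
+t.Cleanup(func() { v.Close() })
+
+require.NoError(t, v.Unlock(context.Background()))
+
+keys, err := vault.Collect(v.ListPublicKeys(context.Background()))
+require.NoError(t, err)
+require.Len(t, keys, 1)
+k0 := keys[0].PublicKey().(*crypt.ECDSAPublicKey)
+
+key, err := v.GetPublicKey(context.Background(), keys[0].ID())
+require.NoError(t, err)
+k1 := key.PublicKey().(*crypt.ECDSAPublicKey)
+require.Equal(t, k0, k1)
+}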
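Review bot: The test stops at comparing the public key from `ListPublicKeys` with the one from `GetPublicKey`, so the vault's signing path against the token is never exercised even though the key pair is generated with `--usage-sign`. For an HSM backend, a sign-then-verify round trip against `k0` is the check that catches a wrong mechanism or signature encoding, and I would add one after the final `require.Equal`. Separately, the bare assertions `.(*crypt.ECDSAPublicKey)` panic rather than fail on an unexpected key type, and the results of `fmt.Fprintf(fd, ...)` and `fd.Close()` are dropped, so a short write of softhsm.conf would surface only as an unrelated pkcs11-tool failure; `require.IsType` before each assertion and `require.NoError(t, fd.Close())` would cover both.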