Merge pull request #24 from mode51software/develop

Sign Self Issued and Delete

CHANGELOG.md

@@ -1,3 +1,8 @@
+## v0.3.4
+### 27/03/2021
+
+* Sign Self Issued
+
 ## v0.3.3
 ### 18/03/2021
 

README.md

@@ -216,11 +216,30 @@ View the [TESTING](TESTING.md) README
 
 ### Troubleshooting
 
+#### Vault
+
+* api_addr must be configured in [Vault's server configuration file](https://www.vaultproject.io/docs/configuration#api_addr) otherwise plugins don't work properly.
+
+
 #### SafeNet DPoD [Troubleshooting](https://thalesdocs.com/dpod/services/hsmod_services/hsmod_troubleshooting/index.html)
 
+##### Environment
+
+The setenv script sets the following environment var. Please use the path to the root of your dpod files:
+
+```
+declare -x ChrystokiConfigurationPath="/opt/safenet/dpod/current"
+```
+
+This can be set in the service section of the systemd configuration file:
+
+```
+Environment="ChrystokiConfigurationPath=/opt/safenet/dpod/current"
+```
+
 ##### HSM error code 0x80001604
 
-This may indicate that the SafeNet DPoD partition is full
+* This may indicate that the SafeNet DPoD partition is full
 
 ## License
 

conf/config-nshield.hcl

@@ -0,0 +1,10 @@
+
+lib = "/opt/apps/nfast/20201219/bin/libcknfast.so"
+# list slots using pkcs11-tool -L --module /opt/nfast/toolkits/pkcs11/libcknfast.so and use the decimal slot ID
+slot_id = 761406614
+pin = "1234"
+# be aware that the key_label can be overridden by dynamically providing it during Set Signed Intermediate
+#key_label = "ECTestCAInterKey0016"
+#key_label = "ECTestCARootKey0017"
+connect_timeout_s = 10
+read_timeout_s = 5

pkg/hsmpki/backend.go

@@ -20,6 +20,14 @@ import (
 type cachedCAConfig struct {
 	caKeyAlias string
 	hashAlgo   crypto.Hash
+	caKeyType  uint
+	caKeySize  int
+}
+
+func (c *cachedCAConfig) flushCAConfig() {
+	c.caKeyAlias = ""
+	c.caKeyType = 0
+	c.caKeySize = 0
 }
 
 type HsmPkiBackend struct {
@@ -96,7 +104,7 @@ func Backend(conf *logical.BackendConfig) (*HsmPkiBackend, error) {
 			pki.PathRoles(&b.pkiBackend.Backend),
 			pathGenerateRoot(b),
 			pathSignIntermediate(b),
-			//pathSignSelfIssued(b),
+			pathSignSelfIssued(b),
 			pathDeleteRoot(b),
 			pathGenerateIntermediate(b),
 			pathSetSignedIntermediate(b),
@@ -258,7 +266,15 @@ func (b *HsmPkiBackend) loadStorage() {
 		b.cachedCAConfig.caKeyAlias = b.pkcs11client.HsmConfig.KeyLabel
 	} else {
 		b.cachedCAConfig.caKeyAlias = string(caKeyAlias.Value)
-		msg := fmt.Sprintf("Found HSM key label in storage: %s alias: %s", caKeyAlias.Value, b.cachedCAConfig.caKeyAlias)
+
+		if keyType, err := b.loadCAKeyType(context.Background(), b.pkiBackend.GetStorage()); err != nil {
+			b.pkiBackend.Backend.Logger().Error("Error retrieving key type")
+		} else {
+			b.cachedCAConfig.caKeyType = keyType
+		}
+
+		msg := fmt.Sprintf("Found HSM key label in storage: %s alias: %s keyType: %d",
+			caKeyAlias.Value, b.cachedCAConfig.caKeyAlias, b.cachedCAConfig.caKeyType)
 		b.pkiBackend.Backend.Logger().Info(msg)
 	}
 

pkg/hsmpki/hsmhelpers.go

@@ -329,8 +329,10 @@ func CreateCertificate(b *HsmPkiBackend, data *certutil.CreationBundle) (*certut
 			// gen a new key label based on the curr time
 			keyLabel := "ROOTCA" + GenDateTimeKeyLabel()
 			b.cachedCAConfig.caKeyAlias = keyLabel
-			b.saveCAKeyData(context.Background(), b.pkiBackend.GetStorage(),
-				&keyLabel, keyType, data.Params.KeyBits)
+			if err = b.saveCAKeyData(context.Background(), b.pkiBackend.GetStorage(),
+				&keyLabel, keyType, data.Params.KeyBits); err != nil {
+				return nil, errutil.InternalError{err.Error()}
+			}
 		}
 
 		keyConfig := &pkcs11client.KeyConfig{Label: b.cachedCAConfig.caKeyAlias, Type: keyType, KeyBits: data.Params.KeyBits}

pkg/hsmpki/hsmpath_fetch.go

@@ -46,43 +46,72 @@ func (b *HsmPkiBackend) loadCAKeyAlias(ctx context.Context, storage logical.Stor
 	return b.loadCAKeyData(ctx, storage, PATH_CAKEYLABEL)
 }
 
-/*func (b *HsmPkiBackend) loadCAKeyType(ctx context.Context, storage logical.Storage) (*logical.StorageEntry, error) {
-	return b.loadCAKeyData(ctx, storage, PATH_CAKEYTYPE)
+func (b *HsmPkiBackend) loadCAKeyType(ctx context.Context, storage logical.Storage) (uint, error) {
+	if data, err := b.loadCAKeyData(ctx, storage, PATH_CAKEYTYPE); err != nil {
+		b.cachedCAConfig.caKeyType = 0
+		return 0, err
+	} else {
+		val := uint(data.Value[0])
+		b.cachedCAConfig.caKeyType = val
+		return val, nil
+	}
 }
 
-func (b *HsmPkiBackend) loadCAKeySize(ctx context.Context, storage logical.Storage) (*logical.StorageEntry, error) {
-	return b.loadCAKeyData(ctx, storage, PATH_CAKEYSIZE)
-}*/
+func (b *HsmPkiBackend) loadCAKeySize(ctx context.Context, storage logical.Storage) (int, error) {
+	if data, err := b.loadCAKeyData(ctx, storage, PATH_CAKEYSIZE); err != nil {
+		b.cachedCAConfig.caKeySize = 0
+		return 0, err
+	} else {
+		val := (int(data.Value[0]) * 256) + (int(data.Value[1]))
+		b.cachedCAConfig.caKeySize = val
+		return val, nil
+	}
+}
 
 func (b *HsmPkiBackend) loadCAKeyData(ctx context.Context, storage logical.Storage, data string) (*logical.StorageEntry, error) {
-	caKeyAlias, err := storage.Get(ctx, data)
+	ret, err := storage.Get(ctx, data)
 	if err != nil {
 		return nil, err
 	}
-	return caKeyAlias, nil
+	return ret, nil
 }
 
 func (b *HsmPkiBackend) saveCAKeyData(ctx context.Context, storage logical.Storage,
-	caKeyAlias *string, caKeyType uint, caKeySize int) error {
-	return b.saveStoreData(ctx, storage, PATH_CAKEYLABEL, caKeyAlias)
+	caKeyLabel *string, caKeyType uint, caKeySize int) (err error) {
+	if err = b.saveCAKeyLabel(ctx, storage, caKeyLabel); err != nil {
+		return
+	}
+	if err = b.saveCAKeyType(ctx, storage, caKeyType); err != nil {
+		return
+	}
+	if err = b.saveCAKeySize(ctx, storage, caKeySize); err != nil {
+		return
+	}
+	return
 }
 
 func (b *HsmPkiBackend) saveCAKeyLabel(ctx context.Context, storage logical.Storage, caKeyAlias *string) error {
-	return b.saveStoreData(ctx, storage, PATH_CAKEYLABEL, caKeyAlias)
+	data := []byte(*caKeyAlias)
+	b.cachedCAConfig.caKeyAlias = *caKeyAlias
+	return b.saveStoreData(ctx, storage, PATH_CAKEYLABEL, &data)
 }
 
-/*func (b *HsmPkiBackend) saveCAKeyType(ctx context.Context, storage logical.Storage, caKeyType uint) error {
-	return b.saveStoreData(ctx, storage, PATH_CAKEYTYPE, caKeyType)
+func (b *HsmPkiBackend) saveCAKeyType(ctx context.Context, storage logical.Storage, caKeyType uint) error {
+	data := []byte{byte(caKeyType)}
+	b.cachedCAConfig.caKeyType = caKeyType
+	return b.saveStoreData(ctx, storage, PATH_CAKEYTYPE, &data)
 }
 
 func (b *HsmPkiBackend) saveCAKeySize(ctx context.Context, storage logical.Storage, caKeySize int) error {
-	return b.saveStoreData(ctx, storage, PATH_CAKEYSIZE, caKeySize)
-}*/
+	data := []byte{byte(caKeySize / 256), byte(caKeySize % 256)}
+	b.cachedCAConfig.caKeySize = caKeySize
+	return b.saveStoreData(ctx, storage, PATH_CAKEYSIZE, &data)
+}
 
-func (b *HsmPkiBackend) saveStoreData(ctx context.Context, storage logical.Storage, path string, data *string) error {
+func (b *HsmPkiBackend) saveStoreData(ctx context.Context, storage logical.Storage, path string, data *[]byte) error {
 	entry := logical.StorageEntry{
 		Key:      path,
-		Value:    []byte(*data),
+		Value:    *data,
 		SealWrap: false,
 	}
 	if err := storage.Put(ctx, &entry); err != nil {

pkg/hsmpki/hsmpath_root.go

@@ -2,10 +2,16 @@ package hsmpki
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/mode51software/pkcs11helper/pkg/pkcs11client"
 	"github.com/mode51software/vaultplugin-hsmpki/pkg/pki"
+	"reflect"
+	"strings"
 	"time"
 
 	"github.com/hashicorp/errwrap"
@@ -86,7 +92,7 @@ the non-repudiation flag.`,
 	return ret
 }
 
-/*func pathSignSelfIssued(b *HsmPkiBackend) *framework.Path {
+func pathSignSelfIssued(b *HsmPkiBackend) *framework.Path {
 	ret := &framework.Path{
 		Pattern: "root/sign-self-issued",
 
@@ -106,7 +112,7 @@ the non-repudiation flag.`,
 	}
 
 	return ret
-}*/
+}
 
 func (b *HsmPkiBackend) pathCADeleteRoot(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 
@@ -121,6 +127,8 @@ func (b *HsmPkiBackend) pathCADeleteRoot(ctx context.Context, req *logical.Reque
 		if err := b.pkcs11client.DeleteKeyPair(&keyConfig); err != nil {
 			return nil, errutil.UserError{"Unable to delete CA #{{err}}"}
 		}
+		b.cachedCAConfig.flushCAConfig()
+		b.saveCAKeyData(ctx, req.Storage, &b.cachedCAConfig.caKeyAlias, 0, 0)
 
 	}
 	return nil, req.Storage.Delete(ctx, CA_BUNDLE)
@@ -407,7 +415,7 @@ func (b *HsmPkiBackend) pathCASignIntermediate(ctx context.Context, req *logical
 	return resp, nil
 }
 
-/*func (b *HsmPkiBackend) pathCASignSelfIssued(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *HsmPkiBackend) pathCASignSelfIssued(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	var err error
 
 	if err = b.checkPkcs11ConnectionSync(); err != nil {
@@ -459,17 +467,36 @@ func (b *HsmPkiBackend) pathCASignIntermediate(ctx context.Context, req *logical
 	cert.CRLDistributionPoints = urls.CRLDistributionPoints
 	cert.OCSPServer = urls.OCSPServers
 
-//	msg := fmt.Sprintf("sign type=%s", signingCB.PrivateKeyType)
-//	b.pkiBackend.Backend.Logger().Info(msg)
+	if len(b.cachedCAConfig.caKeyAlias) == 0 {
+		return nil, errutil.UserError{Err: "No HSM key label has been set"}
+	}
+
+	msg := fmt.Sprintf("keyLabel=%s, keyType=%d, keySize=%d",
+		b.cachedCAConfig.caKeyAlias, b.cachedCAConfig.caKeyType, b.cachedCAConfig.caKeySize)
+	b.pkiBackend.Backend.Logger().Info(msg)
 
-	//	publicKey, err := b.pkcs11client.ReadPublicKey(&keyConfig, keyConfig.Type)
+	//	msg := fmt.Sprintf("sign type=%s", signingCB.PrivateKeyType)
+	//	b.pkiBackend.Backend.Logger().Info(msg)
+
+	keyConfig := pkcs11client.KeyConfig{
+		Label:   b.cachedCAConfig.caKeyAlias,
+		Type:    b.cachedCAConfig.caKeyType,
+		KeyBits: b.cachedCAConfig.caKeySize,
+	}
+	publicKey, err := b.pkcs11client.ReadPublicKey(&keyConfig, b.cachedCAConfig.caKeyType)
+
+	if err != nil {
+		return nil, errutil.UserError{Err: "Unable to read CA public key for " + b.cachedCAConfig.caKeyAlias}
+	}
 
 	var caSigner pkcs11client.HsmSigner
 	caSigner.KeyConfig.Label = b.cachedCAConfig.caKeyAlias
+	caSigner.KeyConfig.Type = b.cachedCAConfig.caKeyType
+	caSigner.KeyConfig.KeyBits = b.cachedCAConfig.caKeySize
 	caSigner.Pkcs11Client = &b.pkcs11client
-	//	caSigner.PublicKey = publicKey
+	caSigner.PublicKey = publicKey
 
-	newCert, err := x509.CreateCertificate(rand.Reader, cert, signingBundle.Certificate, cert.PublicKey, signingBundle.PrivateKey)
+	newCert, err := x509.CreateCertificate(rand.Reader, cert, signingBundle.Certificate, cert.PublicKey, caSigner) //signingBundle.PrivateKey)
 	if err != nil {
 		return nil, errwrap.Wrapf("error signing self-issued certificate: {{err}}", err)
 	}
@@ -488,7 +515,7 @@ func (b *HsmPkiBackend) pathCASignIntermediate(ctx context.Context, req *logical
 		},
 	}, nil
 }
-*/
+
 const pathGenerateRootHelpSyn = `
 Generate a new CA certificate and private key used for signing.
 `