mirror of https://github.com/docker/docs.git
655 lines
18 KiB
Go
655 lines
18 KiB
Go
// +build pkcs11
|
|
|
|
package api
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"crypto/x509"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"math/big"
|
|
|
|
"github.com/Sirupsen/logrus"
|
|
"github.com/docker/notary/passphrase"
|
|
"github.com/docker/notary/trustmanager"
|
|
"github.com/docker/notary/tuf/data"
|
|
"github.com/miekg/pkcs11"
|
|
)
|
|
|
|
const (
|
|
USER_PIN = "123456"
|
|
SO_USER_PIN = "010203040506070801020304050607080102030405060708"
|
|
numSlots = 50 // number of slots in the yubikey
|
|
)
|
|
|
|
// Hardcoded yubikey PKCS11 ID
|
|
var YUBIKEY_ROOT_KEY_ID = []byte{2}
|
|
|
|
type yubiSlot struct {
|
|
role string
|
|
slotID []byte
|
|
}
|
|
|
|
// YubiPrivateKey represents a private key inside of a yubikey
|
|
type YubiPrivateKey struct {
|
|
data.ECDSAPublicKey
|
|
passRetriever passphrase.Retriever
|
|
slot []byte
|
|
}
|
|
|
|
type YubikeySigner struct {
|
|
YubiPrivateKey
|
|
}
|
|
|
|
func NewYubiPrivateKey(slot []byte, pubKey data.ECDSAPublicKey, passRetriever passphrase.Retriever) *YubiPrivateKey {
|
|
return &YubiPrivateKey{
|
|
ECDSAPublicKey: pubKey,
|
|
passRetriever: passRetriever,
|
|
slot: slot,
|
|
}
|
|
}
|
|
|
|
func (ys *YubikeySigner) Public() crypto.PublicKey {
|
|
publicKey, err := x509.ParsePKIXPublicKey(ys.YubiPrivateKey.Public())
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
return publicKey
|
|
}
|
|
|
|
// CryptoSigner returns a crypto.Signer tha wraps the YubiPrivateKey. Needed for
|
|
// Certificate generation only
|
|
func (y *YubiPrivateKey) CryptoSigner() crypto.Signer {
|
|
return &YubikeySigner{YubiPrivateKey: *y}
|
|
}
|
|
|
|
// Private is not implemented in hardware keys
|
|
func (y *YubiPrivateKey) Private() []byte {
|
|
// We cannot return the private material from a Yubikey
|
|
// TODO(david): We probably want to return an error here
|
|
return nil
|
|
}
|
|
|
|
func (y YubiPrivateKey) SignatureAlgorithm() data.SigAlgorithm {
|
|
return data.ECDSASignature
|
|
}
|
|
|
|
func (y *YubiPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
|
|
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer cleanup(ctx, session)
|
|
|
|
sig, err := sign(ctx, session, y.slot, y.passRetriever, msg)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to sign using Yubikey: %v", err)
|
|
}
|
|
|
|
return sig, nil
|
|
}
|
|
|
|
// addECDSAKey adds a key to the yubikey
|
|
func addECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, privKey data.PrivateKey, pkcs11KeyID []byte, passRetriever passphrase.Retriever, role string) error {
|
|
logrus.Debugf("Got into add key with key: %s\n", privKey.ID())
|
|
|
|
// TODO(diogo): Figure out CKU_SO with yubikey
|
|
err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer ctx.Logout(session)
|
|
|
|
// Create an ecdsa.PrivateKey out of the private key bytes
|
|
ecdsaPrivKey, err := x509.ParseECPrivateKey(privKey.Private())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
ecdsaPrivKeyD := ecdsaPrivKey.D.Bytes()
|
|
logrus.Debugf("Getting D bytes: %v\n", ecdsaPrivKeyD)
|
|
|
|
template, err := trustmanager.NewCertificate(role)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create the certificate template: %v", err)
|
|
}
|
|
|
|
certBytes, err := x509.CreateCertificate(rand.Reader, template, template, ecdsaPrivKey.Public(), ecdsaPrivKey)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create the certificate: %v", err)
|
|
}
|
|
|
|
certTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
|
|
pkcs11.NewAttribute(pkcs11.CKA_VALUE, certBytes),
|
|
pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
|
|
}
|
|
|
|
privateKeyTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
|
|
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_ECDSA),
|
|
pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
|
|
pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}),
|
|
pkcs11.NewAttribute(pkcs11.CKA_VALUE, ecdsaPrivKeyD),
|
|
// 1 is touch enabled
|
|
// 2 is pin once
|
|
// 4 is pin always
|
|
pkcs11.NewAttribute(pkcs11.CKA_VENDOR_DEFINED, 3),
|
|
}
|
|
|
|
_, err = ctx.CreateObject(session, certTemplate)
|
|
if err != nil {
|
|
return fmt.Errorf("error importing: %v", err)
|
|
}
|
|
|
|
_, err = ctx.CreateObject(session, privateKeyTemplate)
|
|
if err != nil {
|
|
return fmt.Errorf("error importing: %v", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte) (*data.ECDSAPublicKey, string, error) {
|
|
findTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
|
|
pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
|
|
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
|
|
}
|
|
|
|
attrTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{0}),
|
|
pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, []byte{0}),
|
|
pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, []byte{0}),
|
|
}
|
|
|
|
if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
|
|
logrus.Debugf("Failed to init: %s\n", err.Error())
|
|
return nil, "", err
|
|
}
|
|
obj, b, err := ctx.FindObjects(session, 1)
|
|
if err != nil {
|
|
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
|
return nil, "", err
|
|
}
|
|
if err := ctx.FindObjectsFinal(session); err != nil {
|
|
logrus.Debugf("Failed to finalize: %s\n", err.Error())
|
|
return nil, "", err
|
|
}
|
|
if len(obj) != 1 {
|
|
logrus.Debugf("should have found one object")
|
|
return nil, "", errors.New("no matching keys found inside of yubikey")
|
|
}
|
|
|
|
// Retrieve the public-key material to be able to create a new HSMRSAKey
|
|
attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate)
|
|
if err != nil {
|
|
logrus.Debugf("Failed to get Attribute for: %v\n", obj[0])
|
|
return nil, "", err
|
|
}
|
|
|
|
// Iterate through all the attributes of this key and saves CKA_PUBLIC_EXPONENT and CKA_MODULUS. Removes ordering specific issues.
|
|
var rawPubKey []byte
|
|
for _, a := range attr {
|
|
if a.Type == pkcs11.CKA_EC_POINT {
|
|
rawPubKey = a.Value
|
|
}
|
|
|
|
}
|
|
|
|
ecdsaPubKey := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(rawPubKey[3:35]), Y: new(big.Int).SetBytes(rawPubKey[35:])}
|
|
pubBytes, err := x509.MarshalPKIXPublicKey(&ecdsaPubKey)
|
|
if err != nil {
|
|
logrus.Debugf("Failed to Marshal public key")
|
|
return nil, "", err
|
|
}
|
|
|
|
// TODO(diogo): Actually get the right alias from the certificate instead of
|
|
// alwars returning data.CanonicalRootRole
|
|
return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil
|
|
}
|
|
|
|
// Sign returns a signature for a given signature request
|
|
func sign(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever passphrase.Retriever, payload []byte) ([]byte, error) {
|
|
err := login(ctx, session, passRetriever, pkcs11.CKU_USER, USER_PIN)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error logging in: %v", err)
|
|
}
|
|
defer ctx.Logout(session)
|
|
|
|
// Define the ECDSA Private key template
|
|
class := pkcs11.CKO_PRIVATE_KEY
|
|
privateKeyTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_CLASS, class),
|
|
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_ECDSA),
|
|
pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
|
|
}
|
|
|
|
if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil {
|
|
return nil, err
|
|
}
|
|
obj, _, err := ctx.FindObjects(session, 1)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err = ctx.FindObjectsFinal(session); err != nil {
|
|
return nil, err
|
|
}
|
|
if len(obj) != 1 {
|
|
return nil, errors.New("length of objects found not 1")
|
|
}
|
|
|
|
var sig []byte
|
|
ctx.SignInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)}, obj[0])
|
|
|
|
// Get the SHA256 of the payload
|
|
digest := sha256.Sum256(payload)
|
|
|
|
sig, err = ctx.Sign(session, digest[:])
|
|
if err != nil {
|
|
logrus.Debugf("Error while signing: %s", err)
|
|
return nil, err
|
|
}
|
|
|
|
if sig == nil {
|
|
return nil, errors.New("Failed to create signature")
|
|
}
|
|
return sig[:], nil
|
|
}
|
|
|
|
func removeKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever passphrase.Retriever, keyID string) error {
|
|
err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer ctx.Logout(session)
|
|
|
|
template := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
|
|
pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
|
|
//pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
|
|
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
|
|
}
|
|
|
|
if err := ctx.FindObjectsInit(session, template); err != nil {
|
|
logrus.Printf("Failed to init: %s\n", err.Error())
|
|
return err
|
|
}
|
|
obj, b, err := ctx.FindObjects(session, 1)
|
|
if err != nil {
|
|
logrus.Printf("Failed to find: %s %v\n", err.Error(), b)
|
|
return err
|
|
}
|
|
if err := ctx.FindObjectsFinal(session); err != nil {
|
|
logrus.Printf("Failed to finalize: %s\n", err.Error())
|
|
return err
|
|
}
|
|
if len(obj) != 1 {
|
|
logrus.Printf("should have found one object")
|
|
return err
|
|
}
|
|
|
|
// Delete the certificate
|
|
err = ctx.DestroyObject(session, obj[0])
|
|
if err != nil {
|
|
logrus.Printf("Failed to delete cert")
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func listKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[string]yubiSlot, err error) {
|
|
keys = make(map[string]yubiSlot)
|
|
findTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
|
|
//pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
|
|
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
|
|
}
|
|
|
|
attrTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_ID, []byte{0}),
|
|
pkcs11.NewAttribute(pkcs11.CKA_VALUE, []byte{0}),
|
|
}
|
|
|
|
if err = ctx.FindObjectsInit(session, findTemplate); err != nil {
|
|
logrus.Debugf("Failed to init: %s\n", err.Error())
|
|
return
|
|
}
|
|
objs, b, err := ctx.FindObjects(session, numSlots)
|
|
for err == nil {
|
|
var o []pkcs11.ObjectHandle
|
|
o, b, err = ctx.FindObjects(session, numSlots)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
if len(o) == 0 {
|
|
break
|
|
}
|
|
objs = append(objs, o...)
|
|
}
|
|
if err != nil {
|
|
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
|
if len(objs) == 0 {
|
|
return nil, err
|
|
}
|
|
}
|
|
if err = ctx.FindObjectsFinal(session); err != nil {
|
|
logrus.Debugf("Failed to finalize: %s\n", err.Error())
|
|
return
|
|
}
|
|
if len(objs) == 0 {
|
|
return nil, errors.New("No keys found in yubikey.")
|
|
}
|
|
logrus.Debugf("Found %d objects matching list filters", len(objs))
|
|
for _, obj := range objs {
|
|
var (
|
|
cert *x509.Certificate
|
|
slot []byte
|
|
)
|
|
// Retrieve the public-key material to be able to create a new HSMRSAKey
|
|
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
|
|
if err != nil {
|
|
logrus.Debugf("Failed to get Attribute for: %v\n", obj)
|
|
continue
|
|
}
|
|
|
|
// Iterate through all the attributes of this key and saves CKA_PUBLIC_EXPONENT and CKA_MODULUS. Removes ordering specific issues.
|
|
for _, a := range attr {
|
|
if a.Type == pkcs11.CKA_ID {
|
|
slot = a.Value
|
|
}
|
|
if a.Type == pkcs11.CKA_VALUE {
|
|
cert, err = x509.ParseCertificate(a.Value)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
if !data.ValidRole(cert.Subject.CommonName) {
|
|
continue
|
|
}
|
|
}
|
|
}
|
|
var ecdsaPubKey *ecdsa.PublicKey
|
|
switch cert.PublicKeyAlgorithm {
|
|
case x509.ECDSA:
|
|
ecdsaPubKey = cert.PublicKey.(*ecdsa.PublicKey)
|
|
default:
|
|
logrus.Infof("Unsupported x509 PublicKeyAlgorithm: %d", cert.PublicKeyAlgorithm)
|
|
continue
|
|
}
|
|
|
|
pubBytes, err := x509.MarshalPKIXPublicKey(ecdsaPubKey)
|
|
if err != nil {
|
|
logrus.Debugf("Failed to Marshal public key")
|
|
continue
|
|
}
|
|
|
|
keys[data.NewECDSAPublicKey(pubBytes).ID()] = yubiSlot{
|
|
role: cert.Subject.CommonName,
|
|
slotID: slot,
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, error) {
|
|
findTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
|
|
}
|
|
attrTemplate := []*pkcs11.Attribute{
|
|
pkcs11.NewAttribute(pkcs11.CKA_ID, []byte{0}),
|
|
}
|
|
|
|
if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
|
|
logrus.Debugf("Failed to init: %s\n", err.Error())
|
|
return nil, err
|
|
}
|
|
objs, b, err := ctx.FindObjects(session, numSlots)
|
|
for err == nil {
|
|
var o []pkcs11.ObjectHandle
|
|
o, b, err = ctx.FindObjects(session, numSlots)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
if len(o) == 0 {
|
|
break
|
|
}
|
|
objs = append(objs, o...)
|
|
}
|
|
taken := make([]bool, numSlots)
|
|
if err != nil {
|
|
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
|
return nil, err
|
|
}
|
|
for _, obj := range objs {
|
|
// Retrieve the public-key material to be able to create a new HSMRSAKey
|
|
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
|
|
if err != nil {
|
|
logrus.Debugf("Failed to get Attribute for: %v\n", obj)
|
|
continue
|
|
}
|
|
|
|
// Iterate through all the attributes of this key and saves CKA_PUBLIC_EXPONENT and CKA_MODULUS. Removes ordering specific issues.
|
|
for _, a := range attr {
|
|
if a.Type == pkcs11.CKA_ID {
|
|
if len(a.Value) < 1 {
|
|
continue
|
|
}
|
|
// max 50 slots so a single byte will always represent
|
|
// all possible slots positions
|
|
slotNum := int(a.Value[0])
|
|
if slotNum >= len(taken) {
|
|
// defensive
|
|
continue
|
|
}
|
|
taken[slotNum] = true
|
|
}
|
|
}
|
|
}
|
|
for i := 0; i < numSlots; i++ {
|
|
if !taken[i] {
|
|
return []byte{byte(i)}, nil
|
|
}
|
|
}
|
|
return nil, errors.New("Yubikey has no available slots.")
|
|
}
|
|
|
|
type YubiKeyStore struct {
|
|
passRetriever passphrase.Retriever
|
|
keys map[string]yubiSlot
|
|
}
|
|
|
|
func NewYubiKeyStore(passphraseRetriever passphrase.Retriever) *YubiKeyStore {
|
|
s := &YubiKeyStore{
|
|
passRetriever: passphraseRetriever,
|
|
keys: make(map[string]yubiSlot),
|
|
}
|
|
s.ListKeys() // populate keys field
|
|
return s
|
|
}
|
|
|
|
func (s *YubiKeyStore) ListKeys() map[string]string {
|
|
if len(s.keys) > 0 {
|
|
return buildKeyMap(s.keys)
|
|
}
|
|
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
defer cleanup(ctx, session)
|
|
keys, err := listKeys(ctx, session)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
s.keys = keys
|
|
return buildKeyMap(keys)
|
|
}
|
|
|
|
func (s *YubiKeyStore) AddKey(keyID, role string, privKey data.PrivateKey) error {
|
|
// We only allow adding root keys for now
|
|
if role != data.CanonicalRootRole {
|
|
return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s\n", role, keyID)
|
|
}
|
|
|
|
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer cleanup(ctx, session)
|
|
|
|
if k, ok := s.keys[keyID]; ok {
|
|
if k.role == role {
|
|
|
|
}
|
|
}
|
|
|
|
slot, err := getNextEmptySlot(ctx, session)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
logrus.Debugf("Using yubikey slot %v", slot)
|
|
return addECDSAKey(ctx, session, privKey, slot, s.passRetriever, role)
|
|
}
|
|
|
|
func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
|
|
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
defer cleanup(ctx, session)
|
|
|
|
key, ok := s.keys[keyID]
|
|
if !ok {
|
|
return nil, "", errors.New("no matching keys found inside of yubikey")
|
|
}
|
|
|
|
pubKey, alias, err := getECDSAKey(ctx, session, key.slotID)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
// Check to see if we're returning the intended keyID
|
|
if pubKey.ID() != keyID {
|
|
return nil, "", fmt.Errorf("expected root key: %s, but found: %s\n", keyID, pubKey.ID())
|
|
}
|
|
privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever)
|
|
if privKey == nil {
|
|
return nil, "", errors.New("could not initialize new YubiPrivateKey")
|
|
}
|
|
|
|
return privKey, alias, err
|
|
}
|
|
|
|
func (s *YubiKeyStore) RemoveKey(keyID string) error {
|
|
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
defer cleanup(ctx, session)
|
|
key, ok := s.keys[keyID]
|
|
if !ok {
|
|
return errors.New("Key not present in yubikey")
|
|
}
|
|
return removeKey(ctx, session, key.slotID, s.passRetriever, keyID)
|
|
}
|
|
|
|
func (s *YubiKeyStore) ExportKey(keyID string) ([]byte, error) {
|
|
logrus.Debugf("Attempting to export: %s key inside of YubiKeyStore", keyID)
|
|
return nil, errors.New("Keys cannot be exported from a Yubikey.")
|
|
}
|
|
|
|
func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyID string) error {
|
|
logrus.Debugf("Attempting to import: %s key inside of YubiKeyStore", keyID)
|
|
privKey, _, err := trustmanager.GetPasswdDecryptBytes(s.passRetriever, pemBytes, "imported", "root")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return s.AddKey(privKey.ID(), "root", privKey)
|
|
}
|
|
|
|
func cleanup(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) {
|
|
ctx.CloseSession(session)
|
|
ctx.Finalize()
|
|
ctx.Destroy()
|
|
}
|
|
|
|
// SetupHSMEnv is a method that depends on the existences
|
|
func SetupHSMEnv(libraryPath string) (*pkcs11.Ctx, pkcs11.SessionHandle, error) {
|
|
p := pkcs11.New(libraryPath)
|
|
|
|
if p == nil {
|
|
return nil, 0, errors.New("Failed to init library")
|
|
}
|
|
|
|
if err := p.Initialize(); err != nil {
|
|
return nil, 0, fmt.Errorf("Initialize error %s\n", err.Error())
|
|
}
|
|
|
|
slots, err := p.GetSlotList(true)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("Failed to list HSM slots %s", err)
|
|
}
|
|
// Check to see if we got any slots from the HSM.
|
|
if len(slots) < 1 {
|
|
return nil, 0, fmt.Errorf("No HSM Slots found")
|
|
}
|
|
|
|
// CKF_SERIAL_SESSION: TRUE if cryptographic functions are performed in serial with the application; FALSE if the functions may be performed in parallel with the application.
|
|
// CKF_RW_SESSION: TRUE if the session is read/write; FALSE if the session is read-only
|
|
session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("Failed to Start Session with HSM %s", err)
|
|
}
|
|
|
|
return p, session, nil
|
|
}
|
|
|
|
func login(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, passRetriever passphrase.Retriever, userFlag uint, defaultPassw string) error {
|
|
// try default password
|
|
err := ctx.Login(session, userFlag, defaultPassw)
|
|
if err == nil {
|
|
return nil
|
|
}
|
|
|
|
// default failed, ask user for password
|
|
for attempts := 0; ; attempts++ {
|
|
var (
|
|
giveup bool
|
|
err error
|
|
user string
|
|
)
|
|
if userFlag == pkcs11.CKU_SO {
|
|
user = "SO Pin"
|
|
} else {
|
|
user = "User Pin"
|
|
}
|
|
passwd, giveup, err := passRetriever(user, "yubikey", false, attempts)
|
|
// Check if the passphrase retriever got an error or if it is telling us to give up
|
|
if giveup || err != nil {
|
|
return trustmanager.ErrPasswordInvalid{}
|
|
}
|
|
if attempts > 2 {
|
|
return trustmanager.ErrAttemptsExceeded{}
|
|
}
|
|
|
|
// Try to convert PEM encoded bytes back to a PrivateKey using the passphrase
|
|
err = ctx.Login(session, userFlag, passwd)
|
|
if err == nil {
|
|
return nil
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func buildKeyMap(keys map[string]yubiSlot) map[string]string {
|
|
res := make(map[string]string)
|
|
for k, v := range keys {
|
|
res[k] = v.role
|
|
}
|
|
return res
|
|
}
|