letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ceremony: look up keys by pubkey instead of key ID (#4992) 

This moves x509Signer from cmd/ceremony into pkcs11helpers. It also
adds helper functions getPublicKeyID and getPrivateKey, copied and
adapted from pkcs11key. These act as counterparts to the existing
GetRSAPublicKey and GetECDSAPublicKey, which go from an object handle
to a Go public key object (and are used after key generation).

Fixes #4918
This commit is contained in:
Jacob Hoffman-Andrews 2020-08-10 10:14:23 -07:00 committed by GitHub
parent 0f5d2064a8
commit 5d7b589d1b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 254 additions and 250 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cmd/ceremony/README.md
View File

@ -82,7 +82,6 @@ This config generates a ECDSA P-384 key in the HSM with the object label `root s
| `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
| `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
| `signing-key-label` | Specifies the HSM object label for the signing key. |
| `signing-key-id` | Specifies the HSM object ID for the signing key. |
- `inputs`: object containing paths for inputs
| Field | Description |
| --- | --- |
@ -102,7 +101,6 @@ pkcs11:
module: /usr/lib/opensc-pkcs11.so
signing-key-slot: 0
signing-key-label: root signing key
signing-key-id: ffff
inputs:
public-key-path: /home/user/intermediate-signing-pub.pem
issuer-certificate-path: /home/user/root-cert.pem
@ -140,7 +138,6 @@ This config generates an intermediate certificate signed by a key in the HSM, id
| `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
| `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
| `signing-key-label` | Specifies the HSM object label for the signing key. |
| `signing-key-id` | Specifies the HSM object ID for the signing key. |
- `inputs`: object containing paths for inputs
| Field | Description |
| --- | --- |
@ -162,7 +159,6 @@ pkcs11:
module: /usr/lib/opensc-pkcs11.so
signing-key-slot: 0
signing-key-label: intermediate signing key
signing-key-id: ffff
inputs:
public-key-path: /home/user/ocsp-signer-signing-pub.pem
issuer-certificate-path: /home/user/intermediate-cert.pem
@ -190,7 +186,6 @@ This config generates a delegated OCSP signing certificate signed by a key in th
| `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
| `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
| `signing-key-label` | Specifies the HSM object label for the signing key. |
| `signing-key-id` | Specifies the HSM object ID for the signing key. |
- `inputs`: object containing paths for inputs
| Field | Description |
| --- | --- |
@ -212,7 +207,6 @@ pkcs11:
module: /usr/lib/opensc-pkcs11.so
signing-key-slot: 0
signing-key-label: intermediate signing key
signing-key-id: ffff
inputs:
public-key-path: /home/user/crl-signer-signing-pub.pem
issuer-certificate-path: /home/user/intermediate-cert.pem
@ -278,7 +272,6 @@ This config generates an ECDSA P-384 key in the HSM with the object label `inter
| `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
| `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
| `signing-key-label` | Specifies the HSM object label for the signing key. |
| `signing-key-id` | Specifies the HSM object ID for the signing key. |
- `inputs`: object containing paths for inputs
| Field | Description |
| --- | --- |
@ -304,7 +297,6 @@ pkcs11:
module: /usr/lib/opensc-pkcs11.so
signing-key-slot: 0
signing-key-label: root signing key
signing-key-id: ffff
inputs:
certificate-path: /home/user/certificate.pem
issuer-certificate-path: /home/user/root-cert.pem
@ -328,7 +320,6 @@ This config generates a OCSP response signed by a key in the HSM, identified by
| `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
| `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
| `signing-key-label` | Specifies the HSM object label for the signing key. |
| `signing-key-id` | Specifies the HSM object ID for the signing key. |
- `inputs`: object containing paths for inputs
| Field | Description |
| --- | --- |
@ -353,7 +344,6 @@ pkcs11:
module: /usr/lib/opensc-pkcs11.so
signing-key-slot: 0
signing-key-label: root signing key
signing-key-id: ffff
inputs:
issuer-certificate-path: /home/user/root-cert.pem
outputs:

13
cmd/ceremony/main.go
View File

@ -6,7 +6,6 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/hex"
"encoding/pem"
"errors"
"flag"
@ -120,7 +119,6 @@ type PKCS11SigningConfig struct {
PIN string `yaml:"pin"`
SigningSlot uint `yaml:"signing-key-slot"`
SigningLabel string `yaml:"signing-key-label"`
SigningKeyID string `yaml:"signing-key-id"`
}
func (psc PKCS11SigningConfig) validate() error {
@ -130,9 +128,6 @@ func (psc PKCS11SigningConfig) validate() error {
if psc.SigningLabel == "" {
return errors.New("pkcs11.signing-key-label is required")
}
if psc.SigningKeyID == "" {
return errors.New("pkcs11.signing-key-id is required")
}
// key-slot is allowed to be 0 (which is a valid slot).
return nil
}
@ -348,11 +343,7 @@ func openSigner(cfg PKCS11SigningConfig, issuer *x509.Certificate) (crypto.Signe
cfg.SigningSlot, err)
}
log.Printf("Opened PKCS#11 session for slot %d\n", cfg.SigningSlot)
keyID, err := hex.DecodeString(cfg.SigningKeyID)
if err != nil {
return nil, nil, fmt.Errorf("failed to decode key-id: %s", err)
}
signer, err := session.NewSigner(cfg.SigningLabel, keyID)
signer, err := session.NewSigner(cfg.SigningLabel, issuer.PublicKey)
if err != nil {
return nil, nil, fmt.Errorf("failed to retrieve private key handle: %s", err)
}
@ -414,7 +405,7 @@ func rootCeremony(configBytes []byte) error {
if err != nil {
return err
}
signer, err := session.NewSigner(config.PKCS11.StoreLabel, keyInfo.id)
signer, err := session.NewSigner(config.PKCS11.StoreLabel, keyInfo.key)
if err != nil {
return fmt.Errorf("failed to retrieve signer: %s", err)
}

51
cmd/ceremony/main_test.go
View File

@ -227,23 +227,12 @@ func TestIntermediateConfigValidate(t *testing.T) {
},
expectedError: "pkcs11.signing-key-label is required",
},
{
name: "no pkcs11.key-id",
config: intermediateConfig{
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
},
},
expectedError: "pkcs11.signing-key-id is required",
},
{
name: "no inputs.public-key-path",
config: intermediateConfig{
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
},
expectedError: "inputs.public-key-path is required",
@ -254,7 +243,6 @@ func TestIntermediateConfigValidate(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
PublicKeyPath string `yaml:"public-key-path"`
@ -271,7 +259,6 @@ func TestIntermediateConfigValidate(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
PublicKeyPath string `yaml:"public-key-path"`
@ -289,7 +276,6 @@ func TestIntermediateConfigValidate(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
PublicKeyPath string `yaml:"public-key-path"`
@ -312,7 +298,6 @@ func TestIntermediateConfigValidate(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
PublicKeyPath string `yaml:"public-key-path"`
@ -447,23 +432,12 @@ func TestOCSPRespConfig(t *testing.T) {
},
expectedError: "pkcs11.signing-key-label is required",
},
{
name: "no pkcs11.key-id",
config: ocspRespConfig{
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
},
},
expectedError: "pkcs11.signing-key-id is required",
},
{
name: "no inputs.certificate-path",
config: ocspRespConfig{
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
},
expectedError: "inputs.certificate-path is required",
@ -474,7 +448,6 @@ func TestOCSPRespConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
CertificatePath string `yaml:"certificate-path"`
@ -492,7 +465,6 @@ func TestOCSPRespConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
CertificatePath string `yaml:"certificate-path"`
@ -511,7 +483,6 @@ func TestOCSPRespConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
CertificatePath string `yaml:"certificate-path"`
@ -535,7 +506,6 @@ func TestOCSPRespConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
CertificatePath string `yaml:"certificate-path"`
@ -566,7 +536,6 @@ func TestOCSPRespConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
CertificatePath string `yaml:"certificate-path"`
@ -598,7 +567,6 @@ func TestOCSPRespConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
CertificatePath string `yaml:"certificate-path"`
@ -657,23 +625,12 @@ func TestCRLConfig(t *testing.T) {
},
expectedError: "pkcs11.signing-key-label is required",
},
{
name: "no pkcs11.key-id",
config: crlConfig{
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
},
},
expectedError: "pkcs11.signing-key-id is required",
},
{
name: "no inputs.issuer-certificate-path",
config: crlConfig{
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
},
expectedError: "inputs.issuer-certificate-path is required",
@ -684,7 +641,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`
@ -700,7 +656,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`
@ -721,7 +676,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`
@ -754,7 +708,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`
@ -788,7 +741,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`
@ -828,7 +780,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`
@ -870,7 +821,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`
@ -913,7 +863,6 @@ func TestCRLConfig(t *testing.T) {
PKCS11: PKCS11SigningConfig{
Module: "module",
SigningLabel: "label",
SigningKeyID: "id",
},
Inputs: struct {
IssuerCertificatePath string `yaml:"issuer-certificate-path"`

200
pkcs11helpers/helpers.go
View File

@ -1,7 +1,6 @@
package pkcs11helpers
import (
"bytes"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
@ -56,6 +55,116 @@ func Initialize(module string, slot uint, pin string) (*Session, error) {
return &Session{ctx, session}, nil
}
// https://tools.ietf.org/html/rfc5759#section-3.2
var curveOIDs = map[string]asn1.ObjectIdentifier{
"P-256": {1, 2, 840, 10045, 3, 1, 7},
"P-384": {1, 3, 132, 0, 34},
}
// getPublicKeyID looks up the given public key in the PKCS#11 token, and
// returns its ID as a []byte, for use in looking up the corresponding private
// key.
func (s *Session) getPublicKeyID(publicKey crypto.PublicKey) ([]byte, error) {
var template []*pkcs11.Attribute
switch key := publicKey.(type) {
case *rsa.PublicKey:
template = []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_RSA),
pkcs11.NewAttribute(pkcs11.CKA_MODULUS, key.N.Bytes()),
pkcs11.NewAttribute(pkcs11.CKA_PUBLIC_EXPONENT, big.NewInt(int64(key.E)).Bytes()),
}
case *ecdsa.PublicKey:
// http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.html#_ftn1
// PKCS#11 v2.20 specified that the CKA_EC_POINT was to be store in a DER-encoded
// OCTET STRING.
rawValue := asn1.RawValue{
Tag: 4, // in Go 1.6+ this is asn1.TagOctetString
Bytes: elliptic.Marshal(key.Curve, key.X, key.Y),
}
marshalledPoint, err := asn1.Marshal(rawValue)
if err != nil {
return nil, err
}
curveOID, err := asn1.Marshal(curveOIDs[key.Curve.Params().Name])
if err != nil {
return nil, err
}
template = []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC),
pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, curveOID),
pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, marshalledPoint),
}
default:
return nil, fmt.Errorf("unsupported public key of type %T", publicKey)
}
publicKeyHandle, err := s.FindObject(template)
if err != nil {
return nil, err
}
attrs, err := s.Module.GetAttributeValue(s.Session, publicKeyHandle, []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_ID, nil),
})
if err != nil {
return nil, err
}
if len(attrs) == 1 && attrs[0].Type == pkcs11.CKA_ID {
return attrs[0].Value, nil
}
return nil, fmt.Errorf("invalid result from GetAttributeValue")
}
// getPrivateKey gets a handle to the private key whose CKA_ID matches the
// provided publicKeyID.
func (s *Session) getPrivateKey(publicKeyID []byte) (pkcs11.ObjectHandle, error) {
return s.FindObject([]*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
pkcs11.NewAttribute(pkcs11.CKA_ID, publicKeyID),
})
}
// x509Signer is a convenience wrapper used for converting between the
// PKCS#11 ECDSA signature format and the RFC 5480 one which is required
// for X.509 certificates. It implements crypt.Signer.
type x509Signer struct {
session *Session
objectHandle pkcs11.ObjectHandle
keyType keyType
pub crypto.PublicKey
}
// Sign wraps pkcs11helpers.Sign. If the signing key is ECDSA then the signature
// is converted from the PKCS#11 format to the RFC 5480 format. For RSA keys a
// conversion step is not needed.
func (p *x509Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
signature, err := p.session.Sign(p.objectHandle, p.keyType, digest, opts.HashFunc())
if err != nil {
return nil, err
}
if p.keyType == ECDSAKey {
// Convert from the PKCS#11 format to the RFC 5480 format so that
// it can be used in a X.509 certificate
r := big.NewInt(0).SetBytes(signature[:len(signature)/2])
s := big.NewInt(0).SetBytes(signature[len(signature)/2:])
signature, err = asn1.Marshal(struct {
R, S *big.Int
}{R: r, S: s})
if err != nil {
return nil, fmt.Errorf("failed to convert signature to RFC 5480 format: %s", err)
}
}
return signature, nil
}
func (p *x509Signer) Public() crypto.PublicKey {
return p.pub
}
func (s *Session) GetAttributeValue(object pkcs11.ObjectHandle, attributes []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return s.Module.GetAttributeValue(s.Session, object, attributes)
}
@ -154,10 +263,10 @@ func (s *Session) GetECDSAPublicKey(object pkcs11.ObjectHandle) (*ecdsa.PublicKe
return pubKey, nil
}
type KeyType int
type keyType int
const (
RSAKey KeyType = iota
RSAKey keyType = iota
ECDSAKey
)
@ -169,7 +278,7 @@ var hashIdentifiers = map[crypto.Hash][]byte{
crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
}
func (s *Session) Sign(object pkcs11.ObjectHandle, keyType KeyType, digest []byte, hash crypto.Hash) ([]byte, error) {
func (s *Session) Sign(object pkcs11.ObjectHandle, keyType keyType, digest []byte, hash crypto.Hash) ([]byte, error) {
if len(digest) != hash.Size() {
return nil, errors.New("digest length doesn't match hash length")
}
@ -230,7 +339,7 @@ func (s *Session) FindObject(tmpl []*pkcs11.Attribute) (pkcs11.ObjectHandle, err
type X509Signer struct {
session *Session
objectHandle pkcs11.ObjectHandle
keyType KeyType
keyType keyType
pub crypto.PublicKey
}
@ -264,68 +373,33 @@ func (p *X509Signer) Public() crypto.PublicKey {
}
// NewSigner constructs an X509Signer for the private key object associated with the
// given label and ID. Unlike letsencrypt/pkcs11key this method doesn't rely on
// having the actual public key object in order to retrieve the private key
// handle. This is because we already have the key pair object ID, and as such
// do not need to query the HSM to retrieve it.
func (s *Session) NewSigner(label string, id []byte) (crypto.Signer, error) {
// Retrieve the private key handle that will later be used for the certificate
// signing operation
privateHandle, err := s.FindObject([]*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
pkcs11.NewAttribute(pkcs11.CKA_ID, id),
})
if err != nil {
return nil, fmt.Errorf("failed to retrieve private key handle: %s", err)
}
attrs, err := s.GetAttributeValue(privateHandle, []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, nil)},
)
if err != nil {
return nil, fmt.Errorf("failed to retrieve key type: %s", err)
}
if len(attrs) == 0 {
return nil, errors.New("failed to retrieve key attributes")
}
// Retrieve the public key handle with the same CKA_ID as the private key
// and construct a {rsa,ecdsa}.PublicKey for use in x509.CreateCertificate
pubHandle, err := s.FindObject([]*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
pkcs11.NewAttribute(pkcs11.CKA_ID, id),
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, attrs[0].Value),
})
if err != nil {
return nil, fmt.Errorf("failed to retrieve public key handle: %s", err)
}
var pub crypto.PublicKey
var keyType KeyType
switch {
// 0x00000000, CKK_RSA
case bytes.Equal(attrs[0].Value, []byte{0, 0, 0, 0, 0, 0, 0, 0}):
keyType = RSAKey
pub, err = s.GetRSAPublicKey(pubHandle)
if err != nil {
return nil, fmt.Errorf("failed to retrieve public key: %s", err)
}
// 0x00000003, CKK_ECDSA
case bytes.Equal(attrs[0].Value, []byte{3, 0, 0, 0, 0, 0, 0, 0}):
keyType = ECDSAKey
pub, err = s.GetECDSAPublicKey(pubHandle)
if err != nil {
return nil, fmt.Errorf("failed to retrieve public key: %s", err)
}
// given label and public key.
func (s *Session) NewSigner(label string, publicKey crypto.PublicKey) (crypto.Signer, error) {
var kt keyType
switch publicKey.(type) {
case *rsa.PublicKey:
kt = RSAKey
case *ecdsa.PublicKey:
kt = ECDSAKey
default:
return nil, errors.New("unsupported key type")
return nil, fmt.Errorf("unsupported public key of type %T", publicKey)
}
return &X509Signer{
publicKeyID, err := s.getPublicKeyID(publicKey)
if err != nil {
return nil, fmt.Errorf("looking up public key: %s", err)
}
// Fetch the private key by matching its id to the public key handle.
privateKeyHandle, err := s.getPrivateKey(publicKeyID)
if err != nil {
return nil, fmt.Errorf("getting private key: %s", err)
}
return &x509Signer{
session: s,
objectHandle: privateHandle,
keyType: keyType,
pub: pub,
objectHandle: privateKeyHandle,
keyType: kt,
pub: publicKey,
}, nil
}

197
pkcs11helpers/helpers_test.go
View File

@ -6,6 +6,7 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"encoding/asn1"
"errors"
@ -239,99 +240,8 @@ func TestFindObjectSucceeds(t *testing.T) {
test.AssertEquals(t, handle, pkcs11.ObjectHandle(1))
}
func TestGetKey(t *testing.T) {
s, ctx := NewSessionWithMock()
// test newSigner fails when FindObject for private key handle fails
ctx.FindObjectsInitFunc = func(pkcs11.SessionHandle, []*pkcs11.Attribute) error {
return errors.New("broken")
}
_, err := s.NewSigner("label", []byte{255, 255})
test.AssertError(t, err, "newSigner didn't fail when FindObject for private key handle failed")
// test newSigner fails when GetAttributeValue fails
ctx.FindObjectsInitFunc = func(pkcs11.SessionHandle, []*pkcs11.Attribute) error {
return nil
}
ctx.FindObjectsFunc = func(pkcs11.SessionHandle, int) ([]pkcs11.ObjectHandle, bool, error) {
return []pkcs11.ObjectHandle{1}, false, nil
}
ctx.FindObjectsFinalFunc = func(pkcs11.SessionHandle) error {
return nil
}
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return nil, errors.New("broken")
}
_, err = s.NewSigner("label", []byte{255, 255})
test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key type failed")
// test newSigner fails when GetAttributeValue returns no attributes
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return nil, nil
}
_, err = s.NewSigner("label", []byte{255, 255})
test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key type returned no attributes")
// test newSigner fails when FindObject for public key handle fails
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC)}, nil
}
ctx.FindObjectsInitFunc = func(_ pkcs11.SessionHandle, tmpl []*pkcs11.Attribute) error {
if bytes.Equal(tmpl[0].Value, []byte{2, 0, 0, 0, 0, 0, 0, 0}) {
return errors.New("broken")
}
return nil
}
_, err = s.NewSigner("label", []byte{255, 255})
test.AssertError(t, err, "newSigner didn't fail when FindObject for public key handle failed")
// test newSigner fails when FindObject for private key returns unknown CKA_KEY_TYPE
ctx.FindObjectsInitFunc = func(_ pkcs11.SessionHandle, tmpl []*pkcs11.Attribute) error {
return nil
}
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{2, 0, 0, 0, 0, 0, 0, 0})}, nil
}
_, err = s.NewSigner("label", []byte{255, 255})
test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key returned unknown key type")
// test newSigner fails when GetRSAPublicKey fails
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{0, 0, 0, 0, 0, 0, 0, 0})}, nil
}
_, err = s.NewSigner("label", []byte{255, 255})
test.AssertError(t, err, "newSigner didn't fail when GetRSAPublicKey fails")
// test newSigner fails when GetECDSAPublicKey fails
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{3, 0, 0, 0, 0, 0, 0, 0})}, nil
}
_, err = s.NewSigner("label", []byte{255, 255})
test.AssertError(t, err, "newSigner didn't fail when GetECDSAPublicKey fails")
// test newSigner works when everything... works
ctx.GetAttributeValueFunc = func(_ pkcs11.SessionHandle, _ pkcs11.ObjectHandle, attrs []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
var returns []*pkcs11.Attribute
for _, attr := range attrs {
switch attr.Type {
case pkcs11.CKA_KEY_TYPE:
returns = append(returns, pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{0, 0, 0, 0, 0, 0, 0, 0}))
case pkcs11.CKA_PUBLIC_EXPONENT:
returns = append(returns, pkcs11.NewAttribute(pkcs11.CKA_PUBLIC_EXPONENT, []byte{1, 2, 3}))
case pkcs11.CKA_MODULUS:
returns = append(returns, pkcs11.NewAttribute(pkcs11.CKA_MODULUS, []byte{4, 5, 6}))
default:
return nil, errors.New("GetAttributeValue got unexpected attribute type")
}
}
return returns, nil
}
_, err = s.NewSigner("label", []byte{255, 255})
test.AssertNotError(t, err, "newSigner failed when everything worked properly")
}
func TestX509Signer(t *testing.T) {
s, ctx := NewSessionWithMock()
ctx := MockCtx{}
// test that x509Signer.Sign properly converts the PKCS#11 format signature to
// the RFC 5480 format signature
@ -362,7 +272,8 @@ func TestX509Signer(t *testing.T) {
return append(rBytes, sBytes...), nil
}
digest := sha256.Sum256([]byte("hello"))
signer := &X509Signer{session: s, keyType: ECDSAKey, pub: tk.Public()}
s := &Session{ctx, 0}
signer := &x509Signer{session: s, keyType: ECDSAKey, pub: tk.Public()}
signature, err := signer.Sign(nil, digest[:], crypto.SHA256)
test.AssertNotError(t, err, "x509Signer.Sign failed")
@ -377,3 +288,103 @@ func TestX509Signer(t *testing.T) {
// For the sake of coverage
test.AssertEquals(t, signer.Public(), tk.Public())
}
func TestGetKeyWhenGetAttributeValueFails(t *testing.T) {
s, ctx := newSessionWithMock()
pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}
// test newSigner fails when GetAttributeValue fails
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return nil, errors.New("broken")
}
_, err := s.NewSigner("label", pubKey)
test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key type failed")
}
func TestGetKeyWhenGetAttributeValueReturnsNone(t *testing.T) {
s, ctx := newSessionWithMock()
pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return nil, errors.New("broken")
}
// test newSigner fails when GetAttributeValue returns no attributes
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return nil, nil
}
_, err := s.NewSigner("label", pubKey)
test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key type returned no attributes")
}
func TestGetKeyWhenFindObjectForPublicKeyFails(t *testing.T) {
s, ctx := newSessionWithMock()
pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}
// test newSigner fails when FindObject for public key
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC)}, nil
}
ctx.FindObjectsInitFunc = func(_ pkcs11.SessionHandle, tmpl []*pkcs11.Attribute) error {
if bytes.Equal(tmpl[0].Value, []byte{2, 0, 0, 0, 0, 0, 0, 0}) {
return errors.New("broken")
}
return nil
}
_, err := s.NewSigner("label", pubKey)
test.AssertError(t, err, "newSigner didn't fail when FindObject for public key handle failed")
}
func TestGetKeyWhenFindObjectForPrivateKeyReturnsUnknownType(t *testing.T) {
s, ctx := newSessionWithMock()
pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}
// test newSigner fails when FindObject for private key returns unknown CKA_KEY_TYPE
ctx.FindObjectsInitFunc = func(_ pkcs11.SessionHandle, tmpl []*pkcs11.Attribute) error {
return nil
}
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{2, 0, 0, 0, 0, 0, 0, 0})}, nil
}
_, err := s.NewSigner("label", pubKey)
test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key returned unknown key type")
}
func TestGetKeyWhenFindObjectForPrivateKeyFails(t *testing.T) {
s, ctx := newSessionWithMock()
pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}
// test newSigner fails when FindObject for private key fails
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{0, 0, 0, 0, 0, 0, 0, 0})}, nil
}
_, err := s.NewSigner("label", pubKey)
test.AssertError(t, err, "newSigner didn't fail when GetRSAPublicKey fails")
// test newSigner fails when GetECDSAPublicKey fails
ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{3, 0, 0, 0, 0, 0, 0, 0})}, nil
}
_, err = s.NewSigner("label", pubKey)
test.AssertError(t, err, "newSigner didn't fail when GetECDSAPublicKey fails")
}
func TestGetKeySucceeds(t *testing.T) {
s, ctx := newSessionWithMock()
pubKey := &rsa.PublicKey{N: big.NewInt(1), E: 1}
// test newSigner works when everything... works
ctx.GetAttributeValueFunc = func(_ pkcs11.SessionHandle, _ pkcs11.ObjectHandle, attrs []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
var returns []*pkcs11.Attribute
for _, attr := range attrs {
switch attr.Type {
case pkcs11.CKA_ID:
returns = append(returns, pkcs11.NewAttribute(pkcs11.CKA_ID, []byte{99}))
default:
return nil, errors.New("GetAttributeValue got unexpected attribute type")
}
}
return returns, nil
}
_, err := s.NewSigner("label", pubKey)
test.AssertNotError(t, err, "newSigner failed when everything worked properly")
}

31
test/cert-ceremonies/generate.go
View File

@ -28,23 +28,18 @@ func createSlot(label string) (string, error) {
return string(matches[1]), nil
}
// genKey is used to run ceremony when we need to capture the generated key ID.
// This is only necessary for root or key ceremonies.
func genKey(path string, inSlot string) (string, error) {
// genKey is used to run a key ceremony with a given config, replacing SlotID in
// the YAML with a specific slot ID.
func genKey(path string, inSlot string) error {
tmpPath, err := rewriteConfig(path, map[string]string{"SlotID": inSlot})
if err != nil {
return "", err
return err
}
output, err := exec.Command("bin/ceremony", "-config", tmpPath).CombinedOutput()
_, err = exec.Command("bin/ceremony", "-config", tmpPath).CombinedOutput()
if err != nil {
return "", err
return err
}
re := regexp.MustCompile(`and ID ([a-z0-9]{8})`)
matches := re.FindSubmatch(output)
if len(matches) != 2 {
return "", errors.New("unexpected number of key ID matches")
}
return string(matches[1]), nil
return nil
}
// rewriteConfig creates a temporary config based on the template at path
@ -81,23 +76,21 @@ func main() {
rootKeySlot, err := createSlot("root signing key (rsa)")
cmd.FailOnError(err, "failed creating softhsm2 slot for root key")
// Generate the root signing key and certificate and capture the
// key ID
rsaRootKeyID, err := genKey("test/cert-ceremonies/root-ceremony-rsa.yaml", rootKeySlot)
// Generate the root signing key and certificate
err = genKey("test/cert-ceremonies/root-ceremony-rsa.yaml", rootKeySlot)
cmd.FailOnError(err, "failed to generate root key + root cert")
// Create a SoftHSM slot for the intermediate signing key
intermediateKeySlot, err := createSlot("intermediate signing key (rsa)")
cmd.FailOnError(err, "failed to create softhsm2 slot for intermediate key")
// Generate the intermediate signing key, we don't need the key ID
_, err = genKey("test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml", intermediateKeySlot)
// Generate the intermediate signing key
err = genKey("test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml", intermediateKeySlot)
cmd.FailOnError(err, "failed to generate intermediate key")
// Create the A intermediate ceremony config file with the root
// signing key slot and ID
tmpRSAIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
"KeyID": rsaRootKeyID,
"SlotID": rootKeySlot,
"CertPath": "/tmp/intermediate-cert-rsa-a.pem",
"CommonName": "CA intermediate (RSA) A",
@ -110,7 +103,6 @@ func main() {
// Create the B intermediate ceremony config file with the root
// signing key slot and ID
tmpRSAIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
"KeyID": rsaRootKeyID,
"SlotID": rootKeySlot,
"CertPath": "/tmp/intermediate-cert-rsa-b.pem",
"CommonName": "CA intermediate (RSA) B",
@ -122,7 +114,6 @@ func main() {
// Create an OCSP response for the A intermediate
tmpOCSPConfig, err := rewriteConfig("test/cert-ceremonies/intermediate-ocsp.yaml", map[string]string{
"KeyID": rsaRootKeyID,
"SlotID": rootKeySlot,
})
cmd.FailOnError(err, "failed to rewrite intermediate OCSP config with key ID")

1
test/cert-ceremonies/intermediate-ceremony-rsa.yaml
View File

@ -4,7 +4,6 @@ pkcs11:
pin: 1234
signing-key-slot: {{ .SlotID}}
signing-key-label: root signing key (rsa)
signing-key-id: {{ .KeyID }}
inputs:
public-key-path: /tmp/intermediate-signing-pub-rsa.pem
issuer-certificate-path: /tmp/root-cert-rsa.pem

1
test/cert-ceremonies/intermediate-ocsp.yaml
View File

@ -4,7 +4,6 @@ pkcs11:
pin: 1234
signing-key-slot: {{ .SlotID}}
signing-key-label: root signing key (rsa)
signing-key-id: {{ .KeyID }}
inputs:
certificate-path: /tmp/intermediate-cert-rsa-a.pem
issuer-certificate-path: /tmp/root-cert-rsa.pem