In #4992, we refactored NewSigner to look keys up by public key and by
label. However, we didn't correctly incorporate the label check into
the new code. This fixes that and adds a test.
This moves x509Signer from cmd/ceremony into pkcs11helpers. It also
adds helper functions getPublicKeyID and getPrivateKey, copied and
adapted from pkcs11key. These act as counterparts to the existing
GetRSAPublicKey and GetECDSAPublicKey, which go from an object handle
to a Go public key object (and are used after key generation).
Fixes#4918
Previously we were relying on a "more" boolean returned from
FindObjects. But according to
https://pkg.go.dev/github.com/miekg/pkcs11?tab=doc#Ctx.FindObjects,
> The returned boolean value is deprecated and should be ignored.
Instead, we ask for more objects than we need and error if we get more
than 1.
Add a test, and in the process split up the relevant test into
multiple smaller test cases.
Merges gen-ca and gen-key into a single tool that can be used to complete a key/certificate generation ceremony. The driving idea here is that instead of having to write out multiple long commands in a specific order in order to complete a ceremony a configuration file is fed to a single binary. This config file contains all of the information needed to complete the ceremony, and can be easily tested outside of the secure environment before hand without fear of later typing a command/flag incorrectly etc.
The tooling works against the test hardware I have (there are minimal changes to the actual PKCS#11 code behind the scenes). Specific attention should be given to the documentation, and the general UX of the tool.
Fixes#4639 and fixes#4667.
Jacob Hoffman-Andrews
Roland Bracewell Shoemaker