mirror of
https://github.com/slackhq/nebula.git
synced 2025-11-22 08:24:25 +01:00
add PKCS11 support (#1153)
* add PKCS11 support * add pkcs11 build option to the makefile, add a stub pkclient to avoid forcing CGO onto people * don't print the pkcs11 option on nebula-cert keygen if not compiled in * remove linux-arm64-pkcs11 from the all target to fix CI * correctly serialize ec keys * nebula-cert: support PKCS#11 for sign and ca * fix gofmt lint * clean up some logic with regard to closing sessions * pkclient: handle empty correctly for TPM2 * Update Makefile and Actions --------- Co-authored-by: Morgan Jones <me@numin.it> Co-authored-by: John Maguire <contact@johnmaguire.me>
This commit is contained in:
Jack Doan
87
pkclient/pkclient.go
Normal file
87
pkclient/pkclient.go
Normal file
@@ -0,0 +1,87 @@
|
||||
package pkclient
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io"
|
||||
"strconv"
|
||||
|
||||
"github.com/stefanberger/go-pkcs11uri"
|
||||
)
|
||||
|
||||
type Client interface {
|
||||
io.Closer
|
||||
GetPubKey() ([]byte, error)
|
||||
DeriveNoise(peerPubKey []byte) ([]byte, error)
|
||||
Test() error
|
||||
}
|
||||
|
||||
const NoiseKeySize = 32
|
||||
|
||||
func FromUrl(pkurl string) (*PKClient, error) {
|
||||
uri := pkcs11uri.New()
|
||||
uri.SetAllowAnyModule(true) //todo
|
||||
err := uri.Parse(pkurl)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
module, err := uri.GetModule()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
slotid := 0
|
||||
slot, ok := uri.GetPathAttribute("slot-id", false)
|
||||
if !ok {
|
||||
slotid = 0
|
||||
} else {
|
||||
slotid, err = strconv.Atoi(slot)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
pin, _ := uri.GetPIN()
|
||||
id, _ := uri.GetPathAttribute("id", false)
|
||||
label, _ := uri.GetPathAttribute("object", false)
|
||||
|
||||
return New(module, uint(slotid), pin, id, label)
|
||||
}
|
||||
|
||||
func ecKeyToArray(key *ecdsa.PublicKey) []byte {
|
||||
x := make([]byte, 32)
|
||||
y := make([]byte, 32)
|
||||
key.X.FillBytes(x)
|
||||
key.Y.FillBytes(y)
|
||||
return append([]byte{0x04}, append(x, y...)...)
|
||||
}
|
||||
|
||||
func formatPubkeyFromPublicKeyInfoAttr(d []byte) ([]byte, error) {
|
||||
e, err := x509.ParsePKIXPublicKey(d)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
switch t := e.(type) {
|
||||
case *ecdsa.PublicKey:
|
||||
return ecKeyToArray(e.(*ecdsa.PublicKey)), nil
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown public key type: %T", t)
|
||||
}
|
||||
}
|
||||
|
||||
func (c *PKClient) Test() error {
|
||||
pub, err := c.GetPubKey()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get public key: %w", err)
|
||||
}
|
||||
out, err := c.DeriveNoise(pub) //do an ECDH with ourselves as a quick test
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if len(out) != NoiseKeySize {
|
||||
return fmt.Errorf("got a key of %d bytes, expected %d", len(out), NoiseKeySize)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user