Issue-1: create key

Issue-2: CKA_ID byte array Issue-3: delete key
mode51software · Mar 5, 2021 · 2a39ada · 2a39ada
1 parent 93da1b7
commit 2a39ada
Show file tree

Hide file tree

Showing 6 changed files with 439 additions and 87 deletions.
diff --git a/SETUP.md b/SETUP.md
@@ -155,7 +155,7 @@ or
 
 ###### Gen Root CA Cert
 
-`openssl req -new -x509 -days 3560 -sha512 -extensions v3_ca  -engine pkcs11 -keyform engine -key 1601805484:0001 -out softhsm-root-0001.ca.cert.pem -set_serial 5000
+`openssl req -new -x509 -days 3560 -sha512 -extensions v3_ca  -engine pkcs11 -keyform engine -key 1601805484:0001 -out softhsm-root-0001.ca.cert.pem -set_serial 5000`
 
 ###### Gen Intermediate CA CSR
 
@@ -205,8 +205,15 @@ The signed Intermediate CA is now ready for use with [TESTING](TESTING.md)
 
 ##### SafeNet Configuration
 
-Using a SafeNet DPoD account, download the 
-source yoursafenetdpodpath/setenv needs to be run first.
+Using a SafeNet DPoD account, download the installation files.
+
+All of the following commands need a shell where the DPoD environment has been included using the source command:
+
+```
+cd /yoursafenetdpodpath
+. ./setenv
+```
+
 If you are using an IDE then source this script in a terminal and then start the IDE from the terminal.
 The unit tests should then work with debug enabled within the IDE.
 
@@ -234,46 +241,71 @@ MODULE_PATH = /yoursafenetpath/libs/64/libCryptoki2.so
 
 ##### Signing
 
+```
+...the value of the "id" attribute can contain non-textual data.  
+This is because the corresponding PKCS#11 "CKA_ID" object attribute can contain arbitrary binary data.
+```
+
 ###### Gen Root and Intermediate CA RSA Keys
 
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:4096 --label RSATestCARootKey0001 --id "0001"`
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:4096 --label RSATestCARootKey0001 --id 1`
+
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:2048 --label RSATestCAInterKey0002 --id 2`
+
+###### Extract the Root and Intermediate CAs' public keys
+
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --id 1 --type pubkey -r -o safenet-root-01.ca.pub.der`
+
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --id 2 --type pubkey -r -o safenet-inter-02.ca.pub.der`
 
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:2048 --label RSATestCAInterKey0002 --id "0002"`
+###### Convert the Root and Intermediate CAs' public keys to PEM format
+
+`openssl rsa -pubin -inform DER -in ./safenet-root-01.ca.pub.der -out ./safenet-root-01.ca.pub.pem`
+
+`openssl rsa -pubin -inform DER -in ./safenet-inter-02.ca.pub.der -out ./safenet-inter-02.ca.pub.pem`
 
 ###### Gen Root CA Cert
 
-`openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:id=%00%01" -out safenet-root-0001.ca.cert.pem -set_serial 5000`
+`openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:id=%01" -out safenet-root-01.ca.cert.pem -set_serial 5000`
 
 ###### Gen Intermediate CA CSR
 
-`openssl req -new -sha512 -engine pkcs11 -keyform engine -key "pkcs11:id=%00%02" -out safenet-inter-0002.ca.csr.pem`
+`openssl req -new -sha512 -engine pkcs11 -keyform engine -key "pkcs11:id=%02" -out safenet-inter-02.ca.csr.pem`
 
 ###### Sign Intermediate CA CSR
 
-`openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%00%09" -in safenet-inter-0009.ca.csr.pem -out safenet-inter-0009.ca.cert.pem -cert safenet-root-0009.ca.cert.pem -noemailDN`
+`openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%01" -in safenet-inter-02.ca.csr.pem -out safenet-inter-02.ca.cert.pem -cert safenet-root-01.ca.cert.pem -noemailDN`
+
 
-###### Extract the Intermediate CA's public key
+###### Gen Root and Intermediate CA ECDSA Keys
 
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --id "0010" --type pubkey -r -o /tmp/safenet-inter.ca.pub.der`
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp521r1 --label ECTestCARootKey03 --id 3`
 
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp384r1 --label ECTestCAInterKey04 --id 4`
 
-###### Gen Root and Intermediate CA ECDSA Keys
+###### Extract the Root and Intermediate CAs' public keys
+
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --id 3 --type pubkey -r -o safenet-root-03.ca.pub.der`
 
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp521r1 --label ECTestCARootKey0015 --id "0015"`
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --id 4 --type pubkey -r -o safenet-inter-04.ca.pub.der`
 
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp384r1 --label ECTestCAInterKey0016 --id "0016"`
+###### Convert the Root and Intermediate CAs' public keys to PEM format
+
+`openssl ec -pubin -inform DER -in ./safenet-root-03.ca.pub.der -out ./safenet-root-03.ca.pub.pem`
+
+`openssl ec -pubin -inform DER -in ./safenet-inter-04.ca.pub.der -out ./safenet-inter-04.ca.pub.pem`
 
 ###### Gen Root CA Cert
-`openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:id=%00%15" -out safenet-root-0015.ca.cert.pem -set_serial 5010`
+
+`openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:id=%03" -out safenet-root-03.ca.cert.pem -set_serial 5010`
 
 ###### Gen Intermediate CA CSR
-`openssl req -new -sha512 -engine pkcs11 -keyform engine -key "pkcs11:id=%00%16" -out safenet-inter-0016.ca.csr.pem`
+
+`openssl req -new -sha512 -engine pkcs11 -keyform engine -key "pkcs11:id=%04" -out safenet-inter-04.ca.csr.pem`
 
 ###### Sign Intermediate CA CSR
-`openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%00%15" -in safenet-inter-0016.ca.csr.pem -out safenet-inter-0016.ca.cert.pem -cert safenet-root-0015.ca.cert.pem -noemailDN`
 
-###### Extract the Intermediate CA's public key
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --id "0016" --type pubkey -r -o safenet-inter-0016.ca.pub.der`
+`openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%03" -in safenet-inter-04.ca.csr.pem -out safenet-inter-04.ca.cert.pem -cert safenet-root-03.ca.cert.pem -noemailDN`
 
 
 ##### Encryption
@@ -291,7 +323,7 @@ MODULE_PATH = /yoursafenetpath/libs/64/libCryptoki2.so
 `openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=0007;type=private;" -in ./testsafe.enc -out ./testsafe.dec`
 
 
-## Entrust nShield
+### Entrust nShield
 
 ```
 openssl_conf = openssl_init
@@ -308,22 +340,22 @@ dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
 MODULE_PATH = /opt/apps/nfast/20201219/bin/libcknfast.so
 ```
 
-### Commands
+#### Commands
 
-#### nCipher Encryption Test
+##### nCipher Encryption Test
 `openssl pkeyutl -encrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=%61%02%1f%1f%ed%1e%fc%39%f9%d6%0f%28%9b%d5%5f%e9%78%91%6c%e9;type=public;" -in ./test.txt -out ./testncipher.enc`
 
-#### nCipher Decryption Test
+##### nCipher Decryption Test
 `openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=%61%02%1f%1f%ed%1e%fc%39%f9%d6%0f%28%9b%d5%5f%e9%78%91%6c%e9;type=public;" -in ./testncipher.enc -out ./testncipher.dec`
 
-#### OpenSSL Gen Root CA Cert
+##### OpenSSL Gen Root CA Cert
 `openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:id=%61%02%1f%1f%ed%1e%fc%39%f9%d6%0f%28%9b%d5%5f%e9%78%91%6c%e9;type=public;" -out ncipher-root-0005.ca.cert.pem -set_serial 5001`
 
-#### OpenSSL Gen Intermediate CA CSR
+##### OpenSSL Gen Intermediate CA CSR
 `openssl req -new -sha512 -engine pkcs11 -keyform engine -key "pkcs11:id=%88%d8%42%c8%6f%7a%49%ae%92%be%d6%0f%3b%e7%41%51%94%27%69%86" -out ncipher-inter-0006.ca.csr.pem`
 
-#### OpenSSL Sign Intermediate CA CSR
+##### OpenSSL Sign Intermediate CA CSR
 `openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%61%02%1f%1f%ed%1e%fc%39%f9%d6%0f%28%9b%d5%5f%e9%78%91%6c%e9" -in ncipher-inter-0006.ca.csr.pem -out ncipher-inter-0006.ca.cert.pem -cert ncipher-root-0005.ca.cert.pem -noemailDN`
 
-#### Extract the Intermediate CA's public key
+##### Extract the Intermediate CA's public key
 `pkcs11-tool --module=/opt/apps/nfast/20201219/bin/libcknfast.so --id "61021f1fed1efc39f9d60f289bd55fe978916ce9" --type pubkey -r -o /tmp/ncipher-inter.ca.pub.der`
diff --git a/pkg/pkcs11client/keyconfig.go b/pkg/pkcs11client/keyconfig.go
@@ -1,30 +1,236 @@
 package pkcs11client
 
 import (
+	"crypto/elliptic"
+	"encoding/asn1"
 	"errors"
 	"github.com/miekg/pkcs11"
 )
 
 type KeyConfig struct {
+	// CKA_LABEL
 	Label string
 
 	// CKA_ID doesn't appear to work with SoftHSM
-	Id string
+	Id []byte
 
 	// for CKA_KEY_TYPE
 	Type uint
 
+	// CKA_MODULUS BITS only needed for key creation
+	KeyBits int
+
 	// The mechanism will be auto populated but it can be manually set
 	Mechanism []*pkcs11.Mechanism
 }
 
+type KeyConfigKeyPairTemplate struct {
+	keyConfig             KeyConfig
+	keyTemplatePrivConfig KeyTemplatePrivConfig
+	keyTemplatePubConfig  KeyTemplatePubConfig
+	keyTemplateSecurity   KeyTemplateSecurity
+}
+
+type KeyTemplatePrivConfig struct {
+
+	// CKA_DECRYPT
+	IsDecrypt bool
+
+	// CKA_UNWRAP
+	IsUnwrap bool
+
+	// CKA_SIGN
+	IsSign bool
+
+	// CKA_DERIVE
+	IsDerive bool
+}
+
+type KeyTemplatePubConfig struct {
+
+	// CKA_ENCRYPT
+	IsEncrypt bool
+
+	// CKA_WRAP
+	IsWrap bool
+
+	// CKA_VERIFY
+	IsVerify bool
+
+	// CKA_PUBLIC_EXPONTENT
+	Exponent []byte
+}
+
+type KeyTemplateSecurity struct {
+
+	// CKA_TOKEN token or session object
+	IsToken bool
+
+	// CKA_PRIVATE requires elevated privileges to report the presence of a key object
+	IsPrivate bool
+
+	// CKA_SENSITIVE
+	IsSensitive bool
+
+	// CKA_ALWAYS_SENSITIVE
+	IsAlwaysSensitive bool
+
+	// CKA_MODIFIABLE
+	IsModifiable bool
+
+	// CKA_EXTRACTABLE
+	IsExtractable bool
+
+	// CKA_NEVER_EXTRACTABLE
+	IsNeverExtractable bool
+}
+
+// an ID and label are needed when creating a key, though when using a key either may be used
+func (k *KeyConfig) checkNewKeyIntegrity() bool {
+	return k.KeyBits > 0 && len(k.Id) > 0 && len(k.Label) > 0
+}
+
 func (k *KeyConfig) appendKeyIdentity(attribs []*pkcs11.Attribute) (fullAttribs []*pkcs11.Attribute, err error) {
+	found := false
+
+	var extraAttribs []*pkcs11.Attribute
+
 	if len(k.Id) > 0 {
-		fullAttribs = append(attribs, pkcs11.NewAttribute(pkcs11.CKA_ID, k.Id))
-	} else if len(k.Label) > 0 {
-		fullAttribs = append(attribs, pkcs11.NewAttribute(pkcs11.CKA_LABEL, k.Label))
-	} else {
+		extraAttribs = append(extraAttribs, pkcs11.NewAttribute(pkcs11.CKA_ID, k.Id))
+		found = true
+	}
+	if len(k.Label) > 0 {
+		extraAttribs = append(extraAttribs, pkcs11.NewAttribute(pkcs11.CKA_LABEL, k.Label))
+		found = true
+	}
+	if !found {
 		return nil, errors.New("Provide a key id or label")
 	}
+	fullAttribs = append(attribs, extraAttribs...)
+	return
+}
+
+func (kp *KeyConfigKeyPairTemplate) appendKeyPairGenParams(attribs []*pkcs11.Attribute) (fullAttribs []*pkcs11.Attribute, err error) {
+	found := false
+
+	var extraAttribs []*pkcs11.Attribute
+
+	if kp.keyConfig.Type == pkcs11.CKK_RSA {
+		extraAttribs = append(extraAttribs, pkcs11.NewAttribute(pkcs11.CKA_MODULUS_BITS, kp.keyConfig.KeyBits),
+			pkcs11.NewAttribute(pkcs11.CKA_PUBLIC_EXPONENT, kp.keyTemplatePubConfig.Exponent))
+		found = true
+	} else if kp.keyConfig.Type == pkcs11.CKK_EC || kp.keyConfig.Type == pkcs11.CKK_ECDSA {
+
+		var curve elliptic.Curve
+		switch kp.keyConfig.KeyBits {
+		case 224:
+			curve = elliptic.P224()
+		case 256:
+			curve = elliptic.P256()
+		case 384:
+			curve = elliptic.P384()
+		case 521:
+			curve = elliptic.P521()
+		default:
+			return nil, errors.New(ERR_UNSUPPORTEDCURVESIZE)
+		}
+		if curveOID, err := asn1.Marshal(curveOIDs[curve.Params().Name]); err != nil {
+			return nil, errors.New(ERR_UNSUPPORTEDCURVESIZE)
+		} else {
+			extraAttribs = append(extraAttribs, pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, curveOID))
+		}
+		found = true
+	}
+	if !found {
+		return nil, errors.New(ERR_UNSUPPORTEDKEYTYPE)
+	}
+	fullAttribs = append(attribs, extraAttribs...)
+	return
+}
+
+func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairPrivTemplateForSigning() {
+
+	kp.keyTemplatePrivConfig = KeyTemplatePrivConfig{
+		IsDecrypt: false,
+		IsUnwrap:  false,
+		IsSign:    true,
+		IsDerive:  false,
+	}
+
+}
+
+func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairPubTemplateForSigning() {
+
+	kp.keyTemplatePubConfig = KeyTemplatePubConfig{
+		IsEncrypt: false,
+		IsWrap:    false,
+		IsVerify:  true,
+		Exponent:  []byte{1, 0, 1},
+	}
+}
+
+func GenKeyConfigKeyPairTemplate(keyConfig *KeyConfig) KeyConfigKeyPairTemplate {
+	kp := KeyConfigKeyPairTemplate{}
+	kp.keyConfig = *keyConfig
+	return kp
+}
+
+func (kp *KeyConfigKeyPairTemplate) GenDefaultKeyPairTemplateForSigning() {
+
+	kp.GenDefaultKeySecurityTemplate()
+	kp.GenDefaultKeyPairPrivTemplateForSigning()
+	kp.GenDefaultKeyPairPubTemplateForSigning()
+}
+
+func (kp *KeyConfigKeyPairTemplate) GenDefaultKeySecurityTemplate() {
+	kp.keyTemplateSecurity = KeyTemplateSecurity{
+		IsToken:            true,
+		IsPrivate:          true,
+		IsSensitive:        true,
+		IsAlwaysSensitive:  true,
+		IsModifiable:       false,
+		IsExtractable:      false,
+		IsNeverExtractable: true,
+	}
+}
+
+func (kp *KeyConfigKeyPairTemplate) GenKeyPairTemplateAttribs() (privAttribs []*pkcs11.Attribute, pubAttribs []*pkcs11.Attribute, err error) {
+
+	privAttribs = []*pkcs11.Attribute{
+		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
+		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, kp.keyTemplateSecurity.IsToken),
+		pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, kp.keyTemplateSecurity.IsPrivate),
+		pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, kp.keyTemplateSecurity.IsSensitive),
+		//		pkcs11.NewAttribute(pkcs11.CKA_ALWAYS_SENSITIVE, kp.keyTemplateSecurity.IsAlwaysSensitive),
+		pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, kp.keyTemplatePrivConfig.IsDecrypt),
+		pkcs11.NewAttribute(pkcs11.CKA_UNWRAP, kp.keyTemplatePrivConfig.IsUnwrap),
+		pkcs11.NewAttribute(pkcs11.CKA_SIGN, kp.keyTemplatePrivConfig.IsSign),
+		pkcs11.NewAttribute(pkcs11.CKA_DERIVE, kp.keyTemplatePrivConfig.IsDerive),
+		pkcs11.NewAttribute(pkcs11.CKA_MODIFIABLE, kp.keyTemplateSecurity.IsModifiable),
+		pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, kp.keyTemplateSecurity.IsExtractable),
+	}
+	privAttribs, err = (kp.keyConfig).appendKeyIdentity(privAttribs)
+	if err != nil {
+		return
+	}
+
+	pubAttribs = []*pkcs11.Attribute{
+		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
+		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, kp.keyConfig.Type),
+		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, kp.keyTemplateSecurity.IsToken),
+		pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, kp.keyTemplatePubConfig.IsEncrypt),
+		pkcs11.NewAttribute(pkcs11.CKA_WRAP, kp.keyTemplatePubConfig.IsWrap),
+		pkcs11.NewAttribute(pkcs11.CKA_VERIFY, kp.keyTemplatePubConfig.IsVerify),
+	}
+
+	pubAttribs, err = (kp.keyConfig).appendKeyIdentity(pubAttribs)
+	if err != nil {
+		return
+	}
+	pubAttribs, err = kp.appendKeyPairGenParams(pubAttribs)
+	if err != nil {
+		return
+	}
+
 	return
 }