Merge pull request #9 from mode51software/feature/issue5-gensubjectkeyid

Issue-8: Add Read RSA for GenSubjectKeyId, allow key labels only for …

CHANGELOG.md

@@ -1,3 +1,8 @@
+## v0.3.3
+### 17/Mar/2021
+
+* Add Read RSA for GenSubjectKeyId
+
 ## v0.3.2
 ### 14/Mar/2021
 

pkg/pkcs11client/keyconfig.go

@@ -87,7 +87,7 @@ type KeyTemplateSecurity struct {
 
 // an ID and label are needed when creating a key, though when using a key either may be used
 func (k *KeyConfig) checkNewKeyIntegrity() bool {
-	return k.KeyBits > 0 && len(k.Id) > 0 && len(k.Label) > 0
+	return k.KeyBits > 0 && (len(k.Id) > 0 || len(k.Label) > 0)
 }
 
 func (k *KeyConfig) appendKeyIdentity(attribs []*pkcs11.Attribute) (fullAttribs []*pkcs11.Attribute, err error) {

pkg/pkcs11client/pkcs11client.go

@@ -8,11 +8,13 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/rsa"
 	"encoding/asn1"
 	"errors"
 	"fmt"
 	"github.com/miekg/pkcs11"
 	"github.com/rs/zerolog/log"
+	"math/big"
 	"sync"
 	"time"
 )
@@ -411,20 +413,53 @@ func (p *Pkcs11Client) ReadPublicKey(keyConfig *KeyConfig, pubKeyType uint) (pub
 		return
 	}
 	switch pubKeyType {
-	//case pkcs11.CKK_RSA:
+	case pkcs11.CKK_RSA:
+		return p.GetRSAPublicKey(objHandles[0])
 	case pkcs11.CKK_ECDSA:
 		return p.GetECDSAPublicKey(objHandles[0])
 	}
 	return nil, nil
 }
 
+// https://github.com/letsencrypt/boulder/blob/release-2021-02-08/pkcs11helpers/helpers.go#L178
+func (p *Pkcs11Client) GetRSAPublicKey(object pkcs11.ObjectHandle) (*rsa.PublicKey, error) {
+	// Retrieve the public exponent and modulus for the public key
+	attrs, err := p.context.GetAttributeValue(p.session, object, []*pkcs11.Attribute{
+		pkcs11.NewAttribute(pkcs11.CKA_PUBLIC_EXPONENT, nil),
+		pkcs11.NewAttribute(pkcs11.CKA_MODULUS, nil),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("Failed to retrieve key attributes: %s", err)
+	}
+
+	// Attempt to build the public key from the retrieved attributes
+	pubKey := &rsa.PublicKey{}
+	gotMod, gotExp := false, false
+	for _, a := range attrs {
+		switch a.Type {
+		case pkcs11.CKA_PUBLIC_EXPONENT:
+			pubKey.E = int(big.NewInt(0).SetBytes(a.Value).Int64())
+			gotExp = true
+		case pkcs11.CKA_MODULUS:
+			pubKey.N = big.NewInt(0).SetBytes(a.Value)
+			gotMod = true
+		}
+	}
+	// Fail if we are missing either the public exponent or modulus
+	if !gotExp || !gotMod {
+		return nil, errors.New("Couldn't retrieve modulus and exponent")
+	}
+	return pubKey, nil
+}
+
 // https://github.com/letsencrypt/boulder/blob/release-2021-02-08/pkcs11helpers/helpers.go#L208
 func (p *Pkcs11Client) GetECDSAPublicKey(object pkcs11.ObjectHandle) (*ecdsa.PublicKey, error) {
 	// Retrieve the curve and public point for the generated public key
 	attrs, err := p.context.GetAttributeValue(p.session, object, []*pkcs11.Attribute{
 		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, nil),
 		pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, nil),
 	})
+
 	if err != nil {
 		return nil, fmt.Errorf("Failed to retrieve key attributes: %s", err)
 	}
@@ -640,6 +675,9 @@ func (p *Pkcs11Client) GetGenSubjectKeyId(keyConfig *KeyConfig, keyType uint) (s
 		return nil, nil, errors.New("Only EC or RSA keys are supported")
 	}
 
+	if err != nil {
+		return
+	}
 	subjectKeyId, err = GenSubjectKeyID(publicKey)
 	return
 }

pkg/pkcs11client/utils.go

@@ -2,7 +2,9 @@ package pkcs11client
 
 import (
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/rand"
+	"crypto/rsa"
 	"crypto/sha1"
 	"crypto/x509"
 	"encoding/asn1"
@@ -11,6 +13,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"io/ioutil"
 	"math/big"
+	"reflect"
 	"time"
 )
 
@@ -179,3 +182,15 @@ func GenSubjectKeyID(publicKey crypto.PublicKey) ([]byte, error) {
 
 	return subjKeyID[:], nil
 }
+
+func GetPubKeyType(publicKey crypto.PublicKey) (keyType x509.PublicKeyAlgorithm, err error) {
+	if reflect.TypeOf(publicKey) == reflect.TypeOf(&rsa.PublicKey{}) {
+		keyType = x509.RSA
+	} else if reflect.TypeOf(publicKey) == reflect.TypeOf(&ecdsa.PublicKey{}) {
+		keyType = x509.ECDSA
+	} else {
+		keyType = x509.UnknownPublicKeyAlgorithm
+		err = errors.New("Unsupported PublicKeyAlgorithm")
+	}
+	return
+}