Merge pull request #7 from mode51software/feature/issue5-gensubjectkeyid
Feature/issue5 gensubjectkeyid
mode51software authored Mar 14, 2021
2 parents ce52e57 + b1735d9 commit f4a6d21
Showing 4 changed files with 80 additions and 4 deletions.
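--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## v0.3.2
+### 14/Mar/2021
+
+* GenSubjectKeyId needed for CA cert gen
+
 ## v0.3.1
 ### 10/Mar/2021
 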
30 changes: 29 additions & 1 deletion pkg/pkcs11client/pkcs11client.go
@@ -557,14 +557,26 @@ func (p *Pkcs11Client) FetchKeyPairHandles(keyConfig *KeyConfig) (privKeyHandle

// first see if the key already exists, whether identified by ID or by LABEL
func (p *Pkcs11Client) CheckExistsCreateKeyPair(keyConfig *KeyConfig) error {
return p.checkExistsCreateKeyPair(keyConfig, false)
}

func (p *Pkcs11Client) CheckExistsOkCreateKeyPair(keyConfig *KeyConfig) error {
return p.checkExistsCreateKeyPair(keyConfig, true)
}

func (p *Pkcs11Client) checkExistsCreateKeyPair(keyConfig *KeyConfig, okExists bool) error {

if !keyConfig.checkNewKeyIntegrity() {
return errors.New(ERR_NEWKEYINTEGRITY)
}

if exists, err := p.ExistsPublicKey(keyConfig); err != nil || exists {
if exists {
return errors.New(ERR_NEWKEYALREADYEXISTS)
if okExists {
return nil
} else {
return errors.New(ERR_NEWKEYALREADYEXISTS)
}
} else {
return err
}
@@ -615,3 +627,19 @@ func (p *Pkcs11Client) DeleteKeyPair(keyConfig *KeyConfig) (err error) {

return
}

// get the public key from the HSM and generate the subjectKeyID from it for CA cert gen
func (p *Pkcs11Client) GetGenSubjectKeyId(keyConfig *KeyConfig, keyType uint) (subjectKeyId []byte, publicKey crypto.PublicKey, err error) {

switch keyType {
case pkcs11.CKK_ECDSA:
publicKey, err = p.ReadECPublicKey(keyConfig)
case pkcs11.CKK_RSA:
publicKey, err = p.ReadRSAPublicKey(keyConfig)
default:
return nil, nil, errors.New("Only EC or RSA keys are supported")
}

subjectKeyId, err = GenSubjectKeyID(publicKey)
return
}
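Review bot: In `GetGenSubjectKeyId` the error returned by `p.ReadECPublicKey` / `p.ReadRSAPublicKey` is never checked before `subjectKeyId, err = GenSubjectKeyID(publicKey)` overwrites it, so a failed HSM read surfaces only as whatever marshalling error a nil key produces and the real cause is lost. Add `if err != nil { return nil, nil, err }` directly after the `switch`. In `checkExistsCreateKeyPair`, the `okExists` branch returns nil as soon as a public key is found; nothing in the visible lines confirms that the existing object has the type and size requested in `keyConfig`, so a caller may end up using a different key than it asked for, unless `ExistsPublicKey` already checks this. The new exported wrapper would also benefit from a doc comment such as `// CheckExistsOkCreateKeyPair behaves like CheckExistsCreateKeyPair but returns nil, not ERR_NEWKEYALREADYEXISTS, when the public key already exists.` The body of `checkExistsCreateKeyPair` continues past the end of the first hunk.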
4 changes: 2 additions & 2 deletions pkg/pkcs11client/pkcs11client_test.go
@@ -209,7 +209,7 @@ func TestCreateECKeyPair(t *testing.T) {
registerTest(t)

if err := pkcs11Client.CheckExistsCreateKeyPair(
&KeyConfig{Label: "testkey42", Id: []byte{42}, Type: pkcs11.CKK_EC, KeyBits: 521}); err != nil {
&KeyConfig{Label: "testkey43", Id: []byte{43}, Type: pkcs11.CKK_EC, KeyBits: 521}); err != nil {
t.Error(err)
}
}
@@ -218,7 +218,7 @@ func TestDeleteKeyPair(t *testing.T) {
registerTest(t)

if err := pkcs11Client.DeleteKeyPair(
&KeyConfig{Label: "testkey42", Type: pkcs11.CKK_EC}); err != nil {
&KeyConfig{Label: "testinterkeytest58", Type: pkcs11.CKK_EC}); err != nil {
t.Error(err)
}
}
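Review bot: After this change `TestCreateECKeyPair` creates `testkey43` but no visible test removes it, and `TestDeleteKeyPair` now deletes `testinterkeytest58`, which nothing in these hunks creates, so both tests appear to depend on token state left by other tests or earlier runs. Because `CheckExistsCreateKeyPair` returns ERR_NEWKEYALREADYEXISTS for an existing key, a second run against the same token would presumably fail. Registering the removal in the create test, e.g. `t.Cleanup(func() { _ = pkcs11Client.DeleteKeyPair(&KeyConfig{Label: "testkey43", Type: pkcs11.CKK_EC}) })`, would keep the test repeatable and avoid leaving stray key objects on the HSM. Both test functions begin outside the hunks shown.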
45 changes: 44 additions & 1 deletion pkg/pkcs11client/utils.go
@@ -1,7 +1,9 @@
package pkcs11client

import (
"crypto"
"crypto/rand"
"crypto/sha1"
"crypto/x509"
"encoding/asn1"
"encoding/pem"
@@ -38,6 +40,34 @@ func LoadCertFromFile(filename string) (*x509.Certificate, error) {
return x509.ParseCertificate(fileData)
}

func LoadPEMCertFromFile(filename string) (*x509.Certificate, error) {

fileData, err := ioutil.ReadFile(filename)

if err != nil {
return nil, err
}

block, _ := pem.Decode(fileData)

if block == nil {
return nil, errors.New("failed to parse certificate PEM")
}

return x509.ParseCertificate(block.Bytes)
//return x509.ParseCertificate(fileData)
}

func LoadFromFileAsString(filename string) (*string, error) {

fileData, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
strData := string(fileData)
return &strData, err
}

func SaveCertToFile(filename string, cert *x509.Certificate) error {

err := ioutil.WriteFile(filename, cert.Raw, 0644)
@@ -70,7 +100,7 @@ func LoadPubkeyFromFile(filename string) (interface{}, error) {

func SaveDataToFile(filename string, fileData *[]byte) (err error) {

err = ioutil.WriteFile(filename, *fileData, 0x644)
err = ioutil.WriteFile(filename, *fileData, 0644)

if err != nil {
return err
@@ -136,3 +166,16 @@ func ecdsaPKCS11ToRFC5480(pkcs11Signature []byte) (rfc5480Signature []byte, err
S: s.SetBytes(pkcs11Signature[mid:]),
})
}

// used in the CA cert
func GenSubjectKeyID(publicKey crypto.PublicKey) ([]byte, error) {

marshaledKey, err := x509.MarshalPKIXPublicKey(publicKey)
if err != nil {
return nil, err
}

subjKeyID := sha1.Sum(marshaledKey)

return subjKeyID[:], nil
}
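Review bot: `GenSubjectKeyID` hashes the whole DER-encoded SubjectPublicKeyInfo returned by `x509.MarshalPKIXPublicKey`, whereas RFC 5280 section 4.2.1.2 method 1 hashes only the contents of the subjectPublicKey BIT STRING, so the identifier will not match what other tools compute for the same key. Any unique value is permitted, so this is an interoperability and documentation point rather than a flaw. If the conventional value is wanted, unwrap the SPKI first as sketched below, and either way state in the doc comment that SHA-1 serves only as an identifier here, not for collision resistance. Separately, `LoadPEMCertFromFile` accepts the first PEM block without checking `block.Type == "CERTIFICATE"` and leaves a commented-out `//return x509.ParseCertificate(fileData)` behind.

```go
func GenSubjectKeyID(publicKey crypto.PublicKey) ([]byte, error) {
	// … unchanged: x509.MarshalPKIXPublicKey call and its error check …

	// RFC 5280 4.2.1.2 method 1 hashes only the subjectPublicKey BIT STRING
	// contents, not the enclosing SubjectPublicKeyInfo.
	var spki struct {
		Algorithm asn1.RawValue
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(marshaledKey, &spki); err != nil {
		return nil, err
	}

	// SHA-1 is used purely as an identifier here, not for collision resistance.
	subjKeyID := sha1.Sum(spki.PublicKey.Bytes)
	// … unchanged: return subjKeyID[:], nil …
```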
