From e1e0465b9a677800fa886726d1c760c2554429de Mon Sep 17 00:00:00 2001 From: Chris Newman Date: Sun, 14 Mar 2021 17:36:05 +0000 Subject: [PATCH 1/2] Issue5: GenSubjectKeyID --- pkg/pkcs11client/pkcs11client.go | 30 +++++++++++++++++- pkg/pkcs11client/pkcs11client_test.go | 4 +-- pkg/pkcs11client/utils.go | 45 ++++++++++++++++++++++++++- 3 files changed, 75 insertions(+), 4 deletions(-) diff --git a/pkg/pkcs11client/pkcs11client.go b/pkg/pkcs11client/pkcs11client.go index b6c3603..ab49d77 100644 --- a/pkg/pkcs11client/pkcs11client.go +++ b/pkg/pkcs11client/pkcs11client.go @@ -557,6 +557,14 @@ func (p *Pkcs11Client) FetchKeyPairHandles(keyConfig *KeyConfig) (privKeyHandle // first see if the key already exists, whether identified by ID or by LABEL func (p *Pkcs11Client) CheckExistsCreateKeyPair(keyConfig *KeyConfig) error { + return p.checkExistsCreateKeyPair(keyConfig, false) +} + +func (p *Pkcs11Client) CheckExistsOkCreateKeyPair(keyConfig *KeyConfig) error { + return p.checkExistsCreateKeyPair(keyConfig, true) +} + +func (p *Pkcs11Client) checkExistsCreateKeyPair(keyConfig *KeyConfig, okExists bool) error { if !keyConfig.checkNewKeyIntegrity() { return errors.New(ERR_NEWKEYINTEGRITY) @@ -564,7 +572,11 @@ func (p *Pkcs11Client) CheckExistsCreateKeyPair(keyConfig *KeyConfig) error { if exists, err := p.ExistsPublicKey(keyConfig); err != nil || exists { if exists { - return errors.New(ERR_NEWKEYALREADYEXISTS) + if okExists { + return nil + } else { + return errors.New(ERR_NEWKEYALREADYEXISTS) + } } else { return err } @@ -615,3 +627,19 @@ func (p *Pkcs11Client) DeleteKeyPair(keyConfig *KeyConfig) (err error) { return } + +// get the public key from the HSM and generate the subjectKeyID from it for CA cert gen +func (p *Pkcs11Client) GetGenSubjectKeyId(keyConfig *KeyConfig, keyType uint) (subjectKeyId []byte, publicKey crypto.PublicKey, err error) { + + switch keyType { + case pkcs11.CKK_ECDSA: + publicKey, err = p.ReadECPublicKey(keyConfig) + case pkcs11.CKK_RSA: + publicKey, err = p.ReadRSAPublicKey(keyConfig) + default: + return nil, nil, errors.New("Only EC or RSA keys are supported") + } + + subjectKeyId, err = GenSubjectKeyID(publicKey) + return +} diff --git a/pkg/pkcs11client/pkcs11client_test.go b/pkg/pkcs11client/pkcs11client_test.go index a1a75db..98656d3 100644 --- a/pkg/pkcs11client/pkcs11client_test.go +++ b/pkg/pkcs11client/pkcs11client_test.go @@ -209,7 +209,7 @@ func TestCreateECKeyPair(t *testing.T) { registerTest(t) if err := pkcs11Client.CheckExistsCreateKeyPair( - &KeyConfig{Label: "testkey42", Id: []byte{42}, Type: pkcs11.CKK_EC, KeyBits: 521}); err != nil { + &KeyConfig{Label: "testkey43", Id: []byte{43}, Type: pkcs11.CKK_EC, KeyBits: 521}); err != nil { t.Error(err) } } @@ -218,7 +218,7 @@ func TestDeleteKeyPair(t *testing.T) { registerTest(t) if err := pkcs11Client.DeleteKeyPair( - &KeyConfig{Label: "testkey42", Type: pkcs11.CKK_EC}); err != nil { + &KeyConfig{Label: "testinterkeytest58", Type: pkcs11.CKK_EC}); err != nil { t.Error(err) } } diff --git a/pkg/pkcs11client/utils.go b/pkg/pkcs11client/utils.go index e74cade..33381e8 100644 --- a/pkg/pkcs11client/utils.go +++ b/pkg/pkcs11client/utils.go @@ -1,7 +1,9 @@ package pkcs11client import ( + "crypto" "crypto/rand" + "crypto/sha1" "crypto/x509" "encoding/asn1" "encoding/pem" @@ -38,6 +40,34 @@ func LoadCertFromFile(filename string) (*x509.Certificate, error) { return x509.ParseCertificate(fileData) } +func LoadPEMCertFromFile(filename string) (*x509.Certificate, error) { + + fileData, err := ioutil.ReadFile(filename) + + if err != nil { + return nil, err + } + + block, _ := pem.Decode(fileData) + + if block == nil { + return nil, errors.New("failed to parse certificate PEM") + } + + return x509.ParseCertificate(block.Bytes) + //return x509.ParseCertificate(fileData) +} + +func LoadFromFileAsString(filename string) (*string, error) { + + fileData, err := ioutil.ReadFile(filename) + if err != nil { + return nil, err + } + strData := string(fileData) + return &strData, err +} + func SaveCertToFile(filename string, cert *x509.Certificate) error { err := ioutil.WriteFile(filename, cert.Raw, 0644) @@ -70,7 +100,7 @@ func LoadPubkeyFromFile(filename string) (interface{}, error) { func SaveDataToFile(filename string, fileData *[]byte) (err error) { - err = ioutil.WriteFile(filename, *fileData, 0x644) + err = ioutil.WriteFile(filename, *fileData, 0644) if err != nil { return err @@ -136,3 +166,16 @@ func ecdsaPKCS11ToRFC5480(pkcs11Signature []byte) (rfc5480Signature []byte, err S: s.SetBytes(pkcs11Signature[mid:]), }) } + +// used in the CA cert +func GenSubjectKeyID(publicKey crypto.PublicKey) ([]byte, error) { + + marshaledKey, err := x509.MarshalPKIXPublicKey(publicKey) + if err != nil { + return nil, err + } + + subjKeyID := sha1.Sum(marshaledKey) + + return subjKeyID[:], nil +} From b1735d99ba012a0dd07b2dd89171028581299e54 Mon Sep 17 00:00:00 2001 From: Chris Newman Date: Sun, 14 Mar 2021 23:18:57 +0000 Subject: [PATCH 2/2] Update changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 45785ec..ed9a295 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +## v0.3.2 +### 14/Mar/2021 + +* GenSubjectKeyId needed for CA cert gen + ## v0.3.1 ### 10/Mar/2021