pkcs11ks

Published: Feb 13, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

README

pkcs11ks package

Provides a simple key store implementation for PKCS#11 tokens.

Documentation

Index

Constants

Variables

This section is empty.

Functions

This section is empty.

Types

type CK_ATTRIBUTE_PTR

// CK_ATTRIBUTE_PTR holds a PKCS#11 attribute-array value as raw bytes. It is
// the type of CKA_UNWRAP_TEMPLATE and CKA_WRAP_TEMPLATE, whose comments state
// that the number of attributes is ulValueLen divided by the size of
// CK_ATTRIBUTE; the bytes are not decoded into individual attributes by this
// type itself.
type CK_ATTRIBUTE_PTR CK_Bytes

type CK_BBOOL

// CK_BBOOL is the Go representation of the PKCS#11 CK_BBOOL attribute type;
// true corresponds to CK_TRUE and false to CK_FALSE in the field comments below.
type CK_BBOOL bool

type CK_BigInt

// CK_BigInt carries a big-integer attribute value: the RSA modulus, exponents,
// primes and CRT coefficient, and the EC private value d. It is a pointer type,
// so the zero value is nil and callers must check for it before use. Several of
// the fields using it (CKA_PRIVATE_EXPONENT, CKA_PRIME_1/2, CKA_VALUE) are
// secret key material.
type CK_BigInt *big.Int

type CK_Bytes

// CK_Bytes is an arbitrary-length byte-string attribute value (key identifiers,
// DER encodings, EC points and raw secret key values).
type CK_Bytes []byte

type CK_DATE

// CK_DATE represents the PKCS#11 CK_DATE attribute type (used by CKA_START_DATE
// and CKA_END_DATE) as a time.Time. NOTE(review): a PKCS#11 date carries only
// year, month and day; how the conversion treats time-of-day and zone is not
// visible here — confirm before comparing dates.
type CK_DATE time.Time

type CK_KEY_TYPE

// CK_KEY_TYPE identifies the key type of a key object (the CKA_KEY_TYPE
// attribute). It shares the 32-bit width of CK_ULONG.
type CK_KEY_TYPE CK_ULONG

type CK_MECHANISM_TYPE

// CK_MECHANISM_TYPE identifies a PKCS#11 mechanism, as used by
// CKA_KEY_GEN_MECHANISM and the CKA_ALLOWED_MECHANISMS list. It shares the
// 32-bit width of CK_ULONG.
type CK_MECHANISM_TYPE CK_ULONG

type CK_MECHANISM_TYPE_PTR

// CK_MECHANISM_TYPE_PTR is the decoded form of a PKCS#11 CK_MECHANISM_TYPE
// array, used by CKA_ALLOWED_MECHANISMS. Unlike CK_ATTRIBUTE_PTR it is a typed
// slice rather than raw bytes.
type CK_MECHANISM_TYPE_PTR []CK_MECHANISM_TYPE

type CK_OBJECT_CLASS

// CK_OBJECT_CLASS identifies the class of a PKCS#11 object (the CKA_CLASS
// attribute). It shares the 32-bit width of CK_ULONG.
type CK_OBJECT_CLASS CK_ULONG

type CK_String

// CK_String is a textual attribute value such as CKA_LABEL.
type CK_String string

type CK_ULONG

// CK_ULONG mirrors the PKCS#11 CK_ULONG. It is fixed at 32 bits here although
// the spec allows a 64-bit CK_ULONG, so a value from a 64-bit library that does
// not fit in uint32 would be truncated when converted. NOTE(review): confirm
// against the driver ABI and the conversion code, which is not shown here.
type CK_ULONG uint32

From the PKCS#11 spec: CK_ULONG is sometimes 32 bits wide and sometimes 64 bits wide, depending on the platform.

type CkaDesc

// CkaDesc describes a CKA_* attribute. Instances are looked up by numeric code
// with CkaDescByCode or by name with CkaDescByName; the fields are unexported.
type CkaDesc struct {
	// contains filtered or unexported fields
}

func CkaDescByCode

func CkaDescByCode(code uint) *CkaDesc

func CkaDescByName

func CkaDescByName(name string) *CkaDesc

type CommonKeyAttributes

// CommonKeyAttributes holds the attributes shared by every key object
// (public, private and secret), on top of the storage-object attributes it
// embeds. Field comments follow the PKCS#11 attribute descriptions.
type CommonKeyAttributes struct {
	CommonStorageObjectAttributes
	CKA_KEY_TYPE           CK_KEY_TYPE           // Type of key
	CKA_ID                 CK_Bytes              // Key identifier for key (default empty)
	CKA_START_DATE         CK_DATE               // Start date for the key (default empty)
	CKA_END_DATE           CK_DATE               // End date for the key (default empty)
	CKA_DERIVE             CK_BBOOL              // CK_TRUE if key supports key derivation (i.e., if other keys can be derived from this one) (default CK_FALSE)
	CKA_LOCAL              CK_BBOOL              // CK_TRUE only if key was either generated locally (i.e., on the token) with a C_GenerateKey or C_GenerateKeyPair call, or created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to CK_TRUE
	CKA_KEY_GEN_MECHANISM  CK_MECHANISM_TYPE     // Identifier of the mechanism used to generate the key material.
	CKA_ALLOWED_MECHANISMS CK_MECHANISM_TYPE_PTR // A list of mechanisms allowed to be used with this key (a pointer to a CK_MECHANISM_TYPE array in PKCS#11). The number of mechanisms in the array is the ulValueLen component of the attribute divided by the size of CK_MECHANISM_TYPE.
}

type CommonObjectAttributes

// CommonObjectAttributes holds the single attribute every PKCS#11 object has:
// its object class.
type CommonObjectAttributes struct {
	CKA_CLASS CK_OBJECT_CLASS // Object class (type)
}

type CommonPrivateKeyAttributes

// CommonPrivateKeyAttributes holds the attributes shared by all private key
// objects. CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NEVER_EXTRACTABLE and
// CKA_WRAP_WITH_TRUSTED describe whether the private key material may leave the
// token (see the field comments), and CKA_ALWAYS_AUTHENTICATE whether each use
// requires the PIN. NOTE(review): these values are reported by the token; how
// this package's ExportPrivate behaves when they are set is not visible here.
type CommonPrivateKeyAttributes struct {
	CommonKeyAttributes
	CKA_SUBJECT             CK_Bytes         // DER-encoding of certificate subject name (default empty)
	CKA_SENSITIVE           CK_BBOOL         // CK_TRUE if key is sensitive
	CKA_DECRYPT             CK_BBOOL         // CK_TRUE if key supports decryption
	CKA_SIGN                CK_BBOOL         // CK_TRUE if key supports signatures where the signature is an appendix to the data
	CKA_SIGN_RECOVER        CK_BBOOL         // CK_TRUE if key supports signatures where the data can be recovered from the signature
	CKA_UNWRAP              CK_BBOOL         // CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys)
	CKA_EXTRACTABLE         CK_BBOOL         // CK_TRUE if key is extractable and can be wrapped
	CKA_ALWAYS_SENSITIVE    CK_BBOOL         // CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE
	CKA_NEVER_EXTRACTABLE   CK_BBOOL         // CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE
	CKA_WRAP_WITH_TRUSTED   CK_BBOOL         // CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE.
	CKA_UNWRAP_TEMPLATE     CK_ATTRIBUTE_PTR // For wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user-supplied template is applied after this template as if the object had already been created. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE.
	CKA_ALWAYS_AUTHENTICATE CK_BBOOL         // If CK_TRUE, the user has to supply the PIN for each use (sign or decrypt) with the key. Default is CK_FALSE.
	CKA_PUBLIC_KEY_INFO     CK_Bytes         // DER-encoding of the SubjectPublicKeyInfo for the associated public key (MAY be empty; DEFAULT derived from the underlying private key data; MAY be manually set for specific key types; if set, MUST be consistent with the underlying private key data)
}

type CommonPublicKeyAttributes

// CommonPublicKeyAttributes holds the attributes shared by all public key
// objects. CKA_TRUSTED and CKA_WRAP_TEMPLATE describe which keys this key may
// wrap; CKA_PUBLIC_KEY_INFO carries the DER SubjectPublicKeyInfo.
type CommonPublicKeyAttributes struct {
	CommonKeyAttributes
	CKA_SUBJECT         CK_Bytes         // DER-encoding of the key subject name (default empty)
	CKA_ENCRYPT         CK_BBOOL         // CK_TRUE if key supports encryption
	CKA_VERIFY          CK_BBOOL         // CK_TRUE if key supports verification where the signature is an appendix to the data
	CKA_VERIFY_RECOVER  CK_BBOOL         // CK_TRUE if key supports verification where the data is recovered from the signature
	CKA_WRAP            CK_BBOOL         // CK_TRUE if key supports wrapping (i.e., can be used to wrap other keys)
	CKA_TRUSTED         CK_BBOOL         // The key can be trusted for the application that it was created for. The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE.
	CKA_WRAP_TEMPLATE   CK_ATTRIBUTE_PTR // For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE.
	CKA_PUBLIC_KEY_INFO CK_Bytes         // DER-encoding of the SubjectPublicKeyInfo for this public key. (MAY be empty, DEFAULT derived from the underlying public key data)
}

type CommonStorageObjectAttributes

// CommonStorageObjectAttributes holds the attributes shared by all storage
// objects: token vs. session lifetime, private vs. public visibility, and the
// modifiable/copyable/destroyable flags, plus the human-readable label.
type CommonStorageObjectAttributes struct {
	CommonObjectAttributes
	CKA_TOKEN       CK_BBOOL  // CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE.
	CKA_PRIVATE     CK_BBOOL  // CK_TRUE if object is a private object; CK_FALSE if object is a public object. Default value is token-specific, and may depend on the values of other attributes of the object.
	CKA_MODIFIABLE  CK_BBOOL  // CK_TRUE if object can be modified. Default is CK_TRUE.
	CKA_LABEL       CK_String // Description of the object (default empty).
	CKA_COPYABLE    CK_BBOOL  // CK_TRUE if object can be copied using C_CopyObject. Defaults to CK_TRUE. Can't be set to TRUE once it is set to FALSE.
	CKA_DESTROYABLE CK_BBOOL  // CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE.
}

type ECCPrivateKeyAttributes

// ECCPrivateKeyAttributes holds the attributes of an EC private key object.
// CKA_VALUE is the secret scalar d; an instance with it populated is key
// material and should be handled (and never logged) as such.
type ECCPrivateKeyAttributes struct {
	CommonPrivateKeyAttributes
	CKA_EC_PARAMS CK_Bytes  // DER-encoding of an ANSI X9.62 Parameters value
	CKA_VALUE     CK_BigInt // ANSI X9.62 private value d
}

type ECCPublicKeyAttributes

// ECCPublicKeyAttributes holds the attributes of an EC public key object:
// the DER-encoded curve parameters and the DER-encoded point Q.
type ECCPublicKeyAttributes struct {
	CommonPublicKeyAttributes
	CKA_EC_PARAMS CK_Bytes // DER-encoding of an ANSI X9.62 Parameters value
	CKA_EC_POINT  CK_Bytes // DER-encoding of ANSI X9.62 ECPoint value Q
}

type GenericSecretKeyAttributes

// GenericSecretKeyAttributes holds the attributes of a generic secret key
// object. CKA_VALUE is the raw secret itself and CKA_VALUE_LEN its length in
// bytes; a populated CKA_VALUE is key material and must be treated accordingly.
type GenericSecretKeyAttributes struct {
	CommonKeyAttributes
	CKA_VALUE     CK_Bytes // Key value (arbitrary length)
	CKA_VALUE_LEN CK_ULONG // Length in bytes of key value
}

type Pkcs11Config

// Pkcs11Config configures a Pkcs11Provider (see NewPkcs11Provider).
type Pkcs11Config struct {
	// DriverPath is the path of the PKCS#11 module to use. NOTE(review): if the
	// provider loads this as a shared library, the path is trusted as code —
	// it should not be taken from untrusted input.
	DriverPath string
}

type Pkcs11KeyPair

// Pkcs11KeyPair is a key pair held on a PKCS#11 token. It implements the
// keystores.KeyPair operations listed below (Sign, Verify, Decrypt, ECDH,
// Attestation, ExportPrivate, Destroy, label and usage accessors). Its fields
// are unexported; instances come from a Pkcs11KeyStore.
type Pkcs11KeyPair struct {
	// contains filtered or unexported fields
}

func (*Pkcs11KeyPair) Algorithm

func (kp *Pkcs11KeyPair) Algorithm() keystores.KeyAlgorithm

func (*Pkcs11KeyPair) Attestation

func (kp *Pkcs11KeyPair) Attestation(nonce []byte) (att keystores.Attestation, err error)

func (*Pkcs11KeyPair) Decrypt

func (kp *Pkcs11KeyPair) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error)

func (*Pkcs11KeyPair) Destroy

func (kp *Pkcs11KeyPair) Destroy() (retErr error)

func (*Pkcs11KeyPair) ECDH

func (kp *Pkcs11KeyPair) ECDH(remote *ecdsa.PublicKey) ([]byte, error)

func (*Pkcs11KeyPair) ExportPrivate

func (kp *Pkcs11KeyPair) ExportPrivate() (privKey crypto.PrivateKey, err error)

func (*Pkcs11KeyPair) Id

func (kp *Pkcs11KeyPair) Id() keystores.KeyPairId

func (*Pkcs11KeyPair) KeyStore

func (kp *Pkcs11KeyPair) KeyStore() keystores.KeyStore

func (*Pkcs11KeyPair) KeyUsage

func (kp *Pkcs11KeyPair) KeyUsage() map[keystores.KeyUsage]bool

func (*Pkcs11KeyPair) Label

func (kp *Pkcs11KeyPair) Label() string

func (*Pkcs11KeyPair) Public

func (kp *Pkcs11KeyPair) Public() crypto.PublicKey

func (*Pkcs11KeyPair) SetLabel

func (kp *Pkcs11KeyPair) SetLabel(label string) error

func (*Pkcs11KeyPair) Sign

func (kp *Pkcs11KeyPair) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

func (*Pkcs11KeyPair) Verify

func (kp *Pkcs11KeyPair) Verify(signature []byte, digest []byte, opts crypto.SignerOpts) (err error)

type Pkcs11KeyStore

// Pkcs11KeyStore is a key store backed by a single PKCS#11 token. It is
// obtained from a Pkcs11Provider (FindKeyStore / KeyStores), must be opened
// with Open before use and released with Close, and exposes the key-pair
// lifecycle methods listed below. Its fields are unexported.
type Pkcs11KeyStore struct {
	// contains filtered or unexported fields
}

func (*Pkcs11KeyStore) Close

func (ks *Pkcs11KeyStore) Close() error

func (*Pkcs11KeyStore) CreateKeyPair

func (ks *Pkcs11KeyStore) CreateKeyPair(opts keystores.GenKeyPairOpts) (keystores.KeyPair, error)

func (*Pkcs11KeyStore) Id

func (ks *Pkcs11KeyStore) Id() string

func (*Pkcs11KeyStore) ImportKeyPair

func (ks *Pkcs11KeyStore) ImportKeyPair(key crypto.PrivateKey, opts keystores.GenKeyPairOpts) (kp keystores.KeyPair, err error)

func (*Pkcs11KeyStore) IsOpen

func (ks *Pkcs11KeyStore) IsOpen() bool

func (*Pkcs11KeyStore) KeyPairById

func (ks *Pkcs11KeyStore) KeyPairById(id keystores.KeyPairId) keystores.KeyPair

func (*Pkcs11KeyStore) KeyPairs

func (ks *Pkcs11KeyStore) KeyPairs(reload bool) (keyPairs map[keystores.KeyPairId]keystores.KeyPair, retErr error)

func (*Pkcs11KeyStore) Name

func (ks *Pkcs11KeyStore) Name() string

func (*Pkcs11KeyStore) Open

func (ks *Pkcs11KeyStore) Open() error

func (*Pkcs11KeyStore) Reload

func (ks *Pkcs11KeyStore) Reload() error

func (*Pkcs11KeyStore) SupportedPrivateKeyAlgorithms

func (ks *Pkcs11KeyStore) SupportedPrivateKeyAlgorithms() []keystores.KeyAlgorithm

type Pkcs11Provider

// Pkcs11Provider wraps a PKCS#11 module (configured by Pkcs11Config) and
// enumerates the key stores (tokens) it exposes. Construct it with
// NewPkcs11Provider, call Open before use and Close when done.
type Pkcs11Provider struct {
	// PINAuthenticator is called when a PIN is needed for the token described
	// by keystoreDesc (and key keyDesc, when relevant) and returns the PIN or
	// an error. isSO presumably selects the Security Officer PIN rather than
	// the user PIN — confirm against the caller. The returned string is a
	// secret: the implementation should not log or cache it carelessly.
	PINAuthenticator func(keystoreDesc string, keyDesc string, isSO bool) (string, error)
	// contains filtered or unexported fields
}

func NewPkcs11Provider

func NewPkcs11Provider(config Pkcs11Config) *Pkcs11Provider

func (*Pkcs11Provider) Close

func (p *Pkcs11Provider) Close() error

func (*Pkcs11Provider) FindKeyStore

func (p *Pkcs11Provider) FindKeyStore(tokenLabel string, tokenSerial string) (*Pkcs11KeyStore, error)

func (*Pkcs11Provider) IsOpen

func (p *Pkcs11Provider) IsOpen() bool

func (*Pkcs11Provider) KeyStores

func (p *Pkcs11Provider) KeyStores() ([]keystores.KeyStore, error)

func (*Pkcs11Provider) Open

func (p *Pkcs11Provider) Open() error

type Pkcs11Session

// Pkcs11Session represents a session with a PKCS#11 token. Its fields are
// unexported and it is managed internally by the key store.
type Pkcs11Session struct {
	// contains filtered or unexported fields
}

type Pkcs11TrustedCert

// Pkcs11TrustedCert is a placeholder for a trusted certificate object stored on
// a token; it currently has no fields.
type Pkcs11TrustedCert struct {
}

type RSAPrivateKeyAttributes

// RSAPrivateKeyAttributes holds the attributes of an RSA private key object.
// CKA_MODULUS and CKA_PUBLIC_EXPONENT are public; CKA_PRIVATE_EXPONENT,
// CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2 and CKA_COEFFICIENT
// are the secret half of the key and must be handled as key material when
// populated (they are nil CK_BigInt values when absent).
type RSAPrivateKeyAttributes struct {
	CommonPrivateKeyAttributes
	CKA_MODULUS          CK_BigInt // Modulus n
	CKA_PUBLIC_EXPONENT  CK_BigInt // Public exponent e
	CKA_PRIVATE_EXPONENT CK_BigInt // Private exponent d
	CKA_PRIME_1          CK_BigInt // Prime p
	CKA_PRIME_2          CK_BigInt // Prime q
	CKA_EXPONENT_1       CK_BigInt // Private exponent d modulo p-1
	CKA_EXPONENT_2       CK_BigInt // Private exponent d modulo q-1
	CKA_COEFFICIENT      CK_BigInt // CRT coefficient 1/q mod p
}

type RSAPublicKeyAttributes

// RSAPublicKeyAttributes holds the attributes of an RSA public key object:
// the modulus, its bit length and the public exponent.
type RSAPublicKeyAttributes struct {
	CommonPublicKeyAttributes
	CKA_MODULUS         CK_BigInt // Modulus n
	CKA_MODULUS_BITS    CK_ULONG  // Length in bits of modulus n
	CKA_PUBLIC_EXPONENT CK_BigInt // Public exponent e
}
