README

genpki

Simple utility to create a PKI for a contentsignaturepki signer.

It supports both SoftHSM and local key generation, but softhsm being the default. Use -no-hsm to create key in regular files instead.

Example

SoftHSM


First initialize a softhsm environment with

```bash
mkdir -p /var/lib/softhsm/tokens
softhsm2-util --init-token --slot 0 --label test --pin 0000 --so-pin 0000
```      

The configuration for how to talk to softhsm is kept in genpki.go
```go
p11Ctx, err := crypto11.Configure(&crypto11.PKCS11Config{
    Path:       "/usr/lib/softhsm/libsofthsm2.so",
    TokenLabel: "test",
    Pin:        "0000",
})
```

Then run the `genpki` tool. Genpki outputs the label of the root and intermediate keys in the HSM, and writes their public certificates to temp files.

```bash
$ go run genpki.go
2019/02/22 12:09:07 Using HSM on slot 1623786617
root key name: csroot1550855347
root cert path: /tmp/csrootcert097998013
inter key name: csinter1550855347
inter cert path: /tmp/csintercert802092792
```

The corresponding autograph configuration would be
```yaml
  - id: foo
    type: contentsignaturepki
    validity: 708h
    clockskewtolerance: 720h
    chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
    x5u: https://s3.amazonaws.com/net-mozaws-dev-content-signature/chains/
    privatekey: csinter1550855347
    publickey: CONTENT_OF_/tmp/csintercert802092792
    cacert: CONTENT_OF_/tmp/csrootcert097998013
```

Local (No HSM)

With the -no-hsm flag set, genpki would write the private keys of the root CA and intermediate issuer to temp files instead. The private key of the intermediate issuer can then be added to the autograph privatekey signer configuration (instead of referencing the label of the key in the HSM).

$ go run genpki.go -no-hsm
[...]
root privkey path: /tmp/csrootkey339824548
inter privkey path: /tmp/csinterkey276780723

The corresponding autograph configuration would be

  - id: foo
    type: contentsignaturepki
    validity: 708h
    clockskewtolerance: 720h
    chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
    x5u: https://s3.amazonaws.com/net-mozaws-dev-content-signature/chains/
    privatekey: CONTENT_OF_/tmp/csinterkey276780723
    publickey: CONTENT_OF_/tmp/csintercert802092792
    cacert: CONTENT_OF_/tmp/csrootcert097998013
Expand ▾ Collapse ▴

Documentation

The Go Gopher

There is no documentation for this package.

Source Files