2022-11-29 19:12:04 +00:00
|
|
|
# CAcert signer
|
2022-04-20 07:04:24 +00:00
|
|
|
|
2022-11-29 19:12:04 +00:00
|
|
|
This is the CAcert signer reimplementation in Go that implements a more robust wire protocol and has configurable
|
|
|
|
support for hardware security modules (HSMs) for online and offline key pairs.
|
|
|
|
|
|
|
|
See [the design document](docs/design.md) for design considerations and architecture diagrams.
|
|
|
|
|
|
|
|
## Development preconditions
|
|
|
|
|
|
|
|
You will need GNU make to build the application. On Debian systems you can install GNU make and crossbuild tools
|
|
|
|
for ARM binary builds using:
|
|
|
|
|
|
|
|
```shell
|
|
|
|
sudo apt install make crossbuild-essential-arm64 crossbuild-essential-armhf
|
|
|
|
```
|
|
|
|
|
|
|
|
Install [go](https://go.dev/) >= 1.17, [golangci-lint](https://golangci-lint.run/usage/install/) >= 1.50.0 and
|
|
|
|
[goreleaser](https://goreleaser.com/install/), as these are used for building and linting the application.
|
|
|
|
|
|
|
|
Read the documentation of these tools, to find out how to use them.
|
|
|
|
|
|
|
|
## Building the binaries
|
|
|
|
|
|
|
|
There is a `Makefile` to automate builds of the signer and clientsim binaries. Run
|
|
|
|
|
|
|
|
```shell
|
|
|
|
make
|
|
|
|
```
|
|
|
|
|
|
|
|
to run linting, tests and binary builds.
|
|
|
|
|
|
|
|
## Running with softhsm2
|
|
|
|
|
|
|
|
### Setup HSM keys and certificates
|
2022-04-13 06:30:20 +00:00
|
|
|
|
2022-08-03 12:38:36 +00:00
|
|
|
```shell
|
2022-04-20 07:04:24 +00:00
|
|
|
sudo apt install softhsm2
|
2022-04-13 06:30:20 +00:00
|
|
|
umask 077
|
|
|
|
mkdir -p ~/.config/softhsm2/tokens
|
|
|
|
echo "directories.tokendir = $HOME/.config/softhsm2/tokens/" > ~/.config/softhsm2/softhsm2.conf
|
2022-04-20 07:04:24 +00:00
|
|
|
cp docs/config.sample.yaml config.yaml
|
|
|
|
# modify config.yaml to fit your needs
|
2022-04-13 06:30:20 +00:00
|
|
|
softhsm2-util --init-token --free --label localhsm --so-pin 47110815 --pin 123456
|
2022-04-20 07:04:24 +00:00
|
|
|
# initialize the keys
|
|
|
|
export PKCS11_PIN_LOCALHSM=123456
|
|
|
|
go run ./cmd/signer -setup
|
|
|
|
```
|
|
|
|
|
2022-11-29 19:12:04 +00:00
|
|
|
### Run the signer
|
2022-04-20 07:04:24 +00:00
|
|
|
|
2022-08-03 12:38:36 +00:00
|
|
|
```shell
|
2022-04-20 07:04:24 +00:00
|
|
|
export PKCS11_PIN_LOCALHSM=123456
|
|
|
|
go run ./cmd/signer
|
2022-04-13 06:30:20 +00:00
|
|
|
```
|
2022-08-03 12:38:36 +00:00
|
|
|
|
2022-11-29 19:12:04 +00:00
|
|
|
### Run the client simulator with socat
|
2022-08-03 12:38:36 +00:00
|
|
|
|
|
|
|
You may run the client simulator that sends commands via `stdout` and reads responses on `stdin` via `socat` to
|
|
|
|
simulate traffic on an emulated serial device:
|
|
|
|
|
|
|
|
```shell
|
|
|
|
sudo apt install socat
|
|
|
|
```
|
|
|
|
|
|
|
|
```shell
|
2022-11-29 19:12:04 +00:00
|
|
|
make clientsim
|
2022-08-03 12:38:36 +00:00
|
|
|
socat -d -d -v pty,rawer,link=$(pwd)/testPty EXEC:./clientsim,pty,rawer
|
|
|
|
```
|
|
|
|
|
|
|
|
You will need to configure `$(pwd)/testPty` as `serial`/`device` in your `config.yaml` to let the signer command find
|
|
|
|
the emulated serial device.
|