cacert-gosigner/pkg/hsm/setup.go

package hsm

import (
	"log"

	"git.cacert.org/cacert-gosigner/pkg/config"
	"github.com/ThalesIgnite/crypto11"
)

func EnsureCAKeysAndCertificates(p11Context *crypto11.Context, conf *config.SignerConfig) error {
	var err error

	for _, root := range conf.CAs {
		root.Certificate, root.KeyPair, err = GetRootCACertificate(p11Context, conf.Global, root)
		if err != nil {
			return err
		}

		log.Printf("got root CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
			root.Certificate.Subject,
			root.Certificate.Issuer,
			root.Certificate.NotBefore,
			root.Certificate.NotAfter,
			root.Certificate.SerialNumber)

		for _, intermediary := range root.SubCAs {
			err := setupIntermediaries(p11Context, conf.Global, intermediary, root)
			if err != nil {
				return err
			}
		}
	}

	return nil
}

func setupIntermediaries(p11Context *crypto11.Context, settings *config.Settings, intermediary, parent *config.CaCertificateEntry) error {
	var err error

	intermediary.Parent = parent

	intermediary.Certificate, intermediary.KeyPair, err = GetIntermediaryCACertificate(p11Context, settings, intermediary)
	if err != nil {
		return err
	}

	log.Printf("got intermediary CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
		intermediary.Certificate.Subject,
		intermediary.Certificate.Issuer,
		intermediary.Certificate.NotBefore,
		intermediary.Certificate.NotAfter,
		intermediary.Certificate.SerialNumber)

	for _, sub := range intermediary.SubCAs {
		err := setupIntermediaries(p11Context, settings, sub, intermediary)
		if err != nil {
			return err
		}
	}

	return nil
}
Implement configuration and CA hierarchy setup This commit implements a mechanism to load CA configuration dynamically from JSON files. Missing keys and certificates can be generated in a PKCS#11 HSM or Smartcard. Certificates are stored as PEM encoded .crt files in the filesystem. The default PKCS#11 module (softhsm2) is now loaded from a platform specific path using go:build comments. 2022-04-16 20:24:32 +00:00			`package hsm`

			`import (`
			`"log"`

			`"git.cacert.org/cacert-gosigner/pkg/config"`
			`"github.com/ThalesIgnite/crypto11"`
			`)`

			`func EnsureCAKeysAndCertificates(p11Context crypto11.Context, conf config.SignerConfig) error {`
			`var err error`

			`for _, root := range conf.CAs {`
			`root.Certificate, root.KeyPair, err = GetRootCACertificate(p11Context, conf.Global, root)`
			`if err != nil {`
			`return err`
			`}`

			`log.Printf("got root CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",`
			`root.Certificate.Subject,`
			`root.Certificate.Issuer,`
			`root.Certificate.NotBefore,`
			`root.Certificate.NotAfter,`
			`root.Certificate.SerialNumber)`

			`for _, intermediary := range root.SubCAs {`
			`err := setupIntermediaries(p11Context, conf.Global, intermediary, root)`
			`if err != nil {`
			`return err`
			`}`
			`}`
			`}`

			`return nil`
			`}`

			`func setupIntermediaries(p11Context crypto11.Context, settings config.Settings, intermediary, parent *config.CaCertificateEntry) error {`
			`var err error`

			`intermediary.Parent = parent`

			`intermediary.Certificate, intermediary.KeyPair, err = GetIntermediaryCACertificate(p11Context, settings, intermediary)`
			`if err != nil {`
			`return err`
			`}`

			`log.Printf("got intermediary CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",`
			`intermediary.Certificate.Subject,`
			`intermediary.Certificate.Issuer,`
			`intermediary.Certificate.NotBefore,`
			`intermediary.Certificate.NotAfter,`
			`intermediary.Certificate.SerialNumber)`

			`for _, sub := range intermediary.SubCAs {`
			`err := setupIntermediaries(p11Context, settings, sub, intermediary)`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`