Refactor HSM setup
- create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access
This commit is contained in:
parent
7acec714e3
commit
0d69a9013d
10 changed files with 226 additions and 244 deletions
|
|
@ -40,11 +40,13 @@ func main() {
|
|||
var (
|
||||
showVersion, setupMode, verbose bool
|
||||
signerConfigFile string
|
||||
infoLog, errorLog *log.Logger
|
||||
)
|
||||
|
||||
log.SetFlags(log.Ldate | log.Lmicroseconds | log.LUTC)
|
||||
infoLog = log.New(os.Stdout, "INFO ", log.Ldate|log.Lmicroseconds|log.LUTC)
|
||||
errorLog = log.New(os.Stderr, "ERROR ", log.Ldate|log.Lmicroseconds|log.LUTC)
|
||||
|
||||
log.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date)
|
||||
infoLog.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date)
|
||||
|
||||
flag.StringVar(&signerConfigFile, "config", defaultSignerConfigFile, "signer configuration file")
|
||||
flag.BoolVar(&showVersion, "version", false, "show version")
|
||||
|
|
@ -59,20 +61,20 @@ func main() {
|
|||
|
||||
configFile, err := os.Open(signerConfigFile)
|
||||
if err != nil {
|
||||
log.Fatalf("could not open signer configuration file %s: %v", signerConfigFile, err)
|
||||
errorLog.Fatalf("could not open signer configuration file %s: %v", signerConfigFile, err)
|
||||
}
|
||||
|
||||
opts := make([]hsm.ConfigOption, 0)
|
||||
|
||||
caConfig, err := config.LoadConfiguration(configFile)
|
||||
if err != nil {
|
||||
log.Fatalf("could not load CA hierarchy: %v", err)
|
||||
errorLog.Fatalf("could not load CA hierarchy: %v", err)
|
||||
}
|
||||
|
||||
opts = append(opts, hsm.CaConfigOption(caConfig))
|
||||
|
||||
if setupMode {
|
||||
log.Print("running in setup mode")
|
||||
infoLog.Print("running in setup mode")
|
||||
|
||||
opts = append(opts, hsm.SetupModeOption())
|
||||
}
|
||||
|
|
@ -81,16 +83,19 @@ func main() {
|
|||
opts = append(opts, hsm.VerboseLoggingOption())
|
||||
}
|
||||
|
||||
ctx := hsm.SetupContext(opts...)
|
||||
|
||||
err = hsm.EnsureCAKeysAndCertificates(ctx)
|
||||
acc, err := hsm.NewAccess(infoLog, opts...)
|
||||
if err != nil {
|
||||
log.Fatalf("could not ensure CA keys and certificates exist: %v", err)
|
||||
errorLog.Fatalf("could not setup HSM access: %v", err)
|
||||
}
|
||||
|
||||
err = acc.EnsureCAKeysAndCertificates()
|
||||
if err != nil {
|
||||
errorLog.Fatalf("could not ensure CA keys and certificates exist: %v", err)
|
||||
}
|
||||
|
||||
if setupMode {
|
||||
return
|
||||
}
|
||||
|
||||
log.Print("setup complete, starting signer operation")
|
||||
infoLog.Print("setup complete, starting signer operation")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -239,7 +239,16 @@ func (c *SignerConfig) GetParentCA(label string) (*CaCertificateEntry, error) {
|
|||
return nil, fmt.Errorf("CA %s is a root CA and has no parent", label)
|
||||
}
|
||||
|
||||
return c.caMap[entry.Parent], nil
|
||||
if entry.Parent == "" {
|
||||
return nil, fmt.Errorf("parent for %s is empty", label)
|
||||
}
|
||||
|
||||
parent, ok := c.caMap[entry.Parent]
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("parent %s for %s not found in signer config", entry.Parent, label)
|
||||
}
|
||||
|
||||
return parent, nil
|
||||
}
|
||||
|
||||
// RootCAs returns the labels of all configured root CAs
|
||||
|
|
|
|||
|
|
@ -18,8 +18,6 @@ limitations under the License.
|
|||
package hsm
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/ThalesIgnite/crypto11"
|
||||
|
|
@ -27,111 +25,72 @@ import (
|
|||
"git.cacert.org/cacert-gosigner/pkg/config"
|
||||
)
|
||||
|
||||
type ctxKey int
|
||||
type ConfigOption func(a *Access)
|
||||
|
||||
const (
|
||||
ctxCADirectory ctxKey = iota
|
||||
ctxP11Contexts
|
||||
ctxSetupMode
|
||||
ctxSignerConfig
|
||||
ctxVerboseLogging
|
||||
)
|
||||
|
||||
type ConfigOption func(ctx context.Context) context.Context
|
||||
|
||||
func CADirectoryOption(path string) func(ctx context.Context) context.Context {
|
||||
return func(ctx context.Context) context.Context {
|
||||
return context.WithValue(ctx, ctxCADirectory, path)
|
||||
func CADirectoryOption(path string) func(a *Access) {
|
||||
return func(a *Access) {
|
||||
a.caDirectory = path
|
||||
}
|
||||
}
|
||||
|
||||
func CaConfigOption(signerConfig *config.SignerConfig) func(context.Context) context.Context {
|
||||
return func(ctx context.Context) context.Context {
|
||||
return context.WithValue(ctx, ctxSignerConfig, signerConfig)
|
||||
func CaConfigOption(signerConfig *config.SignerConfig) func(a *Access) {
|
||||
return func(a *Access) {
|
||||
a.signerConfig = signerConfig
|
||||
}
|
||||
}
|
||||
|
||||
func SetupModeOption() func(context.Context) context.Context {
|
||||
return func(ctx context.Context) context.Context {
|
||||
return context.WithValue(ctx, ctxSetupMode, true)
|
||||
func SetupModeOption() func(a *Access) {
|
||||
return func(a *Access) {
|
||||
a.setupMode = true
|
||||
}
|
||||
}
|
||||
|
||||
func VerboseLoggingOption() func(ctx context.Context) context.Context {
|
||||
return func(ctx context.Context) context.Context {
|
||||
return context.WithValue(ctx, ctxVerboseLogging, true)
|
||||
func VerboseLoggingOption() func(a *Access) {
|
||||
return func(a *Access) {
|
||||
a.verbose = true
|
||||
}
|
||||
}
|
||||
|
||||
// SetupContext sets global context for HSM operations.
|
||||
func SetupContext(options ...ConfigOption) context.Context {
|
||||
ctx := context.Background()
|
||||
|
||||
ctx = context.WithValue(ctx, ctxP11Contexts, make(map[string]*crypto11.Context))
|
||||
// setupContext sets global context for HSM operations.
|
||||
func (a *Access) setupContext(options ...ConfigOption) {
|
||||
a.p11Contexts = make(map[string]*crypto11.Context)
|
||||
|
||||
for _, opt := range options {
|
||||
ctx = opt(ctx)
|
||||
opt(a)
|
||||
}
|
||||
|
||||
return ctx
|
||||
}
|
||||
|
||||
func GetSignerConfig(ctx context.Context) *config.SignerConfig {
|
||||
signerConfig, ok := ctx.Value(ctxSignerConfig).(*config.SignerConfig)
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
|
||||
return signerConfig
|
||||
func (a *Access) GetSignerConfig() *config.SignerConfig {
|
||||
return a.signerConfig
|
||||
}
|
||||
|
||||
func IsSetupMode(ctx context.Context) bool {
|
||||
setupMode, ok := ctx.Value(ctxSetupMode).(bool)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
|
||||
return setupMode
|
||||
func (a *Access) IsSetupMode() bool {
|
||||
return a.setupMode
|
||||
}
|
||||
|
||||
func IsVerbose(ctx context.Context) bool {
|
||||
verbose, ok := ctx.Value(ctxVerboseLogging).(bool)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
|
||||
return verbose
|
||||
func (a *Access) IsVerbose() bool {
|
||||
return a.verbose
|
||||
}
|
||||
|
||||
func GetP11Context(ctx context.Context, entry *config.CaCertificateEntry) (*crypto11.Context, error) {
|
||||
contexts, ok := ctx.Value(ctxP11Contexts).(map[string]*crypto11.Context)
|
||||
if !ok {
|
||||
return nil, errors.New("type assertion failed, use hsm.SetupContext first")
|
||||
}
|
||||
|
||||
if p11Context, ok := contexts[entry.Storage]; ok {
|
||||
func (a *Access) GetP11Context(entry *config.CaCertificateEntry) (*crypto11.Context, error) {
|
||||
if p11Context, ok := a.p11Contexts[entry.Storage]; ok {
|
||||
return p11Context, nil
|
||||
}
|
||||
|
||||
p11Context, err := prepareCrypto11Context(ctx, entry.Storage)
|
||||
p11Context, err := a.prepareCrypto11Context(entry.Storage)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
contexts[entry.Storage] = p11Context
|
||||
a.p11Contexts[entry.Storage] = p11Context
|
||||
|
||||
return p11Context, nil
|
||||
}
|
||||
|
||||
func CloseP11Contexts(ctx context.Context) error {
|
||||
contexts, ok := ctx.Value(ctxP11Contexts).(map[string]*crypto11.Context)
|
||||
if !ok {
|
||||
return errors.New("type assertion failed, use hsm.SetupContext first")
|
||||
}
|
||||
|
||||
func (a *Access) CloseP11Contexts() error {
|
||||
seen := make(map[*crypto11.Context]struct{}, 0)
|
||||
|
||||
for _, p11Context := range contexts {
|
||||
for _, p11Context := range a.p11Contexts {
|
||||
if _, ok := seen[p11Context]; ok {
|
||||
continue
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,8 +18,8 @@ limitations under the License.
|
|||
package hsm_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path"
|
||||
|
|
@ -36,67 +36,72 @@ import (
|
|||
func TestCaConfigOption(t *testing.T) {
|
||||
testSignerConfig := config.SignerConfig{}
|
||||
|
||||
ctx := hsm.SetupContext(hsm.CaConfigOption(&testSignerConfig))
|
||||
access, err := hsm.NewAccess(log.Default(), hsm.CaConfigOption(&testSignerConfig))
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.Equal(t, &testSignerConfig, hsm.GetSignerConfig(ctx))
|
||||
assert.Equal(t, &testSignerConfig, access.GetSignerConfig())
|
||||
}
|
||||
|
||||
func TestGetSignerConfig_empty(t *testing.T) {
|
||||
ctx := hsm.SetupContext()
|
||||
access, err := hsm.NewAccess(log.Default())
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.Nil(t, hsm.GetSignerConfig(ctx))
|
||||
assert.Nil(t, access.GetSignerConfig())
|
||||
}
|
||||
|
||||
func TestSetupModeOption(t *testing.T) {
|
||||
ctx := hsm.SetupContext(hsm.SetupModeOption())
|
||||
access, err := hsm.NewAccess(log.Default(), hsm.SetupModeOption())
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.True(t, hsm.IsSetupMode(ctx))
|
||||
assert.True(t, access.IsSetupMode())
|
||||
}
|
||||
|
||||
func TestIsSetupMode_not_set(t *testing.T) {
|
||||
ctx := hsm.SetupContext()
|
||||
access, err := hsm.NewAccess(log.Default())
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.False(t, hsm.IsSetupMode(ctx))
|
||||
assert.False(t, access.IsSetupMode())
|
||||
}
|
||||
|
||||
func TestVerboseLoggingOption(t *testing.T) {
|
||||
ctx := hsm.SetupContext(hsm.VerboseLoggingOption())
|
||||
access, err := hsm.NewAccess(log.Default(), hsm.VerboseLoggingOption())
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.True(t, hsm.IsVerbose(ctx))
|
||||
assert.True(t, access.IsVerbose())
|
||||
}
|
||||
|
||||
func TestIsVerbose_not_set(t *testing.T) {
|
||||
ctx := hsm.SetupContext()
|
||||
access, err := hsm.NewAccess(log.Default())
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.False(t, hsm.IsVerbose(ctx))
|
||||
assert.False(t, access.IsVerbose())
|
||||
}
|
||||
|
||||
func TestSetupContext(t *testing.T) {
|
||||
testConfig := setupSignerConfig(t)
|
||||
|
||||
ctx := hsm.SetupContext(hsm.SetupModeOption(), hsm.VerboseLoggingOption(), hsm.CaConfigOption(testConfig))
|
||||
access, err := hsm.NewAccess(
|
||||
log.Default(),
|
||||
hsm.SetupModeOption(),
|
||||
hsm.VerboseLoggingOption(),
|
||||
hsm.CaConfigOption(testConfig),
|
||||
)
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.True(t, hsm.IsSetupMode(ctx))
|
||||
assert.True(t, hsm.IsVerbose(ctx))
|
||||
assert.Equal(t, hsm.GetSignerConfig(ctx), testConfig)
|
||||
}
|
||||
|
||||
func TestGetP11Context_missing_SetupContext(t *testing.T) {
|
||||
p11Context, err := hsm.GetP11Context(context.Background(), &config.CaCertificateEntry{Storage: "default"})
|
||||
|
||||
assert.Error(t, err)
|
||||
assert.ErrorContains(t, err, "type assertion failed, use hsm.SetupContext first")
|
||||
assert.Nil(t, p11Context)
|
||||
assert.True(t, access.IsSetupMode())
|
||||
assert.True(t, access.IsVerbose())
|
||||
assert.Equal(t, access.GetSignerConfig(), testConfig)
|
||||
}
|
||||
|
||||
func TestGetP11Context_unknown_storage(t *testing.T) {
|
||||
testConfig := setupSignerConfig(t)
|
||||
|
||||
ctx := hsm.SetupContext(hsm.SetupModeOption(), hsm.CaConfigOption(testConfig))
|
||||
access, err := hsm.NewAccess(log.Default(), hsm.SetupModeOption(), hsm.CaConfigOption(testConfig))
|
||||
assert.NoError(t, err)
|
||||
|
||||
definition := &config.CaCertificateEntry{Storage: "undefined"}
|
||||
|
||||
p11Context, err := hsm.GetP11Context(ctx, definition)
|
||||
p11Context, err := access.GetP11Context(definition)
|
||||
|
||||
assert.Error(t, err)
|
||||
assert.ErrorContains(t, err, "key storage undefined not available")
|
||||
|
|
@ -109,13 +114,14 @@ func TestGetP11Context_wrong_pin(t *testing.T) {
|
|||
|
||||
t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "wrongpin")
|
||||
|
||||
ctx := hsm.SetupContext(hsm.CaConfigOption(testConfig))
|
||||
access, err := hsm.NewAccess(log.Default(), hsm.CaConfigOption(testConfig))
|
||||
assert.NoError(t, err)
|
||||
|
||||
definition, err := testConfig.GetCADefinition("root")
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = hsm.GetP11Context(ctx, definition)
|
||||
_, err = access.GetP11Context(definition)
|
||||
|
||||
assert.ErrorContains(t, err, "could not configure PKCS#11 library")
|
||||
}
|
||||
|
|
@ -124,13 +130,14 @@ func TestGetP11Context_no_pin(t *testing.T) {
|
|||
testConfig := setupSignerConfig(t)
|
||||
setupSoftHsm(t)
|
||||
|
||||
ctx := hsm.SetupContext(hsm.CaConfigOption(testConfig))
|
||||
access, err := hsm.NewAccess(log.Default(), hsm.CaConfigOption(testConfig))
|
||||
assert.NoError(t, err)
|
||||
|
||||
definition, err := testConfig.GetCADefinition("root")
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = hsm.GetP11Context(ctx, definition)
|
||||
_, err = access.GetP11Context(definition)
|
||||
|
||||
assert.ErrorContains(t, err, "stdin is not a terminal")
|
||||
}
|
||||
|
|
@ -141,25 +148,26 @@ func TestGetP11Context(t *testing.T) {
|
|||
|
||||
t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")
|
||||
|
||||
ctx := hsm.SetupContext(hsm.CaConfigOption(testConfig))
|
||||
access, err := hsm.NewAccess(log.Default(), hsm.CaConfigOption(testConfig))
|
||||
assert.NoError(t, err)
|
||||
|
||||
definition, err := testConfig.GetCADefinition("root")
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
p11Context1, err := hsm.GetP11Context(ctx, definition)
|
||||
|
||||
p11Context1, err := access.GetP11Context(definition)
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.NotNil(t, p11Context1)
|
||||
|
||||
p11Context2, err := hsm.GetP11Context(ctx, definition)
|
||||
p11Context2, err := access.GetP11Context(definition)
|
||||
assert.NoError(t, err)
|
||||
|
||||
t.Cleanup(func() {
|
||||
err := hsm.CloseP11Contexts(ctx)
|
||||
err := access.CloseP11Contexts()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, p11Context1)
|
||||
assert.Equal(t, p11Context1, p11Context2)
|
||||
}
|
||||
|
|
@ -212,10 +220,10 @@ func setupSignerConfig(t *testing.T) *config.SignerConfig {
|
|||
func setupSoftHsm(t *testing.T) {
|
||||
t.Helper()
|
||||
|
||||
tempdir := t.TempDir()
|
||||
tempDir := t.TempDir()
|
||||
|
||||
tokenDir := path.Join(tempdir, "tokens")
|
||||
softhsmConfig := path.Join(tempdir, "softhsm2.conf")
|
||||
tokenDir := path.Join(tempDir, "tokens")
|
||||
softhsmConfig := path.Join(tempDir, "softhsm2.conf")
|
||||
|
||||
err := os.Mkdir(tokenDir, 0o700)
|
||||
|
||||
|
|
@ -241,10 +249,3 @@ func setupSoftHsm(t *testing.T) {
|
|||
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
||||
func TestCloseP11Contexts_without_setup(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
err := hsm.CloseP11Contexts(ctx)
|
||||
|
||||
assert.ErrorContains(t, err, "type assertion failed, use hsm.SetupContext first")
|
||||
}
|
||||
|
|
|
|||
124
pkg/hsm/hsm.go
124
pkg/hsm/hsm.go
|
|
@ -19,7 +19,6 @@ limitations under the License.
|
|||
package hsm
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/rand"
|
||||
|
|
@ -54,25 +53,34 @@ type caFile struct {
|
|||
label string
|
||||
}
|
||||
|
||||
func (c *caFile) buildCertificatePath(ctx context.Context) (string, error) {
|
||||
fileName := c.sc.CertificateFileName(c.label)
|
||||
|
||||
caDir := ctx.Value(ctxCADirectory)
|
||||
|
||||
if caDir != nil {
|
||||
caPath, ok := caDir.(string)
|
||||
if !ok {
|
||||
return "", errors.New("context object CA directory is not a string")
|
||||
}
|
||||
|
||||
return path.Join(caPath, fileName), nil
|
||||
}
|
||||
|
||||
return fileName, nil
|
||||
type Access struct {
|
||||
infoLog *log.Logger
|
||||
caDirectory string
|
||||
signerConfig *config.SignerConfig
|
||||
p11Contexts map[string]*crypto11.Context
|
||||
setupMode bool
|
||||
verbose bool
|
||||
}
|
||||
|
||||
func (c *caFile) loadCertificate(ctx context.Context) (*x509.Certificate, error) {
|
||||
certFile, err := c.buildCertificatePath(ctx)
|
||||
func NewAccess(infoLog *log.Logger, options ...ConfigOption) (*Access, error) {
|
||||
access := &Access{infoLog: infoLog}
|
||||
access.setupContext(options...)
|
||||
|
||||
return access, nil
|
||||
}
|
||||
|
||||
func (c *caFile) buildCertificatePath(caDirectory string) (string, error) {
|
||||
fileName := c.sc.CertificateFileName(c.label)
|
||||
|
||||
if caDirectory == "" {
|
||||
return "", errors.New("CA directory is not set")
|
||||
}
|
||||
|
||||
return path.Join(caDirectory, fileName), nil
|
||||
}
|
||||
|
||||
func (c *caFile) loadCertificate(caDirectory string) (*x509.Certificate, error) {
|
||||
certFile, err := c.buildCertificatePath(caDirectory)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -112,8 +120,8 @@ func (c *caFile) loadCertificate(ctx context.Context) (*x509.Certificate, error)
|
|||
return certificate, nil
|
||||
}
|
||||
|
||||
func (c *caFile) storeCertificate(ctx context.Context, certificate []byte) error {
|
||||
certFile, err := c.buildCertificatePath(ctx)
|
||||
func (c *caFile) storeCertificate(caDirectory string, certificate []byte) error {
|
||||
certFile, err := c.buildCertificatePath(caDirectory)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -126,13 +134,13 @@ func (c *caFile) storeCertificate(ctx context.Context, certificate []byte) error
|
|||
return nil
|
||||
}
|
||||
|
||||
func GetRootCACertificate(ctx context.Context, label string) (*x509.Certificate, error) {
|
||||
func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
|
||||
var (
|
||||
certificate *x509.Certificate
|
||||
keyPair crypto.Signer
|
||||
)
|
||||
|
||||
sc := GetSignerConfig(ctx)
|
||||
sc := a.GetSignerConfig()
|
||||
|
||||
caCert, err := sc.GetCADefinition(label)
|
||||
if err != nil {
|
||||
|
|
@ -145,37 +153,39 @@ func GetRootCACertificate(ctx context.Context, label string) (*x509.Certificate,
|
|||
|
||||
caFile := &caFile{sc: sc, label: label}
|
||||
|
||||
certificate, err = caFile.loadCertificate(ctx)
|
||||
certificate, err = caFile.loadCertificate(a.caDirectory)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if certificate != nil && !IsSetupMode(ctx) {
|
||||
if certificate != nil && !a.IsSetupMode() {
|
||||
caCert.Certificate = certificate
|
||||
|
||||
return certificate, nil
|
||||
}
|
||||
|
||||
keyPair, err = getKeyPair(ctx, label, caCert.KeyInfo)
|
||||
keyPair, err = a.getKeyPair(label, caCert.KeyInfo)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if certificate != nil && certificateMatches(certificate, keyPair) {
|
||||
caCert.Certificate, caCert.KeyPair = certificate, keyPair
|
||||
if certificate != nil {
|
||||
err := certificateMatches(certificate, keyPair)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return certificate, nil
|
||||
}
|
||||
|
||||
if !IsSetupMode(ctx) {
|
||||
if !a.IsSetupMode() {
|
||||
return nil, errCertificateGenerationRefused
|
||||
}
|
||||
|
||||
notBefore, notAfter := sc.CalculateValidity(caCert, time.Now())
|
||||
subject := sc.CalculateSubject(caCert)
|
||||
|
||||
certificate, err = generateRootCACertificate(
|
||||
ctx,
|
||||
certificate, err = a.generateRootCACertificate(
|
||||
caFile,
|
||||
keyPair,
|
||||
&x509.Certificate{
|
||||
|
|
@ -194,7 +204,7 @@ func GetRootCACertificate(ctx context.Context, label string) (*x509.Certificate,
|
|||
return nil, err
|
||||
}
|
||||
|
||||
p11Context, err := GetP11Context(ctx, caCert)
|
||||
p11Context, err := a.GetP11Context(caCert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -209,13 +219,13 @@ func GetRootCACertificate(ctx context.Context, label string) (*x509.Certificate,
|
|||
return certificate, nil
|
||||
}
|
||||
|
||||
func GetIntermediaryCACertificate(ctx context.Context, certLabel string) (*x509.Certificate, error) {
|
||||
func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certificate, error) {
|
||||
var (
|
||||
certificate *x509.Certificate
|
||||
keyPair crypto.Signer
|
||||
)
|
||||
|
||||
sc := GetSignerConfig(ctx)
|
||||
sc := a.GetSignerConfig()
|
||||
|
||||
caCert, err := sc.GetCADefinition(certLabel)
|
||||
if err != nil {
|
||||
|
|
@ -229,33 +239,35 @@ func GetIntermediaryCACertificate(ctx context.Context, certLabel string) (*x509.
|
|||
)
|
||||
}
|
||||
|
||||
keyPair, err = getKeyPair(ctx, certLabel, caCert.KeyInfo)
|
||||
keyPair, err = a.getKeyPair(certLabel, caCert.KeyInfo)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
certFile := &caFile{sc: sc, label: certLabel}
|
||||
|
||||
certificate, err = certFile.loadCertificate(ctx)
|
||||
certificate, err = certFile.loadCertificate(a.caDirectory)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if certificate != nil && certificateMatches(certificate, keyPair) {
|
||||
caCert.Certificate, caCert.KeyPair = certificate, keyPair
|
||||
if certificate != nil {
|
||||
err := certificateMatches(certificate, keyPair)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return certificate, nil
|
||||
}
|
||||
|
||||
if !IsSetupMode(ctx) {
|
||||
if !a.IsSetupMode() {
|
||||
return nil, errCertificateGenerationRefused
|
||||
}
|
||||
|
||||
notBefore, notAfter := sc.CalculateValidity(caCert, time.Now())
|
||||
subject := sc.CalculateSubject(caCert)
|
||||
|
||||
certificate, err = generateIntermediaryCACertificate(
|
||||
ctx,
|
||||
certificate, err = a.generateIntermediaryCACertificate(
|
||||
certFile,
|
||||
sc,
|
||||
certLabel,
|
||||
|
|
@ -284,7 +296,7 @@ func GetIntermediaryCACertificate(ctx context.Context, certLabel string) (*x509.
|
|||
return nil, err
|
||||
}
|
||||
|
||||
p11Context, err := GetP11Context(ctx, caCert)
|
||||
p11Context, err := a.GetP11Context(caCert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -299,8 +311,7 @@ func GetIntermediaryCACertificate(ctx context.Context, certLabel string) (*x509.
|
|||
return certificate, nil
|
||||
}
|
||||
|
||||
func generateIntermediaryCACertificate(
|
||||
ctx context.Context,
|
||||
func (a *Access) generateIntermediaryCACertificate(
|
||||
certFile *caFile,
|
||||
config *config.SignerConfig,
|
||||
certLabel string,
|
||||
|
|
@ -340,7 +351,7 @@ func generateIntermediaryCACertificate(
|
|||
Bytes: certBytes,
|
||||
}
|
||||
|
||||
err = certFile.storeCertificate(ctx, pem.EncodeToMemory(certBlock))
|
||||
err = certFile.storeCertificate(a.caDirectory, pem.EncodeToMemory(certBlock))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -367,8 +378,8 @@ func addCertificate(p11Context *crypto11.Context, label string, certificate *x50
|
|||
return nil
|
||||
}
|
||||
|
||||
func getKeyPair(ctx context.Context, label string, keyInfo *config.PrivateKeyInfo) (crypto.Signer, error) {
|
||||
sc := GetSignerConfig(ctx)
|
||||
func (a *Access) getKeyPair(label string, keyInfo *config.PrivateKeyInfo) (crypto.Signer, error) {
|
||||
sc := a.GetSignerConfig()
|
||||
|
||||
cert, err := sc.GetCADefinition(label)
|
||||
if err != nil {
|
||||
|
|
@ -379,7 +390,7 @@ func getKeyPair(ctx context.Context, label string, keyInfo *config.PrivateKeyInf
|
|||
return cert.KeyPair, nil
|
||||
}
|
||||
|
||||
p11Context, err := GetP11Context(ctx, cert)
|
||||
p11Context, err := a.GetP11Context(cert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -393,7 +404,7 @@ func getKeyPair(ctx context.Context, label string, keyInfo *config.PrivateKeyInf
|
|||
return keyPair, nil
|
||||
}
|
||||
|
||||
if !IsSetupMode(ctx) {
|
||||
if !a.IsSetupMode() {
|
||||
return nil, errKeyGenerationRefused
|
||||
}
|
||||
|
||||
|
|
@ -480,8 +491,7 @@ func randomObjectID() ([]byte, error) {
|
|||
return result, nil
|
||||
}
|
||||
|
||||
func generateRootCACertificate(
|
||||
ctx context.Context,
|
||||
func (a *Access) generateRootCACertificate(
|
||||
certFile *caFile,
|
||||
keyPair crypto.Signer,
|
||||
template *x509.Certificate,
|
||||
|
|
@ -514,7 +524,7 @@ func generateRootCACertificate(
|
|||
Bytes: certBytes,
|
||||
}
|
||||
|
||||
if err = certFile.storeCertificate(ctx, pem.EncodeToMemory(certBlock)); err != nil {
|
||||
if err = certFile.storeCertificate(a.caDirectory, pem.EncodeToMemory(certBlock)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
|
@ -538,31 +548,29 @@ func determineSignatureAlgorithm(keyPair crypto.Signer) (x509.SignatureAlgorithm
|
|||
}
|
||||
}
|
||||
|
||||
func certificateMatches(certificate *x509.Certificate, key crypto.Signer) bool {
|
||||
func certificateMatches(certificate *x509.Certificate, key crypto.Signer) error {
|
||||
switch v := certificate.PublicKey.(type) {
|
||||
case *ecdsa.PublicKey:
|
||||
if pub, ok := key.Public().(*ecdsa.PublicKey); ok {
|
||||
if v.Equal(pub) {
|
||||
return true
|
||||
return nil
|
||||
}
|
||||
}
|
||||
case *rsa.PublicKey:
|
||||
if pub, ok := key.Public().(*rsa.PublicKey); ok {
|
||||
if v.Equal(pub) {
|
||||
return true
|
||||
return nil
|
||||
}
|
||||
}
|
||||
default:
|
||||
log.Printf("unsupported public key %v", v)
|
||||
return fmt.Errorf("unsupported public key %v", v)
|
||||
}
|
||||
|
||||
log.Printf(
|
||||
return fmt.Errorf(
|
||||
"public key from certificate does not match private key: %s != %s",
|
||||
certificate.PublicKey,
|
||||
key.Public(),
|
||||
)
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func randomSerialNumber() (*big.Int, error) {
|
||||
|
|
|
|||
|
|
@ -18,15 +18,15 @@ limitations under the License.
|
|||
package hsm_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"log"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.cacert.org/cacert-gosigner/pkg/config"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"git.cacert.org/cacert-gosigner/pkg/config"
|
||||
"git.cacert.org/cacert-gosigner/pkg/hsm"
|
||||
)
|
||||
|
||||
|
|
@ -36,21 +36,22 @@ func TestEnsureCAKeysAndCertificates_not_in_setup_mode(t *testing.T) {
|
|||
|
||||
t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")
|
||||
|
||||
ctx := hsm.SetupContext(
|
||||
acc, err := hsm.NewAccess(log.Default(),
|
||||
hsm.CaConfigOption(testConfig),
|
||||
hsm.CADirectoryOption(t.TempDir()))
|
||||
assert.NoError(t, err)
|
||||
|
||||
err := hsm.EnsureCAKeysAndCertificates(ctx)
|
||||
err = acc.EnsureCAKeysAndCertificates()
|
||||
|
||||
t.Cleanup(func() {
|
||||
err := hsm.CloseP11Contexts(ctx)
|
||||
err := acc.CloseP11Contexts()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
assert.ErrorContains(t, err, "not in setup mode")
|
||||
}
|
||||
|
||||
func prepareSoftHSM(t *testing.T) context.Context {
|
||||
func prepareSoftHSM(t *testing.T) *hsm.Access {
|
||||
t.Helper()
|
||||
|
||||
testConfig := setupSignerConfig(t)
|
||||
|
|
@ -58,25 +59,26 @@ func prepareSoftHSM(t *testing.T) context.Context {
|
|||
|
||||
t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")
|
||||
|
||||
ctx := hsm.SetupContext(
|
||||
acc, err := hsm.NewAccess(log.Default(),
|
||||
hsm.CaConfigOption(testConfig),
|
||||
hsm.SetupModeOption(),
|
||||
hsm.CADirectoryOption(t.TempDir()))
|
||||
assert.NoError(t, err)
|
||||
|
||||
err := hsm.EnsureCAKeysAndCertificates(ctx)
|
||||
err = acc.EnsureCAKeysAndCertificates()
|
||||
|
||||
t.Cleanup(func() {
|
||||
err := hsm.CloseP11Contexts(ctx)
|
||||
err := acc.CloseP11Contexts()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
return ctx
|
||||
return acc
|
||||
}
|
||||
|
||||
func TestGetRootCACertificate(t *testing.T) {
|
||||
ctx := prepareSoftHSM(t)
|
||||
acc := prepareSoftHSM(t)
|
||||
|
||||
testData := map[string]struct {
|
||||
label, errMsg string
|
||||
|
|
@ -96,7 +98,7 @@ func TestGetRootCACertificate(t *testing.T) {
|
|||
|
||||
for name, item := range testData {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
root, err := hsm.GetRootCACertificate(ctx, item.label)
|
||||
root, err := acc.GetRootCACertificate(item.label)
|
||||
|
||||
if item.errMsg != "" {
|
||||
assert.ErrorContains(t, err, item.errMsg)
|
||||
|
|
@ -110,7 +112,7 @@ func TestGetRootCACertificate(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestGetIntermediaryCACertificate(t *testing.T) {
|
||||
ctx := prepareSoftHSM(t)
|
||||
acc := prepareSoftHSM(t)
|
||||
|
||||
testData := map[string]struct {
|
||||
label, errMsg string
|
||||
|
|
@ -130,7 +132,7 @@ func TestGetIntermediaryCACertificate(t *testing.T) {
|
|||
|
||||
for name, item := range testData {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
root, err := hsm.GetIntermediaryCACertificate(ctx, item.label)
|
||||
root, err := acc.GetIntermediaryCACertificate(item.label)
|
||||
|
||||
if item.errMsg != "" {
|
||||
assert.ErrorContains(t, err, item.errMsg)
|
||||
|
|
@ -166,6 +168,7 @@ KeyStorage:
|
|||
type: softhsm
|
||||
label: acme-test-hsm
|
||||
`
|
||||
|
||||
testConfig, err := config.LoadConfiguration(strings.NewReader(testRSASignerConfig))
|
||||
|
||||
require.NoError(t, err)
|
||||
|
|
@ -174,21 +177,22 @@ KeyStorage:
|
|||
|
||||
t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")
|
||||
|
||||
ctx := hsm.SetupContext(
|
||||
acc, err := hsm.NewAccess(
|
||||
log.Default(),
|
||||
hsm.CaConfigOption(testConfig),
|
||||
hsm.SetupModeOption(),
|
||||
hsm.CADirectoryOption(t.TempDir()))
|
||||
assert.NoError(t, err)
|
||||
|
||||
err = hsm.EnsureCAKeysAndCertificates(ctx)
|
||||
err = acc.EnsureCAKeysAndCertificates()
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Cleanup(func() {
|
||||
err := hsm.CloseP11Contexts(ctx)
|
||||
err := acc.CloseP11Contexts()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
root, err := hsm.GetRootCACertificate(ctx, "root")
|
||||
root, err := acc.GetRootCACertificate("root")
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, root)
|
||||
|
|
|
|||
|
|
@ -17,24 +17,19 @@ limitations under the License.
|
|||
|
||||
package hsm
|
||||
|
||||
import (
|
||||
"context"
|
||||
"log"
|
||||
)
|
||||
|
||||
func EnsureCAKeysAndCertificates(ctx context.Context) error {
|
||||
func (a *Access) EnsureCAKeysAndCertificates() error {
|
||||
var label string
|
||||
|
||||
conf := GetSignerConfig(ctx)
|
||||
conf := a.GetSignerConfig()
|
||||
|
||||
for _, label = range conf.RootCAs() {
|
||||
crt, err := GetRootCACertificate(ctx, label)
|
||||
crt, err := a.GetRootCACertificate(label)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if IsVerbose(ctx) {
|
||||
log.Printf(
|
||||
if a.IsVerbose() {
|
||||
a.infoLog.Printf(
|
||||
"found root CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
|
||||
label,
|
||||
crt.Subject,
|
||||
|
|
@ -43,18 +38,18 @@ func EnsureCAKeysAndCertificates(ctx context.Context) error {
|
|||
crt.NotAfter,
|
||||
crt.SerialNumber)
|
||||
} else {
|
||||
log.Printf("found root CA certificate %s: %s", label, crt.Subject.CommonName)
|
||||
a.infoLog.Printf("found root CA certificate %s: %s", label, crt.Subject.CommonName)
|
||||
}
|
||||
}
|
||||
|
||||
for _, label = range conf.IntermediaryCAs() {
|
||||
crt, err := GetIntermediaryCACertificate(ctx, label)
|
||||
crt, err := a.GetIntermediaryCACertificate(label)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if IsVerbose(ctx) {
|
||||
log.Printf(
|
||||
if a.IsVerbose() {
|
||||
a.infoLog.Printf(
|
||||
"found intermediary CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
|
||||
label,
|
||||
crt.Subject,
|
||||
|
|
@ -63,7 +58,7 @@ func EnsureCAKeysAndCertificates(ctx context.Context) error {
|
|||
crt.NotAfter,
|
||||
crt.SerialNumber)
|
||||
} else {
|
||||
log.Printf("found intermediary CA certificate %s: %s", label, crt.Subject.CommonName)
|
||||
a.infoLog.Printf("found intermediary CA certificate %s: %s", label, crt.Subject.CommonName)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -35,17 +35,17 @@ func TestEnsureCAKeysAndCertificates(t *testing.T) {
|
|||
|
||||
buf := bytes.NewBuffer(nil)
|
||||
|
||||
log.SetOutput(buf)
|
||||
testLogger := log.New(buf, "TEST ", log.LstdFlags)
|
||||
|
||||
ctx := hsm.SetupContext(
|
||||
hsm.CaConfigOption(testConfig),
|
||||
acc, err := hsm.NewAccess(testLogger, hsm.CaConfigOption(testConfig),
|
||||
hsm.SetupModeOption(),
|
||||
hsm.CADirectoryOption(t.TempDir()))
|
||||
assert.NoError(t, err)
|
||||
|
||||
err := hsm.EnsureCAKeysAndCertificates(ctx)
|
||||
err = acc.EnsureCAKeysAndCertificates()
|
||||
|
||||
t.Cleanup(func() {
|
||||
err := hsm.CloseP11Contexts(ctx)
|
||||
err := acc.CloseP11Contexts()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
|
|
@ -66,18 +66,18 @@ func TestEnsureCAKeysAndCertificates_verbose(t *testing.T) {
|
|||
|
||||
buf := bytes.NewBuffer(nil)
|
||||
|
||||
log.SetOutput(buf)
|
||||
testLogger := log.New(buf, "TEST ", log.LstdFlags)
|
||||
|
||||
ctx := hsm.SetupContext(
|
||||
hsm.CaConfigOption(testConfig),
|
||||
acc, err := hsm.NewAccess(testLogger, hsm.CaConfigOption(testConfig),
|
||||
hsm.SetupModeOption(),
|
||||
hsm.VerboseLoggingOption(),
|
||||
hsm.CADirectoryOption(t.TempDir()))
|
||||
assert.NoError(t, err)
|
||||
|
||||
err := hsm.EnsureCAKeysAndCertificates(ctx)
|
||||
err = acc.EnsureCAKeysAndCertificates()
|
||||
|
||||
t.Cleanup(func() {
|
||||
err := hsm.CloseP11Contexts(ctx)
|
||||
err := acc.CloseP11Contexts()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ limitations under the License.
|
|||
package hsm
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
|
|
@ -30,13 +29,13 @@ import (
|
|||
"golang.org/x/term"
|
||||
)
|
||||
|
||||
func prepareCrypto11Context(ctx context.Context, label string) (*crypto11.Context, error) {
|
||||
func (a *Access) prepareCrypto11Context(label string) (*crypto11.Context, error) {
|
||||
var (
|
||||
err error
|
||||
p11Context *crypto11.Context
|
||||
)
|
||||
|
||||
storage, err := GetSignerConfig(ctx).GetKeyStorage(label)
|
||||
storage, err := a.GetSignerConfig().GetKeyStorage(label)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("key storage %s not available: %w", label, err)
|
||||
}
|
||||
|
|
@ -46,10 +45,10 @@ func prepareCrypto11Context(ctx context.Context, label string) (*crypto11.Contex
|
|||
TokenLabel: storage.Label,
|
||||
}
|
||||
|
||||
log.Printf("using PKCS#11 module %s", p11Config.Path)
|
||||
log.Printf("looking for token with label %s", p11Config.TokenLabel)
|
||||
a.infoLog.Printf("using PKCS#11 module %s", p11Config.Path)
|
||||
a.infoLog.Printf("looking for token with label %s", p11Config.TokenLabel)
|
||||
|
||||
p11Config.Pin, err = getPin(p11Config)
|
||||
p11Config.Pin, err = getPin(p11Config, a.infoLog)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -62,17 +61,21 @@ func prepareCrypto11Context(ctx context.Context, label string) (*crypto11.Contex
|
|||
return p11Context, nil
|
||||
}
|
||||
|
||||
func getPin(p11Config *crypto11.Config) (string, error) {
|
||||
func getPin(p11Config *crypto11.Config, infoLog *log.Logger) (string, error) {
|
||||
var err error
|
||||
|
||||
tokenPinEnv := strings.ReplaceAll(p11Config.TokenLabel, "-", "_")
|
||||
tokenPinEnv = strings.ReplaceAll(tokenPinEnv, " ", "_")
|
||||
tokenPinEnv := strings.NewReplacer(
|
||||
"-", "_",
|
||||
" ", "_",
|
||||
"(", "_",
|
||||
")", "_",
|
||||
).Replace(p11Config.TokenLabel)
|
||||
tokenPinEnv = strings.ToUpper(tokenPinEnv)
|
||||
tokenPinEnv = fmt.Sprintf("TOKEN_PIN_%s", tokenPinEnv)
|
||||
|
||||
pin, found := os.LookupEnv(tokenPinEnv)
|
||||
if !found {
|
||||
log.Printf("environment variable %s has not been set", tokenPinEnv)
|
||||
infoLog.Printf("environment variable %s has not been set", tokenPinEnv)
|
||||
|
||||
if !term.IsTerminal(syscall.Stdin) {
|
||||
return "", errors.New("stdin is not a terminal")
|
||||
|
|
|
|||
|
|
@ -50,9 +50,7 @@ func (t *testRepo) NextCRLNumber() (*big.Int, error) {
|
|||
func (t *testRepo) RevokedCertificates() ([]pkix.RevokedCertificate, error) {
|
||||
result := make([]pkix.RevokedCertificate, len(t.revoked))
|
||||
|
||||
for i, revoked := range t.revoked {
|
||||
result[i] = revoked
|
||||
}
|
||||
copy(result, t.revoked)
|
||||
|
||||
return result, nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue