This is the CAcert signer reimplementation in Go that implements a more robust wire protocol and has configurable support for hardware security modules (HSMs) for online and offline key pairs.
See the design document for design considerations and architecture diagrams.
You will need GNU make to build the application. On Debian systems you can install GNU make and crossbuild tools for ARM binary builds using:
sudo apt install make crossbuild-essential-arm64 crossbuild-essential-armhf
Read the documentation of these tools to find out how to use them.
Building the binaries
There is a Makefile to automate builds of the signer and clientsim binaries. Run make to run linting, tests and binary builds.
Running with softhsm2
Setup HSM keys and certificates
sudo apt install softhsm2
umask 077
mkdir -p ~/.config/softhsm2/tokens
echo "directories.tokendir = $HOME/.config/softhsm2/tokens/" > ~/.config/softhsm2/softhsm2.conf
cp docs/config.sample.yaml config.yaml
# modify config.yaml to fit your needs
softhsm2-util --init-token --free --label localhsm --so-pin 47110815 --pin 123456
# initialize the keys
export PKCS11_PIN_LOCALHSM=123456
go run ./cmd/signer -setup
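As an added check (example script, not part of the cacert-gosigner project), the following POSIX shell functions verify the softhsm2 setup from the steps above before the signer is started: that softhsm2.conf names a token directory, that the directory is private to the current user (which is what the umask 077 is for, since the token files hold the key material), and that the PIN variable is exported. The default config path, the function names and the use of PKCS11_PIN_LOCALHSM as the variable to check are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added sanity check for the softhsm2 setup above (not project code).
# Assumes the default config path and the PKCS11_PIN_LOCALHSM variable
# name shown in the setup steps.

# Print the token directory named in softhsm2.conf ("directories.tokendir = <path>").
# Returns 1 if the file is unreadable or has no such key.
softhsm_tokendir() {
    conf="${1:-$HOME/.config/softhsm2/softhsm2.conf}"
    [ -r "$conf" ] || return 1
    dir=$(sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$dir" ] && printf '%s\n' "$dir"
}

# Return 0 only if the directory exists and group/others have no access
# (umask 077 above makes the token files, which hold the key material,
# private to the signer user; a wider mode means they were created wrongly).
softhsm_tokendir_private() {
    [ -d "$1" ] || return 1
    # columns 5-10 of `ls -ld` output are the group and other permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 if the named PIN variable is set and non-empty in the environment.
softhsm_pin_exported() {
    eval "val=\${$1:-}"
    [ -n "$val" ]
}

# Run all checks; the optional argument overrides the softhsm2.conf path.
check_softhsm_setup() {
    conf="${1:-$HOME/.config/softhsm2/softhsm2.conf}"
    dir=$(softhsm_tokendir "$conf") ||
        { echo "cannot read directories.tokendir from $conf" >&2; return 1; }
    softhsm_tokendir_private "$dir" ||
        { echo "token dir $dir missing or accessible to others" >&2; return 1; }
    softhsm_pin_exported PKCS11_PIN_LOCALHSM ||
        { echo "PKCS11_PIN_LOCALHSM is not exported" >&2; return 1; }
    echo "softhsm2 setup OK: tokendir=$dir"
}
```

Run check_softhsm_setup after the setup steps and before starting the signer; a non-zero exit names the first problem on stderr.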
Run the signer
export PKCS11_PIN_LOCALHSM=123456
go run ./cmd/signer
Run the client simulator with socat
You may run the client simulator, which sends commands via stdout and reads the responses back, to simulate traffic on an emulated serial device:
sudo apt install socat
make clientsim
socat -d -d -v pty,rawer,link=$(pwd)/testPty EXEC:./clientsim,pty,rawer
You will need to configure the device setting in your config.yaml to let the signer command find the emulated serial device.
Using socat to simulate TTYs for signer and signer client
The following socat command line opens TTY pseudo devices at ./testPty as well as at ../cacert-gosignerclient/testPty. This allows both the signer and the signer client code to have a matching device value in their configuration YAML file.
socat -d -d pty,rawer,link=$(pwd)/testPty pty,rawer,link=$(pwd)/../cacert-gosignerclient/testPty