cmd | ||
docs | ||
internal | ||
pkg | ||
.gitattributes | ||
.gitignore | ||
.golangci.yml | ||
.goreleaser.yaml | ||
go.mod | ||
go.sum | ||
LICENSE | ||
Makefile | ||
README.md |
CAcert signer
This is the CAcert signer reimplementation in Go that implements a more robust wire protocol and has configurable support for hardware security modules (HSMs) for online and offline key pairs.
See the design document for design considerations and architecture diagrams.
Development preconditions
You will need GNU make to build the application. On Debian systems you can install GNU make and crossbuild tools for ARM binary builds using:
sudo apt install make crossbuild-essential-arm64 crossbuild-essential-armhf
Install go >= 1.17, golangci-lint >= 1.50.0 and goreleaser, as these are used for building and linting the application.
Read the documentation of these tools, to find out how to use them.
Building the binaries
There is a Makefile
to automate builds of the signer and clientsim binaries. Run
make
to run linting, tests and binary builds.
Running with softhsm2
Setup HSM keys and certificates
sudo apt install softhsm2
umask 077
mkdir -p ~/.config/softhsm2/tokens
echo "directories.tokendir = $HOME/.config/softhsm2/tokens/" > ~/.config/softhsm2/softhsm2.conf
cp docs/config.sample.yaml config.yaml
# modify config.yaml to fit your needs
softhsm2-util --init-token --free --label localhsm --so-pin 47110815 --pin 123456
# initialize the keys
export PKCS11_PIN_LOCALHSM=123456
go run ./cmd/signer -setup
Run the signer
export PKCS11_PIN_LOCALHSM=123456
go run ./cmd/signer
Run the client simulator with socat
You may run the client simulator that sends commands via stdout
and reads responses on stdin
via socat
to
simulate traffic on an emulated serial device:
sudo apt install socat
make clientsim
socat -d -d -v pty,rawer,link=$(pwd)/testPty EXEC:./clientsim,pty,rawer
You will need to configure $(pwd)/testPty
as serial
/device
in your config.yaml
to let the signer command find
the emulated serial device.
Using socat to simulate TTYs for signer and signer client
The following socat
command line will open TTY pseudo devices in ./testPty
as well as
../cacert-gosignerclient/testPty
. This will allow both the signer and the signer client code to have
testPty
as device
value in their configuration YAML file.
socat -d -d pty,rawer,link=$(pwd)/testPty pty,rawer,link=$(pwd)/../cacert-gosignerclient/testPty