jandd
/
cacert-gosigner
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity
New signer implementation in Go
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 Commits
1 Branch
0 Tags
332 KiB
Go 99.7%
Makefile 0.3%
 
 
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'de7e716a82'
${ noResults }
Go to file
Jan Dittberner de7e716a82 Improve signer setup code 
- allow multiple attempts to setup certificates
- use CAB forum BR compliant CRLDistributionPoint for Subordinate CA
  certificates by referencing their own CRL instead of their parent CA's CRL
- store certificates in DER encoded form
 		2 years ago
cmd Implement delta CRL support 2 years ago
docs Rename intermediary CA to subordinate CA 2 years ago
internal Improve signer setup code 2 years ago
pkg Implement delta CRL support 2 years ago
.gitattributes First DDD based signer implementation parts 3 years ago
.gitignore Implement command type handling 2 years ago
.golangci.yml Move internal code to internal packages 2 years ago
.goreleaser.yaml Remove example comments from goreleaser configuration 2 years ago
LICENSE Configure and apply golangci-lint 2 years ago
Makefile Protocol improvements 2 years ago
README.md Add documentation section for socat PTYs 2 years ago
go.mod Tidy up dependencies 2 years ago
go.sum Implement delta CRL support 2 years ago

README.md

CAcert signer

This is the CAcert signer reimplementation in Go that implements a more robust wire protocol and has configurable support for hardware security modules (HSMs) for online and offline key pairs.

See the design document for design considerations and architecture diagrams.

Development preconditions

You will need GNU make to build the application. On Debian systems you can install GNU make and crossbuild tools for ARM binary builds using:

sudo apt install make crossbuild-essential-arm64 crossbuild-essential-armhf

Install go >= 1.17, golangci-lint >= 1.50.0 and goreleaser, as these are used for building and linting the application.

Read the documentation of these tools, to find out how to use them.

Building the binaries

There is a Makefile to automate builds of the signer and clientsim binaries. Run

make

to run linting, tests and binary builds.

Running with softhsm2

Setup HSM keys and certificates

sudo apt install softhsm2
umask 077
mkdir -p ~/.config/softhsm2/tokens
echo "directories.tokendir = $HOME/.config/softhsm2/tokens/" > ~/.config/softhsm2/softhsm2.conf
cp docs/config.sample.yaml config.yaml
# modify config.yaml to fit your needs
softhsm2-util --init-token --free --label localhsm --so-pin 47110815 --pin 123456
# initialize the keys
export PKCS11_PIN_LOCALHSM=123456
go run ./cmd/signer -setup

Run the signer

export PKCS11_PIN_LOCALHSM=123456
go run ./cmd/signer

Run the client simulator with socat

You may run the client simulator that sends commands via stdout and reads responses on stdin via socat to simulate traffic on an emulated serial device:

sudo apt install socat

make clientsim
socat -d -d -v pty,rawer,link=$(pwd)/testPty EXEC:./clientsim,pty,rawer

You will need to configure $(pwd)/testPty as serial/device in your config.yaml to let the signer command find the emulated serial device.

Using socat to simulate TTYs for signer and signer client

The following socat command line will open TTY pseudo devices in ./testPty as well as ../cacert-gosignerclient/testPty. This will allow both the signer and the signer client code to have testPty as device value in their configuration YAML file.

socat -d -d pty,rawer,link=$(pwd)/testPty pty,rawer,link=$(pwd)/../cacert-gosignerclient/testPty