Ed25519 support for PKCS#11 backend
e-asphyx committed Oct 13, 2024
1 parent 9825b45 commit 02c1f29
Showing 4 changed files with 46 additions and 41 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -91,7 +91,7 @@ In Tezos, you can infer the signing algorithm from the first three characters of
| AWS KMS ||||
| Azure KMS ||||
| YubiHSM2 ||||
| PKCS#11 | |||
| PKCS#11 | |||

---

12 changes: 6 additions & 6 deletions go.mod
Expand Up @@ -8,7 +8,7 @@ require (
cloud.google.com/go/kms v1.15.5
github.com/certusone/yubihsm-go v0.3.0
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0
github.com/ecadlabs/go-pkcs11 v0.1.6
github.com/ecadlabs/go-pkcs11 v0.2.0
github.com/ecadlabs/goblst v1.0.0
github.com/ecadlabs/gotez/v2 v2.0.6
github.com/go-playground/validator/v10 v10.16.0
Expand All @@ -22,8 +22,8 @@ require (
github.com/segmentio/ksuid v1.0.4
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.8.0
github.com/stretchr/testify v1.8.4
golang.org/x/crypto v0.27.0
github.com/stretchr/testify v1.9.0
golang.org/x/crypto v0.28.0
golang.org/x/exp v0.0.0-20231127185646-65229373498e
golang.org/x/oauth2 v0.15.0
google.golang.org/api v0.152.0
Expand Down Expand Up @@ -85,9 +85,9 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/net v0.21.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/term v0.24.0
golang.org/x/text v0.18.0 // indirect
golang.org/x/sys v0.26.0 // indirect
golang.org/x/term v0.25.0
golang.org/x/text v0.19.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/grpc v1.59.0 // indirect
google.golang.org/protobuf v1.31.0 // indirect
24 changes: 12 additions & 12 deletions go.sum
Expand Up @@ -33,8 +33,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnNEcHYvcCuK6dPZSg=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
github.com/ecadlabs/go-pkcs11 v0.1.6 h1:YnskuaCjLHoY9Y3sdUxB4POlTApsmZAdc0yw7AKPpUU=
github.com/ecadlabs/go-pkcs11 v0.1.6/go.mod h1:PwcQJwjNjjE0WtXtkTv4E0JNIcbl3cdIw+J+pRQbVjE=
github.com/ecadlabs/go-pkcs11 v0.2.0 h1:/WWqMUWFOFr9j5O4E6LEort0YiqEeHriFtvwbtpCwNo=
github.com/ecadlabs/go-pkcs11 v0.2.0/go.mod h1:PwAVBY0muwp6quQFmSDcB5Ekl4TjGG7cEQQwY9KpNVc=
github.com/ecadlabs/goblst v1.0.0 h1:8/e3SQGwqbV0+ul+pg0aSNFfC3lgQcvEed3VdDBXSl8=
github.com/ecadlabs/goblst v1.0.0/go.mod h1:s67gqaOol9o6fguh+evH75X5uQniOhv1HG/EU8xPLPY=
github.com/ecadlabs/gotez/v2 v2.0.6 h1:P7eQ2G+SO1tTV4NHnkdNlrOHxKDo1iF9m34HTLfS3b8=
Expand Down Expand Up @@ -211,8 +211,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
Expand All @@ -222,8 +222,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20231127185646-65229373498e h1:Gvh4YaCaXNs6dKTlfgismwWZKyjVZXwOPfIyUaqU3No=
golang.org/x/exp v0.0.0-20231127185646-65229373498e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
Expand Down Expand Up @@ -268,20 +268,20 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
49 changes: 27 additions & 22 deletions pkg/vault/pkcs11/vault.go
Expand Up @@ -19,10 +19,10 @@ import (
)

type PKCS11Vault struct {
module *pkcs11.Module
slot *pkcs11.Slot
info *pkcs11.ModuleInfo
conf Config
module *pkcs11.Module
session *pkcs11.Session
info *pkcs11.ModuleInfo
conf Config
}

type Config struct {
Expand All @@ -43,15 +43,21 @@ func (i *iterElem) Elem() (vault.StoredKey, error) {
if err != nil {
return nil, i.v.formatError(err)
}
kp, err := pk.KeyPair()
if err != nil {
return nil, i.v.formatError(err)
}
key := &keyPair{
obj: i.obj,
kp: kp,

switch pk.(type) {
case *pkcs11.ECDSAPrivateKey, *pkcs11.Ed25519PrivateKey:
kp, err := pk.KeyPair(pkcs11.MatchLabel | pkcs11.MatchID)
if err != nil {
return nil, i.v.formatError(err)
}
key := &keyPair{
obj: i.obj,
kp: kp,
}
return key, nil
default:
return nil, vault.ErrKey
}
return key, nil
}

type keyPair struct {
Expand Down Expand Up @@ -118,7 +124,7 @@ func New(ctx context.Context, config *Config) (*PKCS11Vault, error) {
}

func (v *PKCS11Vault) Close() error {
if err := v.slot.Close(); err != nil {
if err := v.session.Close(); err != nil {
return err
}
return v.module.Close()
Expand All @@ -134,13 +140,12 @@ func (e errIterator) Next() (vault.StoredKey, error) {

// GetPublicKey returns a public key by given ID
func (v *PKCS11Vault) ListPublicKeys(ctx context.Context) vault.StoredKeysIterator {
if v.slot == nil {
if v.session == nil {
return errIterator{v.formatError(errors.New("locked"))}
}

filter := []pkcs11.Filter{
pkcs11.FilterClass(pkcs11.ClassPrivateKey),
pkcs11.FilterKeyType(pkcs11.KeyTypeEC),
}
if v.conf.Label != "" {
filter = append(filter, pkcs11.FilterLabel(v.conf.Label))
Expand All @@ -149,7 +154,7 @@ func (v *PKCS11Vault) ListPublicKeys(ctx context.Context) vault.StoredKeysIterat
filter = append(filter, pkcs11.FilterID(v.conf.ObjectID))
}

objects, err := v.slot.Objects(filter...)
objects, err := v.session.Objects(filter...)
if err != nil {
return errIterator{v.formatError(err)}
}
Expand All @@ -165,14 +170,14 @@ func (v *PKCS11Vault) ListPublicKeys(ctx context.Context) vault.StoredKeysIterat
}

func (v *PKCS11Vault) GetPublicKey(ctx context.Context, id string) (vault.StoredKey, error) {
if v.slot == nil {
if v.session == nil {
return nil, v.formatError(errors.New("locked"))
}
handle, err := strconv.ParseUint(id, 16, 32)
if err != nil {
return nil, v.formatError(err)
}
obj, err := v.slot.NewObject(uint(handle))
obj, err := v.session.NewObject(uint(handle))
if err != nil {
if stderr.Is(err, pkcs11.ErrObjectHandleInvalid) {
return nil, errors.Wrap(v.formatError(err), http.StatusNotFound)
Expand All @@ -183,7 +188,7 @@ func (v *PKCS11Vault) GetPublicKey(ctx context.Context, id string) (vault.Stored
if err != nil {
return nil, v.formatError(err)
}
kp, err := pk.KeyPair()
kp, err := pk.KeyPair(pkcs11.MatchLabel | pkcs11.MatchID)
if err != nil {
return nil, v.formatError(err)
}
Expand All @@ -195,7 +200,7 @@ func (v *PKCS11Vault) GetPublicKey(ctx context.Context, id string) (vault.Stored
}

func (v *PKCS11Vault) SignMessage(ctx context.Context, msg []byte, key vault.StoredKey) (crypt.Signature, error) {
if v.slot == nil {
if v.session == nil {
return nil, v.formatError(errors.New("locked"))
}
kp, ok := key.(*keyPair)
Expand Down Expand Up @@ -236,11 +241,11 @@ func (v *PKCS11Vault) Unlock(ctx context.Context) error {
}
}

slot, err := v.module.Slot(*v.conf.Slot, pkcs11.OptUserPIN(v.conf.Pin))
session, err := v.module.NewSession(*v.conf.Slot, pkcs11.OptUserPIN(v.conf.Pin))
if err != nil {
return v.formatError(err)
}
v.slot = slot
v.session = session
return nil
}

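Review bot: Dropping `pkcs11.FilterKeyType(pkcs11.KeyTypeEC)` from the `ListPublicKeys` filter means `Objects()` now returns every private key on the token, and the new type switch in `iterElem.Elem()` turns each non-EC/Ed25519 key (an RSA key, for example) into a `vault.ErrKey` result instead of leaving it out of the enumeration; whether that aborts the listing or is skipped depends on the iterator's consumer, which is outside this hunk. If the library exposes a key-type filter for the Edwards key type, querying with two filters (EC and Edwards) or skipping unsupported types inside `Elem()` would preserve the behaviour the old filter gave. The `GetPublicKey` hunk calls `pk.KeyPair(pkcs11.MatchLabel | pkcs11.MatchID)` without the same type switch, so a handle that resolves to an unsupported key type is not rejected consistently with `Elem()` unless a check exists in the lines elided between the hunks. While here, the comment `// GetPublicKey returns a public key by given ID` sits above `ListPublicKeys`; it should read `// ListPublicKeys returns an iterator over the token's private-key objects, each wrapped as a vault.StoredKey.`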