pkcs11

package
v0.0.0-...-683b059
Published: Apr 23, 2022 License: BSD-3-Clause Imports: 9 Imported by: 0

Documentation

Overview

Package pkcs11 implements the libraries for accessing and testing the chaps pkcs#11 keystore.

Index

Constants

const (
	// GenRSA2048 is used to specify that we want to generate RSA 2048 key in CreateGeneratedKey.
	GenRSA2048 = "rsa:2048"
	// GenECP256 is used to specify that we want to generate elliptic curve key with P256 curve in CreateGeneratedKey.
	GenECP256 = "EC:prime256v1"
)

Variables

var ECDSASHA1 = MechanismInfo{
	Name: "ECDSA-SHA1-P256",
	// contains filtered or unexported fields
}

ECDSASHA1 represents the MechanismInfo that uses ECDSA signature scheme with SHA1. Note that NIST P256 curve is used.

var GenericRSAPKCSPSSWithSHA1 = MechanismInfo{
	Name: "RSA-PKCS-PSS+SHA1",
	// contains filtered or unexported fields
}

GenericRSAPKCSPSSWithSHA1 represents the MechanismInfo that uses the generic RSA PSS signature scheme with SHA1. Note that this mechanism differs from the others in that it uses the standalone, generic RSA PSS mechanism, with SHA1 specified as the hash algorithm in the PSS parameters (instead of being part of the mechanism).

var GenericRSAPKCSPSSWithSHA256 = MechanismInfo{
	Name: "RSA-PKCS-PSS+SHA256",
	// contains filtered or unexported fields
}

GenericRSAPKCSPSSWithSHA256 represents the MechanismInfo that uses the generic RSA PSS signature scheme with SHA256. Note that this mechanism differs from the others in that it uses the standalone, generic RSA PSS mechanism, with SHA256 specified as the hash algorithm in the PSS parameters (instead of being part of the mechanism).

var SHA1RSAPKCS = MechanismInfo{
	Name: "SHA1-RSA-PKCS",
	// contains filtered or unexported fields
}

SHA1RSAPKCS represents the MechanismInfo that is a signing scheme that uses SHA1 for hashing and RSA PKCS#1 v1.5 for signing.

var SHA1RSAPKCSPSS = MechanismInfo{
	Name: "SHA1-RSA-PKCS-PSS",
	// contains filtered or unexported fields
}

SHA1RSAPKCSPSS represents the MechanismInfo that is a signing scheme that uses SHA1 for hashing and RSA PSS for signing.

var SHA256RSAPKCS = MechanismInfo{
	Name: "SHA256-RSA-PKCS",
	// contains filtered or unexported fields
}

SHA256RSAPKCS represents the MechanismInfo that is a signing scheme that uses SHA256 for hashing and RSA PKCS#1 v1.5 for signing.

var SHA256RSAPKCSPSS = MechanismInfo{
	Name: "SHA256-RSA-PKCS-PSS",
	// contains filtered or unexported fields
}

SHA256RSAPKCSPSS represents the MechanismInfo that is a signing scheme that uses SHA256 for hashing and RSA PSS for signing.

Functions

func HashFileProcessor

func HashFileProcessor(ctx context.Context, r hwsec.CmdRunner, input, hash string) string

HashFileProcessor is for MechanismInfo.toolSignInputFileProcessor. This function takes an input file, computes its digest with the algorithm named by hash, and returns the name of the file holding that digest. Usual values for hash are "sha1" or "sha256".

func NoOpFileProcessor

func NoOpFileProcessor(ctx context.Context, runner hwsec.CmdRunner, input string) string

NoOpFileProcessor is for MechanismInfo.toolSignInputFileProcessor. This function does nothing to the input.

Types

type Chaps

type Chaps struct {
	// contains filtered or unexported fields
}

Chaps is the class that stores the persistent state that is required to run all PKCS#11 related utility calls.

func NewChaps

NewChaps creates a new Chaps.

func (*Chaps) ClearObjects

func (p *Chaps) ClearObjects(ctx context.Context, slot int, objID, objType string) error

ClearObjects removes all objects with the given ID objID and of type objType from the token in slot slot. objType is usually "privkey" or "cert".

func (*Chaps) ClearObjectsOfAllType

func (p *Chaps) ClearObjectsOfAllType(ctx context.Context, slot int, objID string) error

ClearObjectsOfAllType removes all objects with the given ID objID from the token in slot slot, regardless of type.

func (*Chaps) CreateECSoftwareKey

func (p *Chaps) CreateECSoftwareKey(ctx context.Context, scratchpadPath, username, keyname, objID string, forceSoftwareBacked, checkSoftwareBacked bool) (*KeyInfo, error)

CreateECSoftwareKey creates a key and inserts it into the system token (if username is empty), or into the user token specified by username. The object will have an ID of objID, and the corresponding public key will be deposited in the scratchpad.

func (*Chaps) CreateGeneratedKey

func (p *Chaps) CreateGeneratedKey(ctx context.Context, scratchpadPath, keyType, username, keyname, objID string) (*KeyInfo, error)

CreateGeneratedKey creates a key by generating it in the TPM and inserts it into the system token (if username is empty), or into the user token specified by username. The object will have an ID of objID, and the corresponding public key will be deposited in /tmp/$keyname.key. Use GenRSA2048 or GenECP256 above for keyType.

func (*Chaps) CreateKeyCopy

func (p *Chaps) CreateKeyCopy(ctx context.Context, origKey *KeyInfo, objID string, attributes map[string]string) (*KeyInfo, string, error)

CreateKeyCopy creates a copy of origKey and sets its CKA_ID to objID, and other attributes according to attributes map. It returns (key, message, err), whereby err is nil iff the operation is successful. key is the new key and message is the stdout of p11_replay command where available.

func (*Chaps) CreateRSASoftwareKey

func (p *Chaps) CreateRSASoftwareKey(ctx context.Context, scratchpadPath, username, keyname, objID string, forceSoftwareBacked, checkSoftwareBacked bool) (*KeyInfo, error)

CreateRSASoftwareKey creates a key and inserts it into the system token (if username is empty), or into the user token specified by username. The object will have an ID of objID, and the corresponding public key will be deposited in /tmp/$keyname.key.

func (*Chaps) DestroyKey

func (p *Chaps) DestroyKey(ctx context.Context, key *KeyInfo) error

DestroyKey destroys the given key by removing it from disk and keystore.

func (*Chaps) DumpKeyInfo

func (p *Chaps) DumpKeyInfo(k *KeyInfo) string

DumpKeyInfo converts the information in the key into a human-readable string for debugging purposes.

func (*Chaps) GetObjectAttribute

func (p *Chaps) GetObjectAttribute(ctx context.Context, key *KeyInfo, objType, name string) (value string, err error)

GetObjectAttribute retrieves the object of type objType with the ID specified in key, and returns its attribute specified by name. The returned values are (value, err): err is nil iff the operation is successful, in which case value holds the hex-encoded attribute value. When the failure corresponds to a single CKR_* code, err may be an error carrying only that code.

func (*Chaps) ImportPEMKeyAndCertBySlot

func (p *Chaps) ImportPEMKeyAndCertBySlot(ctx context.Context, scratchpadPath, privKey, cert, objID string, slot int) (*KeyInfo, error)

ImportPEMKeyAndCertBySlot imports key and cert of PEM format to the token specified by slot. The object will have an ID of objID. It is OK for either privKey or cert to be empty if they are not needed.

func (*Chaps) ImportPrivateKeyBySlot

func (p *Chaps) ImportPrivateKeyBySlot(ctx context.Context, privKeyPath string, slot int, objID string, forceSoftwareBacked bool) (*KeyInfo, error)

ImportPrivateKeyBySlot creates a key by importing it from the existing DER-format private key file specified by privKeyPath. The key will be inserted into the token specified by slot. The object will have an ID of objID.

func (*Chaps) IsSoftwareBacked

func (p *Chaps) IsSoftwareBacked(ctx context.Context, key *KeyInfo) (bool, error)

IsSoftwareBacked checks whether the given key is backed by hardware or by software. The returned error is nil iff the operation is successful; in that case, the boolean is true iff the key is backed in software.

func (*Chaps) ListSlots

func (p *Chaps) ListSlots(ctx context.Context) ([]SlotInfo, error)

ListSlots lists the slots in chaps.

func (*Chaps) ReplayWifiBySlot

func (p *Chaps) ReplayWifiBySlot(ctx context.Context, slot int, args ...string) error

ReplayWifiBySlot replays an EAP-TLS Wifi negotiation using the token in the given slot.

func (*Chaps) RunPkcs11Tool

func (p *Chaps) RunPkcs11Tool(ctx context.Context, args ...string) ([]byte, error)

RunPkcs11Tool will execute "pkcs11-tool --module=chapsPath args..." on the DUT.

func (*Chaps) SetObjectAttribute

func (p *Chaps) SetObjectAttribute(ctx context.Context, key *KeyInfo, objType, name, value string) (err error)

SetObjectAttribute retrieves the object of type objType with the ID specified in key, and sets its attribute specified by name to value. It returns err, which is nil iff the operation is successful.

func (*Chaps) Sign

func (p *Chaps) Sign(ctx context.Context, key *KeyInfo, input, output string, mechanism *MechanismInfo) error

Sign signs the input with key using the given mechanism, and writes the signature to output. It returns nil iff the signing is successful.

func (*Chaps) Verify

func (p *Chaps) Verify(ctx context.Context, key *KeyInfo, input, signaturePath string, mechanism *MechanismInfo) error

Verify verifies the signature at signaturePath, produced with key and mechanism, against the message at input. It returns nil iff the signature is valid.
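As an added example, not code from this package, the RSA MechanismInfo variables above and the Sign/Verify pair can be modelled with Go's crypto/rsa. Mechanism, NewKey, Sign and Verify are constructed stand-ins; the example also shows that a signature only verifies under the mechanism it was made with, and that the generic PSS form is wire-compatible with the mechanism-integrated PSS form using the same hash.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers crypto.SHA1 for Hash.New
	_ "crypto/sha256" // registers crypto.SHA256 for Hash.New
)

// Mechanism is a constructed stand-in for MechanismInfo: the digest and the padding scheme.
type Mechanism struct {
	Name string
	Hash crypto.Hash
	PSS  bool // true for RSA PSS, false for RSA PKCS#1 v1.5
}

var (
	SHA1RSAPKCS      = Mechanism{"SHA1-RSA-PKCS", crypto.SHA1, false}
	SHA256RSAPKCS    = Mechanism{"SHA256-RSA-PKCS", crypto.SHA256, false}
	SHA256RSAPKCSPSS = Mechanism{"SHA256-RSA-PKCS-PSS", crypto.SHA256, true}
	// Generic PSS: caller pre-hashes (HashFileProcessor) and passes the digest as a PSS parameter; same signature bytes.
	GenericRSAPKCSPSSWithSHA256 = Mechanism{"RSA-PKCS-PSS+SHA256", crypto.SHA256, true}
)

// NewKey generates an RSA 2048 key, the same size as the page's GenRSA2048 key type.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func digest(h crypto.Hash, msg []byte) []byte {
	d := h.New()
	d.Write(msg)
	return d.Sum(nil)
}

// Sign signs msg under m, as Chaps.Sign does through pkcs11-tool.
func Sign(key *rsa.PrivateKey, m Mechanism, msg []byte) ([]byte, error) {
	if m.PSS {
		return rsa.SignPSS(rand.Reader, key, m.Hash, digest(m.Hash, msg),
			&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	}
	return rsa.SignPKCS1v15(rand.Reader, key, m.Hash, digest(m.Hash, msg))
}

// Verify returns nil iff sig is valid for msg under m; a mismatched digest or padding fails.
func Verify(pub *rsa.PublicKey, m Mechanism, msg, sig []byte) error {
	if m.PSS {
		return rsa.VerifyPSS(pub, m.Hash, digest(m.Hash, msg), sig, nil)
	}
	return rsa.VerifyPKCS1v15(pub, m.Hash, digest(m.Hash, msg), sig)
}
```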

type Error

type Error struct {
	*errors.E

	// PKCS11RetCode contains the return code from PKCS#11 method calls, and it should be of the form CKR_*
	PKCS11RetCode string

	// CmdMessage holds the stdout and stderr of the command execution, that is, the command that actually invoked the PKCS#11 calls.
	CmdMessage string
}

Error is a custom error type for storing errors that occur in PKCS#11 APIs, together with the specific CKR_* error code.

type KeyInfo

type KeyInfo struct {
	// contains filtered or unexported fields
}

KeyInfo stores the information for a particular key, both on disk and in chaps keystore.

type MechanismInfo

type MechanismInfo struct {
	// Name used to identify this mechanism in debug message.
	Name string
	// contains filtered or unexported fields
}

MechanismInfo stores the information regarding a mechanism, and the various related parameters for using this mechanism with various tools such as openssl and pkcs11-tool. Note that there's a set of constants defined in this file for users of this struct.

type SlotInfo

type SlotInfo struct {
	// contains filtered or unexported fields
}

SlotInfo stores the information for a particular slot in chaps.

Directories

Path Synopsis
Package netcertstore hosts the NetCertStore.
Package pkcs11test implements utilities for testing the chaps pkcs#11 keystore.
