lorica

module

v0.0.0-...-48496ca Latest Latest Go to latest Published: Aug 16, 2018 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ericyan/lorica

Links

Open Source Insights

README ¶

Lorica

Lorica provides tools for operating a certification authority (CA) that leverages PKCS #11 cryptographic tokens.

PKCS #11 cryptographic tokens

By design, Lorica does not get hold of the private key. Instead, it asks another device, usually a hardware security module (HSM), to perform the cryptographic functions on its behalf.

Such devices, commonly known as cryptographic tokens, are purpose-built to generate cryptographic keys and sign information without revealing the private key. This greatly reduces the risk of key compromise, one of the main risks certification authorities defend against.

Lorica interacts with cryptographic tokens using the Cryptoki API, as specified by the PKCS #11 standard.

SoftHSM2

SoftHSM2 is a software implementation of a generic cryptographic token with a PKCS #11 interface.

SoftHSM2 is required for running the test suite. The user running the test suite should have access to softhsm2-util command and the PKCS#11 module should be available at /usr/lib/softhsm/libsofthsm2.so.

Quickstart

In this tutorial, we will use the lorica command-line tool with a SoftHSM2 token to deploy a two-tier PKI.

Prepare the cryptographic token

Lorica loads PKCS #11 token configurations from environment variables, you can also use a .env file like this:

LORICA_TOKEN_MODULE="/usr/lib/softhsm/libsofthsm2.so"
LORICA_TOKEN_LABEL=lorica_demo
LORICA_TOKEN_PIN=123456

The token must be initialized before use. For SoftHSM2, you can do it by using this command:

$ softhsm2-util --init-token --free --label lorica_demo --pin 123456 --so-pin lorica

You can do a quick smoke test with the lorica info command:

$ lorica info
Token label:    lorica_demo
Manufacturer:   SoftHSM project
Token model:    SoftHSM v2
Serial number:  4788d9b901eef752

Set up the Root CA

First we need to prepare a configuration file in JSON format, like this:

{
  "CN": "Pied Piper Root CA",
  "name": {
    "OU": "Certification Authority",
    "O": "Pied Piper",
    "L": "Silicon Valley",
    "ST": "CA",
    "C": "US"
  },
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "self_sign": true,
  "expiry": "87600h",
  "ca_constraint": {
    "is_ca": true
  }
}

Then we use the lorica init command to set up the Root CA:

$ lorica init root_ca.json -f root.ca

This will create a new file, root.ca, which keeps the internal state. Just specify this file when running a command and Lorica will know which CA you are working with. For example, to view the certificate of Root CA:

$ lorica cert -f root.ca | openssl x509 -noout -text

Set up the Subordinate CA

Similarly, prepare a configuration for the Subordinate CA. Note that we have self_sign set to false:

{
  "CN": "Pied Piper Subordinate CA",
  "name": {
    "OU": "Certification Authority",
    "O": "Pied Piper",
    "L": "Silicon Valley",
    "ST": "CA",
    "C": "US"
  },
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "self_sign": false,
  "usages":  [
    "signing",
    "key encipherment",
    "server auth",
    "client auth"
  ],
  "expiry": "8760h",
  "ca_constraint": {
    "is_ca": false
  }
}

Use the same lorica init command to set up the Subordinate CA. Only this time, we need to export the CSR.

$ lorica init sub_ca.json -f sub.ca --export-csr sub_ca.csr

After that, ask the Root CA to sign the CSR of the Subordinate CA and import the newly-issued certificate to the Subordinate CA:

$ lorica issue -f root.ca sub_ca.csr --export-cert sub_ca.crt
$ lorica cert -f sub.ca --import sub_ca.crt

The Subordinate CA is now fully operational.

Issue a end-entity certificate

Create a CSR for the end-entity:

$ openssl req -nodes -newkey rsa:2048 -sha256 \
  -subj /CN=piedpiper.example.com \
  -keyout piedpiper.example.com.key \
  -out piedpiper.example.com.csr

Ask Subordinate CA to sign the CSR and export the issued certificate:

$ lorica issue -f sub.ca piedpiper.example.com.csr --export-cert piedpiper.example.com.crt

Revoke a certificate

To revoke a certificate, pass its serial number to the lorica revoke command:

$ lorica revoke -f sub.ca 154650704943387378214337212672624373342364461517

After that, update the certificate revocation list:

$ lorica crl -f sub.ca sub_ca.crl

Inpsect the CRL to confirm the certificate is now being revoked:

$ openssl crl -inform DER -text -noout -in sub_ca.crl

Directories ¶

Path	Synopsis
cmd
lorica Package main implements a command-line tool, lorica, for operating a certification authority.	Package main implements a command-line tool, lorica, for operating a certification authority.
internal
certsql package certsql is a copy of github.com/cloudflare/cfssl/certdb/sql.	package certsql is a copy of github.com/cloudflare/cfssl/certdb/sql.
cliutil
mock
pkg
ca
cryptoki Package cryptoki implements cryptographic token interface as defined in PKCS #11.	Package cryptoki implements cryptographic token interface as defined in PKCS #11.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL