crypto/tls: Add HSM config support.

[zaolin]

What version of Go are you using (go version)?

1.9

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

I tried to setting up a tls connection based on a Trusted Platform Module key which
is basically a smartcard.

What did you expect to see?

Functions which can be implemented by myself hooking into the decrypt/sign operations
of the golang tls implementation: https://golang.org/pkg/crypto/tls/#Config

What did you see instead?

Using keys from a TPM requires custom hooks of decrypt/sign
operations because the private key never leaves the secure element. This was not
possible due to missing config functions ( https://golang.org/pkg/crypto/tls/#Config )
for the decrypt/sign operations of the TLS implementation in golang.

[rminnich]

can you say a little more about these functions? How many are there? What do they need as arguments? What do they return?

[paultag]

@zaolin The great thing about the built in crypto.Signer interface is that it allows other packages to implement that interface.

I had this same need for my Yubikey in PIV mode, so I wrote pault.ag/go/ykpiv, which will provide that type for use in Go. I even added a helper for TLS connections

So, this is likely a matter of writing the right shim to provide a crypto.Signer or a crypto.Decrypter for use by the builtins in a third party package 👍

[zaolin]

@paultag Okay good to know :) Thanks.