crypto/tls: Add HSM config support. #22124

Closed
zaolin opened this issue Oct 4, 2017 · 3 comments
Comments

@zaolin zaolin commented Oct 4, 2017

What version of Go are you using (go version)?

1.9

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

I tried to set up a TLS connection based on a Trusted Platform Module key, which
is basically a smartcard.

What did you expect to see?

Functions which can be implemented by myself hooking into the decrypt/sign operations
of the golang tls implementation: https://golang.org/pkg/crypto/tls/#Config

What did you see instead?

Using keys from a TPM requires custom hooks of decrypt/sign
operations because the private key never leaves the secure element. This was not
possible due to missing config functions ( https://golang.org/pkg/crypto/tls/#Config )
for the decrypt/sign operations of the TLS implementation in golang.

@rminnich rminnich commented Oct 4, 2017

can you say a little more about these functions? How many are there? What do they need as arguments? What do they return?

@paultag paultag commented Oct 4, 2017

@zaolin The great thing about the built in crypto.Signer interface is that it allows other packages to implement that interface.

I had this same need for my Yubikey in PIV mode, so I wrote pault.ag/go/ykpiv, which will provide that type for use in Go. I even added a helper for TLS connections

So, this is likely a matter of writing the right shim to provide a crypto.Signer or a crypto.Decrypter for use by the builtins in a third party package 👍
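The shim paultag describes, as an added example that is not code from the thread, from ykpiv, or from the Go project: a type implementing crypto.Signer is handed to crypto/tls as tls.Certificate.PrivateKey, and the handshake's signature is delegated to it instead of to key material in memory. The hsmSigner below is an assumed stand-in: it keeps a software ECDSA key where a real TPM or PIV implementation would forward Sign to the device. The certificate, the "localhost" name and the in-memory net.Pipe handshake are constructed for the example so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// hsmSigner stands in for a key held in a TPM/HSM/smartcard (assumption for
// this example): callers get the public key and a Sign operation, never the
// private scalar. A real implementation would forward Sign to the device.
type hsmSigner struct {
	priv  *ecdsa.PrivateKey // hidden inside the "device"
	signs int64             // Sign calls made, to show the TLS stack used the hook
}

func newHSMSigner() (*hsmSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &hsmSigner{priv: priv}, nil
}

// Public satisfies crypto.Signer.
func (s *hsmSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

// Sign satisfies crypto.Signer. crypto/tls (and x509.CreateCertificate) pass the
// already-hashed data plus the hash as opts; a device-backed signer must refuse
// hashes it cannot handle rather than sign the wrong thing.
func (s *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, fmt.Errorf("hsmSigner: unsupported hash %v", opts.HashFunc())
	}
	atomic.AddInt64(&s.signs, 1)
	return ecdsa.SignASN1(r, s.priv, digest)
}

// selfSignedCert issues a certificate for the signer's public key, signed by
// the signer itself; the DER goes into tls.Certificate.Certificate.
func selfSignedCert(s *hsmSigner) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.Public(), s)
}

// handshakeWithSigner runs a TLS handshake over an in-memory pipe with the
// signer as the server's private key. It returns how many Sign calls the
// handshake itself made and the negotiated TLS version.
func handshakeWithSigner() (signs int64, version uint16, err error) {
	signer, err := newHSMSigner()
	if err != nil {
		return 0, 0, err
	}
	der, err := selfSignedCert(signer)
	if err != nil {
		return 0, 0, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)

	serverCfg := &tls.Config{
		// PrivateKey only needs to implement crypto.Signer: no key bytes here.
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: signer}},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keep the post-handshake flow minimal for the pipe
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12}

	before := atomic.LoadInt64(&signer.signs)
	cConn, sConn := net.Pipe() // synchronous, so the server runs in its own goroutine
	defer cConn.Close()
	srvErr := make(chan error, 1)
	go func() {
		defer sConn.Close()
		srv := tls.Server(sConn, serverCfg)
		if err := srv.Handshake(); err != nil {
			srvErr <- err
			return
		}
		_, err := srv.Write([]byte("ok"))
		srvErr <- err
	}()
	cli := tls.Client(cConn, clientCfg)
	if err := cli.Handshake(); err != nil {
		return 0, 0, err
	}
	buf := make([]byte, 2)
	if _, err := io.ReadFull(cli, buf); err != nil {
		return 0, 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, 0, err
	}
	return atomic.LoadInt64(&signer.signs) - before, cli.ConnectionState().Version, nil
}

func main() {
	n, v, err := handshakeWithSigner()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS %#x handshake done, %d signature(s) delegated to the signer\n", v, n)
}
```

Two caveats for a real device-backed signer. First, crypto/tls calls Sign with the hash named in opts (and, for RSA-PSS, an *rsa.PSSOptions), so the shim must map that onto what the TPM or card supports and fail loudly otherwise. Second, a crypto.Signer covers ECDHE and TLS 1.3 handshakes, where the server signs once; RSA key-exchange cipher suites instead decrypt the premaster secret, so for those the key must also implement crypto.Decrypter, which is the second interface paultag mentions.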

@zaolin zaolin commented Oct 4, 2017

@paultag Okay good to know :) Thanks.

@zaolin zaolin closed this Oct 4, 2017
@golang golang locked and limited conversation to collaborators Oct 4, 2018