Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFE: Use RFC7512 PKCS#11 URI #1

Closed
dwmw2 opened this issue Jun 16, 2023 · 6 comments
Closed

RFE: Use RFC7512 PKCS#11 URI #1

dwmw2 opened this issue Jun 16, 2023 · 6 comments

Comments

@dwmw2
Copy link

dwmw2 commented Jun 16, 2023

   // crate a credential which will use the HSM embedded AWS Secret:
		cc, err = hmaccred.NewHMACCredential(&hmaccred.HMACCredentialConfig{
			PKCSConfig: hmaccred.PKCSConfig{
				Library: "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so",
				Slot:    0,
				Label:   "HMACKey",
				PIN:     "mynewpin",
				Id:      id,
			},
			AccessKeyID: *accessKeyID,
		})

Seeing that kind of thing in your documentation makes me sad. I prefer documentation which says "Just give me a PKCS#11 URI in place of a filename, and everything Just Works". Like at https://github.com/dwmw2/rolesanywhere-credential-helper/tree/pkcs11#pkcs11-integration

As discussed, feel free to steal anything you like from that code.

@salrashid123
Copy link
Owner

You're right, i'll look into this shortly and reusue that code that understand and URI format.

i'll also see if i can adapt a sample so its more generic (eg for psanford/awsv4signer)

@psanford

fyi, go-tpm and go-tpm-tools needs to support hmac import and even use

google/go-tpm-tools#317

thanks!

@salrashid123
Copy link
Owner

i'll have to update the the go-jwt issuer for pkcs as well

https://github.com/salrashid123/golang-jwt-pkcs11

@salrashid123
Copy link
Owner

this repo uses low-level github.com/miekg/pkcs11 constructs and its not easy to account for and appropriately inject values if given just the URI. closing this but will entertain if upstream miekg/pkcs11 supports interprting the uri on its own

@dwmw2
Copy link
Author

dwmw2 commented Jun 19, 2023

The code at https://github.com/stefanberger/go-pkcs11uri wraps around the miekg/pkcs11 code and provides the necessary URI parsing support.

Matching a PKCS#11 token given a URI, or generating a FindObjects template from a URI, is then fairly simple; examples in the matchSlots() and getFindTemplate() functions in https://github.com/dwmw2/rolesanywhere-credential-helper/blob/pkcs11/aws_signing_helper/pkcs11_signer.go

@dwmw2
Copy link
Author

dwmw2 commented Jun 19, 2023

I do agree it would be better if the underlying modules made it easy for applications to get this right. Filed miekg/pkcs11#170

@salrashid123
Copy link
Owner

i'll reopen this and await the upstream changes (which would address using the uri much easier for everyone and give near automatic support)

also noticed the issue for the thales library (which i also use elsewhere):
ThalesGroup/crypto11#104

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants