theparanoids / crypki
A simple service for interacting with an HSM or other PKCS#11 device.
License: Apache License 2.0
One can build SoftHSMv2 on Mac and it should be possible to use it as the HSM for a development or testing crypki instance. It would be helpful to have detailed instructions on how to do it.
$ crypki -h
2019/06/04 20:08:46 server.go:114: failed to create log file: open /var/log/crypki/server.log: no such file or directory
Two possible changes. Either:
One of these two changes would be highly desirable.
When using the same slot with multiple keyUsages, crypki returns CKR_USER_ALREADY_LOGGED_IN.
server.go:149: unable to initialize cert signer: unable to initialize key with identifier "ssh-host-key": error making dummy signer: makeSigner: error in Login: pkcs11: 0x100: CKR_USER_ALREADY_LOGGED_IN
The config is like below.
...
"Keys": [
{
"Identifier": "ssh-user-key",
"KeyLabel": "user_ssh",
"SlotNumber": 11111,
"UserPinPath": "slot_pwd.txt"
},
{
"Identifier": "ssh-host-key",
"KeyLabel": "host_ssh",
"SlotNumber": 11111,
"UserPinPath": "slot_pwd.txt"
},
...
If the line below is changed, it works well.
https://github.com/yahoo/crypki/blob/f33a9e6a39cf9a0466ad1dc84f525852e7498268/pkcs11/p11signer.go#L30
if err = context.Login(session, p11.CKU_USER, userPin); err != nil && !strings.Contains(err.Error(), "CKR_USER_ALREADY_LOGGED_IN") {
The config value of TLSClientAuthMode is fixed to "RequireAndVerifyClientCert" (4) on the TLS server, whichever value is set.
https://github.com/yahoo/crypki/blob/8e3d5535f79a1a106fcf89e2b9a9a8ce04fff06a/server/server.go#L57
Is this the specification? Is this configuration only for gRPC?
Currently the DecodeRequest function (https://github.com/theparanoids/crypki/blob/main/x509cert/encode.go#L16) ignores the ExtraExtensions field of the CSR (https://pkg.go.dev/crypto/x509#CertificateRequest.ExtraExtensions). This leads to EKUs specified in the ExtraExtensions of the CSR not being propagated to the generated Certificate, and therefore to an unusable Certificate due to the missing (possibly Critical) EKUs.
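Added example (not crypki's code): the shape of the fix this report asks for, written against Go's standard crypto/x509. It reads the CSR's raw Extensions, allowlists only a well-formed extKeyUsage and carries it into the certificate through ExtraExtensions, dropping anything else the requester asked for. The function names, the self-signed issuance and the constructed CSR (which also requests CA:TRUE so the test can show it is refused) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// RFC 5280 OIDs id-ce-extKeyUsage and id-ce-basicConstraints.
var oidEKU, oidBasicCons = asn1.ObjectIdentifier{2, 5, 29, 37}, asn1.ObjectIdentifier{2, 5, 29, 19}

// allowedCSRExtensions returns the requested extensions a CA should carry into the certificate.
// Copying every CSR extension would let a requester set basicConstraints CA:TRUE, so only a
// well-formed extKeyUsage (SEQUENCE OF OID) is allowlisted; everything else is dropped.
func allowedCSRExtensions(csr *x509.CertificateRequest) ([]pkix.Extension, error) {
	var out []pkix.Extension
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidEKU) { continue }
		var oids []asn1.ObjectIdentifier
		if rest, err := asn1.Unmarshal(ext.Value, &oids); err != nil || len(rest) != 0 || len(oids) == 0 {
			return nil, asn1.StructuralError{Msg: "malformed extKeyUsage extension in CSR"}
		}
		out = append(out, ext)
	}
	return out, nil
}

// issueFromCSR self-signs a leaf (test-only; a real CA passes its own parent and key). The
// allowlisted CSR extensions go into ExtraExtensions, which override what Go would generate.
func issueFromCSR(csr *x509.CertificateRequest, key ed25519.PrivateKey) (*x509.Certificate, error) {
	exts, err := allowedCSRExtensions(csr)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: csr.Subject, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtraExtensions: exts}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// constructedCSR is sample input: a CSR asking for serverAuth+clientAuth EKUs and, improperly, CA:TRUE.
func constructedCSR() (*x509.CertificateRequest, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	eku, _ := asn1.Marshal([]asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 1}, {1, 3, 6, 1, 5, 5, 7, 3, 2}})
	ca, _ := asn1.Marshal(struct{ IsCA bool }{true})
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: "example.test"},
		ExtraExtensions: []pkix.Extension{{Id: oidEKU, Critical: true, Value: eku}, {Id: oidBasicCons, Critical: true, Value: ca}},
	}, key)
	csr, _ := x509.ParseCertificateRequest(der)
	return csr, key
}
```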
The link should go to: https://github.com/yahoo/crypki/blob/master/config/testdata/testconf-good.json
Hi,
I'm trying to run the docker container for crypki. After building, when I run it I get this error:
github.com/theparanoids/crypki/pkcs11.publicRSA(0xc000155640)
/home/runner/work/crypki/crypki/pkcs11/rsa.go:41 +0x31d
github.com/theparanoids/crypki/pkcs11.(*p11Signer).Public(0x0)
/home/runner/work/crypki/crypki/pkcs11/p11signer.go:76 +0x3a
github.com/theparanoids/crypki/x509cert.GenCACert(0xc0001e33e8, {0x7fe4c033beb8, 0xc000155640}, {0xc00011b990, 0x9}, {0xc0001b57d0, 0x2, 0x2}, 0x2, 0x3)
/home/runner/work/crypki/crypki/x509cert/x509.go:55 +0x407
github.com/theparanoids/crypki/pkcs11.getX509CACert({_, _}, {{0xc00011b8e8, 0x8}, 0x26693e95, {0x0, 0x0}, {0xc000144750, 0x15}, {0xc00011b8f0, ...}, ...}, ...)
/home/runner/work/crypki/crypki/pkcs11/signer.go:382 +0x645
github.com/theparanoids/crypki/pkcs11.NewCertSign({0xa75078, 0xc000154f80}, {0xc000140660, 0xc000203000}, {0xc0001d2d80, 0x4, 0x4}, 0x18, {0xc00011b990, 0x9}, ...)
/home/runner/work/crypki/crypki/pkcs11/signer.go:163 +0x4c5
github.com/theparanoids/crypki/server.Main()
/home/runner/work/crypki/crypki/server/server.go:171 +0x5e5
main.main()
/home/runner/work/crypki/crypki/cmd/crypki/main.go:10 +0x17
In server.log -> pkcs11: 0x12: CKR_ATTRIBUTE_TYPE_INVALID
My question is: is this a bug, or am I missing something in the project configuration?
I'm attempting to follow the README instructions to build the Docker image but am running into an error when init_hsm.sh executes.
crypki $> docker build -f docker-softhsm/Dockerfile -t crypki-local .
[+] Building 39.3s (16/16) FINISHED
.....
=> ERROR [stage-1 7/7] RUN mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh 8.9s
------
> [stage-1 7/7] RUN mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh:
#16 0.311 Get:1 http://deb.debian.org/debian sid InRelease [161 kB]
.....
#16 8.893 + /usr/bin/pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin 123456 --slot 1037941344 --keypairgen --label user_ssh --key-type EC:prime384v1 --private
#16 8.895 sc_dlopen failed: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so: cannot open shared object file: No such file or directory
#16 8.895 error: Failed to load pkcs11 module
#16 8.895 Aborting.
------
executor failed running [/bin/sh -c mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh]: exit code: 1
The file /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so does not exist even after apt-get install -y softhsm opensc openssl successfully completes. Further investigation shows that the package actually installs the .so to /usr/lib/softhsm/libsofthsm2.so.
Changing the modulepath in init_hsm.sh allows the script to complete successfully and the image to be created.
The total diff is:
diff --git a/docker-softhsm/init_hsm.sh b/docker-softhsm/init_hsm.sh
index 3bd8741..92814bd 100755
--- a/docker-softhsm/init_hsm.sh
+++ b/docker-softhsm/init_hsm.sh
@@ -24,7 +24,7 @@ error() {
SOPIN=1234
USERPIN=123456
-modulepath="/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
+modulepath="/usr/lib/softhsm/libsofthsm2.so"
slot_pubkeys_path="/opt/crypki/slot_pubkeys"
user_ssh_label="user_ssh"
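Review bot: the replacement line `+modulepath="/usr/lib/softhsm/libsofthsm2.so"` swaps one hardcoded location for another, so the next packaging move fails the same way, with pkcs11-tool's `sc_dlopen failed ... No such file or directory` instead of a message that names the script's assumption. Since the hunk header shows the script already defines an `error()` helper, consider failing fast right after the assignment, e.g. `[ -f "$modulepath" ] || error "PKCS#11 module not found at $modulepath"`, so a missing module is reported before any key generation is attempted.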
I'm running this on an Apple M1 MacBook Pro, which may be the root cause.
Are others running into this issue as well? I'm happy to submit a PR with this change if so.