theparanoids / crypki Goto Github PK

v1.9.0 release notes says add TokenLabel support. But I found that v1.9.0 tag is associated with 0606760, not 8613f4d(TokenLabel support), so v1.9.0 doesn't support TokenLabel.

Is there any schedule for the release?
I'm looking forward to release. Thanks.

One can build SoftHSMv2 on Mac and it should be possible to use it as the HSM for the development or testing crypki instance. It would be helpful to have detailed instructions on how to do it.

Two possible changes. Either:

• Make the log flags configurable, or
• Add -LUTC and -Lmicroseconds to the standard log flags.

One of these two changes would be highly desirable.

When using the same slot with multiple keyUsages, crypki returns CKR_USER_ALREADY_LOGGED_IN .

 server.go:149: unable to initialize cert signer: unable to initialize key with identifier "ssh-host-key": error making dummy signer: makeSigner: error in Login: pkcs11: 0x100: CKR_USER_ALREADY_LOGGED_IN

config is like below.

...
    "Keys": [
        {
            "Identifier": "ssh-user-key",
            "KeyLabel": "user_ssh",
            "SlotNumber": 11111,
            "UserPinPath": "slot_pwd.txt"
        },
        {
            "Identifier": "ssh-host-key",
            "KeyLabel": "host_ssh",
            "SlotNumber": 11111,
            "UserPinPath": "slot_pwd.txt"
        },
...

If below line change, it works well.
https://github.com/yahoo/crypki/blob/f33a9e6a39cf9a0466ad1dc84f525852e7498268/pkcs11/p11signer.go#L30

if err = context.Login(session, p11.CKU_USER, userPin); err != nil && !strings.Contains(err.Error(), "CKR_USER_ALREADY_LOGGED_IN") {

The config value of TLSClientAuthMode is fixed on "RequireAndVerifyClientCert"(4) on TLS server whichever value is set.

https://github.com/yahoo/crypki/blob/8e3d5535f79a1a106fcf89e2b9a9a8ce04fff06a/server/server.go#L57

Is it a specification? This configuration is only for grpc?

Currently the DecodeRequest function https://github.com/theparanoids/crypki/blob/main/x509cert/encode.go#L16 ignores the ExtraExtensions field of the CSR https://pkg.go.dev/crypto/x509#CertificateRequest.ExtraExtensions. This leads to EKUs specified in the ExtraExtensions of the CSR not being propagated to the generated Certificate and therefore unusable Certificate due to the missing (possibly Critical) EKUs.

The link should go to: https://github.com/yahoo/crypki/blob/master/config/testdata/testconf-good.json

Hi
i trying to run docker container for crypki. After building when i running it i got error:

github.com/theparanoids/crypki/pkcs11.publicRSA(0xc000155640)
/home/runner/work/crypki/crypki/pkcs11/rsa.go:41 +0x31d
github.com/theparanoids/crypki/pkcs11.(*p11Signer).Public(0x0)
/home/runner/work/crypki/crypki/pkcs11/p11signer.go:76 +0x3a
github.com/theparanoids/crypki/x509cert.GenCACert(0xc0001e33e8, {0x7fe4c033beb8, 0xc000155640}, {0xc00011b990, 0x9}, {0xc0001b57d0, 0x2, 0x2}, 0x2, 0x3)
/home/runner/work/crypki/crypki/x509cert/x509.go:55 +0x407
github.com/theparanoids/crypki/pkcs11.getX509CACert({_, _}, {{0xc00011b8e8, 0x8}, 0x26693e95, {0x0, 0x0}, {0xc000144750, 0x15}, {0xc00011b8f0, ...}, ...}, ...)
/home/runner/work/crypki/crypki/pkcs11/signer.go:382 +0x645
github.com/theparanoids/crypki/pkcs11.NewCertSign({0xa75078, 0xc000154f80}, {0xc000140660, 0xc000203000}, {0xc0001d2d80, 0x4, 0x4}, 0x18, {0xc00011b990, 0x9}, ...)
/home/runner/work/crypki/crypki/pkcs11/signer.go:163 +0x4c5
github.com/theparanoids/crypki/server.Main()
/home/runner/work/crypki/crypki/server/server.go:171 +0x5e5
main.main()
/home/runner/work/crypki/crypki/cmd/crypki/main.go:10 +0x17

In server.log -> pkcs11: 0x12: CKR_ATTRIBUTE_TYPE_INVALID

My question is this is a bug or i missing something configure on project?

I'm attempting to follow the README instructions to build the Docker image but am running into an error wheninit_hsm.sh executes.

crypki $> docker build -f docker-softhsm/Dockerfile -t crypki-local .
[+] Building 39.3s (16/16) FINISHED
.....
 => ERROR [stage-1 7/7] RUN mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh                              8.9s
------
 > [stage-1 7/7] RUN mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh:
#16 0.311 Get:1 http://deb.debian.org/debian sid InRelease [161 kB]
.....
#16 8.893 + /usr/bin/pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin 123456 --slot 1037941344 --keypairgen --label user_ssh --key-type EC:prime384v1 --private
#16 8.895 sc_dlopen failed: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so: cannot open shared object file: No such file or directory
#16 8.895 error: Failed to load pkcs11 module
#16 8.895 Aborting.
------
executor failed running [/bin/sh -c mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh]: exit code: 1

The file /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so does not exist even after apt-get install -y softhsm opensc openssl successfully completes. Further investigation shows that package actually installs the .so to /usr/lib/softhsm/libsofthsm2.so.

Changing the modulepath in init_hsm.sh allows the script to complete successfully and the image to be created.

Total diff is

diff --git a/docker-softhsm/init_hsm.sh b/docker-softhsm/init_hsm.sh
index 3bd8741..92814bd 100755
--- a/docker-softhsm/init_hsm.sh
+++ b/docker-softhsm/init_hsm.sh
@@ -24,7 +24,7 @@ error() {
 SOPIN=1234
 USERPIN=123456

-modulepath="/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
+modulepath="/usr/lib/softhsm/libsofthsm2.so"
 slot_pubkeys_path="/opt/crypki/slot_pubkeys"

 user_ssh_label="user_ssh"

I'm running this on an Apple M1 Macbook Pro, which may be the root cause.

Are others running into this issue as well? I'm happy to submit a PR with this change if so.