-
Notifications
You must be signed in to change notification settings - Fork 43
/
key.go
453 lines (406 loc) · 16 KB
/
key.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
// Package pkcs11key implements crypto.Signer for PKCS #11 private keys.
// See https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.pdf
// for details of the Cryptoki PKCS#11 API.
// See https://github.com/letsencrypt/pkcs11key/blob/master/test.sh for examples
// of how to test and/or benchmark.
// Latest version of this package is v4: import "github.com/letsencrypt/pkcs11key/v4"
package pkcs11key
import (
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa"
"encoding/asn1"
"errors"
"fmt"
"io"
"math/big"
"sync"
"github.com/miekg/pkcs11"
)
// from src/pkg/crypto/rsa/pkcs1v15.go
var hashPrefixes = map[crypto.Hash][]byte{
crypto.MD5: {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
crypto.SHA1: {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14},
crypto.SHA224: {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
crypto.SHA256: {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
crypto.SHA384: {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
crypto.MD5SHA1: {}, // A special TLS case which doesn't use an ASN1 prefix.
crypto.RIPEMD160: {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14},
}
// from src/pkg/crypto/x509/x509.go
var (
oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
)
var curveOIDs = map[string]asn1.ObjectIdentifier{
"P-224": oidNamedCurveP224,
"P-256": oidNamedCurveP256,
"P-384": oidNamedCurveP384,
"P-521": oidNamedCurveP521,
}
// ctx defines the subset of pkcs11.ctx's methods that we use, so we can inject
// a different ctx for testing.
type ctx interface {
CloseSession(sh pkcs11.SessionHandle) error
FindObjectsFinal(sh pkcs11.SessionHandle) error
FindObjectsInit(sh pkcs11.SessionHandle, temp []*pkcs11.Attribute) error
FindObjects(sh pkcs11.SessionHandle, max int) ([]pkcs11.ObjectHandle, bool, error)
GetAttributeValue(sh pkcs11.SessionHandle, o pkcs11.ObjectHandle, a []*pkcs11.Attribute) ([]*pkcs11.Attribute, error)
GetSlotList(tokenPresent bool) ([]uint, error)
GetTokenInfo(slotID uint) (pkcs11.TokenInfo, error)
Initialize() error
Login(sh pkcs11.SessionHandle, userType uint, pin string) error
Logout(sh pkcs11.SessionHandle) error
OpenSession(slotID uint, flags uint) (pkcs11.SessionHandle, error)
SignInit(sh pkcs11.SessionHandle, m []*pkcs11.Mechanism, o pkcs11.ObjectHandle) error
Sign(sh pkcs11.SessionHandle, message []byte) ([]byte, error)
}
// Key is an implementation of the crypto.Signer interface using a key stored
// in a PKCS#11 hardware token. This enables the use of PKCS#11 tokens with
// the Go x509 library's methods for signing certificates.
//
// Each Key represents one session. Its session handle is protected internally
// by a mutex, so at most one Sign operation can be active at a time. For best
// performance you may want to instantiate multiple Keys using pkcs11key.Pool.
// Each one will have its own session and can be used concurrently. Note that
// some smartcards like the Yubikey Neo do not support multiple simultaneous
// sessions and will error out on creation of the second Key object.
//
// Note: If you instantiate multiple Keys without using Pool, it is *highly*
// recommended that you create all your Key objects serially, on your main
// thread, checking for errors each time, and then farm them out for use by
// different goroutines. If you fail to do this, your application may attempt
// to login repeatedly with an incorrect PIN, locking the PKCS#11 token.
type Key struct {
// The PKCS#11 library to use
module ctx
// The label of the token to be used (mandatory).
// We will automatically search for this in the slot list.
tokenLabel string
// The PIN to be used to log in to the device
pin string
// The public key corresponding to the private key.
publicKey crypto.PublicKey
// The an ObjectHandle pointing to the private key on the HSM.
privateKeyHandle pkcs11.ObjectHandle
// A handle to the session used by this Key.
session *pkcs11.SessionHandle
sessionMu sync.Mutex
// True if the private key has the CKA_ALWAYS_AUTHENTICATE attribute set.
alwaysAuthenticate bool
}
var modules = make(map[string]ctx)
var modulesMu sync.Mutex
// initialize loads the given PKCS#11 module (shared library) if it is not
// already loaded. It's an error to load a PKCS#11 module multiple times, so we
// maintain a map of loaded modules. Note that there is no facility yet to
// unload a module ("finalize" in PKCS#11 parlance). In general, modules will
// be unloaded at the end of the process. The only place where you are likely
// to need to explicitly unload a module is if you fork your process after a
// Key has already been created, and the child process also needs to use
// that module.
func initialize(modulePath string) (ctx, error) {
modulesMu.Lock()
defer modulesMu.Unlock()
module, ok := modules[modulePath]
if ok {
return module, nil
}
newModule := pkcs11.New(modulePath)
if newModule == nil {
return nil, fmt.Errorf("failed to load module '%s'", modulePath)
}
err := newModule.Initialize()
if err != nil {
return nil, fmt.Errorf("failed to initialize module: %s", err)
}
modules[modulePath] = ctx(newModule)
return ctx(newModule), nil
}
// New instantiates a new handle to a PKCS #11-backed key.
//
// This function will find the private key to sign with by finding a copy of the
// provided public key in the token, then looking for a private key object that
// has the same CKA_ID as that public key. From
// https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.pdf:
//
// "The CKA_ID field is intended to distinguish among multiple keys. In
// the case of public and private keys, this field assists in handling
// multiple keys held by the same subject; the key identifier for a
// public key and its corresponding private key should be the same."
func New(modulePath, tokenLabel, pin string, publicKey crypto.PublicKey) (*Key, error) {
module, err := initialize(modulePath)
if err != nil {
return nil, fmt.Errorf("pkcs11key: %s", err)
}
if module == nil {
err = fmt.Errorf("pkcs11key: nil module")
return nil, err
}
// Initialize a partial key
ps := &Key{
module: module,
tokenLabel: tokenLabel,
pin: pin,
publicKey: publicKey,
}
err = ps.setup()
if err != nil {
return nil, fmt.Errorf("pkcs11key: %s", err)
}
return ps, nil
}
// findObject finds an object in the PKCS#11 token according to a template. It
// returns error if there is not exactly one result, or if there was an error
// during the find calls. It must be called with the ps.sessionMu lock held.
func (ps *Key) findObject(template []*pkcs11.Attribute) (pkcs11.ObjectHandle, error) {
if err := ps.module.FindObjectsInit(*ps.session, template); err != nil {
return 0, err
}
handles, moreAvailable, err := ps.module.FindObjects(*ps.session, 1)
if err != nil {
return 0, err
}
if moreAvailable {
return 0, errors.New("too many objects returned from FindObjects")
}
if err = ps.module.FindObjectsFinal(*ps.session); err != nil {
return 0, err
} else if len(handles) == 0 {
return 0, errors.New("no objects found")
}
return handles[0], nil
}
// getPublicKeyID looks up the given public key in the PKCS#11 token, and
// returns its ID as a []byte, for use in looking up the corresponding private
// key. It must be called with the ps.sessionMu lock held.
func (ps *Key) getPublicKeyID(publicKey crypto.PublicKey) ([]byte, error) {
var template []*pkcs11.Attribute
switch key := publicKey.(type) {
case *rsa.PublicKey:
template = []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_RSA),
pkcs11.NewAttribute(pkcs11.CKA_MODULUS, key.N.Bytes()),
pkcs11.NewAttribute(pkcs11.CKA_PUBLIC_EXPONENT, big.NewInt(int64(key.E)).Bytes()),
}
case *ecdsa.PublicKey:
// https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.html#_ftn1
// PKCS#11 v2.20 specified that the CKA_EC_POINT was to be store in a DER-encoded
// OCTET STRING.
rawValue := asn1.RawValue{
Tag: 4, // in Go 1.6+ this is asn1.TagOctetString
Bytes: elliptic.Marshal(key.Curve, key.X, key.Y),
}
marshalledPoint, err := asn1.Marshal(rawValue)
if err != nil {
return nil, err
}
curveOID, err := asn1.Marshal(curveOIDs[key.Curve.Params().Name])
if err != nil {
return nil, err
}
template = []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC),
pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, curveOID),
pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, marshalledPoint),
}
default:
return nil, fmt.Errorf("unsupported public key of type %T", publicKey)
}
publicKeyHandle, err := ps.findObject(template)
if err != nil {
return nil, err
}
attrs, err := ps.module.GetAttributeValue(*ps.session, publicKeyHandle, []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_ID, nil),
})
if err != nil {
return nil, err
}
if len(attrs) > 0 && attrs[0].Type == pkcs11.CKA_ID {
return attrs[0].Value, nil
}
return nil, fmt.Errorf("invalid result from GetAttributeValue")
}
func (ps *Key) setup() error {
// Open a session
ps.sessionMu.Lock()
defer ps.sessionMu.Unlock()
session, err := ps.openSession()
if err != nil {
return fmt.Errorf("pkcs11key: opening session: %s", err)
}
ps.session = &session
publicKeyID, err := ps.getPublicKeyID(ps.publicKey)
if err != nil {
ps.module.CloseSession(session)
return fmt.Errorf("looking up public key: %s", err)
}
// Fetch the private key by matching its id to the public key handle.
privateKeyHandle, err := ps.getPrivateKey(ps.module, session, publicKeyID)
if err != nil {
ps.module.CloseSession(session)
return fmt.Errorf("getting private key: %s", err)
}
ps.privateKeyHandle = privateKeyHandle
return nil
}
// getPrivateKey gets a handle to the private key whose CKA_ID matches the
// provided publicKeyID. It must be called with the ps.sessionMu lock held.
func (ps *Key) getPrivateKey(module ctx, session pkcs11.SessionHandle, publicKeyID []byte) (pkcs11.ObjectHandle, error) {
var noHandle pkcs11.ObjectHandle
privateKeyHandle, err := ps.findObject([]*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
pkcs11.NewAttribute(pkcs11.CKA_ID, publicKeyID),
})
if err != nil {
return noHandle, err
}
// Check whether the key has the CKA_ALWAYS_AUTHENTICATE attribute.
// If so, fail: we don't want to have to re-authenticate for each sign
// operation.
attributes, err := module.GetAttributeValue(session, privateKeyHandle, []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_ALWAYS_AUTHENTICATE, false),
})
// The PKCS#11 spec states that C_GetAttributeValue may return
// CKR_ATTRIBUTE_TYPE_INVALID if an object simply does not posses a given
// attribute. We don't consider that an error: the absence of the
// CKR_ATTRIBUTE_TYPE_INVALID property is just fine.
if err != nil && err == pkcs11.Error(pkcs11.CKR_ATTRIBUTE_TYPE_INVALID) {
return privateKeyHandle, nil
} else if err != nil {
return noHandle, err
}
if len(attributes) > 0 && len(attributes[0].Value) > 0 && attributes[0].Value[0] == 1 {
ps.alwaysAuthenticate = true
}
return privateKeyHandle, nil
}
// Destroy tears down a Key by closing the session. It should be
// called before the key gets GC'ed, to avoid leaving dangling sessions.
func (ps *Key) Destroy() error {
if ps.session != nil {
// NOTE: We do not want to call module.Logout here. module.Logout applies
// application-wide. So if there are multiple sessions active, the other ones
// would be logged out as well, causing CKR_OBJECT_HANDLE_INVALID next
// time they try to sign something. It's also unnecessary to log out explicitly:
// module.CloseSession will log out once the last session in the application is
// closed.
ps.sessionMu.Lock()
defer ps.sessionMu.Unlock()
err := ps.module.CloseSession(*ps.session)
ps.session = nil
if err != nil {
return fmt.Errorf("pkcs11key: close session: %s", err)
}
}
return nil
}
func (ps *Key) openSession() (pkcs11.SessionHandle, error) {
var noSession pkcs11.SessionHandle
slots, err := ps.module.GetSlotList(true)
if err != nil {
return noSession, err
}
for _, slot := range slots {
// Check that token label matches.
tokenInfo, err := ps.module.GetTokenInfo(slot)
if err != nil {
return noSession, err
}
if tokenInfo.Label != ps.tokenLabel {
continue
}
// Open session
session, err := ps.module.OpenSession(slot, pkcs11.CKF_SERIAL_SESSION)
if err != nil {
return session, err
}
// Login
// Note: Logged-in status is application-wide, not per session. But in
// practice it appears to be okay to login to a token multiple times with the same
// credentials.
if err = ps.module.Login(session, pkcs11.CKU_USER, ps.pin); err != nil {
if err == pkcs11.Error(pkcs11.CKR_USER_ALREADY_LOGGED_IN) {
// But if the token says we're already logged in, it's ok.
err = nil
} else {
ps.module.CloseSession(session)
return session, err
}
}
return session, err
}
return noSession, fmt.Errorf("no slot found matching token label %q", ps.tokenLabel)
}
// Public returns the public key for the PKCS #11 key.
func (ps *Key) Public() crypto.PublicKey {
return ps.publicKey
}
// Sign performs a signature using the PKCS #11 key.
func (ps *Key) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
ps.sessionMu.Lock()
defer ps.sessionMu.Unlock()
if ps.session == nil {
return nil, errors.New("pkcs11key: session was nil")
}
// When the alwaysAuthenticate bit is true (e.g. on a Yubikey NEO in PIV mode),
// each Sign has to include a Logout/Login, or the next Sign request will get
// CKR_USER_NOT_LOGGED_IN. This is very slow, but on the NEO it's not possible
// to clear the CKA_ALWAYS_AUTHENTICATE bit, so this is the only available
// workaround.
// Also, since logged in / logged out is application state rather than session
// state, we take a global lock while we do the logout and login, and during
// the signing.
if ps.alwaysAuthenticate {
modulesMu.Lock()
defer modulesMu.Unlock()
if err := ps.module.Logout(*ps.session); err != nil {
return nil, fmt.Errorf("pkcs11key: logout: %s", err)
}
if err = ps.module.Login(*ps.session, pkcs11.CKU_CONTEXT_SPECIFIC, ps.pin); err != nil {
return nil, fmt.Errorf("pkcs11key: login: %s", err)
}
}
// Verify that the length of the hash is as expected
hash := opts.HashFunc()
hashLen := hash.Size()
if len(msg) != hashLen {
err = fmt.Errorf("pkcs11key: input size does not match hash function output size: %d vs %d", len(msg), hashLen)
return
}
// Add DigestInfo prefix
var mechanism []*pkcs11.Mechanism
var signatureInput []byte
switch ps.publicKey.(type) {
case *rsa.PublicKey:
mechanism = []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)}
prefix, ok := hashPrefixes[hash]
if !ok {
err = errors.New("pkcs11key: unknown hash function")
return
}
signatureInput = append(prefix, msg...)
case *ecdsa.PublicKey:
mechanism = []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)}
signatureInput = msg
default:
return nil, fmt.Errorf("unrecognized key type %T", ps.publicKey)
}
// Perform the sign operation
err = ps.module.SignInit(*ps.session, mechanism, ps.privateKeyHandle)
if err != nil {
return nil, fmt.Errorf("pkcs11key: sign init: %s", err)
}
signature, err = ps.module.Sign(*ps.session, signatureInput)
if err != nil {
return nil, fmt.Errorf("pkcs11key: sign: %s", err)
}
return
}