Git Product home page Git Product logo

go-p11-kit's Introduction

PKCS #11 modules in Go without cgo

Go Reference

This project implements p11-kit RPC server protocol, allowing Go programs to act as a PKCS #11 module without the need for cgo. Clients load the p11-kit-client.so shared library, then communicate over RPC to the Go server.

       ------------------------
       | client (e.g. Chrome) |
       ------------------------
                 |
     (PKCS #11 - shared library)
                 ↓ 
        ---------------------
        | p11-kit-client.so |
        ---------------------
                 |
        (RPC over unix socket)
                 ↓ 
---------------------------------------
| github.com/google/go-p11-kit/p11kit |
---------------------------------------

Demo

The example directory contains a demo server that reads keys and certificates from disk and serves them on a unix socket. To build and start the server, run the following commands:

go build -o bin/example-p11-kit-server ./example/example-p11-kit-server
./bin/example-p11-kit-server --priv example/priv.pem --pub example/pub.pem --cert example/cert.pem

The server will print out an environment variable to set similar to:

export P11_KIT_SERVER_ADDRESS=unix:path=/tmp/1056705225/p11kit.sock

In another shell, export the environment variable, and use p11-kit-client.so to query the example server:

$ export P11_KIT_SERVER_ADDRESS=unix:path=/tmp/1056705225/p11kit.sock
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so --list-slots
Available slots:
Slot 0 (0x1): example-slot
  token label        : example
  token manufacturer : go-p11-kit
  token model        : example-server
  token flags        : token initialized, readonly
  hardware version   : 0.1
  firmware version   : 0.1
  serial num         : 12345678
  pin min/max        : 0/0
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so --list-objects
Using slot 0 with a present token (0x1)
Certificate Object; type = X.509 cert
  subject:    DN: CN=test
Private Key Object; RSA
  Usage:      decrypt, sign
  Access:     none
Public Key Object; RSA 256 bits
  Usage:      encrypt, verify
  Access:     none

go-p11-kit's People

Contributors

cradiator avatar ericchiang avatar gerow avatar hunterking-google avatar joelferrier avatar mwielgoszewski avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar

Forkers

ericchiang cyberflamego frankfanslc cradiator neversphere hunterking-google gerow joelferrier isabella232 mwielgoszewski iq-scm usbarmory

go-p11-kit's Issues

Functions missing to support gnutls or managed p11-kit modules

#20 includes additional context here.

$ cat /usr/share/p11-kit/modules/gop11kit.module 
remote: |/home/gerow/repos/go-p11-kit/bin/example-p11-kit-server --priv /home/gerow/repos/go-p11-kit/example/priv.pem --pub /home/gerow/repos/go-p11-kit/example/pub.pem --cert /home/gerow/repos/go-p11-kit/example/cert.pem --stdio

$ p11tool --list-all
warning: no token URL was provided for this operation; the available tokens are:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example
2022/04/27 16:41:37 Handling over stdio: read request: reading request header: EOF

$ gnutls-cli google.com --app-proto=https --x509keyfile='pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example' --x509certfile='pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example'
Processed 141 CA certificate(s).
2022/04/27 16:42:49 Error with C_GetSessionInfo: CKR_FUNCTION_NOT_SUPPORTED
Token 'example' with URL 'pkcs11:model=example-server;manufacturer=go-p11-kit;serial=12345678;token=example' requires user PIN
Enter PIN: 
2022/04/27 16:42:52 Error with C_Login: CKR_FUNCTION_NOT_SUPPORTED
*** Error loading cert file.
2022/04/27 16:42:52 Handling over stdio: read request: reading request header: EOF

Seems we should just need to add support for C_GetSessionInfo if we want to be able to convince gnutls that we don't need a pin for the token.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.