388ee880d2
- Upgrade github.com/containerd/imgcrypt to prepare for typeurl upgrade (see https://github.com/containerd/imgcrypt/pull/72) - Upgrade github.com/opencontainers/image-spec since imgcrypto needs at least 1.0.2. Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| error.go | ||
| hsm.db | ||
| LICENSE | ||
| Makefile.release | ||
| params.go | ||
| pkcs11.go | ||
| pkcs11.h | ||
| pkcs11f.h | ||
| pkcs11go.h | ||
| pkcs11t.h | ||
| README.md | ||
| release.go | ||
| softhsm2.conf | ||
| softhsm.conf | ||
| types.go | ||
| vendor.go | ||
| zconst.go | ||
PKCS#11
This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom where it makes sense. It has been tested with SoftHSM.
SoftHSM
-
Make it use a custom configuration file
export SOFTHSM_CONF=$PWD/softhsm.conf -
Then use
softhsmto init itsofthsm --init-token --slot 0 --label test --pin 1234 -
Then use
libsofthsm2.soas the pkcs11 module:p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
Examples
A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
err := p.Initialize()
if err != nil {
panic(err)
}
defer p.Destroy()
defer p.Finalize()
slots, err := p.GetSlotList(true)
if err != nil {
panic(err)
}
session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
if err != nil {
panic(err)
}
defer p.CloseSession(session)
err = p.Login(session, pkcs11.CKU_USER, "1234")
if err != nil {
panic(err)
}
defer p.Logout(session)
p.DigestInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_SHA_1, nil)})
hash, err := p.Digest(session, []byte("this is a string"))
if err != nil {
panic(err)
}
for _, d := range hash {
fmt.Printf("%x", d)
}
fmt.Println()
Further examples are included in the tests.
To expose PKCS#11 keys using the crypto.Signer interface, please see github.com/thalesignite/crypto11.