Add support for HSMs

go.mod

@@ -3,7 +3,10 @@ module github.com/foundriesio/fioconfig
 go 1.13
 
 require (
+	github.com/ThalesIgnite/crypto11 v1.2.1
 	github.com/ethereum/go-ethereum v1.9.11
 	github.com/pelletier/go-toml v1.8.0
 	github.com/urfave/cli/v2 v2.2.0
 )
+
+replace github.com/ThalesIgnite/crypto11 => github.com/doanac/crypto11 v1.2.2-0.20200715151421-f3d2e17ac497

go.sum

@@ -15,6 +15,7 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OneOfOne/xxhash v1.2.5/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
 github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/ThalesIgnite/crypto11 v1.2.1/go.mod h1:vmlYtalkn8uCp3eStRZ0r7Sslmf1jAtL8De0PIyqPks=
 github.com/VictoriaMetrics/fastcache v1.5.3/go.mod h1:+jv9Ckb+za/P1ZRg/sulP5Ni1v49daAVERr0H3CuscE=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -37,6 +38,8 @@ github.com/deckarep/golang-set v0.0.0-20180603214616-504e848d77ea/go.mod h1:93vs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dlclark/regexp2 v1.2.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
+github.com/doanac/crypto11 v1.2.2-0.20200715151421-f3d2e17ac497 h1:iyvvQeLbHqdu5L6x8OJLZ7rZb4tvoBs0h5liRkvIh6M=
+github.com/doanac/crypto11 v1.2.2-0.20200715151421-f3d2e17ac497/go.mod h1:vmlYtalkn8uCp3eStRZ0r7Sslmf1jAtL8De0PIyqPks=
 github.com/docker/docker v1.4.2-0.20180625184442-8e610b2b55bf/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/dop251/goja v0.0.0-20200106141417-aaec0e7bde29/go.mod h1:Mw6PkjjMXWbTj+nnj4s3QPXq1jaT0s5pC0iFD4+BOAA=
 github.com/edsrzf/mmap-go v0.0.0-20160512033002-935e0e8a636c/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
@@ -79,6 +82,8 @@ github.com/mattn/go-isatty v0.0.5-0.20180830101745-3fb116b82035/go.mod h1:M+lRXT
 github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f h1:eVB9ELsoq5ouItQBr5Tj334bhPJG/MX+m7rTchmzVUQ=
+github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/naoina/go-stringutil v0.1.0/go.mod h1:XJ2SJL9jCtBh+P9q5btrd/Ylo8XwT/h1USek5+NqSA0=
 github.com/naoina/toml v0.1.2-0.20170918210437-9fafd6967416/go.mod h1:NBIhNtsFMo3G2szEBne+bO4gS192HuIYRqfvOWb4i1E=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
@@ -93,6 +98,7 @@ github.com/pelletier/go-toml v1.8.0 h1:Keo9qb7iRJs2voHvunFtuuYFsbWeOBh8/P9v/kVMF
 github.com/pelletier/go-toml v1.8.0/go.mod h1:D6yutnOGMveHEPV7VQOuvI/gXY61bv+9bAOTRnLElKs=
 github.com/peterh/liner v1.1.1-0.20190123174540-a2c9a5303de7/go.mod h1:CRroGNssyjTd/qIG2FyxByd2S8JEAZXBl4qUrZf8GS0=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -117,6 +123,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/syndtr/goleveldb v1.0.1-0.20190923125748-758128399b1d/go.mod h1:9OrXJhf154huy1nPWmuSrkgjPUtUNhA+Zmy+6AESzuA=
+github.com/thales-e-security/pool v0.0.1 h1:1eJJNN2K/mAzwfr546brAiQVa3UaRC0gGENsHM8veS8=
+github.com/thales-e-security/pool v0.0.1/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/tyler-smith/go-bip39 v1.0.1-0.20181017060643-dbb3b84ba2ef/go.mod h1:sJ5fKU0s6JVwZjjcUEX2zFOnvq0ASQ2K9Zr6cf67kNs=
 github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=

internal/app.go

@@ -15,6 +15,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/ThalesIgnite/crypto11"
 	toml "github.com/pelletier/go-toml"
 )
 
@@ -56,10 +57,72 @@ func tomlAssertVal(tree *toml.Tree, key string, allowed []string) string {
 	return val
 }
 
-func createClient(sota *toml.Tree) (*http.Client, CryptoHandler) {
-	_ = tomlAssertVal(sota, "tls.ca_source", []string{"file"})
-	_ = tomlAssertVal(sota, "tls.pkey_source", []string{"file"})
-	_ = tomlAssertVal(sota, "tls.cert_source", []string{"file"})
+// sota.toml has slot id's as "01". We need to turn that into []byte{1}
+func idToBytes(id string) []byte {
+	bytes := []byte(id)
+	start := -1
+	for idx, char := range bytes {
+		bytes[idx] = char - byte('0')
+		if bytes[idx] != 0 && start == -1 {
+			start = idx
+		}
+	}
+	//strip off leading 0's
+	return bytes[start:]
+}
+
+func createClientPkcs11(sota *toml.Tree) (*http.Client, CryptoHandler) {
+	module := tomlGet(sota, "p11.module")
+	pin := tomlGet(sota, "p11.pass")
+	pkeyId := tomlGet(sota, "p11.tls_pkey_id")
+	certId := tomlGet(sota, "p11.tls_clientcert_id")
+	caFile := tomlGet(sota, "import.tls_cacert_path")
+
+	cfg := crypto11.Config{
+		Path:       module,
+		TokenLabel: "aktualizr",
+		Pin:        pin,
+	}
+
+	ctx, err := crypto11.Configure(&cfg)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	privKey, err := ctx.FindKeyPair(idToBytes(pkeyId), nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+	cert, err := ctx.FindCertificate(idToBytes(certId), nil, nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if cert == nil || privKey == nil {
+		log.Fatal("Unable to load pkcs11 client cert and/or private key")
+	}
+
+	caCert, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		log.Fatal(err)
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{
+			tls.Certificate{
+				Certificate: [][]byte{cert.Raw},
+				PrivateKey:  privKey,
+			},
+		},
+		RootCAs: caCertPool,
+	}
+	transport := &http.Transport{TLSClientConfig: tlsConfig}
+	client := &http.Client{Timeout: time.Second * 30, Transport: transport}
+	return client, NewEciesPkcs11Handler(ctx, privKey)
+}
+
+func createClientLocal(sota *toml.Tree) (*http.Client, CryptoHandler) {
 	certFile := tomlGet(sota, "import.tls_clientcert_path")
 	keyFile := tomlGet(sota, "import.tls_pkey_path")
 	caFile := tomlGet(sota, "import.tls_cacert_path")
@@ -83,12 +146,22 @@ func createClient(sota *toml.Tree) (*http.Client, CryptoHandler) {
 	transport := &http.Transport{TLSClientConfig: tlsConfig}
 	client := &http.Client{Timeout: time.Second * 30, Transport: transport}
 
-	if handler := NewEciesHandler(cert.PrivateKey); handler != nil {
+	if handler := NewEciesLocalHandler(cert.PrivateKey); handler != nil {
 		return client, handler
 	}
 	panic("Unsupported private key")
 }
 
+func createClient(sota *toml.Tree) (*http.Client, CryptoHandler) {
+	_ = tomlAssertVal(sota, "tls.ca_source", []string{"file"})
+	source := tomlAssertVal(sota, "tls.pkey_source", []string{"file", "pkcs11"})
+	_ = tomlAssertVal(sota, "tls.cert_source", []string{source})
+	if source == "file" {
+		return createClientLocal(sota)
+	}
+	return createClientPkcs11(sota)
+}
+
 func NewApp(sota_config, secrets_dir string, testing bool) (*App, error) {
 	sota, err := toml.LoadFile(filepath.Join(sota_config, "sota.toml"))
 	if err != nil {

internal/ecies.go

@@ -6,16 +6,16 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	"github.com/ethereum/go-ethereum/crypto/ecies"
+	"github.com/ThalesIgnite/crypto11"
 )
 
 type EciesCrypto struct {
-	PrivKey *ecies.PrivateKey
+	PrivKey PrivateKey
 }
 
-func NewEciesHandler(privKey crypto.PrivateKey) CryptoHandler {
+func NewEciesLocalHandler(privKey crypto.PrivateKey) CryptoHandler {
 	if ec, ok := privKey.(*ecdsa.PrivateKey); ok {
-		return &EciesCrypto{ecies.ImportECDSA(ec)}
+		return &EciesCrypto{ImportECDSA(ec)}
 	}
 	return nil
 }
@@ -25,9 +25,13 @@ func (ec *EciesCrypto) Decrypt(value string) ([]byte, error) {
 	if err != nil {
 		return nil, fmt.Errorf("Unable to base64 decode: %v", err)
 	}
-	decrypted, err := ec.PrivKey.Decrypt(data, nil, nil)
+	decrypted, err := EciesDecrypt(ec.PrivKey, data, nil, nil)
 	if err != nil {
 		return nil, fmt.Errorf("Unable to ECIES decrypt %v", err)
 	}
 	return decrypted, nil
 }
+
+func NewEciesPkcs11Handler(ctx *crypto11.Context, privKey crypto11.Signer) CryptoHandler {
+	return &EciesCrypto{ImportPcks11(ctx, privKey)}
+}