blacknon/example_p11_getsinger.go

## example_p11_getsinger.go
// Copyright (c) 2020 Blacknon. All rights reserved.
// Use of this source code is governed by an MIT license
// that can be found in the LICENSE file.

// `github.com/miekg/pkcs11/p11`を使って、Yubikey内からsshのCryptoSignerを取得するサンプルコード

package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"log"
	"os"

	"github.com/ThalesIgnite/crypto11"
	"github.com/miekg/pkcs11"
	"github.com/miekg/pkcs11/p11"
	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/terminal"
)

var (
	provider = "/usr/local/lib/opensc-pkcs11.so"
)

// C11 struct
type C11 struct {
	Provider string
	PIN      string
	SlotID   *int

	// Context is crypto11 Context
	Context *crypto11.Context
}

// CreateContext is create and set C11.Context
func (c *C11) CreateContext() (err error) {
	config := &crypto11.Config{
		Path:       c.Provider,
		SlotNumber: c.SlotID,
		Pin:        c.PIN,
	}

	// set c.Context
	c.Context, err = crypto11.Configure(config)
	return
}

// GetSigner is return crypto11.Signer and error
func (c *C11) GetSigner() (signers []crypto.Signer, err error) {
	c11signers, err := c.Context.FindAllKeyPairs()
	if err != nil {
		return
	}

	for _, sig := range c11signers {
		signers = append(signers, sig.(crypto.Signer))
	}

	return
}

// ------

// getPassphrase gets the passphrase from virtual terminal input and returns the result. Works only on UNIX-based OS.
func getPassphrase(msg string) (input string, err error) {
	fmt.Fprintf(os.Stderr, msg)

	// Open /dev/tty
	tty, err := os.Open("/dev/tty")
	if err != nil {
		log.Fatal(err)
	}
	defer tty.Close()

	// get input
	result, err := terminal.ReadPassword(int(tty.Fd()))

	if len(result) == 0 {
		err = fmt.Errorf("err: input is empty")
		return
	}

	input = string(result)
	fmt.Println()
	return
}

func getPIN() (pin string, err error) {
	pin, err = getPassphrase("PKCS11 PIN:")
	return
}

func main() {
	module, err := p11.OpenModule(provider)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	slots, err := module.Slots()
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	for _, slot := range slots {
		tokenInfo, err := slot.TokenInfo()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		fmt.Println(tokenInfo.Label)

		session, err := slot.OpenSession()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}

		// get public key
		pub := []*pkcs11.Attribute{
			pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
		}

		obj, _ := session.FindObjects(pub)
		for _, o := range obj {
			// get label
			l, err := o.Label()
			if err != nil {
				fmt.Fprintln(os.Stderr, err)
				continue
			}

			v, err := o.Value()
			if err != nil {
				fmt.Fprintln(os.Stderr, err)
				continue
			}

			rsaPubKey, err := x509.ParsePKIXPublicKey(v)
			if err != nil {
				fmt.Fprintln(os.Stderr, err)
				continue
			}

			sshKey, ok := rsaPubKey.(*rsa.PublicKey)
			if !ok {
				fmt.Fprintln(os.Stderr, "invalid PEM passed in from user")
				continue
			}

			pub, err := ssh.NewPublicKey(sshKey)
			if err != nil {
				fmt.Fprintln(os.Stderr, err)
				continue
			}

			p := base64.StdEncoding.EncodeToString(pub.Marshal())
			fmt.Println(l, ":", p)
		}

		// // login
		pin, err := getPIN()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}

		// // get signer
		// err = session.Login(pin)
		// if err != nil {
		// 	fmt.Fprintln(os.Stderr, err)
		// 	continue
		// }

		// priv := []*pkcs11.Attribute{
		// 	pkcs11.NewAttribute(pkcs11.CKA_ID, true),
		// 	pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
		// 	pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true),
		// 	pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_RSA),
		// 	// pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
		// }

		// obj, err = session.FindObjects(priv)
		// if err != nil {
		// 	fmt.Fprintln(os.Stderr, err)
		// 	continue
		// }

		// for _, o := range obj {
		// 	fmt.Println(o.Label)

		// 	priv := p11.KeyPair(o.)
		// 	sig := priv.(crypto.Signer)
		// }
	}
}
	// Copyright (c) 2020 Blacknon. All rights reserved.
	// Use of this source code is governed by an MIT license
	// that can be found in the LICENSE file.

	// `github.com/miekg/pkcs11/p11`を使って、Yubikey内からsshのCryptoSignerを取得するサンプルコード

	package main

	import (
	"crypto"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"log"
	"os"

	"github.com/ThalesIgnite/crypto11"
	"github.com/miekg/pkcs11"
	"github.com/miekg/pkcs11/p11"
	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/terminal"
	)

	var (
	provider = "/usr/local/lib/opensc-pkcs11.so"
	)

	// C11 struct
	type C11 struct {
	Provider string
	PIN string
	SlotID *int

	// Context is crypto11 Context
	Context *crypto11.Context
	}

	// CreateContext is create and set C11.Context
	func (c *C11) CreateContext() (err error) {
	config := &crypto11.Config{
	Path: c.Provider,
	SlotNumber: c.SlotID,
	Pin: c.PIN,
	}

	// set c.Context
	c.Context, err = crypto11.Configure(config)
	return
	}

	// GetSigner is return crypto11.Signer and error
	func (c *C11) GetSigner() (signers []crypto.Signer, err error) {
	c11signers, err := c.Context.FindAllKeyPairs()
	if err != nil {
	return
	}

	for _, sig := range c11signers {
	signers = append(signers, sig.(crypto.Signer))
	}

	return
	}

	// ------

	// getPassphrase gets the passphrase from virtual terminal input and returns the result. Works only on UNIX-based OS.
	func getPassphrase(msg string) (input string, err error) {
	fmt.Fprintf(os.Stderr, msg)

	// Open /dev/tty
	tty, err := os.Open("/dev/tty")
	if err != nil {
	log.Fatal(err)
	}
	defer tty.Close()

	// get input
	result, err := terminal.ReadPassword(int(tty.Fd()))

	if len(result) == 0 {
	err = fmt.Errorf("err: input is empty")
	return
	}

	input = string(result)
	fmt.Println()
	return
	}

	func getPIN() (pin string, err error) {
	pin, err = getPassphrase("PKCS11 PIN:")
	return
	}

	func main() {
	module, err := p11.OpenModule(provider)
	if err != nil {
	fmt.Println(err)
	os.Exit(1)
	}

	slots, err := module.Slots()
	if err != nil {
	fmt.Println(err)
	os.Exit(1)
	}

	for _, slot := range slots {
	tokenInfo, err := slot.TokenInfo()
	if err != nil {
	fmt.Fprintln(os.Stderr, err)
	continue
	}
	fmt.Println(tokenInfo.Label)

	session, err := slot.OpenSession()
	if err != nil {
	fmt.Fprintln(os.Stderr, err)
	continue
	}

	// get public key
	pub := []*pkcs11.Attribute{
	pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
	}

	obj, _ := session.FindObjects(pub)
	for _, o := range obj {
	// get label
	l, err := o.Label()
	if err != nil {
	fmt.Fprintln(os.Stderr, err)
	continue
	}

	v, err := o.Value()
	if err != nil {
	fmt.Fprintln(os.Stderr, err)
	continue
	}

	rsaPubKey, err := x509.ParsePKIXPublicKey(v)
	if err != nil {
	fmt.Fprintln(os.Stderr, err)
	continue
	}

	sshKey, ok := rsaPubKey.(*rsa.PublicKey)
	if !ok {
	fmt.Fprintln(os.Stderr, "invalid PEM passed in from user")
	continue
	}

	pub, err := ssh.NewPublicKey(sshKey)
	if err != nil {
	fmt.Fprintln(os.Stderr, err)
	continue
	}

	p := base64.StdEncoding.EncodeToString(pub.Marshal())
	fmt.Println(l, ":", p)
	}

	// // login
	pin, err := getPIN()
	if err != nil {
	fmt.Fprintln(os.Stderr, err)
	continue
	}

	// // get signer
	// err = session.Login(pin)
	// if err != nil {
	// fmt.Fprintln(os.Stderr, err)
	// continue
	// }

	// priv := []*pkcs11.Attribute{
	// pkcs11.NewAttribute(pkcs11.CKA_ID, true),
	// pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
	// pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true),
	// pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_RSA),
	// // pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
	// }

	// obj, err = session.FindObjects(priv)
	// if err != nil {
	// fmt.Fprintln(os.Stderr, err)
	// continue
	// }

	// for _, o := range obj {
	// fmt.Println(o.Label)

	// priv := p11.KeyPair(o.)
	// sig := priv.(crypto.Signer)
	// }
	}
	}