
@jvehent
Created Feb 1, 2019
Small Go program that makes a CSR using a private key in cloudhsm
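// This code requires a configuration file to initialize the crypto11
// library. The "Pin" field holds the HSM crypto-user credential in clear
// text, so restrict the file's permissions to the account running this
// program and keep it out of version control. Use the following config in
// a file named "crypto11.config" in the working directory: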
// {
// "Path" : "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so",
// "TokenLabel": "cavium",
// "Pin" : "$CRYPTO_USER:$PASSWORD"
// }
package main
import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"flag"
"fmt"
"log"
"os"
"github.com/ThalesIgnite/crypto11"
)
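// main builds a PKCS#10 certificate signing request whose signature is
// produced by a private key held in the HSM, and writes the PEM-encoded
// request to stdout. The key is looked up by label, so the private key
// material is never handled by this process directly.
func main() {
	var (
		keyLabel string
		ou       string
		cn       string
		email    string
	)
	flag.StringVar(&keyLabel, "l", "mykey", "Label of the key in the HSM")
	flag.StringVar(&ou, "ou", "Mozilla AMO Production Signing Service,", "OrganizationalUnit of the Subject")
	flag.StringVar(&cn, "cn", "Content Signing Intermediate", "CommonName of the Subject")
	flag.StringVar(&email, "email", "foxsec@mozilla.com", "Email of the Subject")
	flag.Parse()

	// The PKCS#11 module path, token label and PIN all come from this file,
	// which is resolved relative to the current working directory.
	p11Ctx, err := crypto11.ConfigureFromFile("crypto11.config")
	if err != nil {
		log.Fatal(err)
	}

	// Sanity check only: confirm at least one slot with a token present is
	// visible before attempting the key lookup. The slot list itself is not
	// used afterwards.
	slots, err := p11Ctx.GetSlotList(true)
	if err != nil {
		log.Fatalf("Failed to list PKCS#11 Slots: %s", err.Error())
	}
	if len(slots) < 1 {
		log.Fatal("No slot found")
	}

	// Look the key pair up by label only (the id argument is nil).
	privKey, err := crypto11.FindKeyPair(nil, []byte(keyLabel))
	if err != nil {
		log.Fatal(err)
	}

	crtReq := &x509.CertificateRequest{
		Subject: pkix.Name{
			// NOTE(review): the email is embedded in the CommonName string
			// rather than encoded as a separate subject attribute; confirm
			// the issuing CA expects this form.
			CommonName:         fmt.Sprintf("%s/emailAddress=%s", cn, email),
			Organization:       []string{"Mozilla Corporation"},
			OrganizationalUnit: []string{ou},
			Country:            []string{"US"},
		},
		// NOTE(review): cn is copied verbatim into the DNS SAN; the default
		// value contains spaces and is not a hostname, so verify the CA
		// accepts or rewrites it.
		DNSNames: []string{cn},
		// Fixed to ECDSA with SHA-384, so the key behind keyLabel has to be
		// an ECDSA key for request creation to succeed.
		SignatureAlgorithm: x509.ECDSAWithSHA384,
	}
	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, crtReq, privKey)
	if err != nil {
		log.Fatal(err)
	}

	// A failed or short write would otherwise leave a truncated request on
	// stdout while the program still exits 0, so surface the error.
	if err := pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes}); err != nil {
		log.Fatalf("Failed to write CSR: %s", err.Error())
	}
}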

jvehent commented Feb 1, 2019

$ ./makecsr -l csinter201901
        SDK Version: 2.03
-----BEGIN CERTIFICATE REQUEST-----
MIIB3DCCAWECAQAwgacxCzAJBgNVBAYTAlVTMRwwGgYDVQQKExNNb3ppbGxhIENv
cnBvcmF0aW9uMTAwLgYDVQQLEydNb3ppbGxhIEFNTyBQcm9kdWN0aW9uIFNpZ25p
bmcgU2VydmljZSwxSDBGBgNVBAMMP0NOPUNvbnRlbnQgU2lnbmluZyBJbnRlcm1l
ZGlhdGUvZW1haWxBZGRyZXNzPWZveHNlY0Btb3ppbGxhLmNvbTB2MBAGByqGSM49
AgEGBSuBBAAiA2IABHDV3ITFXlo2Ick9r99Uc7qTEmfehktWi0nQPMVkD2vWxB/y
LT6/vw+DT9zedMDJlZ+RQvO86kpgr8YQYG2KzEKQMn4Xc24s+lIiDd9fbmkfQsTX
l+8BIFVyvy0otUd46aA6MDgGCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoIcQ29u
dGVudCBTaWduaW5nIEludGVybWVkaWF0ZTAKBggqhkjOPQQDAwNpADBmAjEA9bQk
/oTNQn9uSofv+OqKuWv6NMt9C8pSOjZGA/j1kD7HMlKD+WQN8BhSt389+Y8fAjEA
oVu/TTSg/tRESIJCTdgeCxWiDfLQ6aEUZ4/KCwoe7APIVJk5RWjyPGWfneK2ZLF9
-----END CERTIFICATE REQUEST-----
