github release

Makefile

@@ -0,0 +1,49 @@
+GOARCH = amd64
+
+UNAME = $(shell uname -s)
+
+ifndef OS
+	ifeq ($(UNAME), Linux)
+		OS = linux
+	else ifeq ($(UNAME), Darwin)
+		OS = darwin
+	endif
+endif
+
+.DEFAULT_GOAL := all
+
+all: fmt build start
+
+build:
+	GOOS=$(OS) GOARCH="$(GOARCH)" go build -o bin/plugins/vaultplugin-hsmpki cmd/vaultplugin-hsmpki/main.go
+
+start:
+	vault server -dev -dev-root-token-id=root -dev-plugin-dir=./bin/plugins -log-level=debug
+
+clean:
+	rm -f ./bin/plugins/vaultplugin-hsmpki
+
+#enable:
+#	vault secrets enable -path=hsmpki vaultplugin-hsmpki
+
+fmt:
+	go fmt $$(go list ./...)
+
+test:	hsmconnection
+
+hsmconnection:
+	go test -v -run TestConnectPkcs11Connection ./pkg/hsmpki
+
+pathrolecreate:
+	go test -v -run TestPathRoleCreate ./pkg/hsmpki
+
+pathsetsignedintermediate:
+	go test -v -run TestPathSetSignedIntermediate ./pkg/hsmpki
+
+pathsetcrlconfig:
+	go test -v -run TestPathSetCRLConfig ./pkg/hsmpki
+
+pathfetchcrl:
+	go test -v -run TestPathFetchCRL ./pkg/hsmpki
+
+.PHONY: build clean fmt start enable

README.md

@@ -0,0 +1,101 @@
+# Vault HSM PKI Plugin
+
+The Vault HSM PKI plugin overlays the modifications to the builtin PKI plugin that enable support for certificate signing using a Hardware Security Module via [PKCS#11](http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html).
+
+## Software Design
+
+### Reuse of builtin PKI
+
+The [builtin PKI](https://github.com/hashicorp/vault/tree/v1.6.3/builtin/logical/pki) has a [specified API](https://www.vaultproject.io/api-docs/secret/pki) in terms of usage which new plugins can conform to, but the code is not expressed as a reusable module. 
+
+As this HSM plugin seeks to retain the majority of existing functionality without modification, eg. roles, the builtin PKI code is included in the [pkg/pki](./pkg/pki) directory with the addition of the pki_api.go file that makes select functions externally accessible. The rest of the included PKI code is included verbatim in the pkg/pki directory.
+
+The HSM PKI plugin can therefore selectively override some of the PKI paths whilst using some unchanged paths.
+
+## Usage
+
+### Dependencies
+
+[Go](https://golang.org/doc/install)
+
+[Vault](https://www.vaultproject.io/downloads)
+
+### Setup HSMs
+
+The [pkcs11helper module](https://github.com/mode51software/pkcs11helper) provides [detailed setup instructions](https://github.com/mode51software/pkcs11helper/blob/master/SETUP.md) for SoftHSM, Thales's SafeNet and Entrust's nShield.
+
+### Build
+
+Note that the following env var may be needed:
+
+export GOSUMDB=off
+
+The following command will build the plugin binary and start the Vault server as an in memory dev instance:
+
+```
+make
+```
+
+Visit [INSTALL.md](INSTALL.md) for the plugin installation and registration details.
+
+### Login 
+Now open a new terminal window and login to Vault. This is an example for a dev instance:
+
+`export VAULT_ADDR='http://127.0.0.1:8200'`
+
+`vault login root`
+
+### Setup
+
+Enable the HSM PKI plugin:
+
+`vault secrets enable -path=hsmpki -options="config=conf/config-softhsm.hcl" vaultplugin-hsmpki`
+
+### Run
+
+#### Create a Role
+
+Create a role for the allowed domain, which configures the certificate signing template, in this case localhost:
+
+`vault write hsmpki/roles/localhost allowed_domains=localhost allow_subdomains=true ttl=24h max_ttl=72h key_type="ec" key_bits="384"`
+
+#### Set the Signed Intermediate CA
+
+Set the signed Intermediate certificate and use the HSM PKI extensions supporting the configuration of the HSM key alias and the preferred SHA algorithm :
+
+`vault write hsmpki/intermediate/set-signed certificate=@data/safenet-inter-0016.ca.cert.pem key_alias="ECTestCAInterKey0016" hash_algo="SHA-512"`
+
+#### Sign a CSR
+Now that Vault is ready for signing, sign a standalone CSR file using the HSM returning the CA and the signed certificate:
+
+`vault write hsmpki/sign/localhost csr=@data/localhost512.csr.pem`
+
+#### Generate a Key, CSR and Sign
+
+Ask Vault to create a new key pair, generate a CSR and sign it using the HSM, returning both the private key, the CA and the signed certificate:
+
+`vault write hsmpki/issue/localhost common_name=localhost`
+
+#### Revoke a Certificate
+
+`vault write hsmpki/revoke serial_number="<your serial number>"`
+
+#### View Revocation Time of Certificate
+
+`vault read hsmpki/cert/<your serial number>`
+
+#### View CRL
+
+`curl --header "X-Vault-Token: root"  http://127.0.0.1:8200/v1/hsmpki/crl/pem > data/crl.txt`
+
+`openssl crl -in ./data/crl.txt -text`
+
+### Testing
+
+View the [TESTING](TESTING.md) README
+
+## License
+
+HSM PKI for Vault was sponsored by [BT UK](https://www.globalservices.bt.com/en/aboutus/our-services/security), developed by [mode51 Software](https://mode51.software), and contributed to the [HashiCorp community](https://www.vaultproject.io/docs/plugin-portal) under the Mozilla Public License v2.
+
+By [Chris Newman](https://mode51.software)

TESTING.md

@@ -0,0 +1,21 @@
+# Testing
+
+## HSM Notes
+
+If you are running SafeNet's DPoD, then cd to the base directory and source the setenv file.
+
+If you want to run tests in an IDE then source DPoD in a shell and start the IDE from the same shell session.
+
+## Makefile Command Line Tests
+
+Test the HSM connection where the conf is loaded in from conf/config-hsm.hcl
+
+`make test hsmconnection`
+
+`make test pathrolecreate`
+
+`make test pathsetcrlconfig`
+
+`make test pathfetchcrl`
+
+`make test pathsetsignedintermediate`

bin/build.sh

@@ -0,0 +1 @@
+go build -o ./bin/plugins/vaultplugin-hsmpki ./cmd/vaultplugin-hsmpki/main.go

bin/runsigned.sh

@@ -0,0 +1,15 @@
+export VAULT_ADDR='http://127.0.0.1:8200'
+
+vault login root
+
+vault secrets enable -path=hsmpki -options="config=conf/config-softhsm.hcl" vaultplugin-hsmpki
+
+vault write hsmpki/roles/localhost allowed_domains=localhost allow_subdomains=true max_ttl=72h
+
+vault write hsmpki/intermediate/set-signed certificate=@data/softhsm-inter-0002.ca.cert.pem key_alias="RSATestCAInterKey0002" hash_algo="SHA-384"
+
+vault write hsmpki/config/crl expiry=48h
+
+#vault write hsmpki/sign/localhost csr=@data/localhost512.csr.pem
+
+#vault write hsmpki/issue/localhost common_name=localhost

cmd/vaultplugin-hsmpki/main.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	hsmpki "github.com/mode51software/vaultplugin-hsmpki/pkg/hsmpki"
+	"os"
+
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/plugin"
+)
+
+func main() {
+	apiClientMeta := &api.PluginAPIClientMeta{}
+	flags := apiClientMeta.FlagSet()
+
+	flags.Parse(os.Args[1:])
+
+	tlsConfig := apiClientMeta.GetTLSConfig()
+	tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
+
+	err := plugin.Serve(&plugin.ServeOpts{
+		BackendFactoryFunc: hsmpki.Factory,
+		TLSProviderFunc:    tlsProviderFunc,
+	})
+
+	if err != nil {
+		logger := hclog.New(&hclog.LoggerOptions{})
+
+		logger.Error("plugin shutting down", "error", err)
+		os.Exit(1)
+	}
+}

conf/config-softhsm.hcl

@@ -0,0 +1,8 @@
+
+lib = "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
+slot_id = 288648064
+pin = "1234"
+# be aware that the key_label can be overridden by dynamically providing it during Set Signed Intermediate
+key_label = "RSATestCAInterKey0002"
+connect_timeout_s = 10
+read_timeout_s = 5

go.mod

@@ -0,0 +1,18 @@
+module github.com/mode51software/vaultplugin-hsmpki
+
+go 1.13
+
+require (
+	github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
+	github.com/fatih/structs v1.1.0
+	github.com/hashicorp/errwrap v1.0.0
+	github.com/hashicorp/go-hclog v0.14.1
+	github.com/hashicorp/hcl v1.0.1-vault
+	github.com/hashicorp/vault v1.6.2
+	github.com/hashicorp/vault/api v1.0.5-0.20201001211907-38d91b749c77
+	github.com/hashicorp/vault/sdk v0.1.14-0.20210127182440-8477cfe632c0
+	github.com/ryanuber/go-glob v1.0.0
+	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
+	golang.org/x/net v0.0.0-20200625001655-4c5254603344
+	github.com/mode51software/pkcs11helper v0.3.0
+)