Commit 6fe950b

Author: Roland Bracewell Shoemaker
Add PKCS#11 certificate generation tool (letsencrypt#3729)
Tested against relevant hardware for generating both RSA and ECDSA roots and intermediates with keys generated using `gen-key`.

Also this makes a few changes to the `gen-key` tool after further experience with the HSM and more reading of the PKCS#11 specification. Main change is the removal of `compatMode`, which was intended to provide support for two naming schemes for EC used in subsequent PKCS#11 drafts. It turns out these schemes were changes in name only and the underlying structs/ints were the exact same (i.e. `CKA_ECDSA_PARAMS == CKA_EC_PARAMS` and `CKM_ECDSA_KEY_PAIR_GEN == CKM_EC_KEY_PAIR_GEN`) and just allowed using one of the two names based on preference. This meant with `compatMode` enabled or disabled the tool did the exact same thing.

Fixes letsencrypt#3697.
1 parent c96e1f1 commit 6fe950b

10 files changed, +1185 -263 lines changed

.gitignore

Lines changed: 1 addition & 0 deletions
@@ -36,3 +36,4 @@ tags
3636
# IDE support files
3737
.idea
3838

39+
.vscode/*
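
Review bot: the new `.vscode/*` entry at line 39 does not match the style of the `.idea` entry under the same "# IDE support files" comment, which ignores the directory by bare name rather than by its contents. Unless a later negation pattern for individual files under `.vscode` is planned, `.vscode` (or `.vscode/`) would be consistent with the existing entry. This editor-specific ignore is also unrelated to the PKCS#11 tooling the commit message describes, so it would read more cleanly as its own commit.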
