Correct way to conduct private key operation from PKCS11 for mTLS connection in Go
I have successfully imported the private key into the PKCS11 token. The token object looks like this:
Private Key Object; RSA
label: #####
ID: #####
Usage: decrypt, sign, unwrap
Access: sensitive
Public Key Object; RSA 2048 bits
label: #####
ID: #####
Usage: encrypt, verify, wrap
Access: none
I learned that CKA_VALUE usually cannot be extracted, and I would like to know the correct procedure to create an mTLS connection using a PKCS#11 private key and certificate.
"I learned that CKA_VALUE usually could not be extracted"
Just in case, check out ThalesIgnite/crypto11 exportDSAPublicKey(), which does export pkcs11.Attribute, including pkcs11.CKA_VALUE, using the public key.
(CKA_VALUE is one of the ECDSA private key objects.)
For mTLS, check if miekg/pkcs11 can help (not tested).
It can at least help create a tlsConfig based on a private key and certificate.
// tls.Certificate has no Cert field: it takes the DER certificate chain in Certificate and a
// crypto.Signer in PrivateKey. A raw pkcs11.ObjectHandle is not a crypto.Signer, so privateKey
// must be a wrapper whose Sign method calls the token (SignInit/Sign) with that handle.
tlsConfig := &tls.Config{
	Certificates: []tls.Certificate{
		{
			PrivateKey:  privateKey,
			Certificate: [][]byte{cert},
		},
	},
}
Those should be extracted from your pkcs11 file:
// miekg/pkcs11 has no FindObject; a lookup is FindObjectsInit/FindObjects/FindObjectsFinal and returns a handle (needs "fmt").
func findObject(p *pkcs11.Ctx, session pkcs11.SessionHandle, tmpl []*pkcs11.Attribute) (pkcs11.ObjectHandle, error) {
	if err := p.FindObjectsInit(session, tmpl); err != nil {
		return 0, err
	}
	defer p.FindObjectsFinal(session)
	objs, _, err := p.FindObjects(session, 1)
	if err != nil || len(objs) == 0 {
		return 0, fmt.Errorf("object lookup failed: %v (%d matches)", err, len(objs))
	}
	return objs[0], nil
}
privateKey, err := findObject(p, session, []*pkcs11.Attribute{ // handle only; the key material stays on the token
	pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
	pkcs11.NewAttribute(pkcs11.CKA_LABEL, "private_key_label"),
})
if err != nil {
	panic(err)
}
certObj, err := findObject(p, session, []*pkcs11.Attribute{
	pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
	pkcs11.NewAttribute(pkcs11.CKA_LABEL, "certificate_label"),
})
if err != nil {
	panic(err)
}
// A certificate is public, so its CKA_VALUE (the DER encoding) can be read out; the private key's cannot.
attrs, err := p.GetAttributeValue(session, certObj, []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_VALUE, nil)})
if err != nil {
	panic(err)
}
cert := attrs[0].Value
That does not seem to require CKA_VALUE.