Merge pull request #457 from smallstep/pkcs11

Add support for PKCS #11 KMS.

Author: maraino

Makefile

@@ -6,6 +6,8 @@ AWSKMS_BINNAME?=step-awskms-init
 AWSKMS_PKG?=github.com/smallstep/certificates/cmd/step-awskms-init
 YUBIKEY_BINNAME?=step-yubikey-init
 YUBIKEY_PKG?=github.com/smallstep/certificates/cmd/step-yubikey-init
+PKCS11_BINNAME?=step-pkcs11-init
+PKCS11_PKG?=github.com/smallstep/certificates/cmd/step-pkcs11-init
 
 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)
@@ -76,7 +78,7 @@ GOFLAGS := CGO_ENABLED=0
 download:
 	$Q go mod download
 
-build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME)
+build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME) $(PREFIX)bin/$(PKCS11_BINNAME)
 	@echo "Build Complete!"
 
 $(PREFIX)bin/$(BINNAME): download $(call rwildcard,*.go)
@@ -95,6 +97,10 @@ $(PREFIX)bin/$(YUBIKEY_BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
 	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(YUBIKEY_BINNAME) $(LDFLAGS) $(YUBIKEY_PKG)
 
+$(PREFIX)bin/$(PKCS11_BINNAME): download $(call rwildcard,*.go)
+	$Q mkdir -p $(@D)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(PKCS11_BINNAME) $(LDFLAGS) $(PKCS11_PKG)
+
 # Target to force a build of step-ca without running tests
 simple: build
 
@@ -113,7 +119,7 @@ generate:
 # Test
 #########################################
 test:
-	$Q $(GOFLAGS) go test -short -coverprofile=coverage.out ./...
+	$Q go test -short -coverprofile=coverage.out ./...
 
 .PHONY: test
 
@@ -171,6 +177,9 @@ endif
 ifneq ($(YUBIKEY_BINNAME),"")
 	$Q rm -f bin/$(YUBIKEY_BINNAME)
 endif
+ifneq ($(PKCS11_BINNAME),"")
+	$Q rm -f bin/$(PKCS11_BINNAME)
+endif
 
 .PHONY: clean
 

authority/authority.go

@@ -382,3 +382,10 @@ func (a *Authority) Shutdown() error {
 	}
 	return a.db.Shutdown()
 }
+
+// CloseForReload closes internal services, to allow a safe reload.
+func (a *Authority) CloseForReload() {
+	if err := a.keyManager.Close(); err != nil {
+		log.Printf("error closing the key manager: %v", err)
+	}
+}

authority/authority_test.go

@@ -306,3 +306,17 @@ func TestNewEmbedded_GetTLSCertificate(t *testing.T) {
 	assert.True(t, cert.Leaf.IPAddresses[0].Equal(net.ParseIP("127.0.0.1")))
 	assert.True(t, cert.Leaf.IPAddresses[1].Equal(net.ParseIP("::1")))
 }
+
+func TestAuthority_CloseForReload(t *testing.T) {
+	tests := []struct {
+		name string
+		auth *Authority
+	}{
+		{"ok", testAuthority(t)},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.auth.CloseForReload()
+		})
+	}
+}

ca/ca.go

@@ -227,9 +227,11 @@ func (ca *CA) Reload() error {
 	}
 
 	// 1. Stop previous renewer
-	// 2. Replace ca properties
+	// 2. Safely shutdown any internal resources (e.g. key manager)
+	// 3. Replace ca properties
 	// Do not replace ca.srv
 	ca.renewer.Stop()
+	ca.auth.CloseForReload()
 	ca.auth = newCA.auth
 	ca.config = newCA.config
 	ca.opts = newCA.opts

cmd/step-ca/main.go

@@ -31,6 +31,7 @@ import (
 	_ "github.com/smallstep/certificates/kms/sshagentkms"
 
 	// Experimental kms interfaces.
+	_ "github.com/smallstep/certificates/kms/pkcs11"
 	_ "github.com/smallstep/certificates/kms/yubikey"
 
 	// Enabled cas interfaces.

cmd/step-cloudkms-init/main.go

@@ -234,7 +234,7 @@ func createSSH(c *cloudkms.CloudKMS, project, location, keyRing string, protecti
 	resp, err = c.CreateKey(&apiv1.CreateKeyRequest{
 		Name:               parent + "/ssh-host-key",
 		SignatureAlgorithm: apiv1.ECDSAWithSHA256,
-		ProtectionLevel:    apiv1.Software,
+		ProtectionLevel:    protectionLevel,
 	})
 	if err != nil {
 		return err