peculiarventures / graphene Goto Github PK
View Code? Open in Web Editor NEWA simple layer for interacting with PKCS #11 / PKCS11 / CryptoKI for Node in TypeScript. (Keywords: Javascript, PKCS#11, Crypto, Smart Card, HSM)
License: MIT License
A simple layer for interacting with PKCS #11 / PKCS11 / CryptoKI for Node in TypeScript. (Keywords: Javascript, PKCS#11, Crypto, Smart Card, HSM)
License: MIT License
It should be possible to set the pin with graphene
When i wrote
npm install graphene-pk11
i received version 1.0.0 (without session.export method)
When i wrote
npm install [email protected]
i got error
npm ERR! version not found: [email protected]
When i manually download graphene-1.1.0.zip and replace lib folder, i got javascript error:
Uncaught Error: Cannot find module 'base64url'
How properly install latest release?
Hi,
session.find({ class: graphene.ObjectClass.PRIVATE_KEY }) [C_FindObjectsInit] method get not private key object.
Please help me.
enum.js has comment, but there is no CKR_FLAGS_INVALID value
CKR_FLAGS_INVALID was removed for v2.0
It should be possible to initialize a token with Graphene
Users may want to write code to initialize a token (slot) via this library. Would be good to have an example of how to do that.
Right now, in order to modify the SoftHSM PIN programmatically in Node, we use the following code:
child_process.spawnSync('softhsm2-util', [
'--module', '/usr/local/lib/softhsm/libsofthsm.so', '--token-label', 'SoftHSM', '-l', '--change-pin', '--new-pin', password
], { stdio: 'inherit' });
However, for the sake of both code elegance and more easily attained cross-platform-compatibility, I was wondering if it was possible, or whether there are plans to make it possible, to change HSM pins using Graphene, considering all the other HSM interactions that Graphene supports? That would also allow a much easier configuration switch between emulated and hardware HSMs.
ECDSA (secp256k1) is increasingly common, having an example of how to generate and use these keys would be valuable.
npm WARN deprecated [email protected]: TSD is deprecated in favor of Typings (https://github.com/typings/typings) - see DefinitelyTyped/tsd#269 for more information
Right now there are magic numbers that are ored together for specifing read-write mode:
session.start(2 | 4); //start session in RW mode
For a session, we should make sure there is a enum/constants for these values and get samples updated to use them.
{
name: "ECDH1_DERIVE",
params: new graphene.ECDSA.EcdhParams(
0x00000001, // CKD_NULL
null,
key.publicKey.toType().getBinaryAttribute(0x00000181) //CKA_EC_POINT
)
}
It seems not all libraries export their functions by name, this is accommodated in PKCS#11 via the C_GetFunctionList API.
We need to re-tool Graphene to use this API to work with these implementations.
I am trying to run the following code:
var graphene = require('graphene-pk11');
var Module = graphene.Module;
var mod = Module.load('/usr/local/lib/softhsm/libsofthsm2.so', 'SoftHSM');
// var mod = Module.load('/usr/local/Cellar/softhsm/2.0.0/lib/softhsm/libsofthsm2.so', 'SoftHSM');
mod.initialize();
However, in line 4, it crashes with the following error:
/Users/project-folder/node_modules/graphene-pk11/node_modules/ffi/lib/dynamic_library.js:74
throw new Error('Dynamic Linking Error: ' + err)
^Error: Dynamic Linking Error: dlopen(/usr/local/lib/softhsm/libsofthsm2.so.dylib, 2): image not found
at new DynamicLibrary (/Users/project-folder/node_modules/graphene-pk11/node_modules/ffi/lib/dynamic_library.js:74:11)
at Object.Library (/Users/project-folder/node_modules/graphene-pk11/node_modules/ffi/lib/library.js:45:12)
at new Pkcs11 (/Users/project-folder/node_modules/graphene-pk11/build/pkcs11/pkcs11.js:14:24)
at Function.Module.load (/Users/project-folder/node_modules/graphene-pk11/build/module.js:70:19)
at Object. (/Users/project-folder/lab/hsm.js:8:18)
at Module._compile (module.js:434:26)
at Object.Module._extensions..js (module.js:452:10)
at Module.load (module.js:355:32)
at Function.Module._load (module.js:310:12)
at Module.runMain as _onTimeout
Quite curiously, Node is complaining about not being able to find libsofthsm2.so.dylib
even though in the method call it explicitly says libsofthsm2.so
. What might be causing it?
Additionally, I should note that /usr/local/lib/softhsm/libsofthsm2.so
is a symlink to /usr/local/Cellar/softhsm/2.0.0/lib/softhsm/libsofthsm2.so
, which I have also tried using in the commented out line, with the same results.
Task
Provide a way to manage a token using Graphene and NodeJS.
Tool would be similar to : http://manpages.ubuntu.com/manpages/hardy/man1/pkcs11-tool.1.html or http://www.pkcs11admin.net/
Would be useful to people as an example, would also be useful to people using the HSMs in production environments.
We could use https://github.com/tj/commander.js for command line parsing
Concepts
Security Officer (SO) PIN
User PIN
Slot
Key
Certificate
Commands
These are some of the things we might want to support:
Init Initialize the token
login Login as the Security Officer
logout Logout of the Security Officer
pwd Change the security officer password
device Show details about the device
slots
list List the available slots
benchmark Benchmark the performance of the device using this
create Create a new slot
delete Delete a specific slot
login Login as a user
logout Logout of a user
keys
list List the keys in the slot
create Create a new key in this slot
import Import a key into this slot
export Export a key into this slot
delete Delete a specific key in this slot
x509
list List the x509 certificates in the slot
create Create a new x509 certificate in this slot
delete Delete a specific x509 certificate in this slot
all
list List all the objects
The test command in the CLI does not currently support benchmarking hashes, it would be useful to add it.
Add structure for RSA-OAEP
typedef struct CK_RSA_PKCS_OAEP_PARAMS {
CK_MECHANISM_TYPE hashAlg;
CK_RSA_PKCS_MGF_TYPE mgf;
CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
CK_VOID_PTR pSourceData;
CK_ULONG ulSourceDataLen;
} CK_RSA_PKCS_OAEP_PARAMS;
In theory we can add support for Curve25519 to Graphene. I have confimed with SafeNet that their devices should at least be in thoery capable of doing this.
They would support this by specifing the curve domain parameters in Weierstrass form.Curve25519 is a Edwards curve, we would need to convert that to a Montgomery curve, which in turn would be converted into a Weierstrass curve.
It seems NSS has similar constraints if we do this I suspect this bug would be helpful - https://bugzilla.mozilla.org/show_bug.cgi?id=957105#c19
Properties:
Methods:
props = {
label: String ["RSA <time_stamp>"]
extractable: boolean [false]
publicExponent: 3 | 65537
modulusLength: Number
}
getLabel can be empty, and it throws error will on res.toString("utf8")
It isnt right that vendor.js is in the root, we should put it elsewhere.
Expand object info to show details about each item (key or certificate), for example we might show alg name, its size, usage and params.
object info -obj 27
Name | Value |
---|---|
ID | 27 |
Class | PrivateKey |
Label | 1448386896910 |
Token | true |
Private | true |
Modifiable | true |
The diagram is a nice way to get a quick overview of the library we should check it in to the root of the project.
In theory we should be able to get very close to the rated capacity for each of of the devices we test with.
We need to do benchmarking to ensure that this is the case and if not identify the bottleneck and fix it.
How to export public key from token to file and then verify signature with OpenSSL?
mac -in file.txt -out.sig
Some Attribute conversions can return null but this is not currently caught.
Here is how to do that : https://gist.github.com/coolaj86/1318304
sign --in infile.txt --out outfile.txt -a RSA_PKCS
Properties:
Methods:
props = {
label: String ["RSA <time_stamp>"]
extractable: boolean [false]
publicExponent: 3 | 65537
modulusLength: Number
}
Properties:
Methods:
We want to maintain a set of regression tests so that when we make changes moving forward any regressions can be found.
This will help us find issues that may exist in the library currently.
We could base these on :
We are having an issue working in windows which is blocked by node-ffi - TooTallNate/ref-struct#22
All testing to of Graphene has been on Linux, it seems we may have an alignment issue of some sort on Windows that needs to be resolved.
This does not reproduce on Linux.
Could it be possible to have the debug message of SoftHSM2 (stderr) (when log.level is set) displayed or returned in the Exception ? thanks !
I've experienced a few issues trying to get this library going on Ubuntu 15.10:
softhsm
but you actually need softhsm2
to get the softhsm2-util
.npm install graphene-pk11
and then tried to run an example (the slots example). I had to change the require from pkcs11 to graphene-pk11
and then I get this error:/tmp/soft/node_modules/graphene-pk11/node_modules/ref/node_modules/bindings/bindings.js:83
throw e
^
Error: /tmp/soft/node_modules/graphene-pk11/node_modules/ref/build/Release/binding.node: undefined symbol: node_module_register
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Module.require (module.js:364:17)
at require (module.js:380:17)
at bindings (/tmp/soft/node_modules/graphene-pk11/node_modules/ref/node_modules/bindings/bindings.js:76:44)
at Object.<anonymous> (/tmp/soft/node_modules/graphene-pk11/node_modules/ref/lib/ref.js:5:47)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
node --version
v0.12.7
enc --in infile.txt --out outfile.txt -a AES_CBC --obj 1
graphene
is registered in npm
as graphene-pk11
, but graphene.d.ts
uses for module name graphene
Properties:
Methods:
The CLI returns many different objects it would be nice to be able to filter the returns to specific types:
--filter - String
label=<String>;class=<Enums.ObjectClass>;
label=test RSA;class=PublicKey,PrivateKey;
var ObjectClass = {
Data: CKI.CKO_DATA,
Certificate: CKI.CKO_CERTIFICATE,
PublicKey: CKI.CKO_PUBLIC_KEY,
PrivateKey: CKI.CKO_PRIVATE_KEY,
SecretKey: CKI.CKO_SECRET_KEY,
HardwareFeature: CKI.CKO_HW_FEATURE,
DomainParameters: CKI.CKO_DOMAIN_PARAMETERS,
Mechanism: CKI.CKO_MECHANISM,
OTPKey: CKI.CKO_OTP_KEY,
VendorDefined: CKI.CKO_VENDOR_DEFINED
`
This isn't really an issue as much as a question, but there aren't any examples for it, so I'll go ahead and ask. What is the best way to uniquely identify a generated keypair? When generating a keypair, it is possible to specify attributes such as e. g. "label," but labels aren't necessarily unique. What is unique is the key index after closing the session, but that is hard to obtain after the session is closed.
When doing session.find()
, both class and label can be specified, but due to the aforementioned issue of the label not being unique, I was wondering if there is a better way of uniquely obtaining a key property upon generation and then finding it later using that same previously determined property?
key.publicKey.toType().getBinaryAttribute(key.CKI.CKA_EC_POINT)
Best way:
//SessionObject.getAttriute(attrName: string) boolean | string | number | buffer;
key.publicKey.getAttriute("pointEC");
Right now it is not possible to initialize the token in the CLI, we should also support that:
init
--token
Initializes a token: set the token label as well as a Security
Officer PIN (the label must be specified using --label).
--pin
Initializes the user PIN. This option differs from --change-pin in
that it sets the user PIN for the first time. Once set, the user PIN
can be changed using --change-pin.
--change-pin
Change the user PIN on the token
We can add generation of JSDOC derived documentation via docdash: https://github.com/clenemt/docdash
"script": {
"generate-docs": "node_modules/.bin/jsdoc -c jsdoc.json"
}
This way we can have standalone documentation showing how to use the library.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.