graphene's People

Contributors

danonunez, dependabot[bot], donskov, jspark311, kigawas, microshine, nickrmc83, rmhrisk

graphene's Issues

How to install release 1.1.0 ?

When I wrote
npm install graphene-pk11
I received version 1.0.0 (without the session.export method).

When I wrote
npm install [email protected]
I got the error
npm ERR! version not found: [email protected]

When I manually downloaded graphene-1.1.0.zip and replaced the lib folder, I got a JavaScript error:
Uncaught Error: Cannot find module 'base64url'

How do I properly install the latest release?

Use Graphene to update HSM pin and so pin

Right now, in order to modify the SoftHSM PIN programmatically in Node, we use the following code:

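var child_process = require('child_process');

// Change the SoftHSM PIN via softhsm2-util; `password` holds the new PIN
child_process.spawnSync('softhsm2-util', [
    '--module', '/usr/local/lib/softhsm/libsofthsm.so', '--token-label', 'SoftHSM', '-l', '--change-pin', '--new-pin', password
  ], { stdio: 'inherit' });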

However, for the sake of both code elegance and more easily attained cross-platform-compatibility, I was wondering if it was possible, or whether there are plans to make it possible, to change HSM pins using Graphene, considering all the other HSM interactions that Graphene supports? That would also allow a much easier configuration switch between emulated and hardware HSMs.

Create constants for session start options

Right now there are magic numbers that are OR-ed together for specifying read-write mode:

        session.start(2 | 4); //start session in RW mode

For a session, we should make sure there is an enum/constants for these values and get samples updated to use them.

Add support for C_GetFunctionList

It seems not all libraries export their functions by name; this is accommodated in PKCS#11 via the C_GetFunctionList API.

We need to re-tool Graphene to use this API to work with these implementations.

Graphene Module won't load (OS X El Capitan, Node 4.1.1)

I am trying to run the following code:

var graphene = require('graphene-pk11');
var Module = graphene.Module;

var mod = Module.load('/usr/local/lib/softhsm/libsofthsm2.so', 'SoftHSM');
// var mod = Module.load('/usr/local/Cellar/softhsm/2.0.0/lib/softhsm/libsofthsm2.so', 'SoftHSM');
mod.initialize();

However, in line 4, it crashes with the following error:

/Users/project-folder/node_modules/graphene-pk11/node_modules/ffi/lib/dynamic_library.js:74
throw new Error('Dynamic Linking Error: ' + err)
^

Error: Dynamic Linking Error: dlopen(/usr/local/lib/softhsm/libsofthsm2.so.dylib, 2): image not found
at new DynamicLibrary (/Users/project-folder/node_modules/graphene-pk11/node_modules/ffi/lib/dynamic_library.js:74:11)
at Object.Library (/Users/project-folder/node_modules/graphene-pk11/node_modules/ffi/lib/library.js:45:12)
at new Pkcs11 (/Users/project-folder/node_modules/graphene-pk11/build/pkcs11/pkcs11.js:14:24)
at Function.Module.load (/Users/project-folder/node_modules/graphene-pk11/build/module.js:70:19)
at Object. (/Users/project-folder/lab/hsm.js:8:18)
at Module._compile (module.js:434:26)
at Object.Module._extensions..js (module.js:452:10)
at Module.load (module.js:355:32)
at Function.Module._load (module.js:310:12)
at Module.runMain as _onTimeout

Quite curiously, Node is complaining about not being able to find libsofthsm2.so.dylib even though in the method call it explicitly says libsofthsm2.so. What might be causing it?

Additionally, I should note that /usr/local/lib/softhsm/libsofthsm2.so is a symlink to /usr/local/Cellar/softhsm/2.0.0/lib/softhsm/libsofthsm2.so, which I have also tried using in the commented out line, with the same results.

Create a command line tool to manage devices using Graphene

Task
Provide a way to manage a token using Graphene and NodeJS.

Tool would be similar to: http://manpages.ubuntu.com/manpages/hardy/man1/pkcs11-tool.1.html or http://www.pkcs11admin.net/

Would be useful to people as an example, would also be useful to people using the HSMs in production environments.

We could use https://github.com/tj/commander.js for command line parsing

Concepts
Security Officer (SO) PIN
User PIN
Slot
Key
Certificate

Commands
These are some of the things we might want to support:

Init                Initialize the token
login               Login as the Security Officer
logout              Logout of the Security Officer
pwd                 Change the security officer password
device              Show details about the device 
slots       
        list        List the available slots
        benchmark   Benchmark the performance of the device using this 
        create      Create a new slot
        delete      Delete a specific slot
        login       Login as a user
        logout      Logout of a user
keys        
        list        List the keys in the slot
        create      Create a new key in this slot
        import      Import a key into this slot
        export      Export a key into this slot
        delete      Delete a specific key in this slot
x509        
        list        List the x509 certificates in the slot
        create      Create a new x509 certificate in this slot
        delete      Delete a specific x509 certificate in this slot
all
        list        List all the objects

RSA-OAEP params

Add structure for RSA-OAEP

typedef struct CK_RSA_PKCS_OAEP_PARAMS {
    CK_MECHANISM_TYPE hashAlg;
    CK_RSA_PKCS_MGF_TYPE mgf;
    CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
    CK_VOID_PTR pSourceData;
    CK_ULONG ulSourceDataLen;
} CK_RSA_PKCS_OAEP_PARAMS;

Add support for Curve25519

In theory we can add support for Curve25519 to Graphene. I have confirmed with SafeNet that their devices should at least be in theory capable of doing this.

They would support this by specifying the curve domain parameters in Weierstrass form. Curve25519 is an Edwards curve, we would need to convert that to a Montgomery curve, which in turn would be converted into a Weierstrass curve.

It seems NSS has similar constraints; if we do this, I suspect this bug would be helpful: https://bugzilla.mozilla.org/show_bug.cgi?id=957105#c19
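
The Montgomery-to-Weierstrass step mentioned above, worked through for Curve25519's Montgomery parameters (A = 486662, B = 1, p = 2^255 - 19), as an added example that is not part of the original issue or of Graphene's code. All function names are assumptions of this example; it covers only the coefficient and point conversion, not the Edwards step or any PKCS#11 encoding of the result.

```javascript
// Added example (names are this example's own). Montgomery form: B*v^2 = u^3 + A*u^2 + u over GF(p).
const p = 2n ** 255n - 19n;
const A = 486662n;
const B = 1n;

const mod = (x) => ((x % p) + p) % p;

// Square-and-multiply modular exponentiation.
function powMod(base, exp) {
  let result = 1n;
  for (base = mod(base); exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = mod(result * base);
    base = mod(base * base);
  }
  return result;
}

// Inverse via Fermat's little theorem (p is prime).
const inv = (x) => powMod(x, p - 2n);

// Short Weierstrass coefficients for y^2 = x^3 + a*x + b:
//   a = (3 - A^2) / (3*B^2),  b = (2*A^3 - 9*A) / (27*B^3)
function montgomeryToWeierstrass() {
  const a = mod((3n - A * A) * inv(3n * B * B));
  const b = mod((2n * A ** 3n - 9n * A) * inv(27n * B ** 3n));
  return { a, b };
}

// Point map: x = u/B + A/(3*B), y = v/B.
function mapPoint(u, v) {
  return { x: mod(u * inv(B) + A * inv(3n * B)), y: mod(v * inv(B)) };
}

// Recover v for a given u (p = 5 mod 8, so a closed-form square root exists).
function recoverV(u) {
  const rhs = mod((u ** 3n + A * u * u + u) * inv(B));
  let v = powMod(rhs, (p + 3n) / 8n);
  if (mod(v * v) !== rhs) v = mod(v * powMod(2n, (p - 1n) / 4n));
  if (mod(v * v) !== rhs) throw new Error("u is not on the curve");
  return v;
}

function onWeierstrass({ a, b }, { x, y }) {
  return mod(y * y) === mod(x ** 3n + a * x + b);
}

// The standard base point has u = 9; map it and keep it for checking.
const curve = montgomeryToWeierstrass();
const basePoint = mapPoint(9n, recoverV(9n));
```

Checking that the mapped base point satisfies the Weierstrass equation is a useful sanity test before handing converted domain parameters to a device.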

RSA key

Properties:

  • privateKey: PrivateKey
  • publicKey: PublicKey

Methods:

  • sign (SHA-1 | SHA-224 | SHA-256 | SHA-384 | SHA-512)
  • verify (SHA-1 | SHA-224 | SHA-256 | SHA-384 | SHA-512)
  • generate(props)
  • toOAEP(params: RsaOAEPParams): RsaOAEP
  • toRSA1(): Rsa1

props = {
    label: String ["RSA <time_stamp>"]
    extractable: boolean [false]
    publicExponent: 3 | 65537
    modulusLength: Number
}

Add object details to object info.

Expand object info to show details about each item (key or certificate), for example we might show alg name, its size, usage and params.

object info -obj 27

Name Value
ID 27
Class PrivateKey
Label 1448386896910
Token true
Private true
Modifiable true

Need to benchmark PKCS#11 performance

In theory we should be able to get very close to the rated capacity for each of the devices we test with.

We need to do benchmarking to ensure that this is the case and if not identify the bottleneck and fix it.

RSA OAEP key

RsaOAEP

Properties:

  • privateKey: PrivateKey
  • publicKey: PublicKey
  • params: OAEPParams

Methods:

  • encrypt (data: Buffer): Buffer
  • decrypt (data: Buffer): Buffer
  • wrapKey(key: Key): Buffer
  • unwrapKey(data: Buffer): Key

props = {
    label: String ["RSA <time_stamp>"]
    extractable: boolean [false]
    publicExponent: 3 | 65537
    modulusLength: Number
}

RsaOAEPParams

Properties:

  • hashAlg: Enums.Mechanism [SHA1] (SHA1 | SHA224 | SHA256 | SHA384 | SHA512)
  • mgf: Enums.MGF1 [SHA1] (SHA1 | SHA224 | SHA256 | SHA384 | SHA512)
  • source: Number [CKI.CKZ_DATA_SPECIFIED];
  • sourceData: Buffer [null];

Methods:

  • toCKI(): RefStruct

Need extensive PKCS#11 test automation

We want to maintain a set of regression tests so that when we make changes moving forward any regressions can be found.

This will help us find issues that may exist in the library currently.

We could base these on :

Graphene not working on Windows

All testing of Graphene has been on Linux; it seems we may have an alignment issue of some sort on Windows that needs to be resolved.

This does not reproduce on Linux.

Debug message of SoftHSM2

Could it be possible to have the debug message of SoftHSM2 (stderr) (when log.level is set) displayed or returned in the Exception? Thanks!

Ubuntu 15.10 install issues

I've experienced a few issues trying to get this library going on Ubuntu 15.10:

  • The home readme says to install softhsm but you actually need softhsm2 to get the softhsm2-util.
  • There seem to be some permission issues with softhsm2, mainly the token dirs are rwx for the root user only. This is not really your code's issue, but I have to run softhsm2-util as root :( to create a token.
  • Lastly, I ran npm install graphene-pk11 and then tried to run an example (the slots example). I had to change the require from pkcs11 to graphene-pk11 and then I get this error:
/tmp/soft/node_modules/graphene-pk11/node_modules/ref/node_modules/bindings/bindings.js:83
        throw e
              ^
Error: /tmp/soft/node_modules/graphene-pk11/node_modules/ref/build/Release/binding.node: undefined symbol: node_module_register
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at bindings (/tmp/soft/node_modules/graphene-pk11/node_modules/ref/node_modules/bindings/bindings.js:76:44)
    at Object.<anonymous> (/tmp/soft/node_modules/graphene-pk11/node_modules/ref/lib/ref.js:5:47)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
node --version
v0.12.7

RSA 1.5

Rsa1

Properties:

  • privateKey: PrivateKey
  • publicKey: PublicKey

Methods:

  • sign(data: Buffer): Buffer
  • verify(signature: Buffer, data: Buffer): Boolean
  • encrypt (data: Buffer): Buffer
  • decrypt (data: Buffer): Buffer
  • wrapKey(key: Key): Buffer
  • unwrapKey(data: Buffer): Key

Support filtering object list in CLI

The CLI returns many different objects; it would be nice to be able to filter the returns to specific types:

--filter - String
label=<String>;class=<Enums.ObjectClass>;
label=test RSA;class=PublicKey,PrivateKey;

var ObjectClass = {
    Data: CKI.CKO_DATA,
    Certificate: CKI.CKO_CERTIFICATE,
    PublicKey: CKI.CKO_PUBLIC_KEY,
    PrivateKey: CKI.CKO_PRIVATE_KEY,
    SecretKey: CKI.CKO_SECRET_KEY,
    HardwareFeature: CKI.CKO_HW_FEATURE,
    DomainParameters: CKI.CKO_DOMAIN_PARAMETERS,
    Mechanism: CKI.CKO_MECHANISM,
    OTPKey: CKI.CKO_OTP_KEY,
    VendorDefined: CKI.CKO_VENDOR_DEFINED
};
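
One way the proposed --filter string could be parsed and applied, as an added example that is not part of the original issue or of Graphene's code. The function names `parseFilter` and `applyFilter` and the sample objects are assumptions made for illustration; the numeric class values are the standard PKCS#11 `CKO_*` constants.

```javascript
// PKCS#11 object class values (CKO_*), keyed by the names used in the issue.
const ObjectClass = {
  Data: 0x0, Certificate: 0x1, PublicKey: 0x2, PrivateKey: 0x3, SecretKey: 0x4,
  HardwareFeature: 0x5, DomainParameters: 0x6, Mechanism: 0x7, OTPKey: 0x8,
  VendorDefined: 0x80000000,
};

// Parse "label=<String>;class=<Name>[,<Name>...];" into { label, classes }.
// Unknown keys and unknown class names are rejected rather than ignored, so a
// typo cannot silently widen the result set. (Hypothetical helper.)
function parseFilter(text) {
  const filter = { label: null, classes: null };
  for (const part of text.split(";")) {
    if (part.trim() === "") continue; // tolerate the trailing ";"
    const eq = part.indexOf("=");
    if (eq < 0) throw new Error(`Missing "=" in filter term "${part}"`);
    const key = part.slice(0, eq).trim().toLowerCase();
    const value = part.slice(eq + 1).trim();
    if (key === "label") {
      filter.label = value;
    } else if (key === "class") {
      filter.classes = value.split(",").map((name) => {
        const n = name.trim();
        if (!Object.prototype.hasOwnProperty.call(ObjectClass, n)) {
          throw new Error(`Unknown object class "${n}"`);
        }
        return ObjectClass[n];
      });
    } else {
      throw new Error(`Unknown filter key "${key}"`);
    }
  }
  return filter;
}

// Apply a parsed filter to plain { label, class } records. (Hypothetical helper.)
function applyFilter(objects, filter) {
  return objects.filter((o) =>
    (filter.label === null || o.label === filter.label) &&
    (filter.classes === null || filter.classes.includes(o.class)));
}

// Constructed sample objects, standing in for what a token would return.
const sample = [
  { id: 1, label: "test RSA", class: ObjectClass.PublicKey },
  { id: 2, label: "test RSA", class: ObjectClass.PrivateKey },
  { id: 3, label: "test RSA", class: ObjectClass.Certificate },
  { id: 4, label: "other", class: ObjectClass.PrivateKey },
];
```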

Uniquely identify generated key[pairs]

This isn't really an issue as much as a question, but there aren't any examples for it, so I'll go ahead and ask. What is the best way to uniquely identify a generated keypair? When generating a keypair, it is possible to specify attributes such as e.g. "label," but labels aren't necessarily unique. What is unique is the key index after closing the session, but that is hard to obtain after the session is closed.

When doing session.find(), both class and label can be specified, but due to the aforementioned issue of the label not being unique, I was wondering if there is a better way of uniquely obtaining a key property upon generation and then finding it later using that same previously determined property?

Needs be modified

key.publicKey.toType().getBinaryAttribute(key.CKI.CKA_EC_POINT)

Best way:

// SessionObject.getAttribute(attrName: string): boolean | string | number | buffer;

key.publicKey.getAttribute("pointEC");

Support initializing token in the CLI

Right now it is not possible to initialize the token in the CLI, we should also support that:

init

  --token
      Initializes a token: set the token label as well as a Security
      Officer PIN (the label must be specified using --label).

  --pin
      Initializes the user PIN. This option differs from --change-pin in
      that it sets the user PIN for the first time. Once set, the user PIN
      can be changed using --change-pin.

  --change-pin
      Change the user PIN on the token
