added opencryptoki as another trustmanager

resolves notaryproject#1289 Signed-off-by: Florian Eichin <florian.eichin@gmail.com>
florianeichin · Feb 16, 2018 · 88e9037 · 88e9037
1 parent 3811106
commit 88e9037
Show file tree

Hide file tree

Showing 6 changed files with 1,479 additions and 1 deletion.
diff --git a/cmd/notary/integration_pkcs11_test.go b/cmd/notary/integration_pkcs11_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/theupdateframework/notary"
 	"github.com/theupdateframework/notary/passphrase"
 	"github.com/theupdateframework/notary/trustmanager/pkcs11/common"
+	"github.com/theupdateframework/notary/trustmanager/pkcs11/opencryptoki"
 	"github.com/theupdateframework/notary/trustmanager/pkcs11/yubikey"
 	"github.com/theupdateframework/notary/tuf/data"
 )
@@ -18,6 +19,8 @@ var _retriever notary.PassRetriever
 
 func init() {
 	yubikey.SetYubikeyKeyMode(yubikey.KeymodeNone)
+	opencryptoki.SetPin("password")
+	opencryptoki.SetSlot(3)
 	regRetriver := passphrase.PromptRetriever()
 	_retriever := func(k, a string, c bool, n int) (string, bool, error) {
 		if k == "Yubikey" {

diff --git a/trustmanager/pkcs11/import.go b/trustmanager/pkcs11/import.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/theupdateframework/notary"
 	"github.com/theupdateframework/notary/trustmanager"
+	"github.com/theupdateframework/notary/trustmanager/pkcs11/opencryptoki"
 	"github.com/theupdateframework/notary/trustmanager/pkcs11/common"
 	"github.com/theupdateframework/notary/trustmanager/pkcs11/yubikey"
 	"github.com/theupdateframework/notary/tuf/data"
@@ -23,9 +24,16 @@ func Setup() {
 		return
 	}
 	hardwareKeyStore = yubikey.NewKeyStore()
+	ctx, session, err := hardwareKeyStore.SetupHSMEnv(common.DefaultLoader)
+	if err == nil {
+		common.SetKeyStore(hardwareKeyStore)
+		defer common.Cleanup(ctx, session)
+		return
+	}
+
+	hardwareKeyStore = opencryptoki.NewKeyStore()
 	common.SetKeyStore(hardwareKeyStore)
 	return
-
 }
 
 // HardwareImport is a wrapper around the HardwareStore that allows us to import private

diff --git a/trustmanager/pkcs11/opencryptoki/non_pkcs11.go b/trustmanager/pkcs11/opencryptoki/non_pkcs11.go
@@ -0,0 +1,9 @@
+// go list ./... and go test ./... will not pick up this package without this
+// file, because go ? ./... does not honor build tags.
+
+// e.g. "go list -tags pkcs11 ./..." will not list this package if all the
+// files in it have a build tag.
+
+// See https://github.com/golang/go/issues/11246
+
+package opencryptoki