Add PKCS#11 certificate generation tool

[rolandshoemaker]

Tested against relevant hardware for generating both RSA and ECDSA roots and intermediates with keys generated using gen-key.

Also this makes a few changes to the gen-key tool after further experience with the HSM and more reading of the PCKS#11 specification. Main change is the removal of compatMode, which was intended to provide support for two naming schemes for EC used in subsequent PKCS#11 drafts. It turns out these schemes were changes in name only and the underlying structs/ints were the exact same (i.e. CKA_ECDSA_PARAMS == CKA_EC_PARAMS and CKM_ECDSA_KEY_PAIR_GEN == CKM_EC_KEY_PAIR_GEN) and just allowed using one of the two names based on preference. This meant with compatMode enabled or disabled the tool did the exact same thing.

Fixes #3697.

[cpu]

I think cmd/gen-ca/main.go would benefit from some godoc comments on the types & functions defined within.

Overall this branch looks pretty good to me. I'd like to do another 🔍 after I've refreshed my memory on some of the PKCS11 details in use here. I flagged a few small nits from a first pass.

[cpu]

😲 Are you using vscode for Boulder & friends regularly?

[rolandshoemaker]

...yes, visual code studio is great ❤️.

[cpu]

Would it be clearer if this said "matching provided template"?

[cpu]

I think this const serialLength and the const dateLayout above could be put inside of the constructCert function scope instead of being global.

[cpu]

Is there a default for this that we can set for the Linux distro we expect to use this on?

[rolandshoemaker]

The PKCS#11 module you use is dependent on the hardware/software you are communicating with. I think putting any defaults here would leak more information about things we use than we are probably comfortable with.

[cpu]

Is there an expected format for the hex input? 0xAAAAAA vs AAAAAA?

[rolandshoemaker]

This led me down a rabbit hole of trying to figure out if there are canonical names/specs for the different textual encoding formats for hexadecimal. Apparently there aren't really any.

[cpu]

typo: "a intermediate" -> "an intermediate"

[cpu]

typo: "Verifed" -> "Verified"

[cpu]

Can you add some Godoc comments for this type & its functions?

[cpu]

I think this function deserves a short comment describing its use/purpose.

[jsha]

Can you rewrite this comment? It doesn't really make sense to me. I think something like "constructs an x509Signer based on the PKCS#11 private key object with the provided label and ID."

Also, why do we take both label and ID? It seems like it would make more sense to just take label, and find the ID based on that label.

[rolandshoemaker]

This is mainly a spec thing, CKA_LABEL is not meant to be unique and CKA_ID is intended to differentiate objects in that case (as well as to identify key pairs).

[jsha]

Any reason not to use time.RFC3339 for this? It's a bit annoying since it requires us to write out seconds and time zone, but probably better to be explicit and formal than to not be. Also, the format of these date fields should be documented somewhere. Maybe on the certProfile struct, and make that an exported type so it becomes part of the godoc?

[rolandshoemaker]

I think using RFC3339 is a bit of a footgun given it allows input of timezone, which will always need to be ignored/normalized to UTC to conform with 5280. We could use a truncated form of 3339 that just omits the timezone, but at that point we're just adding a T between the date and time for no real reason.

Given any format will need to be documented somewhere for people to know how to use it anyway I think going with this is simplest solution (and easier for humans to read in general).

[jsha]

Alright, works for me so long as it is well documented.

[jsha]

This should probably called makeTemplate or something since it doesn't actually do the signing.

[jsha]

The indentation here is weird. It doesn't line up with the line above. How does this past our gofmt test?

[rolandshoemaker]

golang/go#7819

[jsha]

Wow, that is weird. /shrug

[jsha]

I think IssuerURL will be absent for a self-signed root, right? So we should specially handle the case where it's empty.

Relatedly, for each value we interpolate here we should ensure it's non-empty / non-default.

[jsha]

*certTemplate

[jsha]

Can you add to the PR description explaining why compatMode is removed?

[jsha]

As long as you're touching this line, let's split it into one line per argument.

[jsha]

Did you mean to keep this log line?

[rolandshoemaker]

Yup.

[jsha]

The exported types in this file need documentation.

Seeing this factored out, it really does feel like it duplicates a lot of pkcs11key. Are you sure you wouldn't rather just use the library? It has the benefit that it's used somewhat more, so people are more likely to find bugs.

[rolandshoemaker]

I went back and forth about whether to use pkcs11key or not and landed here. I think there are a handful of reasons not to, the largest among them being that it makes testing a bit more painful and and requires either a number of changes to how the ceremony process works or changes to pkcs11key that would only be used in this specific context (which means we're back to it not getting touched by (many) other people in order to find bugs).

I think on the whole I eventually came down on the side of just writing the code here. It allows the gen-ca and gen-key packages to be somewhat more easy to audit, in terms of how they work, and have restricted interfaces in terms of what they can do and what signature formats etc that they support and what kinds of objects they can extract.

[cpu]

Only a few tiny cosmetic changes to request.

[cpu]

s/CommonName/Organization/

[cpu]

s/CommonName/Country/

[cpu]

s/OCSPURL/CRLURL/

[cpu]

🎉