Add support for PKCS #11 KMS.

The implementation works with YubiHSM2. Unit tests are still pending. Fixes #301
2026-01-27 10:18:34 +00:00 · 2021-01-26 20:03:53 -08:00
parent c61222de1d
commit 8dca652bc7
10 changed files with 602 additions and 13 deletions
--- a/11
+++ b/11
@@ -6,6 +6,8 @@ AWSKMS_BINNAME?=step-awskms-init
 AWSKMS_PKG?=github.com/smallstep/certificates/cmd/step-awskms-init
 YUBIKEY_BINNAME?=step-yubikey-init
 YUBIKEY_PKG?=github.com/smallstep/certificates/cmd/step-yubikey-init
+PKCS11_BINNAME?=step-pkcs11-init
+PKCS11_PKG?=github.com/smallstep/certificates/cmd/step-pkcs11-init

 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)
@@ -76,7 +78,7 @@ GOFLAGS := CGO_ENABLED=0
 download:
 	$Q go mod download

-build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME)
+build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME) $(PREFIX)bin/$(PKCS11_BINNAME)
 	@echo "Build Complete!"

 $(PREFIX)bin/$(BINNAME): download $(call rwildcard,*.go)
@@ -95,6 +97,10 @@ $(PREFIX)bin/$(YUBIKEY_BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
 	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(YUBIKEY_BINNAME) $(LDFLAGS) $(YUBIKEY_PKG)

+$(PREFIX)bin/$(PKCS11_BINNAME): download $(call rwildcard,*.go)
+	$Q mkdir -p $(@D)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(PKCS11_BINNAME) $(LDFLAGS) $(PKCS11_PKG)
+
 # Target to force a build of step-ca without running tests
 simple: build

@@ -171,6 +177,9 @@ endif
 ifneq ($(YUBIKEY_BINNAME),"")
 	$Q rm -f bin/$(YUBIKEY_BINNAME)
 endif
+ifneq ($(PKCS11_BINNAME),"")
+	$Q rm -f bin/$(PKCS11_BINNAME)
+endif

 .PHONY: clean