where private keys are embedded inside:

- Google Cloud KMS
- Trusted Platform Module (TPM)

Basically, you get a crypto.Signer interface whose private key is stored on one of those platforms and never leaves it. Use the signer to create a TLS session, sign CA certificates and CSRs, generate signed URLs, or sign anything else.
Some implementations:

- `kms/`: Sample that implements crypto.Signer using Google Cloud KMS.
- `tpm/`: Sample that implements crypto.Signer using the go-tpm library for Trusted Platform Module. This internally uses go-tpm-tools.client.GetSigner().
- `util/certgen/`: Library that generates a self-signed x509 certificate for the KMS and TPM based signers above.
- `util/csrgen/`: Library that generates a CSR using the key in KMS or TPM.

See the example/ folder for more information.
Initialize a signer and directly use .Sign() as shown in this sample for GCS SignedURL:

- for TPM see mTLS with TPM bound private key
- for KMS see mTLS with Google Cloud KMS

See the example/sign_verify* folders.
The default output signature format for ECC based keys is the ASN.1 format described in ecdsa.SignASN1. If you need the raw output format, set ECCRawOutput: true in the config.
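The two output formats above differ only in how the same (r, s) pair is encoded, and mixing them up is the usual reason a signature that verifies in one place fails in another (JWS ES256 wants raw r||s, x509 and TLS want DER). The following is an added example, not code from this repository: it uses an in-memory P-256 key as a stand-in for the KMS or TPM backed signer (an assumption; the real signers expose the same Public()/Sign() methods), models the ECCRawOutput switch on the config option named above, and shows how to convert a DER signature to raw and verify both forms.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"io"
	"math/big"
)

// ECCSigner is a stand-in for a hardware-backed crypto.Signer. The key here is an
// in-memory ECDSA key generated for the example (assumption); a KMS- or TPM-backed
// signer exposes the same two methods, so the callers below would not change.
type ECCSigner struct {
	key          *ecdsa.PrivateKey
	ECCRawOutput bool // modelled on the ECCRawOutput config option described above
}

func NewECCSigner(rawOutput bool) (*ECCSigner, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ECCSigner{key: k, ECCRawOutput: rawOutput}, nil
}

func (s *ECCSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

// Sign signs an already-hashed digest, either as the DER SEQUENCE{r,s} that
// ecdsa.SignASN1 produces (the default) or as fixed-width r||s when ECCRawOutput is set.
func (s *ECCSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if !s.ECCRawOutput {
		return ecdsa.SignASN1(r, s.key, digest)
	}
	ri, si, err := ecdsa.Sign(r, s.key, digest)
	if err != nil {
		return nil, err
	}
	n := (s.key.Curve.Params().BitSize + 7) / 8 // 32 bytes per integer for P-256
	out := make([]byte, 2*n)
	ri.FillBytes(out[:n])
	si.FillBytes(out[n:])
	return out, nil
}

// ASN1ToRaw converts a DER-encoded ECDSA signature into the raw r||s form.
func ASN1ToRaw(pub *ecdsa.PublicKey, der []byte) ([]byte, error) {
	var sig struct{ R, S *big.Int }
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing bytes after signature")
	}
	n := (pub.Curve.Params().BitSize + 7) / 8
	// Reject malformed values before FillBytes, which panics on overflow.
	if sig.R.Sign() <= 0 || sig.S.Sign() <= 0 || sig.R.BitLen() > 8*n || sig.S.BitLen() > 8*n {
		return nil, fmt.Errorf("signature integers out of range for curve")
	}
	out := make([]byte, 2*n)
	sig.R.FillBytes(out[:n])
	sig.S.FillBytes(out[n:])
	return out, nil
}

// VerifyRaw verifies an r||s signature; ecdsa.VerifyASN1 covers the DER case.
func VerifyRaw(pub *ecdsa.PublicKey, digest, sig []byte) bool {
	n := (pub.Curve.Params().BitSize + 7) / 8
	if len(sig) != 2*n {
		return false
	}
	r := new(big.Int).SetBytes(sig[:n])
	s := new(big.Int).SetBytes(sig[n:])
	return ecdsa.Verify(pub, digest, r, s)
}

// Digest hashes the message; crypto.Signer implementations expect a digest, not the message.
func Digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

func main() {
	signer, err := NewECCSigner(false)
	if err != nil {
		panic(err)
	}
	pub := signer.Public().(*ecdsa.PublicKey)
	digest := Digest([]byte("constructed sample message"))
	der, _ := signer.Sign(rand.Reader, digest, crypto.SHA256)
	raw, _ := ASN1ToRaw(pub, der)
	fmt.Printf("ASN.1 signature: %d bytes, raw signature: %d bytes\n", len(der), len(raw))
	fmt.Println("ASN.1 verifies:", ecdsa.VerifyASN1(pub, digest, der))
	fmt.Println("raw verifies:  ", VerifyRaw(pub, digest, raw))
}
```

The DER form is variable length (70 to 72 bytes for P-256, because of the integer length and sign padding), while the raw form is always exactly 64 bytes; a consumer that checks the length before parsing will therefore reject the wrong format rather than mis-verify it.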
See the examples folder for usage.

See util/:

    go run certgen/certgen.go -cn server.domain.com

See util/csrgen/:

    go run certgen/certgen.go -cn server.domain.com
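What certgen and csrgen rely on is that crypto/x509 only ever calls Public() and Sign() on the key, so a self-signed certificate or a CSR can be produced without the private key leaving KMS or the TPM. The following is an added example, not the repository's certgen/csrgen code: it uses an in-memory P-256 key as the crypto.Signer (an assumption standing in for the kms/ or tpm/ signers), issues a self-signed server certificate for server.domain.com and a CSR for the same name, and prints both as PEM.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewSigner returns the crypto.Signer whose key backs the certificate. For the
// example this is an in-memory P-256 key (assumption); with a KMS- or TPM-backed
// signer the private key stays inside the platform and only Public() and Sign()
// are called, which is all the x509 package needs.
func NewSigner() (crypto.Signer, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SelfSignedCert issues a DER server certificate for cn, signed by the signer itself.
func SelfSignedCert(signer crypto.Signer, cn string) ([]byte, error) {
	// Random 128-bit serial, as CAs are expected to do rather than using 1.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // modern clients match SANs, not CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// parent == template makes it self-signed; signer supplies the private key
	// and signer.Public() is embedded as the subject public key.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
}

// CSR builds a DER certificate signing request for cn. The request is signed
// with the same signer, which is the proof of possession a CA checks.
func CSR(signer crypto.Signer, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn},
		DNSNames: []string{cn},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, signer)
}

// ToPEM wraps DER bytes in a PEM block of the given type.
func ToPEM(blockType string, der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: der}))
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	certDER, err := SelfSignedCert(signer, "server.domain.com")
	if err != nil {
		panic(err)
	}
	csrDER, err := CSR(signer, "server.domain.com")
	if err != nil {
		panic(err)
	}
	fmt.Print(ToPEM("CERTIFICATE", certDER))
	fmt.Print(ToPEM("CERTIFICATE REQUEST", csrDER))
}
```

Because the signer is passed as an interface, swapping the in-memory key for the KMS or TPM signer changes only NewSigner; the certificate and CSR code is unaffected, and the serving side can likewise place the same signer in tls.Certificate.PrivateKey.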
For the TPM Signer, there are two modes of operation:

- managed externally: The TPM device is managed outside of the signer. You have to instantiate the TPM device ReadWriteCloser and client.Key outside of the library and pass them in. The advantage of this is that you control its opening and closing. You must close the key and the closer before calling another signing operation.
- managed by library: This is the preferred mode. You just pass the uint32 handle for the key and the path to the TPM device as a string, and the library opens and closes it as needed. If the device is busy or the TPM is in use during invocation, the operation will fail. TODO: use a backoff retry similar to tpmrand to prevent contention.

Please note that we are persisting the handle here for easy access. The more formal way is to save the entire chain of keys (which is a TODO).

A limitation of using persistent handles is that their number is limited on a TPM (typically 7 slots). You have to evict (i.e. delete) one before loading a new one.
If you just want to issue JWTs, see