ThalesGroup · dmjones · May 14, 2019 · Apr 23, 2019 · Apr 23, 2019 · Apr 25, 2019
diff --git a/.travis.yml b/.travis.yml
@@ -1,24 +1,28 @@
-sudo: required
-dist: trusty
-
+dist: xenial
 language: go
 
 go:
- - "1.10.x"
+ - "1.11.x"
  - "master"
 
-# trusty only has softhsmv1
-before_script:
- - sudo add-apt-repository -y ppa:pkg-opendnssec/ppa && sudo apt-get update && sudo apt-get install softhsm2
- - curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
+# Xenial comes with v2.0.0 SoftHSM2, which seems to have issues with ECDSA
+# code points
+addons:
+ apt:
+  sources:
+   - sourceline: 'ppa:pkg-opendnssec/ppa'
+  packages:
+   - softhsm2
+
+env:
+ - GO111MODULE=on
+
 
 script:
  - echo directories.tokendir = `pwd`/tokens > softhsm2.conf
  - echo objecstore.backend = file >> softhsm2.conf
  - cat softhsm2.conf
  - mkdir tokens
  - export SOFTHSM2_CONF=`pwd`/softhsm2.conf
- - softhsm2-util --init-token --slot 0 --label test --so-pin sopassword --pin password
- - cp configs/config.softhsm2 config
- - dep ensure
- - go test -v -bench .
+ - softhsm2-util --init-token --slot 0 --label token1 --so-pin sopassword --pin password
+ - go test -mod readonly -v -bench .
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ Crypto11
 [![GoDoc](https://godoc.org/github.com/ThalesIgnite/crypto11?status.svg)](https://godoc.org/github.com/ThalesIgnite/crypto11)
 [![Build Status](https://travis-ci.com/ThalesIgnite/crypto11.svg?branch=master)](https://travis-ci.com/ThalesIgnite/crypto11)
 
-This is an implementation of the standard Golang hardware crypto interface that
+This is an implementation of the standard Golang crypto interfaces that
 uses [PKCS#11](http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os-complete.html) as a backend. The supported features are:
 
 * Generation and retrieval of RSA, DSA and ECDSA keys.
@@ -15,8 +15,8 @@ uses [PKCS#11](http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/p
 * ECDSA signing.
 * DSA signing.
 * Random number generation.
-* (Experimental) AES and DES3 encryption and decryption.
-* (Experimental) HMAC support.
+* AES and DES3 encryption and decryption.
+* HMAC support.
 
 Signing is done through the
 [crypto.Signer](https://golang.org/pkg/crypto/#Signer) interface and
@@ -25,37 +25,72 @@ decryption through
 
 To verify signatures or encrypt messages, retrieve the public key and do it in software.
 
-See the documentation for details of various limitations.
+See [the documentation](https://godoc.org/github.com/ThalesIgnite/crypto11) for details of various limitations,
+especially regarding symmetric crypto.
 
-There are some rudimentary tests.
-
-There is a demo web server in the `demo` directory, which publishes
-the contents of `/usr/share/doc`.
 
 Installation
 ============
 
-(If you don't have one already) create [a standard Go workspace](https://golang.org/doc/code.html#Workspaces) and set the `GOPATH` environment variable to point to the workspace root.
-
-crypto11 manages it's dependencies via `dep`.  To Install `dep` run:
+Since v1.0.0, crypto11 requires Go v1.11+. Install the library by running:
 
-	go get -u github.com/golang/dep/cmd/dep
+```bash
+go get github.com/ThalesIgnite/crypto11
+```
 
-Clone, ensure deps, and build:
+The crypto11 library needs to be configured with information about your PKCS#11 installation. This is either done programmatically
+(see the `Config` struct in [the documentation](https://godoc.org/github.com/ThalesIgnite/crypto11)) or via a configuration
+file. The configuration file is a JSON representation of the `Config` struct.
 
-    go get github.com/ThalesIgnite/crypto11
-    cd $GOPATH/src/github.com/ThalesIgnite/crypto11
-    dep ensure
-    go build
+A minimal configuration file looks like this:
 
-Edit `config` to taste, and then run the test program:
+```json
+{
+  "Path" : "/usr/lib/softhsm/libsofthsm2.so",
+  "TokenLabel": "token1",
+  "Pin" : "password"
+}
+```
 
-    go test  -count=1
+- `Path` points to the library from your PKCS#11 vendor.
+- `TokenLabel` is the `CKA_LABEL` of the token you wish to use.
+- `Pin` is the password for the `CKU_USER` user.
 
 Testing Guidance
 ================
 
-Testing with nShield
+Testing with SoftHSM2
+---------------------
+
+To set up a slot:
+
+    $ cat softhsm2.conf
+    directories.tokendir = /home/rjk/go/src/github.com/ThalesIgnite/crypto11/tokens
+    objectstore.backend = file
+    log.level = INFO
+    $ mkdir tokens
+    $ export SOFTHSM2_CONF=`pwd`/softhsm2.conf
+    $ softhsm2-util --init-token --slot 0 --label test
+    === SO PIN (4-255 characters) ===
+    Please enter SO PIN: ********
+    Please reenter SO PIN: ********
+    === User PIN (4-255 characters) ===
+    Please enter user PIN: ********
+    Please reenter user PIN: ********
+    The token has been initialized.
+
+The configuration looks like this:
+
+    $ cat config
+    {
+      "Path" : "/usr/lib/softhsm/libsofthsm2.so",
+      "TokenLabel": "test",
+      "Pin" : "password"
+    }
+
+(At time of writing) OAEP is only partial and HMAC is unsupported, so expect test skips.
+
+Testing with nCipher nShield
 --------------------
 
 In all cases, it's worth enabling nShield PKCS#11 log output:
@@ -94,66 +129,6 @@ To protect keys with the module only, use the 'accelerator' token:
 
 (At time of writing) GCM is not implemented, so expect test skips.
 
-Testing with SoftHSM
---------------------
-
-While the aim of the exercise is to use an HSM, it can be convenient
-to test with a software-only provider.
-
-To set up a slot:
-
-    $ cat softhsm.conf
-    0:softhsm0.db
-    $ export SOFTHSM_CONF=`pwd`/softhsm.conf
-    $ softhsm --init-token --slot 0 --label test
-    The SO PIN must have a length between 4 and 255 characters.
-    Enter SO PIN:
-    The user PIN must have a length between 4 and 255 characters.
-    Enter user PIN:
-    The token has been initialized.
-
-Configure as follows:
-
-    $ cat config
-    {
-      "Path" : "/usr/lib/softhsm/libsofthsm.so",
-      "TokenLabel": "test",
-      "Pin" : "password"
-    }
-
-DSA, ECDSA, PSS and OAEP aren't supported, so expect test failures.
-
-Testing with SoftHSM2
----------------------
-
-To set up a slot:
-
-    $ cat softhsm2.conf
-    directories.tokendir = /home/rjk/go/src/github.com/ThalesIgnite/crypto11/tokens
-    objectstore.backend = file
-    log.level = INFO
-    $ mkdir tokens
-    $ export SOFTHSM2_CONF=`pwd`/softhsm2.conf
-    $ softhsm2-util --init-token --slot 0 --label test
-    === SO PIN (4-255 characters) ===
-    Please enter SO PIN: ********
-    Please reenter SO PIN: ********
-    === User PIN (4-255 characters) ===
-    Please enter user PIN: ********
-    Please reenter user PIN: ********
-    The token has been initialized.
-
-The configuration looks like this:
-
-    $ cat config
-    {
-      "Path" : "/usr/lib/softhsm/libsofthsm2.so",
-      "TokenLabel": "test",
-      "Pin" : "password"
-    }
-
-(At time of writing) OAEP is only partial and HMAC is unsupported, so expect test skips.
-
 Limitations
 ===========
 
@@ -168,34 +143,13 @@ but you must call the Close()
 interface (not found in [cipher.BlockMode](https://golang.org/pkg/crypto/cipher/#BlockMode)).
 See [issue #6](https://github.com/ThalesIgnite/crypto11/issues/6) for further discussion.
 
-Wishlist
+Contributions
 ========
 
-* Full test instructions for additional PKCS#11 implementations.
-* A pony.
-
-Copyright
-=========
-
-MIT License.
-
-Copyright 2016-2018 Thales e-Security, Inc
+Contributions are gratefully received. Before beginning work on sizeable changes, please open an issue first to
+discuss.
 
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
+Here are some topics we'd like to cover:
 
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+* Full test instructions for additional PKCS#11 implementations.
+* Move to another resource pool implementation (`github.com/vitessio/vitess` is a big dependency)