diff --git a/hsm-conf.yml b/hsm-conf.yml index f04c697..f769116 100644 --- a/hsm-conf.yml +++ b/hsm-conf.yml @@ -21,10 +21,9 @@ general: nac: 3 gpg: 4 codesign: 5 - ssh_user: 6 - ssh_host: 7 - password_derivation: 8 - encryption: 9 + ssh: 6 + password_derivation: 7 + encryption: 8 x509_defaults: ca: true @@ -129,7 +128,7 @@ admin: user_keys: - label: user_john.doe id: 0xE001 - domains: ['tls', 'nac', 'gpg', 'codesign', 'ssh_user', 'ssh_host', 'password_derivation', 'encryption'] + domains: ['tls', 'nac', 'gpg', 'codesign', 'ssh', 'password_derivation', 'encryption'] capabilities: - sign-ssh-certificate # For SSH certificate creation - sign-hmac # For password derivation @@ -579,12 +578,12 @@ codesign: # OpenSSH certificates are in proprietary format, so these are not signed by the X.509 root CAs. ssh: default_user_ca: 0x0720 - default_host_ca: 0x0721 + default_host_ca: 0x0720 # You could separate these, but given the HSM, having to change one but not the other is unlikely root_ca_keys: - - label: ssh-rsa-user-ca-root-key + label: ssh-rsa-ca-root-key id: 0x0710 - domains: ['ssh_user'] + domains: ['ssh'] algorithm: rsa4096 capabilities: - sign-ssh-certificate @@ -592,46 +591,18 @@ ssh: - sign-pkcs - exportable-under-wrap - - label: ssh-ed25519-user-ca-root-key + label: ssh-ed25519-ca-root-key id: 0x0720 - domains: ['ssh_user'] + domains: ['ssh'] algorithm: ed25519 capabilities: - sign-ssh-certificate - sign-eddsa - exportable-under-wrap - - label: ssh-ecp384-user-ca-root-key + label: ssh-ecp384-ca-root-key id: 0x0730 - domains: ['ssh_user'] - algorithm: ecp384 - capabilities: - - sign-ssh-certificate - - sign-ecdsa - - exportable-under-wrap - - - label: ssh-rsa-host-ca-root-key - id: 0x0711 - domains: ['ssh_host'] - algorithm: rsa4096 - capabilities: - - sign-ssh-certificate - - sign-pss - - sign-pkcs - - exportable-under-wrap - - - label: ssh-ed25519-host-ca-root-key - id: 0x0721 - domains: ['ssh_host'] - algorithm: ed25519 - capabilities: - - sign-ssh-certificate - - sign-eddsa - - exportable-under-wrap - - - label: ssh-ecp384-host-ca-root-key - id: 0x0731 - domains: ['ssh_host'] + domains: ['ssh'] algorithm: ecp384 capabilities: - sign-ssh-certificate diff --git a/hsm_secrets/config.py b/hsm_secrets/config.py index d7479ed..55effa6 100644 --- a/hsm_secrets/config.py +++ b/hsm_secrets/config.py @@ -128,7 +128,7 @@ def algorithm_from_name(algo: Union['AsymmetricAlgorithm', 'SymmetricAlgorithm', HSMKeyID = Annotated[int, Field(strict=True, gt=0, lt=0xFFFF)] HSMKeyLabel = Annotated[str, Field(max_length=40)] HSMDomainNum = Annotated[int, Field(strict=True, gt=0, lt=17)] -HSMDomainName = Literal["all", "x509", "tls", "nac", "gpg", "codesign", "ssh_user", "ssh_host", "password_derivation", "encryption"] +HSMDomainName = Literal["all", "x509", "tls", "nac", "gpg", "codesign", "ssh", "password_derivation", "encryption"] class HSMDomains(NoExtraBaseModel): x509: HSMDomainNum @@ -136,8 +136,7 @@ class HSMDomains(NoExtraBaseModel): nac: HSMDomainNum gpg: HSMDomainNum codesign: HSMDomainNum - ssh_user: HSMDomainNum - ssh_host: HSMDomainNum + ssh: HSMDomainNum password_derivation: HSMDomainNum encryption: HSMDomainNum diff --git a/run-tests.sh b/run-tests.sh index eed9266..8b2f06a 100755 --- a/run-tests.sh +++ b/run-tests.sh @@ -104,14 +104,14 @@ EOF local count=$(run_cmd -q hsm compare | grep -c '\[x\]') assert_success - [ "$count" -eq 39 ] || { echo "Expected 39 objects, but found $count"; return 1; } + [ "$count" -eq 36 ] || { echo "Expected 36 objects, but found $count"; return 1; } # Remove default admin key run_cmd hsm default-admin-disable assert_success local count=$(run_cmd -q hsm compare | grep -c '\[x\]') assert_success - [ "$count" -eq 38 ] || { echo "Expected 38 objects, but found $count"; return 1; } + [ "$count" -eq 35 ] || { echo "Expected 35 objects, but found $count"; return 1; } } test_tls_certificates() {