Allow supplying external crypto.Signer for TLS signature

[salrashid123]

Summary

Allow users to supply a crypto.Signer implementation instead of an actual private key to dtls.v2.Config.

This would allow an abstration allowing customers to use keys embedded into hardware (TPM) or KMS systems that implement that interface.

Motivation

Right now users have to supply the raw private key to Config but with TPM, KMS or PKCS-11 systems, the key is not extractactable but is 'available' for use sometimes through a a crypto.signer interface:

eg for TPM

• go-tpm-tools
• salrashid123/signer - example

with this feature, a client on a device can use its embedded key for dtls connections

Additional context

some additional refernces (untested at scale)

• JWT:

  • https://github.com/salrashid123/golang-jwt-signer
  • https://github.com/salrashid123/golang-jwt-pkcs11

• mTLS

  • https://github.com/salrashid123/go_tpm_https_embed
  • https://github.com/salrashid123/mtls_pkcs11

[daenney]

Hiya! Thanks for raising this. I think this makes a lot of sense. I'd like to retain the "pass key directly" functionality though since that's what everyone is already using and is a very common way to use the tls library from stdlib too.

But I'm happy for something like this to be added and be tried before falling back to whatever may have been passed in the config for the raw key.

[salrashid123]

got it, yeah adding the Signer capability is what i meant (vs breaking change)

fwiw, if i'm not mistaken, even the privatekeys implements Singer too so there maybe a path to converge/collapse internally

• https://pkg.go.dev/crypto/ecdsa@go1.20#PrivateKey.Sign
• https://pkg.go.dev/crypto/rsa@go1.20#PrivateKey.Sign

• https://github.com/golang/go/blob/master/src/crypto/rsa/rsa.go#L152

---

and fyi, atleast in go, the tls negotations uses SignatureAlgorithm: x509.SHA256WithRSAPSS for TLS but that'll be the responsiblity of the Signer thats passed (eg, for tpm singer i have (atleast for tls1.3 which i do't know even applies here)