support of HSM signing (#6)

**What this PR does / why we need it**:

Add support for PKCS#11 based signing supporting hardware signing
modules.

Additionally, ~the vendoring is removed~ and the Go version is bumped to
1.23.
**Which issue(s) this PR fixes**:
Fixes #

**Special notes for your reviewer**:

**Release note**:
<!--  Write your release note:
1. Enter your release note in the below block.
2. If no release note is required, just write "NONE" within the block.

Format of block header: <category> <target_group>
Possible values:
- category:       breaking|feature|bugfix|doc|other
- target_group:   user|operator|developer|dependency
-->
```feature operator
Support of PKCS#11 Signing
```

fix #10

---------

Co-authored-by: jakobmoellerdev <[email protected]>
Co-authored-by: Jakob Möller <[email protected]>

Dockerfile

@@ -1,13 +1,14 @@
-FROM golang:1-alpine AS builder
+FROM golang:1.23-bookworm AS builder
 
 WORKDIR /app
 
 COPY go.mod go.sum ./
 COPY vendor/ vendor/
+RUN go mod verify
 COPY pkg/ pkg/
 COPY cmd/signing-server/ ./cmd/signing-server
 
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -mod vendor -a -o signing-server cmd/signing-server/main.go
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o signing-server cmd/signing-server/main.go
 
 FROM alpine:3.16.0
 
@@ -32,4 +33,4 @@ COPY --from=builder app/signing-server /
 # Use an unprivileged user.
 USER ${USER}:${USER}
 
-CMD ["/signing-server"]
+CMD ["/signing-server"]

Makefile

@@ -1,3 +1,5 @@
+REGISTRY := github.com/open-component-model/signing-server
+
 ifeq ($(OS),Windows_NT)
     REPO_ROOT := $(CURDIR)
     VERSION := $(shell cat VERSION)
@@ -16,7 +18,7 @@ CA_CERTS_CM_NAME := ca-certs
 
 .PHONY: go-build
 go-build:
-	@go build -mod vendor -o signing-server cmd/signing-server/main.go
+	@go build -o signing-server ./cmd/signing-server/main.go
 
 .PHONY: docker-build
 docker-build:

README.md

@@ -39,9 +39,23 @@ Common Signing Options:
         supported formats are:
         - PKCS#1 (.der, .pem)
         - PKCS#8 (.pem)
-        - PKCS#12 (.pfx)
+        - PKCS#12 (.pfx) (Password required in environment SIGNING_PFX_PASSWORD)
+  --hsm-keyid string
+        [OPTIONAL] hsm key id
+  --hsm-keylabel string
+        [OPTIONAL] hsm key label
+  --hsm-module string
+        [OPTIONAL] path to HSM library
+  --hsm-pass string
+        [OPTIONAL] HSM passphrase (@... from file, =... from arg)
+  --hsm-slot int
+        [OPTIONAL] hsm slot (default -1)
+  --hsm-tokenlabel string
+        [OPTIONAL] HSM token label
+
   --stdout string
         redirect log, regular output and error output to given file
+  --supportedAlgorithms strings   [OPTIONAL] supported algorithms for signing server
 ```
 
 Signing Tool Options:
@@ -84,12 +98,34 @@ Signing Server Options:
       path to a file which contains the server private key
 ```
 
-## Signing tool
+
+## HSM Signing
+
+Using the *hsm* signing mode signing is switched to hardware-based
+signing, no private key is required anymore. The signing algorithms are
+the same. This mode is enabled by using the `--hsm-module` option.
+
+With `--hsm-module` the path to the HSM shared library is specified. This
+library is specific for your hardware signing module, which should be used
+for signing. For testing, you can use the `softhsm` library (for common
+Linux distributions this is typically `/usr/lib/softhsm/libsofthsm2.so`,
+other Unix-like systems use other paths)
+
+Additionally, the pass phrase and the id or label of the private key has to
+be specified. The slot is optional, by default, the first reported slot is
+used.
+
+## Usage Modes
+
+The executable can be used as signing command line tool to sign content
+given by option to the tool, or a signing server, which accepts signing requests via REST call.
+
+### Signing tool
 
 If called without the `--server` option it can be used as command line tool to sign hashes.
 It accepts options for the content encoding (`--encoding`), the data (`--data`, *<filename>* or *stdin*), the hash algorithm (`--hash`) and the desired output format (`--format`)
 
-## Server
+### Signing Server
 
 If called with option `--server` an http(s) server
 is started able to serve signing requests.
@@ -99,7 +135,7 @@ signed by the server certificate.
 
 It requires a server certificate with optional certificate authority certificate for the web server and a certificate authority certificate for the validation of client certificates if the client authorization is not disabled.
 
-### Sign with RSASSA-PKCS1-V1_5
+#### Sign with RSASSA-PKCS1-V1_5
 
 Sign an arbitrary bytestream that is sent via the request body with the [RSASSA-PKCS1-V1_5](https://datatracker.ietf.org/doc/html/rfc3447#section-8.2) signature algorithm.
 
@@ -147,7 +183,7 @@ Sign an arbitrary bytestream that is sent via the request body with the [RSASSA-
 
 - **Request Body**
 
-  The data that should be signed.
+  The digest that should be signed.
 
 - **Success Response:**
 
@@ -157,6 +193,22 @@ Sign an arbitrary bytestream that is sent via the request body with the [RSASSA-
     ```text
     // Response format depends on the chosen format in the Accept header
     ```
+    
+#### Sign with RSASSA-PSS
+
+Sign a digest that is sent via the request body with the [RSASSA-PSS](https://datatracker.ietf.org/doc/html/rfc3447#section-8.1) signature algorithm.
+
+- **URL**
+
+  /sign/rsassa-pss
+
+- **Request Body**
+
+  similar ro RSASSA-PKCS1-V1_5.
+
+- **Success Response:**
+
+  similar ro RSASSA-PKCS1-V1_5.
 
 ## Setup