resource: add PKCS11 resource back-end #533

Draft: wants to merge 1 commit into base: main
fitzthum
Member

Some very basic PKCS11 support for resources. There are some limitations to what we can do with the current design. See commit message for more info.

I will be OOO for the rest of the week, but I will add a test when I get back. This will probably need a rebase after the plugins PR goes in.

PKCS11 is a generic interface for carrying out cryptographic
operations using devices like HSMs. This commit adds very
basic support for storing KBS resources in an HSM with PKCS11.

One of the many things supported by PKCS11 is storing keys
in a device. Usually these keys are wrapped and/or generated
by the device itself, which is not a good fit for the KBS
resource model.

Instead, we use one particular generic secret key type
that allows the KBS to read and write the plaintext secret value.
This might not capture the full potential of an HSM, but keep in
mind that the default backend simply stores the secrets in the
filesystem. To fully take advantage of key wrapping, we will need to add
PKCS11 support to the CDH or possibly introduce a plugin.

This backend allows users to provision keys to the HSM as well. In fact,
it is more reliable to use this interface than it is to provision keys
separately.

The cryptoki API is not thread-safe, so a Mutex is used. This backend
might not be as performant as the file system backend, especially when
using a real HSM.

Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>
@fitzthum fitzthum requested a review from a team as a code owner October 15, 2024 22:16
@fitzthum fitzthum marked this pull request as draft October 15, 2024 22:16

/// The index of the slot to be used
/// If not provided, the first slot will be used.
slot_index: Option<u8>,
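
Review bot: The doc comment on `slot_index` does not say what happens when the configured index does not match an available slot; state whether that is an error or falls back to the first slot, since a wrong slot decides which token the KBS resources are read from and written to. Also end the first `///` line with a period, because rustdoc joins the two lines into one paragraph and they currently render as a single run-on sentence.
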
Member

If we want this to be a config item, String or i64 might be better?
