Add a PKCS 11 provider #68
Conversation
|
Depends on parallaxsecond/parsec-client-test#13 and parallaxsecond/parsec-interface-rs#8 When those two PRs are merged, I will need to push the |
|
Has been tested using all of our tests (normal integration tests, persistence integration tests and stress tests) using the SoftHSMv2 library and the Nitrokey HSM with the OpenSC library. |
| || op.key_attributes.algorithm != Algorithm::sign(SignAlgorithm::RsaPkcs1v15Sign, None) | ||
| { | ||
| error!("The PKCS 11 provider currently only supports creating RSA key pairs for signing and verifying."); | ||
| return Err(ResponseStatus::UnsupportedOperation); |
There was a problem hiding this comment.
Would ResponseStatus::PsaErrorInvalidArgument work better?
There was a problem hiding this comment.
It is a valid option as well. However, those arguments would be valid for another provider for example, it is just that this one does not support them.
src/providers/pkcs11_provider/mod.rs
Outdated
| Err(ResponseStatus::PsaErrorHardwareFailure) | ||
| } | ||
| } | ||
| .or_else(|err| { |
There was a problem hiding this comment.
Why not do the processing from this closure in the block after Err(e) on line 559?
There was a problem hiding this comment.
Yes, that would be less convoluted. Will change here and elsewhere if I do the same.
| priv_template | ||
| .push(CK_ATTRIBUTE::new(pkcs11::types::CKA_TOKEN).with_bool(&pkcs11::types::CK_TRUE)); | ||
|
|
||
| pub_template |
There was a problem hiding this comment.
Do we need to pin the public exponent by setting CKA_PUBLIC_EXPONENT (preferably to 65537)? e.g. mbed crypto does it https://github.com/ARMmbed/mbed-crypto/blob/150d5777802834f0b7084fad95b32ebbc1e75d16/include/psa/crypto.h#L3728
There was a problem hiding this comment.
Good point! I checked that the implementation I was working on (SoftHSM) does that by default but it would be more correct indeed to fix it to 0x010001. Will change.
src/providers/pkcs11_provider/mod.rs
Outdated
|
|
||
| let key = self | ||
| .find_key(session.session_handle(), key_id, KeyPairType::PublicKey) | ||
| .or_else(|err| { |
There was a problem hiding this comment.
Is this needed? You have logging messages before most failures in find_key (apart from line 449), don't think there's a need to log something here as well
src/providers/pkcs11_provider/mod.rs
Outdated
| { | ||
| Ok(_) => Ok(ResultAsymVerify {}), | ||
| Err(e) => match e { | ||
| pkcs11::errors::Error::Pkcs11(ck_rv) if ck_rv == CKR_SIGNATURE_INVALID => { |
There was a problem hiding this comment.
pkcs11::errors::Error::Pkcs11(CKR_SIGNATURE_INVALID) => { ...
There was a problem hiding this comment.
I tried that before but got an error but now it seems that it works 😕 Will change!
| @@ -19,17 +19,23 @@ mod tests { | |||
| use parsec_interface::requests::Result; | |||
| use std::collections::HashSet; | |||
|
|
|||
| //TODO: put those two first tests in a separate target which is executed with an | |||
src/providers/pkcs11_provider/mod.rs
Outdated
|
|
||
| let mut template: Vec<CK_ATTRIBUTE> = Vec::new(); | ||
|
|
||
| let key_test: RsaPublicKey = serde_asn1_der::from_bytes(&op.key_data).unwrap(); |
There was a problem hiding this comment.
I'm guessing this isn't a "test" key here
This provider will interface with a PKCS 11 dynamic library to communicate with a PKCS 11 device. Add PKCS 11 configuration for the user to enter the path of the dynamic PKCS 11 library to load, the slot number where the device is and the user pin of that device. Removes provider-dependant information in the tests: they shoudl be generic no matter what provider is currently used. The PKCS 11 provider currently only supports RSA Key pair generation, importing and exporting public keys, signing and verifying with those RSA keys. Co-authored-by: Paul Howard <[email protected]> Signed-off-by: Hugues de Valon <[email protected]>
This provider will interface with a PKCS 11 dynamic library to
communicate with a PKCS 11 device.
Add PKCS 11 configuration for the user to enter the path of the dynamic
PKCS 11 library to load, the slot number where the device is and the
user pin of that device.
Removes provider-dependant information in the tests: they shoudl be
generic no matter what provider is currently used.
The PKCS 11 provider currently only supports RSA Key pair generation,
importing and exporting public keys, signing and verifying with those
RSA keys.
Co-authored-by: Paul Howard [email protected]
Signed-off-by: Hugues de Valon [email protected]