feat: HSM support #344

bgrieder · 2024-11-26T15:00:59Z

The main goal of this PR is to add support for the Proteccio HSM.
It provides both

the ability to perform the Create, Destroy, Export, Encrypt, and Decrypt operations on the HSM
the ability to create keys in the KMS which are wrapped by a key in the HSM

This leads to significant refactoring of the database and encryption/decryption (wrap/unwrap) components to add flexibility for supporting additional hardware (or external software) in the future. In particular:

the database components are now in a separate crate server_database. They are now split in 2 implementations: Objects store and Permissions store
a new interfaces crate gathers interfaces to be implemented by new external components. Interfaces include:
- Object Store
- Permissions Store
- Encryption Oracle

Key unique identifiers now support prefixes. Object Stores, Permissions stores, and Encryption Oracles can be registered against the prefixes.

Support for the Sensitive Attribute in addition to the ability to wrap a key by another key has been added to all keys creations

Manuthor

review in progress

crate/cli/src/tests/certificates/encrypt.rs

crate/cli/src/tests/cover_crypt/encrypt_decrypt.rs

crate/cli/src/tests/hsm/encrypt_decrypt.rs

crate/cli/src/tests/hsm/mod.rs

crate/cli/src/tests/hsm/encrypt_decrypt.rs

crate/pkcs11/module/Cargo.toml

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

bgrieder and others added 4 commits November 28, 2024 13:25

added ignore seesions parameter

a1ba737

ci: skip hsm and cloudproof tests

2fd0721

fix: clippy lints

ca3e72f

chore: rebase with develop

e4ee59e

Manuthor force-pushed the pkcs11 branch from 39f275f to e4ee59e Compare November 28, 2024 13:00

Manuthor changed the title ~~WIP: HSM support~~ feat: HSM support Nov 28, 2024

chore: reset 4 space indents to 2

35dfe2c

Manuthor reviewed Nov 28, 2024

View reviewed changes

bgrieder and others added 9 commits November 28, 2024 17:46

lints

1e3130c

rebasing

9b558b9

typo

fe6e721

dyn trait coercion error

30bc3b4

fix(windows): clippy lints

932612f

Merge branch 'pkcs11' of github.com:Cosmian/kms into pkcs11

14b6c7c

fix: recommit from linux

32d8849

fix(windows): proteccio clippy lints

af7e293

fix: ignore dumpbin error code

24bdd68

bgrieder assigned Manuthor Nov 29, 2024

bgrieder and others added 12 commits November 29, 2024 12:07

Update crate/cli/src/tests/certificates/encrypt.rs

3daa3c4

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/cli/src/tests/hsm/encrypt_decrypt.rs

822a5ea

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/pkcs11/module/Cargo.toml

2ca7356

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/pkcs11/module/Cargo.toml

6a442a2

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/pkcs11/module/Cargo.toml

e15a324

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/pkcs11/module/Cargo.toml

45e3f6d

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/pkcs11/module/Cargo.toml

994236f

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/cli/src/tests/hsm/revoke_destroy.rs

bbe79c3

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

fix(build openssl): cleanup

dd39e2c

Update crate/cli/src/tests/hsm/wrap_with_hsm_key.rs

48617f0

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/cli/src/tests/hsm/wrap_with_hsm_key.rs

4a3d018

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/cli/src/tests/hsm/wrap_with_hsm_key.rs

dc0067b

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

bgrieder and others added 6 commits November 29, 2024 12:41

Update crate/interfaces/src/encryption_oracle.rs

8af5e3a

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/interfaces/src/hsm/encryption_oracle_impl.rs

8b3e17c

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update crate/interfaces/src/hsm/interface.rs

b2df094

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

Update documentation/docs/authorization.md

7df2e9d

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>

removed hard-coded conf

896ac02

async trait fix

bf3af52

This was referenced Nov 29, 2024

Improve performance of objects retrieval for KMIP operations #93

Closed

make list_shared_objects use of find instead of having dedicated request functions #34

Closed

Refactoring of the KMIP crate #340

Closed

bgrieder and others added 2 commits November 29, 2024 15:51

ckms documentation fix

9b13675

fix(server_database): fix some lints

865df2e

Manuthor merged commit c660254 into develop Nov 30, 2024
71 checks passed

Manuthor deleted the pkcs11 branch November 30, 2024 05:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: HSM support #344

feat: HSM support #344

bgrieder commented Nov 26, 2024 •

edited

Loading

Manuthor left a comment

feat: HSM support #344

feat: HSM support #344

Conversation

bgrieder commented Nov 26, 2024 • edited Loading

Manuthor left a comment

Choose a reason for hiding this comment

bgrieder commented Nov 26, 2024 •

edited

Loading