(!) This project is at an experimental stage and is very much a work-in-progress. It should not be used in production deployments at this time. Furthermore the functionality and interfaces offered should be considered unstable.
This Rust application accepts KMIP requests, converts them to PKCS#11 format and executes them against a loaded PKCS#11 library.
The use case for which this application is primarily being developed is to enable an application that wishes to make use of a Hardware Security Module (HSM) via a PKCS#11 interface to do so without having to load an untrusted third-party PKCS#11 library into its own process.
This is particularly important for a Rust application, because PKCS#11 is a foreign function interface beyond which the Rust compiler cannot see, so it exposes the application to code that is likely not protected by the guarantees the Rust compiler provides.
If the PKCS#11 library experiences a fatal error, that is not necessarily a reason to exit the parent application; whether or not exiting is appropriate depends heavily on the purpose of that application. Any STDOUT and STDERR output produced by the PKCS#11 library may also become mixed with the application's own output, which can be confusing.
This application may also be of interest as a general purpose solution for enabling a KMIP capable application to communicate with a PKCS#11 only capable HSM.
Note however that at the time of writing, and for the foreseeable future, this application implements support for only a limited fraction of the entire interface defined by the applicable versions of the KMIP and PKCS#11 specifications, specifically whatever is needed to power our own projects.
This application also currently only supports KMIP via the TCP+TLS+TTLV transport. There is no support for the HTTPS+XML or HTTPS+JSON transports defined by the KMIP profiles specification.
This application is possible thanks to the following foundational Rust crates on which it builds:
The code of the keyls tool served as a very useful starting point as it already supported both KMIP and PKCS#11 albeit only as a client and not as a server.
- A TLS certificate and key, such as the example ones available here: https://github.com/rustls/hyper-rustls/blob/main/examples/. Note: this application may be updated in future to use a pre-shared key approach instead.
- A PKCS#11 library and associated HSM to interact with, either a real hardware device or a virtual HSM such as https://www.softhsm.org/.
The following operations are supported by this application at present:
KMIP Operation | PKCS#11 Function | Limitations
---|---|---
Locate | C_FindObjects() | KMIP request payload fields are currently ignored. Will locate PKCS#11 objects having class PUBLIC_KEY or PRIVATE_KEY.
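As an added illustration (not code from this project), the following Rust sketch shows the shape of the Locate mapping described in the table: the request payload is ignored, one C_FindObjects search is run per supported object class, and the returned object handles are reported back as KMIP Unique Identifiers. The `Token` trait and `FakeToken` are assumptions standing in for a loaded PKCS#11 library so the example runs without an HSM; the `CKA_CLASS`/`CKO_*` values are the ones defined by the PKCS#11 specification, and rendering a handle as its decimal string is an assumed identifier scheme.

```rust
// Raw PKCS#11 types and constants (values as defined in the PKCS#11 spec).
type CkAttributeType = u64;
type CkObjectClass = u64;
type CkObjectHandle = u64;

const CKA_CLASS: CkAttributeType = 0x0000_0000;
const CKO_PUBLIC_KEY: CkObjectClass = 0x0000_0002;
const CKO_PRIVATE_KEY: CkObjectClass = 0x0000_0003;

/// One attribute of a C_FindObjectsInit search template.
#[derive(Debug, Clone, PartialEq)]
pub struct Attr { pub typ: CkAttributeType, pub value: u64 }

/// Assumed stand-in for the C_FindObjectsInit/C_FindObjects/C_FindObjectsFinal
/// sequence of a loaded PKCS#11 library (not the project's own API).
pub trait Token {
    fn find_objects(&self, template: &[Attr]) -> Vec<CkObjectHandle>;
}

/// KMIP Locate request with its payload fields deliberately dropped, matching
/// the current limitation that they are ignored.
pub struct LocateRequest;

/// Map Locate to two searches, one per supported object class, and return the
/// found handles as KMIP Unique Identifiers (assumed: handle as decimal string).
pub fn locate<T: Token>(token: &T, _req: &LocateRequest) -> Vec<String> {
    let mut ids = Vec::new();
    for class in [CKO_PUBLIC_KEY, CKO_PRIVATE_KEY] {
        let template = [Attr { typ: CKA_CLASS, value: class }];
        for handle in token.find_objects(&template) {
            ids.push(handle.to_string());
        }
    }
    ids
}

/// In-memory token (constructed) used only to exercise the mapping offline.
pub struct FakeToken { pub objects: Vec<(CkObjectHandle, CkObjectClass)> }

impl Token for FakeToken {
    fn find_objects(&self, template: &[Attr]) -> Vec<CkObjectHandle> {
        self.objects.iter()
            // Only CKA_CLASS templates are understood by this fake token.
            .filter(|(_, class)| template.iter().all(|a| a.typ == CKA_CLASS && a.value == *class))
            .map(|(h, _)| *h)
            .collect()
    }
}
```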
```console
$ kmip2pkcs11
error: the following required arguments were not provided:
  --server-cert <SERVER_CERT_PATH>
  --server-key <SERVER_KEY_PATH>
  --lib-path <LIB_PATH>

Usage: kmip2pkcs11 --server-cert <SERVER_CERT_PATH> --server-key <SERVER_KEY_PATH> --lib-path <LIB_PATH>

For more information, try '--help'.
```