
PKCS#11 support (targetting nShield HSMs and SoftHSM) #1369

Open. Wants to merge 4 commits into base: master

Conversation

optnfast

This PR adds a new pkcs11 key store. I have tested with nShield and SoftHSM. Usage is described in trustmanager/p11store/pkcs11.md.

Overview

  • The new key store appears last in the list, so it will not be used by default.
  • New command-line options control key generation using a PKCS#11 token.
  • It supports root, targets, timestamp and snapshot keys.
  • No build-time configuration is required.

Discussion

I originally raised this project on one of the other PKCS#11-related issues, with my original plan here.

The only discussion arising was that Florian suggested supporting multiple classes of HSM concurrently. I've not done this since it's not a use case I have, but I'd be happy to retest against nShield if someone needs this idea enough to implement it.

In the end I didn't attempt to share code with the existing PKCS#11 implementation. I felt that the differing assumptions about (for example) the number of slots on the token and the interpretation of CKA_ID made this impractical.

Availability

Unfortunately I will have poor availability in the next week or two (i.e. early July 2018) - so I apologise in advance if I'm slow to respond to any feedback.

Richard Kettlewell added 4 commits June 26, 2018 16:13
Necessary because HSM users expect keys to be generated by the HSM,
not generated on the host and imported.

`notary key generate` and `rotate` can take `--keystore` and `--token`.
These are intended to control key generation on an HSM (concrete support
for a real HSM isn't in this commit).

Signed-off-by: Richard Kettlewell <Richard.Kettlewell@thales-esecurity.net>
This is added (finally) to key store lists. Instead of expecting it to
automatically claim suitable keys the user must specify this key store;
otherwise they will get software keys.

Signed-off-by: Richard Kettlewell <Richard.Kettlewell@thales-esecurity.net>
Signed-off-by: Richard Kettlewell <Richard.Kettlewell@thales-esecurity.net>
The signer has a new storage backend, pkcs11.

signer.Dockerfile switches to a Debian base, because the nShield
PKCS#11 provider needs some Glibc symbols (at least in my build of it).

Signed-off-by: Richard Kettlewell <Richard.Kettlewell@thales-esecurity.net>
@docker-jenkins

Can one of the admins verify this patch?


@SchreiverJ left a comment


Should it be possible to pass keystore and token via ENV variables, to support operations like docker push using the PKCS11 keystore?


This key store appears (by default) last in the list of supported key stores.
So by default keys will be created in software and no HSM used.
To enable use of an HSM, the new `--keystore` and `--token` arguments must be used.


--keystore and --token are mentioned as required but not used in any examples.


In examples used -K / -T respectively.

@vklindukh

@optnfast Hello.
I tried this PR with AWS CloudHSM and got stuck with token. What is it in terms of CloudHSM?

@stafwag

stafwag commented Sep 18, 2020

@optnfast are you still available?

I'd really like to see support for other HSMs than just the yubikey. Supporting more HSM vendors/types (like the yubihsm2) is important.

@vikstrous Normally you should be able to find the token with p11tool from gnutls:
'p11tool --list-tokens'. You might need to set the provider library to the lib of your HSM, e.g. p11tool --list-tokens --provider=/path/to/pkcs11-lib.so (just my 5 cents).

@optnfast (Author)

@stafwag Things have changed here and I don't have an immediate use case for TUF. So while more HSM integrations are a good thing from my perspective, there's a fairly low limit on how much time I could realistically spend on this PR in the foreseeable future.

5 participants