nitrokey / nethsm-pkcs11
License: Other
PKCS#11 driver for NetHSM
Admin rights will be needed
when pData is null
Secrets should be added as "Generic"
If the data is too short it should wait for more data and then decrypt that block. This is completely optional as it is in the specs and C_Decrypt() is often used instead of C_DecryptUpdate()
With the packages in Debian buster it works:
libp11 : 0.4.11-1
OpenSSL : OpenSSL 1.1.1n 15 Mar 2022
Doesn't work with Arch packages:
libp11 : 0.4.12-2
OpenSSL : OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)
The error is:
Unable to enumerate private keys
The private key was not found at: pkcs11:object=nginx;type=public
PKCS11_get_private_key returned NULL
Could not read key from org.openssl.engine:pkcs11:pkcs11:object=nginx;type=public
40B7CBBAF97F0000:error:40000065:pkcs11 engine:ERR_ENG_error:object not found:eng_back.c:887:
40B7CBBAF97F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:79:
When using libp11 from commit 74497e0fa5b69b15790d6697e1ebce13af842d4c the error is different:
409711B3017F0000:error:068000DE:asn1 encoding routines:asn1_template_ex_i2d:illegal zero content:crypto/asn1/tasn_enc.c:374:
409711B3017F0000:error:020C0100:rsa routines:rsa_priv_encode:malloc failure:crypto/rsa/rsa_ameth.c:154:
409711B3017F0000:error:03000092:digital envelope routines:EVP_PKEY2PKCS8:private key encode error:crypto/evp/evp_pkey.c:161:
409711B3017F0000:error:04800073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:133:
The current rust generator doesn't fit with our usage of the api, meaning we currently have to apply patches on top of the generated code in order to use the api.
The objective is to have a custom openapi generator where we won't need patches on top of the generated code.
Admin credentials will be needed
Currently only private keys, public keys and secret keys are listed.
The module should try to get the certificate associated with a key from the server and, if available, store the DER-encoded certificate in the CKA_VALUE field and list the certificate.
The hashing will be done on the host machine and not on the NetHSM.
return CKR_NEED_TO_CREATE_THREADS if CKF_LIBRARY_CANT_CREATE_OS_THREADS flag is set
when pData is null
A new optional field would be added to the configuration file.
The two implementations should be similar and call /api/v1/keys/generate
Currently we dump the errors as is, a better presentation would be appreciated
I tried building this on Trisquel OS with the build.sh script.
It throws a path error of unable to find pkcs11 in $GOROOT and $GOPATH.
Error in 3rd line of main.go
Since gccgo is more trustworthy, I request a gccgo build script if possible.
The current targets are:
If we don't have any answer from the OpenDNSSEC team we would have to change the implementation to have one unique object Db per Token/Slot.
OpenDNSSEC issue : https://issues.opendnssec.org/browse/SUPPORT-286
when pData is null
Write unit tests for the different parts of the module.
A way to get two passwords is needed, maybe use a separator in the PIN string?
nitropy nethsm --no-verify-tls --host localhost:8443 generate-key --type Curve25519 --length 255 --mechanism "EdDSA_Signature" --key-id FirstEdDSAKey
This command should output the key in SSH form:
ssh-keygen -D ~/git/nethsm-pkcs11/target/debug/libnethsm_pkcs11.so -e
Run build and test on every commit on a pull request and on main
We should match attributes like CKA_PRIVATE, CKA_SIGN ... so we don't send back keys that don't have the capabilities
This issue is here to discuss the next features and functionalities to be implemented.
The use case would be when multiple NetHSMs would have the same keys stored.
Right now this can be achieved by configuring multiple slots in the configuration, but the application will see all the servers as different slots, so the load balancing needs to be done by the application.
The idea would be to list multiple servers with different addresses and credentials and try to balance the usage between each of them.
Looking at the above issue, when a process forks after loading a shared library made with Go, it crashes.
Is this project safe for this issue?
It happens randomly when retrying tools/test_upload_ec_key.sh
Waits for a NetHSM to come online
If the data is too short it should wait for more data and then encrypt that block.