Proof-of-concept: HSM support for keys (#21) #512

Closed

43 commits
7ddeac4
WIP: Add PKCS#11 signer support.
ximon18 Apr 22, 2021
4ef974e
PKCS#11 WIP: tests pass, but no config based selection of a pluggable…
ximon18 Apr 29, 2021
1f6f598
Factor pkcs11 support out.
ximon18 Apr 29, 2021
cb2e445
Apply cargo fmt to the crypto related files.
ximon18 Apr 29, 2021
4215209
First steps to dynamic signer selection: make the hsm feature gate le…
ximon18 Apr 29, 2021
b675d52
The PKCS#11 signer is now selectable at runtime and configurable via …
ximon18 Apr 30, 2021
60a8c3c
Use forked versions of the bcder and rpki crates until they are accep…
ximon18 May 4, 2021
a73893f
Follow fn renames in the bcder changes.
ximon18 May 4, 2021
e9474fc
Merge branch 'dev' into issue-21-hsm-support-for-keys
ximon18 May 4, 2021
176c183
Fix compile failure resulting from the merge.
ximon18 May 4, 2021
e637f1c
Initial support for KMIP 1.0-1.3 TTLV over TLS.
ximon18 May 12, 2021
82b8d86
Sync with latest dev branch changes.
ximon18 May 12, 2021
2b0fc5b
Update to use newer rpki-rs as used by the dev and main branches now.
ximon18 May 12, 2021
44fd9d6
Fix for PKCS#11 with AWS CloudHSM.
ximon18 May 12, 2021
16a0613
Hack; Add support for AWS CloudHSM by assigning keys a random identif…
ximon18 May 19, 2021
2d36518
Persist the mapping of Signer generated key ID to X.509 KeyIdentifier…
ximon18 May 20, 2021
57cfcc8
Merge branch 'dev' into issue-21-hsm-support-for-keys
ximon18 May 20, 2021
39faf69
Remove debug statement.
ximon18 May 20, 2021
c0255c1
Fix the upgrade test by reusing the existing KrillSigner, as a second…
ximon18 May 20, 2021
4adf8d9
Fix building and testing without the hsm feature enabled.
ximon18 May 20, 2021
edb3824
Replace Sled with a simple HashMap and append-log-on-disk. Also make …
ximon18 May 25, 2021
3be3fc8
Include signer name and signer key id in REST API CA info response.
ximon18 May 25, 2021
ac65eee
Remove legacy commented code.
ximon18 May 25, 2021
bfff359
Fix PKCS#11 failure to delete one-off key pair, and improve related l…
ximon18 May 25, 2021
1080039
Log KMIP provider details on startup.
ximon18 May 25, 2021
202b13b
Update the KMIP dependency to reference the GitHub published version.
ximon18 May 25, 2021
f29cf0b
Update krill-pkcs11.conf, add KMIP configuration instructions and ren…
ximon18 May 26, 2021
33b599b
Merge branch 'dev' into issue-21-hsm-support-for-keys
ximon18 May 26, 2021
549a122
Add support for selecting a PKCS#11 slot by label instead of by ID.
ximon18 Jun 8, 2021
dcdbb40
FIX: Ensure the key map DB parent directory exists.
ximon18 Jun 8, 2021
58f9520
Log more info about which signer is being initialized.
ximon18 Jun 8, 2021
8612269
Log more info about the PKCS#11 token and slot being used.
ximon18 Jun 8, 2021
3e15f5c
Initial changes to use our own KMIP library. Note: Not all operations…
ximon18 Aug 24, 2021
44a8958
Sync with latest dev branch.
ximon18 Aug 25, 2021
7a5cfcd
Merge branch 'dev' into issue-21-hsm-support-for-keys
ximon18 Aug 25, 2021
5f63f04
Follow dependency rename.
ximon18 Aug 25, 2021
7c73672
Bump to newer KMIP crates to fix issue with PyKMIP PKCS8 key material…
ximon18 Aug 26, 2021
56358cc
Bump to latest revision of bcder PR.
ximon18 Aug 30, 2021
9ee7a25
Merge branch 'dev' into issue-21-hsm-support-for-keys
ximon18 Aug 30, 2021
9997012
Merge branch 'dev' into issue-21-hsm-support-for-keys
ximon18 Aug 30, 2021
8c6b83a
Switch to the released version of the kmip-protocol crate.
ximon18 Aug 30, 2021
1c042ce
Merge branch 'dev' into issue-21-hsm-support-for-keys
ximon18 Aug 30, 2021
01c63bd
Upgrade to kmip-protocol v0.2.1.
ximon18 Sep 21, 2021
183 changes: 164 additions & 19 deletions Cargo.lock


9 changes: 6 additions & 3 deletions Cargo.toml
Expand Up @@ -23,7 +23,7 @@ build = "build.rs"
[dependencies]
base64 = "^0.13"
basic-cookies = { version = "^0.1", optional = true }
bcder = "^0.6"
bcder = { version = "0.6.1-dev", git = "https://github.com/nlnetlabs/bcder.git", branch = "unsigned-from-slice" }
bytes = "1.0"
chrono = { version = "^0.4", features = ["serde"] }
clap = "^2.33"
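Review bot: the `bcder = { version = "0.6.1-dev", git = "https://github.com/nlnetlabs/bcder.git", branch = "unsigned-from-slice" }` line tracks a moving branch with no `rev`, so each build fetches whatever that branch head happens to be; the build is not reproducible and the supply chain now trusts a mutable branch instead of a crates.io release. Pin `rev = "<commit sha>"` until the upstream bcder change this branch carries (the commit history calls it a bcder PR) is released, and add a comment naming that PR so the temporary override is not forgotten once a release exists.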
Expand All @@ -35,17 +35,19 @@ hex = "^0.4"
hyper = { version = "^0.14", features = ["server"] }
intervaltree = "0.2.6"
jmespatch = { version = "^0.3", features = ["sync"], optional = true }
kmip = { version = "0.2.1", package = "kmip-protocol", features = ["tls-with-rustls"], optional = true }
libflate = "^1.0"
log = "^0.4"
once_cell = { version = "^1.7.2", optional = true }
openidconnect = { version = "^2.0.0", optional = true, default_features = false }
openssl = { version = "^0.10", features = ["v110"] }
oso = { version = "^0.12", optional = true, default_features = false }
pkcs11 = { version = "^0.5", optional = true }
regex = { version = "^1.4", optional = true, default_features = false, features = ["std"] }
reqwest = { version = "0.11", features = ["json"] }
reqwestblocking = { version = "0.9.24", optional = true, package = "reqwest" }
rpassword = { version = "^5.0", optional = true }
# rpki = { version = "0.11.1-dev", features = [ "repository", "rrdp", "serde" ], git = "https://github.com/NLnetLabs/rpki-rs.git" }
rpki = { version = "0.12.2", features = [ "repository", "rrdp", "serde" ] }
rpki = { version = "0.12.4", features = [ "repository", "rrdp", "serde" ], git = "https://github.com/ximon18/rpki-rs.git", branch = "0.12.3-unsigned-from-slice" }
scrypt = { version = "^0.6", optional = true, default-features = false }
serde = { version = "^1.0", features = ["derive"] }
serde_json = "^1.0"
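Review bot: `rpki` now points at a personal fork (`git = "https://github.com/ximon18/rpki-rs.git", branch = "0.12.3-unsigned-from-slice"`) while declaring `version = "0.12.4"`, again without a `rev`; the same reproducibility and trust concern as with bcder applies, and the branch name and version disagree, which will confuse anyone auditing Cargo.lock later. Pin a `rev`, and drop the stale commented-out `# rpki = { version = "0.11.1-dev", ... }` line above it, which no longer corresponds to anything in use. The new `kmip` (`package = "kmip-protocol"`) and `pkcs11` entries are correctly `optional = true`; a one-line comment saying which feature turns them on would help readers of this file.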
Expand All @@ -72,6 +74,7 @@ functional-tests = []
ui-tests = []
extra-debug = [ "rpki/extra-debug" ]
static-openssl = [ "openssl/vendored" ]
hsm = [ "once_cell", "pkcs11", "kmip" ]

# Make sure that Krill crashes on panics, rather than losing threads and
# limping on in a bad state.
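Review bot: the new `hsm = [ "once_cell", "pkcs11", "kmip" ]` feature enables both backends together, so a deployment that only needs KMIP over TLS still compiles and links the native PKCS#11 bindings, and vice versa; splitting this into per-backend features (for example `hsm-pkcs11` and `hsm-kmip`, with `hsm` enabling both) would keep the compiled and linked surface to the backend actually in use. The feature is also undocumented; a short comment in the style of the `# Make sure that Krill crashes on panics` note in this file, stating what `hsm` turns on and that the backend is selected at runtime through configuration, would help.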