Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HSM 3: PKCS#11 walking skeleton #727

Merged
merged 153 commits into from
Nov 23, 2021
Merged

HSM 3: PKCS#11 walking skeleton #727

Show file tree
Hide file tree
Changes from 144 commits
Commits
Show all changes
153 commits
Select commit Hold shift + click to select a range
5571271
Support multiple signers of different types behind a HSM feature flag…
ximon18 Sep 23, 2021
1f2c9ee
Added some developer docs.
ximon18 Sep 23, 2021
0fb9c91
Merge branch 'dev' into issue-539-support-multiple-signers
ximon18 Sep 24, 2021
870a102
- Bump to v0.3.1 of the kmip-protocol crate.
ximon18 Oct 5, 2021
b849f66
Avoid potential race conditions: Check for expected state, and retain…
ximon18 Oct 5, 2021
4e759aa
Merge branch 'dev' into issue-566-implement-krill-kmip-based-signer-i…
ximon18 Oct 5, 2021
431b54d
Merge branch 'dev' into issue-566-implement-krill-kmip-based-signer-i…
ximon18 Oct 5, 2021
9b788ae
Always dump the PyKMIP log so that we can see evidence of Krill using…
ximon18 Oct 5, 2021
5322233
FIX: Signer dispatching must always be routed to the appropriate sign…
ximon18 Oct 5, 2021
5e359b3
Additional architecture docs regarding signing.
ximon18 Oct 5, 2021
369d00a
Remove commented out code.
ximon18 Oct 5, 2021
280ccc4
Remove unnecessary Arc<RwLock<..>> and naming cleanup.
ximon18 Oct 6, 2021
f9d7c4f
WIP: Add a SignerMapper that is used to map from KeyIdentifier to Sig…
ximon18 Oct 12, 2021
36b1dc7
Test both in normal HSM usage mode (use OpenSSL for one-off keys) and…
ximon18 Oct 12, 2021
3c6907d
Uncomment temporarily commented out test.
ximon18 Oct 12, 2021
29c07c8
(Temporary work around) Wait longer in the suspend test so that slowe…
ximon18 Oct 12, 2021
af44866
Added some notes about the signer mapper design.
ximon18 Oct 12, 2021
f825f87
Drop comments about signer identity verification, the functionality w…
ximon18 Oct 12, 2021
04ae949
Refactor signer dispatching related structs into their own modules un…
ximon18 Oct 12, 2021
198dde6
Clippy.
ximon18 Oct 12, 2021
bb97234
Tweaked some comments.
ximon18 Oct 12, 2021
512a477
Removed some unnecessary Clone, Arc and unused fn arguments.
ximon18 Oct 12, 2021
e7a6a66
Minor comment tweaks and naming improvements.
ximon18 Oct 12, 2021
f59431b
Module export and visibility cleanup.
ximon18 Oct 13, 2021
5b93ec7
cargo fmt.
ximon18 Oct 13, 2021
4f55ad1
Lots of tweaks, depends on locally modified unreleased kmip-protocol …
ximon18 Oct 14, 2021
3995b31
Bump kmip-protocol crate dependency to v0.4.0 to get new ItemNotFound…
ximon18 Oct 14, 2021
397e503
Use a local fork of rpki-rs which depends on bcder 0.6.1-dev instead …
ximon18 Oct 14, 2021
c68d50f
Compilation fixes now that Signer no longer uses &mut.
ximon18 Oct 14, 2021
866e71c
More mut removal.
ximon18 Oct 14, 2021
38fd8d1
More mut removal. Replace RwLocks around SignerProviders with a much …
ximon18 Oct 14, 2021
502e10e
Create empty PKCS#11 signer shell.
ximon18 Oct 14, 2021
c0cf4f9
Split the PKCS#11 provider into separate files in its own module.
ximon18 Oct 18, 2021
0bb4300
Broken: cannot make KrillSigner async because CertAuth::process_comma…
ximon18 Oct 18, 2021
a774c31
Rename feature flag hsm-tests to hsm-tests-kmip and add feature flag …
ximon18 Oct 20, 2021
0ce2af0
FIX: Accidentally inverted meaning of ignore missing capabilities flag.
ximon18 Oct 20, 2021
e746119
Rename SignerError::SignerUnavailable and SignerError::SignerUnusable…
ximon18 Oct 20, 2021
29db34d
Rename the flag for whether or not a KMIP signer has support for gene…
ximon18 Oct 20, 2021
894cd29
Sort error variants alphabetically.
ximon18 Oct 20, 2021
930dbff
Simplify type specification to be consistent with nearby code.
ximon18 Oct 20, 2021
5bacab6
Use the same arg name as the OpenSslSigner both because it better say…
ximon18 Oct 20, 2021
055fd67
Extract getting the pool connection out to a helper fn in preparation…
ximon18 Oct 20, 2021
f2190b1
Added and tweaked some comments.
ximon18 Oct 20, 2021
ede4dff
Temporary hack to indicate which signer failed. Should handle this be…
ximon18 Oct 20, 2021
ac52c1c
WIP: Incomplete initial PKCS#11 functionality based on a mix of lates…
ximon18 Oct 20, 2021
1864b85
Removed unused trait impl.
ximon18 Oct 20, 2021
4662b92
WIP:
ximon18 Oct 20, 2021
b8930b2
Use a second signer configuration (OpenSSL instead of PKCS#11) when c…
ximon18 Oct 20, 2021
d08e8cc
PKCS#11 updates:
ximon18 Oct 21, 2021
8dfa760
PKCS#11: Rename handle to session_handle and cargo fmt.
ximon18 Oct 21, 2021
3d72fc8
PKCS#11: Add support for deleting key pairs.
ximon18 Oct 21, 2021
8dbc7b1
More / tweaked comments.
ximon18 Oct 21, 2021
a476c14
Fix build when hsm feature is not enabled.
ximon18 Oct 23, 2021
a8155a7
Factor out the KMIP/PKCS#11 common server probing code into a new pro…
ximon18 Oct 23, 2021
26bc03d
Remove unused code.
ximon18 Oct 23, 2021
6c9f829
Fix typo in comment.
ximon18 Oct 23, 2021
652297a
Add PKCS#11 support for generating random numbers.
ximon18 Oct 23, 2021
3aaca1c
cargo fmt
ximon18 Oct 23, 2021
32ce607
Use published fork of rpki-rs instead of a local only copy so that GH…
ximon18 Oct 23, 2021
8f5b4d4
Fix compilation when the hsm-tests-kmip feature is active.
ximon18 Oct 23, 2021
a452c77
Fix compilation when only the hsm feature is active.
ximon18 Oct 23, 2021
ff3b18a
First attempt at a GitHub Actions CI job for testing the PKCS#11 supp…
ximon18 Oct 23, 2021
3a32923
Fix apt install fail in GH Actions by using sudo.
ximon18 Oct 23, 2021
31e9e64
Try and give the running user rights as the softhsm group.
ximon18 Oct 23, 2021
b92d0fc
Try a different way to get softhsm group permission.
ximon18 Oct 23, 2021
dcfe4e5
Use published fork of rpki-rs instead of a local only copy so that GH…
ximon18 Oct 23, 2021
3becfdb
Revert "Broken: cannot make KrillSigner async because CertAuth::proce…
ximon18 Oct 23, 2021
aab3a20
Merge branch 'test-integration-of-rpki-rs-163-async-signing-of-reposi…
ximon18 Oct 23, 2021
fd42610
PKCS#11 context module doc string improvements.
ximon18 Oct 24, 2021
a0c2a99
Re-order some PKCS#11 signer functions for easier comparison with the…
ximon18 Oct 24, 2021
f49b712
Re-order some OpenSSL signer functions for easier comparison with the…
ximon18 Oct 24, 2021
ce33dfe
Migrated a useful comment from the prototype code.
ximon18 Oct 25, 2021
6789249
Updated the architecture doc for the HSM work.
ximon18 Oct 25, 2021
ce41fd6
Fix broken compilation due to missing import.
ximon18 Oct 25, 2021
7da0cdf
Removed/mark unused functions.
ximon18 Oct 26, 2021
c2627b6
Additional comments.
ximon18 Oct 26, 2021
ca3ecab
Removed/mark unused functions.
ximon18 Oct 26, 2021
6702aec
Add a mock signer in test builds only and a happy flow test which exe…
ximon18 Oct 26, 2021
23a19d2
Fix compilation failure when hsm feature is not enabled.
ximon18 Oct 27, 2021
475f303
Fix compilation failure when hsm feature is not enabled.
ximon18 Oct 27, 2021
c28e16e
Fix compilation failure when hsm feature is not enabled.
ximon18 Oct 27, 2021
0aa287f
Use base64 encoding instead of hex for the signer identity public key…
ximon18 Oct 27, 2021
758248b
Use UUIDs as signer handles, not combined KeyIdentifier+private inte…
ximon18 Oct 27, 2021
eadda4b
Add an example of the data stored for a signer.
ximon18 Oct 27, 2021
bf7aba1
Minor improvements to the SignerRouter test.
ximon18 Oct 27, 2021
abb2a16
Fix test: call counters should always be incremented.
ximon18 Oct 28, 2021
b13ab67
More logging during signer registration.
ximon18 Oct 28, 2021
aab013b
Add unhappy flow tests for signer registration and binding.
ximon18 Oct 28, 2021
4e8f2ff
cargo fmt.
ximon18 Oct 28, 2021
568cd27
Detect PKCS#11 tokens "inserted " after the PKCS#11 library is first …
ximon18 Oct 28, 2021
abb0128
Log something about being between probe attempts.
ximon18 Oct 28, 2021
4d5c2ab
Correct some comments and add a test for registration of a temporaril…
ximon18 Oct 28, 2021
7cdecae
cargo fmt.
ximon18 Oct 28, 2021
83a3bd1
Disable compiler optimizations for the pkcs11 crate to workaround a `…
ximon18 Oct 30, 2021
2a0fe69
FIX: Actually compile on Rust 1.47.
ximon18 Oct 30, 2021
e5fb41d
Update to use released bcder 0.6.1.
ximon18 Oct 30, 2021
97791b5
Merge branch 'dev' into issue-547-pkcs11-walking-skeleton
ximon18 Oct 30, 2021
1548efd
Merge branch 'dev' into issue-566-implement-krill-kmip-based-signer-i…
ximon18 Oct 30, 2021
bcc4d1b
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Oct 30, 2021
9129caa
Merge branch 'hsm-persistent-signer-key-mappings' into test-integrati…
ximon18 Oct 30, 2021
495b324
Merge branch 'test-integration-of-rpki-rs-163-async-signing-of-reposi…
ximon18 Oct 30, 2021
d74521f
Fix compilation failure caused by recent merge.
ximon18 Oct 30, 2021
cc1a5da
Use machine architecture independent path for softhsm.so as it works …
ximon18 Oct 31, 2021
38c5b79
Log the signer mapper handle that a signer "binds" to.
ximon18 Nov 1, 2021
dd705df
Merge branch 'dev' into issue-566-implement-krill-kmip-based-signer-i…
ximon18 Nov 1, 2021
6356797
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Nov 1, 2021
82cf643
Merge branch 'hsm-persistent-signer-key-mappings' into test-integrati…
ximon18 Nov 1, 2021
cbed508
Merge branch 'issue-547-pkcs11-walking-skeleton' of github.com:NLnetL…
ximon18 Nov 1, 2021
36843b3
Merge branch 'test-integration-of-rpki-rs-163-async-signing-of-reposi…
ximon18 Nov 1, 2021
3c96561
Use newly released bcder and rpki-rs official releases instead of per…
ximon18 Nov 1, 2021
25a6373
Merge branch 'test-integration-of-rpki-rs-163-async-signing-of-reposi…
ximon18 Nov 1, 2021
3e6c0cb
Apply crate upgrade and signer 'de-mut' changes that were made in suc…
ximon18 Nov 3, 2021
90de083
Merge branch 'dev' into issue-566-implement-krill-kmip-based-signer-i…
ximon18 Nov 3, 2021
00e93ce
Merge fix.
ximon18 Nov 3, 2021
57ab685
Apply crate upgrade and signer 'de-mut' changes that were made in suc…
ximon18 Nov 3, 2021
80c0e32
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 3, 2021
9095794
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Nov 3, 2021
34c8742
Merge fix.
ximon18 Nov 3, 2021
f9e3541
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 3, 2021
dcde4dc
cargo fmt.
ximon18 Nov 3, 2021
248caf7
Alias/wrap verbose types and don't fail if the PKCS#11 library can't …
ximon18 Nov 3, 2021
4f7c24d
Log the signer handle to which a signer is bound.
ximon18 Nov 3, 2021
ef22a5c
Log the signer handle to which a signer is bound.
ximon18 Nov 3, 2021
a1c39f7
Merge branch 'dev' into issue-566-implement-krill-kmip-based-signer-i…
ximon18 Nov 9, 2021
7421ebd
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Nov 9, 2021
4a424ee
Merge branch 'hsm-persistent-signer-key-mappings' of github.com:NLnet…
ximon18 Nov 9, 2021
9bcd929
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 9, 2021
e217717
Wait longer to "fix" brittle test when using a slower signer (PyKMIP …
ximon18 Nov 9, 2021
964f03f
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Nov 9, 2021
778ae64
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 9, 2021
5ceba33
Merge branch 'dev' into issue-566-implement-krill-kmip-based-signer-i…
ximon18 Nov 10, 2021
c0f1136
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Nov 10, 2021
3ad1106
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 10, 2021
7feffe1
Review feedback: KmipSigner doesn't needt o implement the Signer trait.
ximon18 Nov 14, 2021
40bafc3
Review feedback: SignerProvider doesn't need to implement the Signer …
ximon18 Nov 15, 2021
5a3fcad
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Nov 15, 2021
f69c53f
cargo fmt
ximon18 Nov 15, 2021
8e9cda8
OpenSslSigner no longer needs to implement the Signer trait.
ximon18 Nov 15, 2021
073b843
Merge branch 'issue-566-implement-krill-kmip-based-signer-implementat…
ximon18 Nov 15, 2021
19cede0
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 15, 2021
333ab6a
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 15, 2021
6f03e4d
Additional code comments for the SIgnerRouter.
ximon18 Nov 15, 2021
d3aa487
Review feedback: remove redundant drop.
ximon18 Nov 15, 2021
94b8a7b
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 15, 2021
9a4a3b3
Review feedback: merge Option<SlotId> and Option<SlotLabel> into new …
ximon18 Nov 17, 2021
0daee00
Review feedback: use the PublicKey directly, only de/encode when (de)…
ximon18 Nov 17, 2021
0027fb4
Review feedback: move `signer.rs` into `internal.rs`, and rename `_re…
ximon18 Nov 18, 2021
2ca582e
Review feedback: Don't keep a context object for a bad path. This was…
ximon18 Nov 18, 2021
905506e
cargo fmt
ximon18 Nov 18, 2021
5e9bc55
Merge branch 'hsm-persistent-signer-key-mappings' into issue-547-pkcs…
ximon18 Nov 18, 2021
7bc195e
Merge branch 'hsm' into issue-547-pkcs11-walking-skeleton
ximon18 Nov 23, 2021
f054193
Test in the HSM specific CI job on the same Rust versions as the non-…
ximon18 Nov 23, 2021
7b97639
Rename `internal.rs` to `signer.rs`.
ximon18 Nov 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
79 changes: 79 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,3 +67,82 @@ jobs:
name: cypress-ui-test-captures ${{ matrix.os }} ${{ matrix.rust }}
path: target/ui/
if-no-files-found: ignore

pykmip-test:
name: pykmip-test
runs-on: ubuntu-18.04
strategy:
matrix:
features: ["hsm", "hsm,hsm-tests-kmip"]
steps:
- name: Checkout repository
uses: actions/checkout@v1

- name: Install Rust
uses: hecrj/setup-rust-action@v1
with:
rust-version: stable

- uses: actions/setup-python@v2
with:
python-version: '3.x'

- name: Install PyKMIP
uses: BSFishy/pip-action@v1
with:
packages: pykmip

- name: Compile the tests
run: |
cargo build --tests --no-default-features --features ${{ matrix.features }}

- name: Run the tests against the PyKMIP server
run: |
cd test-resources/pykmip
python run-server.py &
sleep 5s
openssl s_client -connect 127.0.0.1:5696 || true
cd -
cargo test --no-default-features --features ${{ matrix.features }} -- --test-threads=1 2>&1

- name: Dump the PyKMIP log
if: always()
working-directory: test-resources/pykmip
run: |
ls -la
cat server.log

softhsm2-test:
name: softhsm2-test
runs-on: ubuntu-20.04
strategy:
matrix:
features: ["hsm,hsm-tests-pkcs11"]
steps:
- name: Checkout repository
uses: actions/checkout@v1

- name: Install Rust
uses: hecrj/setup-rust-action@v1
with:
rust-version: stable

- name: Install SoftHSM2
run: |
sudo apt update
sudo apt install -y softhsm2
sudo usermod -aG softhsm $(whoami)
sg softhsm -c "softhsm2-util --init-token --slot 0 --label \"My token 1\" --pin 1234 --so-pin 1234"

- name: Compile the tests
run: |
cargo build --tests --no-default-features --features ${{ matrix.features }}

- name: Run the tests against SoftHSM2
run: |
sg softhsm -c "cargo test --no-default-features --features ${{ matrix.features }} -- --test-threads=1 2>&1"

- name: Dump the SoftHSM2 log
if: always()
run: |
cat /var/log/syslog
173 changes: 171 additions & 2 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.