[
https://issues.apache.org/jira/browse/PROTON-2594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17873030#comment-17873030
]
Clifford Jansen commented on PROTON-2594:
-----------------------------------------
Sorry for the delay in responding. I feel the suggested patch is useful and
clear in its goal and implementation. Many thanks for your submission.
+1 for using the provider api.
I would like to comment on the pull request, however I am having difficulty
running a simple C test program. No doubt it is due to my lack of familiarity
with the standard, as well as with the layers of tooling to simulate HSM in
software for testing. From getting this program to run I hope to better
understand the implications of the patch for installed package requirements,
documentation changes, CI issues, and other differences (e.g. user password
prompts?).
I have tried using the pkcs11-provider-qpid-proton-bug-reproduction project as
a template to initialize softhsm, populate data with pkcs11-tool along with the
OPENSSL_CONF and SOFTHSM2_CONF. I cannot yet get it to run using Fedora 40,
which should be new enough to work with your patch.
I have also tried your suggested C++ program, but the setup stage hangs at the
"openssl storeutl", no matter what pin/password I supply, before even
exercising your code. A further indication that I get tripped up merely taking
baby steps with pkcs11.
I have attached the C program I am trying to use (pn2594.c). It simply makes
one client and one server connection. It allows you to specify each argument
to the OpenSSL domain setup routines for each side. For example, if run with
these arguments from qpid-proton/cpp/testdata/certs you can run with mutual TLS
(two ways), server side TLS, or no TLS:
/path/to/pn2594 amqps "client-certificate.pem" "client-private-key.pem"
"client-password" "ca-certificate.pem" "server-certificate.pem"
"server-private-key.pem" "server-password" "ca-certificate.pem"
/pat/to/pn2594 amqps "client-certificate.pem"
"client-private-key-no-password.pem" "" "ca-certificate.pem"
"server-certificate.pem" "server-private-key.pem" "server-password"
"ca-certificate.pem"
/path/to/pn2594 amqps "" "" "" "ca-certificate.pem" "server-certificate.pem"
"server-private-key.pem" "server-password" ""
/path/to/pn2594 amqp "" "" "" "" "" "" "" ""
I am trying to replace the first two examples "client private key" and "client
password" with a pkcs11 URI and PIN, i.e.
pkcs11-tool --module=/usr/lib64/libsofthsm2.so --token-label clitest --pin
tclientpw --label test --id 4444 --write-object
/r4/amqp/p/pkcs11/cj/cjcerts/cj-client-private-key-no-password.pem --type
privkey --usage-sign
pn2594 amqps "client-certificate.pem" "pkcs11:token=clitest;id=%44%44"
"tclientpw" "ca-certificate.pem" "server-certificate.pem"
"server-private-key.pem" "server-password" "ca-certificate.pem"
I would appreciate if you can confirm you can run this test with your pkcs11
patch and get it to work in the way you think it should be run (i.e. not
"fixing" my command usage or config files).
Step by step commands (or a captured terminal session) to reproduce would be
appreciated. Preferably starting with an empty softhsm, initializing it,
creating/loading the slot+token.
Hopefully from this exercise I can help you get the patch integrated.
Thanks.
> Use of HSM for crypto opterations with the private key of a TLS certificate
> ---------------------------------------------------------------------------
>
> Key: PROTON-2594
> URL: https://issues.apache.org/jira/browse/PROTON-2594
> Project: Qpid Proton
> Issue Type: New Feature
> Components: cpp-binding, proton-c
> Reporter: Franz Hollerer
> Priority: Major
> Attachments: pn2594.c
>
>
> We use a Hardware Security Module with PKCS#11 Interface (to be more
> specific: OP-TEE) as key store. This key store holds the public and private
> key for a TLS certificate for the purpose of client authentication.
> Is there a way to instruct proton-qpid to use the HSM for cryptographic
> operations with the private key?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
