From 0dfb8df6276cd519a6e2d122ced55b3174977791 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Tue, 28 Mar 2023 16:12:44 -0400 Subject: [PATCH] backport of commit 3026f87b7b8aec4ae98c5ccd24cab886fd4e1116 (#19801) Co-authored-by: Victor Rodriguez --- .../docs/enterprise/pkcs11-provider/index.mdx | 181 ++++++++++++++---- 1 file changed, 147 insertions(+), 34 deletions(-) diff --git a/website/content/docs/enterprise/pkcs11-provider/index.mdx b/website/content/docs/enterprise/pkcs11-provider/index.mdx index 1109a3e29459..3ecbc02f4780 100644 --- a/website/content/docs/enterprise/pkcs11-provider/index.mdx +++ b/website/content/docs/enterprise/pkcs11-provider/index.mdx @@ -212,58 +212,168 @@ The Vault PKCS#11 provider implements the following PKCS#11 provider profiles: - [Baseline](http://docs.oasis-open.org/pkcs11/pkcs11-profiles/v2.40/os/pkcs11-profiles-v2.40-os.html#_Toc416960548) - [Extended](http://docs.oasis-open.org/pkcs11/pkcs11-profiles/v2.40/os/pkcs11-profiles-v2.40-os.html#_Toc416960554) -The following mechanisms are currently supported, as of Vault 1.12: +The following key genration mechanisms are currently supported: + +| Name | Mechanism Number |Provider Version|Vault Version| +| ------------------ | ---------------- |----------------|-------------| +| RSA-PKCS | `0x0000` | 0.2.0 | 1.13 | +| AES key generation | `0x1080` | 0.1.0 | 1.12 | + + +The following encryption mechanisms are currently supported: + +| Name | Mechanism Number |Provider Version|Vault Version| +| ------------------ | ---------------- |----------------|-------------| +| RSA-PKCS | `0x0001` | 0.2.0 | 1.13 | +| RSA-PKCS-OAEP | `0x0009` | 0.2.0 | 1.13 | +| AES-ECB | `0x1081` | 0.2.0 | 1.13 | +| AES-CBC | `0x1082` | 0.1.0 | 1.12 | +| AES-CBC Pad | `0x1085` | 0.1.0 | 1.12 | +| AES-CTR | `0x1086` | 0.1.0 | 1.12 | +| AES-GCM | `0x1087` | 0.1.0 | 1.12 | +| AES-OFB | `0x2104` | 0.2.0 | 1.13 | +| AES-CFB128 | `0x2107` | 0.2.0 | 1.13 | + +The following signing mechanisms are currently supported: + +| Name | Mechanism Number |Provider Version|Vault Version| +| ------------------ | ---------------- |----------------|-------------| +| RSA-PKCS | `0x0001` | 0.2.0 | 1.13 | +| SHA256-RSA-PKCS | `0x0040` | 0.2.0 | 1.13 | +| SHA384-RSA-PKCS | `0x0041` | 0.2.0 | 1.13 | +| SHA512-RSA-PKCS | `0x0042` | 0.2.0 | 1.13 | +| SHA224-RSA-PKCS | `0x0046` | 0.2.0 | 1.13 | +| SHA512-224-HMAC | `0x0049` | 0.2.0 | 1.13 | +| SHA512-256-HMAC | `0x004D` | 0.2.0 | 1.13 | +| SHA256-HMAC | `0x0251` | 0.2.0 | 1.13 | +| SHA224-HMAC | `0x0256` | 0.2.0 | 1.13 | +| SHA384-HMAC | `0x0261` | 0.2.0 | 1.13 | +| SHA512-HMAC | `0x0271` | 0.2.0 | 1.13 | + + + + +Here is the list of supported and unsupported PKCS#11 functions: -| Name | Mechanism Number | -| ------------------ | ---------------- | -| AES key generation | `0x1080` | -| AES-CBC | `0x1082` | -| AES-CBC Pad | `0x1085` | -| AES-CTR | `0x1086` | -| AES-GCM | `0x1087` | +- Encryption and decryption + - [X] `C_EncryptInit` + - [X] `C_Encrypt` + - [X] `C_EncryptUpdate` + - [X] `C_EncryptFinal` + - [X] `C_DecryptInit` + - [X] `C_Decrypt` + - [X] `C_DecryptUpdate` + - [X] `C_DecryptFinal` +- Key management + - [X] `C_GenerateKey` + - [X] `C_GenerateKeyPair` + - [ ] `C_WrapKey` + - [ ] `C_UnwrapKey` + - [ ] `C_DeriveKey` +- Objects + - [X] `C_CreateObject` + - [X] `C_DestroyObject` + - [X] `C_GetAttributeValue` + - [X] `C_FindObjectsInit` + - [X] `C_FindObjects` + - [X] `C_FindObjectsFinal` + - [ ] `C_SetAttributeValue` + - [ ] `C_CopyObject` + - [ ] `C_GetObjectSize` +- Management + - [X] `C_Initialize` + - [X] `C_Finalize` + - [X] `C_Login` (PIN is used as a passphrase for the TLS encryption key, if provided) + - [X] `C_Logout` + - [X] `C_GetInfo` + - [X] `C_GetSlotList` + - [X] `C_GetSlotInfo` + - [X] `C_GetTokenInfo` + - [X] `C_GetMechanismList` + - [X] `C_GetMechanismInfo` + - [X] `C_OpenSession` + - [X] `C_CloseSession` + - [X] `C_CloseAllSessions` + - [X] `C_GetSessionInfo` + - [ ] `C_InitToken` + - [ ] `C_InitPIN` + - [ ] `C_SetPIN` + - [ ] `C_GetOperationState` + - [ ] `C_SetOperationState` + - [ ] `C_GetFunctionStatus` + - [ ] `C_CancelFunction` + - [ ] `C_WaitForSlotEvent` +- Signing + - [X] `C_SignInit` + - [X] `C_Sign` + - [X] `C_SignUpdate` + - [X] `C_SignFinal` + - [ ] `C_SignRecoverInit` + - [ ] `C_SignRecover` + - [X] `C_VerifyInit` + - [X] `C_Verify` + - [X] `C_VerifyUpdate` + - [X] `C_VerifyFinal` + - [ ] `C_VerifyRecoverInit` + - [ ] `C_VerifyRecover` +- Digests + - [ ] `C_DigestInit` + - [ ] `C_Digest` + - [ ] `C_DigestUpdate` + - [ ] `C_DigestKey` + - [ ] `C_DigestFinal` + - [ ] `C_DigestEncryptUpdate` + - [ ] `C_DecryptDigestUpdate` + - [ ] `C_SignEncryptUpdate` + - [ ] `C_DecryptVerifyUpdate` +- Random Number Generation (see note below) + - [X] `C_SeedRandom` + - [X] `C_GenerateRandom` + + Here is the list of supported and unsupported PKCS#11 functions: - Encryption and decryption - - [x] `C_EncryptInit` - - [x] `C_Encrypt` + - [X] `C_EncryptInit` + - [X] `C_Encrypt` - [ ] `C_EncryptUpdate` - [ ] `C_EncryptFinal` - - [x] `C_DecryptInit` - - [x] `C_Decrypt` + - [X] `C_DecryptInit` + - [X] `C_Decrypt` - [ ] `C_DecryptUpdate` - [ ] `C_DecryptFinal` - Key management - - [x] `C_GenerateKey` + - [X] `C_GenerateKey` - [ ] `C_GenerateKeyPair` - [ ] `C_WrapKey` - [ ] `C_UnwrapKey` - [ ] `C_DeriveKey` - Objects - - [x] `C_CreateObject` - - [x] `C_DestroyObject` - - [x] `C_GetAttributeValue` - - [x] `C_FindObjectsInit` - - [x] `C_FindObjects` - - [x] `C_FindObjectsFinal` + - [X] `C_CreateObject` + - [X] `C_DestroyObject` + - [X] `C_GetAttributeValue` + - [X] `C_FindObjectsInit` + - [X] `C_FindObjects` + - [X] `C_FindObjectsFinal` - [ ] `C_SetAttributeValue` - [ ] `C_CopyObject` - [ ] `C_GetObjectSize` - Management - - [x] `C_Initialize` - - [x] `C_Finalize` - - [x] `C_Login` (PIN is used as a passphrase for the TLS encryption key, if provided) - - [x] `C_Logout` - - [x] `C_GetInfo` - - [x] `C_GetSlotList` - - [x] `C_GetSlotInfo` - - [x] `C_GetTokenInfo` - - [x] `C_GetMechanismList` - - [x] `C_GetMechanismInfo` - - [x] `C_OpenSession` - - [x] `C_CloseSession` - - [x] `C_CloseAllSessions` - - [x] `C_GetSessionInfo` + - [X] `C_Initialize` + - [X] `C_Finalize` + - [X] `C_Login` (PIN is used as a passphrase for the TLS encryption key, if provided) + - [X] `C_Logout` + - [X] `C_GetInfo` + - [X] `C_GetSlotList` + - [X] `C_GetSlotInfo` + - [X] `C_GetTokenInfo` + - [X] `C_GetMechanismList` + - [X] `C_GetMechanismInfo` + - [X] `C_OpenSession` + - [X] `C_CloseSession` + - [X] `C_CloseAllSessions` + - [X] `C_GetSessionInfo` - [ ] `C_InitToken` - [ ] `C_InitPIN` - [ ] `C_SetPIN` @@ -299,6 +409,9 @@ Here is the list of supported and unsupported PKCS#11 functions: - [X] `C_SeedRandom` - [X] `C_GenerateRandom` + + + ## Limitations and Notes Due to the nature of Vault, the KMIP Secrets Engine, and PKCS#11, there are some other limitations to be aware of: @@ -310,4 +423,4 @@ Due to the nature of Vault, the KMIP Secrets Engine, and PKCS#11, there are some Multiple sessions can be safely used simultaneously though, and a single Vault server node has been tested as supporting thousands of ongoing sessions. - The object attribute cache is valid only for a single object per session, and will be cleared when another object's attributes are queried. - The random number generator function, `C_GenerateRandom`, is currently implemented in software in the library by calling out to Go's [`crypto/rand`](https://pkg.go.dev/crypto/rand) package, - and does **not** call Vault. \ No newline at end of file + and does **not** call Vault.