Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PKCS #11 support request #341

Open
vanrein opened this issue Aug 13, 2021 · 1 comment
Open

PKCS #11 support request #341

vanrein opened this issue Aug 13, 2021 · 1 comment

Comments

@vanrein
Copy link

vanrein commented Aug 13, 2021

Would you consider adding PKCS #11 support to acmetool? Though it would be possible to import the generated keys afterwards, it beats the purpose of using this private-key-protective API.

Apache supports use of PKCS #11 private keys and even certificates via PKCS #11, which generally is helpful to avoid that private keys are ever revealed. It remains an operational choice what implementation of the PKCS #11 API to use; it could be a software implementation, a simple USB token or a more advanced rack-mounted redundant key management solution for tens of thousands of dollars. With PKCS #11, key management quality is a choice.

This range of operational choices is why we use it in our TLS Pool project, which additionally separates TLS handling from the application process via file descriptor passing and reduces TLS implementation to one API call, fd = starttls_client (fd, ...). We intend to use that in security/privacy projects like Keyful Identity Protocol and Realm Crossover for Kerberos.

Just ask if you want to learn more about PKCS #11. These are a few speciication links that you might find interesting:

@vanrein
Copy link
Author

vanrein commented Aug 19, 2021

I can see two ways of adding PKCS #11 support that might work without building it into acmetool.

  • You might allow want notation that installs a public key and (something that handles like) a private key. In case of PKCS #11, the latter could for example be a pkcs11: URI. I am assuming that the private key is not actually used by acmetool, but merely passed as a blob after it was generated.
  • You might allow a hook for keypair generation, in which case rollovers of key pairs are possible even when PKCS #11 is used.

If my suspicion is correct, then PKCS #11 could be "hacked in" with the target file's request.key but it feels that would be blasphemic, and possibly unstable. Tool integration, even as lightweight as above, is preferred. Or is it merely a matter of documenting this use case? I am unsure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant