author | Linus Nordberg <linus@sunet.se> | 2019-06-07 15:28:49 +0200 |
---|---|---|
committer | Linus Nordberg <linus@sunet.se> | 2019-06-07 15:28:49 +0200 |
commit | 04edb7f04bc181c8149ebd4fee2a5bc9815a42f8 | |
tree | d522ca3d0da08800e581f2e1b3f0793d5a95bd6b | |
update notes with new design criteria
add (some) PKCS #11 specs
-rw-r--r-- | doc/pkcs11-base-v2.40-os.pdf | bin | 0 -> 1040993 bytes |
-rw-r--r-- | doc/pkcs11-curr-v2.40.pdf | bin | 0 -> 2081878 bytes |
-rw-r--r-- | p11proxy.md | 79 |
3 files changed, 79 insertions, 0 deletions
diff --git a/doc/pkcs11-base-v2.40-os.pdf b/doc/pkcs11-base-v2.40-os.pdf Binary files differnew file mode 100644 index 0000000..bd8573b --- /dev/null +++ b/doc/pkcs11-base-v2.40-os.pdf diff --git a/doc/pkcs11-curr-v2.40.pdf b/doc/pkcs11-curr-v2.40.pdf Binary files differnew file mode 100644 index 0000000..bde1d24 --- /dev/null +++ b/doc/pkcs11-curr-v2.40.pdf diff --git a/p11proxy.md b/p11proxy.md new file mode 100644 index 0000000..cf291b6 --- /dev/null +++ b/p11proxy.md 
@@ -0,0 +1,79 @@ +# p11p -- PKCS #11 proxy performing failover and load balancing + +p11p is a shared library and a daemon, both running on the same host +as a Cryptoki application, intercepting the communication with a +cryptographic device (typically a HSM) with the goal of dealing with +error handling and load balancing between devices. + +ASCII art time! + + +------------------------------------=--------------+ + | PC/server/laptop | + | | + | +----------------------------+ | + | | application (process) | +---------------+ | + | | | | p11pd | | + | | +------------------------+ | | | | + | | | p11p-client.so (solib) |--->| +-----------+ | | + | | +------------------------+ | | | vendor.so | | | + | +----------------------------+ | +-----------+ | | + | +------|------- + | + +----------------------------------------|----------+ + v + +-----+ + | HSM | + +-----+ + +## Goals + +* Detect when a Cryptoki library operation fails and retry the + operation, possibly on another cryptographic device. + +* Provide failover and load balancing between cryptographic devices. + +* Put some ground between a Cryptoki application and a Cryptoki + library. + +## Non-goals + +* Take control over the TCP session between a Cryptoki application and + a cryptographic device. + + Could be accomplished by providing proxying / forwarding of PKCS #11 + sessions to a system with access to a PKCS #11 aware cryptographic + device. + +## Functionality + + + +## Inspiration + +- [p11-kit https://github.com/p11-glue/p11-kit/] + +## Specification + + + +### PKCS #11 + +#### Supported mechanisms + +TBD + +## Use cases + +- Migrating from one kind of HSM to another kind of HSM. + + +## NOTES + +- apt install p11-kit libp11-dev + +## External dependencies + +TBD + +## External documentation + +- [OASIS PKCS 11 TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11) |
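Review bot: The two files added under doc/ (pkcs11-base-v2.40-os.pdf and pkcs11-curr-v2.40.pdf) arrive as binary blobs with nothing in the change recording where they were fetched from. The External documentation section of p11proxy.md links only the OASIS PKCS 11 TC home page. Suggest adding the source URL of each document there, so a reader can compare the vendored copies against the published specifications, or linking to the specs instead of committing about 3 MB of PDF.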
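Review bot: The Goals section of p11proxy.md promises to "retry the operation, possibly on another cryptographic device", but Functionality and Specification are empty and Supported mechanisms is TBD, so nothing says which Cryptoki calls are safe to replay. PKCS #11 session and object handles are scoped to the library and token that issued them, and login state and multi-part operations live in a session, so a retry on a second device needs that state re-established and the same keys present there. Suggest stating under Functionality which operations are retried, how session and login state are rebuilt on failover, and what the application sees when a retry is not possible. Two smaller points in the same file: the Inspiration entry `[p11-kit https://github.com/p11-glue/p11-kit/]` is not a valid Markdown link (the External documentation entry uses the `[text](url)` form), and the diagram has a stray `=` in its top border and a gap in the bottom border of the p11pd box (`+------|------- +`).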