diff options
| author | Linus Nordberg <linus@sunet.se> | 2019-06-11 16:54:28 +0200 |
|---|---|---|
| committer | Linus Nordberg <linus@sunet.se> | 2019-06-11 16:54:28 +0200 |
| commit | b4c31dfdb873a4e7a639c281a5fff88134e0d1f5 (patch) | |
| tree | 6f13301d49f9d7fe2a2111589df38a2e2723d5aa | |
| parent | 2c2f5456f1277eb431ba6662eeb3de74415fc6ef (diff) | |
more notes
| -rw-r--r-- | p11p.md | 56 |
1 files changed, 48 insertions, 8 deletions
@@ -32,7 +32,7 @@ ASCII art time! * Provide failover and load balancing between cryptographic devices. * Put some ground between a Cryptoki application and a Cryptoki - library. + library from vendor. ## Non-goals @@ -74,14 +74,16 @@ ASCII art time! - Somewhat isolating (and potentially constraining) the running of token solibs by forking before loading them. - The Cryptoki stub library, `p11p-client.so`, is implemented in - C. TBD: Use code from p11-kit for this? It uses libffi (virtual.c) - and its own serialisation code (rpc-message.c), both of which sounds - unnecessary unsafe, but for a PoC might be good enough. + C. TBD: Use code from p11-kit for this? p11-kit-client.so uses + libffi (virtual.c) and its own serialisation code (rpc-message.c), + both of which sounds unnecessary unsafe, but for a PoC might be good + enough. - The daemon, `p11p-daemon`, is implemented in something not too crazy, like Erlang or Rust, taking the deployment story into account -- being self-contained is a worthwhile goal. - The daemon children, `p11p-helper`, are executable programs using - the Cryptoki API, implemented in C. + the Cryptoki API, implemented in C (or possibly another language + that can dlopen and run the solib from vendor). - Wire protocol between `p11p-client.so` and `p11p-daemon` is TBD but should be designed for simple parsing in C. It runs over an AF_UNIX socket and needs only serialisation of Cryptoki calls -- no @@ -90,18 +92,56 @@ ASCII art time! ### PKCS #11 -#### Supported mechanisms +#### Supported PKCS #11 mechanisms TBD ## Use cases -- Migrating from one kind of HSM to another kind of HSM. +- When vendor library is not so great at TCP and the network between + the host running the application and the cryptographic device is + killing TCP sessions, catch the failure (f.ex. by timing out) and + retry the operation behind the back of the application. + +- Migrating from one kind of HSM to another kind of HSM. p11p-daemon + can be configured to use more than one HSM. As long as they provide + the same funtcions using the same key(s), p11p-daemon can provide + fall back functionality between different HSM's from different + vendors. + + +## configuration + +## configuration + + <name> = [a-z]+[a-z0-9_]* + <names> = <name>[,<names>] + <endpoint> = unix:<path> | tcp:<dns-name>[:<integer>] + +### config common to Client and Server sections + Name = <name> + Address = <endpoint> + +### client config + [Client] + Mode = proxy | forward + + [Server] + + +### server config + [Server] + Mode = proxy | forward + + [Client] + + [Token] + SOPath = <path> + Groups = <names> ## NOTES -- apt install p11-kit libp11-dev ## External dependencies |