From b4c31dfdb873a4e7a639c281a5fff88134e0d1f5 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Tue, 11 Jun 2019 16:54:28 +0200 Subject: more notes --- p11p.md | 56 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 48 insertions(+), 8 deletions(-) diff --git a/p11p.md b/p11p.md index 0f97adb..aaff8ba 100644 --- a/p11p.md +++ b/p11p.md @@ -32,7 +32,7 @@ ASCII art time! * Provide failover and load balancing between cryptographic devices. * Put some ground between a Cryptoki application and a Cryptoki - library. + library from vendor. ## Non-goals @@ -74,14 +74,16 @@ ASCII art time! - Somewhat isolating (and potentially constraining) the running of token solibs by forking before loading them. - The Cryptoki stub library, `p11p-client.so`, is implemented in - C. TBD: Use code from p11-kit for this? It uses libffi (virtual.c) - and its own serialisation code (rpc-message.c), both of which sounds - unnecessary unsafe, but for a PoC might be good enough. + C. TBD: Use code from p11-kit for this? p11-kit-client.so uses + libffi (virtual.c) and its own serialisation code (rpc-message.c), + both of which sounds unnecessary unsafe, but for a PoC might be good + enough. - The daemon, `p11p-daemon`, is implemented in something not too crazy, like Erlang or Rust, taking the deployment story into account -- being self-contained is a worthwhile goal. - The daemon children, `p11p-helper`, are executable programs using - the Cryptoki API, implemented in C. + the Cryptoki API, implemented in C (or possibly another language + that can dlopen and run the solib from vendor). - Wire protocol between `p11p-client.so` and `p11p-daemon` is TBD but should be designed for simple parsing in C. It runs over an AF_UNIX socket and needs only serialisation of Cryptoki calls -- no 
@@ -90,18 +92,56 @@ ASCII art time! ### PKCS #11 -#### Supported mechanisms +#### Supported PKCS #11 mechanisms TBD ## Use cases -- Migrating from one kind of HSM to another kind of HSM. +- When vendor library is not so great at TCP and the network between + the host running the application and the cryptographic device is + killing TCP sessions, catch the failure (f.ex. by timing out) and + retry the operation behind the back of the application. + +- Migrating from one kind of HSM to another kind of HSM. p11p-daemon + can be configured to use more than one HSM. As long as they provide + the same funtcions using the same key(s), p11p-daemon can provide + fall back functionality between different HSM's from different + vendors. + + +## configuration + +## configuration + + = [a-z]+[a-z0-9_]* + = [,] + = unix: | tcp:[:] + +### config common to Client and Server sections + Name = + Address = + +### client config + [Client] + Mode = proxy | forward + + [Server] + + +### server config + [Server] + Mode = proxy | forward + + [Client] + + [Token] + SOPath = + Groups = ## NOTES -- apt install p11-kit libp11-dev ## External dependencies -- cgit v1.1
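Review bot: in the first new use case of the `@@ -90,18 +92,56 @@` hunk, `catch the failure (f.ex. by timing out) and retry the operation behind the back of the application` glosses over the state that dies with the TCP session: once the vendor library has lost its connection, the login state, session handles, object handles and any multi-part operation in progress are gone, so a transparent retry needs p11p-daemon to re-open and re-login the session (which means it must hold the credentials passed in C_Login) and to keep a mapping from application-visible handles to fresh device handles. The same handle mapping is what makes the second use case (`fall back functionality between different HSM's from different vendors`) possible, since a handle from one vendor library means nothing to the other; say so, and note which operations must not be retried blindly (key generation, object destruction, individual Update calls of a multi-part operation). Smaller points in the same hunk: `## configuration` appears twice and is the only lower-case `##` heading; the grammar lines have lost their left-hand sides and placeholders as rendered (`= [a-z]+[a-z0-9_]*`, `= unix: | tcp:[:]`), which is what Markdown does to angle-bracketed names, so put the grammar in a fenced block; `Mode = proxy | forward` is not explained anywhere; and `funtcions`, `HSM's` and `f.ex.` should read `functions`, `HSMs` and `e.g.`.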
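Review bot: in the `@@ -74,14 +74,16 @@` hunk the TBD bullet about reusing p11-kit code now argues against itself: `p11-kit-client.so uses libffi (virtual.c) and its own serialisation code (rpc-message.c), both of which sounds unnecessary unsafe, but for a PoC might be good enough` both calls that code unsafe and proposes adopting it. State what the concern actually is (whichever side parses the socket messages is exposed to the other side, so the message parser is the attack surface, and libffi-based call forwarding is hard to review) and whether the PoC would keep the p11p wire format described two bullets later as `TBD but should be designed for simple parsing in C`, or inherit p11-kit's; otherwise the decision cannot be made from this text. Related consistency point: the first bullet still says the token solibs are isolated `by forking before loading them`, while the helper bullet describes `p11p-helper` as separate executable programs spawned by a daemon written in Erlang or Rust; that is exec of a helper, not a fork of the daemon, so reword the first bullet to match. Grammar: `both of which sounds unnecessary unsafe` should be `both of which sound unnecessarily unsafe`, and `the solib from vendor` wants an article (`the vendor's solib`).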
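Review bot: in the `@@ -32,7 +32,7 @@` hunk the reworded goal `library from vendor.` drops the article; `library from the vendor.` or `the vendor's Cryptoki library.` reads better, and since this bullet is what distinguishes the isolation goal from the failover and load-balancing bullet above it, it would help to say in the same sentence what the ground buys, i.e. that the application process never loads the vendor library itself.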