path: root/doc/p11p-design.md
blob: d16dddf4da0bc1d3b28030f4c9e6c7030cdef912 (plain)
# p11p design

## Overview and design criteria

    User application --(dlopen)-->
    p11p-client.so --(<our-protocol>-over-unix-socket)-->
    p11p-daemon --(fork+exec, stdin/stdout)-->
    p11p-helper --(dlopen)-->
    $vendor.so --(vendor-specific)-->
    PKCS #11 token

- Typical sequence of events
  - User application dlopens `p11p-client.so` as a "Cryptoki library"
  - `p11p-client.so` connects to `p11p-daemon` running on the same
    system, over a unix socket (AF_UNIX).
  - `p11p-daemon` forks a process and executes `p11p-helper`
  - `p11p-helper` dlopens the appropriate Cryptoki library from
    $vendor and forwards the Cryptoki calls there

- The daemon, `p11p-daemon`, handles both load balancing and failover,
  according to configuration per (set of) token(s).
- Run on reasonable Linux and BSD systems.
- The vendor solibs are somewhat isolated (and can potentially be
  constrained) by forking a separate process before loading them.
- The Cryptoki stub library, `p11p-client.so`, is implemented in
  C. TBD: Use code from p11-kit for this? p11-kit-client.so uses
  libffi and its own serialisation code (rpc-message.c),
  both of which might be unnecessarily complex, but for a PoC might
  be a good choice.
- The daemon, `p11p-daemon`, is implemented in something not too
  crazy, like Erlang or Rust, taking the deployment story into
  account -- being self-contained is a worthwhile goal.
- The daemon child, `p11p-helper`, is an executable program using
  the Cryptoki API, implemented in C (or possibly another language
  that can dlopen and call into the vendor solib).
- Wire protocol between `p11p-client.so` and `p11p-daemon` is TBD but
  should be designed for simple parsing in C. It runs over an AF_UNIX
  socket and needs only serialisation of Cryptoki calls -- no
  addressing and minimal framing (like a message length). TBD:
  Serialise (using Trunnel) and use an end-of-record sequence instead?
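As an added illustration of the "minimal framing (like a message length)" option above, here is a length-prefixed frame encoder and decoder written for simple, bounds-checked parsing in C. This is example code, not p11p's wire format: the field layout (`call_id`, `session`, opaque payload), the `p11p_` names and the `P11P_MAX_FRAME` bound are all assumptions made for the example. The decoder distinguishes "need more bytes" from "malformed", which is the distinction a client or helper reading from a socket needs to close the connection on garbage rather than wait forever.

```c
/* Added example: length-prefixed framing for a serialised Cryptoki call.
 * Not p11p's code; the layout below is a hypothetical one for illustration:
 *   u32 length   bytes that follow this field (big-endian)
 *   u32 call_id  which Cryptoki function is being forwarded
 *   u32 session  CK_SESSION_HANDLE, truncated to 32 bits here
 *   bytes        call-specific payload, treated as opaque
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define P11P_MAX_FRAME 65536u /* assumed upper bound on a frame body */

struct p11p_frame {
    uint32_t call_id;
    uint32_t session;
    const uint8_t *payload; /* points into the decoded buffer, not copied */
    size_t payload_len;
};

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Encode f into out. Returns the total bytes written, or 0 if the payload
 * exceeds the frame bound or out_cap is too small. */
size_t p11p_encode(const struct p11p_frame *f, uint8_t *out, size_t out_cap) {
    size_t body = 8 + f->payload_len;
    if (body > P11P_MAX_FRAME || out_cap < 4 + body) return 0;
    put_u32(out, (uint32_t)body);
    put_u32(out + 4, f->call_id);
    put_u32(out + 8, f->session);
    memcpy(out + 12, f->payload, f->payload_len);
    return 4 + body;
}

/* Decode one frame from buf. Returns bytes consumed, 0 if the frame is
 * not yet complete (read more from the socket), or -1 if it is malformed
 * (length below the fixed header or above the bound). Never reads past
 * buf_len, so a hostile or broken peer cannot drive an over-read. */
long p11p_decode(const uint8_t *buf, size_t buf_len, struct p11p_frame *f) {
    if (buf_len < 4) return 0;
    uint32_t body = get_u32(buf);
    if (body < 8 || body > P11P_MAX_FRAME) return -1;
    if (buf_len < 4 + (size_t)body) return 0;
    f->call_id = get_u32(buf + 4);
    f->session = get_u32(buf + 8);
    f->payload = buf + 12;
    f->payload_len = body - 8;
    return (long)(4 + body);
}

/* Round-trips a constructed frame and checks the two rejection paths.
 * Returns 1 on success, 0 on any mismatch. */
int p11p_selftest(void) {
    const uint8_t pl[3] = {1, 2, 3}; /* constructed sample payload */
    struct p11p_frame in = {7, 42, pl, sizeof pl}, out;
    uint8_t buf[64];
    uint8_t huge[4] = {0xff, 0xff, 0xff, 0xff};       /* length above bound */
    uint8_t tiny[12] = {0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0}; /* below header */

    if (p11p_encode(&in, buf, sizeof buf) != 15) return 0;
    if (p11p_decode(buf, 15, &out) != 15) return 0;
    if (out.call_id != 7 || out.session != 42 || out.payload_len != 3) return 0;
    if (memcmp(out.payload, pl, 3) != 0) return 0;
    if (p11p_decode(buf, 10, &out) != 0) return 0;   /* truncated: wait */
    if (p11p_decode(huge, 4, &out) != -1) return 0;  /* malformed: reject */
    if (p11p_decode(tiny, 12, &out) != -1) return 0; /* malformed: reject */
    return 1;
}

int main(void) {
    printf("p11p framing selftest: %s\n", p11p_selftest() ? "ok" : "FAILED");
    return p11p_selftest() ? 0 : 1;
}
```

The bound on the length field is what keeps a single bad frame from turning into an unbounded allocation in the daemon; whatever value the real protocol picks, the point is that the decoder enforces it before trusting the length.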

### PKCS #11

#### Supported PKCS #11 mechanisms

TBD

## Configuration

TODO

## External dependencies

TODO

## External documentation

- [OASIS PKCS 11 TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11)