# p11p -- PKCS #11 proxy performing failover and load balancing
p11p is a shared library and a daemon, both running on the same host
as a Cryptoki application. It intercepts the communication with a
cryptographic device (typically an HSM) in order to handle errors and
balance load between devices.

ASCII art time!

    +---------------------------------------------------+
    | PC/server/laptop                                  |
    |                                                   |
    | +----------------------------+                    |
    | | application (process)      |  +---------------+ |
    | |                            |  | p11pd         | |
    | | +------------------------+ |  |               | |
    | | | p11p-client.so (solib) |--->| +-----------+ | |
    | | +------------------------+ |  | | vendor.so | | |
    | +----------------------------+  | +-----------+ | |
    |                                 +------|--------+ |
    +----------------------------------------|----------+
                                             v
                                          +-----+
                                          | HSM |
                                          +-----+

## Goals
* Detect when a Cryptoki library operation fails and retry the
operation, possibly on another cryptographic device.
* Provide failover and load balancing between cryptographic devices.
* Put some ground between a Cryptoki application and a Cryptoki
library.
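
The retry and failover goals above, sketched as an added example (not code from the p11p project). `struct backend`, `dispatch` and `is_failover_error` are hypothetical names, the operations are constructed stand-ins for Cryptoki calls, and the choice of which `CK_RV` codes trigger failover is an assumption.

```c
#include <stdio.h>
/* CK_RV codes with their values from the PKCS #11 header pkcs11t.h. */
typedef unsigned long CK_RV;
#define CKR_OK                0x00UL
#define CKR_DEVICE_ERROR      0x30UL
#define CKR_DEVICE_REMOVED    0x32UL
#define CKR_PIN_INCORRECT     0xA0UL
#define CKR_TOKEN_NOT_PRESENT 0xE0UL

/* Hypothetical backend: one vendor library / device behind the daemon. */
struct backend { const char *name; CK_RV (*op)(void); int calls; };

/* Only device-side failures justify trying another device. Replaying a caller
 * error such as CKR_PIN_INCORRECT would burn a login attempt on every token. */
static int is_failover_error(CK_RV rv)
{
    return rv == CKR_DEVICE_ERROR || rv == CKR_DEVICE_REMOVED ||
           rv == CKR_TOKEN_NOT_PRESENT;
}

/* Round-robin start spreads load; a device failure moves to the next backend,
 * each tried once. *used = index of the backend that answered, -1 if none. */
static CK_RV dispatch(struct backend *b, size_t n, size_t *next, int *used)
{
    CK_RV rv = CKR_DEVICE_ERROR;
    size_t start = n ? (*next)++ % n : 0;
    for (size_t i = 0; i < n; i++) {
        size_t idx = (start + i) % n;
        b[idx].calls++;
        rv = b[idx].op();
        if (!is_failover_error(rv)) { *used = (int)idx; return rv; }
    }
    *used = -1;
    return rv;
}

/* Constructed stand-ins for real Cryptoki calls. */
static CK_RV op_ok(void)      { return CKR_OK; }
static CK_RV op_removed(void) { return CKR_DEVICE_REMOVED; }
static CK_RV op_bad_pin(void) { return CKR_PIN_INCORRECT; }

int main(void)
{
    struct backend pool[] = { {"hsm-a", op_removed, 0}, {"hsm-b", op_bad_pin, 0},
                              {"hsm-c", op_ok, 0} };
    size_t next = 0; int used;
    CK_RV rv = dispatch(pool, 3, &next, &used);
    printf("rv=0x%lx via %s\n", rv, used < 0 ? "none" : pool[used].name);
    return 0;
}
```

A real proxy also has to re-establish session and login state on the new device before retrying, because session and object handles are only valid on the device that issued them.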
## Non-goals
* Take control over the TCP session between a Cryptoki application and
  a cryptographic device.
  This could be accomplished by proxying / forwarding PKCS #11
  sessions to a system with access to a PKCS #11 aware cryptographic
  device.
## Functionality
## Inspiration
- [p11-kit](https://github.com/p11-glue/p11-kit/)
## Specification
### PKCS #11
#### Supported mechanisms
TBD
## Use cases
- Migrating from one kind of HSM to another kind of HSM.
## NOTES
- `apt install p11-kit libp11-dev`
## External dependencies
TBD
## External documentation
- [OASIS PKCS 11 TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11)