The use case would be when multiple NetHSMs would have the same keys stored.

Right now this can be achieved by configuring multiple slots in the configuration, but the application will see all the servers as different slots, so the load balancing needs to be done by the application.

The idea would be to list multiple servers with different addresses and credentials and try to balance the usage between each of them.

Secrets should be added as "Generic"

• run nethsm container
• configure keys and users
• build the binary
• run test scripts

Currently we dump the errors as is, a better presentation would be appreciated

Run build and test on every commit on a pull request and on main

With the packages in debian buster it works :
libp11 : 0.4.11-1
OpenSSL : OpenSSL 1.1.1n 15 Mar 2022

Dosen't work with arch packages :
libp11 : 0.4.12-2
OpenSSL : OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)

The error is :

Unable to enumerate private keys
The private key was not found at: pkcs11:object=nginx;type=public
PKCS11_get_private_key returned NULL
Could not read key from org.openssl.engine:pkcs11:pkcs11:object=nginx;type=public
40B7CBBAF97F0000:error:40000065:pkcs11 engine:ERR_ENG_error:object not found:eng_back.c:887:
40B7CBBAF97F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:79:

When using libp11 from commit 74497e0fa5b69b15790d6697e1ebce13af842d4c the error is different :

409711B3017F0000:error:068000DE:asn1 encoding routines:asn1_template_ex_i2d:illegal zero content:crypto/asn1/tasn_enc.c:374:
409711B3017F0000:error:020C0100:rsa routines:rsa_priv_encode:malloc failure:crypto/rsa/rsa_ameth.c:154:
409711B3017F0000:error:03000092:digital envelope routines:EVP_PKEY2PKCS8:private key encode error:crypto/evp/evp_pkey.c:161:
409711B3017F0000:error:04800073:PEM routines:do_pk8pkey:error converting private key:crypto/pem/pem_pk8.c:133:

a way to get two passwords is needed, maybe use a separator in the pin string ?

nitropy nethsm --no-verify-tls --host localhost:8443 generate-key --type Curve25519 --length 255 --mechanism "EdDSA_Signature"  --key-id FirstEdDSAKey 

This command should output the key in ssh form :

ssh-keygen -D ~/git/nethsm-pkcs11/target/debug/libnethsm_pkcs11.so -e

The current targets are :

• Ubuntu 22.04
• Debian 12
• Alpine 3.18

I tried building this on Trisquel OS with the build.sh script.
It throws a path error of unable to find pkcs11 in $GOROOT and $GOPATH.

Error in 3rd line of main.go

Since gccgo is more trustworthy, I request a gccgo build script if possible.

golang/go#16855

Looking at the above issue, when a fork after loads a shared library made go, it crashes.

Is this project safe for this issue?

The current rust generator doesn't fit with our usage of the api, meaning we currently have to apply patches on top of the generated code in order to use the api.

The objective is to have a custom openapi generator where we won't need patches on top of the generated code.

The two implementations should be similar and call /api/v1/keys/generate

Admin credentials will be needed

Admin rights will be needed

If the data is too short it should wait for more data and then encrypt that block.

This issue is here to discuss the next features and functionalities to be implemented.

1. OpenDNSSEC compatibility : #57 It seems unlikely that the OpenDNSSEC implementation will change in the next month, so if we want to support it this year, we will need to adapt to it.
2. WIP : Openapi generation : Currently I applied a bunch of patches on top of the generated crate, I would need to either create a repeatable patch or customise the openapi code generator.
3. Concurrency : currently everything is blocking, but there's a concurrency option in the PKCS11 specification and not supporting it may cause problems ?
4. Key listing is slow : currently we fetch one key at a time because of the blocking architecture and the NetHSM api that list keys only returns the names. One solution would be to do concurrent api calls.
5. State management : C_GetOperationState and C_SetOperationState are functions that can be used to pause and resume cryptographic operations. This could be implemented but would require some design on how we store all this information (serialisation).
6. Notify : the PKCS11 spec as a field where you can pass a function to be called back when certain events happen. This would require polling the NetHSM regularly to check for events.
7. C_WaitForSlotEvent : same as 6.
8. Certificates : Currently I'm trying for every key to get the certificate and adding it to the list of keys when it works. Should I look for certificates only when a request for certificate objects is made ? This may break some programs.
9. Need to figure out how to do unit testing of the functions.
10. Proper handling of the CKF_LIBRARY_CANT_CREATE_OS_THREADS, currently we can't support this flag so CKR_NEED_TO_CREATE_THREADS should be returned. We could become compatible by using ureq.

The hashing will be done on the host machine and not on the NetHSM

when pData is null

If the data is too short it should wait for more data and then decrypt that block. This is completely optional as it is in the specs and C_Decrypt() is often used instead of C_DecryptUpdate()

I happens randomly, retrying the tools/test_upload_ec_key.sh

Write unit tests for the different parts of the module.

return CKR_NEED_TO_CREATE_THREADS if CKF_LIBRARY_CANT_CREATE_OS_THREADS flag is set

when pData is null

If we don't have any answer from the OpenDNSSEC team we would have to change the implementation to have one unique object Db per Token/Slot.

OpenDNSSEC issue : https://issues.opendnssec.org/browse/SUPPORT-286

A new optional field would be added to the configuration file.

Waits for a NetHSM to come online

• New dedicated documentation page for OpenSSL
• use PKCS11SPY=/usr/lib64/nethsm-pkcs11-v0.1.1-fedora.38.so openssl pkey -engine pkcs11 -inform ENGINE -in "pkcs11:object=nginx;type=public" -pubout to only request the public components of the key.
• Usage as OpenSSL's provider (probably as an option but not exclusively because OpenSSL 1 is still around) https://github.com/latchset/pkcs11-provider

We should match attributes like CKA_PRIVATE, CKA_SIGN ... so we don't send back keys that don't have the capabilities

when pData is null

Currently only private keys, public keys and secret keys are listed.

The module should try to get the certificate associated to a key from the server and if available store the der-encoded certificate in the CKA_VALUE field and list the certificate.