In the PKCS#11 `signer.rs` code there is the following comment:

```rust
// Note: The AWS CloudHSM Known Issues for the PKCS#11 Library states:
// https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-pkcs11-sdk.html#ki-pkcs11-7
//
// Issue: You could not hash more than 16KB of data
// For larger buffers, only the first 16KB will be hashed and returned. The excess data would have been
// silently ignored.
// Resolution status: Data less than 16KB in size continues to be sent to the HSM for hashing. We have added
// capability to hash locally, in software, data between 16KB and 64KB in size. The client and the SDKs will
// explicitly fail if the data buffer is larger than 64KB. You must update your client and SDK(s) to version
// 1.1.1 or higher to benefit from the fix.
//
// TODO: if data is larger than 16KB we should hash locally and only use the HSM for signing, not for hashing.
// Should we enable this behaviour based on detection of an AWS CloudHSM or a config flag or ??? As an example,
// Oracle enables an AWS CloudHSM specific workaround by detecting a CLOUDHSM_IGNORE_CKA_MODIFIABLE_FALSE
// environment variable.
```
Does Krill ever need to sign > 64 KB at once? If so, should we work around this issue, or specifically detect and report nicely on this specific error case?
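For reference, the workaround the TODO in the comment describes (hash in software, hand the HSM only a DigestInfo via CKM_RSA_PKCS instead of letting it hash via CKM_SHA256_RSA_PKCS) worked through as an added example. This is not Krill's code nor the CloudHSM library's; it is written in Go, with crypto/rsa standing in for the HSM so it runs without hardware. The `Mechanism`, `SignRequest`, `prepareSignRequest` and `hsmSign` names, the `truncate` flag that emulates the pre-1.1.1 "first 16KB only" behaviour, and the 92 kB manifest stand-in are all assumptions made for the example; only the 16 KB limit and the two PKCS#11 mechanism names come from the comment and the PKCS#11 spec.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Hash-size limit from the CloudHSM known issue quoted above: data up to this size
// is hashed on the HSM; anything larger has to be hashed in software.
const cloudHsmHashLimit = 16 * 1024

// DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
var sha256DigestInfoPrefix = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// Mechanism mirrors the two PKCS#11 mechanisms a signer can choose between (names assumed).
type Mechanism int

const (
	MechSha256RsaPkcs Mechanism = iota // CKM_SHA256_RSA_PKCS: the HSM hashes and signs
	MechRsaPkcs                        // CKM_RSA_PKCS: the HSM only pads and signs a caller-built DigestInfo
)

// SignRequest is what would be handed to C_SignInit/C_Sign.
type SignRequest struct {
	Mechanism Mechanism
	Input     []byte
}

// sha256DigestInfo returns DigestInfo(SHA-256(data)), the input CKM_RSA_PKCS expects.
func sha256DigestInfo(data []byte) []byte {
	d := sha256.Sum256(data)
	return append(append([]byte{}, sha256DigestInfoPrefix...), d[:]...)
}

// prepareSignRequest picks the mechanism by size: data within the HSM limit is sent as-is
// to be hashed on the HSM; larger data is hashed locally and only the DigestInfo is sent.
func prepareSignRequest(data []byte, hashLimit int) SignRequest {
	if len(data) <= hashLimit {
		return SignRequest{Mechanism: MechSha256RsaPkcs, Input: data}
	}
	return SignRequest{Mechanism: MechRsaPkcs, Input: sha256DigestInfo(data)}
}

// hsmSign stands in for the HSM, implemented with crypto/rsa. The truncate flag emulates the
// pre-1.1.1 CloudHSM behaviour described in the comment: with CKM_SHA256_RSA_PKCS only the first
// 16 KB are hashed and the rest is silently ignored.
func hsmSign(key *rsa.PrivateKey, req SignRequest, truncate bool) ([]byte, error) {
	switch req.Mechanism {
	case MechSha256RsaPkcs:
		data := req.Input
		if truncate && len(data) > cloudHsmHashLimit {
			data = data[:cloudHsmHashLimit]
		}
		d := sha256.Sum256(data)
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	case MechRsaPkcs:
		// hash == 0 tells crypto/rsa to pad and sign the bytes exactly as given, without
		// prepending a DigestInfo, which is what CKM_RSA_PKCS does.
		return rsa.SignPKCS1v15(rand.Reader, key, 0, req.Input)
	}
	return nil, fmt.Errorf("unsupported mechanism %d", req.Mechanism)
}

// verifyOverFullData is what a relying party does: hash everything it received and check
// the PKCS#1 v1.5 signature against that digest.
func verifyOverFullData(pub *rsa.PublicKey, data, sig []byte) bool {
	d := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// constructedManifest is a constructed stand-in for a 92 kB manifest; the bytes are arbitrary.
func constructedManifest() []byte {
	return bytes.Repeat([]byte("manifest-entry "), 92*1024/15)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	data := constructedManifest()

	// Naive: hand the whole 92 kB to CKM_SHA256_RSA_PKCS on a truncating HSM.
	naive, _ := hsmSign(key, SignRequest{Mechanism: MechSha256RsaPkcs, Input: data}, true)
	fmt.Println("naive signature verifies over full data:", verifyOverFullData(&key.PublicKey, data, naive))

	// Workaround: hash locally, send only the DigestInfo with CKM_RSA_PKCS.
	req := prepareSignRequest(data, cloudHsmHashLimit)
	sig, _ := hsmSign(key, req, true)
	fmt.Println("pre-hashed signature verifies over full data:", verifyOverFullData(&key.PublicKey, data, sig))
}
```

Because PKCS#1 v1.5 signing is deterministic, the CKM_RSA_PKCS-over-DigestInfo path yields a byte-identical signature to CKM_SHA256_RSA_PKCS over the same data, so relying parties cannot tell the two apart; the only thing that changes is that the HSM never sees more than 51 bytes of input, which sidesteps the 16 KB/64 KB limits entirely. The naive path on a truncating HSM is the dangerous case: it returns a signature that is valid, but only over the first 16 KB.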
The nic.br manifest is currently 92 kB, so yes, we need to be prepared to sign larger. But this is with 1100+ signed certificates in the publication point. For now this should work for small CAs.