Closed lumjjb closed 3 years ago
I sent a PR today (#19) that does the following:
module-name=softhsm2 to describe /path/to/libsofthsm2.so since this would allow for system-independent support for picking a client shared library (as described in RFC 7512)
I do NOT think that the encrypted packet format (the JSON it creates) will be backed by PKCS11 but this would have to be our extension. Ideally pkcs11 support would be part of the pkcs7 or JWE implementation...
My suggestion is to base the higher level code, such as that from #18 on top of #19 or modify it so that it does.
As the commit message there states, parts of the code were reused from @Gsealy.
In the future we will likely need to extend the code there to support pkcs11 libraries for HSM devices for example that may not have the same restrictions as SoftHSM does, such as OAEP with SHA1 hash algorithm only. We may need to extend it with listing features the device supports and picking the best one, possibly writing the parameters 'somewhere' in case the Decrypt function needs them...
Can close this (for now)?
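The module-name lookup from RFC 7512 mentioned in the comment above, as an added example that is not code from #18, #19 or ocicrypt: it resolves the name to a library file only inside an allowlist of directories. The function name `ResolveModule`, the `moduleDirs` allowlist, the policy of refusing `module-path`, the Linux `lib<name>.so` naming and the sample URIs are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// ResolveModule maps an RFC 7512 URI's module-name to lib<name>.so inside
// moduleDirs (an allowlist assumed by this example, not ocicrypt's API).
func ResolveModule(uri string, moduleDirs []string) (string, error) {
	if !strings.HasPrefix(uri, "pkcs11:") {
		return "", fmt.Errorf("not a pkcs11 URI")
	}
	_, query, _ := strings.Cut(uri, "?") // query attributes follow '?', split by '&'
	name := ""
	for _, attr := range strings.Split(query, "&") {
		k, v, _ := strings.Cut(attr, "=")
		v, err := url.PathUnescape(v) // attribute values are percent-encoded
		if err != nil {
			return "", err
		}
		switch k {
		case "module-path": // example policy: no caller-chosen library paths
			return "", fmt.Errorf("module-path not accepted, use module-name")
		case "module-name":
			name = v
		}
	}
	if name == "" || name != filepath.Base(name) || strings.HasPrefix(name, ".") { // bare names only
		return "", fmt.Errorf("invalid module-name %q", name)
	}
	for _, dir := range moduleDirs {
		lib := filepath.Join(dir, "lib"+name+".so") // Linux affixes assumed
		if st, err := os.Stat(lib); err == nil && st.Mode().IsRegular() {
			return lib, nil
		}
	}
	return "", fmt.Errorf("module %q not in configured directories", name)
}

func main() {
	dir, _ := os.MkdirTemp("", "p11") // constructed module directory
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "libsofthsm2.so"), nil, 0o600)
	fmt.Println(ResolveModule("pkcs11:object=key1?module-name=softhsm2", []string{dir}))
	fmt.Println(ResolveModule("pkcs11:object=key1?module-name=..%2Fevil", []string{dir}))
}
```

Because the URI decides which shared object gets loaded into the process, keeping the search to directories the operator configured means a URI taken from an untrusted config cannot point the loader at an arbitrary file.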
This thread contains discussion and implementation/design direction for PKCS#11 support for ocicrypt. This was started from https://github.com/containers/ocicrypt/pull/18 created by @Gsealy, and initial discussions from @stefanberger @jejb @jamjoom @lumjjb
The overall plan is to have the feature be experimental, and be formed based on use cases and features requested through discussions of the community. Once it has reached a more stable state, it will become part of the spec. Until then, it is not an officially supported protocol.
Below are some points from discussions within the PRs + side conversations.
Initial experimental prototype
org.opencontainers.image.enc.keys.experimental.pkcs11
Experimental prototype iteration
EncryptWith and DecryptWith passing a PKCS11 URI, this will provide DecryptConfig and the role of consumers
More iterations including other features as asks/discussion create
Future: