dotnet / sign

Code Signing CLI tool supporting Authenticode, NuGet, VSIX, and ClickOnce
MIT License

Add PKCS#11 library support #707

Open dylrich opened 5 months ago

dylrich commented 5 months ago

We use this library to sign NuGet packages with certificates stored in Azure Key Vault. However, we'd prefer to not directly talk to Azure Key Vault, but instead use a PKCS#11 library to request signatures from Azure Key Vault. Our PKCS#11 library serves as a standardized authentication and management layer for keys and certificates that we use for other, non-NuGet signatures. If this tool supported PKCS#11, we could use this interface for all types of signing. Additionally, it would allow users to sign packages in a wider range of HSM backends beyond just Azure Key Vault, though this isn't the main motivation for us.

Would this project consider accepting a Pull Request that contained a PKCS#11 implementation? It seems like it would need to satisfy these two interfaces if we're reading the code correctly.

clairernovotny commented 5 months ago

Hi @dylrich

We would certainly consider it; can you please provide some additional information about your proposed implementation? We also have refactoring PRs in flight that will make this easier to start once they're merged: https://github.com/dotnet/sign/pull/700 & https://github.com/dotnet/sign/pull/703

dylrich commented 5 months ago

Hi @clairernovotny , thanks for the fast response!

We're not sure about the answers to your questions yet and are still working out details about what this might look like. We were mostly curious about if this effort would even be desired upstream! I'll let you know as soon as possible once we have more answers about what exactly we were thinking about.

dylrich commented 5 months ago

Hi @clairernovotny,

  1. We were planning on using https://github.com/Pkcs11Interop/Pkcs11Interop to allow talking to unmanaged PKCS#11 libraries.
  2. Users would either need to pass in a PKCS#11 URI and PIN or the path to a PKCS#11 library, key identifier and PIN.
  3. We would write new code to glue this library to the above Pkcs11Interop library.

How would you and the team feel about this approach?
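The second point above, that a provider could accept either a PKCS#11 URI plus a PIN or a library path, key identifier and PIN, is the part of the design most worth pinning down, because the URI form (RFC 7512) can carry the PIN itself in a `pin-value` query attribute, and a signing tool's command line ends up in CI logs and process listings. The following Python is an added example and is not code from dotnet/sign or from the Pkcs11Interop projects: it parses a `pkcs11:` URI into the same inputs the library-path form needs (module path, token, CKA_ID or object label), whitelists the RFC 7512 attribute names, refuses `pin-value` unless the caller opts in, and masks the PIN before the URI is logged. The sample URIs, the `SoftHSM Token` label and the whitelist policy are constructed for this example.

```python
"""RFC 7512 pkcs11: URI parsing with PIN hygiene (added example, not dotnet/sign code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512. The RFC also permits vendor attributes;
# a signing tool is better off rejecting anything it does not understand.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


@dataclass
class Pkcs11Uri:
    """Parsed URI. 'id' is kept as raw bytes (it maps to CKA_ID); other values are text."""
    path: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def _split_attrs(part: str, sep: str, allowed: set) -> dict:
    """Split 'name=value' components, undo percent-encoding, reject unknown or repeated names."""
    attrs = {}
    for component in (part.split(sep) if part else []):
        name, eq, value = component.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute component {component!r}")
        if name not in allowed:
            raise ValueError(f"unsupported attribute {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        raw = unquote_to_bytes(value)  # RFC 3986 percent-decoding, binary-safe for 'id'
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri: str, *, allow_pin_value: bool = False) -> Pkcs11Uri:
    """Parse a pkcs11: URI. By default a PIN embedded as pin-value is an error."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    parsed = Pkcs11Uri(
        path=_split_attrs(path_part, ";", PATH_ATTRS),
        query=_split_attrs(query_part, "&", QUERY_ATTRS),
    )
    obj_type = parsed.path.get("type")
    if obj_type is not None and obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {obj_type!r}")
    if "slot-id" in parsed.path:
        parsed.path["slot-id"] = int(parsed.path["slot-id"])  # decimal per RFC 7512
    if "pin-value" in parsed.query and not allow_pin_value:
        raise ValueError("pin-value embedded in URI; supply the PIN via pin-source or a prompt")
    return parsed


def key_locator(parsed: Pkcs11Uri) -> dict:
    """Reduce a parsed URI to what a signature provider needs to find the private key.

    This is the same information the 'library path + key identifier' form carries,
    so one provider can accept both input styles.
    """
    if parsed.path.get("type", "private") != "private":
        raise ValueError("signing needs a private key object")
    if "id" not in parsed.path and "object" not in parsed.path:
        raise ValueError("URI must name the key by id (CKA_ID) or object label")
    return {
        "module_path": parsed.query.get("module-path"),
        "module_name": parsed.query.get("module-name"),
        "token": parsed.path.get("token"),
        "key_id": parsed.path.get("id"),
        "key_label": parsed.path.get("object"),
    }


def redact_for_log(uri: str) -> str:
    """Mask pin-value before a URI reaches a log line or an error message."""
    head, sep, query = uri.partition("?")
    return head + sep + re.sub(r"(^|&)pin-value=[^&]*", r"\1pin-value=***", query)


if __name__ == "__main__":
    # Constructed sample: a SoftHSM token with a key identified by CKA_ID 0x0102 and a label.
    sample = ("pkcs11:token=SoftHSM%20Token;id=%01%02;object=signing-key;type=private"
              "?module-path=/usr/lib/softhsm/libsofthsm2.so")
    print(key_locator(parse_pkcs11_uri(sample)))
    print(redact_for_log("pkcs11:object=signing-key?pin-value=1234&module-name=softhsm2"))
```

The `allow_pin_value` opt-in exists only so a caller can knowingly support the attribute; the default rejection is the interesting behaviour, since it forces the PIN through `pin-source`, an environment variable or an interactive prompt rather than through the argument list. `redact_for_log` is what should wrap the URI in any diagnostic the provider emits, including the message of the exception raised when parsing fails.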

spilkercompra commented 4 months ago

We use https://github.com/Pkcs11Interop/Pkcs11Interop.X509Store to talk to a SafeNet eToken and to SoftHSM with this library. For our in-house use case this is working flawlessly.

jariq commented 1 month ago

Hello all, author of Pkcs11Interop here 👋🏻

Instead of using the complex Pkcs11Interop library, which requires a strong understanding of the underlying standards, I would definitely recommend using the more developer-friendly Pkcs11Interop.X509Store, which provides implementations of the System.Security.Cryptography.RSA and System.Security.Cryptography.ECDsa interfaces.

Let me know if you need any help, code review or anything else.

spilkercompra commented 1 month ago

Jaroslav helped me out. Great library. What an amount of work.


spilkercompra commented 1 month ago

Fire and forget is important for us little guys. I integrated the great Java implementation when I faced the fact that our build server was 2012. You all should team up.


spilkercompra commented 1 month ago

If I had known before: JSign has it all. 2012 for me.


dtivel commented 3 weeks ago

https://github.com/dotnet/sign/issues/639 is the first step in solving this. After that, it would be up to whoever wants to implement a PKCS#11 signature provider for Sign CLI. I don't think there's any work here for Sign CLI beyond implementing https://github.com/dotnet/sign/issues/639.