in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

[Feat]: HSM pkcs#11 #514

Open axi92 opened 1 week ago

axi92 commented 1 week ago

Describe the solution you'd like:

We are switching to a YubiHSM 2 so we don't use files for certs or keys anymore. The access to the HSM is made through a connector listening over the network.

User value:

Code signing possible from HSM.

Expected behavior:

Use pkcs#11 to connect to the HSM.

Proposed solution:

I only know it from osslsigncode. We use it to connect to the pkcs#11 interface from the YubiHSM 2 and sign software with our code signing cert stored on the HSM. Maybe it is possible to go a similar way?

Anything else you would like to add:

In these docs there is a lot of help that might be helpful: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/index.html

There is an image with the connection stack explained: https://support.yubico.com/hc/en-us/articles/360017607439-Top-practical-considerations-when-implementing-the-YubiHSM-2

Testing changes required:

I don't know how to test this, maybe a softhsm can be used?

Documentation changes required:

For sure, I am glad to help on docs since I am not able to help on the coding with go.

colek42 commented 1 week ago

We support pkcs#11 in the enterprise version of Witness, but it requires CGO. We would support it in the open source if the contribution was pure go.

axi92 commented 1 week ago

Are there prices for the enterprise version? I was not able to find anything for that.

colek42 commented 5 days ago

@axi92 send me an email cole@testifysec.com and I can get you that info.