larskanis / pkcs11

PKCS #11/Ruby Interface
http://rubyforge.org/projects/pkcs11/
MIT License

adding safenet specific attributes #2

Closed nathanvda closed 12 years ago

nathanvda commented 13 years ago

Hi,

We want to work with safenet specific attributes, like CKA_EXPORTABLE, CKA_PRIVATE, ... These attributes are currently not defined inside this pkcs11 gem.

Is this something you would add to the pkcs11 gem? I mean: is this the logical place to define them (to me it seems so, but I am not sure). If so, I will fork and add the definitions. Or do you think we should keep them in our own program? (as these are vendor-specific and the rest of the gem is generic).

We foresee working with a few different HSMs, so I expect to add a few vendor-specific attributes. I think it would be useful to add them here, but I am not sure how you feel. I could also define them inside our own program or inside a specific gem (an extension).

What is your opinion?

larskanis commented 13 years ago

Hi Nathan,

Thanks for your response. That is an open topic on the current todo list...

The current gem covers all v2.2 functions, constants and structs defined in the standard. For now, the only way is to define vendor attributes in your application and handle attribute values and structs as binary Strings. But this is not very convenient.

So yes, I would like to have the vendor specific additions in the pkcs11.gem or even better in pkcs11-safenet.gem.

There are several things to consider:

  1. Different vendors use the same numbers for different things. So we cannot just add these constants to the current lists. The library has to "know" which vendor is used because returned exceptions should be kind of CKR_VENDOR_ERROR. Returned attribute values should probably get cast. And the Hash in lib/pkcs11/helper.rb used to find the parameter-struct for a given mechanism must be different, too, for different vendors.
  2. Most of the functions, constants and structs are extracted from PKCS#11 header files to keep the library more maintainable. Vendor header files have to be handled under the copyright of the vendor. I'm currently not sure if safenet allows its use.
  3. It should be possible to connect to two different types of HSMs at the same time.

The way I think about it is something like:

```ruby
require "pkcs11"
lib=PKCS11.load("mylib.so", {}, :safenet) # loads "pkcs11-safenet.gem" internally
p PKCS11::Safenet.constants # => [CKA_EXPORTABLE, ...]
```

We are also working with safenet HSMs, so a better solution for vendor additions would be equally interesting for us.
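
Two points from the comment above, sketched as an added example that is not part of the original thread or of the pkcs11 gem: vendor attribute values arrive as binary Strings that need casting, and the same number can mean different things per vendor. It is plain Ruby; the vendor table, the attribute numbers and the helper names are constructed placeholders, not values from any vendor header.

```ruby
# Start of the vendor-defined range in the PKCS#11 standard.
CKA_VENDOR_DEFINED = 0x80000000

# Constructed per-vendor tables (placeholder numbers, NOT taken from a vendor
# header): the same number resolves to a different attribute and value type.
VENDOR_ATTRS = {
  safenet:      { CKA_VENDOR_DEFINED | 0x01 => [:CKA_EXPORTABLE, :bool] },
  other_vendor: { CKA_VENDOR_DEFINED | 0x01 => [:CKA_USAGE_COUNT, :ulong] },
}.freeze

# CK_ULONG is a native unsigned long, so its size depends on the platform.
ULONG_SIZE = [0].pack("L!").bytesize

# Cast a raw attribute value (binary String) according to its declared type,
# rejecting values whose length does not match that type.
def cast_value(type, raw)
  raw = raw.b
  case type
  when :bool
    raise ArgumentError, "CK_BBOOL must be 1 byte" unless raw.bytesize == 1
    raw.unpack1("C") != 0
  when :ulong
    unless raw.bytesize == ULONG_SIZE
      raise ArgumentError, "CK_ULONG must be #{ULONG_SIZE} bytes"
    end
    raw.unpack1("L!")
  else
    raw
  end
end

# Resolve an attribute number for one vendor and cast its value.
# Numbers outside the vendor range, or unknown to that vendor, stay raw.
def decode_attribute(vendor, type_id, raw)
  table = VENDOR_ATTRS.fetch(vendor) do
    raise ArgumentError, "unknown vendor #{vendor.inspect}"
  end
  name, type = table[type_id] if type_id >= CKA_VENDOR_DEFINED
  return [type_id, raw.b] unless name
  [name, cast_value(type, raw)]
end
```

Keeping one table per vendor is what lets two different HSM types be used in the same process without their vendor ranges colliding.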

larskanis commented 12 years ago

The pkcs11_protect_server gem is out, so the issue is solved now.