mathiasertl / django-ca

Django app providing a Certificate Authority
GNU General Public License v3.0
145 stars 43 forks

Test branch for HSM support #139

Closed kushaldas closed 2 months ago

kushaldas commented 7 months ago

How to try this branch?

Follow the instructions to install the HSM-related modules.

ca commands

Next create a local_settings.yaml file for HSM usage.

DEBUG: true
SECRET_KEY: dummy
ALLOWED_HOSTS:
  - localhost

# django-ca configuration
CA_DEFAULT_HOSTNAME: "localhost:8000"
CA_ENABLE_ACME: true
CA_ENABLE_REST_API: true

# Set to true if you want to use Celery
CA_USE_CELERY: false
CA_KEY_BACKENDS:
  default:
    BACKEND: django_ca.key_backends.hsm.HSMBackend
    OPTIONS:
      storage_alias: django-ca

Open questions

mathiasertl commented 7 months ago

How to reuse the current command line flags for key type and key length?

Two very good questions, with two answers:

  1. The key type: you already can! create_private_key() already receives the key_type parameter. That's exactly that.
  2. The key length: This is the same as for the EC curve and the password. The CLI arguments currently come from the storages backend (unlike key type, which is added by the command class itself). So currently you cannot reuse them!

I'm a bit torn on whether I should move key length, EC curve and maybe even password back to the command class. The upside would be a simpler CLI interface. The downside is that you cannot influence the parameters anymore in a custom backend. What if your backend supports a different set of EC curves than cryptography, as seems to be the case here? The "shared" CLI argument would still have to allow all curves (in case you choose the cryptography backend), but of course you could still throw an error in case of an unsupported curve.

What do you think?

Right now choosing any other key type will cause trouble in various different commands as the algorithm is wrong. It should be sha256 for RSA 2048 and None in other cases. How to fix this?

That's easy to fix! Raise django_ca.management.base.CommandError in get_create_private_key_options(). Ideally, you also add proper model validation in your Pydantic model.
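The advice above (derive the hash algorithm from the key type, reject unsupported parameters in get_create_private_key_options(), and back that with model validation) can be illustrated with a small stand-alone sketch. This is an added example, not code from django-ca or from this PR: `CommandError`, the option model and the supported-size/curve sets are hypothetical stand-ins (a dataclass plays the role of the Pydantic model so the snippet runs without extra dependencies), and the HSM inventory is a constructed sample.

```python
"""Added example: validating create-private-key options for an HSM-style key backend.

Hypothetical stand-in for the Pydantic model and CommandError discussed in the
PR thread; it is not django-ca's own code.
"""
from dataclasses import dataclass
from typing import Optional


class CommandError(Exception):
    """Stand-in for django_ca.management.base.CommandError (assumption)."""


# Constructed sample inventory of what this hypothetical HSM can generate.
# A real backend would ask the token (or its configuration) instead.
SUPPORTED_RSA_SIZES = {2048, 3072, 4096}
SUPPORTED_EC_CURVES = {"secp256r1", "secp384r1"}


@dataclass(frozen=True)
class CreatePrivateKeyOptions:
    """Validated key-generation options (stands in for a Pydantic model)."""

    key_type: str
    key_size: Optional[int] = None
    elliptic_curve: Optional[str] = None
    algorithm: Optional[str] = None  # signature hash: "sha256" for RSA, None otherwise

    def __post_init__(self) -> None:
        # Every branch rejects flags that do not apply to the chosen key type, so a
        # stray --key-size on an EC key or --algorithm on Ed25519 cannot slip through
        # and break later commands, which is the failure the PR thread describes.
        if self.key_type == "RSA":
            if self.key_size not in SUPPORTED_RSA_SIZES:
                raise ValueError(f"RSA key size {self.key_size!r} is not supported by this HSM")
            if self.elliptic_curve is not None:
                raise ValueError("elliptic_curve only applies to EC keys")
            if self.algorithm != "sha256":
                raise ValueError("RSA keys require algorithm=sha256")
        elif self.key_type == "EC":
            if self.elliptic_curve not in SUPPORTED_EC_CURVES:
                raise ValueError(f"EC curve {self.elliptic_curve!r} is not supported by this HSM")
            if self.key_size is not None:
                raise ValueError("key_size only applies to RSA keys")
            if self.algorithm is not None:
                raise ValueError("EC keys must use algorithm=None")
        elif self.key_type == "Ed25519":
            if self.key_size is not None or self.elliptic_curve is not None:
                raise ValueError("Ed25519 keys take neither key_size nor elliptic_curve")
            if self.algorithm is not None:
                raise ValueError("Ed25519 keys must use algorithm=None")
        else:
            raise ValueError(f"unknown key type {self.key_type!r}")


def get_create_private_key_options(
    key_type: str,
    key_size: Optional[int] = None,
    elliptic_curve: Optional[str] = None,
    algorithm: Optional[str] = None,
) -> CreatePrivateKeyOptions:
    """Turn CLI flags into validated options, as the PR discussion suggests.

    The hash algorithm is filled in from the key type (sha256 for RSA, None for
    everything else), and any validation failure becomes a CommandError so the
    management command exits cleanly instead of failing later with a confusing error.
    """
    if algorithm is None and key_type == "RSA":
        algorithm = "sha256"
    try:
        return CreatePrivateKeyOptions(
            key_type=key_type, key_size=key_size, elliptic_curve=elliptic_curve, algorithm=algorithm
        )
    except ValueError as exc:
        raise CommandError(str(exc)) from exc


def is_rejected(**flags) -> bool:
    """True if the given flags are refused with a CommandError (handy for checks)."""
    try:
        get_create_private_key_options(**flags)
    except CommandError:
        return True
    return False


if __name__ == "__main__":
    print(get_create_private_key_options("RSA", key_size=2048))
    print(get_create_private_key_options("EC", elliptic_curve="secp256r1"))
    for bad in ({"key_type": "RSA", "key_size": 1024}, {"key_type": "EC", "elliptic_curve": "brainpoolP256r1"}):
        print(bad, "rejected:", is_rejected(**bad))
```

Keeping the checks in the model rather than only in the command means the same rules apply whether the options arrive from the CLI, the REST API or a script, which is the point of the "proper model validation" suggestion.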

mathiasertl commented 6 months ago

FTR, this is currently blocked by SUNET/python_x509_pkcs11#24 being merged.

mathiasertl commented 2 months ago

Closing this, as the effort was eventually resolved in other PRs.

Thank you so much for contributing this, a lot of this eventually went into the codebase.