-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Underlying library access / vendor extensions #115
Comments
Hey, thanks for getting in touch here as well 😄 And happy new year! I think one other way to approach it would be to simply expose that bit of the interface gated under a Cargo feature (say, |
Hmmmmmmmm... On closer inspection following the conversation in #113 , I noticed that on the Entrust PKCS11 documentation page:
However, 2.40 does not mention EdDSA as a supported mechanism. At the same time, our header file - which is also, presumably, v2.40 - also contains an EdDSA constant. What. |
Their documentation isn't exactly the best. Ha, well I didn't expect you to support a flavor for the vendor. I meant that I would have made a secondary library to support my use-case backed by cryptoki and that I needed cryptoki to expose the internals. I didn't expect you to support this vendor (or any). |
If you create a separate library, would you run the CI straight against your HSM (or some simulator for it) to test the functionality? If so, then maybe that's a bonus point for that approach. But if not, and all testing is done manually or through some workload running somewhere separately from the "official" CI, then I don't think there's much of a difference between the two approaches.
It places some of the maintenance burden on us 😉 but ultimately it will come down to the users of that HSM to identify and fix the bugs in good faith, we could only check that it builds, via CI. I can see a case being made either way, feel free to go down whichever route you think would be easier to use. And PRs are welcome, of course. |
I don't have a simulator. All of it is tested by hand :( Will definitely send a PR! |
First of all, thanks for this great crate / api! again!
Second, merry Christmas to those of you who celebrate!
My HSM vendor (entrust) has extensions to the standard PKCS#11 to support K/N authentication mechanisms with the HSM.
Those are documented here:
https://nshielddocs.entrust.com/api-generic/12.80/pkcs11#nshield-specific-pkcs11-api-extensions
My current idea is to implement an
cryptoki::context::Pkcs11::unsafe_deref()
method to that would return the underlying thelibloading::Library
so I could grab the missing symbols from there (This is exposed in the symbols of the ELF, no idea how it could be exposed in theC_GetFunctionList
).I'll take care of having a cbindgen wrapper for those methods.
Opening this issue to gather ideas/suggestions on that, and see if you would be open for the usecase and a PR.
It doesn't look like this is related to #105 (but I might be missing something), feel free to close as duplicate if so.
The text was updated successfully, but these errors were encountered: