Skip to content

Cryptoki etas integration#49

Open
oeweda wants to merge 16 commits into
eclipse-score:mainfrom
Valeo-S-CORE-Organization:cryptoki_etas_integration
Open

Cryptoki etas integration#49
oeweda wants to merge 16 commits into
eclipse-score:mainfrom
Valeo-S-CORE-Organization:cryptoki_etas_integration

Conversation

@oeweda

@oeweda oeweda commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Key Changes:

Your Reviews will be appreciated @ChansAlive @PandaeDo @masc2023 @schreibwsag @OliverHeilwagen

@github-actions

github-actions Bot commented Jun 10, 2026

Copy link
Copy Markdown

License Check Results

🚀 The license check job ran with the Bazel command:

bazel run --lockfile_mode=error //:license-check

Status: ⚠️ Needs Review

Click to expand output
[License Check Output]
Extracting Bazel installation...
Starting local Bazel server (8.3.0) and connecting to it...
INFO: Invocation ID: d6600a39-6f03-440e-9460-63f927a42cce
Computing main repo mapping: 
Computing main repo mapping: 
DEBUG: Rule 'abseil-cpp+' indicated that a canonical reproducible form can be obtained by modifying arguments integrity = "sha256-m3oGQwXp/ZTRJP+mzDWFkutCtdpYj7TgfQklSqQAhts="
DEBUG: Repository abseil-cpp+ instantiated at:
  <builtin>: in <toplevel>
Repository rule http_archive defined at:
  /home/runner/.bazel/external/bazel_tools/tools/build_defs/repo/http.bzl:394:31: in <toplevel>
Computing main repo mapping: 
DEBUG: Rule 'protobuf+' indicated that a canonical reproducible form can be obtained by modifying arguments integrity = "sha256-w6Cp7OiTLjHDtzbi2xixxC5wcM2biBOIsm0BqnHiTKI="
DEBUG: Repository protobuf+ instantiated at:
  <builtin>: in <toplevel>
Repository rule http_archive defined at:
  /home/runner/.bazel/external/bazel_tools/tools/build_defs/repo/http.bzl:394:31: in <toplevel>
Computing main repo mapping: 
DEBUG: Rule 'grpc+' indicated that a canonical reproducible form can be obtained by modifying arguments integrity = "sha256-CvN7gAlTEwtHwHW1ZoPuYL3D7aPDf8YAQZP1tWl1ggQ="
DEBUG: Repository grpc+ instantiated at:
  <builtin>: in <toplevel>
Repository rule http_archive defined at:
  /home/runner/.bazel/external/bazel_tools/tools/build_defs/repo/http.bzl:394:31: in <toplevel>
Computing main repo mapping: 
WARNING: For repository 'score_rust_policies', the root module requires module version score_rust_policies@0.0.4, but got score_rust_policies@0.0.5 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'score_crates', the root module requires module version score_crates@0.0.7, but got score_crates@0.0.9 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'score_tooling', the root module requires module version score_tooling@1.1.2, but got score_tooling@1.2.0 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'aspect_rules_lint', the root module requires module version aspect_rules_lint@1.5.3, but got aspect_rules_lint@2.0.0 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
Computing main repo mapping: 
Loading: 
Loading: 1 packages loaded
Loading: 1 packages loaded
    currently loading: 
Loading: 1 packages loaded
    currently loading: 
WARNING: Target pattern parsing failed.
ERROR: Skipping '//:license-check': no such target '//:license-check': target 'license-check' not declared in package '' defined by /home/runner/work/inc_security_crypto/inc_security_crypto/BUILD
ERROR: no such target '//:license-check': target 'license-check' not declared in package '' defined by /home/runner/work/inc_security_crypto/inc_security_crypto/BUILD
INFO: Elapsed time: 17.712s
INFO: 0 processes.
ERROR: Build did NOT complete successfully
ERROR: Build failed. Not running target

Comment thread docs/crypto/architecture/index.rst
Comment thread docs/crypto/architecture/index.rst Outdated
Comment thread docs/crypto/architecture/dynamic_architecture.rst Outdated
Comment thread docs/crypto/architecture/dynamic_architecture.rst Outdated
@PandaeDo

Copy link
Copy Markdown
Contributor

80k lines. Sorry, but I'm not able to review that. Is it possible to create smaller, readable PR's?

@ChansAlive

Copy link
Copy Markdown
Contributor

Kindly check the PR again and resolve the merge conflicts.
It may then reflect the actual changes that is being brought in.
It currently shows the source code that is already present in the main as incoming changes.
Thanks

@oeweda oeweda force-pushed the cryptoki_etas_integration branch 4 times, most recently from 4d92606 to cc51b96 Compare June 17, 2026 04:36
@schreibwsag

Copy link
Copy Markdown
Contributor

test_pkcs11_provider fails when compiled with USE_RUST_PKCS11 ("C_InitToken failed: 160").
test_pkcs11_provider tries to initialize the token which is apparently necessary for the SoftHSM2
case, but not for libcryptoki. Proposal: to get test_pkcs11_provider running, do the initialization
parts only if USE_RUST_PKCS11 is not defined. Then test_pkcs11_provider will run:

./bazel-bin/tests/provider_test/test_pkcs11_provider
[==========] Running 4 tests from 1 test suite.
[----------] Global test environment set-up.
[----------] 4 tests from Pkcs11ProviderHashTest
[ RUN ] Pkcs11ProviderHashTest.SHA256SingleShotHash
mw::log initialization error: Error No logging configuration files could be found. occurred with context information: Failed to load configuration files. Fallback to console logging.
mw::log initialization error: Error No logging configuration files could be found. occurred with context information: Failed to load configuration files. Fallback to console logging.
2026/06/18 05:17:33.9853564 2801418324 000 ECU1 NONE DFLT log warn verbose 4 [PKCS#11] Warning: token label autodetect failed for ' SoftHSM '. Falling back to first present slot id= 0
[ OK ] Pkcs11ProviderHashTest.SHA256SingleShotHash (126 ms)
[ RUN ] Pkcs11ProviderHashTest.SHA256StreamingHash
2026/06/18 05:17:33.9853692 2801419597 000 ECU1 NONE DFLT log warn verbose 4 [PKCS#11] Warning: token label autodetect failed for ' SoftHSM '. Falling back to first present slot id= 0
[ OK ] Pkcs11ProviderHashTest.SHA256StreamingHash (122 ms)
[ RUN ] Pkcs11ProviderHashTest.StreamStateViolation
2026/06/18 05:17:33.9853802 2801420698 000 ECU1 NONE DFLT log warn verbose 4 [PKCS#11] Warning: token label autodetect failed for ' SoftHSM '. Falling back to first present slot id= 0
[ OK ] Pkcs11ProviderHashTest.StreamStateViolation (110 ms)
[ RUN ] Pkcs11ProviderHashTest.TrueConcurrentStreamingOnSeparateSessions
2026/06/18 05:17:33.9853925 2801421927 000 ECU1 NONE DFLT log warn verbose 4 [PKCS#11] Warning: token label autodetect failed for ' SoftHSM '. Falling back to first present slot id= 0
[ OK ] Pkcs11ProviderHashTest.TrueConcurrentStreamingOnSeparateSessions (123 ms)
[----------] 4 tests from Pkcs11ProviderHashTest (482 ms total)

[----------] Global test environment tear-down
[==========] 4 tests from 1 test suite ran. (482 ms total)
[ PASSED ] 4 tests.

@oeweda oeweda force-pushed the cryptoki_etas_integration branch 4 times, most recently from 4e95a25 to 0f08964 Compare June 22, 2026 09:41
@github-actions

Copy link
Copy Markdown

The created documentation from the pull request is available at: docu-html

@ShoroukRamzy ShoroukRamzy force-pushed the cryptoki_etas_integration branch 2 times, most recently from cf44556 to f305820 Compare July 7, 2026 13:32
@ShoroukRamzy ShoroukRamzy force-pushed the cryptoki_etas_integration branch 4 times, most recently from 0710419 to ab068a8 Compare July 7, 2026 14:27
@ShoroukRamzy ShoroukRamzy force-pushed the cryptoki_etas_integration branch from ab068a8 to 09800f7 Compare July 7, 2026 14:31
@sunildevda sunildevda requested a review from ChansAlive July 8, 2026 08:30

@ChansAlive ChansAlive left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review done on the daemon changes as part of integrating the rust pkcs11 provider

":use_rust_pkcs11": [
"//score/cryptoki:cryptoki_cdylib",
"//score/cryptoki:cryptoki_headers",
"//third_party/openssl",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this would any way be a transitive dependency when depending on cryptoki_cdylib right?

Comment on lines 18 to +23

#include <cryptoki.h>
#include <pkcs11.h>
#ifdef USE_RUST_PKCS11
#include <pkcs11.h>
#else
#include <cryptoki.h>
#endif

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it was unnecessary to include the cryptoki.h header in the first place.
You may ignore this comment, I will raise a separate fix later.

Comment on lines +141 to +160
#ifdef USE_RUST_PKCS11
{
CK_ULONG slot_count{0U};
CK_FUNCTION_LIST* const fl = m_module->GetFunctionList();
CK_RV rv = fl->C_GetSlotList(CK_TRUE, nullptr, &slot_count);
if ((rv == CKR_OK) && (slot_count > 0U))
{
std::vector<CK_SLOT_ID> slots(slot_count);
rv = fl->C_GetSlotList(CK_TRUE, slots.data(), &slot_count);
if ((rv == CKR_OK) && !slots.empty())
{
m_config.slotId = slots.front();
score::mw::log::LogWarn() << "[PKCS#11] Warning: token label autodetect failed for '"
<< m_config.tokenLabel
<< "'. Falling back to first present slot id=" << m_config.slotId;
return true;
}
}
}
#endif

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What would be the rationale behind this callback?

The intention would be to use the correct token represented by the label (plus Model).

The overall idea of identifying the correct provider would be based on the provider name which is then mapped to the token label in the config to match with the pkcs11 token. If this is not honored, how can we ensure that we are communicating with the correct token when multiple tokens are present in the pkcs11 module?

Comment on lines +74 to +91
#ifdef USE_RUST_PKCS11
{
// Hack to modify slot entries since GetSlotEntries returns const
auto& slot_entries = const_cast<std::vector<score::crypto::daemon::config::KeyConfig::KeySlotEntry>&>(
config.GetKeyConfig().GetSlotEntries()
);
for (auto& slot : slot_entries)
{
for (auto& provider_name : slot.provider_names)
{
if (provider_name == "SOFTHSM")
{
provider_name = "SCORE_CRYPTO_PROVIDER";
}
}
}
}
#endif

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is not the right way to use the keyslots for the rust pkcs11 provider. Infact there are three better alternatives

  1. Use a common provider name for both softhsm and cryptoki. You can then change the pkcs11_token_config.cpp
  2. Second option is to switch the integration_test_config.json (https://github.com/eclipse-score/inc_security_crypto/blob/main/tests/test_vectors/config/integration_test_config.json) in the BUILD file to use the modified keyslot entries.
  3. Add new keyslot entries in the existing json. Adapt the test to use the new keyslot resource identifier when rust pkcs11 is selected.

}
auto& km = km_result.value();

auto slot_result = ctx->ResolveResource("HMAC_SHA256_IntegrationTestKey_SoftHSM", ResourceType::kKeySlot);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we want to choose either softHSM or cryptoki, it may be better to rename the keyslot resourceId to have a generic name. Else it is bit confusing. The change requires updating the config json.

Comment thread third_party/patches/BUILD

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these patch files really required to be merged?

@ShoroukRamzy ShoroukRamzy force-pushed the cryptoki_etas_integration branch from 09800f7 to 2811e99 Compare July 16, 2026 09:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Have only one version of OpenSSL on target Integrate PKCS11 (Cryptoki) to SCORE

7 participants