Cryptoki etas integration#49
Conversation
License Check Results🚀 The license check job ran with the Bazel command: bazel run --lockfile_mode=error //:license-checkStatus: Click to expand output |
|
80k lines. Sorry, but I'm not able to review that. Is it possible to create smaller, readable PR's? |
|
Kindly check the PR again and resolve the merge conflicts. |
4d92606 to
cc51b96
Compare
|
test_pkcs11_provider fails when compiled with USE_RUST_PKCS11 ("C_InitToken failed: 160"). ./bazel-bin/tests/provider_test/test_pkcs11_provider [----------] Global test environment tear-down |
4e95a25 to
0f08964
Compare
|
The created documentation from the pull request is available at: docu-html |
Co-authored-by: Copilot <copilot@github.com>
Fix the static library link order for OpenSSL (libssl before libcrypto) to resolve undefined symbols during linking. Additionally, apply missing Eclipse Foundation copyright headers to newly added Cryptoki source files to pass the copyright checker.
cf44556 to
f305820
Compare
0710419 to
ab068a8
Compare
ab068a8 to
09800f7
Compare
ChansAlive
left a comment
There was a problem hiding this comment.
Review done on the daemon changes as part of integrating the rust pkcs11 provider
| ":use_rust_pkcs11": [ | ||
| "//score/cryptoki:cryptoki_cdylib", | ||
| "//score/cryptoki:cryptoki_headers", | ||
| "//third_party/openssl", |
There was a problem hiding this comment.
I believe this would any way be a transitive dependency when depending on cryptoki_cdylib right?
|
|
||
| #include <cryptoki.h> | ||
| #include <pkcs11.h> | ||
| #ifdef USE_RUST_PKCS11 | ||
| #include <pkcs11.h> | ||
| #else | ||
| #include <cryptoki.h> | ||
| #endif |
There was a problem hiding this comment.
I think it was unnecessary to include the cryptoki.h header in the first place.
You may ignore this comment, I will raise a separate fix later.
| #ifdef USE_RUST_PKCS11 | ||
| { | ||
| CK_ULONG slot_count{0U}; | ||
| CK_FUNCTION_LIST* const fl = m_module->GetFunctionList(); | ||
| CK_RV rv = fl->C_GetSlotList(CK_TRUE, nullptr, &slot_count); | ||
| if ((rv == CKR_OK) && (slot_count > 0U)) | ||
| { | ||
| std::vector<CK_SLOT_ID> slots(slot_count); | ||
| rv = fl->C_GetSlotList(CK_TRUE, slots.data(), &slot_count); | ||
| if ((rv == CKR_OK) && !slots.empty()) | ||
| { | ||
| m_config.slotId = slots.front(); | ||
| score::mw::log::LogWarn() << "[PKCS#11] Warning: token label autodetect failed for '" | ||
| << m_config.tokenLabel | ||
| << "'. Falling back to first present slot id=" << m_config.slotId; | ||
| return true; | ||
| } | ||
| } | ||
| } | ||
| #endif |
There was a problem hiding this comment.
What would be the rationale behind this callback?
The intention would be to use the correct token represented by the label (plus Model).
The overall idea of identifying the correct provider would be based on the provider name which is then mapped to the token label in the config to match with the pkcs11 token. If this is not honored, how can we ensure that we are communicating with the correct token when multiple tokens are present in the pkcs11 module?
| #ifdef USE_RUST_PKCS11 | ||
| { | ||
| // Hack to modify slot entries since GetSlotEntries returns const | ||
| auto& slot_entries = const_cast<std::vector<score::crypto::daemon::config::KeyConfig::KeySlotEntry>&>( | ||
| config.GetKeyConfig().GetSlotEntries() | ||
| ); | ||
| for (auto& slot : slot_entries) | ||
| { | ||
| for (auto& provider_name : slot.provider_names) | ||
| { | ||
| if (provider_name == "SOFTHSM") | ||
| { | ||
| provider_name = "SCORE_CRYPTO_PROVIDER"; | ||
| } | ||
| } | ||
| } | ||
| } | ||
| #endif |
There was a problem hiding this comment.
I think this is not the right way to use the keyslots for the rust pkcs11 provider. Infact there are three better alternatives
- Use a common provider name for both softhsm and cryptoki. You can then change the pkcs11_token_config.cpp
- Second option is to switch the integration_test_config.json (https://github.com/eclipse-score/inc_security_crypto/blob/main/tests/test_vectors/config/integration_test_config.json) in the BUILD file to use the modified keyslot entries.
- Add new keyslot entries in the existing json. Adapt the test to use the new keyslot resource identifier when rust pkcs11 is selected.
| } | ||
| auto& km = km_result.value(); | ||
|
|
||
| auto slot_result = ctx->ResolveResource("HMAC_SHA256_IntegrationTestKey_SoftHSM", ResourceType::kKeySlot); |
There was a problem hiding this comment.
Since we want to choose either softHSM or cryptoki, it may be better to rename the keyslot resourceId to have a generic name. Else it is bit confusing. The change requires updating the config json.
There was a problem hiding this comment.
Are these patch files really required to be merged?
09800f7 to
2811e99
Compare
Key Changes:
Integrated the cryptoki module natively into the score_crypto.
Moved the cryptoki provider to score/crypto/daemon/provider/pkcs11/cryptoki.
Updated all Bazel build configurations, Cargo dependencies, and lockfiles to correctly map to the new path.
Verified that the daemon, integration tests, and multi-provider demos build and pass successfully with the new provider location.
Use a single source for openssl (ETAS provided version) found under third_party/openssl
Integrate SCORE Logger into Cryptoki code
closes Integrate PKCS11 (Cryptoki) to SCORE #29 (children tasks PKCS11 (Cryptoki) Integration with SCORE #31 and Integration of PKCS11 (Cryptoki) With ETAS Architecture #32)
closes Have only one version of OpenSSL on target #30 (child task Selecting One OpenSSL Version for the Security Code #33)
Your Reviews will be appreciated @ChansAlive @PandaeDo @masc2023 @schreibwsag @OliverHeilwagen