[spec] PKCS#11 Mechanism List
Change-Id: I35370fe3d442a4f8660e5f6ef6eeb2f486861abf
parent e4f47c6e05
commit 037746f8c7
|
@ -0,0 +1,131 @@
|
||||||
|
..
|
||||||
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||||
|
License.
|
||||||
|
|
||||||
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||||
|
|
||||||
|
======================
|
||||||
|
PKCS#11 Mechanism List
|
||||||
|
======================
|
||||||
|
|
||||||
|
https://blueprints.launchpad.net/barbican/+spec/pkcs11-mechanism-list
|
||||||
|
|
||||||
|
To help with PKCS#11 backend configuration, barbican-manage cli tool should
|
||||||
|
provide a command to list all mechanisms available in the PKCS#11 device that
|
||||||
|
can be used in Barbican.
|
||||||
|
|
||||||
|
Problem Description
|
||||||
|
===================
|
||||||
|
|
||||||
|
The PKCS#11 plugin backend allows for the configuration of the encryption and
|
||||||
|
hmac algorithms that will be used by specifying the PKCS#11 mechanism to be
|
||||||
|
used.
|
||||||
|
|
||||||
|
Currently, there is no standard way of figuring out what mechanisms are
|
||||||
|
supported by the device since each vendor will have different documentation
|
||||||
|
and/or tools to find this information
|
||||||
|
|
||||||
|
Proposed Change
|
||||||
|
===============
|
||||||
|
|
||||||
|
The PKCS#11 standard does provide a method to list mechanisms. A new command
|
||||||
|
will be added to barbican-manage to use this method to list the mechanisms
|
||||||
|
available in the configured PKCS#11 device (e.g. HSM).
|
||||||
|
|
||||||
|
barbican-manage hsm mechanism_list
|
||||||
|
|
||||||
|
This command output will list mechanisms that are both a) available in the
|
||||||
|
device and b) supported by Barbican. For example, the tool would output both
|
||||||
|
CKM_AES_CBC and CKM_AES_GCM for devices that support both, but no additional
|
||||||
|
mechanisms that are supported by the device but not Barbican.
|
||||||
|
|
||||||
|
Alternatives
|
||||||
|
------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Data model impact
|
||||||
|
-----------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
REST API impact
|
||||||
|
---------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Security impact
|
||||||
|
---------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Notifications & Audit Impact
|
||||||
|
----------------------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Python and Command Line Client Impact
|
||||||
|
-------------------------------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Other end user impact
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Performance Impact
|
||||||
|
------------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Other deployer impact
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Developer impact
|
||||||
|
----------------
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Implementation
|
||||||
|
==============
|
||||||
|
|
||||||
|
Assignee(s)
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Primary assignee:
|
||||||
|
Douglas Mendizábal <dmendiza@redhat.com>
|
||||||
|
|
||||||
|
Other contributors:
|
||||||
|
TBD
|
||||||
|
|
||||||
|
Work Items
|
||||||
|
----------
|
||||||
|
|
||||||
|
* Implement C_GetMechanismList in pkcs11 module
|
||||||
|
* Use pkcs11 module implementation for C_GetMechanismList in the
|
||||||
|
barbican-manage cli to retrieve mechanisms from the HSM and compare that
|
||||||
|
list to the mechanisms supported by Barbican.
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
============
|
||||||
|
|
||||||
|
N/A
|
||||||
|
|
||||||
|
Testing
|
||||||
|
=======
|
||||||
|
|
||||||
|
Functional testing can be done with SoftHSM
|
||||||
|
|
||||||
|
Documentation Impact
|
||||||
|
====================
|
||||||
|
|
||||||
|
This new command will be documented in the pluging backend configuration
|
||||||
|
section of the docsd.
|
||||||
|
|
||||||
|
References
|
||||||
|
==========
|
||||||
|
|
||||||
|
N/A
|
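Review bot: In Proposed Change, the output of `barbican-manage hsm mechanism_list` is specified only through the CKM_AES_CBC / CKM_AES_GCM example, while Problem Description says the backend configures both encryption and hmac mechanisms. Please state whether HMAC mechanisms are listed as well, where the set of mechanisms "supported by Barbican" is defined, and what the command reports when the intersection is empty or the configured device cannot be queried. Other deployer impact reads N/A although the command is a new deployer-facing tool, so a sentence there would help. Work Items and Testing cover the C_GetMechanismList call and SoftHSM functional tests; a unit test for the comparison against the Barbican-supported list would be worth adding as a work item. Also fix the typos in Documentation Impact ("pluging", "docsd") and the missing period after "find this information" in Problem Description.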