[ https://issues.apache.org/jira/browse/PROTON-2594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17898446#comment-17898446 ]
ASF subversion and git services commented on PROTON-2594:
---------------------------------------------------------

Commit af0124ef969a474d7a8c43bd68f3fdad2a3465ef in qpid-proton's branch refs/heads/main from Ahmad Fatoum
[ https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=af0124ef9 ]

PROTON-2594: [C++] add test for newly added PKCS#11 support

Existing tests hardcode paths to PEM files. For easily testing PKCS#11
usage for client certificates on the target, we want to pass in
dynamically PKCS#11 URIs identifying the certificates and keys to use
without requiring recompilation.

Enable doing that by consulting a set of new environment variables:

    PKCS11_CLIENT_CERT: URI of client certificate
    PKCS11_CLIENT_KEY:  URI of client private key
    PKCS11_SERVER_CERT: URI of server certificate
    PKCS11_SERVER_KEY:  URI of server private key
    PKCS11_CA_CERT:     URI of CA certificate

These variables are populated and exported by sourcing the new
scripts/prep-pkcs11_test.sh script prior to executing the test.

The script uses SoftHSM, which is an implementation of a cryptographic
store accessible through a PKCS #11 interface without requiring an
actual Hardware Security Module (HSM).

We load into the SoftHSM both client and server keys and certificates.
As the server key exists only in encrypted form, we decrypt
server-private-key-lh.pem, so we need not handle passphrase input when
the PEM file is processed by pkcs11-tool.

When the script is not sourced, none of the environment variables will
be set and the test will be skipped without being marked as error.

> Use of HSM for crypto operations with the private key of a TLS certificate
> ---------------------------------------------------------------------------
>
>                 Key: PROTON-2594
>                 URL: https://issues.apache.org/jira/browse/PROTON-2594
>             Project: Qpid Proton
>          Issue Type: New Feature
>          Components: cpp-binding, proton-c
>            Reporter: Franz Hollerer
>            Priority: Major
>         Attachments: pn2594.c
>
>
> We use a Hardware Security Module with PKCS#11 Interface (to be more
> specific: OP-TEE) as key store. This key store holds the public and private
> key for a TLS certificate for the purpose of client authentication.
> Is there a way to instruct proton-qpid to use the HSM for cryptographic
> operations with the private key?
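
The environment-variable gating described in the commit message, as an added example that is not qpid-proton's own test code: it reads the five PKCS11_* variables and decides whether the PKCS#11 test should be skipped or run. Treating a partial set or a value without the "pkcs11:" scheme as an error is an assumption of this example, as are all type and function names.

```cpp
// Added example (not from the qpid-proton sources).
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Env = std::map<std::string, std::string>;
enum class Pkcs11TestMode { Skip, Run, Misconfigured };

// Variable names as listed in the commit message.
static const std::vector<std::string> kPkcs11Vars = {
    "PKCS11_CLIENT_CERT", "PKCS11_CLIENT_KEY", "PKCS11_SERVER_CERT",
    "PKCS11_SERVER_KEY", "PKCS11_CA_CERT"};

// RFC 7512 URIs use the "pkcs11:" scheme; a bare file path is rejected.
static bool is_pkcs11_uri(const std::string& v) {
    return v.size() > 7 && v.compare(0, 7, "pkcs11:") == 0;
}

// Skip when nothing is set (the behaviour the commit describes).
// Assumption of this example: a partial set or a non-URI value is reported
// as an error, so a half-sourced environment cannot pass as a clean skip.
Pkcs11TestMode classify(const Env& env, Env& uris) {
    uris.clear();
    for (const auto& name : kPkcs11Vars) {
        auto it = env.find(name);
        if (it == env.end() || it->second.empty()) continue;
        if (!is_pkcs11_uri(it->second)) return Pkcs11TestMode::Misconfigured;
        uris[name] = it->second;
    }
    if (uris.empty()) return Pkcs11TestMode::Skip;
    return uris.size() == kPkcs11Vars.size() ? Pkcs11TestMode::Run
                                             : Pkcs11TestMode::Misconfigured;
}

// Snapshot only the five variables from the process environment.
Env read_pkcs11_env() {
    Env env;
    for (const auto& name : kPkcs11Vars)
        if (const char* v = std::getenv(name.c_str())) env[name] = v;
    return env;
}

int main() {
    Env uris;
    switch (classify(read_pkcs11_env(), uris)) {
        case Pkcs11TestMode::Skip: std::cout << "skipped: PKCS11_* not set\n"; return 0;
        case Pkcs11TestMode::Run: std::cout << "running with " << uris.size() << " URIs\n"; return 0;
        default: std::cerr << "PKCS11_* incomplete or not pkcs11: URIs\n"; return 1;
    }
}
```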