(!) This project is at an experimental stage and is very much a work-in-progress. It should not be used in production deployments at this time. Furthermore the functionality and interfaces offered should be considered unstable.
This Rust application accepts KMIP requests, converts them to PKCS#11 format and executes them against a loaded PKCS#11 library.
The use case for which this application is primarily being developed is to enable Nameshed to make use of a Hardware Security Module (HSM) via a PKCS#11 interface without having to load an untrusted 3rd party PKCS#11 library into its process.
This is particularly important for a Rust application as the PKCS#11 interface exposes the application to code that is likely not protected by the guarantees provided by the Rust compiler, as the PKCS#11 is a foreign function interface beyond which the Rust compiler cannot see.
If the PKCS#11 library experiences a fatal error that may not be reason to exit the parent application, whether or not that is appropriate is highly dependent on the purpose of that application. Any STDOUT and STDERR output produced by the PKCS#11 library may also become mixed with output from the application itself which can be confusing.
This project could potentially act as the basis for a general purpose KMIP to PKCS#11 relay. However, at present and for the foreseeable future we plan only to implement the tiny fraction of the KMIP specification needed by the Nameshed project, and the only KMIP client that will be tested against will be Nameshed.
However, the supported requests cover only the small fraction of the KMIP specificationthis application implements support for only a limited fraction of the entire interface defined by the applicable versions of the KMIP and PKCS#11 specifications, specifically whatever is needed to power our own projects.
This application is possible thanks to the following foundational Rust crates on which it builds:
The code of the keyls tool served as a very useful starting point as it already supported both KMIP and PKCS#11 albeit only as a client and not as a server.
-
A TLS certificate and key such as the example ones available here: https://github.com/rustls/hyper-rustls/blob/main/examples/. Note: This application may be updated in future to use a pre-shared key approach instead.
-
A PKCS#11 library and associated HSM to interact with, either a real hardware device or a virtual HSM such as https://www.softhsm.org/.
This application currently only supports KMIP via the TCP+TLS+TTLV transport. There is no support for the HTTPS+XML or HTTPS+JSON transports defined by the KMIP profiles specification.
The following KMIP operations are supported by this application at present:
| KMIP Operation | PKCS#11 Function | Limitations |
|---|---|---|
| Activate | N/A | Returns with success as PKCS#11 has no notion of object activation. |
| Create Key Pair | C_GenerateKeyPair | Only supports RSA and ECDSA at present. |
| Get | C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal & C_GetAttributeValue | |
| Sign | C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal, C_SignInit, C_Sign & C_SignFinal |
$ nameshed-hsm-relay
error: the following required arguments were not provided:
--server-cert <SERVER_CERT_PATH>
--server-key <SERVER_KEY_PATH>
--lib-path <LIB_PATH>
Usage: kmip2pkcs11 --server-cert <SERVER_CERT_PATH> --server-key <SERVER_KEY_PATH> --lib-path <LIB_PATH>
For more information, try '--help'.