Add command to generate keypair on a PKCS#11 token #551
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ZoltanFridrich
changed the title
ueno
reviewed
Sep 6, 2023
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
0fe9025 to
dce5ace
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
dce5ace to
adf6c50
Compare
ueno
reviewed
Sep 7, 2023
There was a problem hiding this comment.
I guess one tricky thing is that, if we want to support EC keys, we need to encode ECParamters in ASN.1 and the tool would probably need to link to libtasn1, which is currently an optional build dependency for the trust module. I guess some tweak in the build infrastructure is needed, e.g., check libtasn1 is available, and if yes, link p11-kit tool to it; otherwise we shouldn't but we can still support RSA.
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
adf6c50 to
c31e6fa
Compare
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
c31e6fa to
8e63d40
Compare
ueno
reviewed
Sep 8, 2023
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
3 times, most recently
from
4bb00eb to
6ae757c
Compare
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
6 times, most recently
from
cb54855 to
a5ef9d2
Compare
ueno
requested changes
Sep 13, 2023
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
3 times, most recently
from
e0700dc to
7cb7f2f
Compare
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
40cfc9d to
e2c22b1
Compare
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
2 times, most recently
from
27e0129 to
04fc3e5
Compare
ueno
reviewed
Sep 14, 2023
ueno
reviewed
Sep 14, 2023
ueno
reviewed
Sep 14, 2023
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
04fc3e5 to
38696f7
Compare
| } | ||
|
|
||
| int | ||
| p11_kit_generate_keypair (int argc, |
Check warning
Code scanning / CodeQL
Poorly documented large function
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
38696f7 to
d041b02
Compare
Signed-off-by: Zoltan Fridrich <[email protected]>
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
d041b02 to
938d349
Compare
ueno
approved these changes
Sep 15, 2023
ZoltanFridrich
changed the title
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
fd03086 to
3238000
Compare
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
3238000 to
938d349
Compare
Signed-off-by: Zoltan Fridrich <[email protected]>
Signed-off-by: Zoltan Fridrich <[email protected]>
ZoltanFridrich
force-pushed
the
zfridric_devel2
branch
from
938d349 to
3fbf587
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When the user builds a solution around PKCS#11, such as setting up an HTTPS server with NGINX or Apache HTTPD, they first would need to create a key pair on a PKCS#11 token, where the private key can be used to sign the certificate and TLS handshake.
The generate-keypair subcommand has been added to generate a private key and the corresponding public key. This takes a PKCS#11 URI of a token, where the generated keys are stored, and a label through the --label option. It can also take other options, such as --type to specify the key type and --bits to specify the key size.