Juju Charm - SoftHSM2 plugin for Barbican
Go to file
Ghanshyam Mann 7a44dcaf25 Moving IRC network reference to OFTC
Change-Id: I85e4074b867e050f0d36dcec94fb719e3a6c3deb
2021-07-08 18:30:11 -05:00
src Add impish to metadata.yaml 2021-06-03 11:02:50 +02:00
unit_tests Stop to use the __future__ module. 2020-06-02 19:37:04 +02:00
.gitignore Ensure that venv is used 2017-11-17 10:33:04 +00:00
.gitreview OpenDev Migration Patch 2019-04-19 19:33:02 +00:00
.stestr.conf Replace ostestr with stestr in testing framework. 2019-03-07 17:01:04 -05:00
.zuul.yaml [ussuri][goal] Updates for python 2.7 drop 2020-03-25 08:42:01 +00:00
LICENSE Charm with unit tests 2016-07-12 16:53:46 +00:00
README.md Moving IRC network reference to OFTC 2021-07-08 18:30:11 -05:00
rebuild Rebuild with udpated charm-tools 2.8.2 2021-02-01 14:06:54 -08:00
requirements.txt Updates to pin charm-tools to 2.8.3 2021-02-18 14:42:16 +00:00
test-requirements.txt Updates to flip all libraries back to master 2021-05-04 09:41:58 +01:00
tox.ini 21.04 libraries freeze for charms on master branch 2021-04-03 20:20:43 +01:00

README.md

Barbican SoftHSM2 Plugin

WARNING: DO NOT USE OR CONTRIBUTE. THIS CHARM IS DEPRECATED.

This charm exists to provide an example back-end for Barbican, for the purpose of test and reference. It is not intended for production use in any case.

Barbican + SoftHSM2 + OpenSSL < 1.0.2h is broken

This charm cannot be used at present as Barbican expects a mechanism in the PKCS#11 library that SoftHSM2 + OpenSSL < 1.0.2h does not support.

However, this charm can still be used as a basis for implementing actual hardward HSM charms, along with the interface-barbican-hsm interface.

Barbican is a REST API designed for the secure storage, provisioning and management of secrets. It is aimed at being useful for all environments, including large ephemeral Clouds. (see Barbican Charm for details on Barbican)

The Barbican SoftHSM2 Plugin is EXPERIMENTAL and not for use in Production Systems. It is intended to provide a example on how to plug an HSM into Barbican.

In particular, the SoftHSM2 plugin charm (as a subordinate) implements the barbican-hsm interface which transfers the credentials to the Barbican charm to be able to access the HSM.

From the GitHub page:

OpenDNSSEC handles and stores its cryptographic keys via the PKCS#11 interface. This interface specifies how to communicate with cryptographic devices such as HSM:s (Hardware Security Modules) and smart cards. The purpose of these devices is, among others, to generate cryptographic keys and sign information without revealing private-key material to the outside world. They are often designed to perform well on these specific tasks compared to ordinary processes in a normal computer.

A potential problem with the use of the PKCS#11 interface is that it might limit the wide spread use of OpenDNSSEC, since a potential user might not be willing to invest in a new hardware device. To counter this effect, OpenDNSSEC is providing a software implementation of a generic cryptographic device with a PKCS#11 interface, the SoftHSM. SoftHSM is designed to meet the requirements of OpenDNSSEC, but can also work together with other cryptographic products because of the PKCS#11 interface.

If you have a technical question about this Charm, you can send an email to the OpenStack General mailing list at openstack@lists.openstack.org with the prefix [barbican] in the subject, or ask in the #openstack-charms on OFTC..

To file a bug, use our bug tracker on Launchpad.

How it works

Barbican communicates with HSM devices via a local (to Barbican) PKCS11 library. Thus an HSM plugin needs to be local to the unit that a Barbican is installed on, and so a plugin charm is subordinate to the Barbican charm. A plugin provides the barbican-hsm interface that provides sufficient details to the Barbican charm to be able to configure barbican to access the HSM's PKCS11 libary.

The barbican-hsm interface transfers login, slot_id and library_path parameters to the Barbican charm, which uses them to configure Barbican to access the PKCS11 compliant library of the HSM.

Barbican assumes that the slot & token are configured and that with the login (or pin) that Barbican will be able to access the token to store keys, etc. In this case of softhsm2, this charm initialises the token, creates the login and provides those details across the relation.