[spec] PKCS#11 Mechanism List
Change-Id: I35370fe3d442a4f8660e5f6ef6eeb2f486861abf
This commit is contained in:
Douglas Mendizábal
parent
e4f47c6e05
commit
037746f8c7
|
|
@ -0,0 +1,131 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
======================
|
||||
PKCS#11 Mechanism List
|
||||
======================
|
||||
|
||||
https://blueprints.launchpad.net/barbican/+spec/pkcs11-mechanism-list
|
||||
|
||||
To help with PKCS#11 backend configuration, barbican-manage cli tool should
|
||||
provide a command to list all mechanisms available in the PKCS#11 device that
|
||||
can be used in Barbican.
|
||||
|
||||
Problem Description
|
||||
===================
|
||||
|
||||
The PKCS#11 plugin backend allows for the configuration of the encryption and
|
||||
hmac algorithms that will be used by specifying the PKCS#11 mechanism to be
|
||||
used.
|
||||
|
||||
Currently, there is no standard way of figuring out what mechanisms are
|
||||
supported by the device since each vendor will have different documentation
|
||||
and/or tools to find this information
|
||||
|
||||
Proposed Change
|
||||
===============
|
||||
|
||||
The PKCS#11 standard does provide a method to list mechanisms. A new command
|
||||
will be added to barbican-manage to use this method to list the mechanisms
|
||||
available in the configured PKCS#11 device (e.g. HSM).
|
||||
|
||||
barbican-manage hsm mechanism_list
|
||||
|
||||
This command output will list mechanisms that are both a) available in the
|
||||
device and b) supported by Barbican. For example, the tool would output both
|
||||
CKM_AES_CBC and CKM_AES_GCM for devices that support both, but no additional
|
||||
mechanisms that are supported by the device but not Barbican.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications & Audit Impact
|
||||
----------------------------
|
||||
|
||||
N/A
|
||||
|
||||
Python and Command Line Client Impact
|
||||
-------------------------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance Impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Douglas Mendizábal <dmendiza@redhat.com>
|
||||
|
||||
Other contributors:
|
||||
TBD
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
* Implement C_GetMechanismList in pkcs11 module
|
||||
* Use pkcs11 module implementation for C_GetMechanismList in the
|
||||
barbican-manage cli to retrieve mechanisms from the HSM and compare that
|
||||
list to the mechanisms supported by Barbican.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Functional testing can be done with SoftHSM
|
||||
|
||||
Documentation Impact
|
||||
====================
|
||||
|
||||
This new command will be documented in the pluging backend configuration
|
||||
section of the docsd.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
||||
Loading…
Reference in New Issue