A KMIP to PKCS#11 Relay


Warning

This project is at an experimental stage and is very much a work-in-progress. It should not be used in production deployments at this time. Furthermore, the functionality and interfaces offered should be considered unstable.

This Rust application accepts KMIP requests, converts them to PKCS#11 format and executes them against a loaded PKCS#11 library.

Installing or building

As the KMIP to PKCS#11 relay (cascade-hsm-bridge) is currently only intended for use with Cascade, please refer to the installation or building instructions of Cascade here.

Use Cases

Shielding Cascade against an untrusted PKCS#11 library (intended use case)

The use case for which this application is primarily being developed is to enable Cascade to make use of a Hardware Security Module (HSM) via a PKCS#11 interface without having to load an untrusted 3rd party PKCS#11 library into its process.

This is particularly important for a Rust application, because PKCS#11 is a foreign function interface beyond which the Rust compiler cannot see: the code on the other side of that interface is likely not protected by the guarantees provided by the Rust compiler.

A fatal error in the PKCS#11 library may not be a reason to exit the parent application; whether exiting is appropriate is highly dependent on the purpose of that application. Any STDOUT and STDERR output produced by the PKCS#11 library may also become mixed with output from the application itself, which can be confusing.

Other use cases

This project could potentially act as the basis for a general purpose KMIP to PKCS#11 relay. However, at present and for the foreseeable future we plan only to implement the tiny fraction of the KMIP specification needed by the Cascade project, and the only KMIP client that will be tested against will be Cascade.

Technical foundations

This application is possible thanks to the following foundational Rust crates on which it builds:

Supported protocols

This application currently only supports a subset of KMIP 1.2 via the TCP+TLS+TTLV transport. There is no support for the HTTPS+XML or HTTPS+JSON transports defined by the KMIP profiles specification.

The loaded PKCS#11 module should conform to the PKCS#11 v2.40 specification.

Supported operations

| KMIP Operation | PKCS#11 Function | Limitations |
|---|---|---|
| Activate | N/A | Returns with success as PKCS#11 has no notion of object activation. |
| Create Key Pair | C_GenerateKeyPair | Only supports RSA and ECDSA at present. |
| Discover Versions | N/A | |
| Get | C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal & C_GetAttributeValue | |
| Modify Attribute | C_SetAttributeValue | |
| Query | C_GetSlotInfo, C_GetTokenInfo | |
| Sign | C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal, C_SignInit, C_Sign & C_SignFinal | |
| N/A | C_GetFunctionList, C_GetInfo, C_Initialize | |
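
As an added illustration (not code from cascade-hsm-bridge or Cascade), the Rust below shows how a relay that accepts only a subset of KMIP over TTLV could bounds-check an incoming message and refuse any operation outside the table above before anything reaches the PKCS#11 library. The tag, item type and Operation values are taken from the KMIP specification; the function names and the sample message are constructed for this example.

```rust
// Added example, not cascade-hsm-bridge code; all names here are hypothetical.
const STRUCTURE: u8 = 0x01; // KMIP item type: Structure
const ENUMERATION: u8 = 0x05; // KMIP item type: Enumeration
const TAG_OPERATION: u32 = 0x42005C; // KMIP tag: Operation

fn supported(op: u32) -> bool {
    // Create Key Pair, Get, Modify Attribute, Activate, Query, Discover Versions, Sign
    matches!(op, 0x02 | 0x0A | 0x0E | 0x12 | 0x18 | 0x1E | 0x21)
}

/// Collect every Operation value in `buf`. A TTLV item is a 3-byte tag, 1-byte
/// type, 4-byte big-endian length, then the value zero-padded to 8 bytes.
fn operations(buf: &[u8], depth: u8, out: &mut Vec<u32>) -> Result<(), &'static str> {
    if depth > 8 { return Err("nesting too deep"); } // bound recursion on hostile input
    let mut pos = 0;
    while pos < buf.len() {
        let hdr = buf.get(pos..pos + 8).ok_or("truncated header")?;
        let tag = u32::from_be_bytes([0, hdr[0], hdr[1], hdr[2]]);
        let len = u32::from_be_bytes([hdr[4], hdr[5], hdr[6], hdr[7]]) as usize;
        let end = (pos + 8).saturating_add(len.saturating_add(7) & !7);
        let val = buf.get(pos + 8..end).ok_or("length exceeds buffer")?;
        match hdr[3] {
            STRUCTURE => operations(&val[..len], depth + 1, out)?,
            ENUMERATION if len != 4 => return Err("bad enumeration length"),
            ENUMERATION if tag == TAG_OPERATION =>
                out.push(u32::from_be_bytes([val[0], val[1], val[2], val[3]])),
            _ => {}
        }
        pos = end;
    }
    Ok(())
}

/// Accept a request only if every operation it carries is in the supported set.
fn check_request(msg: &[u8]) -> Result<Vec<u32>, &'static str> {
    let mut ops = Vec::new();
    operations(msg, 0, &mut ops)?;
    let ok = !ops.is_empty() && ops.iter().all(|&op| supported(op));
    if ok { Ok(ops) } else { Err("missing or unsupported operation") }
}

/// Constructed sample: Request Message > Batch Item > Operation = `op`.
fn sample(op: u8) -> Vec<u8> {
    vec![0x42, 0x00, 0x78, 0x01, 0, 0, 0, 0x18, 0x42, 0x00, 0x0F, 0x01, 0, 0, 0, 0x10,
         0x42, 0x00, 0x5C, 0x05, 0, 0, 0, 0x04, 0, 0, 0, op, 0, 0, 0, 0]
}

fn main() {
    println!("{:?} {:?}", check_request(&sample(0x21)), check_request(&sample(0x14)));
}
```

Here `0x21` is Sign, which the table lists, and `0x14` is Destroy, which it does not, so the first request is accepted and the second is refused.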