Hi,

Please see attached an early draft PKCS#11 module for consideration. I've tested this with the Google CloudHSM PKCS#11 module and it functions as one would expect. The key management is identical to that of using the latchset PKCS#11 provider/engine for OpenSSL (https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#pkcs11-provider).

Currently the patch has holes within it (mostly testing), but it should be good for early feedback on the design and whether this is something that would be appropriate to merge into HAProxy.

The implementation currently only functions with BoringSSL and AWS-LC and is behind the build option USE_PKCS11=1. It would be fairly easy to extend the implementation to call the functions within OpenSSL to register a provider/engine and provide a unified interface.

I'm not entirely sure, but I believe that the latchset implementation is blocking and therefore will stall the HAProxy event threads.

Thanks,
Chris.
Attachment: pkcs11.patch