On Tue, Apr 08, 2025 at 05:09:23PM +0100, Christopher Staite wrote:
> Hi,
>
> Please see attached an early draft PKCS#11 module for consideration. I’ve
> tested this with the Google CloudHSM PKCS#11 module and it functions as one
> would expect. The key management is identical to that of using the latchset
> PKCS#11 provider/engine for OpenSSL
> (https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#pkcs11-provider).
>
> Currently the patch has holes within it (mostly testing), but it should be
> good for early feedback on the design and whether this is something that
> would be appropriate to merge into HAProxy.
>
> The implementation currently only functions with BoringSSL and AWS-LC and is
> behind the build option USE_PKCS11=1.
>
> It would be fairly easy to extend the implementation to call the functions
> within OpenSSL to register a provider/engine and provide a unified interface.
> I’m not entirely sure, but I believe that the latchset implementation is
> blocking and therefore will stall the HAProxy event threads.
>
> Thanks, Chris.
Hello Christopher,

Thanks for your contribution, this will take some time to review and test. I'm currently busy with finishing things for the 3.2 release and I'll come back to you after that.

Regards,

--
William Lallemand