Open
Conversation
Manuthor
force-pushed
the
fix/improve_tde
branch
from
5c21bf0 to
35b4d58
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Features
PKCS#11
cosmian_pkcs11_verifydiagnostic binary (crate/clients/pkcs11/loader) that dynamically loadslibcosmian_pkcs11.sovialibloadingand validatesckms.tomlloading and KMS server reachability through the standard PKCS#11 C API (C_GetFunctionList→C_Initialize→C_GetSlotList→C_OpenSession→C_FindObjectsper class →C_Finalize)cosmian_pkcs11deb/rpm packaging with a signed cross-platform ZIP archive (cosmian-pkcs11-<variant>-<link-suffix>_<version>_<os>-<arch>.zip) containinglibcosmian_pkcs11.{so,dylib},cosmian_pkcs11_verify, and the public signing key; ZIP is built by.github/scripts/package/package_pkcs11_zip.sh, signed with GPG, and published topackage.cosmian.comvia thepkcs11-zippackage type in the CI matrixcosmian_pkcs11_verify: passing--token <JWT>causes aC_Login(CKU_USER, pin=<JWT>)call afterC_OpenSession, enabling verification of KMS servers configured withpkcs11_use_pin_as_access_token = true; the token may also be supplied via theCOSMIAN_PKCS11_TOKENenvironment variableCKF_WRITE_PROTECTEDfrom the token info flags inC_GetTokenInfo(Oracle checks this flag before callingC_GenerateKeyduringADMINISTER KEY MANAGEMENT SET ENCRYPTION KEY … MIGRATE); addCKM_AES_KEY_GEN,CKM_AES_CBC,CKM_AES_CBC_PADto the supported mechanism list; return correct flags inC_GetMechanismInfo(CKF_GENERATEforCKM_AES_KEY_GEN,CKF_ENCRYPT | CKF_DECRYPTfor AES-CBC variants)