Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Per best practice don't permit PKCS#11 private keys to be modified (fixes #1018). #1020

Merged
merged 8 commits into from
Apr 12, 2023
Merged

Per best practice don't permit PKCS#11 private keys to be modified (fixes #1018). #1020

merged 8 commits into from
Apr 12, 2023

Conversation

ximon18
Copy link
Member

@ximon18 ximon18 commented Feb 28, 2023
edited

(This description has been updated following re-work of the PR as described in the comments below)

This PR adds krill.conf configuration settings that give operators control (per #1018) over some of the PKCS#11 attributes set on new public and private keys that Krill creates, rather than assume in Krill that we know what the best defaults / hard-coded values are.

The existing default behaviour is preserved for backward compatibility, i.e. these new settings do nothing if not used.

@ximon18 ximon18 marked this pull request as ready for review February 28, 2023 15:43
@ximon18 ximon18 requested a review from timbru February 28, 2023 15:43
@ximon18 ximon18 added enhancement New feature or request hsm Relates to adding HSM support to Krill labels Feb 28, 2023
@timbru timbru added this to In progress in Krill 0.13.x via automation Mar 8, 2023
@ximon18 ximon18 linked an issue Mar 8, 2023 that may be closed by this pull request
Mark PKCS#11 private keys as unmodifiable #1018
Open
@ximon18 ximon18 marked this pull request as draft March 21, 2023 14:13
@ximon18
Copy link
Member Author

ximon18 commented Mar 21, 2023

Per the discussion on #1018 I'll re-work this PR to give operators control over key attributes rather than assume in Krill that we know what the best defaults / hard-coded values are.

@ximon18 ximon18 marked this pull request as ready for review April 4, 2023 18:42
@ximon18 ximon18 mentioned this pull request Apr 4, 2023
Open
timbru
timbru approved these changes Apr 12, 2023
View reviewed changes
Copy link
Contributor

@timbru timbru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks!

Krill 0.13.x automation moved this from In progress to Reviewer approved Apr 12, 2023
@ximon18 ximon18 merged commit 3a5a120 into prep-0.13.0 Apr 12, 2023
Krill 0.13.x automation moved this from Reviewer approved to Done Apr 12, 2023
@ximon18 ximon18 mentioned this pull request Apr 14, 2023
Merged
@ximon18
Copy link
Member Author

ximon18 commented Apr 14, 2023

@timbru: I think these new settings also need mentioning in the HSM part of the Krill manual, but I haven't done that yet.

@timbru timbru deleted the 1018-mark-pkcs11-private-keys-as-unmodifiable branch April 24, 2023 12:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timbru timbru timbru approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request hsm Relates to adding HSM support to Krill
Projects
No open projects
Krill 0.13.x
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Mark PKCS#11 private keys as unmodifiable
2 participants
@ximon18 @timbru