Skip to content

Commit

Permalink
backport of commit 3026f87 (hashicorp#19801)
Browse files Browse the repository at this point in the history 
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
  • Loading branch information
@hc-github-team-secure-vault-core @victorr
hc-github-team-secure-vault-core and victorr committed Mar 28, 2023
1 parent 4be90be commit 0dfb8df
Showing 1 changed file with 147 additions and 34 deletions.
181 changes: 147 additions & 34 deletions website/content/docs/enterprise/pkcs11-provider/index.mdx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -212,58 +212,168 @@ The Vault PKCS#11 provider implements the following PKCS#11 provider profiles:
- [Baseline](http://docs.oasis-open.org/pkcs11/pkcs11-profiles/v2.40/os/pkcs11-profiles-v2.40-os.html#_Toc416960548)
- [Extended](http://docs.oasis-open.org/pkcs11/pkcs11-profiles/v2.40/os/pkcs11-profiles-v2.40-os.html#_Toc416960554)
The following mechanisms are currently supported, as of Vault 1.12:
The following key genration mechanisms are currently supported:
| Name | Mechanism Number |Provider Version|Vault Version|
| ------------------ | ---------------- |----------------|-------------|
| RSA-PKCS | `0x0000` | 0.2.0 | 1.13 |
| AES key generation | `0x1080` | 0.1.0 | 1.12 |
The following encryption mechanisms are currently supported:
| Name | Mechanism Number |Provider Version|Vault Version|
| ------------------ | ---------------- |----------------|-------------|
| RSA-PKCS | `0x0001` | 0.2.0 | 1.13 |
| RSA-PKCS-OAEP | `0x0009` | 0.2.0 | 1.13 |
| AES-ECB | `0x1081` | 0.2.0 | 1.13 |
| AES-CBC | `0x1082` | 0.1.0 | 1.12 |
| AES-CBC Pad | `0x1085` | 0.1.0 | 1.12 |
| AES-CTR | `0x1086` | 0.1.0 | 1.12 |
| AES-GCM | `0x1087` | 0.1.0 | 1.12 |
| AES-OFB | `0x2104` | 0.2.0 | 1.13 |
| AES-CFB128 | `0x2107` | 0.2.0 | 1.13 |
The following signing mechanisms are currently supported:
| Name | Mechanism Number |Provider Version|Vault Version|
| ------------------ | ---------------- |----------------|-------------|
| RSA-PKCS | `0x0001` | 0.2.0 | 1.13 |
| SHA256-RSA-PKCS | `0x0040` | 0.2.0 | 1.13 |
| SHA384-RSA-PKCS | `0x0041` | 0.2.0 | 1.13 |
| SHA512-RSA-PKCS | `0x0042` | 0.2.0 | 1.13 |
| SHA224-RSA-PKCS | `0x0046` | 0.2.0 | 1.13 |
| SHA512-224-HMAC | `0x0049` | 0.2.0 | 1.13 |
| SHA512-256-HMAC | `0x004D` | 0.2.0 | 1.13 |
| SHA256-HMAC | `0x0251` | 0.2.0 | 1.13 |
| SHA224-HMAC | `0x0256` | 0.2.0 | 1.13 |
| SHA384-HMAC | `0x0261` | 0.2.0 | 1.13 |
| SHA512-HMAC | `0x0271` | 0.2.0 | 1.13 |
<Tabs>
<Tab heading="Supported PKCS#11 Functions (version 0.2)">
Here is the list of supported and unsupported PKCS#11 functions:
| Name | Mechanism Number |
| ------------------ | ---------------- |
| AES key generation | `0x1080` |
| AES-CBC | `0x1082` |
| AES-CBC Pad | `0x1085` |
| AES-CTR | `0x1086` |
| AES-GCM | `0x1087` |
- Encryption and decryption
- [X] `C_EncryptInit`
- [X] `C_Encrypt`
- [X] `C_EncryptUpdate`
- [X] `C_EncryptFinal`
- [X] `C_DecryptInit`
- [X] `C_Decrypt`
- [X] `C_DecryptUpdate`
- [X] `C_DecryptFinal`
- Key management
- [X] `C_GenerateKey`
- [X] `C_GenerateKeyPair`
- [ ] `C_WrapKey`
- [ ] `C_UnwrapKey`
- [ ] `C_DeriveKey`
- Objects
- [X] `C_CreateObject`
- [X] `C_DestroyObject`
- [X] `C_GetAttributeValue`
- [X] `C_FindObjectsInit`
- [X] `C_FindObjects`
- [X] `C_FindObjectsFinal`
- [ ] `C_SetAttributeValue`
- [ ] `C_CopyObject`
- [ ] `C_GetObjectSize`
- Management
- [X] `C_Initialize`
- [X] `C_Finalize`
- [X] `C_Login` (PIN is used as a passphrase for the TLS encryption key, if provided)
- [X] `C_Logout`
- [X] `C_GetInfo`
- [X] `C_GetSlotList`
- [X] `C_GetSlotInfo`
- [X] `C_GetTokenInfo`
- [X] `C_GetMechanismList`
- [X] `C_GetMechanismInfo`
- [X] `C_OpenSession`
- [X] `C_CloseSession`
- [X] `C_CloseAllSessions`
- [X] `C_GetSessionInfo`
- [ ] `C_InitToken`
- [ ] `C_InitPIN`
- [ ] `C_SetPIN`
- [ ] `C_GetOperationState`
- [ ] `C_SetOperationState`
- [ ] `C_GetFunctionStatus`
- [ ] `C_CancelFunction`
- [ ] `C_WaitForSlotEvent`
- Signing
- [X] `C_SignInit`
- [X] `C_Sign`
- [X] `C_SignUpdate`
- [X] `C_SignFinal`
- [ ] `C_SignRecoverInit`
- [ ] `C_SignRecover`
- [X] `C_VerifyInit`
- [X] `C_Verify`
- [X] `C_VerifyUpdate`
- [X] `C_VerifyFinal`
- [ ] `C_VerifyRecoverInit`
- [ ] `C_VerifyRecover`
- Digests
- [ ] `C_DigestInit`
- [ ] `C_Digest`
- [ ] `C_DigestUpdate`
- [ ] `C_DigestKey`
- [ ] `C_DigestFinal`
- [ ] `C_DigestEncryptUpdate`
- [ ] `C_DecryptDigestUpdate`
- [ ] `C_SignEncryptUpdate`
- [ ] `C_DecryptVerifyUpdate`
- Random Number Generation (see note below)
- [X] `C_SeedRandom`
- [X] `C_GenerateRandom`
</Tab>
<Tab heading="Supported PKCS#11 Functions (version 0.1)">
Here is the list of supported and unsupported PKCS#11 functions:
- Encryption and decryption
- [x] `C_EncryptInit`
- [x] `C_Encrypt`
- [X] `C_EncryptInit`
- [X] `C_Encrypt`
- [ ] `C_EncryptUpdate`
- [ ] `C_EncryptFinal`
- [x] `C_DecryptInit`
- [x] `C_Decrypt`
- [X] `C_DecryptInit`
- [X] `C_Decrypt`
- [ ] `C_DecryptUpdate`
- [ ] `C_DecryptFinal`
- Key management
- [x] `C_GenerateKey`
- [X] `C_GenerateKey`
- [ ] `C_GenerateKeyPair`
- [ ] `C_WrapKey`
- [ ] `C_UnwrapKey`
- [ ] `C_DeriveKey`
- Objects
- [x] `C_CreateObject`
- [x] `C_DestroyObject`
- [x] `C_GetAttributeValue`
- [x] `C_FindObjectsInit`
- [x] `C_FindObjects`
- [x] `C_FindObjectsFinal`
- [X] `C_CreateObject`
- [X] `C_DestroyObject`
- [X] `C_GetAttributeValue`
- [X] `C_FindObjectsInit`
- [X] `C_FindObjects`
- [X] `C_FindObjectsFinal`
- [ ] `C_SetAttributeValue`
- [ ] `C_CopyObject`
- [ ] `C_GetObjectSize`
- Management
- [x] `C_Initialize`
- [x] `C_Finalize`
- [x] `C_Login` (PIN is used as a passphrase for the TLS encryption key, if provided)
- [x] `C_Logout`
- [x] `C_GetInfo`
- [x] `C_GetSlotList`
- [x] `C_GetSlotInfo`
- [x] `C_GetTokenInfo`
- [x] `C_GetMechanismList`
- [x] `C_GetMechanismInfo`
- [x] `C_OpenSession`
- [x] `C_CloseSession`
- [x] `C_CloseAllSessions`
- [x] `C_GetSessionInfo`
- [X] `C_Initialize`
- [X] `C_Finalize`
- [X] `C_Login` (PIN is used as a passphrase for the TLS encryption key, if provided)
- [X] `C_Logout`
- [X] `C_GetInfo`
- [X] `C_GetSlotList`
- [X] `C_GetSlotInfo`
- [X] `C_GetTokenInfo`
- [X] `C_GetMechanismList`
- [X] `C_GetMechanismInfo`
- [X] `C_OpenSession`
- [X] `C_CloseSession`
- [X] `C_CloseAllSessions`
- [X] `C_GetSessionInfo`
- [ ] `C_InitToken`
- [ ] `C_InitPIN`
- [ ] `C_SetPIN`
Expand Down Expand Up @@ -299,6 +409,9 @@ Here is the list of supported and unsupported PKCS#11 functions:
- [X] `C_SeedRandom`
- [X] `C_GenerateRandom`
</Tab>
</Tabs>
## Limitations and Notes
Due to the nature of Vault, the KMIP Secrets Engine, and PKCS#11, there are some other limitations to be aware of:
Expand All @@ -310,4 +423,4 @@ Due to the nature of Vault, the KMIP Secrets Engine, and PKCS#11, there are some
Multiple sessions can be safely used simultaneously though, and a single Vault server node has been tested as supporting thousands of ongoing sessions.
- The object attribute cache is valid only for a single object per session, and will be cleared when another object's attributes are queried.
- The random number generator function, `C_GenerateRandom`, is currently implemented in software in the library by calling out to Go's [`crypto/rand`](https://pkg.go.dev/crypto/rand) package,
and does **not** call Vault.
and does **not** call Vault.

0 comments on commit 0dfb8df

Please sign in to comment.