
cli: symmetric encryption provider support

Open bgermann opened this issue 3 years ago • 10 comments

Please add provider support for the "botan encryption" command and implement the needed AES operations with PKCS#11. I could not find any command line tool that I can use for that. OpenSSL's PKCS#11 engine does not support AES either.

Sep 19 '20 21:09 bgermann

This would be nice to have. I don't have a ton of free time right now but would be happy to accept patches for this.

Actually though I think our current PKCS11 wrapper doesn't support symmetric algorithms? @neusdan can you confirm this is the case? If so how hard would it be to add AES etc to the wrapper?

Sep 19 '20 23:09 randombit

Yes, that's correct. There is no support for symmetric algorithms in the PKCS11 wrapper at the moment.

Haven't used PKCS#11 with symmetric algorithms to date, but I think the addition to the PKCS#11 wrapper itself should be quite easy and straightforward. I think the harder part will be the integration with the existing symmetric algorithm interfaces. For example, SymmetricAlgorithm::set_key() takes a SymmetricKey which is (at the moment) declared final.

Sep 28 '20 09:09 neusdan

Hi, may I look into this issue?

Dec 01 '20 03:12 prashanttholia

@prashanttholia Absolutely. If you have questions etc., feel free to open an issue or leave them here.

Dec 01 '20 11:12 randombit

Thanks @randombit. I'll surely ask questions when I have any doubts or concerns.

Dec 02 '20 11:12 prashanttholia

Hi @randombit, I'm extremely apologetic for my disappearance from the thread. I would still like to contribute to the issue. I assure you that it will not be a repeat behavior. May I still make a contribution?

Jan 06 '21 21:01 prashanttholia

@prashanttholia of course

Jan 07 '21 16:01 randombit

Thanks a lot, @randombit! I'll post an update soon.

Jan 09 '21 00:01 prashanttholia

@randombit @neusdan, I have a few doubts/queries. I request you to advise me on them -

  1. How to derive from SymmetricKey class for use in PKCS11 wrapper's secret key class? Will wrapping the SymmetricKey class inside the PKCS11 wrapper be a good solution?
  2. How to provide PKCS11 module path so as to be able to use it through "botan encryption" command?
  3. I'm using SoftHSM2 as the HSM module. I understand it itself uses botan. I thought it may not be an issue. Please let me know if I should be using some other alternative.

Thanks.

Jan 11 '21 21:01 prashanttholia

Related: OpenSC's pkcs11-tool has a proposed implementation now: https://github.com/OpenSC/OpenSC/pull/2268

Sep 13 '21 13:09 bgermann

... which just arrived in a release candidate.

Oct 11 '22 12:10 bgermann