@Jakuje Jakuje commented Aug 18, 2025

PKCS#11 3.2 introduces a way to query the session for the validation flags of the last operation. This is done with the new API `C_GetSessionValidationFlags`, which is now also being exposed to the users of this crate.

It also defines a new attribute specifying whether the given object matches the requirements for the validation.

Last but not least, there is a new validation object exposing information about the validation itself.

There is currently almost no coverage for these, as this is implemented only by kryoptic (as far as I know) and not enabled in the default build we are using in CI.

Opening as draft as it depends on some fixes in kryoptic (latchset/kryoptic#315), and it is also based on other code changes here (#304).

@wiktor-k wiktor-k left a comment

Looks good. I left the same nits as in other PRs so... please bear with me 😅

@Jakuje Jakuje force-pushed the pkcs11-3.2-validation branch 3 times, most recently from c4eba0f to dce5711 Compare September 12, 2025 09:46
@Jakuje Jakuje force-pushed the pkcs11-3.2-validation branch 3 times, most recently from 9080717 to a5db2de Compare September 19, 2025 14:10
@Jakuje Jakuje marked this pull request as ready for review September 19, 2025 14:21
hug-dev previously approved these changes Oct 2, 2025
@hug-dev hug-dev left a comment

Thank you!

@@ -0,0 +1,137 @@
---
name: Test kryoptic FIPS module

Member

Shall I add it to the required workflow to pass for a PR?

Collaborator

I think now this can be done using the "Check if all checks succeeded (pull_request)" job, thus, Jakub can adjust it himself.

Collaborator Author

I am not sure if it would not need to be in the same workflow file, though, to be usable in the "check if all checks succeeded". Given how large this workflow is, I did not want to mess up the main ci.yml with it for now.

I hope this job will be stable, but I would rather keep it non-mandatory for some time and add it to the required ones only after we have seen that it works as expected, to avoid working around some required jobs.

@Jakuje Jakuje force-pushed the pkcs11-3.2-validation branch from b5e82e5 to 90b7ad9 Compare October 2, 2025 09:50