Conversation

Jakuje
Collaborator

@Jakuje Jakuje commented Aug 18, 2025

PKCS#11 3.2 introduces a way to query the session for the validation flags of the last operation. This is done with the new API C_GetSessionValidationFlags, which is now also exposed to the users of this crate.

It also defines a new attribute specifying whether the given object matches the requirements for the validation.

Last but not least, there is a new validation object exposing information about the validation itself.

There is currently almost no coverage for these, as this is implemented only by kryoptic (as far as I know) and not enabled in the default build we are using in CI.

Opening as draft as it depends on some fixes in kryoptic (latchset/kryoptic#315) as well as being based on other code changes here (#304).

Collaborator

@wiktor-k wiktor-k left a comment


Looks good. I left the same nits as in other PRs, so... please bear with me 😅

@Jakuje Jakuje force-pushed the pkcs11-3.2-validation branch 3 times, most recently from c4eba0f to dce5711 Compare September 12, 2025 09:46
@Jakuje Jakuje force-pushed the pkcs11-3.2-validation branch 3 times, most recently from 9080717 to a5db2de Compare September 19, 2025 14:10
@Jakuje Jakuje marked this pull request as ready for review September 19, 2025 14:21
hug-dev previously approved these changes Oct 2, 2025
Member

@hug-dev hug-dev left a comment


Thank you!

@@ -0,0 +1,137 @@
---
name: Test kryoptic FIPS module
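Review bot: a short comment at the top of this new workflow file documenting why it lives separately from the main ci.yml and why it is not yet a required check (as discussed in this thread: it depends on FIPS kryoptic, which is not in the default CI build, and its stability is still to be proven) would help future maintainers decide when to fold it into the required set.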
Member


Shall I add it to the required workflow to pass for a PR?

Collaborator


I think this can now be done using the "Check if all checks succeeded (pull_request)" job; thus, Jakub can adjust it himself.

Collaborator Author


I am not sure whether it would need to be in the same workflow file, though, to be usable in the "check if all checks succeeded" job. Given how large this workflow is, I did not want to mess up the main ci.yml with it for now.

I hope this job will be stable, but I would rather keep it non-mandatory for some time and add it to the required jobs only after we have seen it work as expected, to avoid working around some required jobs.

@Jakuje Jakuje force-pushed the pkcs11-3.2-validation branch 2 times, most recently from b5e82e5 to 90b7ad9 Compare October 2, 2025 09:50
hug-dev previously approved these changes Oct 2, 2025
@hug-dev hug-dev requested a review from wiktor-k October 16, 2025 08:22
@wiktor-k wiktor-k enabled auto-merge October 16, 2025 09:10
Collaborator

@wiktor-k wiktor-k left a comment


I think it looks very nice 👌 Just a couple of clarifying questions... if you don't mind 😅

Collaborator

@wiktor-k wiktor-k left a comment


LGTM 👍 thanks!

@wiktor-k wiktor-k merged commit f137d48 into parallaxsecond:main Oct 16, 2025
43 of 44 checks passed
Collaborator Author

Jakuje commented Oct 16, 2025

Thanks! That was fast. Let's hope the CI with FIPS kryoptic will work :) Otherwise expect a follow-up PR :)

Collaborator Author

Jakuje commented Oct 16, 2025

    derive_key_concatenation_key_and_data
    derive_key_concatenation_two_keys
    derive_key_extract_from_key
    derive_key_xor_key_and_data

Oh, I see these are the new tests that are fixed in main, but not in kryoptic. Should be fixed with #318
