Member

@Bravo555 Bravo555 commented May 19, 2025

TODO

  • tests
  • impl

Proposed changes

Currently we support only EC keys using curve SECP256R1, as during initial development we confirmed that C8y, Azure and AWS all offered ecdsa_secp256r1_sha256 sigscheme. However, if that ever changes, or if a user simply wishes to use a bigger key, it is impossible to connect. Therefore we should support the other sizes of EC keys.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue


Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments
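The constraint described in the proposed changes, as an added example (not thin-edge code and not part of the original post): an EC key's curve determines the single TLS 1.3 ECDSA signature scheme it can sign with, so a larger key only works once that curve is mapped and the peer offers the matching scheme. The names `EcdsaScheme`, `scheme_for_ec_params` and `choose_scheme` are hypothetical, and the key is assumed to expose its curve as a named-curve OID in `CKA_EC_PARAMS`.

```rust
// Added example, not thin-edge code. Type and function names are hypothetical.

/// TLS 1.3 ECDSA signature schemes (RFC 8446 code points).
/// In TLS 1.3 each scheme fixes both the curve and the hash.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum EcdsaScheme {
    Secp256r1Sha256 = 0x0403,
    Secp384r1Sha384 = 0x0503,
    Secp521r1Sha512 = 0x0603,
}

// DER encodings of the named-curve OIDs, as stored in CKA_EC_PARAMS.
const P256_OID: &[u8] = &[0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07];
const P384_OID: &[u8] = &[0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22];
const P521_OID: &[u8] = &[0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23];

/// Map a key's CKA_EC_PARAMS value to the only scheme it can sign with.
/// Assumption: the token stores a named-curve OID, not explicit parameters.
pub fn scheme_for_ec_params(der: &[u8]) -> Option<EcdsaScheme> {
    if der == P256_OID {
        Some(EcdsaScheme::Secp256r1Sha256)
    } else if der == P384_OID {
        Some(EcdsaScheme::Secp384r1Sha384)
    } else if der == P521_OID {
        Some(EcdsaScheme::Secp521r1Sha512)
    } else {
        None
    }
}

/// The key dictates the scheme; the peer must have offered it.
pub fn choose_scheme(ec_params: &[u8], offered: &[u16]) -> Result<EcdsaScheme, String> {
    let scheme = scheme_for_ec_params(ec_params)
        .ok_or_else(|| String::from("unsupported curve in CKA_EC_PARAMS"))?;
    if offered.contains(&(scheme as u16)) {
        Ok(scheme)
    } else {
        Err(format!("peer did not offer {:?} (0x{:04x})", scheme, scheme as u16))
    }
}

fn main() {
    // Constructed input: a P-384 key against a peer offering only the P-256 scheme,
    // then against a peer that also offers the P-384 scheme.
    println!("{:?}", choose_scheme(P384_OID, &[0x0403]));
    println!("{:?}", choose_scheme(P384_OID, &[0x0403, 0x0503]));
}
```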

@Bravo555 Bravo555 self-assigned this May 19, 2025
@Bravo555 Bravo555 added theme:security Theme: Security related topics theme:hsm Hardware Security Module related topics labels May 19, 2025
@Bravo555 Bravo555 had a problem deploying to Test Pull Request May 19, 2025 13:45 — with GitHub Actions Failure

codecov bot commented May 19, 2025

Codecov Report

Attention: Patch coverage is 61.53846% with 15 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| crates/extensions/tedge-p11-server/src/pkcs11.rs | 61.53% | 15 Missing ⚠️ |

@Bravo555 Bravo555 changed the title from "feat: PKCS11 support EC SECP384R1 and SECP521R keys" to "feat: PKCS11 support EC SECP384R1 and SECP521R1 keys" May 20, 2025
@Bravo555 Bravo555 force-pushed the feat/pkcs11-ecdsa-keys branch from d57a27b to c387147 Compare May 20, 2025 15:15
@Bravo555 Bravo555 temporarily deployed to Test Pull Request May 20, 2025 15:15 — with GitHub Actions Inactive
Contributor

github-actions bot commented May 20, 2025

Robot Results

| ✅ Passed | ❌ Failed | ⏭️ Skipped | Total | Pass % | ⏱️ Duration |
|---|---|---|---|---|---|
| 635 | 0 | 3 | 635 | 100 | 1h48m17.533708999s |

@Bravo555 Bravo555 force-pushed the feat/pkcs11-ecdsa-keys branch from c387147 to 452dd9f Compare May 20, 2025 15:57
@Bravo555 Bravo555 temporarily deployed to Test Pull Request May 20, 2025 15:57 — with GitHub Actions Inactive
@Bravo555 Bravo555 force-pushed the feat/pkcs11-ecdsa-keys branch from 452dd9f to cd32558 Compare May 21, 2025 16:30
@Bravo555 Bravo555 had a problem deploying to Test Pull Request May 21, 2025 16:30 — with GitHub Actions Failure
@Bravo555 Bravo555 mentioned this pull request May 21, 2025
11 tasks
@Bravo555 Bravo555 removed their assignment May 21, 2025
@Bravo555 Bravo555 force-pushed the feat/pkcs11-ecdsa-keys branch from cd32558 to 381060b Compare May 22, 2025 08:13
@Bravo555 Bravo555 temporarily deployed to Test Pull Request May 22, 2025 08:13 — with GitHub Actions Inactive
Bravo555 added 2 commits May 23, 2025 09:00
This test is part of adding support to ECDSA384 and ECDSA521 keys.
Currently we only support ECDSA256, because ecdsa_secp256r1_sha256
scheme is offered by C8y, as well as the others. But this can change in
the future, so we should support all of the EC schemes, with the bonus
that users that wish to use bigger keys can do so.

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555 Bravo555 force-pushed the feat/pkcs11-ecdsa-keys branch from 381060b to 29a1927 Compare May 23, 2025 09:01
@Bravo555 Bravo555 temporarily deployed to Test Pull Request May 23, 2025 09:01 — with GitHub Actions Inactive
@Bravo555 Bravo555 marked this pull request as ready for review May 23, 2025 09:01
@Bravo555 Bravo555 requested a review from a team as a code owner May 23, 2025 09:01
Contributor

@didier-wenzek didier-wenzek left a comment

Approved

@Bravo555 Bravo555 added this pull request to the merge queue May 23, 2025
Merged via the queue into thin-edge:main with commit 2609c72 May 23, 2025
34 checks passed
@Bravo555 Bravo555 deleted the feat/pkcs11-ecdsa-keys branch May 23, 2025 14:15
Labels
theme:hsm Hardware Security Module related topics theme:security Theme: Security related topics
2 participants