cli: support for authenticating with private keys and certificates stored in PKCS #11 backend#771
Merged
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
thomasten requested changes on Dec 4, 2024
thomasten reviewed on Dec 4, 2024:
> Alternatively, we could forgo the need for a config file and instead let users provide flags
I'd stick with the config file approach.
thomasten approved these changes on Dec 9, 2024
thomasten, on the docs line "Assuming the key and certificate have the label `marblerun-key` and `marblerun-cert` respectively, invoked the CLI as follows:"
Suggested change:
Assuming the key and certificate have the label `marblerun-key` and `marblerun-cert` respectively, invoke the CLI as follows:
Proposed changes
Allow users to authenticate themselves with private keys and certificates stored in a PKCS#11-compatible backend.
This removes the need to store private keys on disk; instead, they can be managed in an HSM, a YubiKey, or any other PKCS#11-compatible device.
Support is implemented through the crypto11 library by Thales.
To initialize the PKCS#11 library, a configuration file with the token label, serial, or slot, the PIN of the token, and the path to the PKCS#11 library has to be provided.
Additionally, users have to specify the ID and/or label of the key and certificate stored in the token to use for authentication.
Additional info
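The description above lists what the CLI needs from the user (library path, one way to pick the token, the PIN, and an ID and/or label for the key and for the certificate) but not what a careful implementation checks before using them. The following Go program is an added example, not code from this PR or from MarbleRun or crypto11: it validates such a config (the JSON field names mirror crypto11's `Config` struct and are an assumption, as is the rule that exactly one token selector must be set), and it shows the one check worth doing after the two objects have been looked up, namely that the key found under `marblerun-key` actually belongs to the certificate found under `marblerun-cert`, before the pair is handed to TLS. Because no token is available here, `NewSelfSigned` stands in for the PKCS#11 lookups and produces a constructed in-memory key and certificate; with crypto11, the `crypto.Signer` would come from `FindKeyPair` and the certificate from `FindCertificate`, and the private key would never leave the token.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKCS11Config is what the PR description says the CLI needs: how to reach the
// token and how to select the key and certificate on it. Field names follow
// crypto11.Config as an assumption; MarbleRun's real file format is not shown here.
type PKCS11Config struct {
	Path        string `json:"path"`
	TokenLabel  string `json:"tokenLabel"`
	TokenSerial string `json:"tokenSerial"`
	SlotNumber  *int   `json:"slotNumber"`
	Pin         string `json:"pin"`
	KeyID       string `json:"keyID"`
	KeyLabel    string `json:"keyLabel"`
	CertID      string `json:"certID"`
	CertLabel   string `json:"certLabel"`
}

// Validate fails early, before the PIN is ever presented to a token.
func (c *PKCS11Config) Validate() error {
	if c.Path == "" {
		return errors.New("path to the PKCS#11 library is required")
	}
	selectors := 0
	for _, set := range []bool{c.TokenLabel != "", c.TokenSerial != "", c.SlotNumber != nil} {
		if set {
			selectors++
		}
	}
	if selectors != 1 { // assumption: one unambiguous way to pick the token
		return errors.New("exactly one of tokenLabel, tokenSerial or slotNumber must be set")
	}
	if c.KeyID == "" && c.KeyLabel == "" {
		return errors.New("keyID and/or keyLabel must be set")
	}
	if c.CertID == "" && c.CertLabel == "" {
		return errors.New("certID and/or certLabel must be set")
	}
	return nil
}

// ParseConfig decodes strictly: a misspelled field must not silently leave the
// CLI selecting the wrong token or object.
func ParseConfig(data []byte) (*PKCS11Config, error) {
	var c PKCS11Config
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&c); err != nil {
		return nil, err
	}
	if err := c.Validate(); err != nil {
		return nil, err
	}
	return &c, nil
}

// ClientCertificate builds the tls.Certificate presented for mutual TLS from a
// crypto.Signer (a PKCS#11 key handle) and the certificate looked up beside it.
// It rejects a pair whose public keys differ, which is what a wrong label on a
// shared token produces.
func ClientCertificate(signer crypto.Signer, cert *x509.Certificate) (tls.Certificate, error) {
	pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return tls.Certificate{}, errors.New("private key does not match the certificate's public key")
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: signer, Leaf: cert}, nil
}

// NewSelfSigned is a stand-in for the token: a constructed in-memory P-256 key
// and a self-signed client certificate for it.
func NewSelfSigned(cn string) (crypto.Signer, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func main() {
	// Constructed sample config; the library path is an assumption (SoftHSM2 default).
	cfg, err := ParseConfig([]byte(`{"path":"/usr/lib/softhsm/libsofthsm2.so","tokenLabel":"marblerun","pin":"1234","keyLabel":"marblerun-key","certLabel":"marblerun-cert"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("token %q: key by label %q, cert by label %q\n", cfg.TokenLabel, cfg.KeyLabel, cfg.CertLabel)
	key, cert, err := NewSelfSigned("marblerun-user")
	if err != nil {
		panic(err)
	}
	if _, err := ClientCertificate(key, cert); err != nil {
		panic(err)
	}
	otherKey, _, _ := NewSelfSigned("someone-else")
	_, err = ClientCertificate(otherKey, cert)
	fmt.Println("mismatched pair rejected:", err)
}
```

The config file carries the token PIN, so it needs the same file permissions the on-disk private key used to need; moving the key into the token only helps if the PIN is not readable by every local user.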