attempt to add HSM support directly
mathiasertl committed Jul 29, 2024
1 parent ac38f1c commit 625ed2f
Showing 24 changed files with 1,578 additions and 18 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/tests.yml
@@ -24,7 +24,7 @@ jobs:
name: Python ${{ matrix.python-version }}, Django ${{ matrix.django-version }}, cryptography ${{ matrix.cryptography-version }}, pydantic ${{ matrix.pydantic-version }}
steps:
- name: Install APT dependencies
run: sudo apt-get install -y firefox
run: sudo apt-get install -y firefox softhsm2

- name: Acquire sources
uses: actions/[email protected]
20 changes: 20 additions & 0 deletions ca/ca/test_settings.py
@@ -14,8 +14,12 @@
"""Test settings for the django-ca project."""

import json
import os
from datetime import datetime, timezone
from pathlib import Path

from django.utils.crypto import get_random_string

# Base paths in this project
BASE_DIR = Path(__file__).resolve().parent.parent # ca/

@@ -186,6 +190,14 @@
_fixture_data = json.load(stream)


# PKCS11 settings
_timestamp = datetime.now(tz=timezone.utc).strftime("%Y%m%d%H%M%S")
PKCS11_PATH = os.environ.get("PKCS11_LIBRARY", "/usr/lib/softhsm/libsofthsm2.so")
PKCS11_TOKEN_LABEL = f"pytest.{_timestamp}.{get_random_string(8)}"
PKCS11_SO_PIN = "so-pin-1234"
PKCS11_USER_PIN = "user-pin-1234"


CA_KEY_BACKENDS = {
"default": {
"BACKEND": "django_ca.key_backends.storages.StoragesBackend",
@@ -195,6 +207,14 @@
"BACKEND": "django_ca.key_backends.storages.StoragesBackend",
"OPTIONS": {"storage_alias": "secondary"},
},
"hsm": {
"BACKEND": "django_ca.key_backends.hsm.HSMBackend",
"OPTIONS": {
"module": PKCS11_PATH,
"token": PKCS11_TOKEN_LABEL,
"user_pin": PKCS11_USER_PIN,
},
},
}

# Custom settings
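Review bot: The PKCS11 settings hunk reads the module path from an environment variable named `PKCS11_LIBRARY` into a setting named `PKCS11_PATH`, and the default `/usr/lib/softhsm/libsofthsm2.so` is the Debian/Ubuntu location of the SoftHSM2 module that the tests.yml hunk installs, so the setting silently points at a non-existent file on other systems. Suggest a comment above it, `# Path to the PKCS#11 module; defaults to the Debian/Ubuntu SoftHSM2 location, override with PKCS11_LIBRARY elsewhere.`. The token label embeds a timestamp plus a random suffix, presumably so each pytest run gets a fresh SoftHSM token and never reuses one left over from an earlier run; that intent deserves a one-line comment such as `# Unique per test run so a stale token from an earlier run is never reused.`. It is also worth stating next to `PKCS11_SO_PIN`/`PKCS11_USER_PIN` that these are throwaway PINs for the test-only SoftHSM token, since the code that initializes the token with them is not part of this section.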
11 changes: 11 additions & 0 deletions ca/django_ca/constants.py
@@ -574,6 +574,17 @@ class ExtendedKeyUsageOID(_ExtendedKeyUsageOID):
ed448.Ed448PublicKey,
rsa.RSAPublicKey,
)
PUBLIC_KEY_TYPE_MAPPING: MappingProxyType[ParsableKeyType, type[CertificateIssuerPublicKeyTypes]] = (
MappingProxyType(
{
"DSA": dsa.DSAPublicKey,
"EC": ec.EllipticCurvePublicKey,
"Ed25519": ed25519.Ed25519PublicKey,
"Ed448": ed448.Ed448PublicKey,
"RSA": rsa.RSAPublicKey,
}
)
)

#: Tuple of supported private key types.
PRIVATE_KEY_TYPES: tuple[type[CertificateIssuerPrivateKeyTypes], ...] = (
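Review bot: `PUBLIC_KEY_TYPE_MAPPING` is added without the `#:` doc comment this file uses for its other module constants, e.g. `#: Tuple of supported private key types.` on the line after the hunk. Suggest `#: Mapping from parsable key type name to the matching public key class.` directly above the assignment. The mapping's values appear to mirror the `PUBLIC_KEY_TYPES` tuple whose closing parenthesis is the last context line before the addition; if that is the intent, the comment should say the two must stay in sync, since nothing in the hunk enforces it.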
5 changes: 2 additions & 3 deletions ca/django_ca/key_backends/base.py
@@ -213,13 +213,12 @@ def get_use_parent_private_key_options(

@abc.abstractmethod
def get_use_private_key_options(
self, ca: Optional["CertificateAuthority"], options: dict[str, Any]
self, ca: "CertificateAuthority", options: dict[str, Any]
) -> UsePrivateKeyOptionsTypeVar:
"""Get options to use the private key of a certificate authority.
The returned model will be used for the certificate authority `ca`. You can pass it as extra context
to influence model validation. If `ca` is ``None``, it indicates that the CA is currently being
created via :command:`manage.py init_ca`.
to influence model validation.
`options` is the dictionary of arguments to :command:`manage.py init_ca` (including default values).
The key backend is expected to be able to sign certificates and CRLs using the options provided here.
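Review bot: After narrowing `ca` from `Optional["CertificateAuthority"]` to `"CertificateAuthority"` and dropping the sentence about `ca` being `None` during `init_ca`, the docstring still says `options` is the dictionary of arguments to `manage.py init_ca` (the unchanged line that follows), which now reads inconsistently because the hunk removes the `init_ca` case. If this method is now only reached with an existing CA, suggest rewording that line to `\`options\` is the dictionary of arguments passed by the command that uses the private key (including default values).`. Subclasses that still accept `Optional` remain compatible, but any caller that passed `None` now violates the abstract contract, so a short note on the new signature saying `ca` is always an existing authority would help implementers. `get_use_private_key_options` continues past the end of the hunk.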
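--- a/ca/django_ca/key_backends/hsm/__init__.py
+++ b/ca/django_ca/key_backends/hsm/__init__.py
@@ -0,0 +1,18 @@
+# This file is part of django-ca (https://github.com/mathiasertl/django-ca).
+#
+# django-ca is free software: you can redistribute it and/or modify it under the terms of the GNU General
+# Public License as published by the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# django-ca is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# You should have received a copy of the GNU General Public License along with django-ca. If not, see
+# <http://www.gnu.org/licenses/>.
+
+"""HSM backend module."""
+
+from django_ca.key_backends.hsm.backend import HSMBackend
+
+__all__ = ("HSMBackend",)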