Support import certificate using softhsm2-util #612
Thank you for your contribution, I have some things to consider before merging: Certificate import may be slightly more complex, since certificates are often associated with keys. Different applications link @halderen your opinion would be welcome. If we do decide to proceed with this, I think the following changes/features would be necessary:
|
b5aab9a to 547eaad
Hi, Thank you for the review. I altered the implementation and added For the matching between key and certificate, as far as I know the best practice is to match the I have been around for years in PKCS#11 domain and never saw a setup in which the CKA_ID is not used for matching. If you ACK I will update the man page and try to hack the botan as well. Regards, |
The botan part was actually simpler than I thought, so I applied the botan part and the man part. |
8876f7b to 53e6299
Thanks, looks good, one small request: the PR is still essentially deprecating the current mode of use of
Again, thanks for your contribution, I think with the changes above we'd be good to go for a review by @halderen and a merge. |
Hi,
I left the --aes in the man page, just removed it from the first line. And
added depreciation notice in parameter usage, so I do not think anything is
missing... just less endorsement for the parameter. :)
The past addition of the --aes was very confusing, I only realized its
usage when reading the code.
For the stderr messages, I do not like it, it may break existing scripts.
As long as we support backward compatibility, I think the risk of breakage
due to output is wrong. I believe documentation should be sufficient.
What do you think?
Thanks,
Alon
|
I think I agree, I'm going to ask @halderen to review and merge. Thanks! |
ping? |
Hi @halderen, |
+1 on the feature. This can be accomplished by using opensc/pkcs11-tool but it would be easier to rely on one single tool for both tasks. Another possible feature could be to allow importing a p12/pfx directly without the need of breaking it up in 2 different files and it would handle everything internally. |
Rebased. Hi @halderen, |
Hi @halderen, |
ping? |
Hello @halderen, can you please look at this patch? It would be great if we can use the softhsm2-util to import certificates for unit tests without additional software. |
@halderen: I would also appreciate this PR very much, could you please consider merging. |
Rebased. @halderen: can you please review? This is a super handy utility for unit tests of PKCS#11-enabled applications. |
Please rebase on develop and mark as ready when ready. |
e7e576d to cc9d83f
Hi @jschlyter, |
Hello @ijsf ,
Thank you for reviewing.
I pushed a new revision, I hope it will address your concerns.
Regards,
Hello @jschlyter, is there anything more I can do to push this forward? |
I think we're good, but I'd appreciate if @bjosv could take a look as well. |
Looks useful, just have a few comments before a merge.
The softhsm2-util already support importing keys, why not also import
certificates?
Useful for test scripts that require both keys and certificates.
Add --import-type <type> parameter, depreciate the --aes parameter.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
@bjosv thank you for spotting this leftover! I hope all is good now. |
LGTM!
One more thing @alonbl, could you add a test case for the import function in a separate PR? |
Hello @jschlyter, I do not see any test cases for the usage of the utilities. Thanks, |