Providing SSL Connections in Python using PKCS#11

左心房为你撑大大i 提交于 2019-12-20 14:30:52

问题


I have to implement a Python based web server on a Linux based firmware for an embedded system component:

class WebServer(http.server.HTTPServer)
...
...

To enable ssl connections a ssl context is created within the server by

self.ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
self.ssl_context.load_cert_chain(certfile=cert, keyfile=key)
self.ssl_context.verify_mode = ssl.CERT_REQUIRED
self.ssl_context.load_verify_locations(verifyCert)

Note: cert is a file path to the certificate, keyfile is the path to the private key.

Upon a request the method get_request is called:

def get_request(self):
    request = self.socket.accept()
    if self.ssl_context:
        req_socket, addr = request
        connstream = self.ssl_context.wrap_socket(req_socket, server_side=True)
        return connstream, addr
    else:
        return request

The wrap_socket method is used to wrap the original socket into a ssl socket, which is returned instead. That is all to provide a ssl connection.

Now the question:

The solution is a first implementation and not secure. We are oblidged to use a given hardware security module (HSM) to create and store certificates and private keys. Any private keys are completely hidden and will never leave the module. All cryptographic primitives have to be executed directly within the module. The interface to the HSM is PKCS#11, for which a vendor supplied dynamic middle-ware library exists.

How can I use the module instead of the original ssl for setup of the ssl context under python? I know already, that ssl is based on openSSL, for which a PKCS#11 engine exists (libarary opensc-pkcs11.so). The middleware from the vendor provides the PKCS#11 API.

Unfortunately, I have no plan how the PKCS#11 engine is to be integrated into python's ssl/openSSL and how to tie all things together. Is it even possible to transparently use PKCS#11 instead of the native implementation, and if yes, how do I activate it from python? Moreover, how would I have to pass the arguments "certfile" and "keyfile", because both are not available anymore as plain files? In fact I have no access to the private key directly; there are only URL-based references to objects within the HSM used to operate on it.

Can PyKCS11 be a solution instead of ssl?

I just need to know the basic path to solving such problem. I can find all the details on my own.

来源:https://stackoverflow.com/questions/41170977/providing-ssl-connections-in-python-using-pkcs11

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!