Add PKCS#11 library support

[dylrich]

We use this library to sign Nuget packages with certificates stored in Azure Key Vault. However, we'd prefer to not directly talk to Azure Key Vault, but instead use a PKCS#11 library to request signatures from Azure Key Vault. Our PKCS#11 library serves as a standardized authentication and management layer for keys and certificates that we use for other, non-nuget signatures. If this tool supported PKCS#11, we could use this interface for all types of signing. Additionally, it would allow users to sign packages in a wider range of HSM backends beyond just Azure Key Vault, though this isn't the main motivation for us.

Would this project consider accepting a Pull Request that contained a PKCS#11 implementation? It seems like it would need to satisfy these two interfaces if we're reading the code correctly.

[clairernovotny]

Hi @dylrich

We would certainly consider it, can you please provide some additional information about your proposed implementation? We are also refactoring that will make this easier to start once they're merged: #700 & #703

• Is the implementation entirely managed or is there native code too? If there's native code, what platforms are supported?
• What are the required parameters needed to configure the provider?
• Any other details about the implementation? Is it new code or is it coming from an existing source.

[dylrich]

Hi @clairernovotny , thanks for the fast response!

We're not sure about the answers to your questions yet and are still working out details about what this might look like. We were mostly curious about if this effort would even be desired upstream! I'll let you know as soon as possible once we have more answers about what exactly we were thinking about.

[dylrich]

Hi @clairernovotny,

1. We were planning on using https://github.com/Pkcs11Interop/Pkcs11Interop to allow talking to unmanaged PKCS#11 libraries.
2. Users would either need to pass in a PKCS#11 URI and PIN or the path to a PKCS#11 library, key identifier and PIN.
3. We would write new code to glue this library to the above Pkcs11Interop library

How would you and the team feel about this approach?

[spilkercompra]

We use https://github.com/Pkcs11Interop/Pkcs11Interop.X509Store to talk to a SafeNet eToken and to SoftHSM with this library. For our inhouse use case this is working flawlessly.

[jariq]

Hello all, author of Pkcs11Interop here 👋🏻

Instead of using complex Pkcs11Interop library which requires strong understanding of underlying standards, I would definitely recommend using more developer friendly Pkcs11Interop.X509Store which provides implementation of System.Security.Cryptography.RSA and System.Security.Cryptography.ECDsa interfaces.

Let me know if you need any help, code review or anything else.

[spilkercompra]

Jaroslav, helped me out. Great Library. What an amount of work. [cid:eevolutionclaimlogo_mailsignatur_1f3b4da4-b887-429a-99d7-a0ccaa7fdf6b.jpg] Ihre Ansprechpartner für ERP<https://www.eevolution.de/produkte/eevolution-erp/?utm_medium=email-signatur>, ECM<https://www.eevolution.de/produkte/elo/?utm_medium=email-signatur>, E-Commerce<https://www.eevolution.de/produkte/shopware/?utm_medium=email-signatur> und Cloud<https://www.eevolution.de/produkte/it-services/hosting-cloud-services/?utm_medium=email-signatur>. Marco Spilker | ***@***.******@***.***> | eEvolution Vertrieb GmbH | Speicherstraße 9 | 31134 Hildesheim +49 5121 7486-02<tel:+49%205121%207486-02> | ***@***.******@***.***> | www.eEvolution.de<https://eevolution.de?utm_medium=email-signatur> Amtsgericht Hildesheim | HRB 200118 | Geschäftsführer Alexander Schmidt, Stefan Strauss [cid:eevolution_11b14a61-d862-41c9-a1ed-7820a4014dcd.jpg]<https://www.eevolution.de/produkte/eevolution-erp/?utm_medium=email-signatur> [cid:elobusinesspartner_6d27fc70-f35c-4544-859d-b55f89ec5e7b.jpg] <https://www.eevolution.de/produkte/elo/?utm_medium=email-signatur> [cid:shopwarebronzepartner_6719bfbe-5549-4b90-9f26-0f870999dd83.jpg] <https://www.eevolution.de/produkte/shopware/?utm_medium=email-signatur> [cid:hosting_447b2b14-dbc4-4c6d-a116-2f5c997b3875.jpg] <https://www.eevolution.de/produkte/it-services/hosting-cloud-services/?utm_medium=email-signatur> <https://www.eevolution.de/entdecke-eevolution/econnect/> Folgen Sie uns auf<https://www.linkedin.com/company/eevolution-gmbh-&-co-kg> Social Media: LinkedIn<https://www.linkedin.com/company/eevolution-gmbh-&-co-kg> | ***@***.***> | Instagram<https://www.instagram.com/eevo_gmbh/>

…

________________________________________________ Diese E-Mail sowie sämtliche Anlagen sind streng vertraulich. Der Inhalt ist ausschließlich für die oben genannten Person(en) oder entsprechenden Gesellschaften bestimmt. Wenn Sie nicht der genannte oder beabsichtigte Empfänger sind, bitten wir um sofortige Benachrichtigung des Absenders. Ebenso bitten wir Sie, den Inhalt Dritten gegenüber vertraulich zu behandeln und ihn nicht zu irgendwelchen Zwecken oder zur Speicherung oder zum Kopieren auf einem Medium gleich welcher Art zu nutzen. This e-mail and any attachments is confidential and privileged. The information is intended to be for the use of the individual(s) or relevant entity named above. If you are not the named or intended recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium.

________________________________ From: Jaroslav Imrich ***@***.***> Sent: Wednesday, October 2, 2024 9:27:58 PM To: dotnet/sign ***@***.***> Cc: Marco Spilker ***@***.***>; Comment ***@***.***> Subject: Re: [dotnet/sign] Add PKCS#11 library support (Issue #707) Hello all, author of Pkcs11Interop here 👋🏻 Instead of using complex Pkcs11Interop<https://github.com/Pkcs11Interop/Pkcs11Interop> library which requires strong understanding of underlying standards, I would definitely recommend using more developer friendly Pkcs11Interop.X509Store<https://github.com/Pkcs11Interop/Pkcs11Interop.X509Store> which provides implementation of System.Security.Cryptography.RSA and System.Security.Cryptography.ECDsa interfaces. Let me know if you need any help, code review or anything else. — Reply to this email directly, view it on GitHub<#707 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AN53KD3B3DY3HD3SR2AZJ6TZZRCL5AVCNFSM6AAAAABJGY4URCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBZGUYTQNBQGA>. You are receiving this because you commented.Message ID: ***@***.***>

[spilkercompra]

Fire and forget is important for us litte Guys. I integrated the great Java Implementierung when i faced our build server was 2012. you all should team up. [cid:eevolutionclaimlogo_mailsignatur_1f3b4da4-b887-429a-99d7-a0ccaa7fdf6b.jpg] Ihre Ansprechpartner für ERP<https://www.eevolution.de/produkte/eevolution-erp/?utm_medium=email-signatur>, ECM<https://www.eevolution.de/produkte/elo/?utm_medium=email-signatur>, E-Commerce<https://www.eevolution.de/produkte/shopware/?utm_medium=email-signatur> und Cloud<https://www.eevolution.de/produkte/it-services/hosting-cloud-services/?utm_medium=email-signatur>. Marco Spilker | ***@***.******@***.***> | eEvolution Vertrieb GmbH | Speicherstraße 9 | 31134 Hildesheim +49 5121 7486-02<tel:+49%205121%207486-02> | ***@***.******@***.***> | www.eEvolution.de<https://eevolution.de?utm_medium=email-signatur> Amtsgericht Hildesheim | HRB 200118 | Geschäftsführer Alexander Schmidt, Stefan Strauss [cid:eevolution_11b14a61-d862-41c9-a1ed-7820a4014dcd.jpg]<https://www.eevolution.de/produkte/eevolution-erp/?utm_medium=email-signatur> [cid:elobusinesspartner_6d27fc70-f35c-4544-859d-b55f89ec5e7b.jpg] <https://www.eevolution.de/produkte/elo/?utm_medium=email-signatur> [cid:shopwarebronzepartner_6719bfbe-5549-4b90-9f26-0f870999dd83.jpg] <https://www.eevolution.de/produkte/shopware/?utm_medium=email-signatur> [cid:hosting_447b2b14-dbc4-4c6d-a116-2f5c997b3875.jpg] <https://www.eevolution.de/produkte/it-services/hosting-cloud-services/?utm_medium=email-signatur> <https://www.eevolution.de/entdecke-eevolution/econnect/> Folgen Sie uns auf<https://www.linkedin.com/company/eevolution-gmbh-&-co-kg> Social Media: LinkedIn<https://www.linkedin.com/company/eevolution-gmbh-&-co-kg> | ***@***.***> | Instagram<https://www.instagram.com/eevo_gmbh/>

…

________________________________________________ Diese E-Mail sowie sämtliche Anlagen sind streng vertraulich. Der Inhalt ist ausschließlich für die oben genannten Person(en) oder entsprechenden Gesellschaften bestimmt. Wenn Sie nicht der genannte oder beabsichtigte Empfänger sind, bitten wir um sofortige Benachrichtigung des Absenders. Ebenso bitten wir Sie, den Inhalt Dritten gegenüber vertraulich zu behandeln und ihn nicht zu irgendwelchen Zwecken oder zur Speicherung oder zum Kopieren auf einem Medium gleich welcher Art zu nutzen. This e-mail and any attachments is confidential and privileged. The information is intended to be for the use of the individual(s) or relevant entity named above. If you are not the named or intended recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium.

________________________________ From: Marco Spilker (eEvolution) ***@***.***> Sent: Wednesday, October 2, 2024 9:38:59 PM To: dotnet/sign ***@***.***> Subject: Re: [dotnet/sign] Add PKCS#11 library support (Issue #707) Jaroslav, helped me out. Great Library. What an amount of work.

________________________________ From: Jaroslav Imrich ***@***.***> Sent: Wednesday, October 2, 2024 9:27:58 PM To: dotnet/sign ***@***.***> Cc: Marco Spilker ***@***.***>; Comment ***@***.***> Subject: Re: [dotnet/sign] Add PKCS#11 library support (Issue #707) Hello all, author of Pkcs11Interop here 👋🏻 Instead of using complex Pkcs11Interop<https://github.com/Pkcs11Interop/Pkcs11Interop> library which requires strong understanding of underlying standards, I would definitely recommend using more developer friendly Pkcs11Interop.X509Store<https://github.com/Pkcs11Interop/Pkcs11Interop.X509Store> which provides implementation of System.Security.Cryptography.RSA and System.Security.Cryptography.ECDsa interfaces. Let me know if you need any help, code review or anything else. — Reply to this email directly, view it on GitHub<#707 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AN53KD3B3DY3HD3SR2AZJ6TZZRCL5AVCNFSM6AAAAABJGY4URCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBZGUYTQNBQGA>. You are receiving this because you commented.Message ID: ***@***.***>

[spilkercompra]

If i knew before: JSign has IT all. 2012 for me. [cid:eevolutionclaimlogo_mailsignatur_1f3b4da4-b887-429a-99d7-a0ccaa7fdf6b.jpg] Ihre Ansprechpartner für ERP<https://www.eevolution.de/produkte/eevolution-erp/?utm_medium=email-signatur>, ECM<https://www.eevolution.de/produkte/elo/?utm_medium=email-signatur>, E-Commerce<https://www.eevolution.de/produkte/shopware/?utm_medium=email-signatur> und Cloud<https://www.eevolution.de/produkte/it-services/hosting-cloud-services/?utm_medium=email-signatur>. Marco Spilker | ***@***.******@***.***> | eEvolution Vertrieb GmbH | Speicherstraße 9 | 31134 Hildesheim +49 5121 7486-02<tel:+49%205121%207486-02> | ***@***.******@***.***> | www.eEvolution.de<https://eevolution.de?utm_medium=email-signatur> Amtsgericht Hildesheim | HRB 200118 | Geschäftsführer Alexander Schmidt, Stefan Strauss [cid:eevolution_11b14a61-d862-41c9-a1ed-7820a4014dcd.jpg]<https://www.eevolution.de/produkte/eevolution-erp/?utm_medium=email-signatur> [cid:elobusinesspartner_6d27fc70-f35c-4544-859d-b55f89ec5e7b.jpg] <https://www.eevolution.de/produkte/elo/?utm_medium=email-signatur> [cid:shopwarebronzepartner_6719bfbe-5549-4b90-9f26-0f870999dd83.jpg] <https://www.eevolution.de/produkte/shopware/?utm_medium=email-signatur> [cid:hosting_447b2b14-dbc4-4c6d-a116-2f5c997b3875.jpg] <https://www.eevolution.de/produkte/it-services/hosting-cloud-services/?utm_medium=email-signatur> <https://www.eevolution.de/entdecke-eevolution/econnect/> Folgen Sie uns auf<https://www.linkedin.com/company/eevolution-gmbh-&-co-kg> Social Media: LinkedIn<https://www.linkedin.com/company/eevolution-gmbh-&-co-kg> | ***@***.***> | Instagram<https://www.instagram.com/eevo_gmbh/>

…

________________________________________________ Diese E-Mail sowie sämtliche Anlagen sind streng vertraulich. Der Inhalt ist ausschließlich für die oben genannten Person(en) oder entsprechenden Gesellschaften bestimmt. Wenn Sie nicht der genannte oder beabsichtigte Empfänger sind, bitten wir um sofortige Benachrichtigung des Absenders. Ebenso bitten wir Sie, den Inhalt Dritten gegenüber vertraulich zu behandeln und ihn nicht zu irgendwelchen Zwecken oder zur Speicherung oder zum Kopieren auf einem Medium gleich welcher Art zu nutzen. This e-mail and any attachments is confidential and privileged. The information is intended to be for the use of the individual(s) or relevant entity named above. If you are not the named or intended recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium.

________________________________ From: Marco Spilker (eEvolution) ***@***.***> Sent: Wednesday, October 2, 2024 9:57:36 PM To: dotnet/sign ***@***.***> Subject: Re: [dotnet/sign] Add PKCS#11 library support (Issue #707) Fire and forget is important for us litte Guys. I integrated the great Java Implementierung when i faced our build server was 2012. you all should team up.

________________________________ From: Marco Spilker (eEvolution) ***@***.***> Sent: Wednesday, October 2, 2024 9:38:59 PM To: dotnet/sign ***@***.***> Subject: Re: [dotnet/sign] Add PKCS#11 library support (Issue #707) Jaroslav, helped me out. Great Library. What an amount of work.

________________________________ From: Jaroslav Imrich ***@***.***> Sent: Wednesday, October 2, 2024 9:27:58 PM To: dotnet/sign ***@***.***> Cc: Marco Spilker ***@***.***>; Comment ***@***.***> Subject: Re: [dotnet/sign] Add PKCS#11 library support (Issue #707) Hello all, author of Pkcs11Interop here 👋🏻 Instead of using complex Pkcs11Interop<https://github.com/Pkcs11Interop/Pkcs11Interop> library which requires strong understanding of underlying standards, I would definitely recommend using more developer friendly Pkcs11Interop.X509Store<https://github.com/Pkcs11Interop/Pkcs11Interop.X509Store> which provides implementation of System.Security.Cryptography.RSA and System.Security.Cryptography.ECDsa interfaces. Let me know if you need any help, code review or anything else. — Reply to this email directly, view it on GitHub<#707 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AN53KD3B3DY3HD3SR2AZJ6TZZRCL5AVCNFSM6AAAAABJGY4URCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBZGUYTQNBQGA>. You are receiving this because you commented.Message ID: ***@***.***>

[dtivel]

#639 is the first step in solving this. After that, it would be up to whoever wants to implement a PKCS#11 signature provider for Sign CLI. I don't think there's any work here for Sign CLI beyond implementing #639.