OpenDJ issue OPENDJ-7073

PKCS#11 key and trust manager providers should allow custom keystore types

    Details

    • Type: Improvement
    • Status: QA Backlog
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 6.5.3, 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: security
    • Labels: None

      Description

      There are, broadly speaking, two types of keystore:

      • file-based: requires a file, a password and a configurable keystore type
      • PKCS#11: requires no file, only a password, and the keystore type is fixed to "PKCS#11".

      However, it appears that some PKCS#11 providers use alternative keystore types (see OPENAM-14783), so we should allow the keystore type to be configurable.

      In addition, HSMs that don't implement the PKCS#11 interface fall into one of the two categories above, except that they obviously use a custom keystore type identifier like "CloudHSM". Making the keystore type configurable for the PKCS#11 key/trust managers would therefore also let us support some non-PKCS#11 HSMs. With that in mind, we may want to consider renaming the PKCS#11 providers to "HsmXxxManagerProvider" instead.

      Suggested fix:

      • add a new "key-store-type" configuration option to both the PKCS11 key and trust manager providers. The configuration option can be copied over from their file-based counterparts.
      • consider renaming PKCS#11 key/trust manager providers to HSM key/trust manager providers. This will require an upgrade task.
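As an added illustration (not OpenDJ code), the hypothetical Java loader below shows what a configurable key-store-type buys: one code path serves a file-based keystore, a PKCS#11 token and a custom HSM type such as "CloudHSM", differing only in whether a backing file is supplied. The class and field names are assumptions, not the project's configuration API.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;

/** Hypothetical loader illustrating a configurable key-store-type; not OpenDJ code. */
public final class ConfigurableKeyStoreLoader {

    /** Hypothetical stand-in for the provider's configuration entry. */
    public static final class KeyStoreConfig {
        final String keyStoreType; // e.g. "JKS", "PKCS12", "PKCS11" or a custom type such as "CloudHSM"
        final String keyStoreFile; // null for PKCS#11 tokens and other HSM-backed keystores
        final char[] keyStorePin;  // file password, or the token PIN for HSM-backed keystores

        KeyStoreConfig(String keyStoreType, String keyStoreFile, char[] keyStorePin) {
            this.keyStoreType = keyStoreType;
            this.keyStoreFile = keyStoreFile;
            this.keyStorePin = keyStorePin;
        }
    }

    /** Loads the keystore described by cfg; handles both categories described in the issue. */
    public static KeyStore load(KeyStoreConfig cfg) throws GeneralSecurityException, IOException {
        final KeyStore keyStore;
        try {
            // The type comes from configuration instead of being hard-wired to "PKCS11".
            keyStore = KeyStore.getInstance(cfg.keyStoreType);
        } catch (KeyStoreException e) {
            // A custom HSM type only resolves if its JCE provider has been registered in the JVM.
            throw new KeyStoreException("no JCE provider registered for keystore type '"
                    + cfg.keyStoreType + "'", e);
        }
        if (cfg.keyStoreFile == null) {
            // HSM-backed keystore: no backing file, the PIN unlocks the token.
            keyStore.load(null, cfg.keyStorePin);
        } else {
            // File-based keystore: read the file and verify its integrity with the password.
            try (InputStream in = new FileInputStream(cfg.keyStoreFile)) {
                keyStore.load(in, cfg.keyStorePin);
            }
        }
        return keyStore;
    }
}
```

Calling load with a null file and type "PKCS11" (or "CloudHSM", once that provider is installed) exercises the HSM path; supplying a file path and "PKCS12" exercises the file-based path.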


              People

              • Assignee: Ludovic Poitou (ludo)
              • Reporter: Matthew Swift (matthew)
              • Dev Assignee: Ludovic Poitou