From 0e9bc8f2d0341172bb190315d12163ce0f96efc6 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Mon, 2 Dec 2024 14:52:01 -0800 Subject: [PATCH] Add max-sessions parameter on pkcs11 kms This commit adds the max-sessions parameter to limit the maximum number of open sessions that we will keep with the HSM before reusing a previous one. It defaults to the crypto11 default, 1024. --- kms/pkcs11/pkcs11.go | 11 ++++++++++- kms/pkcs11/pkcs11_test.go | 8 ++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/kms/pkcs11/pkcs11.go b/kms/pkcs11/pkcs11.go index eecb4ff1..da80be63 100644 --- a/kms/pkcs11/pkcs11.go +++ b/kms/pkcs11/pkcs11.go @@ -59,12 +59,14 @@ type PKCS11 struct { // - pkcs11:serial=1a2b3c4d5e6f?pin-source=/path/to/pin.txt // - pkcs11:slot-id=5?pin-value=password // - pkcs11:module-path=/path/to/module.so;token=smallstep?pin-value=password +// - pkcs11:token=smallstep;max-sessions=100?pin-value=password // // The scheme is "pkcs11"; "token", "serial", or "slot-id" defines the // cryptographic device to use. "module-path" is the path of the PKCS#11 module // to use. It will default to the proxy module of the p11-kit project if none is // specified (p11-kit-proxy.so). "pin-value" provides the user's PIN, and -// "pin-source" defines a file that contains the PIN. +// "pin-source" defines a file that contains the PIN. "max-sessions" defines the +// maximum number of PKCS#11 sessions, it defaults to 1024. // // A cryptographic key or object is identified by its "id" or "object" // attributes. The "id" is the key identifier for the object, it's a hexadecimal @@ -96,6 +98,13 @@ func New(_ context.Context, opts apiv1.Options) (*PKCS11, error) { } config.SlotNumber = &n } + if v := u.Get("max-sessions"); v != "" { + n, err := strconv.Atoi(v) + if err != nil { + return nil, errors.Wrap(err, "kms uri 'max-sessions' is not valid") + } + config.MaxSessions = n + } // Get module or default to use p11-kit-proxy.so. // diff --git a/kms/pkcs11/pkcs11_test.go b/kms/pkcs11/pkcs11_test.go index 6f0a7d50..7684e96b 100644 --- a/kms/pkcs11/pkcs11_test.go +++ b/kms/pkcs11/pkcs11_test.go @@ -64,6 +64,10 @@ func TestNew(t *testing.T) { Type: "pkcs11", URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;slot-id=0?pin-value=password", }}, k, false}, + {"ok with max-sessions", args{context.Background(), apiv1.Options{ + Type: "pkcs11", + URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test;max-sessions=100?pin-value=password", + }}, k, false}, {"ok with pin", args{context.Background(), apiv1.Options{ Type: "pkcs11", URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test", @@ -110,6 +114,10 @@ func TestNew(t *testing.T) { Type: "pkcs11", URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;slot-id=x?pin-value=password", }}, nil, true}, + {"fail max-sessions", args{context.Background(), apiv1.Options{ + Type: "pkcs11", + URI: "pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test;max-sessions=0F?pin-value=password", + }}, nil, true}, {"fail scheme", args{context.Background(), apiv1.Options{ Type: "pkcs11", URI: "foo:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=pkcs11-test?pin-value=password",