parallaxsecond
Compatiblity layer with RustCrypto
This is another take on #158
The purpose is to bring a compatibility layer with rustcrypto and use the tools developed there (x509 signing, pkcs7/CMS, ocsp, ...) with a pkcs#11-backed HSM
Amazing amount of work 🤯 thank you for the patch, I'll do a deep-dive when I get a bit of time.
One thing I'm wondering is if it makes more sense to have the extra functionality as a new crate, or as a module in the existing crate. We have something similar in tss-esapi with the abstractions module - not really sure which way is better, tbh, they both have advantages.
EDIT: if we keep it as a separate crate maybe we can frame it as a generic abstractions crate as well - if we want to implement other nice-to-have functionality in the future, we can just chuck it in the same one, as a separate mod.
I don't really have an opinion whether to make it a module (behind a feature flag) or an additional crate. What I know is that this is going to end up pulling a chunky part of rust-crypto and that dependency management is going to be tedious. I tend to believe this is going to be slightly easier with an external crate, but I'm fine either way.
I do intend to bring a similar abstraction over to tss-esapi.
For the background story of this effort, nixos folks (this includes @RaitoBezarius who chimed in earlier) are doing secureboot work, and intend to use rust to sign build artifacts (with both HSM and TPM, depending on the use-case).
We have a PE signer (https://github.com/RaitoBezarius/goblin-signing) that consumes a signatures::Signer.
I (/me pulls the professional hat) am deploying a similar effort at work (secureboot efforts as well as PKI work).
I do intend to continue supporting this in the foreseeable future.
Happy new year! Anything we can do on our side to make this PR gets in a nice state for merge? :)
