kipuka_hsm/providers/
entrust.rs

1//! Entrust nShield HSM provider.
2//!
3//! The Entrust nShield HSM family (formerly nCipher) provides hardware-backed
4//! cryptographic operations with support for Security Worlds and OCS card sets.
5//!
6//! # Platform-specific Library Paths
7//!
8//! - Linux: `/opt/nfast/toolkits/pkcs11/libcknfast.so`
9//! - macOS: `/opt/nfast/toolkits/pkcs11/libcknfast.dylib`
10//! - Windows: `C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll`
11//!
12//! # Security World and OCS
13//!
14//! nShield HSMs use a "Security World" model where keys are protected by:
15//! - Administrator Card Sets (ACS) - for initial setup
16//! - Operator Card Sets (OCS) - for routine key access
17//!
18//! The PKCS#11 interface requires OCS cards to be presented before accessing
19//! protected keys. In automated environments, this is typically handled via:
20//! - Softcards (passphrase-protected software OCS)
21//! - Remote Operator (network-based OCS)
22//! - Preload (OCS loaded during system boot)
23//!
24//! # Mechanism Support
25//!
26//! nShield supports all standard PKCS#11 mechanisms including:
27//! - RSA signing and encryption (PKCS#1 v1.5, PSS, OAEP)
28//! - ECDSA signing (P-256, P-384, P-521)
29//! - AES Key Wrap (CKM_AES_KEY_WRAP) via nCore
30//!
31//! Note: Some mechanisms may require specific firmware versions or nCore modules.
32
33use crate::HsmProvider;
34use crate::providers::HsmProviderConfig;
35use cryptoki::mechanism::MechanismType;
36
37/// Default PKCS#11 library path for Linux.
38pub fn default_library_path() -> &'static str {
39    #[cfg(target_os = "linux")]
40    return "/opt/nfast/toolkits/pkcs11/libcknfast.so";
41
42    #[cfg(target_os = "macos")]
43    return "/opt/nfast/toolkits/pkcs11/libcknfast.dylib";
44
45    #[cfg(target_os = "windows")]
46    return "C:\\Program Files\\nCipher\\nfast\\toolkits\\pkcs11\\cknfast.dll";
47
48    #[cfg(not(any(target_os = "linux", target_os = "macos", target_os = "windows")))]
49    return "/opt/nfast/toolkits/pkcs11/libcknfast.so";
50}
51
52/// Mechanisms supported by nShield HSMs.
53pub fn supported_mechanisms() -> Vec<MechanismType> {
54    vec![
55        // RSA
56        MechanismType::RSA_PKCS,
57        MechanismType::RSA_PKCS_KEY_PAIR_GEN,
58        MechanismType::SHA256_RSA_PKCS,
59        MechanismType::SHA384_RSA_PKCS,
60        MechanismType::SHA512_RSA_PKCS,
61        MechanismType::RSA_PKCS_PSS,
62        MechanismType::SHA256_RSA_PKCS_PSS,
63        MechanismType::SHA384_RSA_PKCS_PSS,
64        MechanismType::SHA512_RSA_PKCS_PSS,
65        MechanismType::RSA_PKCS_OAEP,
66        // ECDSA
67        MechanismType::ECDSA,
68        MechanismType::ECDSA_SHA256,
69        MechanismType::ECDSA_SHA384,
70        MechanismType::ECDSA_SHA512,
71        MechanismType::ECC_KEY_PAIR_GEN,
72        // AES
73        MechanismType::AES_KEY_GEN,
74        MechanismType::AES_ECB,
75        MechanismType::AES_CBC,
76        MechanismType::AES_GCM,
77        MechanismType::AES_KEY_WRAP,
78        MechanismType::AES_KEY_WRAP_PAD,
79        // Hashing
80        MechanismType::SHA256,
81        MechanismType::SHA384,
82        MechanismType::SHA512,
83    ]
84}
85
86/// Get the default provider configuration for Entrust nShield.
87pub fn provider_config() -> HsmProviderConfig {
88    HsmProviderConfig {
89        provider: HsmProvider::Entrust,
90        library_path: default_library_path().to_string(),
91        supported_mechanisms: supported_mechanisms(),
92        notes: vec![
93            "Requires Security World setup with OCS card sets".to_string(),
94            "CKM_AES_KEY_WRAP supported via nCore but may need explicit mechanism mapping"
95                .to_string(),
96            "Softcard passphrase required for automated key access".to_string(),
97            "Check firmware version for PSS and OAEP support".to_string(),
98        ],
99    }
100}
101
102#[cfg(test)]
103mod tests {
104    use super::*;
105
106    #[test]
107    fn test_library_path_not_empty() {
108        assert!(!default_library_path().is_empty());
109    }
110
111    #[test]
112    fn test_mechanisms_include_rsa_and_ecdsa() {
113        let mechanisms = supported_mechanisms();
114        assert!(mechanisms.contains(&MechanismType::RSA_PKCS));
115        assert!(mechanisms.contains(&MechanismType::ECDSA));
116        assert!(mechanisms.contains(&MechanismType::AES_KEY_WRAP));
117    }
118
119    #[test]
120    fn test_config_populated() {
121        let config = provider_config();
122        assert_eq!(config.provider, HsmProvider::Entrust);
123        assert!(!config.notes.is_empty());
124    }
125}
kipuka_hsm/providers/entrust.rs

kipuka_hsm/providers/
entrust.rs
