Skip to main content

kipuka_hsm/providers/
utimaco.rs

1//! Utimaco CryptoServer HSM provider.
2//!
3//! The Utimaco CryptoServer family provides high-performance cryptographic
4//! operations with flexible firmware-based key management.
5//!
6//! # Platform-specific Library Paths
7//!
8//! - Linux: `/usr/lib/libcs_pkcs11_R3.so` (or `/opt/utimaco/...` for custom installs)
9//! - Windows: `C:\Program Files\Utimaco\CryptoServer\Lib\cs_pkcs11_R3.dll`
10//!
11//! # Firmware Slot Configuration
12//!
13//! CryptoServer uses firmware "slots" which are logical partitions within
14//! the HSM. Each slot has:
15//! - Independent key storage and access control
16//! - Configurable PIN policies
17//! - Per-slot mechanism enablement
18//!
19//! Slot 0 is typically the administrator slot; user slots start at 1.
20//!
21//! # Key Wrapping Support
22//!
23//! Utimaco supports both AES Key Wrap and RSA-OAEP for key transport:
24//! - CKM_AES_KEY_WRAP (RFC 3394)
25//! - CKM_AES_KEY_WRAP_PAD (RFC 5649) for non-aligned key lengths
26//! - CKM_RSA_PKCS_OAEP for RSA-based wrapping
27
28use crate::HsmProvider;
29use crate::providers::HsmProviderConfig;
30use cryptoki::mechanism::MechanismType;
31
32/// Default PKCS#11 library path for Linux.
33pub fn default_library_path() -> &'static str {
34    #[cfg(target_os = "linux")]
35    return "/usr/lib/libcs_pkcs11_R3.so";
36
37    #[cfg(target_os = "windows")]
38    return "C:\\Program Files\\Utimaco\\CryptoServer\\Lib\\cs_pkcs11_R3.dll";
39
40    #[cfg(not(any(target_os = "linux", target_os = "windows")))]
41    return "/usr/lib/libcs_pkcs11_R3.so";
42}
43
44/// Mechanisms supported by Utimaco CryptoServer.
45pub fn supported_mechanisms() -> Vec<MechanismType> {
46    vec![
47        // RSA
48        MechanismType::RSA_PKCS,
49        MechanismType::RSA_PKCS_KEY_PAIR_GEN,
50        MechanismType::SHA256_RSA_PKCS,
51        MechanismType::SHA384_RSA_PKCS,
52        MechanismType::SHA512_RSA_PKCS,
53        MechanismType::RSA_PKCS_PSS,
54        MechanismType::SHA256_RSA_PKCS_PSS,
55        MechanismType::SHA384_RSA_PKCS_PSS,
56        MechanismType::SHA512_RSA_PKCS_PSS,
57        MechanismType::RSA_PKCS_OAEP,
58        // ECDSA
59        MechanismType::ECDSA,
60        MechanismType::ECDSA_SHA256,
61        MechanismType::ECDSA_SHA384,
62        MechanismType::ECDSA_SHA512,
63        MechanismType::ECC_KEY_PAIR_GEN,
64        // AES
65        MechanismType::AES_KEY_GEN,
66        MechanismType::AES_ECB,
67        MechanismType::AES_CBC,
68        MechanismType::AES_GCM,
69        MechanismType::AES_KEY_WRAP,
70        MechanismType::AES_KEY_WRAP_PAD,
71        // Hashing
72        MechanismType::SHA256,
73        MechanismType::SHA384,
74        MechanismType::SHA512,
75    ]
76}
77
78/// Get the default provider configuration for Utimaco.
79pub fn provider_config() -> HsmProviderConfig {
80    HsmProviderConfig {
81        provider: HsmProvider::Utimaco,
82        library_path: default_library_path().to_string(),
83        supported_mechanisms: supported_mechanisms(),
84        notes: vec![
85            "Firmware slot configuration required before use".to_string(),
86            "Slot 0 is typically admin; user slots start at 1".to_string(),
87            "Full support for AES_KEY_WRAP and AES_KEY_WRAP_PAD".to_string(),
88            "RSAES-OAEP fully supported for key wrapping".to_string(),
89        ],
90    }
91}
92
93#[cfg(test)]
94mod tests {
95    use super::*;
96
97    #[test]
98    fn test_library_path_not_empty() {
99        assert!(!default_library_path().is_empty());
100    }
101
102    #[test]
103    fn test_mechanisms_include_key_wrap() {
104        let mechanisms = supported_mechanisms();
105        assert!(mechanisms.contains(&MechanismType::AES_KEY_WRAP));
106        assert!(mechanisms.contains(&MechanismType::AES_KEY_WRAP_PAD));
107        assert!(mechanisms.contains(&MechanismType::RSA_PKCS_OAEP));
108    }
109}