[Cryptography-dev] Looking to sign certificates with pkcs11 key
Terje Elde
terje at elde.net
Thu Dec 14 04:30:20 EST 2017
Hi!
I’m looking to set up a solution where an intermediate CA signs certificates using a pkcs11-accessible private key.
Doing this without pkcs11 seems pretty straightforward thanks to pyca/cryptography, which is surprisingly comfortable to use. There’s no native support for pkcs11 (yet) though, which sends me looking at hybrid solutions, doing most of the work with the cryptography package, but looking elsewhere for the actual pkcs11 operations.
I can easily enough grab the public key for the intermediate CA, build up the cert etc, but when it’s time to sign it, things get more difficult.
The cryptography package often wraps openssl at a fairly high level, so the actual signing call in `create_x509_certificate` expects an openssl structure and a private key as input. That’s a bit of a challenge, since I don’t actually have the private key, that being about half the point of pkcs11.
One possible way to go could perhaps be to:
- Subclass Backend, replacing the `create_x509_certificate` method
- In “my” version, replace the `self._lib.X509_sign` operation with simply DER-encoding the cert, allowing use of the pkcs11 module for the actual signing
- Bring the signature back into the cert structure
In order to do that though, I’d probably need `ASN1_item_i2d` or similar, which doesn’t seem to be exposed in cryptography.
Would be interesting to hear if any of you have any good suggestions for solving this either using cryptography or another package.
Terje Elde
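The three-step plan above (DER-encode the to-be-signed part, sign it elsewhere, bring the signature back) amounts to building the outer Certificate SEQUENCE by hand: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }. The following is an added example, not the poster's code and not part of pyca/cryptography; it uses only the Python standard library. The minimal DER encoder/parser, the constructed sample TBSCertificate (placeholder public key bits, not a real key) and `fake_hsm_sign` (a deterministic stand-in for the token's C_Sign call, not a real RSA signature) are all assumptions of this example. The one check a practitioner wants here is also included: RFC 5280 §4.1.1.2 requires the outer signatureAlgorithm to equal the `signature` field inside the TBS, so the TBS must already have been built for the algorithm the token will use.

```python
"""Splice an externally produced signature into an X.509 certificate.
Standard library only; all names and sample data are constructed for this example."""
import hashlib
import hmac

# --- minimal DER encoder ------------------------------------------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_set(*items: bytes) -> bytes:
    return der_tlv(0x31, b"".join(items))

def der_int(n: int) -> bytes:  # two's-complement, minimal length, non-negative input
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:           # base-128 with continuation bits, big-endian
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def der_bitstring(data: bytes) -> bytes:
    return der_tlv(0x03, b"\x00" + data)   # first byte = number of unused bits

# --- minimal DER parser -------------------------------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + hdr, pos + hdr + length

def children(der: bytes):
    """Raw child TLVs of one constructed element (SEQUENCE or SET)."""
    _, pos, end = read_tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after outer element")
    out = []
    while pos < end:
        _, _, e = read_tlv(der, pos)
        out.append(der[pos:e])
        pos = e
    return out

def tbs_signature_algorithm(tbs_der: bytes) -> bytes:
    """The AlgorithmIdentifier in TBSCertificate.signature (after optional [0] version, serial)."""
    fields = children(tbs_der)
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    if len(fields) < 2 or fields[0][0] != 0x02 or fields[1][0] != 0x30:
        raise ValueError("not a TBSCertificate")
    return fields[1]

def split_certificate(cert_der: bytes):
    """Certificate DER -> (tbs_der, signature_algorithm_der, raw signature bytes)."""
    tbs, alg, sig = children(cert_der)
    _, s, e = read_tlv(sig)
    if sig[0] != 0x03 or sig[s] != 0:
        raise ValueError("signatureValue must be a BIT STRING with 0 unused bits")
    return tbs, alg, sig[s + 1:e]

def assemble_certificate(tbs_der: bytes, sig_alg_der: bytes, signature: bytes) -> bytes:
    """Step 3 of the plan: wrap TBS + algorithm + signature into the outer SEQUENCE."""
    if tbs_signature_algorithm(tbs_der) != sig_alg_der:
        raise ValueError("TBS 'signature' must equal outer signatureAlgorithm (RFC 5280 4.1.1.2)")
    return der_seq(tbs_der, sig_alg_der, der_bitstring(signature))

def issue_with_external_signer(tbs_der: bytes, sig_alg_der: bytes, sign) -> bytes:
    """Steps 1-3: TBS is already DER, hand it to the external signer, splice result back."""
    return assemble_certificate(tbs_der, sig_alg_der, sign(tbs_der))

# --- constructed sample data (assumptions of this example) --------------------
RSA_SHA256 = der_seq(der_oid("1.2.840.113549.1.1.11"), b"\x05\x00")   # sha256WithRSAEncryption
ECDSA_SHA256 = der_seq(der_oid("1.2.840.10045.4.3.2"))               # ecdsa-with-SHA256
FAKE_TOKEN_SECRET = b"constructed stand-in, not a real private key"

def fake_hsm_sign(tbs_der: bytes) -> bytes:
    """Stand-in for the token's C_Sign: deterministic 32 bytes over exactly the TBS DER.
    A real PKCS#11 call returns the RSA/ECDSA signature over these same bytes."""
    return hmac.new(FAKE_TOKEN_SECRET, tbs_der, hashlib.sha256).digest()

def build_sample_tbs() -> bytes:
    """A v3 TBSCertificate with placeholder key bits; only the structure is realistic."""
    cn = lambda text: der_seq(der_set(der_seq(der_oid("2.5.4.3"), der_tlv(0x0C, text))))
    validity = der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    spki = der_seq(der_seq(der_oid("1.2.840.113549.1.1.1"), b"\x05\x00"), der_bitstring(b"\x00" * 8))
    return der_seq(der_tlv(0xA0, der_int(2)), der_int(0x1234), RSA_SHA256,
                   cn(b"Example Issuing CA"), validity, cn(b"leaf.example.test"), spki)

if __name__ == "__main__":
    cert = issue_with_external_signer(build_sample_tbs(), RSA_SHA256, fake_hsm_sign)
    print(cert.hex())
```

Two caveats when replacing `fake_hsm_sign` with a real token: which side hashes depends on the mechanism (a CKM_SHA256_RSA_PKCS-style mechanism hashes the TBS on the token, while a raw CKM_RSA_PKCS mechanism expects the caller to hash and DigestInfo-wrap first), and for ECDSA the token typically returns r||s, which must be re-encoded as a DER SEQUENCE before it goes into the BIT STRING. A convenient way to obtain the TBS bytes without hand-building them, if pyca/cryptography is in use, is to sign once with a throwaway key of the same algorithm and read `tbs_certificate_bytes` from the result, then splice in the token's signature as above.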