Skip to content

Add PKCS#11 3.2 attribute to NSSDB storage #310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add PKCS#11 3.2 attribute to NSSDB storage #310

wants to merge 1 commit into from

Conversation

simo5
Copy link
Member

@simo5 simo5 commented Jul 31, 2025

Description

This catches up nssdb to the changes happenning in NSS upstream

Fixes #307

Checklist

  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Rustdoc string were added or updated
  • CHANGELOG and/or other documentation added or updated
  • This is not a code change

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text
  • Doc string are properly updated

@simo5 simo5 requested a review from Jakuje July 31, 2025 13:16
Jakuje
Jakuje reviewed Jul 31, 2025
View reviewed changes
@simo5
Add PKCS#11 3.2 attribute to NSSDB storage
7bed5e7 
This catches up nssdb to the changes happenning in NSS upstream

Signed-off-by: Simo Sorce <[email protected]>
Jakuje
Jakuje reviewed Jul 31, 2025
View reviewed changes
Copy link
Contributor

@Jakuje Jakuje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering how the PQC algorithm tests worked before this with the NSS DB when the new attributes like Encapsulate, ParamSet and others could not have been stored in the database ....

src/storage/nssdb/mod.rs
* attributes and if so just fail immediately.
* Do this only for private objects otherwise we incorrectly
* match attributes like CKA_VALUE in public objects. */
if do_private && is_sensitive_attribute(attr.type_) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we have a simple regression test for this to make sure this works in both db backends correctly?

@simo5
Copy link
Member Author

simo5 commented Jul 31, 2025

I am wondering how the PQC algorithm tests worked before this with the NSS DB when the new attributes like Encapsulate, ParamSet and others could not have been stored in the database ....

Good q, I think they simply always use the sqlite database, we'll have to figure out how to make sure most test are also tried on nssdb, perhaps a build target that has only the nssdb ?

@Jakuje
Copy link
Contributor

Jakuje commented Jul 31, 2025

I am wondering how the PQC algorithm tests worked before this with the NSS DB when the new attributes like Encapsulate, ParamSet and others could not have been stored in the database ....

Good q, I think they simply always use the sqlite database, we'll have to figure out how to make sure most test are also tried on nssdb, perhaps a build target that has only the nssdb ?

Thats not how I wrote that. When nssdb is enabled, it should default to NSSDB, unless something changed since I did this:

kryoptic/src/tests/mod.rs

Line 191 in 461010b

fn get_default_db(name: &str) -> (&'static str, String) {

@simo5
Copy link
Member Author

simo5 commented Jul 31, 2025

I think I changed that because at some point all CI jobs included nssdb, and that means sqlite was never tested, so I think I change something and then forgot about it.

Maybe we should open a separate issue to follow up on this?

@simo5 simo5 marked this pull request as draft August 1, 2025 07:12
@simo5
Copy link
Member Author

simo5 commented Aug 1, 2025

Marking this as draft because I think we need to add at least a test that will upgrade a database with the new attributes and work correctly after doing that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jakuje Jakuje Jakuje left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update NSSDB code to include new pkcs#11 3.2 attributes
2 participants
@simo5 @Jakuje