C++ gRPC with PKCS#11

63 views
Skip to first unread message

GoogleUser Zak

unread,
Sep 9, 2023, 5:29:20 PMSep 9
to grpc.io
Hi,
I am looking for a GRPC library implementation/version where a C++ gRPC client, namely CreateChannel(),  can refer to the mTLS private key using PKCS#11 URI, and therefore the private key doesn't need to be read in the user space, and will stay in the HSM secure memory.

Is there a way to use openSSL with pkcs11 engine in the gRPC library? If so, any pointers about how to create that gRPC library?

Thanks
--
Hakim
 

Luwei Ge

unread,
Sep 13, 2023, 3:59:35 PMSep 13
to grpc.io
Hi,

I assume you are building gRPC with OpenSSL.

1. We do have some support for the Engine APIs (https://github.com/grpc/grpc/blob/6534f0a6bfc1cfae6db931f9ee16f480de980374/src/core/tsi/ssl_transport_security.cc#L568) of OpenSSL 1.0.2. Unfortunately, because the feature was implemented quite a while ago, the test (https://github.com/grpc/grpc/blob/3717ff04bafd18504d8613d753d4605927305de3/test/core/end2end/h2_ssl_cert_test.cc#L263) has been broken and yet to be fixed. Regardless of the test, if we assume this still works, would it accommodate your use case? Note that you'd be locked into OpenSSL 1.0.2.

2. If the option 1 above is not viable but OpenSSL Engine APIs will indeed solve your problem. Would you be interested in contributing to supporting this feature for more recent OpenSSL versions (namely, OpenSSL 3)?

Please let us know if you got any questions.

Best,
Luwei

GoogleUser Zak

unread,
Sep 18, 2023, 9:00:10 AMSep 18
to Luwei Ge, grpc.io
As a user of C++ gRPC standard library, I have hard time to understand why this pkcs#11 access to TLS credentials is not provided as part of the standard gRPC API. This way the user will not have to worry about re building the library. 

Therefore,  regarding which openssl version to use, if it is packaged inside the grpc library, then it will just depend on which version of grpc lib is being used.
So, moving to a new openssl version would just require the user to upgrade their grpc library to a new grpc version. 

Unless the community position is to let the users themselves build the grpc lib with whatever opssl version they prefer.

If someone can shed some light on this, it would be greatly appreciated.

Thanks


--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/8d002db7-98f7-4a8d-a472-a8e782f934a2n%40googlegroups.com.

Luwei Ge

unread,
Sep 19, 2023, 5:51:03 PMSep 19
to GoogleUser Zak, grpc.io
Unless the community position is to let the users themselves build the grpc lib with whatever opssl version they prefer.
 
gRPC only builds with BoringSSL with Bazel and can build with a list of supported OpenSSL versions with CMake. The OpenSSL is not packaged inside the library.

As a user of C++ gRPC standard library, I have hard time to understand why this pkcs#11 access to TLS credentials is not provided as part of the standard gRPC API.

I think the simple answer is that we don't see many use cases or requests for this. And external contributions are always welcomed.



Reply all
Reply to author
Forward
0 new messages