Hi all,
In this new installment of "let's discuss ideas for Mbed TLS 3.0" [1]: should we remove pkcs11.c from the code base?
[1]: https://developer.trustedfirmware.org/w/mbed-tls/tech-plans-3.0/
The X.509 library currently includes a module called "pkcs11", excluded from the default build, which provides a few wrappers around libpkcs11-helper [2], a library that "simplifies the interaction with PKCS#11 providers for end-user applications". In practice, it supports the use of X.509 certificates associated with an RSA key (not ECDSA) managed by libpkcs11-helper.
[2]: https://github.com/OpenSC/pkcs11-helper
We'd like to drop this module and remove it from the code base entirely for the following reasons:
- It has limited functionality, and soon PSA Crypto will provide more flexible support for secure management of private keys (not just RSA, and not just associated with X.509 certificates).
- It currently has no automated tests, so we're not even sure if it still works properly.
- The documentation is scarce and no member of the current maintenance team knows for sure how it's supposed to work.
- We never receive any support request about it so we're not sure if anyone is still using it. (As a weaker signal in the same direction, we deprecated it in 2.21.0, released 2020-02-20, and nobody complained so far.)
If you're using MBEDTLS_PKCS11_C or know someone who does, or if for any other reason you think we shouldn't drop it in Mbed TLS 3.0, please speak up now!
Regards,
Manuel.