Add PKCS #11 support. #1246

Closed
markrad opened this issue Oct 9, 2019 · 9 comments
@markrad
Member

markrad commented Oct 9, 2019

Is your feature request related to a problem? Please describe.
Feature request: Many HSMs can be conveniently accessed by a standardized API called PKCS 11. By supporting this in the SDK itself it would allow a much easier path for those wishing to use an HSM that supports this interface. Essentially having out of the box support in the manner of the existing TPM support.

Describe the solution you'd like
See above.

Describe alternatives you've considered
The alternative is making extensive modifications to the SDK code to support the HSM.

@ewertons
Contributor

ewertons commented Aug 5, 2020

As per offline discussion, we have come to an agreement that the new Azure SDK for Embedded C suite would be the best place for this enhancement to be done.
We filed an internal task to track this request.
Thanks,
Azure IoT SDK Team.

@ewertons ewertons closed this as completed Aug 5, 2020
@ronnytittoto

Hi team, is PKCS #11 support now available?
Thanks!

@CIPop
Member

CIPop commented Mar 29, 2021

@ronnytittoto yes, support has been added for OpenSSL on Linux by supporting OpenSSL ENGINEs. (Windows should already have support if the Windows Certificate Store is used instead of files on disk with a proper HSM/PKCS#11 driver.)

For most cases, we recommend using our SDK in conjunction with Azure Identity Service.
Examples of both Azure Identity Service as well as using a PKCS#11 Engine are available here.

This support has been added in #1798

@kiranpradeep

kiranpradeep commented Jul 5, 2021

@CIPop Is this support (pkcs11 via OpenSSL engine) limited to the iothub client, or does it equally apply to the DPS (provisioning) client? This query arises because, as part of #1798, although the samples in the iothub_client folder were updated, the samples in provisioning_client were left untouched.

Raising this query on a closed issue for completeness

@CIPop
Member

CIPop commented Jul 18, 2021

@kiranpradeep The feature was added to the common TLS layer but we have only tested it to work with the IoT Hub client and various OpenSSL engines. I don't know of any reason this wouldn't work with DPS although the API would require you to implement a custom HSM module to use the feature.

@kiranpradeep

kiranpradeep commented Jul 19, 2021

@CIPop Thanks. To confirm the understanding, can we provide a string like pkcs11:object=ec-privkey;type=private?pin-value=1234 in custom HSM module API (in custom_hsm_get_alias_key) and expect the openssl engine/pkcs11 integration to take over?

Fully understand that this might be untested. Also, this query is only for those who cannot use Azure Identity Service.

@CIPop
Member

CIPop commented Jul 21, 2021

@kiranpradeep you would also need to configure the type of Key, engine name, etc - similar to the Hub sample and documentation, but yes, in theory it should work.
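An added example, not code from this thread or from the Azure IoT C SDK, showing what a custom HSM module would want to check before handing a string like the one in kiranpradeep's question to the OpenSSL pkcs11 engine: it parses the RFC 7512 URI into path and query attributes, confirms it names a private-key object, and flags an inline `pin-value`, since a PIN embedded in the string sits in process memory and in any option logging, whereas `pin-source` keeps it out of the string. The parser, the function names and the constructed URIs are this example's own. The one assumption about the SDK, taken from its custom HSM sample and not verified here, is that `custom_hsm_get_alias_key` returns a heap-allocated string that the SDK frees; `alias_key_dup` mirrors that convention.

```c
/* pkcs11_uri_check.c -- added example; not part of the Azure IoT C SDK.
 * Validates a PKCS#11 URI (RFC 7512) before it is used as the "alias key"
 * for the OpenSSL pkcs11 engine. Percent-encoding is not decoded here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKCS11_MAX_ATTRS 16

typedef struct {
    const char *key;
    const char *val;
} pkcs11_attr;

typedef struct {
    char buf[512];                       /* private copy of the URI; separators become NULs */
    pkcs11_attr path[PKCS11_MAX_ATTRS];  /* path attributes: token=, object=, type=, id=, ... */
    size_t npath;
    pkcs11_attr query[PKCS11_MAX_ATTRS]; /* query attributes: pin-value=, pin-source=, module-path=, ... */
    size_t nquery;
} pkcs11_uri;

/* Splits "k=v<sep>k=v..." in place; returns the count or (size_t)-1 if an
 * attribute has no '='. A NULL or empty string yields zero attributes. */
static size_t split_attrs(char *s, char sep, pkcs11_attr *out, size_t max)
{
    size_t n = 0;
    while (s && *s && n < max) {
        char *next = strchr(s, sep);
        if (next) *next++ = '\0';
        char *eq = strchr(s, '=');
        if (!eq) return (size_t)-1;
        *eq = '\0';
        out[n].key = s;
        out[n].val = eq + 1;
        n++;
        s = next;
    }
    return n;
}

/* Returns 0 on success, -1 if the string is not a well-formed pkcs11: URI. */
int pkcs11_uri_parse(const char *uri, pkcs11_uri *u)
{
    memset(u, 0, sizeof *u);
    if (strncmp(uri, "pkcs11:", 7) != 0 || strlen(uri) >= sizeof u->buf) return -1;
    strcpy(u->buf, uri + 7);
    char *q = strchr(u->buf, '?');      /* '?' separates path attributes from query attributes */
    if (q) *q++ = '\0';
    size_t n = split_attrs(u->buf, ';', u->path, PKCS11_MAX_ATTRS);
    if (n == (size_t)-1) return -1;
    u->npath = n;
    n = split_attrs(q, '&', u->query, PKCS11_MAX_ATTRS);
    if (n == (size_t)-1) return -1;
    u->nquery = n;
    return 0;
}

static const char *find_attr(const pkcs11_attr *a, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(a[i].key, key) == 0) return a[i].val;
    return NULL;
}

/* Classifies a URI for use as a device private key.
 *  1 = private-key URI without an inline PIN (pin-source or no PIN),
 *  2 = private-key URI that carries pin-value (PIN lives in the string),
 *  0 = well-formed but does not select a private key, -1 = malformed. */
int pkcs11_uri_check_private_key(const char *uri)
{
    pkcs11_uri u;
    if (pkcs11_uri_parse(uri, &u) != 0) return -1;
    const char *type = find_attr(u.path, u.npath, "type");
    const char *object = find_attr(u.path, u.npath, "object");
    const char *id = find_attr(u.path, u.npath, "id");
    if (!type || strcmp(type, "private") != 0) return 0;
    if (!object && !id) return 0;       /* nothing identifies which key */
    if (find_attr(u.query, u.nquery, "pin-value")) return 2;
    return 1;
}

/* Assumed SDK convention (from its custom HSM sample): the alias key is
 * returned as a malloc'd copy that the caller frees. Returns NULL if the
 * URI is unusable, so a bad string fails early instead of at TLS setup. */
char *alias_key_dup(const char *uri)
{
    if (pkcs11_uri_check_private_key(uri) <= 0) return NULL;
    size_t len = strlen(uri) + 1;
    char *copy = malloc(len);
    if (copy) memcpy(copy, uri, len);
    return copy;
}

int main(void)
{
    /* Constructed inputs; the first is the string from the thread. */
    const char *uris[] = {
        "pkcs11:object=ec-privkey;type=private?pin-value=1234",
        "pkcs11:token=iot;object=ec-privkey;type=private?pin-source=file:/etc/iot/pin",
        "pkcs11:object=ec-privkey;type=public",
        "pkcs11:object=ec-privkey;type",
    };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        printf("%2d  %s\n", pkcs11_uri_check_private_key(uris[i]), uris[i]);
        char *k = alias_key_dup(uris[i]);
        free(k);
    }
    return 0;
}
```

The return code 2 is the case to treat as a warning in a real module: the engine accepts `pin-value`, but a URI carrying the PIN will be copied into every option structure and log line that holds the key reference, so a file- or environment-backed `pin-source` is the safer way to supply it.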

@Styne13

Styne13 commented Oct 12, 2021

Is there any news on using SSL engine support in the Provisioning Client?
We are also trying to achieve this by calling Prov_Device_SetOption(prov_device_handle, OPTION_OPENSSL_ENGINE, opensslEngine); and Prov_Device_SetOption(prov_device_handle, OPTION_OPENSSL_PRIVATE_KEY_TYPE, &x509_key_from_engine); with opensslEngine set to e4sss (our engine_id, configured in the default openssl.cnf in /usr/lib/ssl-1.1/).
Output from the SSL engine plugin is displayed, so it seems that the private key reference read by custom_hsm_get_alias_key is used to access the HSE.
Unfortunately, execution stops with `free(): invalid pointer` / `Aborted` after everything is set up and Prov_Device_Register_Device() is called.

@CIPop
Member

CIPop commented Oct 12, 2021

@Styne13 Creating a sample and testing this, at least with SoftHSM and the TPM engine, is in our backlog, but that could take a while as we work on higher-priority tasks.
Meanwhile, could you please open another bug and provide full logs?
