Commit Graph

9 Commits

Author SHA1 Message Date
Carter Perez 21741e0906
Merge pull request #286 from CarterPerez-dev/project/ja3-ja4-tls-fingerprinting
Project/ja3 ja4 tls fingerprinting
2026-06-18 19:38:51 -04:00
CarterPerez-dev c7e4f7572c feat(hsm-emulator): materialize default key-usage attributes per object class
materializeDefaults now sets CKA_ENCRYPT/DECRYPT/SIGN/VERIFY/SIGN_RECOVER/VERIFY_RECOVER/WRAP/UNWRAP/DERIVE (plus ALWAYS_AUTHENTICATE for private keys) to CK_FALSE when absent, per CKO_PUBLIC_KEY/PRIVATE_KEY/SECRET_KEY; smoke sets the RSA wrap and recover usage flags.
2026-06-16 03:07:03 -04:00
Carter Perez e8fe3c18c1
Update README.md 2026-06-02 08:37:58 -04:00
Carter Perez d57b17004b
Update README.md 2026-06-02 08:32:26 -04:00
CarterPerez-dev d03b9a37ad fix(hsm-emulator): install.sh builds and validates the ReleaseSafe artifact
build_module printed (ReleaseSafe) but ran plain 'zig build', which is Debug here (preferred_optimize_mode only ships ReleaseSafe with --release). It left a 20M Debug .so labeled as the shipped build, and 'zig build smoke' would reinstall Debug over any ReleaseSafe artifact via its install-step dependency.

Run build + test + smoke with --release=safe so the script produces and validates the real 5.9M shipped artifact end to end. Kept check-only (no dependency auto-install): missing deps still hard-fail/warn with the exact apt command.

Verified: ./install.sh exits 0 on a clean tree, final zig-out/lib/libhsm.so is 5.9M ReleaseSafe, tests + smoke pass, pkcs11-tool loads it.
2026-06-02 08:01:48 -04:00
CarterPerez-dev 53fd886ed8 docs(hsm-emulator): M12 learn track + README flip
learn/: add 00-OVERVIEW, 01-CONCEPTS, 02-ARCHITECTURE, 03-IMPLEMENTATION, 04-CHALLENGES, and MECHANICS (the byte-by-byte crypto deep-dive). CONFORMANCE shipped in M11. Real-breach grounding, function/file code refs (no line numbers), no AI voice.

Project README: flip M0-stale to real M0-M11 (21 mechanisms, std.Io.randomSecure, roadmap done through M12, learn/ link table).

Root README: graduate HSM to a completed project (Full Source Code 32->33, C badge -> Zig, title + footer now link to source and learn/).

Verified docs-only: zig build test and zig build smoke both exit 0, smoke mechanisms=21, objdump -T shows only C_GetFunctionList. No source changed.
2026-06-02 07:28:08 -04:00
CarterPerez-dev f70ca3f32c feat(hsm-emulator): M10 crypto-surface, M11 conformance, deep-audit hardening
M10 (crypto-surface): RUP-safe buffered AES-GCM streaming (16 MiB cap),
DigestEncrypt/SignEncrypt/DecryptDigest/DecryptVerify dual functions
(decrypt-side CBC-only), RSA C_SignRecover/C_VerifyRecover (CKM_RSA_PKCS),
digest-only Get/SetOperationState.

M11 (conformance): spec-correct C_WaitForSlotEvent (DONT_BLOCK->CKR_NO_EVENT,
blocking->FUNCTION_NOT_SUPPORTED, pReserved->ARGUMENTS_BAD) + CKF_DONT_BLOCK;
public learn/CONFORMANCE.md documenting every deliberate N/A with its OASIS
v2.40 section and exact return code.

Deep project audit (5 read-only dimension agents, 0 Critical/High):
- fix: C_Finalize-vs-fast-path use-after-free race -- replace lockless
  state.current() with state.acquire() (lock + verify-live atomically)
  across all ~57 entry points
- fix: enforce CKR_PIN_LEN_RANGE on the new PIN in InitToken/InitPIN/SetPIN
- fix: clear a stale sealed flag on Object.set replace (login-unseal wedge)
- harden: zeroize CBC plaintext stack temporaries; Debug leak-assert at
  C_Finalize turns smoke into an API-layer leak gate
- test: ABI layout-check PSS/OAEP param structs; +sealed-flag regression

Proven: 76/76 unit (Debug + ReleaseSafe), in-process smoke (with PIN-length
asserts), cross-process pkcs11-tool (init/pin/RSA keygen+sign/wrong-pin).
.so exports only C_GetFunctionList.
2026-06-02 06:48:25 -04:00
CarterPerez-dev 0b8f8df8a3 feat(hsm-emulator): M9 key management — wrap/unwrap, derive, digest-key
- C_WrapKey/C_UnwrapKey: CKM_AES_KEY_WRAP (RFC 3394) + CKM_RSA_PKCS_OAEP, secret keys only
- new AES-KEY-WRAP primitive in cipher.zig (RFC 3394 KAT-verified, fail-closed, zeroized temps)
- C_DeriveKey: factor shared secret-key-object builder; accept raw SEC1 or DER peer point
- C_DigestKey: secret-key class + sealed-guard (CKR_KEY_INDIGESTIBLE / CKR_USER_NOT_LOGGED_IN)
- advertise CKM_ECDH1_DERIVE + CKM_AES_KEY_WRAP; add WRAP/UNWRAP to RSA-PKCS-OAEP
- 9 OASIS-exact CKR_* wrap/unwrap/digest error codes
- 70/70 tests; proven via in-process smoke + cross-process pkcs11-tool (OpenSSL + RFC 3394 oracles)
2026-06-01 23:03:53 -04:00
CarterPerez-dev ccb1b40a15 feat(hsm-emulator): PKCS#11 HSM emulator in Zig (M0–M7)
Software HSM that compiles to a real Cryptoki (PKCS#11) v2.40 shared
object, loadable by pkcs11-tool / OpenSSL like a smartcard. SoftHSM2-style
three-layer split: C-ABI facade -> typed core state -> crypto + persistence.

- M0  hand-written v2.40 ABI + build-time OASIS cross-check; exports only C_GetFunctionList
- M1  sessions, login, Argon2id PIN, lockout
- M2  objects + find, CKA_PRIVATE gating, persisted token store
- M3  RNG, SHA-2 digest, HMAC, AES-CBC/CBC-PAD/GCM
- M4  ECDSA P-256/P-384 keygen + sign/verify (std.crypto)
- M5  RSA 2048-4096 via libcrypto: PKCS#1 v1.5 / PSS sign-verify, PKCS#1 / OAEP enc-dec
- M6  encrypted-at-rest store: selective AES-256-GCM envelope, master key wrapped under Argon2id(User-PIN)
- M7  hardening (session-secret zeroization, fail-closed relock, heap-leak scrub, ubsan-free ABI) + Docker

Verified three ways: 65/65 unit tests, in-process dlopen smoke, and
cross-process OpenSC pkcs11-tool (token keys survive process restart).

Also excludes vendor/pkcs11 from the trailing-whitespace / end-of-file
pre-commit hooks so the vendored OASIS headers keep their documented
SHA-256 provenance.
2026-06-01 20:35:48 -04:00