Azure/azure-iot-sdk-python

Does iot-sdk-python support PKCS#11?

devcopilot opened this issue · 3 comments

PKCS#11 is supported in azure-iot-sdk-c. I read the documentation and sample codes of iot-sdk-python but did not find information about PKCS#11 support.

Does azure-iot-sdk-python support PKCS#11 to use private keys stored in an HSM (not a TPM)?

Thanks for answering my question :)

The short answer is "no". The longer answer is "you can do anything in Python if you're ready to hack enough." :)

azure-iot-sdk-python uses the standard Python TLS stack, which uses a library called OpenSSL. This library does not support PKCS #11. There is a proposal to add this, but it has gone stale.

https://discuss.python.org/t/allow-ssl-client-certificate-private-key-verification-to-be-delegated-to-a-hsm/6942

I don't know if pyOpenSSL supports PKCS #11, but it may be possible to use pyOpenSSL with azure-iot-sdk-python. This would only work if pyOpenSSL can create an SSLContext object. We would also have to add an API to manually set the SSLContext on an azure-iot-sdk-python client object.

Depending on your HSM, another option might be to use python-mbedtls. This would also need an API to manually set the SSLContext. I did some playing around with this a few years ago (enough to do a POC), but it was ugly and the project changed direction before I could finish it.

Thanks a lot for the suggestions :) It is good enough for me to know that it is currently not supported.

I see azure-sdk-c supports pkcs11. I will use that library.

Hi @BertKleewein,

Apologies for the direct ping, but I was wondering if you could share the "enough to do a POC" details. This would be incredibly helpful for us to potentially finalize the work you've started.

Thanks,