Overriding sign function
elad opened this issue · 2 comments
Hello,
I'm trying to use ocspbuilder in an environment where keys are stored in an HSM. The private keys aren't available to me, and signing is a function that is provided by an API.
It would be great if one could override the sign function instead of assume keys are available on disk.
If you're receptive to such a change I could work on a PR.
Related discussion is available at wbond/asn1crypto#6.
In short, yes I would like to make this possible for the modularcrypto libraries. I think the main blocker is probably determining how to deal with package dependencies and usability. Right now users can install *builder and get a reasonable solution. It obviously installs oscrypto, which itsn't useful for some users.
I haven't dealt with optional pip dependencies, or anything like that. Without knowing the possibilities, I'd love users to install ocspbuilder and get oscrypto by default. But optionally be able to install ocspbuilder with (a theoretical at this point) package named pluggablecrypto or abstractcrypto which contained some abstract base classes there RSA/ECDSA signing and verification could be implemented. In that situation, I would expect oscrypto to not be installed.
Are you familiar with options in this area related to pip?
For the base crypto package, I'd like to keep things with a very simple API without lots of parameters. The approach I've taken so far with oscrypto is to make functions specific to viable combinations of ciphers, padding, etc to help prevent bad combinations, and to make it easy to search a codebase for certain constructs.
I have experience with using external HSMs, let's move the discussion to the referenced issue.