Skip to main content

kipuka_hsm/providers/
thales_csp.rs

1//! Thales Luna Cloud HSM (CSP) provider.
2//!
3//! The Thales Luna Cloud HSM provides network-attached hardware security modules
4//! with high-availability (HA) group support and partition-based multi-tenancy.
5//!
6//! # Platform-specific Library Paths
7//!
8//! - Linux: `/usr/safenet/lunaclient/lib/libCryptoki2_64.so`
9//! - Windows: `C:\Program Files\SafeNet\LunaClient\cryptoki.dll`
10//!
11//! # HA Group Configuration
12//!
13//! Luna CSP supports High Availability groups where multiple HSM partitions
14//! appear as a single virtual HSM:
15//! - Automatic failover between members
16//! - Load balancing across partitions
17//! - Synchronous or asynchronous replication
18//!
19//! HA groups are configured via `vtl` command-line tool.
20//!
21//! # Partition Management
22//!
23//! Each Luna HSM can be partitioned into multiple logical HSMs:
24//! - Independent key storage and access control per partition
25//! - Partition-level PIN authentication
26//! - Separate PKCS#11 slots per partition
27//!
28//! # Key Wrapping Support
29//!
30//! Luna CSP fully supports:
31//! - CKM_AES_KEY_WRAP (RFC 3394)
32//! - CKM_AES_KEY_WRAP_PAD (RFC 5649) for non-aligned keys
33//! - CKM_RSA_PKCS_OAEP for RSA-based wrapping
34//!
35//! All mechanisms are hardware-accelerated.
36
37use crate::HsmProvider;
38use crate::providers::HsmProviderConfig;
39use cryptoki::mechanism::MechanismType;
40
41/// Default PKCS#11 library path for Luna CSP.
42pub fn default_library_path() -> &'static str {
43    #[cfg(target_os = "linux")]
44    return "/usr/safenet/lunaclient/lib/libCryptoki2_64.so";
45
46    #[cfg(target_os = "windows")]
47    return "C:\\Program Files\\SafeNet\\LunaClient\\cryptoki.dll";
48
49    #[cfg(not(any(target_os = "linux", target_os = "windows")))]
50    return "/usr/safenet/lunaclient/lib/libCryptoki2_64.so";
51}
52
53/// Mechanisms supported by Luna CSP.
54pub fn supported_mechanisms() -> Vec<MechanismType> {
55    vec![
56        // RSA
57        MechanismType::RSA_PKCS,
58        MechanismType::RSA_PKCS_KEY_PAIR_GEN,
59        MechanismType::SHA256_RSA_PKCS,
60        MechanismType::SHA384_RSA_PKCS,
61        MechanismType::SHA512_RSA_PKCS,
62        MechanismType::RSA_PKCS_PSS,
63        MechanismType::SHA256_RSA_PKCS_PSS,
64        MechanismType::SHA384_RSA_PKCS_PSS,
65        MechanismType::SHA512_RSA_PKCS_PSS,
66        MechanismType::RSA_PKCS_OAEP,
67        // ECDSA
68        MechanismType::ECDSA,
69        MechanismType::ECDSA_SHA256,
70        MechanismType::ECDSA_SHA384,
71        MechanismType::ECDSA_SHA512,
72        MechanismType::ECC_KEY_PAIR_GEN,
73        // AES
74        MechanismType::AES_KEY_GEN,
75        MechanismType::AES_ECB,
76        MechanismType::AES_CBC,
77        MechanismType::AES_GCM,
78        MechanismType::AES_KEY_WRAP,
79        MechanismType::AES_KEY_WRAP_PAD,
80        // Hashing
81        MechanismType::SHA256,
82        MechanismType::SHA384,
83        MechanismType::SHA512,
84    ]
85}
86
87/// Get the default provider configuration for Thales Luna CSP.
88pub fn provider_config() -> HsmProviderConfig {
89    HsmProviderConfig {
90        provider: HsmProvider::ThalesCsp,
91        library_path: default_library_path().to_string(),
92        supported_mechanisms: supported_mechanisms(),
93        notes: vec![
94            "Supports HA group configuration for failover and load balancing".to_string(),
95            "Partition management via vtl command-line tool".to_string(),
96            "CKM_AES_KEY_WRAP fully supported".to_string(),
97            "CKM_AES_KEY_WRAP_PAD available for non-aligned key lengths".to_string(),
98            "RSAES-OAEP fully supported and hardware-accelerated".to_string(),
99            "Network-attached; requires Luna Client installation".to_string(),
100        ],
101    }
102}
103
104#[cfg(test)]
105mod tests {
106    use super::*;
107
108    #[test]
109    fn test_library_path_not_empty() {
110        assert!(!default_library_path().is_empty());
111    }
112
113    #[test]
114    fn test_mechanisms_include_key_wrap() {
115        let mechanisms = supported_mechanisms();
116        assert!(mechanisms.contains(&MechanismType::AES_KEY_WRAP));
117        assert!(mechanisms.contains(&MechanismType::AES_KEY_WRAP_PAD));
118        assert!(mechanisms.contains(&MechanismType::RSA_PKCS_OAEP));
119    }
120
121    #[test]
122    fn test_config_has_ha_notes() {
123        let config = provider_config();
124        assert!(config.notes.iter().any(|n| n.contains("HA group")));
125    }
126}