
Does iot-sdk-python support PKCS#11? #1093

Closed
devcopilot opened this issue Jan 16, 2023 · 3 comments

Comments

@devcopilot

PKCS#11 is supported in azure-iot-sdk-c. I read the documentation and sample codes of iot-sdk-python but did not find information about PKCS#11 support.

Does azure-iot-sdk-python support PKCS#11 to use the private keys stored in an HSM (not TPM)?

Thanks for answering my question :)

@BertKleewein
Member

The short answer is "no". The longer answer is "you can do anything in Python if you're ready to hack enough." :)

azure-iot-sdk-python uses the standard Python TLS stack, which uses a library called OpenSSL. This library does not support PKCS #11. There is a proposal to add this, but it has gone stale.

https://discuss.python.org/t/allow-ssl-client-certificate-private-key-verification-to-be-delegated-to-a-hsm/6942

I don't know if pyOpenSSL supports PKCS #11, but it may be possible to use pyOpenSSL with azure-iot-sdk-python. This would only work if pyOpenSSL can create an SSLContext object. We would also have to add an API to manually set the SSLContext on an azure-iot-sdk-python client object.

Depending on your HSM, another option might be to use python-mbedtls. This would also need an API to manually set the SSLContext. I did some playing around with this a few years ago -- enough to do a POC -- but it was ugly and the project changed direction before I could finish it.

@devcopilot
Author

Thanks a lot for the suggestions :) It is good enough for me to know that it is not currently supported.

I see azure-sdk-c supports PKCS#11. I will use that library.

@IniterWorker
Contributor

Hi @BertKleewein,

Apologies for the direct ping, but I was wondering if you could share the "enough to do a POC" details. This would be incredibly helpful for us to potentially finalize the work you've started.

Thanks,
