secure-systems-lab · lukpueh · Dec 13, 2022 · Nov 30, 2022 · Dec 2, 2022 · Dec 5, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -52,5 +52,26 @@ jobs:
           python -m pip install --upgrade pip
           pip install --upgrade tox
 
+      - name:  Install system dependencies
+        shell: bash
+        run: |
+          if [ "$RUNNER_OS" == "Linux" ]; then
+            sudo apt-get install -y softhsm2
+            echo "PYKCS11LIB=/usr/lib/softhsm/libsofthsm2.so" >> $GITHUB_ENV
+
+          elif [ "$RUNNER_OS" == "macOS" ]; then
+            brew install softhsm
+            echo "PYKCS11LIB=$(brew --prefix softhsm)/lib/softhsm/libsofthsm2.so" >> $GITHUB_ENV
+
+          # TODO: Uncomment when testing on Windows
+          # elif [ "$RUNNER_OS" == "Windows" ]; then
+          #   choco install softhsm.install
+          #   echo "PYKCS11LIB=C:\SoftHSM2\lib\softhsm2-x64.dll" >> $GITHUB_ENV
+
+          else
+              echo "$RUNNER_OS not supported"
+              exit 1
+          fi
+
       - name: Run tox
         run: tox -e ${{ matrix.toxenv }}
diff --git a/mypy.ini b/mypy.ini
@@ -12,4 +12,11 @@ follow_imports = silent
 
 # let's not install typeshed annotations for GCPSigner
 [mypy-google.*]
-ignore_missing_imports = True
+ignore_missing_imports = True
+
+# Suppress error messages for non-annotating dependencies
+[mypy-PyKCS11.*]
+ignore_missing_imports = True
+
+[mypy-asn1crypto.*]
+ignore_missing_imports = True
diff --git a/pylintrc b/pylintrc
@@ -51,3 +51,4 @@ check-quote-consistency=yes
 
 [TYPECHECK]
 generated-members=shake_128s.*
+ignored-modules=PyKCS11
diff --git a/pyproject.toml b/pyproject.toml
@@ -47,6 +47,8 @@ crypto = ["cryptography>=37.0.0"]
 gcpkms = ["google-cloud-kms"]
 pynacl = ["pynacl>1.2.0"]
 PySPX = ["PySPX==0.5.0"]
+asn1 = ["asn1crypto"]
+pykcs11 = ["PyKCS11"]
 
 [tool.setuptools]
 include-package-data = true

diff --git a/requirements-pinned.txt b/requirements-pinned.txt
@@ -1,6 +1,23 @@
-cffi==1.15.1              # via cryptography, pynacl
-cryptography==38.0.3
-pycparser==2.21           # via cffi
+#
+# This file is autogenerated by pip-compile with python 3.8
+# To update, run:
+#
+#    pip-compile --output-file=requirements-pinned.txt requirements.txt
+#
+asn1crypto==1.5.1
+    # via -r requirements.txt
+cffi==1.15.1
+    # via
+    #   cryptography
+    #   pynacl
+    #   pyspx
+cryptography==38.0.3 ; python_version >= "3"
+    # via -r requirements.txt
+pycparser==2.21
+    # via cffi
+pykcs11==1.5.11
+    # via -r requirements.txt
 pynacl==1.5.0
-six==1.16.0               # via pynacl
-PySPX==0.5.0
+    # via -r requirements.txt
+pyspx==0.5.0
+    # via -r requirements.txt
diff --git a/requirements.txt b/requirements.txt
@@ -34,3 +34,5 @@
 cryptography >= 37.0.0; python_version >= '3'
 pynacl
 PySPX
+PyKCS11
+asn1crypto
diff --git a/securesystemslib/signer/__init__.py b/securesystemslib/signer/__init__.py
@@ -5,6 +5,7 @@
 Some implementations are provided by default but more can be added by users.
 """
 from securesystemslib.signer._gcp_signer import GCPSigner
+from securesystemslib.signer._hsm_signer import HSMSigner
 from securesystemslib.signer._key import KEY_FOR_TYPE_AND_SCHEME, Key, SSlibKey
 from securesystemslib.signer._signature import GPGSignature, Signature
 from securesystemslib.signer._signer import (
@@ -21,6 +22,7 @@
         SSlibSigner.ENVVAR_URI_SCHEME: SSlibSigner,
         SSlibSigner.FILE_URI_SCHEME: SSlibSigner,
         GCPSigner.SCHEME: GCPSigner,
+        HSMSigner.SCHEME: HSMSigner,
     }
 )
Original file line number	Diff line number	Diff line change
Expand Up		@@ -51,3 +51,4 @@ check-quote-consistency=yes

		[TYPECHECK]
		generated-members=shake_128s.*
		ignored-modules=PyKCS11
-Original file line number
+Diff line change
@@ Expand Up / @@ -34,3 +34,5 @@ @@
     cryptography >= 37.0.0; python_version >= '3'
     pynacl
     PySPX
+    PyKCS11
+    asn1crypto