Bug #75446 Support for PKCS#11 (token/smartcard) in mysql client
Submitted: 8 Jan 2015 10:31 Modified: 13 Jan 2018 11:06
Reporter: Daniël van Eeden (OCA)
Status: Verified Impact on me: None
Category:MySQL Server: Command-line Clients Severity:S4 (Feature request)
Version:5.7 OS:Any
Assigned to: Harin Vadodaria CPU Architecture:Any
Tags: cryptoki, hsm, MS-CAPI, opensc, pkcs11, smartcard, token

[8 Jan 2015 10:31] Daniël van Eeden
Description:
It would be nice if I could use a token like the Feitian ePass2003 to store the private key which is used to login to MySQL.

This would be similar to how this is used for SSH:
https://nilsschneider.net/2013/06/20/epass2003-quickstart.html

How to repeat:
See description
[17 Jul 2015 13:47] Georgi Kodinov
Thank you for the reasonable feature request.
We currently are linking the community binaries with yaSSL for licensing reasons.
But you can try linking with OpenSSL and install OpenSC's pkcs11 engine (https://github.com/OpenSC/engine_pkcs11). This looks like it should work.
And please share the results back to us.
[28 Aug 2015 8:20] Daniël van Eeden
There are multiple uses of PKCS#11 for MySQL I can think of:
- Storing the server private key in a HSM token, but I don't think that makes much sense
- Storing the client private key in a USB device. This does make sense.

The interface for the client should:
- Allow you to specify a PKCS #11 URI [1]
- Allow you to enter a PIN
- Load the OpenSSL engine [2] with ENGINE_by_id() and ENGINE_init()
- Get the key from the device with ENGINE_load_private_key()

Example interface:
$ mysql -h securedb.example.com -u myuser --ssl-key='pkcs11:id=%12%f2%32%67%87'

This is how OpenSSH looks:
$ ssh -I opensc-pkcs11.so secureshell.example.com
Enter PIN for 'ePass2003 (User Pin)':

This is how OpenSSL looks:
$ openssl s_client -engine pkcs11 -key 'pkcs11:id=%12%f2%32%67%87' -keyform e -connect secureweb.example.com:443
PKCS#11 token PIN:

For Firefox the interface is:
- Preferences→Advanced→Certificates→Security Devices and then click load and enter '/usr/lib64/opensc-pkcs11.so'.
- After that everything works just like 'regular' client certificates.

I found the GnuTLS utility p11tool very useful to get the PKCS #11 URI. Note that PKCS #11 URIs can be much longer than this example.

NLnet Labs has some examples in their publication [3].

[1] https://tools.ietf.org/html/rfc7512
[2] https://www.openssl.org/docs/manmaster/crypto/engine.html
[3] https://www.nlnetlabs.nl/downloads/publications/hsm/
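Added example (not from the bug report or MySQL's code): a small RFC 7512 parser showing how a client could tell a `--ssl-key` value naming a token object apart from a PEM file, decode the percent-encoded `id` into bytes, and flag a PIN embedded in the URI so the client prompts for it instead. The attribute name sets are the ones RFC 7512 defines; vendor attributes are left out as a simplification.

```python
from urllib.parse import unquote, unquote_to_bytes

# Attribute names from RFC 7512 section 2.3 (vendor-specific attributes omitted).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
SCHEME = "pkcs11:"


def is_pkcs11_uri(value: str) -> bool:
    """True if an --ssl-key value names a token object rather than a key file."""
    return value[:len(SCHEME)].lower() == SCHEME


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a PKCS#11 URI into its path and query attributes.

    Path attributes are ';'-separated, query attributes '&'-separated, and
    values are percent-encoded. 'id' is binary and is decoded to bytes; every
    other value is decoded to text. Unknown or repeated attribute names are
    rejected (RFC 7512 forbids repeating a standard attribute).
    """
    if not is_pkcs11_uri(uri):
        raise ValueError("not a PKCS#11 URI")
    path_part, _, query_part = uri[len(SCHEME):].partition("?")
    parsed = {"path": {}, "query": {}}
    for section, text, sep, allowed in (("path", path_part, ";", PATH_ATTRS),
                                        ("query", query_part, "&", QUERY_ATTRS)):
        for attr in filter(None, text.split(sep)):
            name, eq, raw = attr.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"unknown or malformed attribute: {attr!r}")
            if name in parsed[section]:
                raise ValueError(f"attribute repeated: {name}")
            parsed[section][name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    return parsed


def pin_in_uri(uri: str) -> bool:
    """A pin-value in the URI ends up in shell history and process listings;
    a client seeing one should warn and prefer an interactive PIN prompt."""
    return "pin-value" in parse_pkcs11_uri(uri)["query"]


if __name__ == "__main__":
    # Constructed sample: the id from the feature request plus a token label.
    sample = "pkcs11:token=ePass2003;id=%12%f2%32%67%87"
    print(parse_pkcs11_uri(sample))
    print(pin_in_uri(sample + "?pin-value=1234"))
```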
[13 Jan 2018 11:06] Daniël van Eeden
Related:
Bug #31039 Smartcard (PKCS#11) support for MySQL client