Bug#1113986: ITP: nethsm-pkcs11 -- PKCS#11 module for Nitrokey NetHSM
On September 5, 2025 1:35:55 AM GMT+02:00, Tobias Deiminger <tobias.deiminger@posteo.de> wrote:
>Package: wnpp
>Severity: wishlist
>Owner: Tobias Deiminger <tobias.deiminger@posteo.de>
>X-Debbugs-Cc: debian-devel@lists.debian.org, debian-rust@lists.debian.org
>
>* Package name : nethsm-pkcs11
> Version : 1.7.2
> Upstream Contact: Technical support support@nitrokey.com
>* URL : https://github.com/Nitrokey/nethsm-pkcs11
>* License : Apache 2.0
> Programming Lang: Rust
> Description : PKCS#11 module for Nitrokey NetHSM
>
>nethsm-pkcs11 is an open source PKCS#11 module written in Rust and
>published by Nitrokey to use their NetHSM hardware [1] as a backend for
>PKCS#11 operations. As such it's comparable to yubihsm-pkcs11 which is
>already in Debian. Unlike most other Rust crates, the build output is a
>shared library implementing the Cryptoki C API [2].
>
>I've walked through the packaging process locally to see what it takes
>and was able to build and use the resulting .deb to connect to a NetHSM
>and perform code signing operations. Only minor patching will be needed,
>mostly dropping/relaxing dependencies.
>
>At least following changes are required in Debian:
>
>- nethsm-pkcs11 1.7.2, new
>- nethsm-sdk-rs 2.0.0, new
>- multipart 0.18.0 new, enable only client features to avoid more dependencies
>- x509-cert 0.2.5 new
>- merge, merge_derive 0.1.0 -> 0.2.0
>- tex-fmt 0.5.2, rdep to merge, bump merge to 0.2.0
>
>I should be able to maintain the new packages in my spare- and working
>time and hope to find a sponsor from the Rust team initially.
Feel free to ping me for review and/or sponsorship, or if you
do run into issues. While I don't have the HW in question, I
have some familiarity with pkcs#11 and know my way around
Rust (packaging) :)
>
>[1] https://www.nitrokey.com/de/produkte/nethsm
>[2] https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
>
Reply to: