Merged
'Daemon' can be used to reliably launch 'kmip2pkcs11' using SoftHSMv2 from a regular integration test. With this little bit of setup effort, it eliminates the need for containerized testing, and allows multiple tests to execute in parallel with a single daemon. An initial attempt used the regular test harness and put the daemon in a 'LazyLock' static; but this would prevent dropping and cleaning up the temporary directory. Instead, the test harness was omitted, and tests will have to be parallelized manually.
'kmip2pkcs11's dependencies have been adjusted to avoid the 'sync' vs. 'async' feature flag problem, caused by 'kmip-protocol' and 'kmip-ttlv's use of 'maybe-async'. A minor frustration: 'kmip-protocol' needlessly enables 'ring' on 'rustls'. Due to the complex dependency tree, 'rustls' now has both 'ring' and 'aws_lc_rs' backends enabled, but *only during tests*. This conflicts weirdly with Rust's incremental engine: it only retains compilation state from the immediately prior compilation. 'cargo test' will enable the 'ring' feature, then 'cargo build --bin' (inside the test) will disable it. This causes 'ring', 'rustls', and all crates depending on them to get repeatedly recompiled. While this is really a Rust compiler problem, we want to prevent 'kmip-protocol' from adding the 'ring' feature anyway.
Different crates depending on 'rustls' were using 'aws-lc-rs' and 'ring'. Ideally, the choice should be left to the top-level application (i.e. here), but 'kmip-protocol' currently enables 'ring'. For simplicity, the remaining crates have been stopped from enabling 'aws-lc-rs', so now 'ring' is the only enabled crypto provider.
ximon18 reviewed Jan 20, 2026
ximon18 approved these changes Jan 20, 2026
At the moment, 'kmip2pkcs11' only supports RSA-SHA256 and ECDSAP256SHA256, so those are the only ones we test.
We rely on it unconditionally in 'main.rs'.
This PR adds a full system test for kmip2pkcs11, by spawning the daemon (configured with SoftHSMv2) and querying it via domain-kmip. It's relatively simple (no containerization, should be usable from CI) and well-isolated (careful use of temporary directories). Hopefully, it can serve as a nice way to systematically test kmip2pkcs11 as a whole.
It merges onto #29, where I wanted it to check that KMIP request parsing still works properly. It has already helped me catch one bug (missing buffer.drain(), which I amended into #29).
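The first commit message's point about a `LazyLock` static versus a harness-less test binary, as an added example that is not code from this PR: Rust never drops statics, so a fixture stored in one cannot remove its temporary directory, while a fixture owned by a runner function is dropped once the manually parallelized cases finish. `Fixture`, `Case`, `run_all` and the two sample cases are hypothetical names, and the fixture here only creates a scratch directory instead of spawning the daemon.

```rust
use std::{env, fs, io, path::PathBuf, process, thread};

/// Stand-in for the daemon fixture (hypothetical): owns a scratch directory,
/// where the PR would keep SoftHSMv2 state, and removes it on drop.
pub struct Fixture { pub dir: PathBuf }
impl Fixture {
    pub fn start(tag: &str) -> io::Result<Self> {
        let dir = env::temp_dir().join(format!("fixture-{tag}-{}", process::id()));
        fs::create_dir_all(&dir)?; // a real fixture would also spawn the daemon
        Ok(Self { dir })
    }
}

impl Drop for Fixture {
    // Never runs for a value held in a `static` (e.g. inside a LazyLock).
    fn drop(&mut self) { let _ = fs::remove_dir_all(&self.dir); }
}

pub type Case = (&'static str, fn(&Fixture) -> Result<(), String>);

/// Runs each case on its own thread against one shared fixture, then drops
/// the fixture. Returns the scratch path and the names of failed cases.
pub fn run_all(tag: &str, cases: &[Case]) -> io::Result<(PathBuf, Vec<&'static str>)> {
    let fixture = Fixture::start(tag)?;
    let fx = &fixture;
    let failed: Vec<&'static str> = thread::scope(|s| {
        let handles: Vec<_> = cases.iter()
            .map(|&(name, case)| (name, s.spawn(move || case(fx))))
            .collect();
        handles.into_iter() // a case fails if it returned Err or panicked
            .filter_map(|(name, h)| if matches!(h.join(), Ok(Ok(()))) { None } else { Some(name) })
            .collect()
    });
    let dir = fixture.dir.clone();
    drop(fixture); // cleanup happens here, before the process exits
    Ok((dir, failed))
}

// Constructed sample cases; real ones would send KMIP requests to the daemon.
pub fn dir_exists(f: &Fixture) -> Result<(), String> {
    if f.dir.is_dir() { Ok(()) } else { Err("scratch dir missing".into()) }
}
pub fn always_fails(_: &Fixture) -> Result<(), String> { Err("constructed".into()) }

fn main() {
    let cases: [Case; 2] = [("dir_exists", dir_exists), ("always_fails", always_fails)];
    let (dir, failed) = run_all("demo", &cases).expect("fixture setup");
    println!("failed: {failed:?}; scratch dir removed: {}", !dir.exists());
}
```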