The `keyspec` provided as input to the `hsm generate` command includes an `id` value that uniquely identifies the key in the HSM. If the `id` value from the `keyspec` is already in use by the HSM then the command will fail / refuse to create the key. We currently manage this by carefully selecting `id` values but it's still a bit of a pitfall. The HSM can / will dynamically assign `id`s for us though (https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html#id178) and we should use this feature to generate key ids for us.
This seems pretty straightforward at first glance but will require that we:
- make the `KeySpec.id` field an `Option<Id>`
- when we `hsm generate` a key we must catch the `Id` produced by the HSM and set it in the `KeySpec` before persisting it in the `ca-state`
- ensure that this field is `Some` when other commands use a `KeySpec` that should / must have an `Id`
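A sketch of the three steps listed above, added here as an illustration and not taken from the project's code. `MockHsm`, `hsm_generate`, `require_id`, the two-field `KeySpec`, the `Vec` standing in for the `ca-state` and the lowest-free-id policy are all assumptions; the real HSM chooses ids its own way.

```rust
use std::collections::BTreeMap;

type Id = u16;
/// Hypothetical, trimmed-down KeySpec: `id` may be omitted on input.
#[derive(Debug, Clone, PartialEq)]
struct KeySpec {
    id: Option<Id>,
    label: String,
}

/// In-memory stand-in for the HSM object store (assumption, not a YubiHSM API).
#[derive(Default)]
struct MockHsm {
    objects: BTreeMap<Id, String>,
}

impl MockHsm {
    /// Refuses an explicit id that is in use; with `None` picks the lowest free id.
    fn generate(&mut self, requested: Option<Id>, label: &str) -> Result<Id, String> {
        let id = match requested {
            Some(id) if self.objects.contains_key(&id) => return Err(format!("id {:#06x} in use", id)),
            Some(id) => id,
            None => (1..=Id::MAX)
                .find(|i| !self.objects.contains_key(i))
                .ok_or("no free object ids")?,
        };
        self.objects.insert(id, label.to_string());
        Ok(id)
    }
}

/// `hsm generate`: create the key, then persist the KeySpec with the id the HSM reports.
fn hsm_generate(hsm: &mut MockHsm, spec: &KeySpec, ca_state: &mut Vec<KeySpec>) -> Result<Id, String> {
    let id = hsm.generate(spec.id, &spec.label)?;
    ca_state.push(KeySpec { id: Some(id), ..spec.clone() });
    Ok(id)
}

/// Commands that operate on an existing key reject a KeySpec whose id is `None`.
fn require_id(spec: &KeySpec) -> Result<Id, String> {
    spec.id.ok_or_else(|| format!("KeySpec '{}' has no id", spec.label))
}

fn main() {
    let (mut hsm, mut ca_state) = (MockHsm::default(), Vec::new());
    let spec = KeySpec { id: None, label: "root-ca".into() };
    hsm_generate(&mut hsm, &spec, &mut ca_state).unwrap();
    println!("persisted {:?}, id {:?}", ca_state[0], require_id(&ca_state[0]));
}
```

Nothing is persisted when generation fails, so a colliding explicit `id` leaves the stored state unchanged.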