Reputation: 804
I need to use openssl with keys stored on a distant KMS.
How can I do this?
I've seen specific projects about openssl using AWS keys (1) or Google cloud keys (2).
Still, I found no KMIP-generic solution.
(1) https://github.com/nakedible/openssl-engine-kms
(2) https://cloud.google.com/kms/docs/reference/pkcs11-openssl
So far I built pkcs11 and libp11 DLLs from OpenSC/libp11 project (https://github.com/OpenSC/libp11).
Openssl loads the pkcs11 engine.
I feel I'm getting nearer...
... but I'm lacking a pkcs11 driver that would use kmip as a backend.
Does such a driver exist?
-- or --
The KMS also has a REST API.
Are there solutions to bridge an existing openssl engine with a rest API?
Precisions:
Upvotes: 0
Views: 37
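As an added illustration (not from the question or from the libp11 project): an OpenSSL configuration fragment that loads the libp11 engine and points it at a PKCS#11 module, so a key held on the remote KMS is referenced by a PKCS#11 URI rather than a key file. The engine path, module path, token label and key label are placeholders; the KMIP-backed PKCS#11 module the question is looking for is exactly what `MODULE_PATH` would have to name.

```ini
# openssl.cnf fragment (added example; all paths and labels are placeholders)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# engine built from OpenSC/libp11 (placeholder path; a .dll on Windows)
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
# PKCS#11 module that actually talks to the remote KMS (placeholder path);
# a KMIP-backed module would be loaded here instead of a local token driver
MODULE_PATH = /path/to/kms-pkcs11-module.so
init = 0

# Usage: the private key never leaves the module; OpenSSL only gets a handle.
#   openssl req -new -engine pkcs11 -keyform engine \
#     -key "pkcs11:token=MyToken;object=MyKey;type=private" \
#     -out request.csr -subj "/CN=example"
# Check that the engine itself loads before debugging the module:
#   openssl engine -t -c pkcs11
```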
Reputation: 11
There are many PKCS#11-over-the-network implementations by way of an openssl 'engine'. Each HSM manufacturer has its own, and each HSM on a cloud provider has one too. I recently tested the Thales Luna implementation of their .so library as an engine. OK, it never worked (problem with symbols), but it should work.
But the real blocking point was the price: 25 k/year for 1 key (at the beginning); that's unreasonable. That's nearly the price of a standalone rackable HSM (~30-40k). OK, we generally need 2 HSMs as-a-box for redundancy.
I don't want to use AWS nor Azure for sovereignty considerations. The KMS system and the KMIP protocol are a decent proposal. Alas, there is NO openssl implementation of KMIP, yet.
db
Upvotes: 1