Nitrokey
diff --git a/‎rstcheck.toml
Lines changed: 7 additions & 3 deletions b/‎rstcheck.toml
Lines changed: 7 additions & 3 deletions
diff --git a/‎source/components/nethsm/apache.rst
Lines changed: 34 additions & 35 deletions b/‎source/components/nethsm/apache.rst
Lines changed: 34 additions & 35 deletions
diff --git a/‎source/components/nethsm/container/container-hardware-restriction.rst.inc
Lines changed: 0 additions & 6 deletions b/‎source/components/nethsm/container/container-hardware-restriction.rst.inc
Lines changed: 0 additions & 6 deletions
diff --git a/‎source/components/nethsm/container/image-feature-restrictions.rst
Lines changed: 10 additions & 0 deletions b/‎source/components/nethsm/container/image-feature-restrictions.rst
Lines changed: 10 additions & 0 deletions
diff --git a/‎source/components/nethsm/container/index.rst
Lines changed: 1 addition & 0 deletions b/‎source/components/nethsm/container/index.rst
Lines changed: 1 addition & 0 deletions
diff --git a/‎source/components/nethsm/container/production-image.rst
Lines changed: 2 additions & 2 deletions b/‎source/components/nethsm/container/production-image.rst
Lines changed: 2 additions & 2 deletions
diff --git a/‎source/components/nethsm/container/test-image.rst
Lines changed: 2 additions & 2 deletions b/‎source/components/nethsm/container/test-image.rst
Lines changed: 2 additions & 2 deletions
diff --git a/‎source/components/nethsm/ejbca.rst
Lines changed: 13 additions & 10 deletions b/‎source/components/nethsm/ejbca.rst
Lines changed: 13 additions & 10 deletions
diff --git a/‎source/components/nethsm/nginx.rst
Lines changed: 50 additions & 48 deletions b/‎source/components/nethsm/nginx.rst
Lines changed: 50 additions & 48 deletions
@@ -5,7 +5,11 @@ ignore_directives = [
     "faq",
     "product-table",
 ]
-# ignore-messages is needed due to links being used in directives, which
-# are not visible by rstcheck as these directives are ignored (mostly faq)
-ignore_messages = "faq(.*)Hyperlink target(.*)is not referenced"
+ignore_messages = [
+    # Hyperlinks are not visible by rstcheck as there directives are ignored (mostly faq).
+    "faq(.*)Hyperlink target(.*)is not referenced",
+    # Docutils raises this warning even when an explicit target link is set.
+    # In case it is linked to, it will concert to an error.
+    "Duplicate implicit target name: .*",
+]
 
@@ -17,48 +17,48 @@ Httpd Configuration
 
 Add the following lines to your ``httpd.conf`` :
 
-.. code-block:: 
+.. code-block:: apache
   
-  Listen 443
-  #...
-  LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-  LoadModule ssl_module modules/mod_ssl.so
-  #...
-
-  <VirtualHost *:443>
-      DocumentRoot /usr/local/apache2/htdocs
-      SSLEngine on
-      SSLCertificateFile /certs/certificate.pem
-      SSLCertificateKeyFile "pkcs11:object=webserver"   
-      ErrorLog /tmp/a-error.log
-      CustomLog /tmp/a-access.log combined
-  </VirtualHost>
+   Listen 443
+   #...
+   LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+   LoadModule ssl_module modules/mod_ssl.so
+   #...
+
+   <VirtualHost *:443>
+       DocumentRoot /usr/local/apache2/htdocs
+       SSLEngine on
+       SSLCertificateFile /certs/certificate.pem
+       SSLCertificateKeyFile "pkcs11:object=webserver"   
+       ErrorLog /tmp/a-error.log
+       CustomLog /tmp/a-access.log combined
+   </VirtualHost>
 
 The ``SSLCertificateFile`` must point to a certificate file on the disk.
-
 The ``SSLCertificateKeyFile`` should be a PKCS#11 `URI <https://www.rfc-editor.org/rfc/rfc7512>`__ pointing to the private key in the NetHSM.
 
-.. note:: 
-  You must generate the certificate separately and then upload it to the NetHSM. If the certificate on disk and the key in the NetHSM don't match httpd won't start.
+.. note::
+   You must generate the certificate separately and then upload it to the NetHSM.
+   If the certificate on disk and the key in the NetHSM don't match httpd won't start.
 
 libnethsm_pkcs11 Configuration
 ------------------------------
 
 .. code-block:: yaml
 
-  slots:
-    - label: LocalHSM
-      description: Local HSM (docker)
-      url: "https://192.168.3.161:8443/api/v1"
-      operator:
-        username: "operator"
-        password: "opPassphrase"
+   slots:
+     - label: LocalHSM
+       description: Local HSM (docker)
+       url: "https://192.168.3.161:8443/api/v1"
+       operator:
+         username: "operator"
+         password: "opPassphrase"
 
 To secure the password you can provide it via an environment variable (see `Passwords <pkcs11-setup.html#passwords>`__) or provide it in the httpd configuration:
 
-.. code-block::
+.. code-block:: apache
 
-    SSLCertificateKeyFile "pkcs11:object=webserver;type=private;pin=opPassphrase";
+   SSLCertificateKeyFile "pkcs11:object=webserver;type=private;pin=opPassphrase";
 
 
 Example
@@ -67,8 +67,7 @@ Example
 If you want to experiment with the `given example <https://github.com/Nitrokey/nethsm-pkcs11/tree/main/container/apache>`__ use git to clone the `nethsm-pkcs11 repository <https://github.com/Nitrokey/nethsm-pkcs11>`__ and run the following commands:
 
 .. warning:: 
-
-  Running the generate script deletes the ``webserver`` key and replaces it.
+   Running the generate script deletes the ``webserver`` key and replaces it.
 
 1. Configure a NetHSM, either a real one or a container. See the `getting-started guide <getting-started.html>`__ for more information. Besides an administrator, you are going to need an operator account.
 2. Download and install the latest version of the nethsm-pkcs11 driver `available from here <https://github.com/Nitrokey/nethsm-pkcs11/releases>`__.
@@ -78,20 +77,20 @@ If you want to experiment with the `given example <https://github.com/Nitrokey/n
 6. Update the PKCS11 configuration in ``container/apache/p11nethsm.conf`` with your NetHSMs URL and valid operator credentials. 
 7. Generate the certificate and key.
 
-  .. code-block:: bash
+   .. code-block:: bash
    
-    ./container/apache/generate.sh
+      ./container/apache/generate.sh
 
 8. Build the container.
 
-  .. code-block:: bash
+   .. code-block:: bash
     
-    docker build -f container/apache/Dockerfile . -t pkcs-httpd
+      docker build -f container/apache/Dockerfile . -t pkcs-httpd
 
 9. Run the container.
 
-  .. code-block:: bash
+   .. code-block:: bash
     
-    docker run -p 9443:443 -p 9080:80 pkcs-httpd
+      docker run -p 9443:443 -p 9080:80 pkcs-httpd
   
 The Apache test page will be available at `https://localhost:9443/ <https://localhost:9443/>`__. Note that your browser, hopefully, will warn you that the websites certificate is self-signed.
@@ -0,0 +1,10 @@
+Image Feature Restrictions
+--------------------------
+
+Compared to the NetHSM hardware the following functions are not implemented at the software container's REST API:
+
+- Network configuration
+- Factory reset
+- Reboot
+- Software update
+
@@ -7,5 +7,6 @@ Please refer to the following chapters to learn more about the NetHSM container
    :maxdepth: 1
    :glob:
 
+   image-feature-restrictions.rst
    production-image.rst
    test-image.rst
@@ -6,13 +6,13 @@ It requires an external etcd key-value store which is connected through an encry
 The NetHSM process can be executed with hardware-based separation (KVM) and device-specific encryption.
 The image is distributed as OCI image and can be run locally with a compatible executor such as Docker and Podman.
 
-.. include:: container-hardware-restriction.rst.inc
+The image is subject to some feature restrictions in comparison to the NetHSM hardware.
+Please refer to chapter `Image Feature Restrictions <image-feature-restrictions.html>`__ to learn more.
 
 The NetHSM production container is a product for paying customers only and can be purchased `here <https://www.nitrokey.com/contact>`__.
 The image can be obtained from `Nitrokey NetHSM registry <https://registry.git.nitrokey.com/distribution/nethsm>`_ using the credentials provided after purchase.
 
 .. warning::
-
    The security of the NetHSM software container strongly depends on the platform's security.
    A compromised platform could easily compromise a NetHSM software container it executes.
    In addition the TRNG is not existent so that the entropy used and provided by the NetHSM depends on the platform's entropy. 
 
@@ -6,12 +6,12 @@ It does not offer to run the NetHSM process with hardware-based separation (KVM)
 The connection between the NetHSM process and the integrated key-value store is unencrypted.
 The image is distributed as OCI image and can be run locally with a compatible executor such as Docker and Podman.
 
-.. include:: container-hardware-restriction.rst.inc
+The image is subject to some feature restrictions in comparison to the NetHSM hardware.
+Please refer to chapter `Image Feature Restrictions <image-feature-restrictions.html>`__ to learn more.
 
 The image can be obtained from `Docker Hub <https://hub.docker.com/r/nitrokey/nethsm>`_.
 
 .. warning::
-
    Do not use the test image under any circumstances for production data and use cases.
    For production environments with high security demands you must use the production image.
 
 
@@ -7,19 +7,22 @@ To be able to use NetHSM with EJBCA you need to `setup <pkcs11-setup.html>`__ th
 
 Then configure EJBCA to use the NetHSM PKCS#11 module by adding an entry in the ``/etc/ejbca/conf/web.properties`` file:
 
-.. code-block:: 
+.. code-block:: cfg
 
-  cryptotoken.p11.lib.418.name=NetHSM
-  cryptotoken.p11.lib.418.file=/usr/lib/nitrokey/libnethsm_pkcs11.so
+   cryptotoken.p11.lib.418.name=NetHSM
+   cryptotoken.p11.lib.418.file=/usr/lib/nitrokey/libnethsm_pkcs11.so
 
 
-.. note:: The ``418`` in the name is an index that must be unique for each PKCS#11 module in the configuration file.
+.. note::
+   The ``418`` in the name is an index that must be unique for each PKCS#11 module in the configuration file.
 
 To be able to generate keys from the interface you need to set the ``enable_set_attribute_value`` option to true in the ``p11nethsm.conf`` file.
 
-.. warning:: Because of some integration problems with the Sun PKCS11 provider, keys generated from EJBCA will have a random name instead of the name given in the interface.
+.. warning::
+   Because of some integration problems with the Sun PKCS11 provider, keys generated from EJBCA will have a random name instead of the name given in the interface.
 
-After restarting EJBCA you can add a new Crypto Token in the EJBCA Admin GUI ``https://mycahostname/ejbca/adminweb/cryptotoken/cryptotokens.xhtml``. The Crypto Token type is ``PKCS#11 Crypto Token`` and the Crypto Token name is ``NetHSM``.
+After restarting EJBCA you can add a new Crypto Token in the EJBCA Admin GUI ``https://mycahostname/ejbca/adminweb/cryptotoken/cryptotokens.xhtml``.
+The Crypto Token type is ``PKCS#11 Crypto Token`` and the Crypto Token name is ``NetHSM``.
 
 
 Executing The Example
@@ -31,14 +34,14 @@ If you want to experiment with the given example you can use git to clone the `n
 - Change the libnethsm_pkcs11 configuration to match your NetHSM in ``container/ejbca/p11nethsm.conf``.
 - Build the container.
 
-  .. code-block:: bash
+  .. code-block:: shell-session
     
-    docker build -f container/ejbca/Dockerfile . -t pkcs-ejbca
+     docker build -f container/ejbca/Dockerfile . -t pkcs-ejbca
 
 - Run the container.
 
-  .. code-block:: bash
+  .. code-block:: shell-session
     
-    docker run --rm -it -p 9443:8443 -p 9080:8080 -h mycahostname -e TLS_SETUP_ENABLED="simple" pkcs-ejbca
+     docker run --rm -it -p 9443:8443 -p 9080:8080 -h mycahostname -e TLS_SETUP_ENABLED="simple" pkcs-ejbca
   
 The container will be available at `https://localhost:9443/ <https://localhost:9443/>`__.
@@ -15,85 +15,86 @@ Set up the OpenSSL engine by following the `OpenSSL Engine  setup guide <openssl
 Providers aren't supported yet by Nginx.
 
 .. note:: 
-  Using the libp11 OpenSSL engine version 0.4.12 or older and a NetHSM with a lot of key will make the initial loading of Nginx slow (more than a minute for 1 thousand keys). It is recommended to use version 0.4.13 or newer or to build the engine from `source <https://github.com/OpenSC/libp11>`__.
+   Using the libp11 OpenSSL engine version 0.4.12 or older and a NetHSM with a lot of key will make the initial loading of Nginx slow (more than a minute for 1 thousand keys). It is recommended to use version 0.4.13 or newer or to build the engine from `source <https://github.com/OpenSC/libp11>`__.
 
 Nginx Configuration
 -------------------
 
-.. code-block:: 
+.. code-block:: nginx
 
-  ssl_engine pkcs11;
+   ssl_engine pkcs11;
 
-  server {
-      listen       443 ssl;
-      server_name  localhost;
+   server {
+       listen       443 ssl;
+       server_name  localhost;
 
-      ssl_certificate      /certs/certificate.pem;
+       ssl_certificate      /certs/certificate.pem;
 
-      ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private";
+       ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private";
 
-      ssl_session_cache    shared:SSL:1m;
-      ssl_session_timeout  10s;
-      ssl_session_tickets off;
+       ssl_session_cache    shared:SSL:1m;
+       ssl_session_timeout  10s;
+       ssl_session_tickets off;
 
-      ssl_protocols TLSv1.3;
-      ssl_prefer_server_ciphers  off;
+       ssl_protocols TLSv1.3;
+       ssl_prefer_server_ciphers  off;
 
-      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
-      add_header Strict-Transport-Security "max-age=63072000" always;
+       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+       add_header Strict-Transport-Security "max-age=63072000" always;
 
-      # OCSP stapling
-      ssl_stapling on;
-      ssl_stapling_verify on;
+       # OCSP stapling
+       ssl_stapling on;
+       ssl_stapling_verify on;
 
-      location / {
-          root   /usr/share/nginx/html;
-          index  index.html index.htm;
-      }
+       location / {
+           root   /usr/share/nginx/html;
+           index  index.html index.htm;
+       }
      
-      error_page   500 502 503 504  /50x.html;
-      location = /50x.html {
-          root   /usr/share/nginx/html;
-      }
-  }
+       error_page   500 502 503 504  /50x.html;
+       location = /50x.html {
+           root   /usr/share/nginx/html;
+       }
+   }
 
 The ``ssl_certificate`` must point to a certificate file on the disk.
 
 The ``ssl_certificate_key`` can be an OpenSSL configuration. Here we use the OpenSSL engine with the PKCS#11 module and select the private key with the label/ID ``webserver`` and the key type ``private``.
 
-``ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private";``
+.. code-block:: nginx
+
+   ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private";
 
 .. note:: 
-  You must generate the certificate separately and then upload it to the NetHSM. If the certificate on disk and the key in the NetHSM don't match nginx won't start.
+   You must generate the certificate separately and then upload it to the NetHSM. If the certificate on disk and the key in the NetHSM don't match nginx won't start.
 
 libnethsm_pkcs11 Configuration
 ------------------------------
 
 .. code-block:: yaml
 
-  slots:
-    - label: LocalHSM
-      description: Local HSM (docker)
-      url: "https://192.168.3.161:8443/api/v1"
-      operator:
-        username: "operator"
-        password: "opPassphrase"
+   slots:
+     - label: LocalHSM
+       description: Local HSM (docker)
+       url: "https://192.168.3.161:8443/api/v1"
+       operator:
+         username: "operator"
+         password: "opPassphrase"
 
 To secure the password you can provide it via an `environment variable <pkcs11-setup.html#passwords>`__) or provide it in the nginx configuration:
 
-.. code-block::
+.. code-block:: nginx
 
-    ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private;pin=opPassphrase";
+   ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private;pin=opPassphrase";
 
 
 Example
 -------
 
 If you want to experiment with the `given example <https://github.com/Nitrokey/nethsm-pkcs11/tree/main/container/nginx>`__ use git to clone the `nethsm-pkcs11 repository <https://github.com/Nitrokey/nethsm-pkcs11>`__ and run the following commands:
 
-.. warning:: 
-
-  Running the generate script deletes the ``webserver`` key and replaces it.
+.. warning::
+   Running the generate script deletes the ``webserver`` key and replaces it.
 
 1. Configure a NetHSM, either a real one or a container. See the `getting-started guide <getting-started.html>`__ for more information. Besides an administrator, you are going to need an operator account.
 2. Download and install the latest version of the nethsm-pkcs11 driver `available from here <https://github.com/Nitrokey/nethsm-pkcs11/releases>`__.
@@ -103,20 +104,21 @@ If you want to experiment with the `given example <https://github.com/Nitrokey/n
 6. Update the PKCS11 configuration in ``container/nginx/p11nethsm.conf`` with your NetHSMs URL and valid operator credentials. 
 7. Generate the certificate and key.
 
-  .. code-block:: bash
+   .. code-block:: shell-session
    
-    ./container/nginx/generate.sh
+      ./container/nginx/generate.sh
 
 8. Build the container.
 
-  .. code-block:: bash
+   .. code-block:: shell-session
     
-    docker build -f container/nginx/Dockerfile . -t pkcs-nginx 
+      docker build -f container/nginx/Dockerfile . -t pkcs-nginx 
 
 9. Run the container.
 
-  .. code-block:: bash
+   .. code-block:: shell-session
     
-    docker run -p 9443:443 -p 9080:80 pkcs-nginx
+      docker run -p 9443:443 -p 9080:80 pkcs-nginx
   
-The NGINX test page will be available at `https://localhost:9443/ <https://localhost:9443/>`__. Note that your browser, hopefully, will warn you that the websites certificate is self-signed.
+The NGINX test page will be available at `https://localhost:9443/ <https://localhost:9443/>`__.
+Note that your browser, will warn you that the websites certificate is self-signed.