/pkcs11-provider

PKCS #11 provider library and software HSM implementation in Go.


PKCS #11 Provider

This project implements the PKCS #11 Cryptographic Token Interface Base Specification Version 3.0 API and provides an RPC interface over Unix domain sockets to communicate with the token implementation. The implementation has the following components:

  • library implements the PKCS #11 interface as a shared library. The PKCS #11 functions are defined in .rpc files and they are translated into .c files with the RPC compiler.

  • RPC Compiler which is used to generate the PKCS #11 stub functions from the RPC definitions. The RPC Compiler is implemented in the Go programming language.

  • Software Token implementing PKCS #11 operations. The token is implemented in Go and (will) support all modern PKCS #11 cryptographic operations.

  • Java PKCS #11 Test to test the PKCS #11 interface from Java.
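The round trip between the shared library and the token described above, as an added illustration in Go that is not the project's own code: a stub-side call travels over a Unix domain socket to a token goroutine, which dispatches it and sends back a CK_RV. The gob message encoding, the function ids and the names msg, token, serve and Demo are assumptions made for this example; only the CK_RV values come from the PKCS #11 specification, and the slot 0 / PIN 1111 match the usage example below.

```go
package main

import (
	"encoding/gob"
	"fmt"
	"net"
	"os"
)

// msg is a constructed stand-in for the project's RPC encoding (not its .rpc format): Code is the function id in a request and the CK_RV in the reply, Payload the arguments or results.
type msg struct{ Code uint32; Payload []byte }
const (
	fnGetSlotList, fnLogin                          uint32 = 1, 2             // hypothetical function ids
	ckrOK, ckrPinIncorrect, ckrFunctionNotSupported uint32 = 0x00, 0xA0, 0x54 // CK_RV values from the PKCS #11 spec
)
type token struct{ pin string } // minimal stand-in for the Go software token
// dispatch is the token side of one RPC: map the function id to an operation and return its CK_RV.
func (t *token) dispatch(fn uint32, payload []byte) (uint32, []byte) {
	switch fn {
	case fnGetSlotList:
		return ckrOK, []byte{0} // one slot with id 0, matching the README's --slot 0
	case fnLogin:
		if string(payload) == t.pin { return ckrOK, nil }
		return ckrPinIncorrect, nil
	}
	return ckrFunctionNotSupported, nil
}
// serve answers requests on one connection until the client hangs up.
func serve(c net.Conn, t *token) {
	defer c.Close()
	enc, dec := gob.NewEncoder(c), gob.NewDecoder(c)
	for req := new(msg); dec.Decode(req) == nil; req = new(msg) {
		if rv, out := t.dispatch(req.Code, req.Payload); enc.Encode(msg{rv, out}) != nil { return }
	}
}
// Demo listens for the token on sock (place it in a directory only this user can reach), logs in with pin over the socket and returns the CK_RV as the library would hand it to the application.
func Demo(sock, pin string) (uint32, error) {
	ln, err := net.Listen("unix", sock)
	if err != nil { return 0, err }
	defer ln.Close()
	go func() { if c, err := ln.Accept(); err == nil { serve(c, &token{pin: "1111"}) } }()
	c, err := net.Dial("unix", sock) // client side: what a generated C stub does per call
	if err != nil { return 0, err }
	defer c.Close()
	if err := gob.NewEncoder(c).Encode(msg{fnLogin, []byte(pin)}); err != nil { return 0, err }
	var reply msg
	err = gob.NewDecoder(c).Decode(&reply)
	return reply.Code, err
}
func main() { dir, _ := os.MkdirTemp("", "vpkcs11"); defer os.RemoveAll(dir); fmt.Println(Demo(dir+"/token.sock", "1111")) }
```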

Example Usage

Start token:

$ cd cmd/token
$ ./token

Run pkcs11-testing test program:

$ cd ~/work/pkcs11-testing
$ ./pkcs11-testing --module ~/go/src/github.com/markkurossi/pkcs11-provider/library/libvpkcs11.so --slot 0 --pin 1111 --test-all

Java's SunPKCS11 provider:

$ cd java
$ javac PKCS11Test.java
$ java PKCS11Test

AWS CloudHSM examples:

$ cd aws-cloudhsm-pkcs11-examples
$ make
$ make test

TODO

  • Framework:
    • Launch token from libvpkcs11.so
    • Non-volatile token storage
    • Token configuration file
    • Test compatibility with Firefox
  • Test compatibility with aws-cloudhsm-pkcs11-examples
    • tools/import_pub_key.c
    • tools/wrap_with_imported_rsa_key.c
    • derivation/ecdh.c
    • derivation/hmac_kdf.c
    • wrapping/unwrap_with_template.c
    • wrapping/aes_wrapping.c
    • wrapping/rsa_wrapping.c
    • wrapping/aes_gcm_wrapping.c
    • wrapping/wrap_with_template.c
    • wrapping/aes_no_padding_wrapping.c
    • wrapping/aes_zero_padding_wrapping.c
    • encrypt/des_ecb.c
  • Crypto provider with Go:
    • Ed25519 public key algorithm
    • Message sign and verify
    • Dual function
  • RPC compiler (ugly but it works):
    • Cleanup field input/output handling and types
    • Remove old unused input/output code

Documentation