openpgp-pkcs11-sequoia
| Crates.io | openpgp-pkcs11-sequoia |
| lib.rs | openpgp-pkcs11-sequoia |
| version | 0.2.0 |
| source | src |
| created_at | 2023-06-15 17:19:35.848704 |
| updated_at | 2023-06-22 07:39:22.762204 |
| description | A library for using PKCS #11 devices in an OpenPGP context. |
| homepage | |
| repository | https://codeberg.org/heiko/openpgp-pkcs11 |
| max_upload_size | |
| id | 891282 |
| size | 45,898 |
Heiko Schaefer (hko-s)
documentation
README
openpgp-pkcs11-sequoia
A library to use PKCS #11 devices in an OpenPGP context.
PKCS #11 refers to a programming interface to create and manipulate cryptographic tokens.
(See openpgp-pkcs11-tools for a CLI tool based on this library.)
PKCS #11 specification
PKCS #11 v2.20: Cryptographic Token Interface Standard, RSA Laboratories, 28 June 2004
PKCS #11 access libraries
Accessing PKCS #11 devices requires a (typically vendor-specific)
PKCS #11 dynamic library implementation ("module").
For example, to access the Yubikey PIV application on a Yubikey 5,
/usr/lib64/libykcs11.so can be used.
The code in this repository uses cryptoki, a "high-level, Rust idiomatic wrapper crate for PKCS #11" as a wrapper for these modules:
graph TD
A[openpgp-pkcs11-sequoia] --> B(cryptoki Rust crate)
B -->|uses| C[vendor-specific PKCS#11 library]
click B "https://crates.io/crates/cryptoki"
Devices and software implementations
YubiKey 4/5 (ykcs11)
Key upload limitation
The YubiKey PKCS #11 driver
(ykcs11) appears
to not implement the required functionality to upload key material
(uploading CKO_PUBLIC_KEY objects is unsupported, but would be needed).
Thus, keys can currently only be uploaded to these cards via the PIV interface.
Nitrokey HSM 2 / SmartCard-HSM-4K
https://www.smartcard-hsm.com/opensource.html
"The SmartCard-HSM is supported by OpenSC, a PKCS#11 and CSP Minidriver middleware for various operating systems."
(https://support.nitrokey.com/t/differences-between-nitrokey-hsm2-smartcard-hsm-4k-usb-token/1985)
YubiHSM 2
https://developers.yubico.com/YubiHSM2/Usage_Guides/YubiHSM_quick_start_tutorial.html
Nitrokey NetHSM
Available as container image (no security features, just for testing purposes!):
https://hub.docker.com/r/nitrokey/nethsm
PKCS #11 driver: https://github.com/Nitrokey/nethsm-pkcs11
"This driver is still an early Proof of Concept implementation that only implements the functions that are necessary for operating TLS servers"
Utimaco SecurityServer simulator
https://utimaco.com/downloads/simulators-and-sdks/securityserver-simulator
(Presumably under a non-free license; so, possibly can't be used in CI openly (?))
SoftHSM2
A software implementation of PKCS #11.