| Field | Value |
|---|---|
| Crates.io | openpgp-pkcs11-sequoia |
| lib.rs | openpgp-pkcs11-sequoia |
| version | 0.2.0 |
| source | src |
| created_at | 2023-06-15 17:19:35.848704 |
| updated_at | 2023-06-22 07:39:22.762204 |
| description | A library for using PKCS #11 devices in an OpenPGP context. |
| homepage | |
| repository | https://codeberg.org/heiko/openpgp-pkcs11 |
| max_upload_size | |
| id | 891282 |
| size | 45,898 |
A library to use PKCS #11 devices in an OpenPGP context.
PKCS #11 refers to a programming interface to create and manipulate cryptographic tokens.
(See openpgp-pkcs11-tools for a CLI tool based on this library.)
PKCS #11 v2.20: Cryptographic Token Interface Standard, RSA Laboratories, 28 June 2004
Accessing PKCS #11 devices requires a (typically vendor-specific) PKCS #11 dynamic library implementation ("module"). For example, to access the YubiKey PIV application on a YubiKey 5, `/usr/lib64/libykcs11.so` can be used.
The code in this repository uses cryptoki, a "high-level, Rust idiomatic wrapper crate for PKCS #11", as a wrapper for these modules:

```mermaid
graph TD
A[openpgp-pkcs11-sequoia] --> B(cryptoki Rust crate)
B -->|uses| C[vendor-specific PKCS#11 library]
click B "https://crates.io/crates/cryptoki"
```
The YubiKey PKCS #11 driver (ykcs11) appears not to implement the functionality required to upload key material: creating CKO_PUBLIC_KEY objects is unsupported, but would be needed. Thus, keys can currently only be uploaded to these cards via the PIV interface.
- SmartCard-HSM: https://www.smartcard-hsm.com/opensource.html
  "The SmartCard-HSM is supported by OpenSC, a PKCS#11 and CSP Minidriver middleware for various operating systems." (https://support.nitrokey.com/t/differences-between-nitrokey-hsm2-smartcard-hsm-4k-usb-token/1985)
- YubiHSM 2: https://developers.yubico.com/YubiHSM2/Usage_Guides/YubiHSM_quick_start_tutorial.html
- Nitrokey NetHSM: available as a container image (no security features, just for testing purposes!): https://hub.docker.com/r/nitrokey/nethsm
  PKCS #11 driver: https://github.com/Nitrokey/nethsm-pkcs11
  "This driver is still an early Proof of Concept implementation that only implements the functions that are necessary for operating TLS servers"
- Utimaco SecurityServer simulator: https://utimaco.com/downloads/simulators-and-sdks/securityserver-simulator
  (Presumably under a non-free license, so it possibly cannot be used openly in CI.)
- A software implementation of PKCS #11.