14 releases (7 breaking)

0.8.0 Nov 14, 2024
0.7.0 Jun 18, 2024
0.6.2 Mar 8, 2024
0.6.1 Oct 17, 2023
0.1.1 Mar 31, 2021

#74 in Cryptography


15,772 downloads per month
Used in 9 crates (7 directly)

Apache-2.0

4.5MB
136K SLoC

Cryptoki Rust Wrapper


This is the high-level, Rust idiomatic wrapper crate for PKCS #11.

The items in this crate expose only idiomatic and safe Rust types and functions for interfacing with the PKCS11 API. Not every PKCS11 item is necessarily implemented, but everything that is implemented is safe.

Example

The following example initializes an empty token and generates a new RSA key.

use cryptoki::context::{CInitializeArgs, Pkcs11};
use cryptoki::mechanism::Mechanism;
use cryptoki::object::Attribute;
use cryptoki::session::UserType;
use cryptoki::types::AuthPin;

fn main() -> testresult::TestResult {
    // initialize a new Pkcs11 object using the module from the env variable
    let pkcs11 = Pkcs11::new(std::env::var("PKCS11_SOFTHSM2_MODULE")?)?;

    pkcs11.initialize(CInitializeArgs::OsThreads)?;

    let slot = pkcs11.get_slots_with_token()?[0];

    // initialize a test token (the PINs below are test values)
    let so_pin = AuthPin::new("abcdef".into());
    pkcs11.init_token(slot, &so_pin, "Test Token")?;

    let user_pin = AuthPin::new("fedcba".into());

    // initialize user PIN; the SO session is dropped at the end of this block
    {
        let session = pkcs11.open_rw_session(slot)?;
        session.login(UserType::So, Some(&so_pin))?;
        session.init_pin(&user_pin)?;
    }

    // login as a user, the token has to be already initialized
    let session = pkcs11.open_rw_session(slot)?;
    session.login(UserType::User, Some(&user_pin))?;

    // template of the public key
    let pub_key_template = vec![
        Attribute::Token(true),
        Attribute::Private(false),
        Attribute::PublicExponent(vec![0x01, 0x00, 0x01]),
        // 1024 bits is a test-sized modulus; use at least 2048 bits for real keys
        Attribute::ModulusBits(1024.into()),
    ];

    // template of the private key
    let priv_key_template = vec![Attribute::Token(true)];

    // generate an RSA key according to passed templates
    let (public, private) = session.generate_key_pair(
        &Mechanism::RsaPkcsKeyPairGen,
        &pub_key_template,
        &priv_key_template,
    )?;

    Ok(())
}
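
The templates in the example above are test values: a 1024-bit modulus and a private-key template that sets only `Token`. One way to check such templates against a local policy before they reach `generate_key_pair` is sketched below; this is an added example, not code from the cryptoki crate. The `Attr` enum is a hypothetical stand-in for a few `Attribute` variants so the block builds without the crate, and the 2048-bit floor and fixed exponent are assumed policy choices.

```rust
// Added example (not cryptoki code): policy check for RSA key-generation templates.
// `Attr` is a hypothetical stand-in for a few `cryptoki::object::Attribute` variants.
#[derive(Debug, Clone, PartialEq)]
pub enum Attr {
    Token(bool),
    Private(bool),
    Sensitive(bool),
    Extractable(bool),
    ModulusBits(u64),
    PublicExponent(Vec<u8>),
}

const MIN_MODULUS_BITS: u64 = 2048; // assumed policy floor

/// Returns every policy violation found in the two templates (empty = acceptable).
pub fn check_rsa_templates(public: &[Attr], private: &[Attr]) -> Vec<String> {
    let mut issues = Vec::new();
    let bits = public.iter().find_map(|a| match a { Attr::ModulusBits(b) => Some(*b), _ => None });
    match bits {
        Some(b) if b < MIN_MODULUS_BITS => {
            issues.push(format!("modulus is {} bits, below the {}-bit floor", b, MIN_MODULUS_BITS))
        }
        None => issues.push("public template has no ModulusBits".to_string()),
        _ => {}
    }
    // PublicExponent is a big-endian byte string: strip leading zeros before comparing.
    let exp = public.iter().find_map(|a| match a { Attr::PublicExponent(e) => Some(e), _ => None });
    if let Some(e) = exp {
        let trimmed: Vec<u8> = e.iter().copied().skip_while(|b| *b == 0).collect();
        if trimmed != [0x01, 0x00, 0x01] {
            issues.push("public exponent is not 65537".to_string());
        }
    }
    // Private-key flags must be stated explicitly rather than left to token defaults.
    for want in [Attr::Private(true), Attr::Sensitive(true), Attr::Extractable(false)] {
        if !private.contains(&want) {
            issues.push(format!("private template must set {:?}", want));
        }
    }
    issues
}

/// The templates from the example above, re-expressed with the stand-in type.
pub fn page_templates() -> (Vec<Attr>, Vec<Attr>) {
    let public = vec![Attr::Token(true), Attr::Private(false),
                      Attr::PublicExponent(vec![0x01, 0x00, 0x01]), Attr::ModulusBits(1024)];
    (public, vec![Attr::Token(true)])
}

fn main() {
    let (public, private) = page_templates();
    for issue in check_rsa_templates(&public, &private) { println!("policy: {}", issue); }
}
```

Run against the page's templates, the check reports the short modulus and the three private-key flags that are not set.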

Conformance Notes

Throughout this crate, many functions and other items include additional "Conformance" notes. These notes may provide guarantees about behavior or additional, contextual information. In all cases, such items pertain to information from the PKCS#11 standard and are contingent on the provider being accessed through this crate conforming to that standard. That is, this crate is permitted to assume these guarantees, and does not necessarily check for or enforce them itself.

License

This project is licensed under the Apache License, Version 2.0.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.

Copyright 2021 Contributors to the Parsec project.

Dependencies

~0.3–2.4MB
~35K SLoC