#pkcs11 #back-end #module #credentials #native #key #pkcs


Cross-platform PKCS#11 module written in rust. Can be extended with custom credential backends.

18 releases

0.2.17 Mar 13, 2024
0.2.15 Nov 14, 2023
0.2.12 Jun 21, 2023
0.2.7 Mar 22, 2023
0.1.0 Nov 24, 2022

#205 in Cryptography

Download history 3/week @ 2023-12-28 19/week @ 2024-02-15 19/week @ 2024-02-22 4/week @ 2024-02-29 39/week @ 2024-03-07 51/week @ 2024-03-14 4/week @ 2024-03-21

100 downloads per month


27K SLoC


pkcs11 module for native credential stores

native-pkcs11 is a crate for building PKCS#11 modules. Its primary use-case is authenticating with client certificates. native-pkcs11 aims to support native certificate stores (MacOS Keychain, Windows Platform Key Provider) out of the box. It can also be extended with a custom backend (see this section).

Host Software Compatibility

Software compatibility is a core goal of native-pkcs11. It is currently tested with

  • openssh
  • openvpn
  • Chrome
  • Firefox

If a native-pkcs11 module does not work for your software, please file an issue.

Building a Custom Backend

The native_pkcs11_traits::Backend trait can be implemented to add support for a new credential store. Backends are registered in the exported C_GetFunctionList function. In order to register your own backend, enable the custom-function-list feature on native-pkcs11 and export the method from your crate. For example:

pub extern "C" fn C_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV {
    native_pkcs11_traits::register_backend(Box::new(backend::MyBackend {}));
    unsafe { *ppFunctionList = &mut FUNC_LIST };
    return CKR_OK;


~547K SLoC