#pkcs11 #pkcs #native #cross-platform #native-pkcs11 #module #certificate

native-pkcs11-core

Shared cross-platform PKCS#11 module logic for native-pkcs11

14 releases

0.2.17 Mar 13, 2024
0.2.15 Nov 14, 2023
0.2.12 Jun 21, 2023
0.2.7 Mar 22, 2023

#1446 in Cryptography

Download history 9/week @ 2024-01-01 88/week @ 2024-02-12 1/week @ 2024-02-19 10/week @ 2024-02-26 96/week @ 2024-03-11 15/week @ 2024-03-18

121 downloads per month
Used in native-pkcs11

Apache-2.0

1MB
25K SLoC

native-pkcs11

pkcs11 module for native credential stores

native-pkcs11 is a crate for building PKCS#11 modules. Its primary use-case is authenticating with client certificates. native-pkcs11 aims to support native certificate stores (MacOS Keychain, Windows Platform Key Provider) out of the box. It can also be extended with a custom backend (see this section).

Host Software Compatibility

Software compatibility is a core goal of native-pkcs11. It is currently tested with

  • openssh
  • openvpn
  • Chrome
  • Firefox

If a native-pkcs11 module does not work for your software, please file an issue.

Building a Custom Backend

The native_pkcs11_traits::Backend trait can be implemented to add support for a new credential store. Backends are registered in the exported C_GetFunctionList function. In order to register your own backend, enable the custom-function-list feature on native-pkcs11 and export the method from your crate. For example:

use native_pkcs11::{CKR_OK, CK_FUNCTION_LIST_PTR_PTR, CK_RV, FUNC_LIST};
#[no_mangle]
pub extern "C" fn C_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV {
    native_pkcs11_traits::register_backend(Box::new(backend::MyBackend {}));
    unsafe { *ppFunctionList = &mut FUNC_LIST };
    return CKR_OK;
}

Dependencies

~4–33MB
~457K SLoC