Applied PKCS#11

The most involved thing I’ve had to learn this year is how to actually use PKCS #11 to talk to crypto hardware. It’s actually not that clear. Most of the examples are buried in random bits of C from vendors like Oracle or IBM; and the spec itself is pretty dense. Especially when it comes to understanding how you actually use it, and what all the bits and pieces do.

In honour of our Prime Minister saying he should have NOBUS access into our cryptography, which is why we should all start using hardware encryption modules (did you know you can use your TPM?) and thus in order to save the next girl 6 months of poking around on a piece of hardware she doesn’t really *get*, I started a document: Applied PKCS#11.

The later sections refer to the API exposed by python-pkcs11, but the first part is generally relevant. Hopefully it makes sense, I’m super keen to get feedback if I’ve made any huge logical leaps etc.

Author: Danielle

Danielle is an Australian software engineer, computer scientist and feminist. She doesn't really work on GNOME any more (sadly). Opinions and writing are solely her own and do not represent her employer, the GNOME Foundation, or anyone else but herself.

2 thoughts on “Applied PKCS#11”

  1. Thank you so much for writing this!

    I’ve tried to wrestle my way through the strange and unconnected bits of PKCS documentation once or twice, but this finally made it all “click”. :)

  2. You’re welcome. It’s all really remarkably appallingly documented. I’ve spent who knows how much time trawling through standards, RFCs and bits by Oracle and IBM to put all this together. Especially how to do bits like stream large files through the device (seriously I feel like everyone’s library RSA signs Hello World and leaves it there). I felt a bit like calling it applied PKCS #11 is a bit extravagant since it hides most of the detail away in the module but I’m quite happy with how clean the code has turned out, so it wouldn’t be too hard for someone to go a step further.
