Package Usage: go: github.com/ThalesIgnite/crypto11
Package crypto11 enables access to cryptographic keys from PKCS#11 using Go crypto API.
PKCS#11 tokens are accessed via Context objects. Each Context connects to one token.
Context objects are created by calling Configure or ConfigureFromFile.
In the latter case, the file should contain a JSON representation of
a Config.
There is support for generating DSA, RSA and ECDSA keys. These keys
can be found later using FindKeyPair. All three key types implement
the crypto.Signer interface and the RSA keys also implement crypto.Decrypter.
RSA keys obtained through FindKeyPair will need a type assertion to be
used for decryption. Assert either crypto.Decrypter or SignerDecrypter, as you
prefer.
Symmetric keys can also be generated. These are found later using FindKey.
See the documentation for SecretKey for further information.
Note that PKCS#11 session handles must not be used concurrently
from multiple threads. Consumers of the Signer interface know
nothing of this and expect to be able to sign from multiple threads
without constraint. We address this as follows.
1. When a Context is created, a session is created and the user is
logged in. This session remains open until the Context is closed,
to ensure all object handles remain valid and to avoid repeatedly
calling C_Login.
2. The Context also maintains a pool of read-write sessions. The pool expands
dynamically as needed, but never beyond the maximum number of r/w sessions
supported by the token (as reported by C_GetInfo). If other applications
are using the token, a lower limit should be set in the Config.
3. Each operation transiently takes a session from the pool. It
has exclusive use of that session, meeting PKCS#11's concurrency
requirements. Sessions are returned to the pool afterwards and may
be re-used.
Behaviour of the pool can be tweaked via Config fields:
- PoolWaitTimeout controls how long an operation can block waiting on a
session from the pool. A zero value means there is no limit. Timeouts
occur if the pool is fully used and additional operations are requested.
- MaxSessions sets an upper bound on the number of sessions. If this value is zero,
a default maximum is used (see DefaultMaxSessions). In every case the maximum
number of sessions reported by the token is respected.
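A model of the pool behaviour described in steps 2 and 3 and the two Config fields above, added here as an example that uses only the Go standard library. It is not crypto11's own code: `pool`, `session`, `withSession` and `errPoolTimeout` are hypothetical names, and `session` is a constructed stand-in for a PKCS#11 session handle.

```go
package main
import (
	"errors"
	"fmt"
	"time"
)

var errPoolTimeout = errors.New("timed out waiting for a session")
type session struct{ id int } // constructed stand-in for a PKCS#11 session handle
type pool struct {
	idle     chan *session // opened sessions not currently lent out
	unopened chan int      // ids of sessions still allowed to be opened (the MaxSessions role)
	timeout  time.Duration // the PoolWaitTimeout role; zero means no limit
}

func newPool(max int, timeout time.Duration) *pool {
	p := &pool{idle: make(chan *session, max), unopened: make(chan int, max), timeout: timeout}
	for id := 1; id <= max; id++ {
		p.unopened <- id
	}
	return p
}

// withSession lends f one session for its exclusive use and always returns it.
func (p *pool) withSession(f func(*session) error) error {
	var s *session
	var expire <-chan time.Time // a nil channel never fires: wait without limit
	select {
	case s = <-p.idle: // prefer re-using an idle session
	default:
		if p.timeout > 0 {
			expire = time.After(p.timeout)
		}
		select {
		case s = <-p.idle: // another operation finished and returned its session
		case id := <-p.unopened: // expand on demand, never past the bound
			s = &session{id: id}
		case <-expire: // pool fully used and nothing came back in time
			return errPoolTimeout
		}
	}
	defer func() { p.idle <- s }()
	return f(s)
}

func main() { // a pool of one session: the nested request must time out
	p := newPool(1, 10*time.Millisecond)
	inner := func(*session) error { return p.withSession(func(*session) error { return nil }) }
	fmt.Println(p.withSession(inner))
}
```

The nested call in `main` shows the failure mode to watch for in real code: an operation that requests a second session while still holding one can exhaust a small pool and hit the wait timeout.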
The PKCS1v15DecryptOptions SessionKeyLen field is not implemented
and an error is returned if it is nonzero.
The reason for this is that it is not possible for crypto11 to guarantee the constant-time behavior described in the specification.
See https://github.com/thalesignite/crypto11/issues/5 for further discussion.
Symmetric crypto support via cipher.Block is very slow.
You can use the BlockModeCloser API instead,
but you must call its Close() method (which is not part of cipher.BlockMode).
See https://github.com/ThalesIgnite/crypto11/issues/6 for further discussion.
12 versions
Latest release: almost 4 years ago
341 dependent packages
View more package details: https://packages.ecosystem.code.gouv.fr/registries/proxy.golang.org/packages/github.com/ThalesIgnite/crypto11