pvpkcs11 consists of a input validation library and a set of PKCS#11 implementations that wrap operating system and browser cryptographic implementations.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
diagrams
src
test
.gitignore
LICENSE
OSX.md
README.md
build.bat
build.sh
config.gyp
package.json
tsconfig.json

README.md

pvpkcs11

License

pvpkcs11 consists of an input validation library we call core and a set of PKCS#11 implementations that wrap operating system and browser cryptographic and certificate store implementations.

We wanted a solution that provides unified access to the underlying certificate stores and associated cryptographic implementations. PKCS#11 was a natural choice for an API to enable this scenario given its broad adoption.

To make the development on these platforms and user agents easier and to ensure their runtime behavior is uniform, we utilize core to perform input validation. This is similar to how we architected node-webcrypto-ossl, node-webcrypto-p11 and webcrypto-liner where we share webcrypto-core.

With this one library you will be able to access many different underlying cryptographic implementations and certificate stores:

image

Approach

  • Each implementation will be compiled into one library, pvpkcs11.dll/.so, and each one will be exposed via its own slot.
  • RSA keys, ECDSA keys, X509 certificates, and PKCS10's can be persisted.
  • Certificate store operations will be exposed as CKO_X509
  • Certificate requests will be stored via CKO_DATA.
  • Both CKO_X509 and CKO_DATA will be manageable via C_CreateObject, C_DestroyObject, C_CloneObject.
  • AES keys will only be supported as session objects.

Capabilities

  • Basic certificate store management enabling access of certificates, and certificate requests as well as installation and removal.
  • Basic cryptographic operations where supported by underlying cryptographic and certificate store implementation (typically RSA PKCS1, RSA-PSS, ECDSA, ECDH, and AES).
  • Where ECC is supported only secp256r1, secp384r1 and secp521r1 are supported.
  • Where RSA is supported only RSA 1024, 2048, 3072 and 4096 are supported.
  • Where AES is supported key lengths of 128, 192 and 256 are supported.

Class Design

image

WARNING

At this time this solution should be considered suitable for research and experimentation, further code and security review is needed before utilization in a production application.

Using

Building

  • At this time only MSCAPI and CommonCrypto (OSX) support is implemented.
  • At this time only building on Windows and OSX is supported.
  • The package does not have a build script at this time.

To build you need Visual Studio and you follow the following steps:

  • build.bat
  • open build/binding.sln
  • Run build

Testing

  • Install dependencies
npm install
  • Run tests
npm test

Enviroment Variables

Name Type Description
PV_PKCS11_ERROR any Prints to stdout additional information about errors from PKCS#11 module
PV_PKCS11_ERROR_LEVEL number Combination of flags for different types of messages
Name Value
INFO 1
WARN 2
ERROR 4
DEBUG 8
TRACE 16

Supported Algorithms

MSCAPI

Function Algorithms
Hash SHA1; SHA2; SHA384; SHA512
Sign RSA /w SHA1; RSA PKCS1 /w SHA1, SHA2; RSA PSS /w SHA1, SHA2; ECDSA /w SHA1, SHA2
Exchange ECDH /w SHA1
Encryption RSA OAEP; AES modes CBC, CBC-PAD, GCM, and ECB

OSX

Function Algorithms
Hash SHA1; SHA2; SHA384; SHA512
Sign RSA /w SHA1; RSA PKCS1 /w SHA1, SHA2; RSA PSS /w SHA1, SHA2; ECDSA /w SHA1, SHA2
Exchange ECDH /w SHA1
Encryption RSA OAEP; AES modes CBC, CBC-PAD, GCM, and ECB

Related