Skip to content

pvpkcs11 consists of a input validation library and a set of PKCS#11 implementations that wrap operating system and browser cryptographic implementations.

License

Notifications You must be signed in to change notification settings

PeculiarVentures/pvpkcs11

Repository files navigation

pvpkcs11

License

pvpkcs11 consists of an input validation library we call core and a set of PKCS#11 implementations that wrap operating system and browser cryptographic and certificate store implementations.

We wanted a solution that provides unified access to the underlying certificate stores and associated cryptographic implementations. PKCS#11 was a natural choice for an API to enable this scenario given its broad adoption.

To make the development on these platforms and user agents easier and to ensure their runtime behavior is uniform, we utilize core to perform input validation. This is similar to how we architected node-webcrypto-ossl, node-webcrypto-p11 and webcrypto-liner where we share webcrypto-core.

With this one library you will be able to access many different underlying cryptographic implementations and certificate stores:

image

Approach

  • Each implementation will be compiled into one library, pvpkcs11.dll/.so, and each one will be exposed via its own slot.
  • RSA keys, ECDSA keys, X509 certificates, and PKCS10's can be persisted.
  • Certificate store operations will be exposed as CKO_X509
  • Certificate requests will be stored via CKO_DATA.
  • Both CKO_X509 and CKO_DATA will be manageable via C_CreateObject, C_DestroyObject, C_CloneObject.
  • AES keys will only be supported as session objects.

Capabilities

  • Basic certificate store management enabling access of certificates, and certificate requests as well as installation and removal.
  • Basic cryptographic operations where supported by underlying cryptographic and certificate store implementation (typically RSA PKCS1, RSA-PSS, ECDSA, ECDH, and AES).
  • Where ECC is supported only secp256r1, secp384r1 and secp521r1 are supported.
  • Where RSA is supported only RSA 1024, 2048, 3072 and 4096 are supported.
  • Where AES is supported key lengths of 128, 192 and 256 are supported.

Class Design

image

WARNING

At this time this solution should be considered suitable for research and experimentation, further code and security review is needed before utilization in a production application.

Using

Building

  • At this time only MSCAPI and CommonCrypto (OSX) support is implemented.
  • At this time only building on Windows and OSX is supported.
  • The package does not have a build script at this time.

To build you need Visual Studio and you follow the following steps:

  • build.bat
  • open build/binding.sln
  • Run build

Testing

  • Install dependencies
npm install --ignore-scripts
  • Run tests
npm test

Enviroment Variables

Name Type Description
PV_PKCS11_ERROR any Prints to stdout additional information about errors from PKCS#11 module
PV_PKCS11_ERROR_LEVEL number Combination of flags for different types of messages
Name Value
INFO 1
WARN 2
ERROR 4
DEBUG 8
TRACE 16

Supported Algorithms

MSCAPI

Function Algorithms
Hash SHA1; SHA2; SHA384; SHA512
Sign RSA /w SHA1; RSA PKCS1 /w SHA1, SHA2; RSA PSS /w SHA1, SHA2; ECDSA /w SHA1, SHA2
Exchange ECDH /w SHA1
Encryption RSA OAEP; AES modes CBC, CBC-PAD, GCM, and ECB

OSX

Function Algorithms
Hash SHA1; SHA2; SHA384; SHA512
Sign RSA /w SHA1; RSA PKCS1 /w SHA1, SHA2; RSA PSS /w SHA1, SHA2; ECDSA /w SHA1, SHA2
Exchange ECDH /w SHA1
Encryption RSA OAEP; AES modes CBC, CBC-PAD, GCM, and ECB

Related

About

pvpkcs11 consists of a input validation library and a set of PKCS#11 implementations that wrap operating system and browser cryptographic implementations.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •