pvpkcs11 consists of an input validation library we call core and a set of PKCS#11 implementations that wrap operating system and browser cryptographic and certificate store implementations.

We wanted a solution that provides unified access to the underlying certificate stores and associated cryptographic implementations. PKCS#11 was a natural choice for an API to enable this scenario given its broad adoption.

To make the development on these platforms and user agents easier and to ensure their runtime behavior is uniform, we utilize core to perform input validation. This is similar to how we architected node-webcrypto-ossl, node-webcrypto-p11 and webcrypto-liner, where we share webcrypto-core.
With this one library you will be able to access many different underlying cryptographic implementations and certificate stores:
- Each implementation will be compiled into one library, pvpkcs11.dll/.so, and each one will be exposed via its own slot.
- RSA keys, ECDSA keys, X509 certificates, and PKCS#10 certificate requests can be persisted.
- Certificate store operations will be exposed as CKO_X509.
- Certificate requests will be stored via CKO_DATA.
- Both CKO_X509 and CKO_DATA will be manageable via C_CreateObject, C_DestroyObject, C_CloneObject.
- AES keys will only be supported as session objects.
- Basic certificate store management, enabling access to certificates and certificate requests as well as their installation and removal.
- Basic cryptographic operations where supported by the underlying cryptographic and certificate store implementation (typically RSA PKCS1, RSA-PSS, ECDSA, ECDH, and AES).
- Where ECC is supported only secp256r1, secp384r1 and secp521r1 are supported.
- Where RSA is supported only RSA 1024, 2048, 3072 and 4096 are supported.
- Where AES is supported key lengths of 128, 192 and 256 are supported.
At this time this solution should be considered suitable for research and experimentation only; further code and security review is needed before it is used in a production application.
- At this time only MSCAPI and CommonCrypto (OSX) support is implemented.
- At this time only building on Windows and OSX is supported.
- The package does not have a build script at this time.
To build you need Visual Studio; then follow these steps:

- Run build.bat
- Open build/binding.sln
- Run the build
- Install the dependencies:

```
npm install --ignore-scripts
```

- Run the tests:

```
npm test
```
Name | Type | Description |
---|---|---|
PV_PKCS11_ERROR | any | Prints to stdout additional information about errors from the PKCS#11 module |
PV_PKCS11_ERROR_LEVEL | number | Combination of flags for different types of messages |
Name | Value |
---|---|
INFO | 1 |
WARN | 2 |
ERROR | 4 |
DEBUG | 8 |
TRACE | 16 |
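The following is an added example and is not code from pvpkcs11 or its authors. It is a small C client that builds the PV_PKCS11_ERROR_LEVEL value from the flag names in the table above, sets both environment variables before the module is loaded, opens the module with dlopen, and, because each wrapped store is exposed as its own slot, walks every slot counting the certificate objects (the CKO_X509 objects described in the feature list, assumed here to be the standard PKCS#11 class CKO_CERTIFICATE) and the CKO_DATA objects that hold certificate requests. The module path, the flag-name parser and the CKO_X509 to CKO_CERTIFICATE mapping are assumptions; the PKCS#11 types and constants are declared inline from the standard so the file builds without pkcs11.h. It uses POSIX dlopen and setenv (macOS, Linux); on Windows LoadLibrary and _putenv_s take their place.

```c
/* Added example (not part of pvpkcs11): enable the module's diagnostics via
 * PV_PKCS11_ERROR / PV_PKCS11_ERROR_LEVEL, load the PKCS#11 module with
 * dlopen, and count certificate (CKO_X509 in the README, CKO_CERTIFICATE in
 * the spec; assumed mapping) and CKO_DATA objects in every slot.
 * The module path is an assumption supplied by the caller. */
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal PKCS#11 v2.x types and constants, declared inline so the file
 * builds without pkcs11.h. Values are the standard ones from the spec. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK             0UL
#define CKA_CLASS          0UL
#define CKO_DATA           0UL   /* README: certificate requests live here */
#define CKO_CERTIFICATE    1UL   /* README calls this CKO_X509 (assumed mapping) */
#define CKF_SERIAL_SESSION 4UL

typedef CK_RV (*fn_init)(void *);
typedef CK_RV (*fn_fin)(void *);
typedef CK_RV (*fn_slots)(unsigned char, CK_SLOT_ID *, CK_ULONG *);
typedef CK_RV (*fn_open)(CK_SLOT_ID, CK_ULONG, void *, void *, CK_SESSION_HANDLE *);
typedef CK_RV (*fn_close)(CK_SESSION_HANDLE);
typedef CK_RV (*fn_find_init)(CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
typedef CK_RV (*fn_find)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG, CK_ULONG *);
typedef CK_RV (*fn_find_final)(CK_SESSION_HANDLE);

/* Build the PV_PKCS11_ERROR_LEVEL bitmask from a comma-separated list of the
 * README's flag names (INFO=1 WARN=2 ERROR=4 DEBUG=8 TRACE=16).
 * Unknown names are ignored. Hypothetical helper, not a pvpkcs11 API. */
unsigned long error_level_mask(const char *names) {
    static const struct { const char *name; unsigned long bit; } flags[] = {
        {"INFO", 1}, {"WARN", 2}, {"ERROR", 4}, {"DEBUG", 8}, {"TRACE", 16}};
    unsigned long mask = 0;
    char buf[128];
    snprintf(buf, sizeof buf, "%s", names);
    for (char *tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", "))
        for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++)
            if (strcmp(tok, flags[i].name) == 0) mask |= flags[i].bit;
    return mask;
}

/* Count objects of one CKA_CLASS in an open session via C_FindObjects. */
static long count_class(void *lib, CK_SESSION_HANDLE s, CK_ULONG cls) {
    fn_find_init init = (fn_find_init)dlsym(lib, "C_FindObjectsInit");
    fn_find find = (fn_find)dlsym(lib, "C_FindObjects");
    fn_find_final fin = (fn_find_final)dlsym(lib, "C_FindObjectsFinal");
    if (!init || !find || !fin) return -1;
    CK_ATTRIBUTE tmpl = { CKA_CLASS, &cls, sizeof cls };
    if (init(s, &tmpl, 1) != CKR_OK) return -1;
    long total = 0; CK_OBJECT_HANDLE h[16]; CK_ULONG n;
    while (find(s, h, 16, &n) == CKR_OK && n > 0) total += (long)n;
    fin(s);
    return total;
}

/* Load the module, walk every slot (one per wrapped store) and print the
 * certificate / request counts. Returns 0 on success, -1 when the module
 * cannot be loaded, a required symbol is missing, or C_Initialize fails. */
int inventory_slots(const char *module_path, const char *error_flags) {
    /* Diagnostics must be configured before the module is loaded. */
    char level[32];
    snprintf(level, sizeof level, "%lu", error_level_mask(error_flags));
    setenv("PV_PKCS11_ERROR", "1", 1);
    setenv("PV_PKCS11_ERROR_LEVEL", level, 1);

    void *lib = dlopen(module_path, RTLD_NOW);
    if (!lib) { fprintf(stderr, "dlopen: %s\n", dlerror()); return -1; }
    fn_init C_Initialize = (fn_init)dlsym(lib, "C_Initialize");
    fn_fin C_Finalize = (fn_fin)dlsym(lib, "C_Finalize");
    fn_slots C_GetSlotList = (fn_slots)dlsym(lib, "C_GetSlotList");
    fn_open C_OpenSession = (fn_open)dlsym(lib, "C_OpenSession");
    fn_close C_CloseSession = (fn_close)dlsym(lib, "C_CloseSession");
    if (!C_Initialize || !C_Finalize || !C_GetSlotList || !C_OpenSession || !C_CloseSession) {
        dlclose(lib);
        return -1;
    }
    int rc = (C_Initialize(NULL) == CKR_OK) ? 0 : -1;
    CK_SLOT_ID slots[16]; CK_ULONG nslots = 16;
    if (rc == 0 && C_GetSlotList(1, slots, &nslots) == CKR_OK) {
        for (CK_ULONG i = 0; i < nslots; i++) {
            CK_SESSION_HANDLE s;
            if (C_OpenSession(slots[i], CKF_SERIAL_SESSION, NULL, NULL, &s) != CKR_OK) continue;
            printf("slot %lu: %ld certificates (CKO_X509), %ld requests (CKO_DATA)\n",
                   slots[i], count_class(lib, s, CKO_CERTIFICATE), count_class(lib, s, CKO_DATA));
            C_CloseSession(s);
        }
    }
    if (rc == 0) C_Finalize(NULL);
    dlclose(lib);
    return rc;
}

int main(int argc, char **argv) {
    /* Module path is an assumption: pass the built pvpkcs11.dll/.so as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "./pvpkcs11.so";
    return inventory_slots(path, "INFO,WARN,ERROR") == 0 ? 0 : 1;
}
```

Setting the two variables inside the process before dlopen matters because the module reads them when it is loaded; exporting them in the shell before running any PKCS#11 consumer (a browser, an SSH client, the test suite) has the same effect. Every dlsym result is checked before use, so a library that is not actually a PKCS#11 module fails cleanly with -1 rather than calling through a null pointer.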
Function | Algorithms |
---|---|
Hash | SHA1; SHA2; SHA384; SHA512 |
Sign | RSA w/ SHA1; RSA PKCS1 w/ SHA1, SHA2; RSA PSS w/ SHA1, SHA2; ECDSA w/ SHA1, SHA2 |
Exchange | |
Encryption | RSA OAEP; AES modes CBC, CBC-PAD, GCM, and ECB |

Function | Algorithms |
---|---|
Hash | SHA1; SHA2; SHA384; SHA512 |
Sign | RSA w/ SHA1; RSA PKCS1 w/ SHA1, SHA2; RSA PSS w/ SHA1, SHA2; ECDSA w/ SHA1, SHA2 |
Exchange | ECDH w/ SHA1 |
Encryption | RSA OAEP; AES modes CBC, CBC-PAD, GCM, and ECB |