PKCS11js
We make a package called Graphene, it provides a simplistic Object Oriented interface for interacting with PKCS#11 devices, for most people this is the right level to build on. In some cases you may want to interact directly with the PKCS#11 API, if so PKCS11js is the package for you.
PKCS#11 (also known as CryptoKI or PKCS11) is the standard interface for interacting with hardware crypto devices such as Smart Cards and Hardware Security Modules (HSMs).
This was developed to the PKCS#11 2.30 specification, the 2.40 headers were not availible at the time we created this, it should be easy enough to extend it for the new version at a later date.
It has been tested with :
NOTE: For testing purposes it may be easier to work with SoftHSM2 which is a software implementation of PKCS#11 based on OpenSSL or Botan.
Installation
$ npm install pkcs11js
Install SoftHSM2
- For OSX see the instructions here
- For linux instructions here
Examples
Example #1
var pkcs11js = ; var pkcs11 = ;pkcs11; pkcs11; try // Getting info about PKCS11 Module var module_info = pkcs11; // Getting list of slots var slots = pkcs11; var slot = slots0; // Getting info about slot var slot_info = pkcs11; // Getting info about token var token_info = pkcs11; // Getting info about Mechanism var mechs = pkcs11; var mech_info = pkcs11; var session = pkcs11; // Getting info about Session var info = pkcs11; pkcs11; /** * Your app code here */ pkcs11; pkcs11;catche console;finally pkcs11;
Example #2
Generating secret key using AES mechanism
var template = type: pkcs11jsCKA_CLASS value: pkcs11jsCKO_SECRET_KEY type: pkcs11jsCKA_TOKEN value: false type: pkcs11jsCKA_LABEL value: "My AES Key" type: pkcs11jsCKA_VALUE_LEN value: 256 / 8 type: pkcs11jsCKA_ENCRYPT value: true type: pkcs11jsCKA_DECRYPT value: true ;var key = pkcs11;
Example #3
Generating key pair using RSA-PKCS1 mechanism
var publicKeyTemplate = type: pkcs11jsCKA_CLASS value: pkcs11jsCKO_PUBLIC_KEY type: pkcs11jsCKA_TOKEN value: false type: pkcs11jsCKA_LABEL value: "My RSA Public Key" type: pkcs11jsCKA_PUBLIC_EXPONENT value: 1 0 1 type: pkcs11jsCKA_MODULUS_BITS value: 2048 type: pkcs11jsCKA_VERIFY value: true ;var privateKeyTemplate = type: pkcs11jsCKA_CLASS value: pkcs11jsCKO_PRIVATE_KEY type: pkcs11jsCKA_TOKEN value: false type: pkcs11jsCKA_LABEL value: "My RSA Private Key" type: pkcs11jsCKA_SIGN value: true ;var keys = pkcs11;
Example #4
Generating key pair using ECDSA mechanism
var publicKeyTemplate = type: pkcs11jsCKA_CLASS value: pkcs11jsCKO_PUBLIC_KEY type: pkcs11jsCKA_TOKEN value: false type: pkcs11jsCKA_LABEL value: "My EC Public Key" type: pkcs11jsCKA_EC_PARAMS value: "06082A8648CE3D030107" "hex" // secp256r1;var privateKeyTemplate = type: pkcs11jsCKA_CLASS value: pkcs11jsCKO_PRIVATE_KEY type: pkcs11jsCKA_TOKEN value: false type: pkcs11jsCKA_LABEL value: "My EC Private Key" type: pkcs11jsCKA_DERIVE value: true ;var keys = pkcs11;
Example #4
Working with Object
var nObject = pkcs11; // Updating lable of Objectpkcs11; // Getting attribute valuevar label = pkcs11;console; // My custom data!!!console
Example #4
Searching objects
NOTE: If template is not setted for C_FindObjectsInit, then C_FindObjects returns all objects from slot
pkcs11;var hObject = pkcs11;while hObject var attrs = pkcs11; // Output info for objects from token only if attrs1value0 console; hObject = pkcs11;pkcs11;
Example #5
Generating random values
var random = pkcs11;console;
or
var random = 20;pkcs11;console;
Example #6
Digest
pkcs11; pkcs11;pkcs11; var digest = pkcs11; console;
Example #7
Signing data
pkcs11; pkcs11;pkcs11; var signature = pkcs11;
Verifying data
pkcs11; pkcs11;pkcs11; var verify = pkcs11;
Example #8
Encrypting data with AES-CBC mechanism
var cbc_param = pkcs11; pkcs11; var enc = 0;enc = Buffer;enc = Buffer;enc = Buffer; console;
Decrypting data with AES-CBC mechanism
pkcs11; var dec = 0;dec = Buffer;dec = Buffer; console;
Example #9
Deriving key with ECDH mechanism
// Recieve public data from EC public keyvar attrs = pkcs11var ec = attrs0value; var derivedKey = pkcs11;
Example #10
Initializing NSS crypto library
Use options
parameter for C_Initialize
function.
Type
/** * Initializes the Cryptoki library * @param options Initialization options * Supports implementation of standard `CK_C_INITIALIZE_ARGS` and extended NSS format. * - if `options` is null or empty, it calls native `C_Initialize` with `NULL` * - if `options` doesn't have `libraryParameters`, it uses `CK_C_INITIALIZE_ARGS` structure * - if `options` has `libraryParameters`, it uses extended NSS structure */C_Initializeoptions?: InitializationOptions: void;
Code
const mod = ;mod; mod; // Your code here mod;
More info about NSS params for C_Initialize
BIP32 Master and Child Key Pair Derivation
Please see bip32.js for an example of performing BIP32 master and child key pair derivations.
The example requires installing sha256 and bn.js:
$ npm install sha256 bn.js
NOTE: This requires a SafeNet Luna HSM with BIP32 support.
Suitability
At this time this solution should be considered suitable for research and experimentation, further code and security review is needed before utilization in a production application.
Bug Reporting
Please report bugs either as pull requests or as issues in the issue tracker. Graphene has a full disclosure vulnerability policy. Please do NOT attempt to report any security vulnerability in this code privately to anybody.
Related
- PKCS #11 2.40 Specification
- Many PKCS #11 Specifications
- Attacking and Fixing PKCS#11 Security Tokens
- PERL PKCS #11 binding
- .NET PKCS #11 binding
- Ruby PKCS #11 binding
- OCaml PKCS #11 binding
- OCaml PKCS #11 CLI
- Go PKCS #11 binding
- PKCS #11 Admin
- Node.js Foreign Function Interface
- GOST PKCS#11 constants
- PKCS#11 logging proxy module
- PKCS#11 Proxy
- PKCS#11 Tests
- OpenCryptoKi
- SoftHSM
- SofHSM2 for Windows
- node-pcsc
- PKCS#11 URIs
- Key Length Recommendations