1# PKCS#11
2
3This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom where
4it makes sense. It has been tested with SoftHSM.
5
6## SoftHSM
7
8 * Make it use a custom configuration file `export SOFTHSM_CONF=$PWD/softhsm.conf`
9
10 * Then use `softhsm` to init it
11
12 ~~~
13 softhsm --init-token --slot 0 --label test --pin 1234
14 ~~~
15
16 * Then use `libsofthsm2.so` as the pkcs11 module:
17
18 ~~~ go
19 p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
20 ~~~
21
22## Examples
23
24A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
25
26~~~ go
27p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
28err := p.Initialize()
29if err != nil {
30 panic(err)
31}
32
33defer p.Destroy()
34defer p.Finalize()
35
36slots, err := p.GetSlotList(true)
37if err != nil {
38 panic(err)
39}
40
41session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
42if err != nil {
43 panic(err)
44}
45defer p.CloseSession(session)
46
47err = p.Login(session, pkcs11.CKU_USER, "1234")
48if err != nil {
49 panic(err)
50}
51defer p.Logout(session)
52
53p.DigestInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_SHA_1, nil)})
54hash, err := p.Digest(session, []byte("this is a string"))
55if err != nil {
56 panic(err)
57}
58
59for _, d := range hash {
60 fmt.Printf("%x", d)
61}
62fmt.Println()
63~~~
64
65Further examples are included in the tests.
66
67To expose PKCS#11 keys using the [crypto.Signer interface](https://golang.org/pkg/crypto/#Signer),
68please see [github.com/thalesignite/crypto11](https://github.com/thalesignite/crypto11).
View as plain text