corePKCS11

Introduction

corePKCS11 is a software based mock implementation of a subset of the PKCS #11 application programming interface (API). It is provided to enable hardware independent rapid prototyping and development before switching to a security hardware specific implementation in production devices.

PKCS #11 is a standardised and widely used API for manipulating common cryptographic objects. It is important because the functions it specifies allow application software to use, create, modify, and delete cryptographic objects without ever exposing those objects to the application's memory. For example, FreeRTOS AWS reference integrations use a small subset of the PKCS #11 API to, among other things, access the secret (private) key necessary to create a network connection that is authenticated and secured by the Transport Layer Security (TLS) protocol - without the application ever 'seeing' the key. PKCS #11 is maintained by the OASIS PKCS#11 Technical Committee.

Generally vendors for secure cryptoprocessors such as Trusted Platform Module (TPM), Hardware Security Module (HSM), Secure Element, or any other type of secure hardware enclave, distribute a PKCS #11 implementation with the hardware. The purpose of the corePKCS11 software only mock is therefore to provide a hardware independent PKCS #11 implementation for development use before switching to a security hardware specific implementation in production devices. Since the PKCS #11 interface is defined as part of the PKCS #11 specification replacing this library with another implementation should require little porting effort, as the interface will not change. The system tests distributed with corePKCS #11 can be leveraged to verify your hardware specific PKCS #11 implementation behaves the same as corePKCS11.