Use cases for OpenSSL with PKCS#11
Read about use cases that show how to connect OpenSSL to either a PKCS#11 provider or a PKCS#11 engine.
The PKCS#11 standard defines a platform-independent API called Cryptoki to interact with cryptographic modules, that is, with devices that hold cryptographic information and perform cryptographic functions. Cryptoki follows a simple object-based approach that addresses the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices). It presents to applications a common, logical view of the device, called a cryptographic token. These tokens then perform the operations on keys that are opaque to the user.
Two use cases are presented that demonstrate how to connect PKCS#11 with OpenSSL.
For information about PKCS#11 and the use of openCryptoki, an open source implementation of Cryptoki, the C/C++ API defined by the PKCS#11 standard, refer to openCryptoki - An Open Source Implementation of PKCS #11.
Prerequisites
Certain software prerequisites must be fulfilled if you want to use PKCS#11 together with OpenSSL (through either an engine or a provider):
- a Cryptoki library, for example, the openCryptoki library libopencryptoki.so
- a PKCS#11 token (for example, a Soft token or an EP11 token)
- tools for PKCS#11 key management, for example, the p11sak utility
- a working configuration for the above items
- OpenSSL version 3.0 or later for providers, or OpenSSL up to version 1.1.1 for engines only
- an OpenSSL-ready application
The following use cases are presented: