OpenSSL Conference

Taking the OpenSSL into the PKCS#11 world and vice versa
2025-10-07, Krakow / Business Value & Enterprise Adoption

OpenSSL never directly supported accessing hardware modules through PKCS#11. Over the years, the community created various engines for this task, but only with the OpenSSL 3 Store API and provider integration did it become more streamlined, which is when we started working on the pkcs11-provider project [1].

But we did not stop here. From the pkcs11-provider side, we brought the SKEY API to OpenSSL 3.5. We also implemented a new software PKCS#11 module, kryoptic [2] (built on OpenSSL), which closes the circle: OpenSSL can now also be used as a PKCS#11 module.

In this presentation, I would like to talk about the recent development of the PKCS#11 standard, about the development of pkcs11-provider, and about how kryoptic works and what problems it solved for us.

[1] https://github.com/latchset/pkcs11-provider
[2] https://github.com/latchset/kryoptic/


PKCS#11 is a standard defining a unified API for accessing smart cards and Hardware Security Modules. It is widely supported by different cryptographic libraries so they can (to some extent) transparently offload cryptographic operations to hardware, protecting the private key material from potential attackers and effectively defeating Heartbleed-type attacks on the key.

The recent publication of the PKCS#11 3.2 specification brought support for common Post-Quantum Cryptography algorithms as well as other needed APIs, such as the validation API, which opens a way for tokens to signal FIPS certification to applications.

OpenSSL does not support using PKCS#11 directly, so over the last three years we implemented pkcs11-provider, the de-facto standard PKCS#11 provider for OpenSSL, releasing version 1.0 early this year. But we are not stopping here: version 2.0 plans to support PQC cryptography, the SKEY API and much more.
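Added here as an illustration, not taken from the abstract or from the project's own files: the shape of an OpenSSL 3 configuration that activates pkcs11-provider next to the default provider, after which keys on the token are reached through the Store API by `pkcs11:` URI. The `pkcs11-module-*` option names are those the provider documents; the file paths, token name and key label are placeholder assumptions.

```ini
# openssl.cnf fragment: load pkcs11-provider alongside the default provider.
# All paths below are placeholders for this example; adjust to the installed files.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# The provider shared object built by the pkcs11-provider project.
module = /usr/lib64/ossl-modules/pkcs11.so
# The PKCS#11 module the provider drives: an HSM vendor library, SoftHSM, or kryoptic.
pkcs11-module-path = /usr/lib64/pkcs11/libkryoptic_pkcs11.so
# Keep the PIN out of the config file itself; the provider reads it from this file.
pkcs11-module-token-pin = file:/etc/pki/pkcs11/token.pin
activate = 1

# With this in place, keys are addressed by RFC 7512 URI through the Store API, e.g.
#   openssl pkeyutl -sign -inkey 'pkcs11:token=mytoken;object=mykey;type=private' \
#       -in data.bin -out data.sig
# The private key never leaves the token; only the signature comes back to OpenSSL.
```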

Working with a standard API defined in a document that is several hundred pages long is hard, as implementers might understand the requirements differently, leading to interoperability issues. Therefore, throughout the development of pkcs11-provider, we focused heavily on testing against different software tokens in our CI. This led us to the last piece, the kryoptic project.

Kryoptic is a software PKCS#11 module, written in Rust, implementing the latest PKCS#11 standard and using OpenSSL for the cryptographic primitives. This allows us to properly test pkcs11-provider and effectively instruct OpenSSL to offload cryptographic operations to ... OpenSSL :)

Another side outcome is that we wrote lightweight OpenSSL bindings for Rust that work well with the OpenSSL 3 API, as we did not find any existing ones that suited our needs.

Kryoptic has one more feature, though. It can statically link directly to the OpenSSL FIPS provider, effectively exposing the FIPS-certified API to other applications, which can now use it via the PKCS#11 API.

Jakub Jelen is a Principal Software Engineer at Red Hat, working on various projects in the security and cryptography area.