PKCS #11 modules in Go without cgo

Go Reference

This project implements p11-kit RPC server protocol, allowing Go
programs to act as a PKCS #11 module without the need for cgo. Clients load the shared library, then communicate over RPC to the Go server.

       | client (e.g. Chrome) |
     (PKCS #11 - shared library)
        | |
        (RPC over unix socket)
| |


The example directory contains a demo server that reads keys and certificates
from disk and serves them on a unix socket. To build and start the server, run
the following commands:

go build -o bin/example-p11-kit-server ./example/example-p11-kit-server
./bin/example-p11-kit-server --priv example/priv.pem --pub example/pub.pem --cert example/cert.pem

The server will print out an environment variable to set similar to:

export P11_KIT_SERVER_ADDRESS=unix:path=/tmp/1056705225/p11kit.sock

In another shell, export the environment variable, and use
to query the example server:

$ export P11_KIT_SERVER_ADDRESS=unix:path=/tmp/1056705225/p11kit.sock
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/ --list-slots
Available slots:
Slot 0 (0x1): example-slot
  token label        : example
  token manufacturer : go-p11-kit
  token model        : example-server
  token flags        : token initialized, readonly
  hardware version   : 0.1
  firmware version   : 0.1
  serial num         : 12345678
  pin min/max        : 0/0
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/ --list-objects
Using slot 0 with a present token (0x1)
Certificate Object; type = X.509 cert
  subject:    DN: CN=test
Private Key Object; RSA
  Usage:      decrypt, sign
  Access:     none
Public Key Object; RSA 256 bits
  Usage:      encrypt, verify
  Access:     none


View Github