
How to communicate via PKCS#11 with a HSM

I have a Python application which needs to encrypt data. The symmetric keys lie in a separate piece of hardware called an HSM.

I have implemented a wrapper in Python

pip install python-pkcs11

and set the path to the c-pkcs11-library for initialization.

lib = pkcs11.lib(os.environ['PATH_TO_C-PKCS11_LIB'])

But what next? How can I configure the whole wrapper or the C-library to watch in the HSM for the key?

And how do the app and the HSM communicate? Is it via HTTP?

Appreciate any help

Your question is very broad. Have a look at the examples in the documentation. Use get_key to look up the key in the HSM and encrypt to encrypt.

Example code encrypting a block of zeroes in CBC mode with a zero IV using the AES key TEST stored in the HSM token DEMO:

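import os
import pkcs11

# PKCS11_MODULE holds the path to the HSM vendor's PKCS#11 shared library
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
# Select the token (logical HSM partition) by its label
token = lib.get_token(token_label='DEMO')
# Log in as the normal user; the PIN is hard-coded here only for the demo
with token.open(user_pin='1234') as session:
    # Look up the existing AES key object by label
    key = session.get_key(key_type=pkcs11.mechanisms.KeyType.AES, label='TEST')
    iv = bytes.fromhex('00000000000000000000000000000000')
    data = bytes.fromhex('00000000000000000000000000000000')
    # Encrypt through the key object with the AES-CBC mechanism
    ciphertext = key.encrypt(data=data, mechanism=pkcs11.mechanisms.Mechanism.AES_CBC, mechanism_param=iv)
    print(ciphertext.hex())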

You definitely should read the PKCS#11 specification and SDK documentation for your HSM.

Good luck with your project!
