In this section we present the smart-card and hardware security module (HSM) support in GnuTLS using PKCS #11 [PKCS11]. Hardware security modules and smart cards provide a way to store private keys and perform operations on them without exposing them. This decouples cryptographic keys from the applications that use them and provide an additional security layer against cryptographic key extraction. Since this can also be achieved in software components such as in Gnome keyring, we will use the term security module to describe any cryptographic key separation subsystem.
PKCS #11 is plugin API allowing applications to access cryptographic
operations on a security module, as well as to objects residing on it. PKCS
#11 modules exist for hardware tokens such as smart cards10,
cryptographic tokens, as well as for software modules like Gnome Keyring.
The objects residing on a security module may be certificates, public keys,
private keys or secret keys. Of those certificates and public/private key
pairs can be used with GnuTLS. PKCS #11’s main advantage is that
it allows operations on private key objects such as decryption
and signing without exposing the key. In GnuTLS the PKCS #11 functionality is
Moreover PKCS #11 can be (ab)used to allow all applications in the same operating system to access shared cryptographic keys and certificates in a uniform way, as in Figure 5.1. That way applications could load their trusted certificate list, as well as user certificates from a common PKCS #11 module. Such a provider is the p11-kit trust storage module11.
|• PKCS11 Initialization:|
|• Accessing objects that require a PIN:|
|• Reading objects:|
|• Writing objects:|
|• Using a PKCS11 token with TLS:|
|• p11tool Invocation:|
For example, OpenSC-supported cards.