快速鏈接:
.
👉👉👉 個人博客筆記導(dǎo)讀目錄(全部) 👈👈👈

概念

PKCS#11標準定義了與密碼令牌（如硬件安全模塊（HSM）和智能卡）的獨立于平臺的API，并將API本身命名為“Cryptoki”（來自“加密令牌接口”，發(fā)音為“crypto-key” - 但是“PKCS#11”通常用于指代API以及定義它的標準）。 API定義了最常用的加密對像類型（RSA密鑰，X.509證書，DES / 三重DES密鑰等）以及使用，創(chuàng)建/生成，修改和刪除這些對象所需的所有功能。

在密碼系統(tǒng)中，PKCS#11是公鑰加密標準（PKCS, Public-Key Cryptography Standards）中的一份子 ，由RSA實驗室(RSA Laboratories)發(fā)布[1]，它為加密令牌定義了一組平臺無關(guān)的API ，如硬件安全模塊和智能卡。
由于沒有一個真正的標準加密令牌，這個API已經(jīng)發(fā)展成為一個通用的加密令牌的抽象層。 PKCS#11 API定義最常用的加密對象類型（ RSA密鑰，X.509證書，DES /三重DES密鑰等）和所有需要使用的功能，創(chuàng)建/生成，修改和刪除這些對象。注意：pkcs#11只提供了接口的定義， 不包括接口的實現(xiàn)，一般接口的實現(xiàn)是由設(shè)備提供商提供的，如usbkey的生產(chǎn)廠商會提供 符合PKCS#11接口標準的API的實現(xiàn)。這樣你只要通過接口調(diào)用API函數(shù)即可實現(xiàn)其功能

簡而言之， PKCS#11 是一個標準，規(guī)定了Cryptoki API .

Cryptoki API

Cryptoki API有哪些API ？ 可以去查閱pkcs11-base-v3.0-os.pdf文檔的第5小節(jié)

Cryptoki API 分為以下幾類

• general-purpose functions (4 functions)
• slot and token management functions (9 functions)
• session management functions (8 functions)
• object management functions (9 functions)
• encryption functions (4 functions)
• message-based encryption functions (5 functions)
• decryption functions (4 functions)
• message digesting functions (5 functions)
• signing and MACing functions (6 functions)
• functions for verifying signatures and MACs (6 functions)
• dual-purpose cryptographic functions (4 functions)
• key management functions (5 functions)
• random number generation functions (2 functions)
• parallel function management functions (2 functions)

optee中的pkcs#11集成(HSM in optee)

設(shè)計框圖非常簡單，其實就是一個CA(lib庫的形式存在)和一個TA

如下列出了CA(lib庫中所支持的CryptokiAPI

(optee_client/libckteec/src/pkcs11_api.c)static const CK_FUNCTION_LIST libckteec_function_list = {.version = {.major = CK_PKCS11_VERSION_MAJOR,.minor = CK_PKCS11_VERSION_MINOR,},.C_Initialize = C_Initialize,.C_Finalize = C_Finalize,.C_GetInfo = C_GetInfo,.C_GetFunctionList = C_GetFunctionList,.C_GetSlotList = C_GetSlotList,.C_GetSlotInfo = C_GetSlotInfo,.C_GetTokenInfo = C_GetTokenInfo,.C_GetMechanismList = C_GetMechanismList,.C_GetMechanismInfo = C_GetMechanismInfo,.C_InitToken = C_InitToken,.C_InitPIN = C_InitPIN,.C_SetPIN = C_SetPIN,.C_OpenSession = C_OpenSession,.C_CloseSession = C_CloseSession,.C_CloseAllSessions = C_CloseAllSessions,.C_GetSessionInfo = C_GetSessionInfo,.C_GetOperationState = C_GetOperationState,.C_SetOperationState = C_SetOperationState,.C_Login = C_Login,.C_Logout = C_Logout,.C_CreateObject = C_CreateObject,.C_CopyObject = C_CopyObject,.C_DestroyObject = C_DestroyObject,.C_GetObjectSize = C_GetObjectSize,.C_GetAttributeValue = C_GetAttributeValue,.C_SetAttributeValue = C_SetAttributeValue,.C_FindObjectsInit = C_FindObjectsInit,.C_FindObjects = C_FindObjects,.C_FindObjectsFinal = C_FindObjectsFinal,.C_EncryptInit = C_EncryptInit,.C_Encrypt = C_Encrypt,.C_EncryptUpdate = C_EncryptUpdate,.C_EncryptFinal = C_EncryptFinal,.C_DecryptInit = C_DecryptInit,.C_Decrypt = C_Decrypt,.C_DecryptUpdate = C_DecryptUpdate,.C_DecryptFinal = C_DecryptFinal,.C_DigestInit = C_DigestInit,.C_Digest = C_Digest,.C_DigestUpdate = C_DigestUpdate,.C_DigestKey = C_DigestKey,.C_DigestFinal = C_DigestFinal,.C_SignInit = C_SignInit,.C_Sign = C_Sign,.C_SignUpdate = C_SignUpdate,.C_SignFinal = C_SignFinal,.C_SignRecoverInit = C_SignRecoverInit,.C_SignRecover = C_SignRecover,.C_VerifyInit = C_VerifyInit,.C_Verify = C_Verify,.C_VerifyUpdate = C_VerifyUpdate,.C_VerifyFinal = C_VerifyFinal,.C_VerifyRecoverInit = C_VerifyRecoverInit,.C_VerifyRecover = C_VerifyRecover,.C_DigestEncryptUpdate = C_DigestEncryptUpdate,.C_DecryptDigestUpdate = C_DecryptDigestUpdate,.C_SignEncryptUpdate = C_SignEncryptUpdate,.C_DecryptVerifyUpdate = C_DecryptVerifyUpdate,.C_GenerateKey = C_GenerateKey,.C_GenerateKeyPair = C_GenerateKeyPair,.C_WrapKey = C_WrapKey,.C_UnwrapKey = C_UnwrapKey,.C_DeriveKey = C_DeriveKey,.C_SeedRandom = C_SeedRandom,.C_GenerateRandom = C_GenerateRandom,.C_GetFunctionStatus = C_GetFunctionStatus,.C_CancelFunction = C_CancelFunction,.C_WaitForSlotEvent = C_WaitForSlotEvent, };

參考

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Python PKCS#11 - High Level Wrapper API
Oracle Solaris 加密框架 : Overview of the Cryptoki Library

總結(jié)

以上是生活随笔為你收集整理的pkcs#11和Cryptoki的介绍的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。