#pkcs11 #keychain #macos #back-end

native-pkcs11-keychain

native-pkcs11 backend for macos keychain

22 releases

Uses new Rust 2024

0.2.26 Mar 18, 2025
0.2.24 Jan 13, 2025
0.2.23 Dec 18, 2024
0.2.22 Oct 1, 2024
0.2.7 Mar 22, 2023

#253 in Authentication

Download history (downloads per week):
  • 15 @ 2024-12-24
  • 51 @ 2025-01-07
  • 67 @ 2025-01-14
  • 7 @ 2025-01-21
  • 5 @ 2025-01-28
  • 1 @ 2025-02-04
  • 58 @ 2025-02-11
  • 126 @ 2025-02-18
  • 18 @ 2025-02-25
  • 5 @ 2025-03-04
  • 4 @ 2025-03-11
  • 130 @ 2025-03-18
  • 8 @ 2025-03-25
  • 1 @ 2025-04-01
  • 10 @ 2025-04-08

151 downloads per month
Used in 2 crates

Apache-2.0

43KB
895 lines

native-pkcs11

pkcs11 module for native credential stores

native-pkcs11 is a crate for building PKCS#11 modules. Its primary use case is authenticating with client certificates. native-pkcs11 aims to support native certificate stores (macOS Keychain, Windows Platform Key Provider) out of the box. It can also be extended with a custom backend (see Building a Custom Backend below).

Host Software Compatibility

Software compatibility is a core goal of native-pkcs11. It is currently tested with

  • openssh
  • openvpn
  • Chrome
  • Firefox

If a native-pkcs11 module does not work for your software, please file an issue.

Building a Custom Backend

The native_pkcs11_traits::Backend trait can be implemented to add support for a new credential store. Backends are registered in the exported C_GetFunctionList function. In order to register your own backend, enable the custom-function-list feature on native-pkcs11 and export the function from your crate. For example:

use native_pkcs11::{CKR_OK, CK_FUNCTION_LIST_PTR_PTR, CK_RV, FUNC_LIST};

// `backend::MyBackend` is your own type implementing `native_pkcs11_traits::Backend`.
mod backend;

// On edition 2024 this attribute is spelled `#[unsafe(no_mangle)]`.
#[no_mangle]
pub extern "C" fn C_GetFunctionList(ppFunctionList: CK_FUNCTION_LIST_PTR_PTR) -> CK_RV {
    // Register the custom credential store before the function table is handed out,
    // so every later C_* call already sees it.
    native_pkcs11_traits::register_backend(Box::new(backend::MyBackend {}));
    // SAFETY: the host passes a valid, writable out-pointer per the PKCS#11 contract.
    // addr_of_mut! yields the raw pointer without forming a reference to the static.
    unsafe { *ppFunctionList = std::ptr::addr_of_mut!(FUNC_LIST) };
    CKR_OK
}
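To make the hand-off described above concrete, here is an added, self-contained Rust model of the C_GetFunctionList contract; it is not code from native-pkcs11, and it does not use the crate. The `Backend` trait, the `FunctionList` struct (a two-field stand-in for `CK_FUNCTION_LIST`), the `ConstructedKeychainBackend` type and the `host_bootstrap` helper are all assumptions made for illustration. The return-code values and the version header layout are the ones from the PKCS#11 specification. It shows the two sides of the exchange: the module registers its backend once (thread-safe, first registration wins) and validates the out-pointer before writing the table, and the host checks the version header before calling through the table.

```rust
use std::ffi::c_void;
use std::ptr;
use std::sync::OnceLock;

// Return codes with the values assigned by the PKCS#11 specification.
pub type CkRv = u64;
pub const CKR_OK: CkRv = 0x00;
pub const CKR_GENERAL_ERROR: CkRv = 0x05;
pub const CKR_ARGUMENTS_BAD: CkRv = 0x07;

/// Cryptoki version header that begins every CK_FUNCTION_LIST.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CkVersion {
    pub major: u8,
    pub minor: u8,
}

/// Reduced stand-in (assumption) for CK_FUNCTION_LIST: the version header plus a
/// single entry point, where the real table carries every C_* function.
#[repr(C)]
pub struct FunctionList {
    pub version: CkVersion,
    pub c_initialize: unsafe extern "C" fn(*mut c_void) -> CkRv,
}

/// Hypothetical backend trait: models only the registration pattern, not the
/// real native_pkcs11_traits::Backend interface.
pub trait Backend: Send + Sync {
    fn name(&self) -> &str;
}

/// Process-wide registry. OnceLock makes registration thread-safe and first-wins:
/// a second registration is rejected instead of silently swapping credential stores.
static BACKEND: OnceLock<Box<dyn Backend>> = OnceLock::new();

pub fn register_backend(backend: Box<dyn Backend>) -> bool {
    BACKEND.set(backend).is_ok()
}

pub fn registered_backend_name() -> Option<&'static str> {
    BACKEND.get().map(|b| b.name())
}

/// Entry point reached through the table; refuses to initialize when no store is registered.
unsafe extern "C" fn c_initialize(_init_args: *mut c_void) -> CkRv {
    if BACKEND.get().is_none() {
        return CKR_GENERAL_ERROR;
    }
    CKR_OK
}

// The table handed to hosts; the header advertises Cryptoki 2.40.
static mut FUNC_LIST: FunctionList = FunctionList {
    version: CkVersion { major: 2, minor: 40 },
    c_initialize,
};

/// Constructed stand-in for a keychain-backed credential store.
struct ConstructedKeychainBackend;

impl Backend for ConstructedKeychainBackend {
    fn name(&self) -> &str {
        "constructed-keychain-backend"
    }
}

/// Module-side entry point, as a host would look it up. Validates the out-pointer,
/// registers the backend, then hands out the table.
#[allow(non_snake_case)]
pub unsafe extern "C" fn C_GetFunctionList(pp_function_list: *mut *mut FunctionList) -> CkRv {
    if pp_function_list.is_null() {
        return CKR_ARGUMENTS_BAD;
    }
    register_backend(Box::new(ConstructedKeychainBackend));
    // addr_of_mut! yields a raw pointer without forming a reference to the static.
    *pp_function_list = ptr::addr_of_mut!(FUNC_LIST);
    CKR_OK
}

/// Host-side bootstrap: fetch the table, check the version header, then call through it.
/// Returns (rv from C_GetFunctionList, version header, rv from C_Initialize).
pub fn host_bootstrap() -> (CkRv, Option<CkVersion>, Option<CkRv>) {
    let mut table: *mut FunctionList = ptr::null_mut();
    let rv = unsafe { C_GetFunctionList(&mut table) };
    if rv != CKR_OK || table.is_null() {
        return (rv, None, None);
    }
    let list = unsafe { &*table };
    // A host rejects a pre-2.x table before dereferencing any entry in it.
    if list.version.major < 2 {
        return (rv, Some(list.version), None);
    }
    let init_rv = unsafe { (list.c_initialize)(ptr::null_mut()) };
    (rv, Some(list.version), Some(init_rv))
}

fn main() {
    println!("{:?}", host_bootstrap());
}
```

The ordering matters: registration happens inside C_GetFunctionList, which the host calls exactly once before anything else, so C_Initialize and every later call can rely on the store being present.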

Running tests

macOS

Create a temporary keychain and set NATIVE_PKCS11_KEYCHAIN_PATH so that cargo test runs without endless password prompts.

$ . tests/create_keychain.sh
$ cargo test

Releasing

The cargo-workspaces tool (invoked as cargo ws) can be used to bump the version of, and release, all crates in the workspace at once. It can be installed with cargo install cargo-workspaces.

# Create a branch for the release PR
git checkout -b release
# Bump the version of all crates in the workspace
cargo ws version --allow-branch=release --no-git-push
# Publish all crates to crates.io
cargo ws publish --no-git-push

Dependencies

~4.5MB
~78K SLoC