PKCS - Wikiwand
What are Public-Key Cryptography Standards (PKCS)?
Guide to Public Key Cryptography Standards in Cyber Security | RSI Security
PKCS #1: RSA (RFC8017)
PKCS #3: Diffie–Hellman Key Agreement Standard
RFC 8018 - PKCS #5: Password-Based Cryptography Specification Version 2.1
PBKDF2 - Wikiwand
Certificate signing request - Wikiwand
RFC 2986 - PKCS #10: Certification Request Syntax Specification Version 1.7
PKCS 12 - Wikiwand
RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1
PKCS 7/CMS
PKCS 7 - Wikiwand
RFC 2315 - PKCS #7: Cryptographic Message Syntax Version 1.5
RFC 5652 - Cryptographic Message Syntax (CMS): the IETF picked up CMS; obsoletes RFC 3852
- SignedData
- EnvelopedData
- EncryptedData
- DigestedData
- AuthenticatedData
Defines the content-encryption process, in particular the PKCS7Padding used for block ciphers: append N bytes, each with the value N, where N is the number of padding bytes needed. Even if the original data is already aligned, say to a block size of 16, 16 bytes of value 16 are still added so that unpadding is deterministic.
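The padding rule above as a runnable sketch (an added example, not taken from RFC 5652 or any library). The 16-byte block size and the function names are assumptions, and the sample inputs are constructed. It also shows why aligned input still gets a full block of padding.

```python
BLOCK_SIZE = 16  # assumed block size (AES); the rule works for 1..255


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append N bytes of value N, with N in 1..block_size."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be 1..255")
    # Aligned input gives n == block_size, never 0.
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip padding; reject anything pkcs7_pad could not have produced."""
    if not padded or len(padded) % block_size != 0:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if n < 1 or n > block_size:
        raise ValueError("padding length byte out of range")
    if padded[-n:] != bytes([n]) * n:
        raise ValueError("padding bytes are not all equal to N")
    return padded[:-n]


def aligned_case() -> dict:
    """Aligned plaintext whose last byte happens to look like padding."""
    data = b"A" * 15 + b"\x01"  # constructed sample, exactly one block
    return {
        # Correct: a full block of 0x10 is appended and later removed.
        "round_trip_ok": pkcs7_unpad(pkcs7_pad(data)) == data,
        # If the sender skipped padding for aligned input, the receiver
        # would read the trailing 0x01 as padding and drop a data byte.
        "unpadded_misread": pkcs7_unpad(data),
    }


if __name__ == "__main__":
    print(pkcs7_pad(b"A" * 11).hex())  # 11 data bytes + five 0x05 bytes
    print(pkcs7_pad(b"A" * 16).hex())  # 16 data bytes + sixteen 0x10 bytes
    print(aligned_case())
```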
RFC 5083 - Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type
- AuthEnvelopedData
RFC 3274 - Compressed Data Content Type for Cryptographic Message Syntax (CMS)
- CompressedData
RFC 4073 - Protecting Multiple Contents with the Cryptographic Message Syntax (CMS)
- ContentCollection
- ContentWithAttributes
RFC 4108 - Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages
RFC 5958 - Asymmetric Key Packages (obsoletes RFC 5208, PKCS #8)
RFC 6010 - Cryptographic Message Syntax (CMS) Content Constraints Extension
RFC 6160 - Algorithms for Cryptographic Message Syntax (CMS) Protection of Symmetric Key Package Content Types
RFC 6211 - Cryptographic Message Syntax (CMS) Algorithm Identifier Protection Attribute
RFC 7468 - Textual Encodings of PKIX, PKCS, and CMS Structures
RFC 8696 - Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)
PKCS 11
PKCS 11 - Wikiwand: Cryptoki, a C API for communicating with HSMs or smart cards
PKCS #11 Specification Version 3.1
oasis-tcs/pkcs11: OASIS PKCS 11 TC: Repository to support version control for development of technical files associated with the OASIS PKCS11 specification
pkcs11-spec-v3.2-wd13.docx uploaded | OASIS PKCS 11 TC
Clients
jdk.crypto.cryptoki implementation of the SunPKCS11 security provider
Java PKCS#11 Reference Guide
SimpleMethod/PKCS11-Java-Wrapper: A comprehensive Java library for interacting with PKCS#11 (Cryptoki) compatible hardware security modules (HSMs) and smart cards. This wrapper simplifies cryptographic operations while maintaining high security standards. GPL v3
OpenSC/OpenSC: Open source smart card tools and middleware. PKCS#11/MiniDriver/Tokend LGPL v2.1
openCryptoki - An Open Source Implementation of PKCS #11 - IBM Documentation
opencryptoki/opencryptoki: PKCS#11 library and tools for Linux and AIX. Includes tokens supporting IBM crypto hardware as well as a software token.
c - OpenSC vs openCryptoKI - Stack Overflow
OpenSC is a software stack for smart cards. And it includes a PKCS#11 module. OpenCryptoki is "just" a PKCS#11 module (meaning software-only-module, except for some IBM PCI cards, apparently) that has nothing to do with (most) smart cards.
Software implementations
softhsm/SoftHSMv2: SoftHSM version 2
SoftHSMv2 · Cloudflare SSL/TLS docs
corePKCS11: Overview
FreeRTOS/corePKCS11: Software implementation of the PKCS #11 standard.
yay -S softhsm opensc
> softhsm2-util --show-slots
Available slots:
Slot 0
Slot info:
Description: SoftHSM slot ID 0x0
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number:
Initialized: no
User PIN init.: no
Label:
> softhsm2-util --init-token --slot 0 --label Token1
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ******
Please reenter SO PIN: ******
=== User PIN (4-255 characters) ===
Please enter user PIN: ******
Please reenter user PIN: ******
error registering mldsa44 with no hash
The token has been initialized and is reassigned to slot 491172432
A Graduate Course in Applied Cryptography
> pkcs11-tool --show-info --module /usr/lib/softhsm/libsofthsm2.so
error registering mldsa44 with no hash
Cryptoki version 2.40
Manufacturer SoftHSM
Library Implementation of PKCS11 (ver 2.6)
Using slot 0 with a present token (0x1d46b250)
> pkcs11-tool --list-slots --module /usr/lib/softhsm/libsofthsm2.so
error registering mldsa44 with no hash
Available slots:
Slot 0 (0x1d46b250): SoftHSM slot ID 0x1d46b250
token label : Token1
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 2.6
firmware version : 2.6
serial num : 628ee7169d46b250
pin min/max : 4/255
uri : pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=628ee7169d46b250;token=Token1
Slot 1 (0x1): SoftHSM slot ID 0x1
token state: uninitialized