How to communicate via PKCS#11 with a HSM


I have a Python application which needs to encrypt data. The symmetric keys lie in a separate hardware device called an HSM.

I have implemented a wrapper in Python

pip install python-pkcs11

and set the path to the c-pkcs11-library for initialization.

lib = pkcs11.lib(os.environ['PATH_TO_C-PKCS11_LIB'])

But what next? How can I configure the whole wrapper or the C library to look for the key in the HSM?

And how do the app and the HSM communicate? Is it via HTTP?

Appreciate any help.

Answer by vlp (accepted):

Your question is very broad. Have a look at the examples in the documentation. Use get_key to look up the key in the HSM and encrypt to encrypt.

Example code encrypting a block of zeroes in CBC mode with a zero IV, using the AES key labelled TEST stored in the HSM token DEMO:

import os
import pkcs11

# Load the vendor's PKCS#11 module (a C shared library); its path comes from the environment.
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
# Select the token by label and open a user session on it with the PIN.
token = lib.get_token(token_label='DEMO')
with token.open(user_pin='1234') as session:
    # Look up the AES key object by its label; the key material never leaves the HSM.
    key = session.get_key(key_type=pkcs11.mechanisms.KeyType.AES, label='TEST')
    iv = bytes.fromhex('00000000000000000000000000000000')
    data = bytes.fromhex('00000000000000000000000000000000')
    # The encryption is performed inside the HSM; only the ciphertext comes back.
    ciphertext = key.encrypt(data=data, mechanism=pkcs11.mechanisms.Mechanism.AES_CBC, mechanism_param=iv)
    print(ciphertext.hex())

You definitely should read the PKCS#11 specification and SDK documentation for your HSM.

Good luck with your project!