Most people know that wolfSSL can act as a PKCS11 consumer. It is easy to enable this with the --enable-pkcs11 configure-time flag and then try out the examples. What most people don't realize is that wolfSSL can also act as a PKCS11 provider! This is done through our library wolfPKCS11. Check out the source repo on GitHub.
The most interesting thing about PKCS11 is that the post-quantum stateful hash-based signature scheme LMS/HSS has already been added to the PKCS11 standard. If you look at the latest specification, you can already find an example template definition for a private key (shown here with the `...` placeholders the specification itself uses for the parameter-set codes and the key material):

```c
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_HSS;
CK_UTF8CHAR label[] = "An HSS private key object";
CK_ULONG hssLevels = 123;            /* number of HSS levels */
CK_ULONG lmsTypes[] = {123,...};     /* one LMS parameter set per level */
CK_ULONG lmotsTypes[] = {123,...};   /* one LM-OTS parameter set per level */
CK_BYTE value[] = {...};             /* the private key material */
/* The specification's sample names these `true` and `false`; they are renamed
 * here because those are keywords in C23 and C++. */
CK_BBOOL ckTrue = CK_TRUE;
CK_BBOOL ckFalse = CK_FALSE;
CK_ATTRIBUTE template[] = {
    {CKA_CLASS, &keyClass, sizeof(keyClass)},
    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
    {CKA_TOKEN, &ckTrue, sizeof(ckTrue)},
    {CKA_LABEL, label, sizeof(label)-1},
    {CKA_SENSITIVE, &ckTrue, sizeof(ckTrue)},
    {CKA_EXTRACTABLE, &ckFalse, sizeof(ckFalse)},
    {CKA_HSS_LEVELS, &hssLevels, sizeof(hssLevels)},
    {CKA_HSS_LMS_TYPES, lmsTypes, sizeof(lmsTypes)},
    {CKA_HSS_LMOTS_TYPES, lmotsTypes, sizeof(lmotsTypes)},
    {CKA_VALUE, value, sizeof(value)},
    {CKA_SIGN, &ckTrue, sizeof(ckTrue)}
};
```
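The attributes in that template are not just bookkeeping. HSS is a stateful scheme: every leaf one-time key may sign exactly once, so a private key that can be exported and imported elsewhere (or simply backed up and restored) risks reusing state and breaking the signature's security. That is why the spec's example pins `CKA_SENSITIVE` to true and `CKA_EXTRACTABLE` to false, and why the level count must match the per-level parameter-set arrays. The following added example (not code from the wolfSSL post or from wolfPKCS11) is a pre-flight check an application can run on a template before handing it to `C_CreateObject`. The `CK_*` types and attribute codes are local stand-ins so the file builds without `pkcs11.h`; real code includes the OASIS header and must not redefine them. The level range (1 to 8) comes from RFC 8554, and the parameter-set codes and key bytes in the sample template are constructed values, not a real key.

```c
/* Pre-flight validation of an HSS private-key template (added example).
 * Stand-in PKCS#11 types and codes: real code includes pkcs11.h instead. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef unsigned char CK_BYTE;
typedef unsigned char CK_UTF8CHAR;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef CK_ULONG CK_KEY_TYPE;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE  1
#define CK_FALSE 0
/* Stand-in codes (assumption for this example); take the real values from pkcs11.h. */
enum { CKA_CLASS = 1, CKA_TOKEN, CKA_LABEL, CKA_KEY_TYPE, CKA_SENSITIVE, CKA_EXTRACTABLE,
       CKA_SIGN, CKA_VALUE, CKA_HSS_LEVELS, CKA_HSS_LMS_TYPES, CKA_HSS_LMOTS_TYPES };
enum { CKO_PRIVATE_KEY = 3 };
enum { CKK_HSS = 0x46 };

/* Reasons a template is rejected; HSS_TMPL_OK means it passed every check. */
enum hss_tmpl_result {
    HSS_TMPL_OK = 0,
    HSS_TMPL_NOT_PRIVATE_KEY,
    HSS_TMPL_NOT_HSS,
    HSS_TMPL_BAD_LEVELS,        /* RFC 8554: 1 <= L <= 8 */
    HSS_TMPL_TYPES_MISMATCH,    /* one LMS and one LM-OTS code per level */
    HSS_TMPL_EXTRACTABLE,       /* a stateful key must never leave the token */
    HSS_TMPL_NOT_SENSITIVE,
    HSS_TMPL_NOT_TOKEN_OBJECT   /* session objects vanish with their state */
};

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type) {
    for (CK_ULONG i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}

static int attr_ulong_is(const CK_ATTRIBUTE *a, CK_ULONG want) {
    return a && a->ulValueLen == sizeof(CK_ULONG) && *(const CK_ULONG *)a->pValue == want;
}

static int attr_bool_is(const CK_ATTRIBUTE *a, CK_BBOOL want) {
    return a && a->ulValueLen == sizeof(CK_BBOOL) && *(const CK_BBOOL *)a->pValue == want;
}

int check_hss_private_key_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    if (!attr_ulong_is(find_attr(t, n, CKA_CLASS), CKO_PRIVATE_KEY)) return HSS_TMPL_NOT_PRIVATE_KEY;
    if (!attr_ulong_is(find_attr(t, n, CKA_KEY_TYPE), CKK_HSS))       return HSS_TMPL_NOT_HSS;
    const CK_ATTRIBUTE *lv = find_attr(t, n, CKA_HSS_LEVELS);
    if (!lv || lv->ulValueLen != sizeof(CK_ULONG)) return HSS_TMPL_BAD_LEVELS;
    CK_ULONG levels = *(const CK_ULONG *)lv->pValue;
    if (levels < 1 || levels > 8) return HSS_TMPL_BAD_LEVELS;
    /* The type arrays are CK_ULONG[levels]; compare byte lengths. */
    const CK_ATTRIBUTE *lms = find_attr(t, n, CKA_HSS_LMS_TYPES);
    const CK_ATTRIBUTE *ots = find_attr(t, n, CKA_HSS_LMOTS_TYPES);
    if (!lms || !ots || lms->ulValueLen != levels * sizeof(CK_ULONG)
                     || ots->ulValueLen != levels * sizeof(CK_ULONG)) return HSS_TMPL_TYPES_MISMATCH;
    if (!attr_bool_is(find_attr(t, n, CKA_EXTRACTABLE), CK_FALSE)) return HSS_TMPL_EXTRACTABLE;
    if (!attr_bool_is(find_attr(t, n, CKA_SENSITIVE), CK_TRUE))    return HSS_TMPL_NOT_SENSITIVE;
    if (!attr_bool_is(find_attr(t, n, CKA_TOKEN), CK_TRUE))        return HSS_TMPL_NOT_TOKEN_OBJECT;
    return HSS_TMPL_OK;
}

/* Builds a template in the shape of the spec's example with constructed values
 * (two-level parameter arrays, dummy key bytes). Returns the attribute count. */
CK_ULONG build_hss_template(CK_ATTRIBUTE *out, CK_ULONG levels, CK_BBOOL extractable) {
    static CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
    static CK_KEY_TYPE keyType = CKK_HSS;
    static CK_UTF8CHAR label[] = "An HSS private key object";
    static CK_ULONG hssLevels;
    static CK_ULONG lmsTypes[2] = {5, 5};    /* constructed: LMS_SHA256_M32_H5 at each level */
    static CK_ULONG lmotsTypes[2] = {4, 4};  /* constructed: LMOTS_SHA256_N32_W8 at each level */
    static CK_BYTE value[] = {0x00, 0x01, 0x02, 0x03};  /* constructed placeholder, not a key */
    static CK_BBOOL ckTrue = CK_TRUE, ckFalse = CK_FALSE, extractableFlag;
    hssLevels = levels;
    extractableFlag = extractable;
    CK_ATTRIBUTE tmpl[] = {
        {CKA_CLASS, &keyClass, sizeof(keyClass)},
        {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
        {CKA_TOKEN, &ckTrue, sizeof(ckTrue)},
        {CKA_LABEL, label, sizeof(label) - 1},
        {CKA_SENSITIVE, &ckTrue, sizeof(ckTrue)},
        {CKA_EXTRACTABLE, &extractableFlag, sizeof(extractableFlag)},
        {CKA_HSS_LEVELS, &hssLevels, sizeof(hssLevels)},
        {CKA_HSS_LMS_TYPES, lmsTypes, sizeof(lmsTypes)},
        {CKA_HSS_LMOTS_TYPES, lmotsTypes, sizeof(lmotsTypes)},
        {CKA_VALUE, value, sizeof(value)},
        {CKA_SIGN, &ckTrue, sizeof(ckTrue)}
    };
    (void)ckFalse;
    memcpy(out, tmpl, sizeof(tmpl));
    return sizeof(tmpl) / sizeof(tmpl[0]);
}

/* Build-then-check in one call, so the outcome for a given shape is a return value. */
int demo(CK_ULONG levels, CK_BBOOL extractable) {
    CK_ATTRIBUTE t[16];
    CK_ULONG n = build_hss_template(t, levels, extractable);
    return check_hss_private_key_template(t, n);
}

int main(void) {
    printf("well-formed:        %d\n", demo(2, CK_FALSE));  /* 0 = HSS_TMPL_OK */
    printf("extractable key:    %d\n", demo(2, CK_TRUE));   /* HSS_TMPL_EXTRACTABLE */
    printf("levels != arrays:   %d\n", demo(3, CK_FALSE));  /* HSS_TMPL_TYPES_MISMATCH */
    return 0;
}
```

Running the check client-side does not replace the token's own enforcement, but it catches the most common mistake early: a template that quietly leaves the key extractable or session-scoped, which for a stateful scheme is a state-reuse risk rather than a mere policy nit.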
Are you looking to use wolfSSL to consume LMS/HSS? Our wolfCrypt library already supports LMS/HSS. Want to consume it through a PKCS11 interface? Want to get ahead of the curve and start prototyping ML-KEM (FIPS 203) or ML-DSA (FIPS 204) in PKCS11? Send a message to facts@wolfSSL.com to let us know which of these you want accelerated.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now