Application description
From the main Latchset - pkcs11-provider on GitHub (https://github.com/latchset/pkcs11-provider): This is an OpenSSL 3.x provider to access Hardware and Software Tokens using the PKCS#11 Cryptographic Token Interface. Access to tokens depends on loading an appropriate PKCS#11 driver that knows how to talk to the specific token. The PKCS#11 provider is a connector that allows OpenSSL to make proper use of such drivers. This code targets PKCS#11 version 3.1 but is backwards compatible to version 3.0 and 2.40 as well.
Why providers instead of engines
OpenSSL 3.x introduced a provider-based architecture, replacing the deprecated engine system from OpenSSL 1.x.

| Feature | OpenSSL 1.x Engine | OpenSSL 3.x Provider |
|---|---|---|
| Integration | Manual load, low-level ENGINE_* APIs | Modular, auto-loadable, integrated with EVP/config |
| Hardware Access | Requires engine-specific glue code | Standardized PKCS#11–style provider modules |
| FIPS Support | Separate FIPS engine, complex integration | Dedicated FIPS provider simplifies certification |
| Flexibility | Harder to extend, single-engine focus | Easier to extend, multiple providers can coexist |
Why Latchset pkcs11-provider
- Direct integration with OpenSSL 3.x provider API
- Variety of successful integrations tested with Futurex HSMs
- Supports PKCS#11 3.0+ tokens without extra libraries
- Simplifies configuration compared to engines
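
The configuration-driven loading described above, as an added example that is not taken from this guide or from the pkcs11-provider project: a minimal `openssl.cnf` fragment that activates the provider without any ENGINE_* calls. All file paths are placeholders (assumptions) and must be replaced with the real locations of the provider module, the HSM vendor's PKCS#11 library, and the PIN file on your system.

```ini
# Added example: minimal openssl.cnf for pkcs11-provider.
# Every path below is a placeholder, not a value from this guide.

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
# Once any provider is activated explicitly, OpenSSL no longer loads the
# default provider implicitly, so software algorithms (digests, TLS
# ciphers, and so on) need it activated here as well.
activate = 1

[pkcs11_sect]
# The OpenSSL provider module itself (placeholder path).
module = /path/to/ossl-modules/pkcs11.so

# The vendor PKCS#11 driver that talks to the token (placeholder path).
# The module path decides which library sees every key operation, so the
# file and its directory should be writable by root only.
pkcs11-module-path = /path/to/vendor/libpkcs11.so

# Optional: read the user PIN from a file instead of writing it inline.
# Keep the file readable only by the service account (mode 0400).
# Omit this line to have the PIN prompted for or supplied in the
# pkcs11: URI instead.
pkcs11-module-token-pin = file:/path/to/pin.txt

activate = 1
```

Running `openssl list -providers` against this configuration should list both `default` and `pkcs11` when the module paths are correct.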
Guardian integration
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:
- Centralization of device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems

