Cybersecurity-Projects/PROJECTS/advanced/hsm-emulator/vendor/pkcs11
CarterPerez-dev ccb1b40a15 feat(hsm-emulator): PKCS#11 HSM emulator in Zig (M0–M7)
Software HSM that compiles to a real Cryptoki (PKCS#11) v2.40 shared
object, loadable by pkcs11-tool / OpenSSL like a smartcard. SoftHSM2-style
three-layer split: C-ABI facade -> typed core state -> crypto + persistence.

- M0  hand-written v2.40 ABI + build-time OASIS cross-check; exports only C_GetFunctionList
- M1  sessions, login, Argon2id PIN, lockout
- M2  objects + find, CKA_PRIVATE gating, persisted token store
- M3  RNG, SHA-2 digest, HMAC, AES-CBC/CBC-PAD/GCM
- M4  ECDSA P-256/P-384 keygen + sign/verify (std.crypto)
- M5  RSA 2048-4096 via libcrypto: PKCS#1 v1.5 / PSS sign-verify, PKCS#1 / OAEP enc-dec
- M6  encrypted-at-rest store: selective AES-256-GCM envelope, master key wrapped under Argon2id(User-PIN)
- M7  hardening (session-secret zeroization, fail-closed relock, heap-leak scrub, ubsan-free ABI) + Docker

Verified three ways: 65/65 unit tests, in-process dlopen smoke, and
cross-process OpenSC pkcs11-tool (token keys survive process restart).

Also excludes vendor/pkcs11 from the trailing-whitespace / end-of-file
pre-commit hooks so the vendored OASIS headers keep their documented
SHA-256 provenance.
2026-06-01 20:35:48 -04:00
..
PROVENANCE.md feat(hsm-emulator): PKCS#11 HSM emulator in Zig (M0–M7) 2026-06-01 20:35:48 -04:00
pkcs11.h feat(hsm-emulator): PKCS#11 HSM emulator in Zig (M0–M7) 2026-06-01 20:35:48 -04:00
pkcs11f.h feat(hsm-emulator): PKCS#11 HSM emulator in Zig (M0–M7) 2026-06-01 20:35:48 -04:00
pkcs11t.h feat(hsm-emulator): PKCS#11 HSM emulator in Zig (M0–M7) 2026-06-01 20:35:48 -04:00
shim.h feat(hsm-emulator): PKCS#11 HSM emulator in Zig (M0–M7) 2026-06-01 20:35:48 -04:00