PKCS#11 Plugin

In addition to using the TSM SDK, it is also possible to integrate with a TSM via PKCS#11.

Blockdaemon provides a Go implementation of the PKCS#11 interface that uses the TSM for cryptography and key management.

Supported Mechanisms

  • CKM_AES_KEY_GEN
  • CKM_AES_CTR
  • CKM_EC_KEY_PAIR_GEN
  • CKM_ECDSA
  • CKM_ECDSA_SHA1
  • CKM_ECDSA_SHA224
  • CKM_ECDSA_SHA256
  • CKM_ECDSA_SHA384
  • CKM_ECDSA_SHA512
  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_RSA_X_509

Java Integration

We support Java CSP integration through SunPKCS11. After configuring the library with TSM info, the provider can be registered as follows:

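import java.io.ByteArrayInputStream;
import java.security.Security;
import sun.security.pkcs11.SunPKCS11;

// SunPKCS11 configuration: provider name suffix, path to the PKCS#11 library,
// and a template that marks AES secret keys as usable for encryption.
final String pkcs11ConfigSettings = String.format("name = TSM\n" +
                "library = %s\n" +
                "attributes(*,CKO_SECRET_KEY,CKK_AES) = {\n" +
                "  CKA_ENCRYPT = true\n" +
                "}", libraryPath);
final byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes();
final ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);
// This constructor is the Java 8 API; Java 9 removed it in favour of Provider.configure.
final SunPKCS11 provider = new SunPKCS11(confStream);
// The provider is registered under the name "SunPKCS11-TSM".
Security.addProvider(provider);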

Set the libraryPath to point to the p11Tsm library file.
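The following is an added example, not Blockdaemon's code: it uses the provider for the CKM_AES_KEY_GEN and CKM_AES_CTR mechanisms listed above, loading the same configuration through the Java 9+ Provider.configure API. The class name, the 256-bit key size, the sample plaintext and the absence of a PIN/login step are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class TsmAesCtrExample {  // hypothetical class name
    // Same settings as the page's configuration; the "--" prefix tells
    // SunPKCS11 that the argument is inline configuration, not a file path.
    static Provider loadProvider(String libraryPath) {
        String config = "--name = TSM\n"
                + "library = " + libraryPath + "\n"
                + "attributes(*,CKO_SECRET_KEY,CKK_AES) = {\n"
                + "  CKA_ENCRYPT = true\n"
                + "}";
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p);
        return p;
    }

    public static void main(String[] args) throws Exception {
        Provider tsm = loadProvider(args[0]);  // args[0]: path to the p11Tsm library file

        // Passing the provider explicitly keeps key generation on the token;
        // without it, JCA may select a software provider such as SunJCE.
        KeyGenerator kg = KeyGenerator.getInstance("AES", tsm);
        kg.init(256);  // assumed key size
        SecretKey key = kg.generateKey();
        // getEncoded() returns null when the token marks the key sensitive or non-extractable.
        System.out.println("raw key bytes exposed: " + (key.getEncoded() != null));

        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);  // fresh initial counter block for every message
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Cipher enc = Cipher.getInstance("AES/CTR/NoPadding", tsm);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        // Confirm which provider performed the operation; CTR output has the input's length.
        System.out.println("cipher provider: " + enc.getProvider().getName());
        System.out.println("length preserved: " + (ciphertext.length == plaintext.length));
    }
}
```

The configuration template only sets CKA_ENCRYPT, so a Cipher.DECRYPT_MODE call with this key may be rejected unless CKA_DECRYPT is also enabled in the attributes block.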

Further information

More info on integration with PKCS#11 is provided in our repositories.