On Fri, 2020-01-24 at 18:10 +0100, Emmanuel Deloget wrote:
> In my experience this is mostly true - the key word in that sentence
> being "mostly". The PKCS#11 spec is fairly big (
> ) and while it fully describes the interface between the
> cryptographic system and its user, it does very little to describe
> how it shall be used. That's where the experience comes in handy:
> different software packages use different workflows. So given a specific
> PKCS#11 engine, you may be able to have it work with (for example)
> OpenVPN, but not with wget (through the PKCS#11 engine for OpenSSL).
> This will only be true if the specific PKCS#11 engine you use for
> your device implements everything in the spec.
FWIW much of this *shouldn't* be true, at least for basic key storage
for TLS and similar purposes.
If you have a properly functioning PKCS#11 provider which is correctly
registered with p11-kit on a Linux system, then any application which
accepts certificates+keys in a PEM or PKCS#12 or similar file SHOULD
also accept a PKCS#11 URI as defined by RFC7512.
At least in Fedora, if you find an application for which that *isn't*
true, please file a bug and Cc me.
On other distributions, YMMV.
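As an added example, not code from this thread or from p11-kit: a small Python parser and matcher for the RFC 7512 PKCS#11 URI form the reply refers to. It shows what an application has to do with such a URI before handing it to a provider (split path and query components, percent-decode, treat `id` as bytes, reject duplicates and unknown object types) and how the path attributes select objects from a token. The inventory it matches against is constructed for the example and stands in for what a real provider would enumerate.

```python
"""RFC 7512 PKCS#11 URI parser and object matcher.

Added example for this thread, not code from the list or from p11-kit.
The SAMPLE_INVENTORY below is constructed; a real application would get
these attributes from the provider through p11-kit.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_to_bytes

# Attribute names RFC 7512 assigns to the path component (object selection) ...
PATH_ATTRS = frozenset({
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
})
# ... and to the query component (how to reach the token, not what to select).
QUERY_ATTRS = frozenset({"pin-source", "pin-value", "module-name", "module-path"})
OBJECT_TYPES = frozenset({"public", "private", "cert", "secret-key", "data"})

# A '%' not followed by two hex digits is not valid percent-encoding.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


class Pkcs11UriError(ValueError):
    """Raised for a syntactically or semantically invalid pkcs11: URI."""


@dataclass(frozen=True)
class Pkcs11Uri:
    path: dict   # attribute name -> str, except "id" -> bytes
    query: dict  # attribute name -> str


def _parse_component(text, sep, allowed, forbidden):
    """Split 'name=value<sep>name=value' into a dict, percent-decoding values."""
    attrs = {}
    if text == "":
        return attrs
    for item in text.split(sep):
        name, eq, raw = item.partition("=")  # values may themselves contain '='
        if not eq or name == "":
            raise Pkcs11UriError(f"malformed attribute {item!r}")
        if name in attrs:  # RFC 7512 allows each name at most once per component
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        if name in forbidden:
            raise Pkcs11UriError(f"attribute {name!r} belongs in the other component")
        if _BAD_PCT.search(raw):
            raise Pkcs11UriError(f"bad percent-encoding in {name!r}")
        # Names outside 'allowed' are vendor-specific attributes and are kept as-is.
        # 'id' is the CKA_ID byte string, so it is decoded to bytes, not text.
        attrs[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    return attrs


def parse_pkcs11_uri(uri):
    """Parse a pkcs11: URI into its path and query attributes, validating both."""
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError("scheme must be 'pkcs11:'")
    path_text, _, query_text = uri[len("pkcs11:"):].partition("?")
    path = _parse_component(path_text, ";", PATH_ATTRS, QUERY_ATTRS)
    query = _parse_component(query_text, "&", QUERY_ATTRS, PATH_ATTRS)
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise Pkcs11UriError(f"unknown object type {path['type']!r}")
    if "slot-id" in path and not path["slot-id"].isdigit():
        raise Pkcs11UriError("slot-id must be a decimal integer")
    return Pkcs11Uri(path, query)


def is_valid(uri):
    """Convenience predicate: True if the URI parses without error."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except Pkcs11UriError:
        return False


def has_inline_pin(uri):
    """True if the URI carries the PIN itself (pin-value), which then ends up
    wherever the URI does: shell history, process listings, config files, logs."""
    return "pin-value" in uri.query


def select_objects(uri, inventory):
    """Return inventory entries whose attributes equal every path attribute of
    the URI. Query attributes never take part in selection, and a bare
    'pkcs11:' (empty path) matches everything."""
    return [obj for obj in inventory
            if all(obj.get(name) == value for name, value in uri.path.items())]


# Constructed inventory standing in for what a provider would enumerate.
SAMPLE_INVENTORY = [
    {"token": "My Token", "object": "Sign Key", "type": "private", "id": b"\x00\x01"},
    {"token": "My Token", "object": "Sign Key", "type": "cert", "id": b"\x00\x01"},
    {"token": "Other Token", "object": "TLS Key", "type": "private", "id": b"\x02"},
]

if __name__ == "__main__":
    u = parse_pkcs11_uri(
        "pkcs11:token=My%20Token;object=Sign%20Key;type=private?pin-source=file:/etc/token.pin")
    print(u.path, u.query)
    print(select_objects(u, SAMPLE_INVENTORY))
```

The split between path and query is the security-relevant part: only path attributes choose which key is used, so a URI that differs from another only in its query (say, a different `module-path`) addresses the same object through a different library. Checking `has_inline_pin` before logging or storing a URI is the caveat a practitioner wants.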