



Taking OpenSSL into the PKCS#11 world and vice versa
OpenSSL never directly supported accessing hardware modules through PKCS#11. Over the years, the community created various engines for this task, but access only became more streamlined with the OpenSSL 3 Store API and provider integration, which is when we started working on the pkcs11-provider project [1]. But we did not stop there. From the pkcs11-provider side, we brought the SKEY API to OpenSSL 3.5. We also implemented a new software PKCS#11 module, kryoptic [2] (using OpenSSL), which closes the circle: we can now also use OpenSSL as a PKCS#11 module. In this presentation, I would like to talk about the recent development of the PKCS#11 standard, about the development of pkcs11-provider, and about how kryoptic works and what problems it solved for us.

[1] https://github.com/latchset/pkcs11-provider
[2] https://github.com/latchset/kryoptic/