Keychain Pkcs11 Versions

A shared library that implements a PKCS#11 interface to the Apple Security framework


2 years ago

Greetings! I am pleased to announce the 1.0 release of Keychain-PKCS11!

This release includes the following changes since the last release:

  • The Installer now includes support for Apple Silicon! The keychain-pkcs11.dylib is now built as a multi-architecture library and the same library should work on x86_64 or amd64.
  • Support for the CKM_RSA_X_509 PKCS#11 mechanism (decrypt only)
  • Minor bug fixes

This release has been tested primarily on Catalina and Big Sur, but should work on all versions of MacOS X from High Sierra onwards.

Feedback is always welcome. Please contact the author at [email protected]


2 years ago

Greetings! After a long time I have finally had the opportunity to come out with a new release of Keychain-PKCS11!

Major changes in this release include:

  • A proper installer! Keychain-PKCS11 is now distributed as a product archive which should provide a better end user experience.
  • The Installer package is signed and notarized! The Installer package should open under any MacOS system without any workarounds or extra steps. In addition, the keychain-pkcs11.dylib has been code-signed so there should be no issues with Gatekeeper causing warnings on Catalina.
  • Proper support for multiple hardware tokens. Keychain-PKCS11 now puts each hardware token in a different PKCS#11 slot like other PKCS#11 libraries.
  • Better support for token insertion/removal events. Keychain-PKCS11 now uses the TKToken watcher interface to receive token insertion and removal events, so tokens should be made available to the applications immediately upon insertion.
  • Expanded crypto support. Keychain-PKCS11 now supports the OAEP and PSS mechanisms in addition to the basic PKCS#1 RSA v1.5 mechanism.
  • Keychain-PKCS11 now supports multipart signing and signature verification (C_SignUpdate & C_VerifyUpdate).

A caution for Catalina users: If the application you are using with Keychain-PKCS11 is running under the hardened runtime environment, it must have the entitlement to access smartcard tokens. Most popular applications (such as Firefox) already do this.

Feedback is always welcome. Please contact the author at [email protected]
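
A check for the Catalina caution in the release note above, as an added example that is not part of Keychain-PKCS11 or its release notes: given the text printed by `codesign -dv` and the entitlements plist printed by `codesign -d --entitlements :-` for an application, it reports whether the hardened runtime is enabled and whether the smart card entitlement is present. The entitlement key `com.apple.security.smartcard` and the runtime flag value are Apple's and are not named on this page; the function names and sample inputs are constructed for illustration.

```python
import plistlib
import re

SMARTCARD_ENTITLEMENT = "com.apple.security.smartcard"  # Apple's smart card entitlement
CS_RUNTIME = 0x10000  # hardened-runtime bit in the code signature flags


def hardened_runtime_enabled(codesign_dv: str) -> bool:
    """Read the flags=0x... field that `codesign -dv` prints for the CodeDirectory."""
    m = re.search(r"\bflags=0x([0-9a-fA-F]+)", codesign_dv)
    return bool(m and int(m.group(1), 16) & CS_RUNTIME)


def smartcard_access(codesign_dv: str, entitlements_xml: bytes) -> str:
    """Apply the release note's rule: hardened runtime requires the entitlement."""
    if not hardened_runtime_enabled(codesign_dv):
        return "not-required"
    # A binary signed without entitlements yields no plist; treat that as empty.
    ents = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    return "granted" if ents.get(SMARTCARD_ENTITLEMENT) is True else "missing"


# Constructed sample inputs (not captured from any real application).
DV_HARDENED = (
    "Identifier=org.example.app\n"
    "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded\n"
)
DV_PLAIN = DV_HARDENED.replace("flags=0x10000(runtime)", "flags=0x0(none)")
ENT_WITH = plistlib.dumps({SMARTCARD_ENTITLEMENT: True})
ENT_WITHOUT = plistlib.dumps({"com.apple.security.cs.allow-jit": True})

if __name__ == "__main__":
    for name, dv, ent in [
        ("hardened + entitlement", DV_HARDENED, ENT_WITH),
        ("hardened, no smart card entitlement", DV_HARDENED, ENT_WITHOUT),
        ("hardened, no entitlements at all", DV_HARDENED, b""),
        ("no hardened runtime", DV_PLAIN, ENT_WITHOUT),
    ]:
        print(f"{name}: {smartcard_access(dv, ent)}")
```

A result of "missing" identifies an application that, per the caution above, will not be able to reach the tokens through the library. App Sandbox restrictions are outside what this check considers.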


4 years ago

Greetings! This is the first public release of Keychain-PKCS11. It is not perfect, but I believe it is functional. We have a number of users locally and they have not reported problems, so I feel comfortable deploying this to a wider audience.

We have specifically tested this library with Firefox, MIT Kerberos, and various versions of Adobe Acrobat. Some preliminary testing has been done with Thunderbird but nothing extensive yet.

Please send any feedback to the author at [email protected]