The pkcs11 interface

The pkcs11 interface enables a snap to use the PKCS#11 Cryptographic Token Interface Standard by giving it access to cryptographic tokens exposed through a p11-kit server socket.

The slot is usually declared in a gadget snap and provides access to a specific daemon socket. It is declared in the following manner:

slots:
  pkcs11-optee-slot-0:
    interface: pkcs11
    pkcs11-socket: /run/p11-kit/pkcs11-optee-slot-0

While the plug is declared in the usual way:

plugs:
  pkcs11-access:
    interface: pkcs11

This interface is restricted because it gives privileged access to potentially sensitive cryptographic token operations.

Interface documentation:

See Interface management and Supported interfaces for further details on how interfaces are used.


Developer details

Auto-connect: no
Super-privileged: yes

Attributes:

  • pkcs11-socket (slot): defines the path to the p11-kit server socket exposed by the slot. The path must start with /run/p11-kit/.
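The path constraint above is the one check a slot author can get wrong. The following is an added example, not snapd's own validation code: it models the documented rule (the path must start with /run/p11-kit/) and additionally assumes the path has to be absolute and already normalised, so that traversal segments or a bare directory cannot slip past the prefix test.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Directory the page requires for the pkcs11-socket slot attribute.
const pkcs11SocketDir = "/run/p11-kit/"

// ValidatePKCS11Socket returns nil when p is an acceptable value for the
// pkcs11-socket attribute. The absolute-path and clean-path checks are
// assumptions of this example, not rules quoted from the page.
func ValidatePKCS11Socket(p string) error {
	if p == "" {
		return errors.New("pkcs11-socket attribute must not be empty")
	}
	if !filepath.IsAbs(p) {
		return fmt.Errorf("pkcs11-socket %q must be an absolute path", p)
	}
	// Reject anything that normalisation would rewrite: "..", "//", or a
	// trailing "/" (which would make "/run/p11-kit/" itself pass the prefix test).
	if filepath.Clean(p) != p {
		return fmt.Errorf("pkcs11-socket %q is not a normalised path", p)
	}
	if !strings.HasPrefix(p, pkcs11SocketDir) {
		return fmt.Errorf("pkcs11-socket %q must start with %s", p, pkcs11SocketDir)
	}
	return nil
}

func main() {
	// Constructed sample values: the slot from the page plus some malformed ones.
	for _, p := range []string{
		"/run/p11-kit/pkcs11-optee-slot-0",
		"/run/p11-kit/",
		"/run/p11-kit/../other/sock",
		"/run/p11-kit-evil/sock",
		"run/p11-kit/sock",
	} {
		fmt.Printf("%-36s -> %v\n", p, ValidatePKCS11Socket(p))
	}
}
```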

Code examples

The test code can be found in the snapd repository:
snapd/interfaces/builtin/pkcs11_test.go at master · canonical/snapd · GitHub

The source code for the interface is in the snapd repository:
snapd/interfaces/builtin/pkcs11.go at master · canonical/snapd · GitHub

