{"id":50398922,"url":"https://github.com/codestation/peru-dnie-pkcs11","last_synced_at":"2026-05-30T22:02:23.898Z","repository":{"id":357992568,"uuid":"1239447608","full_name":"codestation/peru-dnie-pkcs11","owner":"codestation","description":"PKCS#11 module for signing PDF documents using a Peruvian DNI","archived":false,"fork":false,"pushed_at":"2026-05-15T05:36:52.000Z","size":42,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-15T07:38:16.817Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codestation.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-15T05:22:07.000Z","updated_at":"2026-05-15T05:36:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/codestation/peru-dnie-pkcs11","commit_stats":null,"previous_names":["codestation/peru-dnie-pkcs11"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/codestation/peru-dnie-pkcs11","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codestation%2Fperu-dnie-pkcs11","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codestation%2Fperu-dnie-pkcs11/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codestation%2Fperu-dnie-pkcs11/releases","manifests_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codestation%2Fperu-dnie-pkcs11/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codestation","download_url":"https://codeload.github.com/codestation/peru-dnie-pkcs11/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codestation%2Fperu-dnie-pkcs11/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33711018,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-30T22:02:23.015Z","updated_at":"2026-05-30T22:02:23.886Z","avatar_url":"https://github.com/codestation.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Peru DNIe PKCS#11\n\n`peru-dnie-pkcs11` is a Rust PKCS#11 module for signing PDF documents with the\nPeruvian electronic identity card (DNIe). It exposes the DNIe signing\ncertificate and performs card-bound RSA signatures through PC/SC.\n\n## Legal / Compliance Notice\n\nThis project is an independent open-source implementation. 
It is not affiliated\nwith RENIEC and is not an official RENIEC project, product, or release.\n\nThe module targets PKCS#11 v2.40 and builds a shared object:\n\n```text\ntarget/release/libperu_dnie_pkcs11.so\n```\n\n## What It Does\n\n- Detects Peruvian DNIe cards through known ATRs and application-selection\n  probes.\n- Supports DNIe 1.0, DNIe 2.0, and DNIe 3.0.\n- Exposes the signing certificate, optional issuer certificates, and a\n  non-extractable private key object.\n- Supports the PKCS#11 operations required by PDF signing clients: slot and\n  token discovery, sessions, login/logout, object enumeration and attributes,\n  mechanism discovery, and signing.\n- Performs signatures on the card. It does not fake signatures in software.\n\nUnsupported PKCS#11 operations return `CKR_FUNCTION_NOT_SUPPORTED`.\n\n## Tested Applications\n\nThe module has been tested with:\n\n- Okular\n- LibreOffice Draw\n- `pdfsig`\n- `pyHanko`\n\n## PACE/CAN Secure Messaging\n\nPACE using the CAN code is optional. When no CAN is configured, the current\nsigning flow continues to use plaintext card communication. When a CAN is\nconfigured, the module establishes PACE during card open and protects subsequent\nAPDUs with secure messaging. 
If PACE fails, card open fails instead of falling\nback to plaintext.\n\n## Requirements\n\n- Rust 1.85 or newer\n- PC/SC runtime and development headers\n- OpenSSL development headers\n- A Peruvian DNIe card and compatible reader\n- Optional: OpenSC tools for `pkcs11-tool` smoke tests\n\nOn Debian or Ubuntu:\n\n```sh\nsudo apt-get update\nsudo apt-get install -y build-essential pkg-config libpcsclite-dev libssl-dev opensc\n```\n\nOn Arch Linux:\n\n```sh\nsudo pacman -S --needed base-devel rust pkgconf pcsclite openssl opensc\nsudo systemctl enable --now pcscd.service\n```\n\n## Build\n\n```sh\ncargo build --release\n```\n\nThe PKCS#11 module will be written to:\n\n```text\ntarget/release/libperu_dnie_pkcs11.so\n```\n\n## Basic Usage\n\nList slots:\n\n```sh\npkcs11-tool --module ./target/release/libperu_dnie_pkcs11.so -L\n```\n\nList visible objects:\n\n```sh\npkcs11-tool --module ./target/release/libperu_dnie_pkcs11.so -O\n```\n\nPDF signing clients should be configured to load\n`target/release/libperu_dnie_pkcs11.so` as a PKCS#11 provider.\n\n## Certificate Chain Configuration\n\nThe leaf signing certificate is loaded lazily when objects are enumerated,\nattributes are requested, or signing needs it. Intermediate issuer certificates\nare loaded when certificate objects are listed so PDF signing clients can embed\nthe certificate chain in signed PDFs. Initialization does not perform AIA network\naccess.\n\nSigning requires at least one issuer certificate. Configure issuer certificates\nmanually with `PERU_DNIE_CERT_CHAIN`:\n\n```sh\nexport PERU_DNIE_CERT_CHAIN=/path/intermediate.cer:/path/root.cer\n```\n\nWhen `PERU_DNIE_CERT_CHAIN` is set and non-empty, only those files are used. AIA\ndownload and cache lookup are skipped.\n\nWhen `PERU_DNIE_CERT_CHAIN` is not set, issuer URLs are discovered from the\ncertificate AIA extension. 
Downloaded certificates are cached under:\n\n```text\n$XDG_CACHE_HOME/peru-dnie-pkcs11\n```\n\nor, when `XDG_CACHE_HOME` is not set:\n\n```text\n~/.cache/peru-dnie-pkcs11\n```\n\nSet `PERU_DNIE_AIA_CACHE=0` to ignore the cache. The module will still download\nAIA certificates, but it will not read or write cached files.\n\n## CAN Configuration\n\nTo enable PACE secure messaging, provide the CAN with `PERU_DNIE_CAN`:\n\n```sh\nexport PERU_DNIE_CAN=123456\n```\n\nAlternatively, set `can = \"123456\"` in\n`~/.config/peru-dnie-pkcs11/config.toml`. The environment variable takes\nprecedence. Do not enable this unless the CAN belongs to the card being used;\nan invalid CAN causes `C_Initialize`/card open paths to fail when the card is\nopened.\n\n## Logging\n\nLogging is disabled by default. Logs are written to stderr.\n\n```sh\nexport PERU_DNIE_LOG=none\nexport PERU_DNIE_LOG=error\nexport PERU_DNIE_LOG=warn\nexport PERU_DNIE_LOG=info\nexport PERU_DNIE_LOG=debug\nexport PERU_DNIE_LOG=trace\n```\n\n`PERU_DNIE_DEBUG=1` or `PERU_DNIE_DEBUG=true` enables debug logging.\n\nLogs are intended for integration troubleshooting. They must never contain PINs,\nCAN codes, secure messaging keys, private keys, private key material, sensitive\nAPDU payloads, or personally identifying data read from the DNI.\n\nWhen logging is enabled, `C_Initialize` prints startup metadata: package name,\npackage version, Git commit id, Git commit date, and whether the build was made\nfrom a clean worktree.\n\nExample:\n\n```sh\nPERU_DNIE_LOG=debug pkcs11-tool --module ./target/release/libperu_dnie_pkcs11.so -O\n```\n\n## Testing\n\nRun the CI-equivalent local checks:\n\n```sh\ncargo fmt --check\ncargo clippy --all-targets --all-features -- -D warnings\ncargo test --all-features\ncargo build --release\n```\n\nHardware-independent tests run with `cargo test`. 
PC/SC smoke tests require a\ncard and reader:\n\n```sh\npkcs11-tool --module ./target/release/libperu_dnie_pkcs11.so -L\npkcs11-tool --module ./target/release/libperu_dnie_pkcs11.so -O\n```\n\nIf a PC/SC command reports `SCardEstablishContext failed` in a sandboxed\nenvironment, rerun it with direct host access to PC/SC.\n\n## Security Considerations\n\n- The private key remains non-extractable and card-bound.\n- The module does not invent signing APDUs or emulate signatures.\n- PINs, CAN codes, secure messaging keys, private keys, private key material,\n  and sensitive APDU payloads must not be logged.\n- Certificate listing must not fail only because issuer certificates are\n  missing.\n- Signing fails if no issuer certificate can be loaded.\n- PACE/CAN is optional for the current signing flow. When configured, it must\n  succeed before the module sends protected card commands.\n\n## Troubleshooting\n\n- `CKR_TOKEN_NOT_PRESENT`: confirm the reader is visible through PC/SC and the\n  DNIe is inserted.\n- `CKR_PIN_INCORRECT`: verify the PIN with the card issuer tools before retrying.\n- Signing fails after certificate listing works: configure `PERU_DNIE_CERT_CHAIN`\n  or allow AIA download so an issuer certificate can be loaded.\n- AIA download fails: check network access, proxy/firewall rules, and whether\n  manual `PERU_DNIE_CERT_CHAIN` configuration is more appropriate.\n- Client does not show the private key: login may be required before the key is\n  visible to that application.\n\n## Project Status\n\nThis project is early public open-source software. 
It has practical coverage for\nDNIe 1.0, 2.0, and 3.0 PDF signing workflows, but PKCS#11 support is intentionally\nlimited to the operations needed by tested PDF clients.\n\n## License\n\nLicensed under either of:\n\n- MIT license\n- Apache License, Version 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodestation%2Fperu-dnie-pkcs11","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodestation%2Fperu-dnie-pkcs11","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodestation%2Fperu-dnie-pkcs11/lists"}
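The README above describes several configuration rules with precedence: `PERU_DNIE_CERT_CHAIN` disables AIA and cache lookup when set and non-empty, `PERU_DNIE_AIA_CACHE=0` disables the `$XDG_CACHE_HOME`/`~/.cache` cache, `PERU_DNIE_CAN` overrides `can = "..."` in `config.toml`, and `PERU_DNIE_DEBUG=1|true` enables debug logging while the CAN must never appear in logs. The following Rust program is an added example written for this page, not code from the `peru-dnie-pkcs11` project: it models that precedence with the environment and config file passed in as plain values so it runs offline without a card. Assumptions not stated on the page: the `config.toml` reader here only extracts the `can` key (the real module presumably uses a TOML parser), an explicit `PERU_DNIE_LOG` is taken to win over `PERU_DNIE_DEBUG`, and `~` is resolved from `HOME`.

```rust
// Added example for the peru-dnie-pkcs11 README; not the project's own code.
use std::collections::HashMap;
use std::fmt;
use std::path::PathBuf;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LogLevel { None, Error, Warn, Info, Debug, Trace }

impl LogLevel {
    fn parse(s: &str) -> Option<LogLevel> {
        match s.trim().to_ascii_lowercase().as_str() {
            "none" => Some(LogLevel::None),
            "error" => Some(LogLevel::Error),
            "warn" => Some(LogLevel::Warn),
            "info" => Some(LogLevel::Info),
            "debug" => Some(LogLevel::Debug),
            "trace" => Some(LogLevel::Trace),
            _ => None,
        }
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum IssuerSource {
    /// PERU_DNIE_CERT_CHAIN was set and non-empty: only these files are used.
    Manual(Vec<PathBuf>),
    /// Issuers come from the AIA extension; cache_dir is None when
    /// PERU_DNIE_AIA_CACHE=0 disables reading and writing the cache.
    Aia { cache_dir: Option<PathBuf> },
}

#[derive(Clone, PartialEq, Eq)]
pub struct Config {
    pub issuers: IssuerSource,
    pub can: Option<String>,
    pub log_level: LogLevel,
}

// Hand-written Debug so a `{:?}` of the config never leaks the CAN,
// matching the README rule that CAN codes must not be logged.
impl fmt::Debug for Config {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Config")
            .field("issuers", &self.issuers)
            .field("can", &self.can.as_ref().map(|_| "<redacted>"))
            .field("log_level", &self.log_level)
            .finish()
    }
}

/// Assumption: simplified reader that only handles `can = "..."` lines,
/// so the example needs no TOML crate.
fn can_from_config(toml_text: &str) -> Option<String> {
    toml_text.lines().find_map(|line| {
        let rest = line.trim().strip_prefix("can")?.trim_start().strip_prefix('=')?;
        let rest = rest.trim().strip_prefix('"')?;
        let end = rest.find('"')?;
        Some(rest[..end].to_string())
    })
}

/// Resolve the effective configuration from an environment map and the
/// optional contents of ~/.config/peru-dnie-pkcs11/config.toml.
pub fn resolve(env: &HashMap<String, String>, config_toml: Option<&str>) -> Config {
    let get = |k: &str| env.get(k).map(|s| s.as_str());

    // Manual chain wins and skips AIA download and cache lookup entirely.
    let issuers = match get("PERU_DNIE_CERT_CHAIN").filter(|v| !v.is_empty()) {
        Some(chain) => IssuerSource::Manual(
            chain.split(':').filter(|p| !p.is_empty()).map(PathBuf::from).collect(),
        ),
        None => {
            let cache_dir = if get("PERU_DNIE_AIA_CACHE") == Some("0") {
                None
            } else {
                get("XDG_CACHE_HOME").filter(|v| !v.is_empty()).map(PathBuf::from)
                    .or_else(|| get("HOME").map(|h| PathBuf::from(h).join(".cache")))
                    .map(|base| base.join("peru-dnie-pkcs11"))
            };
            IssuerSource::Aia { cache_dir }
        }
    };

    // CAN: the environment variable takes precedence over config.toml.
    let can = get("PERU_DNIE_CAN").filter(|v| !v.is_empty()).map(str::to_string)
        .or_else(|| config_toml.and_then(can_from_config));

    // Logging is off by default; PERU_DNIE_DEBUG=1|true enables debug.
    // Assumption: an explicit PERU_DNIE_LOG level wins over PERU_DNIE_DEBUG.
    let log_level = get("PERU_DNIE_LOG").and_then(LogLevel::parse)
        .or_else(|| match get("PERU_DNIE_DEBUG") {
            Some("1") | Some("true") => Some(LogLevel::Debug),
            _ => None,
        })
        .unwrap_or(LogLevel::None);

    Config { issuers, can, log_level }
}

fn main() {
    // Constructed sample environment; no real card, file or process state is read.
    let mut env = HashMap::new();
    env.insert("HOME".to_string(), "/home/alice".to_string());
    env.insert("PERU_DNIE_CAN".to_string(), "654321".to_string());
    env.insert("PERU_DNIE_DEBUG".to_string(), "1".to_string());
    let cfg = resolve(&env, Some("can = \"123456\"\n"));
    println!("{cfg:?}"); // the CAN is shown as <redacted>
}
```

The redacting `Debug` impl is the part worth copying into any wrapper around this module: the README's logging rule is only enforceable if the type holding the CAN cannot be printed by accident.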