{"id":45949787,"url":"https://github.com/opencryptoki/opencryptoki","last_synced_at":"2026-02-28T12:02:29.314Z","repository":{"id":21270745,"uuid":"92066127","full_name":"opencryptoki/opencryptoki","owner":"opencryptoki","description":"PKCS#11 library and tools for Linux and AIX. Includes tokens supporting IBM crypto hardware as well as a software token.","archived":false,"fork":false,"pushed_at":"2026-02-16T10:43:04.000Z","size":15644,"stargazers_count":150,"open_issues_count":8,"forks_count":61,"subscribers_count":9,"default_branch":"master","last_synced_at":"2026-02-16T19:09:14.994Z","etag":null,"topics":["aix","c","crypto","hsm","linux","pkcs11"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opencryptoki.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":"CONTRIBUTING.md","funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-05-22T14:59:02.000Z","updated_at":"2026-02-16T10:43:08.000Z","dependencies_parsed_at":"2023-11-20T10:33:48.755Z","dependency_job_id":"faacac18-a938-4dcd-9881-aad1ab39808b","html_url":"https://github.com/opencryptoki/opencryptoki","commit_stats":null,"previous_names":[],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/opencryptoki/opencryptoki","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencryptoki%2Fopencryptoki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencryptoki%2Fopencryptoki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencryptoki%2Fopencryptoki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencryptoki%2Fopencryptoki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opencryptoki","download_url":"https://codeload.github.com/opencryptoki/opencryptoki/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencryptoki%2Fopencryptoki/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29933021,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T09:58:13.507Z","status":"ssl_error","status_checked_at":"2026-02-28T09:57:57.047Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aix","c","crypto","hsm","linux","pkcs11"],"created_at":"2026-02-28T12:02:27.377Z","updated_at":"2026-02-28T12:02:29.301Z","avatar_url":"https://github.com/opencryptoki.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://app.travis-ci.com/opencryptoki/opencryptoki.svg?branch=master)](https://app.travis-ci.com/opencryptoki/opencryptoki)\n[![Coverity Scan Build Status](https://img.shields.io/coverity/scan/16802.svg?branch=master)](https://scan.coverity.com/projects/opencryptoki-opencryptoki)\n\n# openCryptoki\n\nPackage version 3.26\n\nPlease see [ChangeLog](ChangeLog) for release specific information.\n\n## OVERVIEW\n\nopenCryptoki version 3.26 implements the PKCS#11 specification version 3.0\nand partially version 3.1.\n\nThis package includes several cryptographic tokens:\nCCA, ICA, TPM, SWToken, ICSF and EP11.\n\nFor a more in-depth overview of openCryptoki, please refer to manual\n[openCryptoki - An Open Source Implementation of PKCS #11](https://www.ibm.com/docs/en/linux-on-systems?topic=support-opencryptoki-open-source-pkcs-11)\n\n**Note:** The TPM token is deprecated, because it supports only TPM version 1.2.\nDoes not work with TPM version 2.0. We plan to remove the TPM token in a future \nopenCryptoki release or version.\n\nAIX only supports the CCA and software tokens, and both are enabled in a\ndefault build configuration. Other tokens are unsupported and cannot be\nforce-enabled, even through the `configure` utility.\n\n## REQUIREMENTS:\n\n### Common\nBuilding opencryptoki needs the following utilities.\n- flex\n- bison\n- make\n- autoconf\n- automake\n- pkg-config\n- libtool\n- m4\n- openldap-devel\n- openssl-devel\n- libcap-devel (Linux-only)\n- systemd-devel (Linux-only)\n\nThese libraries are usually provided by your platform's package management\nutilities. On AIX, they must be installed from the AIX Toolbox repositories.\n\n### Tokens\n- IBM ICA - requires libica library version 3.3.0 or higher for accessing ICA\nhardware crypto on IBM zSeries.\n\n- IBM CCA - requires the CCA host library with version 7.1 or higher, and IBM\nCrypto CEX3C card (or higher) on Linux for IBM Z. On AIX, Linux on x64, and\nLinux on Power only the IBM CEX7S (4769) crypto card is supported. On all\nplatforms, this token needs the `lber` library, which is usually part of the\n`openldap` package.\n\n- TPM (**deprecated**) - requires a TPM, TPM tools, and TCG software stack.\nSupports TPM version 1.2 only. \n\n- SWToken - The software token uses OpenSSL version 1.1.1 or higher. This token\nneeds the `lber` library, which is usually part of openldap.\n\n- ICSF    - The Integrated Cryptographic Service Facility (ICSF) token requires\nopenldap and openldap client software version 2.4.23 or higher. Lex and Yacc are\nalso required to build this token.\n\n- EP11    - The EP11 token is a token that uses the IBM Crypto Express adapters\n(starting with Crypto Express 4S adapters) configured with Enterprise PKCS#11\n(EP11) firmware.\n\n\n\n## BUILD PROCESS\n\n**Note:** Building opencryptoki on AIX is only supported on AIX 7.2 and above.\nAttempts to build on older AIX releases will fail due to missing APIs.\n\nThe simplest way to compile this package is to enter the source code main\ndirectory and do the following:\n\n1. Run the bootstrap.sh script by typing:\n\n```\n    $ ./bootstrap.sh\n```\n\n**Note:** This package used the `AX_PROG_CC_FOR_BUILD` autoconf macro\nfrom the autoconf archive to support cross compiler builds.\nIf your system does not provide this macro, you might need to install the\n`autoconf-archive` package or download the macro and place it into the\n`m4` directory. See [here](https://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html)\nfor a link to the latest version of `ax_prog_cc_for_build.m4`.\n\n\n2. Configure the source code by typing:\n\n```\n    $ ./configure\n```\n\n   If you're planning to install the package into your home directory or to a\n   location other than `/usr/local` then add the flag `--prefix=PATH` to\n   `configure`. Fox example, if your home directory is `/home/luser` you can\n   configure the package to install itself there by invoking:\n\n```\n    $ ./configure --prefix=/home/luser\n```\n\nIf your stdll headers and libraries are not under any standard path, you will\nneed to pass the paths to your files to the configure script.\n**Note:** When compiling on AIX, `CFLAGS` and `LDFLAGS` must be set to the\ncorrect paths where it can find openldap libraries and header files correctly.\n\nIf using the `openldap-devel` package from the [AIX Toolbox](https://www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha#O),\nthen `CFLAGS` and `LDFLAGS` must be set to `-I/opt/freeware/include` and\n`-L/opt/freeware/lib`, respectively, before or with the `./configure`\ninvocation. For instance,\n\n```bash\n    $ CPPFLAGS=\"-L/path/lib\" LDFLAGS=\"-I/path/include\" ./configure\n```\n\nSee `./configure --help` for info on various options. The default behavior is\nto build all tokens that have their prerequisites met. The ICA and EP11 tokens\ncan only be built on s390x, since that is the only platform that fulfils the\nprerequisites. On AIX, only the CCA and software tokens can be built. Other\ntokens may be enabled using the corresponding `--enable-\u003ctok\u003e` configuration\noption, provided the appropriate libraries are available and the token is\nsupported on the platform you are compiling.\n\nWhile running, `configure` prints some messages telling which features is it\nchecking for.\n\n**Note**: On AIX, if you wish to run `make distcheck`, the environment variable `DISTCHECK_CONFIGURE_FLAGS` to include the appropriate values for `CFLAGS` and `CXXFLAGS`\n\n3. Compile the package by typing:\n\n```\n    $ make\n```\n   **Note:** Do not specify `prefix=/foo/bar`, `libdir=/foo/bar` with\n   the `make` invocation. Specify them with `configure` instead. Specifying\n   them with `make` is not supported by the openCryptoki package and may\n   produce unexpected results!\n\n4. openCryptoki defaults to be usable by anyone who is in the group ``pkcs11``.\nAdd the pkcs11 group before installing it, by typing as root the command:\n\n```\n    # groupadd pkcs11\n```\n\n   In addition, add the necessary user to the pkcs11 group (root doesn't need to\n   be in pkcs11 group):\n\n```\n    # usermod -a -G pkcs11 \u003cuser\u003e\n```\n\n5. Type `make install` (as root) to install the programs and any data files and\ndocumentation.  During installation, the following files go to the following\ndirectories:\n\n```\n    ${prefix}/sbin/pkcsconf\n    ${prefix}/sbin/pkcsslotd\n    ${prefix}/sbin/pkcsicsf\n    ${prefix}/libdir/libopencryptoki.so\n    ${prefix}/libdir/libopencryptoki.so.0\n    ${prefix}/libdir/opencryptoki/libopencryptoki.so\n    ${prefix}/libdir/opencryptoki/libopencryptoki.so.0\n    ${prefix}/libdir/opencryptoki/libopencryptoki.so.0.0.0\n    ${prefix}/var/lib/opencryptoki\n    ${prefix}/etc/opencryptoki/opencryptoki.conf\n```\n\n   Token objects, which may be optionally built, go to the following locations:\n\n```\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_cca.so\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_cca.so.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_cca.so.0.0.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_ep11.so\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_ep11.so.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_ep11.so.0.0.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_ica.so\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_ica.so.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_ica.so.0.0.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_icsf.so\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_icsf.so.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_icsf.so.0.0.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_sw.so\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_sw.so.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_sw.so.0.0.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_tpm.so\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0\n    ${prefix}/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0.0.0\n```\n\n   where `prefix` is either `/usr/local` or the PATH that you specified in the\n   `--prefix` flag. `libdir` is the name of the library directory, for 32-bit\n   libraries it is usually `lib` and for 64-bit libraries it is usually `lib64`.\n\n   To maintain backwards compatibility, some additional symlinks are generated\n   (note that these are deprecated and applications should migrate to use the\n   LSB-compliant names and locations for libraries and executable):\n\n```\n    ${prefix}/lib/opencryptoki/PKCS11_API.so\n    - Symlink to ${prefix}/lib/opencryptoki/libopencryptoki.so\n\n    ${prefix}/lib/opencryptoki/stdll/PKCS11_CCA.so\n    - Symlink to ${prefix}/lib/opencryptoki/stdll/libpkcs11_cca.so\n\n    ${prefix}/lib/opencryptoki/stdll/PKCS11_EP11.so\n    - Symlink to ${prefix}/lib/opencryptoki/stdll/libpkcs11_ep11.so\n\n    ${prefix}/lib/opencryptoki/stdll/PKCS11_ICA.so\n    - Symlink to ${prefix}/lib/opencryptoki/stdll/libpkcs11_ica.so\n\n    ${prefix}/lib/opencryptoki/stdll/PKCS11_ICSF.so\n    - Symlink to ${prefix}/lib/opencryptoki/stdll/libpkcs11_icsf.so\n\n    ${prefix}/lib/opencryptoki/stdll/PKCS11_SW.so\n    - Symlink to ${prefix}/lib/opencryptoki/stdll/libpkcs11_sw.so\n\n    ${prefix}/lib/pkcs11/PKCS11_API.so\n    - Symlink to ${prefix}/lib/opencryptoki/libopencryptoki.so\n\n    ${prefix}/lib/pkcs11\n    - Directory created if non-existent\n\n    ${prefix}/lib/pkcs11/methods\n    - Symlink to ${prefix}/sbin\n\n    ${prefix}/lib/pkcs11/stdll\n    - Symlink to ${prefix}/lib/opencryptoki/stdll\n\n    ${prefix}/etc/pkcs11\n    - Symlink to ${prefix}/var/lib/opencryptoki\n```\n\n   If any of these directories do not presently exist, they will be created on\n   demand. Note that if `prefix` is `/usr`, then `${prefix}/var` and `${prefix}/etc`\n   resolve to `/var` and `/etc`. On the `make install` stage, if content exists\n   in the old `${prefix}/etc/pkcs11` directory, it will be migrated to the new\n   '${prefix}/var/lib/opencryptoki` location.\n\n   If you are installing in your home directory make sure that `/home/luser/bin`\n   is in your path.  If you're using the bash shell add this line at the end of\n   your `.bashrc` file:\n\n```\n    PATH=\"/home/luser/bin:${PATH}\"\n    export PATH\n```\n\n   If you are using csh or tcsh, then use this line instead:\n\n```\n    setenv PATH /home/luser/bin:${PATH}\n```\n\n   By prepending your home directory to the rest of the PATH you can override\n   systemwide installed software with your own custom installation.\n\n   For more installation information, please check [INSTALL](INSTALL).\n\n## CONFIGURATION\n\nSee:\nhttps://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.lxce/lxce_stackoverview.html\n\nPrior to version 3, openCryptoki used `pk_config_data` as its configuration\nfile. This file was created upon running `pkcs11_startup`. In version 3,\n`pkcs11_startup` and `pk_config_data` have been removed and replaced with a\ncustomizable config file named, `opencryptoki.conf`. It contains an entry for\neach token currently supported by openCryptoki. However, only those token, whose\nhardware and software requirements are available on the local system, will show\nup as present and available upon running the `pkcsconf -t` command.\n\nBefore using, each token must be first initialized. You can select the token\nwith the `-c` command line option; refer to the documentation linked to above\nfor further instructions.\n\nInitialize a particular token by running `pkcsconf`:\n\n```\n    $ pkcsconf -I -c\n```\n\nIn this version of openCryptoki, the default SO PIN is `87654321`. This should\nbe changed to a different PIN value before use.\n\nYou can change the SO PIN by running pkcsconf:\n\n```\n    $ pkcsconf -P -c\n```\n\nYou can initialize and change the user PIN by typing:\n\n```\n    $ pkcsconf -u -c\n```\n\nYou can later change the user PIN again by typing:\n\n```\n    $ pkcsconf -p -c\n```\n\n## CONTRIBUTING\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencryptoki%2Fopencryptoki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopencryptoki%2Fopencryptoki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencryptoki%2Fopencryptoki/lists"}