Eclipse Keybridge Creation Review

Type: Creation
State: Pending
End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Proposal

Eclipse Keybridge

Tuesday, May 5, 2026 - 05:25 by nicolas mpprojects
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community. Please log in and add your feedback in the comments section.
Parent Project
Proposal State: Community Review
Background

Modern applications often need to use cryptographic keys that are stored in hardware-backed, centrally managed, or otherwise non-exportable environments. These environments include hardware security modules, smart cards, cryptographic tokens, trusted platform modules through suitable providers, and key management systems.

PKCS #11, also known as Cryptoki, defines a platform-independent API for cryptographic tokens such as hardware security modules and smart cards. OASIS publishes PKCS #11 specifications and associated header files, but Go developers still need idiomatic Go libraries that expose these capabilities through Go’s standard cryptographic interfaces.

The initial contribution to Eclipse Keybridge consists of existing Go projects that address this need: crypto11, which integrates PKCS #11-backed keys with Go’s crypto.Signer and crypto.Decrypter interfaces, and gose, which provides JOSE, JWT, JWK, JWS, and JWKS functionality for Go developers.

Scope

Eclipse Keybridge simplifies the integration of HSM-backed keys, PKCS #11 tokens, JOSE protocols, and future key-management technologies into Go applications through a set of idiomatic Go libraries.

Eclipse Keybridge provides Go libraries, examples, and supporting tools for cryptographic-token integration, protected-key usage, and cryptographic protocol support.

The project includes idiomatic Go APIs and helper libraries for integrating Go applications with external cryptographic standards and services, including PKCS #11, JOSE, and future key-management protocols such as KMIP. It also includes tests, examples, documentation, and interoperability support that help developers use protected keys safely and consistently from Go applications.

The project does not define new cryptographic standards, create new cryptographic algorithms, provide hardware firmware, or replace Go’s standard cryptography packages. Instead, it builds on Go’s standard interfaces and implements or integrates with existing standards and protocols.

Description

Eclipse Keybridge is a collection of Go libraries for applications that need to use protected cryptographic keys, cryptographic tokens, and standard cryptographic protocols.

The project provides Go developers with reusable building blocks for integrating hardware security modules, PKCS #11 devices, key-management systems, and JOSE-based application protocols into Go software. The libraries are designed to be idiomatic for Go developers, to work with standard Go cryptography interfaces where appropriate, and to provide clear examples for common use cases such as signing, decryption, token-backed keys, JWT handling, and JOSE object processing.

Eclipse Keybridge provides a vendor-neutral home for these libraries under Eclipse Foundation governance. The project is intended to encourage broader collaboration among users, maintainers, device vendors, cloud providers, and application developers who need interoperable cryptographic integrations in Go.

Future Work

Future work may include additional Go libraries and tools that fit the Keybridge scope, including:

  • pkcs11-go: idiomatic Go bindings or wrappers around PKCS #11 APIs and data types.
  • kmip-go: a Go client library for the OASIS Key Management Interoperability Protocol. KMIP specifies client-server communication for managing objects stored in key management systems, including cryptographic keys and certificates.
  • Interoperability tests for PKCS #11 devices, software tokens, and HSM-backed deployments.
  • Examples showing integration with Go TLS, X.509, JOSE/JWT, code-signing, document-signing, and application authentication workflows.
  • Security-focused documentation that explains safe usage patterns, limitations, and operational considerations for protected-key integrations.

Interested Parties

Thalesgroup is the creator and main maintainer of crypto11 and gose.

A couple of large companies, including web giants and social networks, use hardware security modules and Kubernetes, and they use these Golang libraries.

Initial Contribution

The crypto11 and gose projects exist under the github.com/ThalesGroup organisation and already have a couple of releases.

Source Repository Type
