Bouncy Hsm is an developer friendly implementation of a cryptographic store accessible through a PKCS#11 interface. It can simulate HSM (hardware security module) and smart cards (also with a qualified area), it also includes a web administration interface and a REST interface.
Bouncy Hsm was created to facilitate the development and testing of applications using PKCS#11 devices. It is not intended for production data, as it does not implement any data and key protection in storage or during network calls.
The BouncyHsm project was created as an alternative to SoftHSMv2, due to ongoing problems I had using it.
(Screenshots from version 1.1.0)
- Multiple application and users access using PKCS#11 interface.
- Slot and crypto object management using web interface and REST API.
- Create/remove slots.
- Plug and unplug devices (tokens).
- Import P12/PFX files.
- Import crypto objects in PEM format.
- Generate CSR, generate self-signed certificate, import certificate from file.
- Generate keys.
- ...
- Possibility to simulate cards with a qualified area and a signature pin.
- Possibility to simulate protected authentication path using web interface.
- Possibility to simulate removable devices (tokens).
- Supports RSA keys (with size 2-6K).
- Supports 80 named elliptic curves.
- Supports secrets (HMAC, derive,...)
- Supports AES keys.
- Supports mechanisms
- Supports custom profiles for mechanisms (To limit mechanisms to simulate a specific type of HSM or card).
- Same behavior and algorithm support across platforms and versions of Linux operating systems.
- Native PKCS#11 library without dependencies (no dependency hell, no permission configuration).
- BouncyHsm runs on all platform supported .Net 8.0. Moreover, it can be run as a Windows service and also works on Raspberry Pi Zero 2 W. Native lib BouncyHsm.Pkcs11Lib is awaitable for Windows x86 and x64, Linux x64 (it can also be compiled for other platforms).
- CLI tool for management.
- Nuget (BouncyHsm.Client) with REST API client and native PKCS#11 libraries for unit testing. (See example project.)
Pull requests are welcome. If you are not sure about the change, open an issue first.
If the found error or changes refer to the PKCS#11 standard, please complete the link section of the standard.
See more rules in CONTRIBUTING.
- PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
- Software Ideas Modeler - tool in which the diagrams in the documentation were drawn
- NSwag studio - tool for generate OpenApi client
- Ako som robil BouncyHsm - My blog post about BouncyHsm development, technological decisions and reasons for development - in Slovak language