p11ex logo

p11ex --- PKCS#11 bindings for Elixir

p11ex is an Elixir library that provides access to the PKCS#11 interface for cryptographic tokens such as Hardware Security Modules and smartcards. The library exposes most PKCS#11 functionality to Elixir, though it is not yet feature complete. Available functions include:

Some PKCS#11 functions require mechanism parameters as arguments. Common parameter types are supported and documented in the Elixir documentation.

The implementation is automatically tested with SoftHSM on Linux (AMD64 and ARM64) and macOS (ARM64). Additional tests are available for the Yubikey PKCS#11 module, though these do not run automatically as part of the build.

Build Prerequisite: PKCS#11 Headers

The NIF build expects PKCS#11 C headers in c_src/. In CI these files are downloaded before compilation; for local builds, do the same manually:

cd c_src
curl -fL -O https://raw.githubusercontent.com/oasis-tcs/pkcs11/master/published/3-01/pkcs11.h
curl -fL -O https://raw.githubusercontent.com/oasis-tcs/pkcs11/master/published/3-01/pkcs11t.h
curl -fL -O https://raw.githubusercontent.com/oasis-tcs/pkcs11/master/published/3-01/pkcs11f.h
cd ..
mix deps.compile p11ex --force

Do not commit downloaded header files accidentally if your workflow stores them outside the source tree.

p11ex_cli --- CLI program to use PKCS#11 tokens

The project also includes a CLI program named p11ex_cli for working with cryptographic tokens. This program provides access to key p11ex functions.

Available Commands

For detailed documentation on each command, run p11ex_cli <command> --help.

EdDSA Support

p11ex_cli supports EdDSA signatures (Ed25519, Ed448). Use the sign command with the appropriate mechanism:

p11ex_cli sign --mechanism Ed25519 --key-label my-ed25519-key --data-file input.txt --signature-file output.sig

Release Process

The release process is semi-automated using three GitHub Actions workflows. Before creating a release, ensure the CHANGELOG.md is updated with the changes to be released.

Prerequisites

Three Workflows Involved

The release process uses three separate workflows that should be triggered in order:

1. Release Library to Hex.pm (.github/workflows/release-lib-hexpm.yml)

This workflow:

Run this first - it creates the git tag needed by the other workflows. The dry-run test ensures the package can be compiled correctly before publishing.

2. Release CLI Binaries (.github/workflows/release-cli.yml)

This workflow:

Run this second - after the git tag exists from step 1.

3. Create Codeberg Release (.github/workflows/release-lib-codeberg.yml)

This workflow:

Run this third - after the git tag exists from step 1.

Release Steps

  1. Update CHANGELOG.md

    • Move items from "Unreleased" section to a new version section
    • Follow the Keep a Changelog format
    • Commit and push the changelog update
  2. Trigger Library Release

    • Go to Actions → "Release p11ex library to Hex.pm"
    • Click "Run workflow"
    • The workflow will calculate version, update files, and publish
  3. Trigger CLI Release

    • Wait for library release to complete and tag to be created
    • Go to Actions → "Release p11ex-cli binaries"
    • Click "Run workflow"
    • Enter the version tag (e.g., 0.4.0)
    • Download the release artifacts from the workflow run
  4. Create GitHub/Codeberg Release (if applicable)

    • Create a release on the repository using the git tag
    • Upload the CLI binaries from the workflow artifacts
    • Add release notes from CHANGELOG.md

For detailed information about the release process, troubleshooting, and manual release procedures, see RELEASE.md.

Quick Reference

WorkflowTriggerInputOutput
release-lib-hexpm.ymlManualNoneHex.pm package, git tag
release-cli.ymlManualVersion tagCLI binaries, checksums
release-lib-codeberg.ymlManualTag name, versionCodeberg release

Note: The Docker workflows (.github/workflows/docker-base.yml and .github/workflows/docker-build.yml) build and maintain the test infrastructure images used by the release workflows. They run automatically on a schedule (twice weekly) or can be triggered manually if needed.