Tags: python, pkcs#11, hsm

Can pkcs#11 library of one vendor be used with an HSM of another vendor?


Trying to understand whether it is feasible to create a multi-platform Python package that could be able to sign objects using an HSM of any vendor.

Since the PKCS#11 libraries of different vendors must implement a single interface, it seems to be possible if one does not use a vendor-specific API. However, OpenSC has a list of supported HSMs and a list of unsupported ones, so I think that it is more complicated than I thought.

Please let me know whether it is possible or explain why not. Thanks.


Solution

  • PKCS#11 is an API standard. It describes an API for software that wants to use a smart card or other crypto 'device'. It does not describe how a vendor should do anything underneath that API. And, it does not expect you (as the software programmer) to know how to access all the hardware out there.

    Your app says "C_Login" because that's PKCS#11. P11 states what C_Login expects, and what the state of the environment should be after that call is made -- it does not tell the vendor how to get to that state, only what end state is expected, not the path to get there.

    Now: ...multi-platform Python package... Absolutely possible, assuming you had access to EVERY device binary protocol, communications protocol and programming methodology, for everything out there that provides a crypto-card interface.

    Every smart card, HSM, soft-HSM, etc. that supplies a P11 library knows what your application will ask for, but how it goes about making that object or state available is entirely up to the actual device/pseudo-device. This is why a vendor-specific library is needed -- because the vendor knows the vendor's devices and protocols.

    Or you could provide an API standard that defines a standardized way for software to access hardware, making the binary protocol, communications protocol and programming methodology abstract... i.e., you'd be recreating PKCS#11, but one specific to Python.

    Faster to use the Py lib that talks PKCS#11, and connects to any of the P11 vendor-provided libraries, to talk to that vendor's equipment.
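What the last paragraph describes, as an added example that is not part of the answer above: the only vendor-specific input is the path of the vendor's PKCS#11 module, and everything else is the standard API. The example assumes the python-pkcs11 package (`pkcs11`), the candidate module paths listed below (constructed, SoftHSMv2 layouts), and token/key labels chosen by whoever provisioned the device; it also checks which signing mechanisms the token actually offers, since that varies between vendors.

```python
"""Sign with whatever vendor's PKCS#11 module is installed (assumed setup, see lead-in)."""
import os
import platform

# Constructed candidate paths for a SoftHSMv2-style install; a real package would
# ship an operator-editable list, with PKCS11_MODULE as the explicit override.
DEFAULT_CANDIDATES = {
    "Linux": ["/usr/lib/softhsm/libsofthsm2.so",
              "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"],
    "Darwin": ["/usr/local/lib/softhsm/libsofthsm2.so",
               "/opt/homebrew/lib/softhsm/libsofthsm2.so"],
    "Windows": [r"C:\SoftHSM2\lib\softhsm2-x64.dll"],
}


def find_pkcs11_module(env=os.environ, system=None, exists=os.path.isfile,
                       candidates=DEFAULT_CANDIDATES):
    """Return the vendor module to load: PKCS11_MODULE wins, else the first existing default."""
    override = env.get("PKCS11_MODULE")
    if override:
        if not exists(override):
            raise FileNotFoundError(f"PKCS11_MODULE points to a missing file: {override}")
        return override
    for path in candidates.get(system or platform.system(), []):
        if exists(path):
            return path
    raise FileNotFoundError("no PKCS#11 module found; set PKCS11_MODULE")


def choose_mechanism(supported, preferred):
    """Pick the first preferred mechanism the token really offers; fail closed otherwise."""
    for mech in preferred:
        if mech in supported:
            return mech
    raise ValueError(f"token supports none of {list(preferred)}")


def sign_with_hsm(data: bytes, token_label: str, user_pin: str, key_label: str,
                  module_path=None) -> bytes:
    """Everything here is plain PKCS#11 via python-pkcs11; only module_path is vendor-specific."""
    import pkcs11  # imported lazily so the helpers above work without the package installed
    from pkcs11 import KeyType, Mechanism, ObjectClass

    lib = pkcs11.lib(module_path or find_pkcs11_module())
    token = lib.get_token(token_label=token_label)
    # Prefer RSA-PSS (python-pkcs11 supplies default PSS params), fall back to PKCS#1 v1.5.
    preferred = [Mechanism.SHA256_RSA_PKCS_PSS, Mechanism.SHA256_RSA_PKCS]
    mech = choose_mechanism(set(token.slot.get_mechanisms()), preferred)
    with token.open(user_pin=user_pin) as session:  # read-only session is enough to sign
        key = session.get_key(object_class=ObjectClass.PRIVATE_KEY,
                              key_type=KeyType.RSA, label=key_label)
        return key.sign(data, mechanism=mech)
```

Swapping vendors means changing `PKCS11_MODULE` (or the candidate list) and nothing in `sign_with_hsm`; the mechanism check is what catches a device that lacks the algorithm you assumed.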