Académique Documents
Professionnel Documents
Culture Documents
Developer’s Guide
---------------------------------
Version 3.9
Notice
This manual contains information that is proprietary to ARX (Algorithmic Research)
No part of this manual may be reproduced in any form whatsoever without
prior written approval by ARX.
ARX reserves the right to revise this publication and make any changes without
obligation to notify any person of such revisions and changes.
For further information, contact ARX at the address below, or contact your local distributor.
Trademarks
CryptoKit, MiniKey, PrivateCard, CryptoSafe, PrivateSafe, and PrivateSafe
PCMCIA are trademarks of ARX. Other names are trademarks or registered trademarks of
respective owners and are used solely for identification purposes.
ARX (Algorithmic Research) 855 Folsom St. Suite 939, San Francisco, CA 94107 Tel: (415) 839 8161 Fax: (415) 723 7110 www.arx.com
i
CryptoKit Developer's Guide
ii
Table of Contents
iii
CryptoKit Developer's Guide
iv
Chapter 1: Introduction to Cryptography
In this chapter we review some of the concepts and terms of modern
cryptography. If you are new to this field, it might be worthwhile to consult
introductory reference material. Three sources worth referencing are:
Applied Cryptography, Second Edition, Bruce Schneier, John Wiley & Sons,
1996.
Contemporary Cryptology, Edited by Gustavus J. Simmons, IEEE press, 1992.
Security for Computer Networks, Second Edition, D.W. Davies and W. L. Price,
John Wiley & Sons, 1989.
Security Issues
Cryptographic-Strength Data Security deals with four primary issues:
♦ Two-way participant authentication – During data exchange, each side
wants to be sure of the identity of the other.
♦ Data authentication (integrity) – This is a general term that roughly
means the data is reliable and was not tampered with.
♦ Data secrecy – This is needed when sensitive data is transferred.
♦ Non-repudiation – Provides a mechanism for the recipient to prove that
the information was generated by a particular sender.
Cryptographic Algorithms
Data security as described above is maintained through the use of cryptographic
algorithms. A cryptographic algorithm is a method, usually based on some
mathematical function, used for authentication and/or secrecy. Some
applications require only secrecy or only authentication; others require both. The
security of a cryptographic scheme resides entirely in the secret key, and not in
the secrecy of the algorithm. Cryptographic schemes are classified as either
Symmetric or Asymmetric.
1-1
1 CryptoKit Developer's Guide
Symmetric Schemes
Classical (Symmetric) schemes, such as DES, are based on a common secret key
for both encryption and decryption:
User A User B
Ciphertext
Key Encrypt Decrypt Key
Cleartext Cleartext
1-2
Introduction to Cryptography 1
User A User B
Key MAC
Compute MAC Verify MAC Key
Cleartext + Cleartext +
Initial Vector Initial Vector
Symmetric schemes have both strengths and weaknesses. Their strengths include
fast encryption/decryption and participant/data authentication using MACs.
However, their weaknesses include the need for a separate (secure) channel for
key transfer, and the need for very complex key management.
Asymmetric Schemes
Asymmetric cryptographic schemes are based on principles that differ to those
governing Symmetric schemes in the following ways:
♦ The encryption key is different than the decryption key.
♦ The decryption key cannot be calculated from the encryption key (i.e. it
is a one-way function).
Such a scheme is also called a Public Key System, because the encryption key is
made public. This way, a complete stranger can use the encryption key to
encrypt a message, but only someone with the corresponding decryption key can
decrypt the message. The encryption key is called the Public Key, and the
decryption key is called the Private Key. The best-known Asymmetric scheme is
RSA.
Asymmetric schemes provide secrecy by having the sender use the receiver's
public key to encrypt the data, while only the intended receiver, using his private
key, can decrypt the data and use it:
1-3
1 CryptoKit Developer's Guide
User A User B
Ciphertext
Public Key Encrypt Decrypt Private Key
Cleartext Cleartext
User A User B
Cleartext + Cleartext +
Date & Time Date & Time
1-4
Introduction to Cryptography 1
Asymmetric schemes offer both strengths and weaknesses. Their primary
weakness is that encryption/decryption is relatively slow, involving intensive
computations. Their many strengths include:
♦ Fewer security issues in key transfer (all public).
♦ Simple key management (N users => N public keys).
♦ Participant/data authentication using digital signatures.
♦ Non-repudiation through digital signatures.
Symmetric and Asymmetric schemes are useful, and both have strengths and
weaknesses. Thus, it would be ideal to combine the strengths of both and avoid
the weaknesses. The following section describes an attempt to do this.
1-5
1 CryptoKit Developer's Guide
Two-way Authentication
Two-way authentication is achieved with an RSA-based Challenge-Response
protocol performed in both directions at the beginning of each session.
1-6
Introduction to Cryptography 1
Fast Encryption/Decryption
Fast Encryption/Decryption of actual data is DES-based:
User A User B
Ciphertext
Key Encrypt Decrypt Key
Cleartext Cleartext
Data Authentication
As for data authentication, this is done with MACs:
User A User B
MAC
Key Compute MAC Verify MAC Key
Cleartext + Cleartext +
Initial Vector Initial Vector
1-7
1 CryptoKit Developer's Guide
Transaction Non-Repudiation
Transactions that involve payments are authenticated with a Digital Signature,
which also ensures non-repudiation.
User A User B
Cleartext + Cleartext +
Date & Time Date & Time
1-8
] Chapter 2: Component-Related
Technologies
CryptoKit enables the use of several types of smart card solutions including
smart cards, readers and USB smart card tokens, such as MiniKey, which
enhances security, allows storage of sensitive data and the use of secure PINs.
CryptoKit also enables the full emulation of smart card tokens in software,
providing virtual (software-only based) tokens.
2-1
2 CryptoKit Developer's Guide
Key Media
Smart Cards
Smart card chips are secure, single chip microprocessors, produced in a way that
prevents external probing of their memory contents. With a single serial I/O port
as the only means of communication with the outside world and with no external
bus, smart card chips provide a safe place for storing secret information such as
encryption keys, passwords and secret user data. This sensitive information is
kept in non-volatile memory, which provides long-term storage and does not
depend on continuous power supply. The smart card microprocessor runs the
smart card operating system, which controls the resources of the smart card. The
operating system communicates with the outside world using a protocol and
commands specified in ISO standard 7816. Data is organized in a hierarchical
file system (tree).
Password Protection
The most common method for protecting data is by use of a password, which
must be presented before permitting access, or modification of data in files. To
2-2
Component-Related Technologies 2
prevent the type of attack that presents a large number of password attempts in
succession, a smart card operating system can lock the smart card from further
password presentations after a small number of unsuccessful attempts.
Cryptographic Operations
Since encryption keys are kept on the smart card and are not exposed to the
outside world, the algorithms that use them must also reside on the card. Most
smart cards contain symmetric encryption algorithms (such as DES) as part of
the operating system. More advanced smart cards implement asymmetric
algorithms, or public key cryptography, such as RSA, utilizing a special
arithmetic processor that is optimized for performing fast modular arithmetic.
Applications
With the features described above, smart card chips can be used for a wide range
of applications, including: Network login, personal identification, authentication,
digital signatures, e-commerce and more.
Smart cards are the most flexible solution available for enforcing controlled
access to Web pages, Internet services, databases and applications. They
empower organizations to distribute sensitive information over the Net by
implementing user authentication, digital signatures and data encryption.
Removal/Insertion
Smart cards can be changed during application execution. When the smart card
is removed from the reader, applications automatically log off. When the new
smart card is inserted, CryptoKit detects the smart card type and, if supported,
works with it.
2-3
2 CryptoKit Developer's Guide
2-4
Component-Related Technologies 2
♦ X.509 certificates PrivateCard can conveniently store X.509 certificates
to provide digital identity. With its enhanced storage capacity of up to
64K, PrivateCard can be used to secure a current application, and store
additional personal data in the future, such as biometric information.
PrivateCard can be used with all types of smart card readers supported by
CryptoKit.
Models of PrivateCard
CryptoKit supports the use of virtual tokens, which store all PKCS#11 objects in
a specially formatted file that can be created on the hard disk or on a diskette.
Since all cryptographic operations are performed in software, no additional
drivers need to be installed.
2-5
2 CryptoKit Developer's Guide
The distinction between slot and token for software tokens is irrelevant, so these
files can be considered as both slot and token simultaneously.
As a development solution, software key media (virtual tokens) are simpler and
cheaper to implement than smart cards, but at the same time, they provide a
lower level of security. For convenience, you could begin the development
process utilizing key files (software key media), since these make it easy to
maintain a separation of potential development problems from possible
hardware issues. However, it is recommended to switch to smart cards at a later
stage of development for enhanced security, as well as for distribution purposes.
When an application uses software key media, all security-related operations are
performed in the computer. Security depends on the operating system used. All
protected data units in the key file are encrypted. Even in the event of
unauthorized access, the protected data in a key file cannot be compromised as
long as the passwords remain unknown.
Software tokens support RSA 4096 bit operations. A special library, which was
specifically designed for Pentium 4 computers, provides very high performance
of the RSA operations.
CryptoKit supports two types of software key media: static and dynamic. The
number of virtual slots, the maximum number of dynamic slots (which must be
less than the total number of slots) and the directory name for virtual tokens is
stored in the System Registry. System administrators can change these defaults.
For more information how to change the defaults for software tokens refer to
Chapter 7.
Calling the function C_GetSlotInfo can retrieve the name of a virtual token. The
Description field contains only the software token file name, not including the
file path.
Virtual tokens can be initialized and user PINs set by calling C_InitToken and
C_InitPIN functions. For dynamic slots, the appropriate file is created and
initialized during C_InitToken.
2-6
Component-Related Technologies 2
Note: During the first initialization of a virtual token, the value supplied as the
parameter of SO PIN is not checked and it is taken as the initial value of SO
PIN.
When the folder contains fewer files than the maximum, the system displays the
unused number of software slots as empty of tokens. In this case, if new files are
added to the folder, the system continues to display the same number of unused
empty slots until the user fully exits (C_Finalize) and re-initializes the CryptoKit
application.
An application always retrieves the full slot list, containing both non-dynamic
and dynamic slots. If no dynamic slots were configured, the system defines all
software slots as non-dynamic, blocking the capability of dynamic insertion of
tokens.
2-7
2 CryptoKit Developer's Guide
MiniKey Token
PKI-Ready
Thanks to its standard interface and USB Plug &Play capability, MiniKey is
easy to use and does not require any additional hardware. MiniKey is an overall
low-cost solution, since the token itself is inexpensive and it eliminates the need
for a reader, making MiniKey the most attractive, high security PKI token
available.
2-8
Component-Related Technologies 2
Since MiniKey contains AR’s PrivateCard smart card chip, the detailed
description of PrivateCard’s functionality and features provided above is equally
relevant to AR’s MiniKey token.
The Universal Serial Bus (USB) port is used to connect both fast peripheral
devices such as printers, scanners and digital cameras, as well as slow
peripherals such as keyboard, mouse and smart card reader or token. All these
devices can be connected to the same USB port and they are identified by the PC
host controller, which assigns each one a distinct I/O address. USB hubs enable
connection of multiple devices (up to 127) concurrently to the same PC.
Using the computer’s USB port, AR’s MiniKey acts as a USB device, and offers
the same advantages as any other USB peripheral. Since these devices directly
connect through the USB hub, there is no need for special configuration, making
it simple and transparent for users to plug in MiniKey and use its enhanced
security features.
Models of MiniKeys
There are some models of MiniKeys available. The following table shows the
difference between them:
Model Memory RSA Smartcard Operating Driver ITSEC
Size Capability Chip System Cert.
Version
2-9
2 CryptoKit Developer's Guide
For more information about the functionality and operation of the PrivateServer,
refer to the PrivateServer installation manual and to PrivateServer API guide.
2-10
Component-Related Technologies 2
CoSign – Digital Signatures Appliance
For more information about the functionality and operation of the CoSign, refer
to the CoSign manual.
2-11
2 CryptoKit Developer's Guide
The PrivateSafe and CryptoSafe readers have the unique capability to receive
the user’s PIN when he enters it and then present it securely to the inserted smart
card. The following table illustrates the differences between these options:
2-12
Component-Related Technologies 2
PrivateSafe
2-13
2 CryptoKit Developer's Guide
PrivateSafe PCMCIA
2-14
Component-Related Technologies 2
CryptoSafe
Note: If you use AR’s CryptoSafe reader, you have to load into it an appropriate
DLM. The DLM is program that is digitally signed by AR special private key
and the signature is verified once the program is loaded into the reader, so that
no information (passwords or private keys) can be compromised.
2-15
2 CryptoKit Developer's Guide
Media Independence
The CryptoKit API is media independent – it can be used for various types of
key media with minimal or no change. For example, an application written to
use key files can make use of smart cards or MiniKeys with minimal or no
change at all.
Platform Independence
CryptoKit has an ANSI standard, C-like API that is the same for all supported
platforms. An application using CryptoKit can be smoothly ported to any
supported platform. Currently, CryptoKit is available for the following
platforms:
♦ Windows (98, ME, NT, 2000, XP and 2003)
♦ Linux (RedHat, SUSE and Debian)
CryptoKit has a Java interface that allows Java applications to utilize all
supported devices. It includes two Java libraries: a proprietary Java adapter that
provides PKCS#11 style API to Java applications and a standard Java
Cryptography Architecture (JCA) provider. For more information refer to
chapter 5.
The file format used by CryptoKit to store a virtual token is identical for all
platforms. This guaranties that key files can be created and used across different
platforms.
2-16
Component-Related Technologies 2
Advanced Capabilities
Simplicity of Use
Performance
2-17
2 CryptoKit Developer's Guide
CryptoKit is fully designed for server side applications. It has full exception
handling mechanism for stability and recovery from unexpected errors. In
addition, it includes a sophisticated logging mechanism that allows collection of
data to be used for investigation of such problems if they occur.
2-18
Chapter 3 SmartAdaptor Technology
X.509 extension These extensions provide functionality for working with X.509
certificates (request, response, parsing)
PKCS#10,PKCS#7
extension
3-1
3 CryptoKit Developer's Guide
General Concepts
CryptoKit Architecture
CryptoKit’s main component, SmartAdaptor, is a library that transforms the
PKCS#11API, into multifunctional smart card architecture. SmartAdaptor
creates a connection between several PKCS#11 providers and enables smart
card and reader independence from implementations.
3-2
SmartAdaptor Technology 3
Applications
MS CAPI
Applications
User
Java PKCS#11-based Applications
Applications e.g., e.g., Entrust, Baltimore, Netscape
IE/Outlook
Extensions
Adapters
Java CAPI Entrust PKCS PKCS
X.509
Adapter Adapter Adapter #10,7 #12
PKCS#11
Registration
Extension
API *
User Interface
SmartAdaptor
11
S# I SmartAdaptor Engine for
C P
PK A Multi-thread, Multi-process,
Multi-slot, Multi-provider
Reader
Smartcard
Provider
Provider API
API
Providers
3-3
3 CryptoKit Developer's Guide
A Reader provider, written for each smart card reader, supplies the reader’s
operational functionality. SmartAdaptor supports three kinds of readers: PCSC,
CT-API and proprietary readers. PCSC readers do not need to be registered by
SmartAdaptor since they are already registered in the Windows operating
system, allowing SmartAdaptor to detect them automatically.
When a reader has two (or more) supported interfaces, and one of them is PCSC,
SmartAdaptor may display the reader twice on the slot list. In order to prevent a
multiple listing of the same reader, SmartAdaptor provides an option in the API
to block the display of a particular reader as a PCSC device. In this case, it is
listed as a proprietary device only.
3-4
SmartAdaptor Technology 3
Main SmartAdaptor Cryptographic API
The PKCS#11 standard utilizes terms whose specific implications are listed
below:
Mechanisms Security algorithms performed with various types of keys and other
cryptographic objects
Objects Data, certificates and keys stored on tokens
Tokens Smart card, MiniKey or other key media
Slots Smart card readers connected to application computer (e.g.,
Algorithmic Research’s PrivateSafe®, CryptoSafe and PrivateSafe
PCMCIA readers)
Protected PIN entry from protected keypad, finger-print reader, and other
Authentication devices
Path
3-5
3 CryptoKit Developer's Guide
AR or 3 rd Party Applications
AR CryptoKit PKCS#11
Tokens
PrivateServer CoSign
3-6
SmartAdaptor Technology 3
In normal cases, the user initializes his token and sets the PIN when working
with the library. However, for convenience, the special utility argenie.exe is
included in the CryptoKit installation, containing the C_InitToken and
C_InitPIN functions, enabling preparation of the token to use. The utility can
be used after installation to initialize additional tokens and PINs on the tokens
(see Chapter 6).
The full set of RSA, DSS, Diffie-Hellman, RC2, RC4, DES, Triple-DES,
Double-length DES, AES, MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512,
RIPEMD160, SSL3, TLS and key derivation mechanisms are supported by the
CryptoKit PKCS#11 library. Additional proprietary algorithms are also included
for backward compatibility with older versions of CryptoKit (Ver 1.63). The
following table lists all supported mechanisms:
Mechanisms Functions
CKM_RSA_PKCS_KEY_PAIR_GEN GenerateKeyPair
3-7
3 CryptoKit Developer's Guide
Mechanisms Functions
CKM_RSA_PKCS_PSS Sign/Verify
CKM_RSA_9796 Sign/Verify,
SignRecover/VerifyRecover
CKM_MD2_RSA_PKCS Sign/Verify
CKM_MD5_RSA_PKCS Sign/Verify
CKM_SHA1_RSA_PKCS Sign/Verify
CKM_SHA256_RSA_PKCS Sign/Verify
CKM_SHA384_RSA_PKCS Sign/Verify
CKM_SHA512_RSA_PKCS Sign/Verify
CKM_RIPEMD160_RSA_PKCS Sign/Verify
CKM_DSA_KEY_PAIR_GEN GenerateKeyPair
CKM_DSA Sign/Verify
CKM_DSA_SHA1 Sign/Verify
CKM_DH_PKCS_KEY_PAIR_GEN GenerateKeyPair
CKM_DH_PKCS_DERIVE Derive
CKM_GENERIC_SECRET_KEY_GEN GenerateKey
CKM_RC2_KEY_GEN GenerateKey
3-8
SmartAdaptor Technology 3
Mechanisms Functions
CKM_RC2_MAC_GENERAL Sign/Verify
CKM_RC2_MAC Sign/Verify
CKM_RC4_KEY_GEN GenerateKey
CKM_RC4 Encrypt/Decrypt
CKM_DES_KEY_GEN GenerateKey
CKM_DES_MAC_GENERAL Sign/Verify
CKM_DES_MAC Sign/Verify
CKM_DES2_KEY_GEN GenerateKey
CKM_DES3_KEY_GEN GenerateKey
CKM_DES3_MAC_GENERAL Sign/Verify
CKM_DES3_MAC Sign/Verify
CKM_AES_KEY_GEN GenerateKey
3-9
3 CryptoKit Developer's Guide
Mechanisms Functions
CKM_AES_MAC Sign/Verify
CKM_AES_MAC_GENERAL Sign/Verify
CKM_MD2 Digest
CKM_MD2_HMAC_GENERAL Sign/Verify
CKM_MD2_HMAC Sign/Verify
CKM_MD5 Digest
CKM_MD5_HMAC_GENERAL Sign/Verify
CKM_MD5_HMAC Sign/Verify
CKM_SHA_1 Digest
CKM_SHA_1_HMAC_GENERAL Sign/Verify
CKM_SHA_1_HMAC Sign/Verify
CKM_SHA_256 Digest
CKM_SHA_256_HMAC_GENERAL Sign/Verify
CKM_SHA_256_HMAC Sign/Verify
CKM_SHA_384 Digest
CKM_SHA_384_HMAC_GENERAL Sign/Verify
CKM_SHA_384_HMAC Sign/Verify
3-10
SmartAdaptor Technology 3
Mechanisms Functions
CKM_SHA_512 Digest
CKM_SHA_512_HMAC_GENERAL Sign/Verify
CKM_SHA_512_HMAC Sign/Verify
CKM_RIPEMD160 Digest
CKM_RIPEMD160_HMAC_GENERAL Sign/Verify
CKM_RIPEMD160_HMAC Sign/Verify
CKM_MD5_KEY_DERIVATION Derive
CKM_MD2_KEY_DERIVATION Derive
CKM_SHA1_KEY_DERIVATION Derive
CKM_SHA256_KEY_DERIVATION Derive
CKM_SHA384_KEY_DERIVATION Derive
CKM_SHA512_KEY_DERIVATION Derive
CKM_CONCATENATE_BASE_AND_KEY Derive
CKM_CONCATENATE_BASE_AND_DATA Derive
CKM_CONCATENATE_DATA_AND_BASE Derive
CKM_XOR_BASE_AND_DATA Derive
CKM_EXTRACT_KEY_FROM_KEY Derive
CKM_SSL3_PRE_MASTER_KEY_GEN GenerateKey
CKM_SSL3_MASTER_KEY_DERIVE Derive
CKM_SSL3_KEY_AND_MAC_DERIVE Derive
3-11
3 CryptoKit Developer's Guide
Mechanisms Functions
CKM_TLS_PRE_MASTER_KEY_GEN GenerateKey
CKM_TLS_MASTER_KEY_DERIVE Derive
CKM_TLS_KEY_AND_MAC_DERIVE Derive
CKM_TLS_PRF Derive
CKM_ARDFP1 Digest
CKM_ARDFP2 Digest
CKM_ARDFP3 Digest
CKM_ARDFP4 Digest
CKM_DES_STREAM Encrypt/Decrypt
CKM_DES3_STREAM Encrypt/Decrypt
CKM_DES3EEE_ECB Encrypt/Decrypt
CKM_DES3EEE_CBC Encrypt/Decrypt
3-12
SmartAdaptor Technology 3
3-13
3 CryptoKit Developer's Guide
3-14
SmartAdaptor Technology 3
The SO must initialize the token (by calling the C_InitToken function) and
set the user’s initial PIN before a normal user can log in. In order to initialize the
user’s PIN, the SO must log into the public session (it is assumed that the SO
PIN was already initialized on each token, and call the C_InitPIN function.
Though the SO can manipulate certain public data, PKCS#11 does not allow the
SO to gain access to private data. However, since PKCS#11 does not impose a
distinction between the SO and users, the SO may also be a user, and gain access
to private data by logging on as a normal user.
3-15
3 CryptoKit Developer's Guide
These versions support the same RSA (key length up to 4096, DSS and
Diffie-Hellman key lengths (up to 1024 bits) and the same hash and key
derivation algorithms.
An application can check the library version currently in use by calling the
C_GetInfo function. The resulting libraryDescription and libraryVersion
fields contain version information.
3-16
SmartAdaptor Technology 3
“Slots” are smart card readers or other device interfaces connected to the
application computer enabling use of the smart card token as storage for
cryptographic objects and for performing cryptographic functions.
PrivateCard is one of the most intelligent and high performance smart cards
available, performing all operations with the RSA private key located internally
on the smart card chip.
3-17
3 CryptoKit Developer's Guide
Objects are classified by token and by session. While token objects remain on
the token even after all sessions using the token are closed, and even after the
token has been removed from the slot, session objects are temporary. The
lifetime of session objects is limited by the duration of the session during which
they were created. After closing a session, (by calling the C_CloseSession
function or by removing the token from the slot), all objects created in that
session as session objects, are automatically deleted.
Objects are also classified as Public or Private. To view or use Public objects,
there is no need for applications to log into the token. However, authentication is
necessary to gain access to Private objects (see the Users, Administrators and
Sessions section above).
3-18
SmartAdaptor Technology 3
Tokens can generate, destroy, manipulate, and search for objects—they can also
use them (e.g., key objects) to perform cryptographic operations.
PIN Functionality
Private objects can be accessed only after a user has successfully presented his
PIN to the token, authenticating himself as the owner of the key media. The
following explanation of PIN presentation is valid for C_Login,
C_InitToken, C_InitPIN and C_SetPIN functions (all functions that
contain PIN as a parameter).
CryptoKit has three special modes for presenting the PIN to the token:
♦ Secure PIN entry mode, which is activated when NULL is passed as
parameter to the login functions. As documented in the Cryptoki 2.11
standard, this option can be used with tokens that have a protected
authentication path (i.e., protected keypad entry). Algorithmic
Research’s PrivateCard enables this form of authentication when used
with PrivateSafe and CryptoSafe readers, but not with the PrivateSafe
PCMCIA reader or MiniKey. During PIN entry, the reader disconnects
the keyboard from the computer thus disables exposure of sensitive data.
An application can check whether secure PIN entry is enabled on a
specific token by calling C_GetTokenInfo and checking the value of
protected authentication path flag in the CK_TOKEN_INFO structure.
3-19
3 CryptoKit Developer's Guide
♦ SSO mode, in which the user is required to present the PIN only once.
The PIN is stored in memory and afterwards it is automatically retrieved
by CyptoKit everytime logon to the token is required. The SSO
functionality is able to store both the user and SO PINs for each slot.
When the token is removed or when the user logs off from the
workstation, the stored PIN’s are cleared from memory.
♦ Unattended mode, which enables automatic presentation of a PIN that
was previously stored in the registry. This mode can be used to
automatically authenticate to tokens in unattended machines.
For example, a PIN becomes “expired” if it has not been replaced within the
default period of time. Subsequent attempts to use it will return the
CKR_PIN_EXPIRED result code and the user should change the PIN by calling
the C_SetPIN function. The expiration date is automatically re-computed
after replacing the PIN.
Due to inconsistencies, the Cryptoki PKCS#11 API does not grant PIN update
functionality to its applications when a PIN has expired. As a result, if a user
3-20
SmartAdaptor Technology 3
tries to login after his PIN has expired, he will be locked out of the application
since he can use C_Set PIN functionality only after logging in.
During a call to C_SetPIN, if the old PIN was entered by protected keypad, the
replacement PIN must be entered the same way (i.e., if the old PIN was passed
as NULL to the C_SetPIN function, the new PIN must be also passed as
NULL). Another security feature provided by the CryptoKit: A new PIN must
be different than the one it replaces.
3-21
3 CryptoKit Developer's Guide
The following table describes the default PIN parameters that are set by the
CryptoKit installation program for MiniKey, PrivateCard and software tokens.
For details how to change these default settings, refer to the CryptoKit Files and
Registry Entries section in Chapter 7.
3-22
SmartAdaptor Technology 3
Parameter Default Values for Default Values for Explanation &
MiniKey and Software token Valid Values
PrivateCard
Minimum period 0 0 0 – PIN can be changed
for PIN change at any time
1-7 – Minimum number
of days between PIN
changes
3-23
3 CryptoKit Developer's Guide
Thread Safety
The CryptoKit will serialize requests when several processes share a library.
Additionally, according to PKCS#11 specifications, token objects are visible to
all applications (possessing sufficient permissions) connected to the token.
When the CryptoSafe reader is used, the library acquires the current date and
time for PIN presentation and PIN replacement from the reader’s internal clock.
For all other cases, CryptoKit uses the computer’s time and date and attempts to
factor in the time zone. However, there may be some variation in dates and
times due to differences in operating systems, sometimes even on the same
computer.
3-24
SmartAdaptor Technology 3
Some details in the declaration of Cryptoki data structures and functions may
vary between platforms. Therefore it may be necessary to implement some
preprocessor directives or compiler options.
All Cryptoki types and defines are stored in the pkcs11t.h file. Information
about function prototypes is contained in the pkcs11f.h file. In order to
include the main H-file pkcs11.h (or the pkcs11t.h file by itself), it is
necessary to define four platform-specific macros, described below, with their
typical definitions. Note that these definitions are both platform- and compiler-
dependent (and may also be affected by whether a Cryptoki library is linked
statically or dynamically).
AR_WIN32 (3)
AR_SOLARIS (8)
AR_AIX (10)
AR_LINUX (12)
3-25
3 CryptoKit Developer's Guide
Refer to your C or C++ compiler reference guide for information on how to set
preprocessor symbols.
The Cryptoki standard states that on Windows 32bit platform, any structure
should be packed with 1-byte alignment. However, CryptoKit is compiled in
such a way that any program that uses this library will be able to work properly,
regardles of its byte alignment. (The 1-byte packing convention that was
required by older versions of CryptoKit is no longer needed).
Platform-Specific Macros
CK_PTR
The indirection string, for making a pointer into an object, can be used as
follows:
typedef CK_BYTE CK_PTR CK_BYTE_PTR;
For the Windows 32bit platform the following definition was used:
#define CK_PTR *
CK_DECLARE_FUNCTION(returnType, name)
This macro creates an importable Cryptoki library function declaration out of a
return type and a function name. It is used as follows:
extern CK_DECLARE_FUNCTION( CK_RV, C_Initialize )
( CK_VOID_PTR pReserved );
For the Windows 32bit platform the following definition was used to declare a
function in a DLL:
#define CK_DECLARE_FUNCTION( returnType, name ) \
returnType __declspec( dllimport ) name
3-26
SmartAdaptor Technology 3
CK_DECLARE_FUNCTION_POINTER(returnType, name)
This macro creates a Cryptoki API function pointer declaration or function
pointer type declaration out of a return type and a function name. It isused as
follows:
CK_DECLARE_FUNCTION_POINTER( CK_RV, funcPtr )
( args );
For the Windows 32 bit platform the following definition was used to access
functions in a DLL:
#define CK_DECLARE_FUNCTION_POINTER
( returnType, name ) \
returnType __declspec( dllimport ) ( *name )
CK_CALLBACK_FUNCTION(returnType, name)
This macro creates a function pointer type for an application callback using both
a return type for the callback and a name for the callback:
CK_CALLBACK_FUNCTION( CK_RV, myCallback )( args );
3-27
3 CryptoKit Developer's Guide
For the Windows 32bit platform the following definition was used:
#define CK_CALLBACK_FUNCTION( returnType, name ) \
returnType( *name )
3-28
SmartAdaptor Technology 3
Registration API
See the Registration API functions section below for a description of each
function.
The data structures listed below are in C-notation and are defined in the
sadaptor.h file.
3-29
3 CryptoKit Developer's Guide
UMB_RV
typedef UINT32 UMB_RV;
Retrieves return code types that are returned by all the Registration API
functions:
♦ UMB_RV_OK Operation successful
♦ UMB_RV_END Reached end of database in a multi-step
operation (e.g., Find)
♦ UMB_RV_MEMORY Insufficient memory
♦ UMB_RV_INVALID_PARAMETERS Invalid parameters detected
♦ UMB_RV_INSUFFICIENT_BUFFER Allocated buffer too small
♦ UMB_RV_NOT_FOUND Object not found in database
♦ UMB_RV_HARDWARE Hardware error
♦ UMB_RV_CARD_NOT_POWERED Card inserted but not powered up
♦ UMB_RV_CARD_NOT_PRESENTED Card not inserted
♦ UMB_RV_COMMUNICATION Communication problem occurred
♦ UMB_RV_TIMEOUT Operation took too much time, interrupted by
with timeout state
♦ UMB_RV_SHARING_VIOLATION Smart card or reader temporary inaccessible
(locked by another application)
♦ UMB_RV_INTERNAL_ERROR Internal error occurred
UMB_CONTEXT
typedef void * UMB_CONTEXT;
3-30
SmartAdaptor Technology 3
♦ UMB_CreatePKCS11ProviderContext
♦ UMB_CreatePKCS11SmartcardProviderContext
♦ UMB_CreateSmartcardReaderContext
♦ UMB_CreateFindContext
♦ UMB_ListProviders
All the other Registration API functions need this handle as a parameter to
specify the provider.
UMB_PROVIDER_INFO
typedef struct {
UINT32 api_version; // high word - major version,
// low word – minor version
UINT32 impl_version;// high word - major version,
// low word – minor version
char vendor_name[64]; // NULL terminated string
char provider_name[64];// NULL terminated string
} UMB_PROVIDER_INFO;
This structure stores general information about a provider. It is mandatory for all
three types of providers: Core, Reader and Smart card. Functions that create the
context receive this structure as a parameter.
UMB_PCSC_EXCLUDE_STRUCT
typedef struct {
UMB_COMPARE_STYLE flag;// UMB_COMPARE_ALL,
// UMB_COMPARE_START or
// UMB_COMPARE_PART
char readerName[256]; // NULL terminated string
} UMB_PCSC_EXCLUDE_STRUCT;
This structure is used for readers with a PC/SC interface that are nonetheless
registered as a CT-API or proprietary reader and therefore should be excluded
3-31
3 CryptoKit Developer's Guide
from the enumeration of PC/SC readers. The flag field defines how the reader
name should be matched. This attribute can only be assigned to a Reader
provider type context with Reader type set to
UMB_SC_READER_TYPE_PCSC.
Parameters
♦ UMB_COMPARE_ALL – compares readerName to the exact reader
name received from PC/SC.
♦ UMB_COMPARE_START – looks for readerName in the PC/SC
reader name at the start (similar to file compare “name*”).
♦ UMB_COMPARE_PART – looks for readerName somewhere inside
the PC/SC reader name (similar to file compare “*name*”).
UMB_CTAPI_PORT_DESCR
typedef struct {
short phys_number;
short ICC_mask;
} UMB_CTAPI_PORT_DESCR;
This structure describes a CT-API reader port. It can only be assigned to a
Reader provider type context with Reader type set to
UMB_SC_READER_TYPE_CTAPI. For more information, refer to
documentation on CT-API specifications.
Parameters
♦ phys_number – number of the port to which the reader is connected.
This number is passed to the CT_Init function as pn parameter.
♦ ICC_mask – bit mask of the slots available for use in a reader. The
lowest bit accords to the first slot, which must be available.
3-32
SmartAdaptor Technology 3
UMB_CTAPI_PORTS
typedef struct {
int number_of_ports;
UMB_CTAPI_PORT_DESCR ports[16];
} UMB_CTAPI_PORTS;
This structure describes some or all of available CT-API reader ports. It can only
be assigned to a Reader provider type context with Reader type set to
UMB_SC_READER_TYPE_CTAPI. For more information, refer to
documentation on CT-API specifications.
Parameters
♦ number_of_ports – number of cells used in “ports” array.
♦ ports – an array of 16 cells. Each member is a structure of
UMB_CTAPI_PORT_DESCR type, including description of a reader, its
port and slots.
UMB_ATR_DESCRIPTION
typedef struct {
int atr_len; // length of the ATR
char atr[32]; // ATR
char atr_mask[32]; // indicates which bits in
// the ATR read from the
// smart card should be
// compared with this ATR
} UMB_ATR_DESCRIPTION;
This structure can only be assigned to a Smart card provider type context and it
describes one ATR of a smart card supported by this provider. One Smart card
provider can have a number of ATR descriptions (if it supports many smart
cards) but at least one must be provided.
3-33
3 CryptoKit Developer's Guide
UMB_CreatePKCS11ProviderContext
This function creates a Core PKCS#11 provider context. After creating the
provider context, call UMB_SetProviderData to add additional parameters.
Then, register the provider by calling UMB_RegisterProvider.
Syntax
UMB_RV UMB_CreatePKCS11ProviderContext(
const UMB_PROVIDER_INFO * info,
const char * module,
UMB_CONTEXT * context);
Parameters
♦ info [in] – contains a general description of the Core provider. Refer to
the Registration API data types section above for a detailed explanation
of this parameter (Type UMB_PROVIDER_INFO).
♦ module [in] – contains the full path and name of the dll of the Core
provider.
♦ context [out] – receives a pointer to the created context, upon successful
termination of the function.
Note: Since this function’s arguments are mandatory, they cannot be NULL.
Return Values
UMB_RV_OK – context created successfully.
3-34
SmartAdaptor Technology 3
UMB_RV_INVALID_PARAMETERS – invalid parameter detected, a
pointer is probably NULL. Note that the function does not check whether
the file specified in the module parameter exists.
UMB_RV_MEMORY – insufficient memory.
UMB_RV_INTERNAL_ERROR – an internal error occurred.
UMB_CreatePKCS11SmartcardProviderContext
This function creates a Smart card provider context. A mandatory ATR
parameter must be specified to indicate, which smart card ATRs are supported
by that provider. Each Smart card provider can support multiple ATRs, which
can be added to the context by calling UMB_AddATRToList or
UMB_SetProviderData. Then, register the provider by calling
UMB_RegisterProvider.
Syntax
UMB_RV UMBAPI
UMB_CreatePKCS11SmartcardProviderContext(
const UMB_PROVIDER_INFO * info,
const char * module,
const char * entry,
const UMB_ATR_DESCRIPTION * atr,
UMB_CONTEXT * context);
Parameters
♦ info [in] – contains a general description of the Smart card provider.
Refer to the Registration API data types section above for a detailed
explanation of this parameter (Type UMB_PROVIDER_INFO).
♦ module [in] – the full path and name of the dll of the Smartcard
provider.
3-35
3 CryptoKit Developer's Guide
♦ entry [in] – the name of the entry function for this dll, which is called
after it has been loaded. The entry function passes to the Smart card
provider pointers of the reader functions.
♦ atr [in] – description of the ATR for the Smart card provider.
♦ context [out] – receives a pointer to the created context, upon successful
termination of the function.
Note: Since all of these parameters are mandatory, they cannot be NULL.
Return Values
UMB_RV_OK – context successfully created.
UMB_RV_INVALID_PARAMETERS – invalid parameter detected, a
pointer is probably NULL. Note that the function does not check whether
the file specified in the module parameter exists.
UMB_RV_MEMORY – insufficient memory.
UMB_RV_INTERNAL_ERROR – an internal error occurred.
UMB_CreateSmartcardReaderContext
Similar to the functions described above, this function creates a Smart card
reader context. It can be used to create a CT-API or proprietary reader context or
to create a PC/SC reader to be excluded from the readers list. After creating the
context, call UMB_SetProviderData to add additional parameters. Then, register
the provider by calling UMB_RegisterProvider.
Syntax
UMB_RV UMBAPI UMB_CreateSmartcardReaderContext(
int type,
const UMB_PROVIDER_INFO * info,
const char * module,
const char * entry,
3-36
SmartAdaptor Technology 3
UMB_CONTEXT * context);
Parameters
♦ type [in] – there are three possible types of Reader providers, which are
defined in sadaptor.h:
UMB_SC_READER_TYPE_CTAPI, which is used to register a
CT-API reader provider
UMB_SC_READER_TYPE_PROPRIETARY, which is used to
register a proprietary reader provider
UMB_SC_READER_TYPE_PCSC, which is used to exclude a
PC/SC reader from the readers list
♦ info [in] – contains a general description of the Reader provider. Refer to
the Registration API data types section above for a detailed explanation
of this parameter (Type UMB_PROVIDER_INFO).
This parameter is ignored when the reader type is PC/SC and in that case
should be an empty string.
♦ module [in] – contains the full path and name of the dll of the Reader
provider. This parameter must be specified for CT-API and proprietary
Reader providers. It is ignored when the reader type is PC/SC and in that
case should be an empty string.
♦ entry [in] – the name of the entry function for the provider’s dll. This
function is called by sadaptor.dll after the provider’s dll has been
loaded, to retrieve pointers to functions that access the reader. For more
information about the data structure that is returned by the entry function
and the different reader functions, refer to the Reader Provider
Development section, later in this chapter.
This parameter should be specified only for proprietary Reader providers.
It is not required for CT-API and PC/SC Reader providers and in that
case should be an empty string.
♦ context [out] – receives a pointer to the created context, upon successful
termination of the function.
Note: Since all of these parameters are mandatory, they cannot be NULL.
3-37
3 CryptoKit Developer's Guide
Return Values
UMB_RV_OK – context successfully created.
UMB_RV_INVALID_PARAMETERS – invalid parameter detected, a
pointer is probably NULL. Note that the function does not check whether
the file specified in the module parameter exists.
UMB_RV_MEMORY – insufficient memory.
UMB_RV_INTERNAL_ERROR – an internal error occurred.
UMB_SetProviderData
After creating the context for a provider using one of the functions described
above, you can use this function to assign additional attributes to the provider
before registering it in the system. The fieldTag parameter indicates the
assigned attribute, len contains its size and data denotes its value.
Syntax
UMB_RV UMBAPI UMB_SetProviderData(
UMB_CONTEXT * context,
int fieldTag,
int len,
const void * data);
Parameters
♦ context [in] – the context of the provider for which to set the data.
♦ len [in] – the length of the data passed in the data pointer.
♦ data [in] – the pointer to the attribute to be written in the context.
♦ fieldTag [in] – the following tags may be appended (defined in the
sadaptor.h file)
UMB_PROVIDER_FIELD_INFO – general information about
the provider based on the UMB_PROVIDER_INFO structure.
3-38
SmartAdaptor Technology 3
UMB_PROVIDER_FIELD_MODULE – NULL terminated
string. The full path to the module’s dll.
UMB_PROVIDER_FIELD_ENTRY – NULL terminated string.
The name of the entry function.
UMB_PROVIDER_FIELD_FLAGS – DWORD – has no special
significance for SmartAdaptor and can be used for the needs of the
provider.
UMB_PROVIDER_FIELD_EXCLUDE_FROM_PCSC – derived
from UMB_PCSC_EXCLUDE_STRUCT structure, this flag
marks a PC/SC reader as excluded from the readers list. It requires
that reader context was already created and registered using
UMB_CreateSmartcardReaderContext, with type set to
UMB_SC_READER_TYPE_PCSC, followed by
UMB_RegisterProvider.
UMB_PROVIDER_FIELD_CTAPI_PORTS – derived from
UMB_CTAPI_PORTS structure, this parameter can only be added
to a CT-API type Reader provider. This parameter is mandatory
and must be updated for each CT_API reader provider.
UMB_PROVIDER_FIELD_ATR_LIST – derived from
UMB_ATR_DESCRIPTION structure, this parameter can only be
added to a Smart card provider and indicates the ATRs supported
by this provider. One Smart card provider can support a number of
ATRs.
UMB_PROVIDER_FIELD_READER_TYPE – DWORD – this
tag, which can only be assigned to Reader providers, may be one
of following:
UMB_SC_READER_TYPE_CTAPI
UMB_SC_READER_TYPE_PROPRIETARY
UMB_SC_READER_TYPE_PCSC
UMB_PROVIDER_FIELD_DESCRIPTION – NULL terminated
string with the provider’s description.
UMB_PROVIDER_FIELD_LOG_FILE_NAME – NULL
terminated string with a path to the file used for logging the
provider.
3-39
3 CryptoKit Developer's Guide
UMB_PROVIDER_FIELD_LOGGING_LEVEL – DWORD –
logging level for the provider.
UMB_PROVIDER_FIELD_VENDOR_SPECIFIC – not really a
tag, it is the shift from which the vendor specific fields are written.
Allows a provider to store information in the registry. The data is
treated in the same way as a binary buffer.
Return Values
UMB_RV_OK – data successfully written to the context.
UMB_RV_INVALID_PARAMETERS – invalid parameter detected, a
pointer is probably NULL.
UMB_RV_MEMORY – insufficient memory.
UMB_AddATRToList
Provides an easy way to specify additional ATRs for a Smart card provider (see
also UMB_SetProviderData).
Syntax
UMB_RV UMBAPI UMB_AddATRToList(
UMB_CONTEXT * context,
UMB_ATR_DESCRIPTION * atr);
Parameters
♦ context [in] – the context of the provider for which to set the data.
♦ atr [in] – the description of the ATR to add to the context.
Return Values
UMB_RV_OK – data successfully written to the context.
UMB_RV_INVALID_PARAMETERS – invalid parameter detected, a
pointer is probably NULL.
3-40
SmartAdaptor Technology 3
UMB_RV_MEMORY – insufficient memory.
UMB_GetProviderData
This function can be used to retrieve information from the context. The tags are
the same as those used with UMB_SetProviderData. If the value for len is too
small, it is adjusted to the correct length and the
UMB_RV_INSUFFICIENT_BUFFER is returned. If the context does not
contain the record, UMB_RV_NOT_FOUND is returned – otherwise
UMB_RV_OK is returned and the data field is filled with the appropriate value.
When there are multiple occurrences of the requested record in the context
(UMB_PROVIDER_FIELD_ATR_LIST and
UMB_PROVIDER_FIELD_EXCLUDE_FROM_PCSC tags only),
SmartAdaptor treats the len parameter as the size of an array and the data
parameter as the array of the appropriate type of records.
Syntax
UMB_RV UMBAPI UMB_GetProviderData(
UMB_CONTEXT context,
int fieldTag,
int * len,
void * data);
Parameters
♦ context [in] – the context to read from.
♦ fieldTag [in] – the tag of the field to extract from the context. See the
section on UMB_SetProviderData for a description of this parameter.
♦ len [in/out] – on entry to the function should contain the size of the
buffer pointed by data. Upon return, len contains the actual size of the
data returned. This parameter cannot be NULL.
♦ data [out] – the data marked by fieldTag. Can be NULL – in which case
only the size of the data is returned.
3-41
3 CryptoKit Developer's Guide
Return Values
UMB_RV_OK – data read successfully.
UMB_RV_INVALID_PARAMETERS – invalid parameter detected.
UMB_RV_INSUFFICIENT_BUFFER – the size of the buffer is too
small.
UMB_E_GENERAL – the data identified by the specified tag is not in
the context.
UMB_RegisterProvider
Registers the provider after creation of the context (with one of the
“CreateContext” functions) and after writing all the appropriate parameters to
the context using the UMB_SetProviderData and UMB_AddATRToList
functions.
Syntax
UMB_RV UMBAPI UMB_RegisterProvider(
UMB_CONTEXT * context);
Parameter
♦ context [in] – the context of the provider to register.
Return Values
UMB_RV_OK – data read successfully.
UMB_RV_INTERNAL_ERROR – unable to store context.
3-42
SmartAdaptor Technology 3
UMB_CreateFindContext
This function creates a find context, which is a special type of context. This
context can be used to find the context of a registered provider. Then, the
context can be used to add new parameters or to delete parameters from the
provider. This context cannot be registered.
Syntax
UMB_RV UMBAPI UMB_CreateFindContext(
UMB_CONTEXT * context);
Parameter
♦ context [out] – the created context.
Return Values
UMB_RV_OK – data successfully read.
UMB_RV_MEMORY – insufficient memory.
UMB_AddFindContext
This function is similar to UMB_SetProviderData but it can be applied only on
find contexts. It is used to build a specific find context that describes one of the
registered providers. After the find context is created, call UMB_ListProviders
to get a list of all providers that match the search criteria. You can also remove
from the system all providers that match the search criteria by calling
UMB_UnregisterProvider with find context.
All the tags that can be defined for the provider using UMB_SetProviderData
can be used to search for the provider. There are also additional special tags that
can be used only with find context.
Syntax
UMB_RV UMBAPI UMB_AddFindContext (
UMB_CONTEXT * context,
3-43
3 CryptoKit Developer's Guide
UMB_COMPARE_STYLE flag,
int fieldTag,
int len,
const void * data);
Parameters
♦ context [in] – the context of the provider for which to set the data.
♦ flag [in] – tells the function how to perform string matching, can be one
of the following:
UMB_COMPARE_ALL
UMB_COMPARE_START
UMB_COMPARE_PART – only string tags are affected by this
parameter
♦ len [in] – the length of the data passed in the data pointer.
♦ data [in] – the pointer to the attribute to be written in the context.
♦ fieldTag [in] – all tags for regular context are supported (see the
description of UMB_SetProviderData); additional tags are supported for
find context:
UMB_PROVIDER_FIELD_PROVIDER_TYPE – DWORD –
uses one of the following (defined in sadaptor.h) –
UMB_PROVIDER_TYPE_PKCS11
UMB_PROVIDER_TYPE_READER
UMB_PROVIDER_TYPE_PKCS11_SCARD
UMB_PROVIDER_FIELD_API_VER – DWORD – part of the
provider info structure, it specifies the API version of the provider.
UMB_PROVIDER_FIELD_IMPL_VER – DWORD – part of the
provider info structure, it specifies the implementation version of
the provider.
UMB_PROVIDER_FIELD_VENDOR_NAME – NULL
terminated string. Part of the provider info structure, it specifies
the vendor name of the provider.
3-44
SmartAdaptor Technology 3
UMB_PROVIDER_FIELD_PROVIDER_NAME – NULL
terminated string. Part of the provider info structure, it specifies
the provider name of the provider.
UMB_PROVIDER_FIELD_ATR_BUFFER – binary buffer. The
length of the ATR is set by the len parameter – may not exceed 32
bytes. Use to set ATR only, without the ATR mask.
Return Values
UMB_RV_OK – data successfully read.
UMB_RV_INVALID_PARAMETERS – invalid parameter detected.
UMB_RV_MEMORY – insufficient memory.
UMB_UnregisterProvider
This function removes a provider from the system. If the context parameter is
NULL, all registered providers are removed. The context may be of any type. If
the type is find, it must include both the provider type and module attributes,
otherwise UMB_E_PARAMS is returned. Any provider that matches the
context attributes is removed from the system and UMB_RV_OK is returned,
otherwise UMB_RV_NOT_FOUND is returned.
Syntax
UMB_RV UMBAPI UMB_UnregisterProvider(
UMB_CONTEXT * context);
Parameter
♦ context [in] – the context of the provider to remove from the system.
Return Values
UMB_RV_OK – providers matching the context were successfully
removed.
UMB_RV_NOT_FOUND – no provider that matched the context was
found.
3-45
3 CryptoKit Developer's Guide
UMB_ListProviders
Lists the providers that are registered in the system. The patterns parameter
defines how to search for providers. If patterns parameter is NULL, all
registered providers are returned. The number parameter is set to the number of
contexts that are found, i.e., those returned by the found parameter.
Syntax
UMB_RV UMBAPI UMB_ListProviders(
UMB_CONTEXT patterns,
UMB_CONTEXT ** found,
int * number);
Parameters
♦ patterns [in] – context of find type, provides the pattern for searching for
registered providers.
♦ found [in/out] – on entry to the function should contain the pointer to
pointer of context array; if successful, the array is allocated by the
function and the user should free the memory associated with this array
by using UMB_FreeContext.
♦ number [out] – the number of contexts found.
Return Values
UMB_RV_OK – data was successfully read.
UMB_RV_INVALID_PARAMETERS – invalid parameter detected.
UMB_RV_MEMORY – insufficient memory.
3-46
SmartAdaptor Technology 3
UMB_RV_INTERNAL_ERROR – an internal error occurred.
UMB_FreeContext
This function frees the memory associated with previously allocated context.
Syntax
UMB_RV UMBAPI UMB_FreeContext(
UMB_CONTEXT * context);
Parameter
♦ context [in] – pointer to the context to be released.
Return Values
UMB_RV_OK – context memory successfully freed.
UMB_RV_INVALID_PARAMETERS – context is NULL or *context
is NULL.
UMB_GetProviderType
This function returns the context type, which should be one of the following:
♦ UMB_PROVIDER_TYPE_PKCS11
♦ UMB_PROVIDER_TYPE_READER
♦ UMB_PROVIDER_TYPE_PKCS11_SCARD
♦ UMB_PROVIDER_TYPE_FIND
Syntax
UMB_RV UMBAPI UMB_GetProviderType(
UMB_CONTEXT context,
int * type);
3-47
3 CryptoKit Developer's Guide
Parameters
♦ context [in] – the context for which to check the type.
♦ type [out] – the context type (one of the four values listed above).
Return Value
UMB_RV_OK – successful result.
3-48
SmartAdaptor Technology 3
PC/SC Readers
CTAPI Readers
Since SmartAdaptor can use the standard CT-API interface, it is not necessary to
develop a specific library for CT-API readers. However, you must register
CT-API readers in SmartAdaptor since operating systems do not automatically
recognize CT-API readers. (For more stable performance in stress situations,
vendors can supply a dll with additional functionality, for example, an entry
function and an i_am_closed function. For more details see below.)
3-49
3 CryptoKit Developer's Guide
Proprietary Readers
3-50
SmartAdaptor Technology 3
UMB_ENTRY
The entry function is the first function that SmartAdaptor calls. It is used to
initialize the provider and to load pointers to all other functions of the provider.
The entry function is also used to provide SmartAdaptor with the number of
slots that are supported by the Reader provider. By convention, the slots are
counted from zero.
Syntax
typedef UMB_RV (UMBAPI * UMB_ENTRY)
(UMB_ENV * env,
UMB_PROVIDER_READER * reader);
Since the entry function is not pre-named, you can assign it any name. This
name must be provided (in the entry parameter) when the provider is registered.
For more information, refer to function UMB_CreateSmartcardReaderContext
in the section SmartAdaptor Registration API Functions.
The pointers to all of the Reader provider’s functions are supplied in the output
UMB_PROVIDER_READER structure.
3-51
3 CryptoKit Developer's Guide
struct _tag_UMB_PROVIDER_READER {
UMB_PROVIDER_HEADER header;
// This parameter is filled by SmartAdaptor
// and is not relevant for reader provider.
UINT32 slots_number;
// This parameter is filled by the reader
// provider and informs SmartAdaptor how
// many slots are supported by the provider.
Parameters
♦ env [in] – pointer to UMB_ENV structure, which contains only one
member that is relevant for the Reader provider – the i_am_closed
function. The provider should call this function during the
DLL_DETACH process, although this is not mandatory.
♦ reader [out] – pointer to the output UMB_PROVIDER_READER
structure.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
3-52
SmartAdaptor Technology 3
UMB_RV_INVALID_PARAMETERS – if the value of a parameter is
NULL.
UMB_RV_OK – successful result.
UMB_READER_GET_NAME
This function should return the reader name to SmartAdaptor according to the
slot number.
Syntax
typedef UMB_RV (UMBAPI * UMB_READER_GET_NAME)
(UINT32 slotID,
char * nameBuf,
UINT32 * nameLen);
Parameters
♦ slotID [in] – number of the slot.
♦ nameBuf [out] – pointer to buffer, which receives the NULL terminated
name. If this parameter is NULL, it returns needed buffer size in the
nameLen parameter and UMB_RV_INSUFFICIENT_BUFFER in
return value.
♦ nameLen [in/out] – on entry to the function should contain the
maximum length of nameBuf buffer. Upon return, nameLen contains
the actual length of the reader name, not including the NULL terminator.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
UMB_RV_INSUFFICIENT_BUFFER – when nameBuf is too small.
UMB_RV_INVALID_PARAMETERS – when the slot number is
invalid or when the pointer to nameLen is NULL.
UMB_RV_OK – operation successful.
3-53
3 CryptoKit Developer's Guide
UMB_READER_GET_STATE
This function should return the state of the slot to SmartAdaptor.
Syntax
typedef UMB_RV (UMBAPI * UMB_READER_GET_STATE)
(UINT32 slotID,
UINT32 * slotState);
Parameters
♦ slotID [in] – number of the slot.
♦ slotState [out] – state of the slot. Can be one of three states:
UMB_READER_STATE_ABSENT – no card in the slot.
UMB_READER_STATE_INSERTED – card in the slot, not
powered.
UMB_READER_STATE_POWERED – card in the slot,
powered.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
UMB_RV_INVALID_PARAMETERS – when the slot number is
invalid or when the pointer to slotState is NULL.
UMB_RV_OK – operation successful.
UMB_READER_POWER_ON
This function should power-on the smart card and return it’s ATR.
Syntax
typedef UMB_RV (UMBAPI * UMB_READER_POWER_ON)
(UINT32 slotID,
3-54
SmartAdaptor Technology 3
char * ATRBuf,
UINT32 * ATRlen);
Parameters
♦ slotID [in] – number of the slot.
♦ ATRBuf [out] – pointer to buffer, which receives the ATR of the smart
card. The maximum size needed to receive any ATR is 32 bytes.
♦ ATRLen [in/out] – on entry to the function should contain the maximum
length of ATRBuf. Upon return, ATRLen contains the actual length of
the ATR.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
UMB_RV_INSUFFICIENT_BUFFER – when ATRBuf is too small.
UMB_RV_INVALID_PARAMETERS – when the slot number is
invalid or another parameter is NULL.
UMB_RV_OK – operation successful.
UMB_READER_POWER_OFF
This function should power-off the smart card.
Syntax
typedef UMB_RV (UMBAPI * UMB_READER_POWER_OFF)
(UINT32 slotID);
Parameters
♦ slotID [in] – number of the slot.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
3-55
3 CryptoKit Developer's Guide
UMB_READER_TRANSMIT
This function should send command to smart card and return the answer.
Syntax
typedef UMB_RV (UMBAPI * UMB_READER_TRANSMIT)
(UINT32 slotID,
char * sendBuf,
UINT32 sendLen,
char * recvBuf,
UINT32 * recvLen);
Parameters
♦ slotID [in] – number of the slot.
♦ sendBuf [in] – pointer to buffer with outgoing command.
♦ sendLen [in] – size of buffer of outgoing command.
♦ recvBuf [out] – pointer to buffer that receives the answer.
♦ recvLen [in/out] – on entry to the function should contain the maximum
length of recvBuf buffer. Upon return, recvLen contains the actual
length of the answer.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
UMB_RV_INSUFFICIENT_BUFFER – when ATRBuf is too small.
3-56
SmartAdaptor Technology 3
UMB_RV_INVALID_PARAMETERS – when the slot number is
invalid or another parameter is NULL.
UMB_RV_OK – operation successful.
UMB_READER_GET_NATIVE_RESULT_VALUE
This function should return from the Reader provider the “native” result code of
the last operation.
Syntax
typedef UMB_RV
(UMBAPI * UMB_READER_GET_NATIVE_RESULT_VALUE)
(UINT32 slotID,
UINT32 * result);
Parameters
♦ SlotID [in] – number of the slot.
♦ result [out] – pointer to DWORD that receives the native result code.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
UMB_RV_INVALID_PARAMETERS – when the slot number is
invalid or another parameter is NULL.
UMB_RV_OK – operation successful.
UMB_READER_CLOSE
This function should finalize the operation with the reader. It is called only once
by SmartAdaptor in the event of DLL_DETACH.
Syntax
typedef UMB_RV (UMBAPI * UMB_READER_CLOSE)
3-57
3 CryptoKit Developer's Guide
(void);
Parameters
None.
Return Values
UMB_RV_INTERNAL_ERROR – general error occured.
UMB_RV_OK – operation successful.
UMB_READER_I_AM_CLOSED
When the entry function is called, SmartAdaptor provides to the Reader provider
a pointer to the function UMB_READER_I_AM_CLOSED. The reader provider
can call this function during the DLL_DETACH process to notify SmartAdaptor
that the reader is no longer available. Calling this function is not mandatory and
it is mainly used for handling abnormal termination of the program.
Syntax
typedef UMB_RV (UMBAPI * UMB_READER_I_AM_CLOSED)
(UMB_ENV * env);
Parameters
♦ env [in] – environment variable passed in entry function.
Return Values
UMB_RV_INTERNAL_ERROR – general error occurred.
UMB_RV_OK – operation successful.
3-58
SmartAdaptor Technology 3
PKCS#11 API Extensions
SmartAdaptor supports the full PKCS#11 API functionality. In addition,
SmartAdaptor supports functions that enhance the standard PKCS#11 API.
These functions are defined in the files pkcsgext.h and pkcs_ui.h.
3-59
3 CryptoKit Developer's Guide
3-60
SmartAdaptor Technology 3
C_EXT_GetProviderList
This function returns the list of providers that are registered in the SmartAdaptor
system.
Syntax
CK_RV C_EXT_GetProviderList(
CK_PROVIDER_ID_PTR pProviderList,
CK_ULONG_PTR pulCount);
The calling convention of this function is the same as for all PKCS#11 functions
that return an array. If the pProviderList pointer is NULL, pulCount returns
the size of the needed array and CKR_OK is returned. If pProviderList is not
NULL and the pulCount array size is too small, CKR_BUFFER_TOO_SMALL
is returned. Otherwise, the array is filled with CK_PROVIDER_IDs and
pulCount is updated with the actual number of providers returned. Each
CK_PROVIDER_ID is a unique handle that represents a provider. This handle
can be used to retrieve additional information about the provider. For additional
information, see the functions below.
Parameters
♦ pProviderList (output) – receives array of IDs.
♦ pulCount [in/out] – on entry to the function should contain the
maximum size of the pProviderList array. Upon return, pulCount
contains the actual number of providers read.
Return Values
CKR_OK – operation successful.
CKR_FUNCTION_FAILED – erroneous parameters.
3-61
3 CryptoKit Developer's Guide
C_EXT_GetProviderInfo
This function returns information about a specific provider.
Syntax
CK_RV C_EXT_GetProviderInfo(
CK_PROVIDER_ID provider_id,
CK_INFO_PTR pInfo);
Parameters
♦ provider_id [in] – the ID of the provider.
Return Values
CKR_OK – operation successful.
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki has not been
initialized.
CKR_PROVIDER_ID_INVALID - the provider ID is incorrect. This
return code is not a standard PKCS#11 return code. It is defined in the
pkcsgext.h file.
CKR_FUNCTION_FAILED – incorrect parameters.
C_EXT_GetProviderContext
This function returns the context of the provider, read from the registry. For
PC/SC readers, SmartAdaptor itself creates and fills the context.
3-62
SmartAdaptor Technology 3
Syntax
CK_RV C_EXT_GetProviderContext(
CK_PROVIDER_ID provider_id,
UMB_CONTEXT * pContext);
Parameters
♦ provider_id [in] – the ID of the provider.
♦ pContext [in/out] – pointer to a buffer, which receives the provider’s
context.
Return Values
CKR_OK – operation successful.
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki has not been
initialized.
CKR_PROVIDER_ID_INVALID – the provider ID is incorrect. This
return code is not a standard PKCS#11 return code. It is defined in the
pkcsgext.h file.
CKR_FUNCTION_FAILED – incorrect parameters.
C_EXT_GetProviderSlotList
This function retrieves the list of slots that are handled by a specific provider.
For Reader providers, the list includes the slot(s) of the reader. For Core
providers, the list includes the slots of the core provider. Smart card providers do
not have slots.
Syntax
CK_RV C_EXT_GetProviderSlotList(
CK_PROVIDER_ID provider_id,
CK_SLOT_ID_PTR pSlotList,
CK_ULONG_PTR pulCount);
3-63
3 CryptoKit Developer's Guide
The calling convention of this function is the same as for all PKCS#11 functions
that return an array. If the pSlotList pointer is NULL_PTR, pulCount returns
the size of the needed array and CKR_OK is returned. If pSlotList is not NULL
and the pulCount array size is too small, CKR_BUFFER_TOO_SMALL is
returned. Otherwise, the array is filled with CK_SLOT_IDs and pulCount is
updated with the actual number of slotss returned.
Parameters
♦ provider_id [in] – the ID of the provider.
♦ pSlotList [in/out] – receives array of slot IDs.
♦ pulCount [in/out] – on entry to the function should contain the
maximum size of the pSlotList array. Upon return, pulCount contains
the actual number of slots retrieved.
Return Values
CKR_OK – operation successful.
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki has not been
initialized.
CKR_PROVIDER_ID_INVALID – the provider ID is incorrect. This
return code is not a standard PKCS#11 return code. It is defined in the
pkcsgext.h file.
CKR_BUFFER_TOO_SMALL – the size of the slot list array is too
small.
CKR_FUNCTION_FAILED – incorrect parameters.
C_EXT_GetSlotProvider
This function returns the provider associated with a specific slot.
Syntax
CK_RV C_EXT_GetSlotProvider(
3-64
SmartAdaptor Technology 3
CK_SLOT_ID slot,
CK_ULONG type,
CK_PROVIDER_ID_PTR pProvider);
The type parameter is used to specify which provider to return in cases when
more than one provider is hadling the same slot. This is the normal situation
when a smart card is inserted into a reader. In that case, both a Smart card
provider and a Reader provider are attached to the same slot. The possible
values of the type parameter are defined in sadaptor.h file:
♦ UMB_PROVIDER_TYPE_PKCS11
♦ UMB_PROVIDER_TYPE_PKCS11_SCARD
♦ UMB_PROVIDER_TYPE_READER
Parameters
♦ slot [in] – the ID of the slot.
♦ type [in] – the type of provider to be returned.
♦ pProvider [out] – the ID of the provider, which is associated with that
slot.
Return Values
CKR_OK – operation successful.
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki has not been
initialized.
CKR_SLOT_ID_INVALID – the slot parameter is not a valid slot
number.
CKR_ARGUMENTS_BAD – the type parameter is not one of the three
listed above.
3-65
3 CryptoKit Developer's Guide
C_EXT_PassToProvider
This function enables an application to use functions specific to a provider but
not contained in the standard PKCS#11 API. The function must be of the special
C_EXT_PROVIDER_FUNCTION type, which is defined in pkcsgext.h
file.
Syntax
CK_RV C_EXT_PassToProvider(
const CK_CHAR_PTR name,
CK_PROVIDER_ID provider_id,
CK_SLOT_ID slotID,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE_PTR phObjectList,
CK_ULONG ulCount,
CK_VOID_PTR parameter);
The name parameter contains the NULL terminated string with name of the
function. The following is an example of this special function:
CK_RV GetProviderSpecialUndocumentedInfoNow(
CK_SLOT_ID slot,
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE_PTR phObjectList,
CK_ULONG ulCount,
CK_VOID_PTR parameter);
3-66
SmartAdaptor Technology 3
Since SmartAdaptor translates slotIDs, objects and session handles supplied by
applications to internal handles, any function relevant to the provider, which
uses these internal handles, should pass them to the C_EXT_PassToProvider
function separately. This means that parameter may not contain these handles.
Parameters
♦ name [in] – the name of function to call.
♦ provider_id [in] – the ID of provider to which the call should be passed.
♦ slotID [in] – the ID of the slot, if any.
♦ hSession [in] – the handle to session, if any.
♦ phObjectList [in] – the list of object handles passed to provider.
♦ ulCount [in] – the number of object handles in the previous parameter.
♦ parameter [in] – pointer to any structure, only for use with the function
that was called.
Return Values
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki has not been
initialized.
CKR_SLOT_ID_INVALID - the slot parameter is not a valid slot
number (if slotID is not 0).
CKR_SESSION_HANDLE_INVALID – the session handle is not valid
(if hSession is not 0).
3-67
3 CryptoKit Developer's Guide
3-68
SmartAdaptor Technology 3
C_EXT_Bind
This function binds a specific file to a dynamic software slot. If no free
(unbound) dynamic slot is available, CKR_DEVICE_MEMORY is returned.
When one process binds a file to a specific slot, if another process binds the
same file, it is assigned the same slot. When two processes share the same
dynamic slot (using the same file), if one unbinds the file, the other can still use
the slot, until it unbinds the file as well.
Syntax
CK_RV C_EXT_Bind(
const CK_CHAR_PTR name,
CK_SLOT_ID_PTR slot);
Parameters
♦ name [in] – the name of the file to associate with a slot.
♦ slot [out] – the ID of the slot to which the file is assigned.
Return Values
3-69
3 CryptoKit Developer's Guide
C_EXT_Unbind
This function unbinds a dynamic slot from a previously assigned file. The slot
becomes free again and can be used in next C_EXT_Bind calls. If
C_EXT_Unbind is called when a slot is not bound, CKR_GENERAL_ERROR
is returned.
Syntax
CK_RV C_EXT_Unbind(
CK_SLOT_ID slot);
Parameter
♦ slot [in] – the slot number to unbind.
Return Values
CKR_OK – operation successful.
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki library has not
been initialized.
CKR_GENERAL_ERROR – the slot is not a bound dynamic slot.
3-70
SmartAdaptor Technology 3
C_EXT_WaitForSingleSlotEvent
This function waits for an event on a specific slot for a limited period of time. It
has two modes of operation: blocking and non-blocking.
Syntax
CK_RV C_EXT_WaitForSingleSlotEvent(
CK_SLOT_ID slot,
CK_FLAGS flags,
CK_ULONG timeout,
CK_VOID_PTR pReserved);
When the flags parameter is equal to zero the function operates in blocking
mode. It returns CKR_OK if a slot event had occurred or CKR_NO_EVENT
when the timeout has expired.
When the flags parameter is equal to CKF_DONT_BLOCK, the function
operates in non-blocking mode. It checks if the status of the smart card has
changed since the last call to this function and returns immediately to the calling
application. The return codes in this case are CKR_OK if a change had occurred
or since the last call to the function and CKR_NO_EVENT if no change was
detected.
Parameters
♦ slot [in] – ID of slot on which an event is monitored.
♦ flags [in] – mode of operation. 0= blocking mode,
CKF_DONT_BLOCK=non-blocking mode.
♦ timeout [in] – timeout in milliseconds.
♦ pReserved [in] – reserved. Should be NULL_PTR.
3-71
3 CryptoKit Developer's Guide
Return Values
CKR_OK – event occurred.
CKR_FUNCTION_FAILED – one of the arguments or a combination of
arguments was invalid.
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki has not been
initialized.
CKR_NO_EVENT – no event occurred before the timeout expired.
C_EXT_WaitForSlotEvent
This function is similar to C_EXT_WaitForSingleSlotEvent, but it can handle a
group of slots. The function receives an array of CK_SLOT_EVENT structures
(defined in the pkcsgext.h file). These structures consist of two fields:
slot – indicates the slot on which to check for an event,
bEvent – a boolean flag, which is TRUE if an event occurred on the slot
The function exits upon the first occurrence of an event on one of the slots in the
array, or when timeout expires.
Syntax
CK_RV C_EXT_WaitForSlotEvent(
CK_SLOT_EVENT_PTR pSlots,
CK_ULONG number,
CK_FLAGS flags,
CK_ULONG timeout,
CK_VOID_PTR pReserved);
Parameters
♦ pSlots [in/out] – on entry to the function should contain an array of
structures with the list of slots to be checked. Upon return, bEvent field
of the slots is set to TRUE if an event occurred.
3-72
SmartAdaptor Technology 3
♦ number [in] – number of slots to be checked.
♦ flags [in] – mode of operation. 0= blocking mode,
CKF_DONT_BLOCK=non-blocking mode.
♦ timeout [in] – timeout in milliseconds.
♦ pReserved [in] – reserved. Should be NULL_PTR.
Return Values
CKR_OK – event occured.
CKR_FUNCTION_FAILED – one of the arguments, or a combination of
arguments was invalid.
CKR_CRYPTOKI_NOT_INITIALIZED – the Cryptoki has not been
initialized.
CKR_NO_EVENT – no event occurred before the timeout expired.
3-73
3 CryptoKit Developer's Guide
C_EXT_ChangeTokenLabel
The PKCS#11 standard only enables setting the token label when the token is
formatted with C_InitToken function. The C_EXT_ChangeTokenLabel function
allows modifying the label of a formatted token. The operation can be performed
only after the user opens a R/W session and performs successful login with the
token.
Syntax
CK_RV C_EXT_ChangeTokenLabel(
CK_SESSION_HANDLE hSession,
CK_CHAR_PTR pLabel);
Parameters
♦ hSession [in] – handle to an open session with the token.
♦ pLabel [in] – pointer to a 32 byte blank padded buffer containing the
token label.
Return Values
CKR_OK – operation successful
CKR_FUNCTION_FAILED – pLabel parameter is NULL; Token is not
AR proprietary token (PrivateCard or file) or is not formatted properly.
CKR_SESSION_HANDLE_INVALID – the session handle is invalid.
CKR_USER_NOT_LOGGED_IN – user is not logged on.
CKR_FUNCTION_NOT_SUPPORTED – function not supported by
provider correspondent to current session
CKR_GENERAL_ERROR – unexpected error in provider dll
3-74
SmartAdaptor Technology 3
CKR_TOKEN_NOT_PRESENT – token not present or was removed
CKR_TOKEN_NOT_RECOGNIZED – token is not AR proprietary
token or not proprietary formatted
3-75
3 CryptoKit Developer's Guide
C_UI_GetPassword
Note: SmartAdaptor supports this function only for backward compatibility with
previous versions. The functionality is now supported by the standard PKCS#11
functions as described below.
This function is used to pop up password entry dialog boxes that get the current
password and/or get a new password from the user for tokens that do not support
“Protected Authentication Path”. The returned passwords, could then be used in
standard PKCS#11 functions: C_Login, C_InitToken, C_InitPIN and
C_SetPIN as parameters in plain text. In old versions SmartAdaptor disabled
execution of these functions with NULL parameters for this type of tokens.
From CryptoKit version 3.6.0, this function is not needed anymore. When
calling functions that require password entry (C_Login, C_InitToken,
C_InitPIN and C_SetPIN) with NULL parameter as the password, an
appropriate PIN entry dialog box is opened.
Syntax
CK_RV C_UI_GetPassword(
CK_SLOT_ID slotID,
CK_ULONG reason,
AR_CB_PWD_DESCR_PTR pwdDescr,
CK_CHAR_PTR password,
CK_CHAR_PTR newPassword
CK_USER_TYPE userType);
Parameters
♦ slotID [in] – slot number
3-76
SmartAdaptor Technology 3
♦ reason [in] – reason for the call. May be one of the following values:
ARCB_REASON_LOGIN – open login dialog box and get password for
C_Login or C_InitToken.
ARCB_REASON_NEW_PWD – open init PIN dialog box and get
password for C_InitPIN.
ARCB_REASON_CNG_PWD – open change password dialog box and
get passwords for C_SetPIN
♦ pwdDescr [in] – password parameters structure
♦ password [out] – the current password
♦ newPassword [out] – the new password. NULL if the reason is
ARCB_REASON_LOGIN.
♦ userType [in] – type of the user: CKU_SO or CKU_USER
Return Values
CKR_OK – operation successful
CKR_CRYPTOKI_NOT_INITIALIZED – Cryptoki library not
initialized with C_Initialize.
CKR_SLOT_ID_INVALID – slot number is invalid.
CKR_CANCEL – the user canceled the password entry.
CKR_GENERAL_ERROR – the function was called for a token with
Protected Authentication Path; the returned password is NULL or does
not match the password parameters in pwdDescr structure.
3-77
3 CryptoKit Developer's Guide
C_UI_SetMessage
The C_UI_SetMessage function enables users to replace the standard
SmartAdaptor messages with customized messages.
Syntax
CK_RV C_UI_SetMessage(
CK_SLOT_ID slotID,
CK_ULONG ulMsgCode,
CK_CHAR_PTR message);
It is possible to dynamically set the messages that appear in the following PIN
entry dialog boxes:
Login Dialog
3-78
SmartAdaptor Technology 3
Init PIN Dialog
3-79
3 CryptoKit Developer's Guide
Parameters
♦ slotID [in] – the slot number.
♦ ulMsgCode [in] – the code of message to set. May be one of the
following values:
ARCB_HEADER_LOGIN – Login dialog header
ARCB_HEADER_INIT – Init PIN dialog header
ARCB_HEADER_CHANGE – Change PIN dialog header
ARCB_PROMPT_ENTER_PWD – prompt the user to enter password in
the Login and Change PIN dialogs
ARCB_PROMPT_INIT_PWD – prompt the user to enter new password
in the Init PIN dialog
ARCB_PROMPT_ENTER_NEW_PWD – prompt the user to enter new
password in the Change PIN dialog
ARCB_PROMPT_REENTER_NEW_PWD – prompt the user to confirm
new password in the Init PIN and Change PIN dialogs
♦ message [in] – customized message value to set
Return Values
CKR_OK – operation successful
CKR_CRYPTOKI_NOT_INITIALIZED – Cryptoki library not
initialized with C_Initialize.
CKR_GENERAL_ERROR – function failed
3-80
SmartAdaptor Technology 3
C_UI_GetMessage
The C_UI_GetMessage function enables users to get the current values of the
messages that appear in the different PIN entry dialog boxes. The returned value
is the default message or the last customized message value that was set with
C_UI_SetMessage.
Syntax
CK_RV C_UI_GetMessage(
CK_SLOT_ID slotID,
CK_ULONG ulMsgCode,
CK_CHAR_PTR message);
Parameters
♦ slotID [in] – the slot number.
♦ ulMsgCode [in] – the code of message to get. For a complete list see
values of this parameter in C_UI_SetMessage above.
♦ message [out] – the current value of the message
Return Values
CKR_OK – operation successful
CKR_CRYPTOKI_NOT_INITIALIZED – Cryptoki library not
initialized with C_Initialize.
CKR_GENERAL_ERROR – function failed
3-81
3 CryptoKit Developer's Guide
3-82
Chapter 4: AR Cryptographic Service Provider
4-1
4 CryptoKit Developer's Guide
As mentioned above, the CryptoAPI also provides support for handling PKI
applications and specifically functions for handling certificates, which are kept
in certificate stores. The CryptoAPI provides functions that manage certificate
stores, and work with the certificates within those stores. These functions (with a
"Cert" prefix) provide tools to store, retrieve, delete, list (enumerate), and verify
certificates.
4-2
AR Cryptographic Service Provider 4
user's certificates. The MY store can be at any one of many physical locations,
including the registry on a local or remote computer, a file, data base, directory,
a smart card, or other location. While any certificate can be stored in the MY
store, this store should be reserved for user's personal certificates which are used
for performing cryptographic operations such as signing and decrypting that
user's messages.
Application A Application B
Application
Crypto API
Layer
“Crypt…” API “Cert…” API Operating
System
System certificate store
Crypto SPI
CSP Types
4-3
4 CryptoKit Developer's Guide
For additional information about the CSP concept, certificate stores, CryptoAPI
functions refer to Microsoft documentation. The documentation also includes
4-4
AR Cryptographic Service Provider 4
many sample programs that demonstrate how to perform cryptographic
operations using the CryptoAPI.
CAPI Applications use handles to refer to data objects in the CSP such as key
containers, hash objects, session key objects, and public/private key pair objects.
Context
A context is a temporary object that contains key objects, hash objects, and a
handle to a specific key container. It enables applications to query and set info of
the specific CSP it uses.
Key Objects
Key objects may be symmetric keys (DES, RC4, etc.) or asymmetric public
keys. They are created only for temporary use and each is associated with a
specific context. A key object is destroyed when the context is released. The
only case when key objects are stored on the token is when importing private
asymmetric keys (RSA key).
Hash Objects
Hash objects are temporary objects that are used to hash data. They are
associated with a specific context and destroyed when the context is released.
Key Containers
Key containers are not temporary objects. They are stored on the smart card and
contain up to two pairs of public and private keys. The signature key pair is used
to create digital signatures and the exchange key pair is used to both encrypt
session keys and create digital signatures.
A specific key container is available for the application only when the
cryptographic token on which it is stored is available.
4-5
4 CryptoKit Developer's Guide
A key container may be empty i.e. without any keys. It is possible to create the
key container at a specific time and to generate the keys later.
Each key container must have a unique name to distinguish it from other key
containers. When an application wants to use a specific key container, it can
acquire a context to it, by specifying its name.
ARCSP Provider
Architecture
4-6
AR Cryptographic Service Provider 4
Following is a list of some of the major characteristics of ARCSP provider:
♦ Support for all AR tokens – ARCSP enables an application to use
simultaneously all the key containers that reside in any of the
cryptographic tokens, which are present at a given time. SmartAdaptor
provides easy access to all the key containers, which reside in a
PrivateCard inserted to a reader (PrivateSafe, CryptoSafe, PrivateSafe
PCMCIA or any other PC/SC reader), a MiniKey, a software token,
PrivateServer HSM or CoSign appliance.
♦ Multiprocess/Multithread – ARCSP is thread safe and process safe as
the CSP is built over SmartAdaptor technology.
However, in a multi-threaded application it is recommended not to share
context handles between threads. If you use the same key container in
several threads, you should acquire a new context for each thread. This
will prevent errors when one thread needs to perform an operation with
an object that is locked by another thread at the same time.
♦ Shared keys and objects with PKCS#11 applications – It is possible to
use the same keys and certificates with both CAPI and PKCS#11
applications. A PKCS#11 application can access the objects that were
created in the token with ARCSP and vise versa. However, in some cases
PKCS#11 objects may need to be modified in order to be recognized by
ARCSP. For more information refer to standardize operation in AR
Genie utility.
ARCSP stores the key containers as PKCS#11 objects. The private key is
stored as a RSA private object and the public key is stored as a RSA
public object. Both objects have the same CKA_ID attribute, as the
corresponding certificate. This enables to group the objects of the same
key container together. ARCSP differentiates between the exchange and
signature key pairs by setting a different value to the PKCS#11 WRAP
attribute. The exchange public key has the wrap flag set, while the
signature public key has it cleared.
♦ Support for tokens with protected authentication path – When using a
token with protected authentication path such as AR PrivateSafe, the PIN
is entered in a secure way.
4-7
4 CryptoKit Developer's Guide
However, there are some limitations that arise when using PKCS#11 for
performing the cryptographic operations. ARCSP is designed to minimize them:
♦ If a token is inserted to a reader and an application acquires a context to
the key container on it. Then, the token is removed and inserted into
another reader. When the application will access the key container that
was received when the card was in the previous reader, it will find it on
the new reader and continue to work as if nothing has changed.
♦ The CSP requires that at any given time, only one key container with a
specific key container name should be available in all present tokens.
But, it is possible to create two smart cards with the same key container
name and insert them at the same time into two different readers. In that
case the behavior of ARCSP is undetermined.
4-8
AR Cryptographic Service Provider 4
♦ If you install a new reader, it will not be available to existing applications
until you reset the application. However, it is possible to configure
ARCSP to load the list of the available readers when the application
releases all open contexts. For more information refer to explanation
about the parameter FinalizeLibraryUse in Chapter 7.
Provider Registration
Signature
ARCSP is digitally signed by Microsoft and can be used with the released
versions of Windows 2003 server, Windows XP, Windows 2000,
Windows NT(SP6), Windows 98(+SE) and Windows ME.
4-9
4 CryptoKit Developer's Guide
Versions
All versions support the RSA, hash and key derivation algorithms.
Supported Algorithms
4-10
AR Cryptographic Service Provider 4
Algorithm ID Description Comments
CALG_SSL3_SHAMD5 SHA & MD5 hash
algorithm
4-11
4 CryptoKit Developer's Guide
The AR RSA SChannel Cryptographic Provider supports all the algorithms that
are supported by the RSA provider and also additional algorithms that are
needed for SSL3 and TLS.
Algorithm ID Description
CALG_SSL3_MASTER
CALG_TLS1_MASTER
All these algorithms are used by the
CALG_SCHANNEL_MASTER_HASH SChannel system to derive SSL3 and
TLS session keys
CALG_SCHANNEL_MAC_KEY
CALG_SCHANNEL_ENC_KEY
Supported Functions
ARCSP supports most of the functions that are required from a CSP by
Microsoft. However, there are a few differences in AR’s implementation: some
functions and flags are not supported; there are few proprietary parameters and
finally, there are cases where the standard is not binding and may be interpreted
in different ways.
4-12
AR Cryptographic Service Provider 4
The following table describes the functions that are supported by AR
cryptographic service providers and highlights only the specific differences in
AR’s implementation:
Function Comments
CryptAcquireContext In addition to the regular use, it is possible to
enumerate the containers or get information on a
specific smart card. To do that, set the
CRYPT_VERIFYCONTEXT flag and specify the
name of the specific reader in the container name in a
fully qualified container name format (\\.\”
readername”). Then call CryptGetProvParam to
enumerate the containers with that context.
CRYPT_MACHINE_KEYSET is ignored.
CryptReleaseContext
4-13
4 CryptoKit Developer's Guide
Function Comments
CryptGenRandom If the key of the container is stored on hardware token
then the random number is also generated on the
hardware token.
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptSetHashParam
CryptHashData
CryptDestroyKey
4-14
AR Cryptographic Service Provider 4
Function Comments
CryptImportKey SYMMETRICWRAPKEYBLOB – not supported
PLAINTEXTKEYBLOB – not supported
CRYPT_OAEP – not supported
CryptGetUserKey
CryptVerifySignature
4-15
4 CryptoKit Developer's Guide
Certificate Store
In order to make the keys stored in AR’s tokens available for use, ARCSP has to
make sure that the certificates of these keys are placed into MY store of the user.
When the token is not available the certificate has to be removed from the store.
The certificates from all available tokens are loaded into the MY store of the
user that logged in to the computer. A special process monitors token insertion
and removal. When a token is inserted, the process adds the certificates to the
MY store and when removed, the certificates are removed from the store.
When a new certificate is written into the MY store and it is not placed in any
available token but its matching keys are placed in one of the tokens, the same
process will recognize the event and add that certificate to that token. This
normally happens during key/certificate enrollment or key/certificate import
operation.
This process does not provide a solution in cases where a newer certificate
replaced the previous one, while the token was inserted. In that case the MY
store will still contain the old certificate.
4-16
AR Cryptographic Service Provider 4
Physical Certificate Store on Windows 2000, XP and 2003
4-17
4 CryptoKit Developer's Guide
Export/Import Functionality
CryptoKit offers another method for importing and exporting keys using the
PKCS#12 Import/Export utility. This utility can export any extractable key from
AR tokens and to import it to any other token. For more information about this
utility refer to PKCS#12 Import/Export utility in Chapter 6.
4-18
Chapter 5: SmartAdaptor Add-On Adapters
Thanks to the robustness of the CryptoKit PKCS#11 API, most of the other
cryptographic interfaces can be implemented on top of it. The CryptoKit
package contains the following adapters and extensions:
♦ Java adapter
♦ Entrust adapter
♦ X.509 Toolkit extension
♦ PKCS#10,#7 Toolkit extension
♦ PKCS#12 Toolkit Extension
5-1
5 CryptoKit Developer's Guide
Java Adapter
ARJCA
The Java Security API is a core API of the Java programming language, built
around the java.security package and its sub-packages. This API is designed to
allow developers to incorporate both low-level and high-level security
functionality into their programs.
The first release of Security API in JDK 1.1 introduced the Java Cryptography
Architecture (JCA), a framework for accessing and developing cryptographic
functionality for the Java platform. In JDK 1.1, the JCA included APIs for
digital signatures and message digests.
The JCA encompasses the parts of the Java 2 SDK Security API related to
cryptography, as well as a set of conventions and specifications provided in this
document. It includes a provider architecture that allows for multiple and
interoperable cryptography implementations.
5-2
SmartAdaptor Add-On Adapters 5
The detailed explanation about JCA and numerous samples can be found on the
Sun Java home page at:
http://java.sun.com/j2se/1.4.2/docs/guide/security/Cry
ptoSpec.html
AR implementation
The ARJCA implements the following JCA interfaces:
♦ KeyPairGenerator methods for the generation of RSA keys.
♦ Signature methods for RSA signatures. Supported algorithms are
SHA1withRSA and MD5withRSA.
♦ KeyFactory methods for creating a key from a specification or returning
a key specification of a key. ARJCA supports creation of objects from
the following specifications:
Private keys can be created from PKCS8EncodedKeySpec or
RSAPrivateCrtKeySpec.
Public keys can be created from X509EncodedKeySpec or
RSAPublicKeySpec.
ARJCA returns key specification in the following formats:
RSAPrivateKeySpec or RSAPrivateCrtKeySpec for RSA private
keys.
RSAPublicKeySpec for RSA public key.
The KeyFactory also enables to translate Sun RSA keys into AR RSA
keys.
♦ KeyStore methods are used for saving keys into the key store (token).
Supported functionalities are:
Storing of RSA public/private keys generated or created using
ARJCA KeyPairGenerator or KeyFactory.
Storing of RSA public/private keys generated or created by any
other JCA provider. This operation will succeed only if the
5-3
5 CryptoKit Developer's Guide
provider can supply the necessary data for creation of the key
objects.
Storing of X.509 certificates.
Installation
ARJCA has to be installed on a computer with CryptoKit and Java Runtime
Environment. Follow the steps below:
♦ Copy arjca.jar and ckit.jar files to:
...\JAVA_DIR\jre\lib\ext
where JAVA_DIR is the directory where Java is installed on the
computer.
♦ Edit the Java security file java.security in the
...\JAVA_DIR\jre\lib\security directory.
Find the place in the file where the list of installed providers is
declared. It should look as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=...
If you want the AR provider to be the default provider, for the
functionalities it supports, put it first in the list and adjust the
priorities for others, so the list will look as follows:
security.provider.1=COM.arx.jca.ARJCA
security.provider.2=sun.security.provider.Sun
security.provider.3=...
Otherwise, put it at the end of the list and set it's priority
accordingly. Since many applications access only the default
provider, it is recommended to set the ARJCA as such.
♦ Copy the arjca.conf file into user home directory. For example on
Windows 2000:
C:\Documents and Settings\UserName.DomainName
5-4
SmartAdaptor Add-On Adapters 5
Configuration File Parameters
The configuration file enables setting different parameters for the ARJCA
provider. The arjca.conf file has to be in the user home directory. If it
doesn’t exist, then default values are taken. The file is read during the
initialization of the library. It has a standard windows INI file format with three
sections: General, Log and RSA.
5-5
5 CryptoKit Developer's Guide
5-6
SmartAdaptor Add-On Adapters 5
Sample JCA Program
The following sample demonstrates a basic usage of three JCA classes:
KeyPairGenerator, Signature and KeyStore. It generates an RSA key pair, signs
a buffer with the private key, verifies the result with the public key and then
stores the public key on the token. The program explicitly uses ARJCA
provider, but it can be easily modified to work with any other provider that
supports similar functionalities.
import java.io.*;
import java.util.*;
import java.security.*;
import java.security.cert.*;
import java.security.spec.*;
import java.security.interfaces.*;
5-7
5 CryptoKit Developer's Guide
try {
KeyStore ks =
KeyStore.getInstance("JKS", "ARJCA");
ks.load(null, null);
Key pub = RSAkeys.getPublic();
ks.setKeyEntry(pubName, pub, passw.toCharArray(),
null);
return true;
}
catch (Exception ex){
exc_abort(ex);
}
return false;
}
public boolean RSAverify(byte[] buffer, byte[]
signature, KeyPair RSAkeys) {
System.out.println("Verifying..");
try {
PublicKey pub = RSAkeys.getPublic();
Signature sig=Signature.getInstance("SHA1withRSA",
"ARJCA");
sig.initVerify(pub);
sig.update(buffer);
return sig.verify(signature);
}
catch (Exception e) {
5-8
SmartAdaptor Add-On Adapters 5
exc_abort(e);
return false;
}
}
public byte[] RSAsign(byte[] buffer, KeyPair RSAkeys) {
System.out.println("Signing..");
try {
PrivateKey priv = RSAkeys.getPrivate();
Signature sig=Signature.getInstance("SHA1withRSA",
"ARJCA");
sig.initSign(priv);
sig.update(buffer);
System.out.println("Sign OK");
return sig.sign();
}
catch (Exception e) {
exc_abort(e);
}
return null;
}
public KeyPair GenerateRSAKeys() {
System.out.println("Generating RSA pair..");
KeyPairGenerator keyGen = null;
try {
keyGen=KeyPairGenerator.getInstance("RSA",
"ARJCA");
keyGen.initialize(1024);
KeyPair keypair = keyGen.genKeyPair();
System.out.println("Generate OK");
return keypair;
}
catch (Exception e) {
exc_abort(e);
}
return null;
}
}
5-9
5 CryptoKit Developer's Guide
AR Java PKCS
The AR Java package (ckit.jar) provides PKCS#11 style API access to Java
applications. The Java adapter is implemented through a JNI interface (Java
Native Interface) over a C-based PKCS#11 SmartAdaptor interface, providing a
set of Java classes for use by developers. While these classes present PKCS#11
functionality in proprietary manner, it remains very similar to the native
PKCS#11 architecture, structures and functions, enabling developers already
familiar with the PKCS#11 standard to start using these Java classes without a
significant learning curve. The detailed information about these Java classes is
provided in the JavaDoc files, which is archived in the JavaCKit folder of the
CryptoKit installation.
Main Packages
The ckit.jar contains two packages: COM.arx.jpkcs11 and
COM.arx.jpkcs11.Native.
Main Classes
Following is a list of some of the main classes in ckit.jar. These classes belong
to the COM.arx.jpkcs11 package and are extended by the corresponding classes
in the COM.arx.jpkcs11.Native package. For a complete list refer to the JavaDoc
files in CryptoKit installation.
♦ AR_JPKCS11 This class initializes the PKCS#11 library through the
getInstance method. It returns the slot list and provides additional general
functions.
5-10
SmartAdaptor Add-On Adapters 5
♦ AR_JPKCS11Slot This class implements all the PKCS#11 slot
functionality. All PKCS#11 functions, which relate to a slot, are mapped
into a corresponding method in this class with the same functionality.
Some of the methods in this class are: openSession, getMechanismList,
initToken, waitForSlotEvent etc.
♦ AR_JPKCS11Session This class implements all the PKCS#11 session
related functionality, such as login, creation of objects, generation of
keys and performing cryptographic operations like hash, sign, encrypt,
decrypt etc. A session object is created by openSession method of the
AR_JPKCS11Slot class.
♦ AR_JPKCS11Object This class implements all the PKCS#11 object
related functionality, such as setting and getting object attributes,
destroying objects etc. It includes the object template constants such as
class, token, sensitive, extractable etc. An object of this class can be
created by several methods for example by generateKeyPair method of
the AR_JPKCS11Session class.
♦ AR_JPKCS11Mechanism This is an abstract class that defines the
PKCS#11 mechanisms and returns the mechanism info object through
the getInfo method.
♦ AR_JPKCS11Exception This is an extension of Java Exception class.
All the PKCS#11 errors are thrown through it. It is possible to get a text
explanation about each error by using the errorMessage method.
Sample Program
The following sample program shows how to use AR Java PKCS provider to
generate an RSA key pair and then sign a buffer with the private key.
import java.io.*;
import COM.arx.jpkcs11.*;
import COM.arx.jpkcs11.Native.*;
try {
// Initialize
5-11
5 CryptoKit Developer's Guide
AR = (AR_NativePKCS11)
(AR_JPKCS11.getInstance("Sadaptor", null, 0));
AR_JPKCS11Slot[] slots;
AR_JPKCS11Session sess;
if (slots.length > 0) {
sess = slots[0].openSession(
AR_JPKCS11SessionInfo.AR_JPKCS11_FLG_RW_SESSION |
AR_JPKCS11SessionInfo.AR_JPKCS11_FLG_SERIAL_SESSION,
null, null);
}
else {
return;
}
AR_JPKCS11ObjectAttribute[] attr_priv =
new AR_JPKCS11ObjectAttribute[2];
byte[] Exponent =
{(byte)0x0,(byte)0x1,(byte)0x0,(byte)0x1};
5-12
SmartAdaptor Add-On Adapters 5
attr_pub[3] = new AR_JPKCS11ObjectAttribute(
AR_JPKCS11Object.AR_JPKCS11_PUBLIC_EXPONENT,
new BigInteger(Exponent));
AR_JPKCS11Mechanism mech_sign =
new AR_NativePKCS11Mechanism(
AR_JPKCS11Mechanism.AR_JPKCS11_MECH_MD5_RSA_PKCS,
sess.getSlot(), null);
5-13
5 CryptoKit Developer's Guide
Entrust Adapter
5-14
SmartAdaptor Add-On Adapters 5
Entrust Desktop Solution applications v5.1, v6.0
Entrust 6 CA enables using the keys and certificates with CAPI based
applications. When this option is selected in the Entrust CA, the user certificates
are written on the public area of the token. In order for ARCSP to be able to use
these keys there is an additional step that has to be done. A special procedure
called “standardize” which can be activated from AR Genie utility program
creates a corresponding public key and verifies that all objects have the same ID
value. In that way ARCSP is capable of identifying the containers on the token
and makes them available for CAPI applications. For more information refer to
explanation about the AR Genie utility in chapter 6.
5-15
5 CryptoKit Developer's Guide
X.509 Toolkit
With the addition of the X.509 Toolkit, The PKCS#11 CryptoKit now supports
the X.509 v.3 certificate standard.
The X.509 Toolkit provides a set of programming tools for compliance with
ITU-T Recommendation X.509, and the IETF-PKIX's RFC 2459. This library
enables parsing and encoding of X.509 certificates and Certificate Revocation
Lists (CRLs), while using the cryptographic power of CryptoKit for signing and
verifying signatures.
The functions and data types in the X.509 Toolkit are very straightforward,
extracted directly from the X.509 definition, and are therefore easy to
understand and use.
The X.509 Toolkit does not supply a CA (Certificate Authority) or any functions
for communicating with one; application programmers should obtain the
certificates and CRLs independently.
Overview
Using the X.509 Toolkit assumes a good working knowledge of public key
cryptography and PKI (Public Key Infrastructure), including the X.509
recommendation. The following section provides a short overview of these
topics, and while useful as background material, it does not replace extensive
study of these subjects.
5-16
SmartAdaptor Add-On Adapters 5
Classic cryptography uses symmetric schemes in which both sides have a mutual
secret: the secret key. If Alice and Bob want to pass secret messages to one
another, they must meet and decide on a secret key, known to both of them
alone. Then Alice can encrypt a message using the secret key and send it to Bob
who will use the same key to decrypt the message and read it. With a good
algorithm and a key that is practically impossible to guess, Alice and Bob can
pass messages safely without anyone else being able to understand them.
Symmetric schemes have a catch: Alice and Bob must meet in order to agree on
a secret key (if they send the key, someone could intercept it). This might be
problematic if Alice and Bob live far away from each other, or if Alice wants to
maintain secure communications with many people.
Asymmetric schemes, or public key algorithms, were designed to overcome
these limitations. In this case Alice now has two keys: a private key, known only
to her, and a public key, which is widely known. Messages encrypted using
Alice’s public key can only be decrypted by her private key – this means that
Bob can ask Alice for her public key, and then send her messages that only she
can read.
Using her private key, Alice can also affix digital signatures to her messages.
When Bob receives a message signed by Alice with her private key, he can use
Alice’s public key to verify that Alice really wrote the message.
5-17
5 CryptoKit Developer's Guide
The CA has a list of users and their public keys. Each user must give the CA his
own public key, and receive the CA’s public key in a secure way. Then the user
can securely obtain any other user’s public key from the CA.
X.509
The following is an excerpt from the X.509 standard that was formulated by the
ITU-T:
The X.509 certificate has evolved through several versions. Version 1 included
seven fields. This was extended to nine fields in version 2. Version 3 introduced
a tenth field (extensions), which enables the addition of any number of fields,
and makes the standard more robust. The Internet Engineering Task Force's
Public Key Infrastructure working group (IETF-PKIX) defines in RFC 2459
some more extensions, and the correct procedures for using X.509 certificates
and extensions. Some extension types are standard, and others may be added to
customize certificates for specific applications.
1
Abstract Syntax Notation One, as defined in ITU-T Recommendation X.680.
5-18
SmartAdaptor Add-On Adapters 5
The standard certificate fields are:
Subject Public Key Information about the enclosed public key, including the
Info key itself, its size, and the algorithm it should be used
for.
Issuer Unique The CA’s unique identifier (added in version 2). This
Identifier field is optional, and is not recommended for use.
Subject Unique The user’s unique identifier (added in version 2). This
Identifier field is optional, and is not recommended for use.
The Certificate Revocation List (CRL) is a list of revoked certificates that the
CA issues at regular intervals, and more often if necessary. A certificate can be
revoked for many reasons: the user’s private key has been compromised, the
CA’s database has been compromised, the user has moved to another CA, etc.
2
Distinguished Names are defined in ITU-T Recommendation X.501 – The Directory: Models.
5-19
5 CryptoKit Developer's Guide
The CRL includes a certificate list with the following standard fields:
Next Update Planned time for next update (added in version 2).
For a list of the various extensions of certificates and CRLs defined in the
standard and supported by X.509 Toolkit, refer to General Data Types on page
4-51.
The data cannot be transported in these structures, and is therefore encoded into
a series of bytes using a subset of the ASN.1 Basic Encoding Rules (BER), as
defined in the recommendation. The X.509 Toolkit implementation encodes the
data using the ASN.1 Distinguished Encoding Rules (DER), which are a more
tightly defined subset of BER, and therefore also comply with the rules defined
in X.509.
5-20
SmartAdaptor Add-On Adapters 5
Additional Reading
X.509
ITU-T Recommendation X.509 (1997) | “Information Technology – Open
Systems Interconnection – The Directory: Authentication Framework”
RFC 2459 "Internet X.509 Public Key Infrastructure Certificate and CRL
Profile", D. Solo, Russ Housley, Warwick Ford, T. Polk, 1999.3
X.509 Background
ITU-T Recommendation X.500 (1997) | “Information Technology – Open
Systems Interconnection – The Directory: Overview of concepts, models and
services.”
ASN.1
ITU-T Recommendation X.680 (1994) | “Information Technology – Abstract
Syntax Notation One (ASN.1): Specification of basic notation.”
3
At the time of this writing, the following Internet site http://ietf.org/ids.by.wg/pkix.html contains
this document, in addition to many other relevant ones.
5-21
5 CryptoKit Developer's Guide
The transition between these types is not trivial, due to the robust nature of the
certificate and CRL definitions. Decoding or encoding data involves numerous
memory allocations that can cause greatly fragmented memory and necessitate
complex memory management.
For this reason, X.509 Toolkit functions do not perform any real memory
allocation: the calling function supplies a memory block for the X.509 Toolkit
function, and the X.509 Toolkit function does all memory allocation inside this
memory block. This method assures that all the data is arranged in a continuous
block of memory, which can be easily disposed of when the function is
complete.
{
FILE * f;
X509_certificate * cert;
CK_BYTE encCert[5000];
CK_BYTE decCert[5000];
5-22
SmartAdaptor Add-On Adapters 5
CK_ULONG encCertLen;
CK_ULONG decCertLen = sizeof(decCert);
CK_RV rc;
f = fopen(argv[1],"rb");
encCertLen = fread(encCert,1,5000,f);
fclose(f);
rc = C_X509_Decode(CK_X509_ID_CERT, encCert,
encCertLen,decCert,&decCertLen);
cert = (X509_certificate *)decCert;
The program first reads the encoded certificate from a file. The memory block
needed for decoding the certificate into is provided by an array. The buffer is
decoded. At the end the program prints the certificate version number.
5-23
5 CryptoKit Developer's Guide
{
FILE * f;
CK_BYTE encCert[5000];
CK_ULONG encCertLen;
CK_RV rc;
CK_ULONG version;
CK_ULONG verLen;
f = fopen(argv[1],"rb");
encCertLen = fread(encCert,1,5000,f);
fclose(f);
verLen = sizeof(version);
rc = C_X509_GetField(CK_X509_ID_CERT,
encCert,encCertLen,(CK_VOID_PTR)&version,
&verLen,CK_X509_CERT_FIELD_VERSION);
In this example, C_X509_GetField is used for decoding only the version field
of the encoded certificate, by specifying the
CK_X509_CERT_FIELD_VERSION constant as the last parameter. This is
possible for all fields; refer to the Constants section of this chapter for a
5-24
SmartAdaptor Add-On Adapters 5
complete list of the field type constants. Since version is already a CK_ULONG
variable, there is no need to cast it after the call to C_X509_GetField; the
version value is put directly in the variable version when the function is run.
5-25
5 CryptoKit Developer's Guide
{
FILE * f;
CK_BYTE encCert[5000];
CK_ULONG encCertLen;
CK_RV rc;
CK_SLOT_ID pSlotList[10];
CK_ULONG ulCount = 10;
CK_SESSION_HANDLE hSession;
f = fopen(argv[1],"rb");
encCertLen = fread(encCert,1,5000,f);
fclose(f);
rc = C_Initialize(NULL_PTR);
rc = C_GetSlotList(FALSE,pSlotList,&ulCount);
rc = C_OpenSession(pSlotList[0],CKF_RW_SESSION |
CKF_SERIAL_SESSION,NULL_PTR,NULL_PTR,&hSession);
rc = C_X509_Verify(hSession,CK_INVALID_HANDLE,
CK_X509_ID_CERT,encCert,encCertLen,NULL_PTR,0);
if (rc != CKR_OK)
printf("*** error verifying – %x\n",rc);
else
printf("Verification successful!\n");
rc = C_CloseSession(hSession);
rc = C_Finalize(NULL_PTR);
return 0;
}
5-26
SmartAdaptor Add-On Adapters 5
♦ CK_INVALID_HANDLE – No external key is needed for verification.
♦ CK_X509_ID_CERT – the input buffer is a certificate. When decoding
a CRL the value of this parameter should be CK_X509_ID_CRL.
♦ encCert – the input encoded certificate.
♦ encCertLen – the size, in bytes, of the encoded certificate.
♦ NULL_PTR – no external CA certificate is needed for verification.
♦ 0 – the size of the CA certificate, if present.
Usually the pCACert parameter would be the certificate of the CA, which
signed the certificate that is now being verified.
5-27
5 CryptoKit Developer's Guide
This functionality can be achieved in two ways, either through consecutive calls
to C_X509_Encode for encoding, and then C_X509_Sign for signing, or
through one call to C_X509_EncodeSign for both encoding and signing. For
most applications the single call to C_X509_EncodeSign is preferable,
however, for demonstrating the use of more functions, the following example
uses the two step approach.
The following sample illustrates a function for encoding and signing a certificate
or CRL, and also incorporates some error handling. In this example, it is
assumed that the key media has already been formatted and generated.
CK_RV encodeAndSign( CK_ASN_ID type,
void * structuredData,
CK_ULONG structuredDataLen,
CK_BYTE * encoded,
CK_ULONG * encodedLen)
{
CK_RV rc;
CK_BYTE_PTR pCertBuf;
CK_ULONG certBufLen = 0;
CK_ULONG encTbsLen;
CK_SLOT_ID pSlotList[10];
CK_ULONG ulCount = 10;
CK_SESSION_HANDLE hSession;
CK_CHAR_PTR pin = "12345678";
CK_ULONG attribPrivateKey = CKO_PRIVATE_KEY;
5-28
SmartAdaptor Add-On Adapters 5
CK_ULONG attribRSA = CKK_RSA;
CK_ATTRIBUTE findRSAPrivateKey[] = {
{CKA_CLASS,&attribPrivateKey, sizeof(attribPrivateKey)},
{CKA_KEY_TYPE, &attribRSA, sizeof(attribRSA)},
};
CK_ULONG ulObjectsFound;
CK_OBJECT_HANDLE hPrivateKey;
rc = C_X509_Encode(type,structuredData,
structuredDataLen,NULL,&certBufLen);
if (rc == CKR_BUFFER_TOO_SMALL)
pCertBuf = malloc(certBufLen);
else if (rc != CKR_OK) {
printf("*** error in encode – %x\n",rc);
return rc;
}
encTbsLen = certBufLen;
rc = C_X509_Encode(type,structuredData,
structuredDataLen,pCertBuf,&certBufLen);
if (rc != CKR_OK) {
printf("*** error encoding – %x\n",rc);
return rc;
}
rc = C_Initialize(NULL_PTR);
if (rc != CKR_OK) {
printf("*** Error in C_Initialize – %x\n",rc);
return rc;
}
rc = C_GetSlotList(FALSE,pSlotList,&ulCount);
if (rc != CKR_OK) {
printf("*** Error in C_GetSlotList – %x\n",rc);
C_Finalize(NULL_PTR);
return rc;
}
rc = C_OpenSession(pSlotList[0],CKF_RW_SESSION |
CKF_SERIAL_SESSION,NULL_PTR,NULL_PTR,&hSession);
if (rc != CKR_OK) {
printf("*** Error in C_OpenSession – %x\n",rc);
C_Finalize(NULL_PTR);
5-29
5 CryptoKit Developer's Guide
return rc;
}
rc = C_Login(hSession,CKU_USER,pin,8);
if (rc != CKR_OK) {
printf("*** Error in C_Login – %x\n",rc);
C_Finalize(NULL_PTR);
return rc;
}
rc = C_FindObjectsInit(hSession,findRSAPrivateKey,2);
if (rc != CKR_OK) {
printf("*** Error in C_FindObjectsInit – %x\n",rc);
C_Finalize(NULL_PTR);
return rc;
}
rc = C_FindObjects(hSession,&hPrivateKey,1, &ulObjectsFound);
if ((rc != CKR_OK) || (ulObjectsFound != 1)) {
printf("*** Error in C_FindObjects – %x,
ulObjectsFound=%d\n",rc,ulObjectsFound);
C_Finalize(NULL_PTR);
return rc;
}
rc = C_FindObjectsFinal(hSession);
if (rc != CKR_OK) {
printf("*** Error in C_FindObjectsFinal – %x\n",rc);
C_Finalize(NULL_PTR);
return rc;
}
rc = C_X509_Sign(hSession,hPrivateKey,type,pCertBuf,
encTbsLen,encoded,encodedLen);
if (rc != CKR_OK) {
printf("*** Error signing – %x\n",rc);
C_Finalize(NULL_PTR);
return rc;
}
rc = C_Logout(hSession);
if (rc != CKR_OK) {
printf("*** Error in C_Logout - %x\n",rc);
C_Finalize(NULL_PTR);
return rc;
}
C_Finalize(NULL_PTR);
5-30
SmartAdaptor Add-On Adapters 5
return CKR_OK;
}
crl is an object of type X509_crl, and encCrl is a buffer for the encoded and
signed CRL.
5-31
5 CryptoKit Developer's Guide
{
FILE * f;
CK_BYTE encCert[5000];
CK_ULONG encCertLen;
CK_BYTE encCrl[5000];
CK_ULONG encCrlLen;
CK_RV rc;
CK_ULONG result;
f = fopen(argv[1],"rb");
encCertLen = fread(encCert,1,5000,f);
5-32
SmartAdaptor Add-On Adapters 5
fclose(f);
f = fopen(argv[2],"rb");
encCrlLen = fread(encCrl,1,5000,f);
fclose(f);
rc = C_X509_FindInCRL(encCert,encCertLen,encCrl,
encCrlLen,CK_X509_ID_CERT,NULL,NULL,&result);
if (rc == CKR_OK) {
if (result == CKR_X509_DIFFERENT_ISSUERS)
printf("Certificate and crl are from different
issuers\n");
else if ((result >= CKR_X509_FOUND) && (result
< CKR_X509_NOT_FOUND))
printf("Certificate has been revoked!\n");
else if (result == CKR_X509_NOT_FOUND)
printf("certificate has not been revoked\n");
}
else
printf("*** Error in C_X509_FindInCRL – %x\n",rc);
return 0;
}
5-33
5 CryptoKit Developer's Guide
Each revoked item in the CRL has a serial number, revocation time, and some
optional extensions. If you want C_X509_FindInCrl to return the complete
structure associated with the serial number, send a memory buffer in pRevoked.
This will provide all the relevant data in X509_Revoked structure pointed to by
pRevoked.
rc = C_X509_FindInCRL(serialNum,serialNumLen,encCrl,
encCrlLen,CK_X509_ID_SER_NUM,NULL,NULL,&result);
Using this technique, C_X509_FindInCrl cannot check if the issuer is the same
for both certificate and CRL; the application programmer must do this.
5-34
SmartAdaptor Add-On Adapters 5
Copying a Complete Data Structure
A complete X509_certificate or X509_crl structure contains a great deal of data
and numerous pointers. It is not possible to copy these structures simply by
using memcpy; rather it is a laborious process of following pointers and
allocating new ones. C_X509_copy enables you to copy any complete structure,
such as X509_certificate, X509_crl, and X509_Dname.
Let’s assume you want to manipulate the certificate issuer’s distinguished name
without changing the original data. The following example shows how
C_X509_copy can be used to to copy a complete certificate.
#include "ck_x509.h"
#include <stdio.h>
#include <stdlib.h>
{
FILE * f;
X509_certificate * certificate;
CK_BYTE encCert[5000];
CK_BYTE decCert[5000];
CK_ULONG encCertLen;
CK_ULONG decCertLen = sizeof(decCert);
CK_BYTE dnameBuf[1000];
CK_ULONG dnameBufLen = sizeof(dnameBuf);
X509_Dname * issuerDname;
CK_RV rc;
f = fopen(argv[1],"rb");
encCertLen = fread(encCert,1,5000,f);
fclose(f);
rc = C_X509_Decode(CK_X509_ID_CERT, encCert,
encCertLen,decCert,&decCertLen);
certificate = (X509_certificate *)decCert;
rc = C_X509_Copy(CK_X509_ID_DNAME, &(certificate->tbs.issuer),
1000,dnameBuf,&dnameBufLen);
5-35
5 CryptoKit Developer's Guide
return 0;
}
5-36
SmartAdaptor Add-On Adapters 5
Building Certificates
Building the structured certificates is not an easy task. The installation disk
contains a sample project called creatcrt, which helps you create a simple
certificate with user-friendly menus. This utility can be used also to create a
self-signed certificate. Note that it does not check the integrity of the data you
provide. You must verify that the certificate is valid by checking it against the
X.509 specification.
Although we will not explain creatcrt in full, reviewing it can provide a good
understanding of how to work with the X.509 data structures.
Object Identifiers
Object identifiers are defined in ASN.1 as a universal way of describing objects
as a sequence of integer components. The object identifiers are built as a tree,
where each node inherits the integer sequence from its parent, and adds a new
integer at the end. Thus, an entity receives its unique object identifier, and is
allowed to assign object identifiers inherited from its integer sequence. This
ensures that no two entities are able to accidentally assign the same object
identifier.
For example, the general object identifier for an X.509 certificate extension is:
id-ce OBJECT IDENTIFIER::= {joint-iso-ccitt(2) ds(5)
29}
5-37
5 CryptoKit Developer's Guide
A complete list of the object identifiers recognized by the X.509 Toolkit can be
found in the Constants section of this chapter (below), they are defined in the
file obj_ids.h.
Constants
This section describes some of the ASN.1 constants defined in the X.509
Toolkit. For a full list refer to the H-file cx509def.h. These constants are
categorized as follows:
♦ Certificate/CRL Fields
♦ Object Types
♦ Types of General Names
♦ Object Identifiers:
Algorithm Identifiers
PKCS (#7, #9 and #12)
Attribute Types (for Distinguished Names)
Extensions
Qualifier Types
Key Purposes
Hold Instructions
Attribute Certificates
5-38
SmartAdaptor Add-On Adapters 5
Certificate/CRL Fields
The following are field identifiers for C_X509_GetField. Note that extension
types have two names: an extension number, and a meaningful name. Since both
refer to the same extension, they are interchangeable.
Certificate/CRL Fields
CK_X509_FIELD_ENTIRE The entire certificate/CRL.
CK_X509_CRL_FIELD_ENTIRE The entire CRL.
CK_X509_CRL_FIELD_SIG The signature field of the CRL.
CK_X509_CRL_FIELD_VERSION The version field of crl_tbs.
CK_X509_CRL_FIELD_SIG_ALG The signature_alg field of crl_tbs.
CK_X509_CRL_FIELD_ISSUER The issuer field of crl_tbs.
CK_X509_CRL_FIELD_THIS_UPDATE The this_update field of crl_tbs.
CK_X509_CRL_FIELD_NEXT_UPDATE The next_update field of crl_tbs.
CK_X509_CRL_FIELD_EXTENSIONS The extensions field of crl_tbs.
CK_X509_CRL_FIELD_EXT_2920 The CRL_number
CK_X509_CRL_FIELD_EXT_CRL_NUMBER (X509_ext_2920) extension.
CK_X509_CRL_FIELD_EXT_2921 The CRL_reason
CK_X509_CRL_FIELD_EXT_REASON_CODE (X509_ext_2921) extension.
CK_X509_CRL_FIELD_EXT_2923 The HoldInstructionCode
CK_X509_CRL_FIELD_EXT_INSTRUCTION_CODE (X509_ext_2923) extension.
CK_X509_CRL_FIELD_EXT_2924 The InvalidityDate
CK_X509_CRL_FIELD_EXT_INVALIDITY_DATE (X509_ext_2924) extension.
CK_X509_CRL_FIELD_EXT_2927 The DeltaCRLIndicator
CK_X509_CRL_FIELD_EXT_DELTA_CRL_INDICATOR (X509_ext_2927) extension.
CK_X509_CRL_FIELD_EXT_2928 The IssuingDistributionPoint
CK_X509_CRL_FIELD_EXT_ISSUING_DIST_POINT (X509_ext_2928) extension.
5-39
5 CryptoKit Developer's Guide
Certificate/CRL Fields
CK_X509_CRL_FIELD_EXT_2929 The CertificateIssuer
CK_X509_CRL_FIELD_EXT_CERT_ISSUER (X509_ext_2929) extension.
CK_X509_CERT_FIELD_ENTIRE The entire certificate.
CK_X509_CERT_FIELD_SIG The signature field of certificate.
CK_X509_CERT_FIELD_VERSION The version field of the certificate
to be signed.
CK_X509_CERT_FIELD_SER_NUM The serial_number field of the
certificate to be signed.
CK_X509_CERT_FIELD_SER_NUM_DER The DER encoded serial_number
field of the certificate. Used to
create a PKCS#11 certificate
object.
CK_X509_CERT_FIELD_SIG_ALG The signature_alg field of the
certificate to be signed.
CK_X509_CERT_FIELD_ISSUER The issuer field of the certificate
to be signed.
CK_X509_CERT_FIELD_ISSUER_DER The DER encoded issuer field of
the certificate. Used to create a
PKCS#11 certificate object.
CK_X509_CERT_FIELD_VALIDITY The validity field of the certificate
to be signed.
CK_X509_CERT_FIELD_SUBJECT The subject field of the certificate
to be signed.
CK_X509_CERT_FIELD_SUBJECT_DER The DER encoded subject field of
the certificate. Used to create a
PKCS#11 certificate object.
CK_X509_CERT_FIELD_PUB_KEY_INFO The subject_key_info field of the
certificate to be signed.
5-40
SmartAdaptor Add-On Adapters 5
Certificate/CRL Fields
CK_X509_CERT_FIELD_ISSUER_ID The issuer_id field of the
certificate to be signed.
CK_X509_CERT_FIELD_SUBJECT_ID The subject_id field of the
certificate to be signed.
CK_X509_CERT_FIELD_EXTENSIONS The extensions field of the
certificate to be signed.
CK_X509_CERT_FIELD_EXT_2914 The X509_ext_2914 extensions
CK_X509_CERT_FIELD_EXT_SUBJECT_KEY_ID field (if it exists).
CK_X509_CERT_FIELD_EXT_2915 The X509_ext_2915 extension
CK_X509_CERT_FIELD_EXT_KEY_USAGE field (if it exists).
CK_X509_CERT_FIELD_EXT_2916 The X509_ext_2916 extension
CK_X509_CERT_FIELD_EXT_PRIV_USAGE_PERIOD field (if it exists).
CK_X509_CERT_FIELD_EXT_2917 The subject_alt_name extension
CK_X509_CERT_FIELD_EXT_SUBJECT_ALT_NAME field (X509_ext_2917_8) (if it
exists).
CK_X509_CERT_FIELD_EXT_2918 The issuer_alt_name extension
CK_X509_CERT_FIELD_EXT_ISSUER_ALT_NAME field (X509_ext_2917_8) (if it
exists).
CK_X509_CERT_FIELD_EXT_2919 The X509_ext_2919 extension
CK_X509_CERT_FIELD_EXT_BASIC_CONSTRAINTS field (if it exists).
CK_X509_CERT_FIELD_EXT_2930 The X509_ext_2930 extension
CK_X509_CERT_FIELD_EXT_NAME_CONSTRAINTS field (if it exists).
CK_X509_CERT_FIELD_EXT_2931 The X509_ext_2931 extension
CK_X509_CERT_FIELD_EXT_CRL_DIST_POINT field (if it exists).
CK_X509_CERT_FIELD_EXT_2932 The X509_ext_2932 extension
CK_X509_CERT_FIELD_EXT_CERTIFICATE_POLICIES field (if it exists).
CK_X509_CERT_FIELD_EXT_2933 The X509_ext_2933 extension
CK_X509_CERT_FIELD_EXT_POLICY_MAPPING field (if it exists).
5-41
5 CryptoKit Developer's Guide
Certificate/CRL Fields
CK_X509_CERT_FIELD_EXT_2935 The X509_ext_2935 extension
CK_X509_CERT_FIELD_EXT_AUTH_KEY_ID field (if it exists).
CK_X509_CERT_FIELD_EXT_2936 The X509_ext_2936 extension
CK_X509_CERT_FIELD_EXT_POLICY_CONSTRAINTS field (if it exists).
CK_X509_CERT_FIELD_EXT_2937 The X509_ext_2937 extension
CK_X509_CERT_FIELD_EXT_EXTENDED_KEY_USAGE field (if it exists).
5-42
SmartAdaptor Add-On Adapters 5
Object Types
The following are internal object types used as the Type variable in the X.509
functions.
Object Types
CK_X509_ID_CERT An X509_certificate structure
CK_X509_ID_CRL An X509_crl structure
CK_X509_ID_SIG An X509_signature structure
CK_X509_ID_TBS An X509_tbs structure
CK_X509_ID_CRL_TBS An X509_crl_tbs structure
CK_X509_ID_SER_NUM A serial number (char *)4
CK_X509_ID_ALG_STRUCT An X509_alg_struct structure
CK_X509_ID_DNAME An X509_Dname structure
CK_X509_ID_KEY_INFO An X509_key_info structure
CK_X509_ID_UNIQUE_ID An X509_unique_id structure
CK_X509_ID_EXTENSIONS An X509_extensions structure
CK_X509_ID_EXTENSION An X509_ext structure
CK_X509_ID_REVOKED_LIST An X509_rev_list structure
CK_X509_ID_REVOKED An X509_revoked structure
CK_X509_ID_GENERAL_NAMES An X509_general_names structure
CK_X509_ID_GENERAL_NAME An X509_general_name structure
CK_X509_ID_GENERAL_SUBTREE An X509_general_subtree structure
4
A printable hex representation of the serial number.
5-43
5 CryptoKit Developer's Guide
5-44
SmartAdaptor Add-On Adapters 5
Object Identifiers
The following are tables of object identifiers recognized by the X.509 Toolkit,
as defined in obj_ids.h:
5-45
5 CryptoKit Developer's Guide
5-46
SmartAdaptor Add-On Adapters 5
Object Identifiers: PKCS
ASN1_OI_PKCS9_3 PKCS#9 Content Type
ASN1_OI_PKCS9_4 PKCS#9 Message Digest
ASN1_OI_PKCS9_5 PKCS#9 Signing Time
ASN1_OI_PKCS9_6 PKCS#9 Counter Signature
ASN1_OI_PKCS9_7 PKCS#9 Challenge Password
ASN1_OI_PKCS9_8 PKCS#9 Unstructured Address
ASN1_OI_PKCS9_9 PKCS#9 Extended Certificate attribute
5-47
5 CryptoKit Developer's Guide
5-48
SmartAdaptor Add-On Adapters 5
Object Identifiers: Extensions
ASN1_EXT_DELTA_CRL_INDICATOR Delta CRL Indicator extension
ASN1_EXT_ISSUING_DIST_POINT Issuing Distribution Point extension
ASN1_EXT_CERT_ISSUER Certificate Issuer extension
ASN1_EXT_NAME_CONSTRAINTS Name Constraints extension
ASN1_EXT_CRL_DIST_POINT CRL Distribution Point extension
ASN1_EXT_CERTIFICATE_POLICIES Certificate Policies extension
ASN1_EXT_POLICY_MAPPING Policy Mapping extension
ASN1_EXT_AUTH_KEY_ID Authority Key Identifier extension
ASN1_EXT_POLICY_CONSTRAINTS Policy Constraints extension
ASN1_EXT_EXTENDED_KEY_USAGE Extended Key Usage extension
5-49
5 CryptoKit Developer's Guide
5-50
SmartAdaptor Add-On Adapters 5
The following are the application-specific data definitions for the X.509 Toolkit,
as defined in cx509def.h. Note that the X.509 Toolkit also uses some data
types defined in PKCS#11.
These data types are used to represent the ASN.1 structures of X.509 certificates
and CRLs. The following figure shows the hierarchical relationship between the
different structures that are defined in the X.509 Toolkit. The right tree structure
shows the X509_certificate structure while the left tree shows X509_crl. The
different data structures are explained below.
5-51
5 CryptoKit Developer's Guide
5-52
SmartAdaptor Add-On Adapters 5
Basic Data Types
The following are basic data types, as defined in the X.509 Toolkit:
Fields to be decoded:
#define CK_X509_FIELD int
#define CK_X509_CERT_FIELD int
#define CK_X509_CRL_FIELD int
CK_DATA
CK_DATA is a general data structure for holding any kind of data and its size in
bytes.
typedef struct {
CK_VOID_PTR ptr;
CK_ULONG size;
} CK_DATA;
CK_TIME_T
CK_TIME_T is the time (in seconds) that has elapsed since midnight, 1/1/1970.
For dates until the year 2038, this value is identical to time_t (long integer).
CK_TIME_T (unsigned long) can represent all subsequent dates until the year
2106.
#define CK_TIME_T unsigned long
X509_certificate
X509_certificate is the main certificate data structure. It consists of two parts:
the information to be signed (tbs), and the signature. The C_X509_Decode
function returns data in this format, when applied on a certificate.
5-53
5 CryptoKit Developer's Guide
typedef struct {
X509_tbs tbs; // to be signed information
X509_signature signature;
// signature of the certificate
} X509_certificate;
X509_tbs
The X509_tbs represents the “to be signed” part of an X.509 certificate. The
serial_number field is the printable hex representation of the integer certificate
serial number.
typedef struct {
int version;
// certificate version
// number 1,2 or 3
char CK_PTR serial_number;
// certificate serial number
X509_alg_struct signature_alg;
// signature algorithm
X509_Dname issuer;
// issuer distinguished name
X509_validity validity;
// validity of this certificate
X509_Dname subject;
// subject distinguished name
X509_key_info subject_key_info;
// subject key info
X509_unique_id issuer_id; // issuer unique id
X509_unique_id subject_id; // subject unique id
X509_extensions extensions;
// certificate extensions
} X509_tbs;
5-54
SmartAdaptor Add-On Adapters 5
X509_crl
X509_crl represents the main CRL data structure. It consists of two parts: the
information to be signed (tbs), and the signature of the CRL. The
C_X509_decode function returns data in this format, when applied on a CRL.
typedef struct {
X509_crl_tbs tbs; // to be signed information
X509_signature signature;
// signature of the CRL
} X509_crl;
X509_crl_tbs
The X509_crl_tbs represents the “to be signed” part of a CRL.
typedef struct {
int version;
// CRL version number 1 or 2
X509_alg_struct signature_alg;
// signature algorithm
X509_Dname issuer;
// issuer distinguished name
CK_TIME_T this_update; // CRL update time
CK_TIME_T next_update;
// CRL next update time
X509_rev_list rev_list;
// list of revoked certificates
X509_extensions extensions;
// global CRL extensions
} X509_crl_tbs;
X509_signature
The X509_signature structure represents the signature part of an X.509
certificate or CRL. It contains data about the signature and hash algorithms, as
well as the signature itself.
5-55
5 CryptoKit Developer's Guide
typedef struct {
X509_alg_struct sign_alg;
// algorithm of the signature
int sig_len; // signature length
CK_BYTE_PTR signature; // binary signature
} X509_signature;
X509_alg_struct
The X509_alg_struct contains data about a cryptographic algorithm: the
algorithm object identifier, and algorithm parameters such as key_size and
initialization vector (iv). For example, for DSA, params is cast to
X509_DSA_params.
typedef struct {
X509_obj_id alg_id; // algorithm id
CK_DATA params; // additional parameters
} X509_alg_struct;
X509_obj_id
TheX509_obj_id structure contains information about an object identifier. When
the X.509 Toolkit recognizes the object identifier, its stores its internal code in
int_id. When the object identifier is not recognized, the whole object identifier is
stored in char_id as a sequence of numbers separated by dots (for example,
2.5.29.15 for the key usage extension).
typedef struct {
int int_id;
char CK_PR char_id;
} X509_obj_id;
5-56
SmartAdaptor Add-On Adapters 5
X509_alg_params_key_iv
The params field of X509_alg_struct is cast to the X509_alg_params_key_iv
data type if the algorithm parameters include both key size and initialization
vector. Note that this is irrelevant for public key algorithms.
typedef struct {
int key_size;
CK_BYTE_PTR iv;
} X509_alg_params_key_iv;
X509_alg_params_key
The params field of X509_alg_struct is cast to the X509_alg_params_key data
type if the algorithm parameters include only key size.
typedef struct {
int key_size;
} X509_alg_params_key;
X509_DSA_params
The params field of X509_alg_struct is cast to the X509_DSA_params data type
for the DSA signature algorithm.
typedef struct{
int key_size; // length of p in bytes
BYTE p[128];
// prime number of length key_size
BYTE q[20];
// 160-bit prime factor of p-1
BYTE g[128];
// h^((p-1)/q) mod p for
// smallest h s.t. g>1
} X509_DSA_params;
5-57
5 CryptoKit Developer's Guide
X509_alg_params_dh
The params field of X509_alg_struct is cast to the X509_DH_params data type
for the Diffie-Hellman key exchange algorithm.
typedef struct {
int plen; // length of p in bytes
CK_BYTE_PTR p; // prime number
int glen; // length of g in bytes
CK_BYTE_PTR g; // generator
int qlen; // length of q in bytes
CK_BYTE_PTR q; // prime factor of p-1
int jlen; // length of j in bytes.
// j=0 means no value given
CK_BYTE_PTR j; // subgroup factor, p = qj+1
X509_validation_params CK_PTR vp;
// validation params
} X509_alg_params_dh;
X509_validation_params
The X509_validation_params contains validation parameters for the Diffie-
Hellman key exchange algorithm.
typedef struct {
int seed_len; // seed length in bytes
CK_BYTE_PTR seed; // seed
int pgen_len;
// length of pgenCounter in bytes
CK_BYTE_PTR pgenCounter;
} X509_validation_params;
5-58
SmartAdaptor Add-On Adapters 5
X509_Dname
The X509_Dname contains the main structure for Distinguished Names, as
defined in X.500. The Distinguished name is constructed of Relative
Distinguished Names (RDNs).
X509_RDN
The X509_RDN structure represents a Relative Distinguished Name, consisting
of ATAVs (Attribute Types and Values; in X.501, it is called ATA – Attribute
Type Assertion).
X509_ATAV
The X509_ATAV structure is used to store an Attribute Type and Value.
5-59
5 CryptoKit Developer's Guide
ASN.1 has three different types of printable strings. value_type stores the
original ASN.1 coding of a printable string. It used to ensure that decoding
followed by encoding would result in the same ASN.1 sequence.
typedef struct {
X509_obj_id type; // object id of type
BYTE value_type; // asn1 type of value
int value_len; // length of value
CK_BYTE_PTR value; // value itself
} X509_ATAV; // Attribute Type and Value
X509_validity
The X509_validity contains the validity period of the certificate: neither before
nor after specific dates. The dates are saved as CK_TIME_T type variables and
are therefore easy to compare. You can use the ANSI localtime or gmtime
functions to convert this to a readable time/date format.
typedef struct {
CK_TIME_T not_before;
// certificate not valid before
CK_TIME_T not_after;
// certificate not valid after
} X509_validity;
X509_key_info
The X509_key_info structure contains information about the public key of a
user. It consists of two fields: algorithm_id and public_key. The algorithm_id
has the public key algorithm’s details. The public_key is a CK_DATA structure
cast to X509_RSA_key_info for the RSA algorithm, or X509_def_key_info for
all other algorithms.
typedef struct {
X509_alg_struct algorithm_id;
// algorithm id of the key
5-60
SmartAdaptor Add-On Adapters 5
CK_DATA public_key; // public key data
} X509_key_info;
X509_def_key_info
X509_def_key_info structure contains public key data for algorithms, whose
information consists of the key length and the key itself (such as DSA).
typedef struct {
int key_length; // key length
CK_BYTE_PTR public_key; // public key
} X509_def_key_info;
X509_RSA_key_info
X509_RSA_key_info structure contains public key data, when the algorithm is
RSA, and both the key and the exponent are required.
typedef struct {
int key_length; // key length
CK_BYTE_PTR public_key; // public key
int exp_length; // exponent length
CK_BYTE_PTR exp; // exponent
} X509_RSA_key_info;
X509_unique_id
X509_unique_id structure contains in the data field a unique id (unparsed) and
its length in the length field.
typedef struct {
int length; // length of data
CK_BYTE_PTR data; // unique id as was in the cert
} X509_unique_id;
5-61
5 CryptoKit Developer's Guide
X509_revoked
X509_revoked is a structure that contains one revoked item in the CRL. The
serial_number field is the printable hex representation of the integer serial
number.
typedef struct {
char CK_PTR serial_number;
// revoked serial number
CK_TIME_T revoked_time; // revoked time
X509_extensions extensions;
// specific revoke extensions
} X509_revoked;
X509_rev_list
X509_rev_list contains the list of revoked certificates inside a CRL. The
revoked field is an array of num_of_rev revoked items. For example, the serial
number of the fifth revoked item on the list rev_list would be:
rev_list.revoked[4].serial_number.
typedef struct {
int num_of_rev;
X509_revoked CK_PTR revoked;
} X509_rev_list;
X509_extensions
X509_extensions structure contains a group of extensions. The extensions field
is an array of num_of_ext extensions. For example, the extension type of the
fourth extension on the extension list cert_exts would be:
cert_exts.extensions[3].ext_id.
typedef struct {
int num_of_ext;
X509_ext CK_PTR extensions;
} X509_extensions;
5-62
SmartAdaptor Add-On Adapters 5
X509_ext
The X509_ext is a general structure for one extension. It contains data about the
type of extension, and how critical it is. The data pointer is cast to a structure
according to the type of extension. For example, if ext_id = 2915, you could use
the following line:
X509_ext_2915 KeyUsage=
(X509_ext_2915*)cert_exts.extensions[3].data;
Note that extension structures can be named interchangeably with a full name, or
a shorter extension number (see Certificate/CRL fields in the section on
Constants).
X509_ext_0000, X509_ext_unknown
This structure is used when the X.509 Toolkit is unable to parse an extension.
The extension is then copied unparsed into ext_data, and the data’s length is put
in ext_length.
typedef struct {
int ext_length;
CK_BYTE_PTR ext_data;
} X509_ext_0000, X509_ext_unknown;
5-63
5 CryptoKit Developer's Guide
X509_ext_2914, X509_ext_SubjectKeyIdentifier
X509_ext_2914 structure contains the subject key identifier extension. It holds a
printable string, as well as the string’s length.
typedef struct {
int len;
char CK_PTR data;
} X509_ext_2914, X509_ext_SubjectKeyIdentifier;
X509_ext_2915, X509_ext_KeyUsage
X509_ext_2915 structure contains the permitted key usage. A TRUE value
means that the public key may be used for that purpose.
typedef struct {
CK_BBOOL digitalSignature;
CK_BBOOL nonRepudiation;
CK_BBOOL keyEncipherment;
CK_BBOOL dataEncipherment;
CK_BBOOL keyAgreement;
CK_BBOOL keyCertSign;
CK_BBOOL cRLSign;
CK_BBOOL encipherOnly;
CK_BBOOL decipherOnly;
} X509_ext_2915, X509_ext_KeyUsage;
X509_ext_2916, X509_ext_PrivateKeyUsagePeriod
X509_ext_2916 structure contains the private key usage period extension, which
states the time period in which the private key is valid.
typedef struct {
CK_TIME_T not_before;
// private key not valid before
5-64
SmartAdaptor Add-On Adapters 5
CK_TIME_T not_after;
// private key not valid after
} X509_ext_2916, X509_ext_PrivateKeyUsagePeriod;
X509_general_name
The X509_general_name structure contains a general name. The possible types
of general names are listed in the Constants section above. The general name is
parsed into the data field and should be cast according to its type (string,
distinguished name, etc.). When the general name is unparsed (parsed = =
FALSE), the full-unparsed general name is stored in the data field.
typedef struct {
int type;
CK_BBOOL parsed;
int len;
CK_VOID_PTR data;
} X509_general_name;
X509_ext_2919, X509_ext_BasicConstraints
The X509_ext_2919 structure contains the basic constraints extension. If ca field
is TRUE, the subject is certified to act as a CA. The pathLenConstraint field
indicates the number of CA-certificates that may follow this one (if ca is
TRUE). The value –1 means that no value was specified for this field.
typedef struct {
5-65
5 CryptoKit Developer's Guide
CK_BBOOL ca;
int pathLenConstraint;
} X509_ext_2919, X509_ext_BasicConstraints;
X509_ext_2920, X509_ext_CRLNumber
The X509_ext_2920 structure contains the CRL number extension. It enables a
CRL user to detect when a particular CRL supersedes another CRL.
typedef struct {
int CRLnumber;
} X509_ext_2920, X509_ext_CRLNumber;
X509_ext_2921, X509_ext_CRLreason
X509_ext_2921 structure is usually used as an extension to a revoked item in a
CRL. It specifies the reason for the revocation. The data structure is also used as
part of the X509_distribution_point structure for specifying the types of
revocation reasons that may be distributed through the CRL distribution point.
typedef struct {
CK_BBOOL unspecified;
CK_BBOOL keyCompromise;
CK_BBOOL cACompromise;
CK_BBOOL affiliationChanged;
CK_BBOOL superseded;
CK_BBOOL cessationOfOperation;
CK_BBOOL certificateHold;
CK_BBOOL removeFromCRL;
} X509_ext_2921, X509_ext_CRLreason;
X509_ext_2923, X509_ext_HoldInstructionCode
The X509_ext_2923 structure contains the hold Instruction Code CRL
extension. It is used to prove a registered instruction identifier, which indicates
5-66
SmartAdaptor Add-On Adapters 5
the action to be taken after encountering a certificate that has been placed on
hold.
typedef struct {
X509_obj_id holdInstructionCode;
} X509_ext_2923, X509_ext_HoldInstructionCode;
X509_ext_2924, X509_ext_InvalidityDate
The X509_ext_2924 structure contains the CRL invalidity date extension. It
provides the date on which it is known or suspected that the private key was
compromised or that the certificate otherwise became invalid.
typedef struct {
CK_TIME_T invalidityDate;
} X509_ext_2924, X509_ext_InvalidityDate;
X509_ext_2927, X509_ext_DeltaCRLIndicator
The X509_ext_2927 structure contains the CRL delta Indicator extension. It
identifies the CRL as a delta CRL. The baseCRLNumber is the number of the
CRL that this Delta CRL is based on.
typedef struct {
int baseCRLNumber;
} X509_ext_2927, X509_ext_DeltaCRLIndicator;
X509_ext_2928, X509_ext_IssuingDistributionPoint
The X509_ext_2928 structure contains the CRL Issuing Distribution Point
extension. It identifies the CRL distribution point for a particular CRL, and
indicates certain restrictions on the contents of the CRL.
typedef struct {
X509_DPN CK_PTR DP;
CK_BBOOL onlyContainsUserCerts;
CK_BBOOL onlyContainsCACerts;
X509_ext_CRLreason CK_PTR onlySomeReasons;
5-67
5 CryptoKit Developer's Guide
CK_BBOOL indirectCRL;
} X509_ext_2928, X509_ext_IssuingDistributionPoint;
X509_ext_2929, X509_ext_CertificateIssuer
The X509_ext_2929 structure contains CRL Certificate Issuer extension. It
identifies the certificate issuer associated with an entry in an indirect CRL.
typedef struct {
X509_general_names certificateIssuer;
} X509_ext_2929, X509_ext_CertificateIssuer;
X509_ext_2930, X509_ext_NameConstraints
The X509_ext_2930 structure contains the name constraints extension. It is built
of two general subtrees: permitted and excluded.
typedef struct {
X509_general_subtree CK_PTR permitted;
X509_general_subtree CK_PTR excluded;
} X509_ext_2930, X509_ext_NameConstraints;
X509_general_subtree
The X509_general_subtree structure represents a single general subtree within a
connected list of general subtrees. The base field is the general name of the base
of the subtree, and min and max are the upper and lower bounds in the tree. The
next_subtree field is a pointer to the next subtree.
typedef struct _General_subtree {
X509_general_name CK_PTR base;
int min;
int max;
struct _General_subtree CK_PTR next_subtree;
} X509_general_subtree;
5-68
SmartAdaptor Add-On Adapters 5
X509_ext_2931, X509_ext_CRLDistributionPoint
X509_ext_2931 structure contains a list of CRL Distribution points (points
where the CRLs can be obtained). The DPs field is an array of num_of_DPs
pointers to individual distribution points.
typedef struct {
int num_of_DPs;
X509_distribution_point CK_PTR DPs;
} X509_ext_2931, X509_ext_CRLDistributionPoint;
X509_distribution_point
The X509_distribution_point structure contains an individual CRL distribution
point. The distribution_point field is the distribution point’s name, the reasons
field are the possible revocation reasons this distribution point is allowed to
give, and the CRLissuer field is the issuer whose CRL’s are available at this
distribution point. Any of these fields may be NULL.
typedef struct {
X509_DPN CK_PTR distribution_point;
X509_ext_2921 CK_PTR reasons;
X509_general_names CK_PTR CRLissuer;
} X509_distribution_point;
X509_DPN
The X509_DPN structure contains the name of a distribution point. It may be
either a full name, or the distribution point’s name relative to the CRL issuer
(but not both).
typedef struct {
X509_general_names CK_PTR full_name;
X509_RDN CK_PTR name_relative_to_CRL_issuer;
} X509_DPN; // Distribution Point Name
5-69
5 CryptoKit Developer's Guide
X509_general_names
X509_general_names structure contains a linked list of X509_general_name
structures.
typedef struct _General_names {
X509_general_name CK_PTR general_name;
struct _General_names CK_PTR next_name;
} X509_general_names;
X509_ext_2932, X509_ext_CertificatePolicies
X509_ext_2932 structure contains the certificate policies extension, via a linked
list of single policies. The cpid field is the policy’s object identifier. The
qualifiers are saved unparsed in qualifiers field, and the next pointer points to
the next policy.
typedef struct _Ext_2932 {
X509_obj_id cpid;
int qualifiers_len;
CK_BYTE_PTR qualifiers;
struct _Ext_2932 CK_PTR next;
} X509_ext_2932, X509_ext_CertificatePolicies;
X509_ext_2933, X509_ext_PolicyMappings
X509_ext_2933 structure is used for mapping policies from the issuer domain to
the subject domain. Issuer_domain_policy and subject_domain_policy are both
arrays of num_of_policies object identifiers, where
subject_domain_policy[i] is the mapping of
issuer_domain_policy[i].
typedef struct {
int num_of_policies;
X509_obj_id CK_PTR issuer_domain_policy;
X509_obj_id CK_PTR subject_domain_policy;
5-70
SmartAdaptor Add-On Adapters 5
} X509_ext_2933, X509_ext_PolicyMappings;
X509_ext_2935, X509_ext_AuthorityKeyIdentifier
X509_ext_2935 structure contains the authority key identifier extension data.
The key may be identified in two different ways:
♦ As key_id – an octet string identifying the key. The octet string and its
length are stored in CK_DATA data structure.
♦ By identifying the certificate associated with the key. As
auth_cert_issuer, the issuer of the certificate, and cert_ser_num, the
certificate’s serial number.
typedef struct {
CK_DATA key_id;
X509_general_names CK_PTR auth_cert_issuer;
char CK_PTR cert_ser_num;
} X509_ext_2935, X509_ext_AuthorityKeyIdentifier;
X509_ext_2936, X509_ext_PolicyConstraints
X509_ext_2936 structure specifies constraints, which may require explicit
certificate policy identification or inhibit policy mapping for the remainder of
the certification path. The RequireExplicitPolicy and inhibitPolicyMapping
fields specify the number of certificates in the path to skip before starting with
these constraints. A value of (–1) for any of these fields means that no value was
specified.
typedef struct {
int requireExplicitPolicy;
int inhibitPolicyMapping;
} X509_ext_2936, X509_ext_PolicyConstraints;
5-71
5 CryptoKit Developer's Guide
5-72
SmartAdaptor Add-On Adapters 5
Functions
For examples of how to use these functions, refer to Working with the X.509
Toolkit, earlier in this chapter.
C_X509_Decode
C_X509_Decode receives a BER encoded structure of a certificate/CRL, and
decodes it.
Syntax
int C_X509_Decode(CK_ASN_ID Type,
CK_VOID_PTR pEncoded,
CK_ULONG ulEncodedLen,
CK_VOID_PTR pDecoded,
CK_ULONG_PTR pulDecodedLen);
Parameters
♦ Type [in] – the internal type of the structure (Certificate, CRL).
♦ pEncoded [in] – the BER encoded certificate/CRL.
♦ ulEncodedLen [in] – the size in bytes of the encoded certificate/CRL in
pEncoded.
5-73
5 CryptoKit Developer's Guide
Return codes
CKR_OK – function was completed successfully.
CKR_BUFFER_TOO_SMALL – the buffer supplied was too small. The
amount of memory required (beyond what was supplied) is returned in
pulDecodedLen.
CKR_BADLY_FORMATTED_INPUT – pEncoded is not a valid BER
encoded structure of type Type.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
C_X509_Encode
C_X509_Encode receives a decoded structure of a certificate/CRL and DER
encodes it.
Syntax
int C_X509_Encode(CK_ASN_ID Type,
CK_VOID_PTR pDecoded,
CK_ULONG ulDecodedLen,
CK_VOID_PTR pEncoded,
CK_ULONG_PTR pulEncodedLen);
Parameters
♦ Type [in] – the internal type of the structure (Certificate, CRL).
♦ pDecoded [in] – the decoded data structure.
5-74
SmartAdaptor Add-On Adapters 5
♦ ulDecodedLen [in] – the size in bytes of the input data structure
pDecoded.
♦ pEncoded [in/out] – on entry, points to a buffer for holding the output
DER encoded certificate/CRL. Upon return, points to the DER encoded
structure.
♦ pulEncodedLen [in/out] – on entry, holds the size in bytes of the input
pEncoded buffer. Upon return, it contains the number of unused bytes in
the pEncoded buffer.
Return codes
CKR_OK – function was completed successfully.
CKR_BUFFER_TOO_SMALL – the buffer supplied was too small. The
amount of memory required (beyond what was supplied) is returned in
pulEncodedLen.
CKR_X509_BAD_STRUCTURE – a bad data structure was given to the
function.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
C_X509_GetField
C_X509_GetField receives a BER encoded structure of a certificate/CRL, and
decodes only one of its fields. If the specified field does not appear in the
certificate (such as a specific extension), an empty structure is returned.
Syntax
int C_X509_GetField( CK_ASN_ID Type,
CK_VOID_PTR pEncoded,
CK_ULONG ulEncodedLen,
CK_VOID_PTR pDecoded,
CK_ULONG_PTR pulDecodedLen,
5-75
5 CryptoKit Developer's Guide
CK_X509_FIELD Field);
Parameters
♦ Type [in] – the internal type of the structure (Certificate, CRL).
♦ pEncoded [in] – the BER encoded certificate/CRL.
♦ ulEncodedLen [in] – the size in bytes of the input certificate/CRL in
pEncoded.
♦ pDecoded [in/out] – on entry, points to a buffer for holding the output
decoded structure. Upon return, points to the decoded structure. This
structure should be cast to a structure according to the field type. For
example, if Field is X509_CERT_FIELD_ISSUER, cast pDecoded to
X509_Dname.
♦ pulDecodedLen [in/out] – on entry, holds the size in bytes of pDecoded
buffer. Upon return, it contains the number of unused bytes in the
pDecoded buffer.
♦ Field [in] – the desired field. A list of fields can be found in the
Constants section above.
Return codes
CKR_OK – function was completed successfully.
CKR_BUFFER_TOO_SMALL – the buffer supplied was too small. The
amount of memory required (beyond what was supplied) is returned in
pulDecodedLen.
CKR_BADLY_FORMATTED_INPUT – pEncoded is not a valid BER
encoded structure of type Type.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
C_X509_Copy
C_X509_Copy copies a complex structure into a duplicate in a continuous
memory block.
5-76
SmartAdaptor Add-On Adapters 5
Syntax
int C_X509_Copy( CK_ASN_ID Type,
CK_VOID_PTR pSrc,
CK_ULONG ulSrcLen,
CK_VOID_PTR pDst,
CK_ULONG_PTR pulDstLen);
Parameters
♦ Type [in] – the internal type of the structure (Certificate, CRL, Dname,
extension etc.).
♦ pSrc [in] – the source structure.
♦ ulSrcLen [in] – the size in bytes of the source structure.
♦ pDst [in/out] – on entry, points to a buffer for holding the destination
structure. Upon return, pDst points to the copied structure.
♦ pulDstLen [in/out] – on entry, holds the size of pDst buffer. Upon
return, it contains the number of unused bytes in pDst buffer.
Return codes
CKR_OK – function was completed successfully.
CKR_BUFFER_TOO_SMALL – the buffer supplied was too small. The
amount of memory required (beyond what was supplied) is returned in
pulDstLen.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
CKR_BADLY_FORMATTED_INPUT – a bad structure was given to
the function.
5-77
5 CryptoKit Developer's Guide
C_X509_Sign
C_X509_Sign receives a BER encoded ToBeSigned section of a certificate or
CRL and signs it using the user’s private key, thereby constructing a fully signed
X.509 certificate or CRL object. C_X509_Sign requires that a cryptographic
session be opened before it is called. C_X509_sign uses the signature_alg field
of the input to know which hash and signature algorithm to use.
Note that a DSA signature incorporates random data, which results in different
lengths of ASN.1 encoding. When the function is not given enough memory, the
return size may be a few bytes more than actually required for the signing.
Syntax
int C_X509_Sign(CK_SESSION_HANDLE hSess,
CK_OBJECT_HANDLE hKey,
CK_ASN_ID Type,
CK_VOID_PTR pObject,
CK_ULONG ulObjectLen,
CK_VOID_PTR pSignedObject,
CK_ULONG_PTR pulSignedObjectLen);
Parameters
♦ hSess [in] – handle to a cryptographic session.
♦ hKey [in] – handle to the private key object of the signer.
♦ Type [in] – the internal type of the structure (Certificate, CRL).
♦ pObject [in] – the object to be signed.
♦ ulObjectLen [in] – the size in bytes of the input object pObject.
♦ pSignedObject [in/out] – on entry, points to a buffer for holding the
signed certificate/CRL. Upon return, points to the signed object.
5-78
SmartAdaptor Add-On Adapters 5
♦ pulSignedObjectLen [in/out] – on entry, holds the size in bytes of the
input pSignedObject buffer. Upon return, it contains the number of
unused bytes in the pSignedObject buffer.
Return codes
CKR_OK – function was completed successfully.
CKR_BUFFER_TOO_SMALL – the buffer supplied was too small. The
amount of memory required (beyond what was supplied) is returned in
pulSignedObjectLen.
CKR_BADLY_FORMATTED_INPUT – pObject is not a valid BER
encoded structure of type Type.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
CKR_UNSUPPORTED_ENC_ALG – X.509 Toolkit does not support
the encryption algorithm.
CKR_UNSUPPORTED_HASH_ALG – X.509 Toolkit does not support
the hash algorithm.
CKR_KEY_SIZE_RANGE – key size not supported by the X.509
Toolkit for this algorithm.
C_X509_EncodeSign
C_X509_EncodeSign receives an X509_certificate or X509_crl data struture,
DER encodes it, and signs it with the user’s private key, thereby constructing a
fully signed X.509 certificate or CRL object. C_X509_EncodeSign requires that
a cryptographic session be opened before it is called. C_X509_EncodeSign uses
the signature_alg field of the input to know which hash and signature algorithm
to use.
Note that a DSA signature incorporates random data, which results in different
lengths of ASN.1 encoding. When the function is not given enough memory, the
return size may be a few bytes more than actually required for the signing.
5-79
5 CryptoKit Developer's Guide
Syntax
int C_X509_EncodeSign(
CK_SESSION_HANDLE hSess,
CK_OBJECT_HANDLE hKey,
CK_ASN_ID Type,
CK_VOID_PTR pDecoded,
CK_ULONG ulDecodedLen,
CK_VOID_PTR pSignedObject,
CK_ULONG_PTR pulSignedObjectLen);
Parameters
♦ hSess [in] – handle to a cryptographic session.
♦ hKey [in] – handle to the private key object of the signer.
♦ Type [in] – the internal type of the structure (Certificate, CRL).
♦ pDecoded [in] – the X509_certificate or X509_crl structure to be
encoded and signed.
♦ ulDecodedLen [in] – the size in bytes of the input object pDecoded.
♦ pSignedObject [in/out] – on entry, points to a buffer for holding the
encoded and signed certificate/CRL. Upon return, points to the encoded
and signed object.
♦ pulSignedObjectLen [in/out] – on entry, holds the size in bytes of the
input pSignedObject buffer. Upon return, it contains the number of
unused bytes in the pSignedObject buffer.
Return codes
CKR_OK – function was completed successfully.
5-80
SmartAdaptor Add-On Adapters 5
CKR_BUFFER_TOO_SMALL – the buffer supplied was too small. The
amount of memory required (beyond what was supplied) is returned in
pulSignedObjectLen.
CKR_X509_BAD_STRUCTURE – pDecoded is not a valid data
structure of type Type.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
CKR_UNSUPPORTED_ENC_ALG – X.509 Toolkit does not support
the encryption algorithm.
CKR_UNSUPPORTED_HASH_ALG – X.509 Toolkit does not support
the hash algorithm.
CKR_KEY_SIZE_RANGE – X.509 Toolkit does not support the
required key size for this algorithm.
C_X509_Verify
C_X509_Verify verifies the signature and time validity of a BER encoded
certificate/CRL. It also checks if an unknown critical extension is present.
C_X509_Verify requires that a cryptographic session be opened before it is
called. C_X509_Verify uses the signature_alg field of the input to know which
hash and signature algorithm to use.
Note that C_X509_Verify first checks the signature, then the time validity, and
finally the critical extensions. If one of the KEY_NOT_VALID or the
CKR_X509_UNKNOWN_CRITICAL_EXTENSION codes is returned, this
indicates that the signature was checked and is valid.
If no key is specified in the form of hKey or pCACert, it is assumed that the
input is a self-signed certificate.
Syntax
int C_X509_Verify(
CK_SESSION_HANDLE hSess,
CK_OBJECT_HANDLE hKey,
5-81
5 CryptoKit Developer's Guide
CK_ASN_ID Type,
CK_VOID_PTR pSignedObject,
CK_ULONG ulSignedObjectLen,
CK_VOID_PTR pCACert,
CK_ULONG ulCACertLen);
Parameters
♦ hSess [in] – handle to a cryptographic session.
♦ hKey [in] – handle to the public key object of the signer.
♦ Type [in] – the internal type of the structure (Certificate, CRL).
♦ pSignedObject [in] – the BER encoded signed object to be verified.
♦ pSignedObjectLen [in] – the size in bytes of pSignedObject.
♦ pCACert [in] – the certificate of the CA, which signed the above
certificate/CRL. If hKey is NULL and pCACert is not NULL, the
public key from pCACert will be used to verify the signature. If both
hKey and pCACert are NULL, it is assumed that the input is a self-
signed certificate.
♦ ulCACertLen [in] – the size in bytes of pCACert.
Return codes
CKR_OK – function was completed successfully.
CKR_SIGNATURE_INVALID – signature is invalid.
CKR_X509_KEY_NOT_VALID_YET – validity period has not begun.
CKR_X509_KEY_NOT_VALID_ANYMORE – validity period has
ended.
CKR_X509_UNKNOWN_CRITICAL_EXTENSION – certificate/CRL
has an unknown extension, which is marked critical.
5-82
SmartAdaptor Add-On Adapters 5
CKR_BADLY_FORMATTED_INPUT – pSignedObject is not a valid
BER encoded structure of type Type.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
CKR_UNSUPPORTED_ENC_ALG – X.509 Toolkit does not support
the encryption algorithm.
CKR_UNSUPPORTED_HASH_ALG – X.509 Toolkit does not support
the hash algorithm.
CKR_KEY_SIZE_RANGE – X.509 Toolkit does not support the
required key size for this algorithm.
C_X509_FindInCrl
C_X509_FindInCrl checks if a certificate is listed in a CRL. This is
accomplished by checking that the issuer (if a complete certificate or X509_tbs
is supplied) is the same, and then comparing the certificate's serial number to the
serial numbers specified in the revocation list.
Syntax
int C_X509_FindInCRL(
CK_VOID_PTR pEncodedObj,
CK_ULONG ulEncodedObjLen,
CK_VOID_PTR pEncodedCRL,
CK_ULONG ulEncodedCRLLen,
CK_ASN_ID Type,
CK_VOID_PTR pRevoked,
CK_ULONG_PTR pulRevokedLen,
CK_ULONG_PTR pulResult);
Parameters
5-83
5 CryptoKit Developer's Guide
5-84
SmartAdaptor Add-On Adapters 5
CKR_X509_FOUND_SUPERSEDED – the certificate was
revoked because it was superseded.
CKR_X509_FOUND_CESSATION_OF_OPERATION – the
certificate was revoked because it is no longer required for the
purpose it was issued for.
CKR_X509_FOUND_CERTIFICATE_HOLD – the certificate
was placed on hold.
CKR_X509_FOUND_REMOVE_FROM_CRL – the certificate
should be removed from the CRL (used only with delta-CRLs).
Return codes
CKR_OK – function was completed successfully.
CKR_BADLY_FORMATTED_INPUT – pEncodedObj or
pEncodedCrl is not a valid BER encoded structure.
CKR_ARGUMENTS_BAD – one of the function parameters is invalid.
CKR_X509_BAD_STRUCTURE- a bad structure was given to the
function (when X509_tbs is given as input).
5-85
5 CryptoKit Developer's Guide
The building blocks for any application based on PKI (Public Key
Infrastructure) are public key certificates. These serve as a digital ID for the End
Entity, which can be a person, a software application or a hardware device. A
public key certificate is issued to the End Entity by a trusted third party called a
CA (Certificate Authority), which must first receive a certificate request
message from the End Entity. The CA verifies that the request is valid and was
indeed sent by the End Entity, and then creates a certificate reply message,
which includes the End Entity's certificate.
Currently, some standard and legacy message protocols are used for processing
certificate requests and issuing certificates. Applications implemented around
the world use protocols such as PKIX, CMP/CRMF, PEM, VeriSign's CRS and
Cisco's SCEP. One of the simplest and most popular methods for certification
messages uses PKCS#10 certificate requests, and PKCS#7 certificate replies
(also known as a "certificates only SignedData PKCS#7 message").
5-86
SmartAdaptor Add-On Adapters 5
5-87
5 CryptoKit Developer's Guide
CRQ_FORMAT
DER encoding is used to encode PKCS#10 certificate requests. It creates a
binary message from the stream of data. Some applications though, require that
the binary certificate request be converted to a text message, possibly with a
header and footer. CRQ_FORMAT defines the exact format of the PKCS#10
certificate request.
#define CRQ_FORMAT int
Possible Values
♦ BASIC_PKCS10 – DER encoded binary data.
♦ BASE64_PKCS10 – Base64 encoding of the DER data, results in a text
message.
♦ VERISIGN_CSR – Base64 encoding of the DER data with header and
footer as defined for VeriSign's CSR message.
CRP_FORMAT
Similarly to the PKCS#10 certificate request, the PKCS#7 certificate reply can
be encoded as a binay stream of data in DER format. Some applications though,
require that the binary certificate reply be converted to a text message, possibly
with a header and footer. CRP_FORMAT defines the exact format of the
PKCS#7 certificate reply.
#define CRP_FORMAT int
Possible Values
♦ BASIC_PKCS7 – DER encoded binary data.
♦ BASE64_PKCS7 – Base64 encoding of the DER data, results in a text
message.
♦ VERISIGN_PKCS7 – Base64 encoding of the DER data with header and
footer as defined by VeriSign for replies to CSR messages.
5-88
SmartAdaptor Add-On Adapters 5
pkcs10_cr
This data structure represents the contents of a PKCS#10 certificate request. It is
used as input to the C_PKCS10_CreateCRQ function and as output of the
C_PKCS10_AcceptCRQ function. All the fields of the structure (except for the
signature) must be filled before calling C_PKCS10_CreateCRQ. For a simpler
version of certificate request, which is sufficient for most applications, see
simple_dname later in this section.
typedef struct {
pkcs10_cri cri;
X509_signature signature;
} pkcs10_cr;
pkcs10_cri
The pkcs10_cri data structure represents the Certificate request info section, of
a PKCS#10 certificate request.
typedef struct {
int version;
X509_Dname subject;
X509_key_info subject_key_info;
X509_attributes CK_PTR attributes;
} pkcs10_cri;
♦ version – PKCS#10 protocol version: Always 0.
♦ subject – distinguished name of the subject (person or machine
requesting the certificate).
5-89
5 CryptoKit Developer's Guide
X509_attributes
The X509_attributes structure contains a set of attributes that provide
additional information about the requesting entity and its keys.
typedef struct {
int num_of_attributes;
X509_attribute CK_PTR attributes;
} X509_attributes;
♦ num_of_attributes – number of attributes in this set.
♦ attributes – array of num_of_attributes attributes.
X509_attribute
The X509_attribute contains one attribute consisting of its type and its value(s).
typedef struct {
X509_obj_id type;
int num_of_values;
X509_attr_value CK_PTR values;
} X509_attribute;
♦ type – object Identifier defining the attribute type.
♦ num_of_values – number of different values defined for this attribute.
♦ values – array of num_of_values values.
5-90
SmartAdaptor Add-On Adapters 5
X509_attr_value
The X509_attr_value structure contains the value of an attribute.
typedef struct {
CK_BYTE value_type;
int value_len;
CK_BYTE_PTR value;
} X509_attr_value;
♦ value_type – ASN.1 value type (e.g., Printable String – 0x13).
♦ value_len – length of the value, in bytes.
♦ value – actual value.
simple_dname
The simple_dname structure is a simplified version of a certificate request. It
can be used as input for creating a PKCS#10 certificate request, with the
C_PKCS10_SimpleCreateCRQ function.
typedef struct {
CK_ASN_ID RDN_type;
char value[64];
} simple_dname;
♦ RDN_type – type of the RDN (Relative Distinguished Name) value.
♦ value – actual value (a null terminated string).
certs_and_crls
The certs_and_crls structure contains a list of certificates and CRLs. This
structure is used as input or output to different PKCS#7 functions.
typedef struct {
5-91
5 CryptoKit Developer's Guide
cert_list
The cert_list data structure contains a list of certificates or CRLs.
typedef struct {
CK_BYTE_PTR CK_PTR certs;
CK_ULONG_PTR certLen;
CK_ULONG numOfCerts;
} cert_list;
♦ certs – an array of numOfCerts binary (DER encoded)
certificates/CRLs.
♦ certLen – array featuring the size, in bytes, of each corresponding
certificate/CRL – array size is defined by numOfCerts.
♦ numOfCerts – the number of certificates/CRLs in the list.
5-92
SmartAdaptor Add-On Adapters 5
Functions
C_PKCS10_CreateCRQ
C_PKCS10_CreateCRQ creates a PKCS#10 certificate request in the format
specified by crqFormat, according to the data in pkcs10_cri (Certificate
Request Information).
Syntax
int C_PKCS10_CreateCRQ(
CK_SESSION_HANDLE hSess,
CK_OBJECT_HANDLE hKey,
CRQ_FORMAT crqFormat,
pkcs10_cr CK_PTR pCR,
CK_BYTE_PTR pEncodedCrq,
CK_ULONG_PTR pulEncodedCrqLen);
Parameters
♦ hSess [in] – handle to a cryptographic session.
♦ hKey [in] – handle to the user’s private key.
♦ crqFormat [in] – the format of the output certificate request.
5-93
5 CryptoKit Developer's Guide
C_PKCS10_SimpleCreateCRQ
C_PKCS10_SimpleCreateCRQ also creates a PKCS#10 certificate request. The
simple input parameters, enables you to create the cretificate request without
building the complex data structure of pkcs10_cri. The public key information
is taken from the key media, and no attributes are included in the message.
Syntax
int C_PKCS10_SimpleCreateCRQ(
CK_SESSION_HANDLE hSess,
CK_OBJECT_HANDLE hKey,
CRQ_FORMAT crqFormat,
simple_dname CK_PTR pDname,
CK_ULONG ulNumOfRDNs,
CK_BYTE_PTR pEncodedCrq,
CK_ULONG_PTR pulEncodedCrqLen);
Parameters
♦ hSess [in] – handle to a cryptographic session.
♦ hKey [in] – handle to the user’s private key.
♦ crqFormat [in] – the format of the output certificate request.
♦ pDname [in] – an array of RDN values that comprises the subject’s
dname.
5-94
SmartAdaptor Add-On Adapters 5
♦ ulNumOfRDNs [in] – the number of entries in the dname array.
♦ pEncodedCrq [out] – a buffer for the output encoded PKCS#10
certificate request in the format specified by crqFormat.
♦ pulEncodedCrqLen [in/out] – on entry, holds the initial size of the
pEncodedCrq buffer. Upon return, it contains the actual size of the
encoded data, or the required size, if the buffer is not large enough.
C_PKCS10_AcceptCRQ
C_PKCS10_AcceptCRQ accepts a PKCS#10 certificate request. It verifies that
the signature that was affixed to it was by the private key that corresponds to the
public key it contains. Then, it returns its contents in a pkcs10_cr data
structure.
Syntax
int C_PKCS10_AcceptCRQ(
CK_SESSION_HANDLE hSess,
CRQ_FORMAT crqFormat,
CK_BYTE_PTR pEncodedCrq,
CK_ULONG ulEncodedCrqLen,
CK_BYTE_PTR pDecodedCrq,
CK_ULONG_PTR pulDecodedCrqLen);
Parameters
♦ hSess [in] – handle to a cryptographic session.
♦ crqFormat [in]- the format of the input certificate reply.
♦ pEncodedCrq [in] – the input PKCS#10 certificate request.
♦ ulEncodedCrqLen [in] – the size in bytes of pEncodedCrq.
♦ pDecodedCrq [out] – the buffer for the output pkcs10_cr structure.
5-95
5 CryptoKit Developer's Guide
C_PKCS7_AcceptCRP
C_PKCS7_AcceptCRP accepts a PKCS#7 certificate reply and returns the
certificate(s) contained in it. If CA certificates are included, the complete
certification chain is constructed and verified. If the reply also contains CRLs,
the verification process includes the data in the CRLs.
Syntax
int C_PKCS7_AcceptCRP(
CK_SESSION_HANDLE hSess,
CRP_FORMAT crpFormat,
CK_BYTE_PTR pEncodedCrp,
CK_ULONG ulEncodedCrpLen,
CK_BYTE_PTR pDecodedCrp,
CK_ULONG_PTR pulDecodedCrpLen,
cert_list CK_PTR pCACerts);
Parameters
♦ hSess [in] – handle to a cryptographic session.
♦ crpFormat [in] – the format of the input certificate reply.
♦ pEncodedCrp [in] – the certificate reply comprised of certificates-only
PKCS#7 signed data.
♦ ulEncodedCrpLen [in] – the size in bytes of pEncodedCrp.
♦ pDecodedCrp [out] – a buffer for the output certificate(s). It should be
cast to certs_and_crls.
5-96
SmartAdaptor Add-On Adapters 5
♦ pulDecodedCrpLen [in/out] – on entry holds the initial size of the
pDecodedCrp buffer. Upon return, it contains the actual size of the
decoded data, or the required size, if the buffer is not large enough.
♦ pCACerts [in] – CA certificate(s) (or fingerprints of these certificates)
needed for verifying the signature on the certificate and the message. If
this value is NULL, then no signature will be verified.
C_PKCS7_CreateCRP
C_PKCS7_CreateCRP creates a PKCS#7 certificate reply with the certificates
and CRLs in pCertsAndCrls.
Syntax
int C_PKCS7_CreateCRP(
CRP_FORMAT crpFormat,
certs_and_crls CK_PTR pCertsAndCrls,
CK_BYTE_PTR pEncodedCrp,
CK_ULONG_PTR pulEncodedCrpLen);
Parameters
♦ crpFormat [in] – the format of the output certificate reply.
♦ pCertsAndCrls [in] – the certificates and CRLs to be included in the
reply.
♦ pEncodedCrp [out] – a buffer for the output encoded PKCS#7
certificate reply in the format specified by crpFormat.
♦ pulEncodedCrpLen [in/out] – on entry holds the initial size of
pEncodedCrp buffer. Upon return, contains the actual size of the
encoded data, or the required size, if the buffer is not large enough.
5-97
5 CryptoKit Developer's Guide
Programming Samples
int main()
{
CK_RV rc;
CK_SLOT_ID pSlotList[10];
CK_ULONG ulCount = 10;
CK_SESSION_HANDLE hSession;
CK_ATTRIBUTE findDSAPrivateKey[] = {
{CKA_CLASS,&attribPrivateKey,sizeof(attribPrivateKey)},
{CKA_KEY_TYPE,&attribDSA,sizeof(attribDSA)},};
5-98
SmartAdaptor Add-On Adapters 5
CK_ULONG ulObjectsFound;
CK_OBJECT_HANDLE hPrivateKey;
FILE * f;
simple_dname dnames[10];
BYTE encodedCrq[2048];
CK_ULONG encodedCrqLen = sizeof(encodedCrq);
5-99
5 CryptoKit Developer's Guide
5-100
SmartAdaptor Add-On Adapters 5
fwrite(encodedCrq,1,encodedCrqLen,f);
fclose(f);
printf("CRQ created successfully and saved in file
%s\n",fname);
}
else
printf("*** Error – Unable to open output file
%s\n",fname);
// Close crypto
rc = C_Logout(hSession);
if (rc != CKR_OK)
printf("*** Error in C_Logout – %x\n",rc);
C_Finalize(NULL_PTR);
return(0);
}
Once the program has completed these assignments it is ready to call the
function:
rc = C_PKCS10_SimpleCreateCRQ(
hSession,hPrivateKey,crqFormat,dnames,3,
encodedCrq,&encodedCrqLen)
5-101
5 CryptoKit Developer's Guide
After the call has been completed successfully, the certificate request is saved to
a file. It can also be displayed to a user for cut&paste, or sent directly over
TCP/IP.
#include <stdio.h>
#include <stdlib.h>
#include "ck_pk107.h"
#include "pkcs11.h"
{
FILE * f;
char fname[32];
CK_SLOT_ID pSlotList[10];
CK_ULONG ulCount = 10;
CK_SESSION_HANDLE hSess;
CK_CHAR_PTR pin = "12345678";
5-102
SmartAdaptor Add-On Adapters 5
CK_RV rc;
BYTE encodedCrp[4096];
CK_ULONG encodedCrpLen = sizeof(encodedCrp);
BYTE decodedCrp[4096];
CK_ULONG decodedCrpLen = sizeof(decodedCrp);
CK_ULONG tmpLen;
certs_and_crls * CertsAndCrls;
CRP_FORMAT crpFormat = BASE64_PKCS7;
CK_ULONG i;
if (argc != 2) {
printf("Usage: AcceptCrp crp_file\n\n");
exit(0);
}
// Start crypto
rc = C_Initialize(NULL_PTR);
if (rc != CKR_OK) {
printf("*** Error in C_Initialize – %x\n",rc);
exit(0);
}
rc = C_GetSlotList(FALSE,pSlotList,&ulCount);
if (rc != CKR_OK) {
printf("*** Error in C_GetSlotList – %x\n",rc);
exit(0);
}
5-103
5 CryptoKit Developer's Guide
rc = C_OpenSession(pSlotList[0],CKF_RW_SESSION |
CKF_SERIAL_SESSION,NULL_PTR,NULL_PTR,&hSess);
if (rc != CKR_OK) {
printf("*** Error in C_OpenSession – %x\n",rc);
exit(0);
}
C_Finalize(NULL_PTR);
exit(0);
}
5-104
SmartAdaptor Add-On Adapters 5
if (CertsAndCrls->crls) {
for (i=0;i<CertsAndCrls->crls->numOfCerts;i++) {
sprintf(fname,"crl%d.crl",i+1);
f = fopen(fname,"wb");
if (f) {
fwrite(CertsAndCrls->crls
->certs[i],1,CertsAndCrls
->crls->certLen[i],f);
printf("Certificate written to file
%s\n",fname);
}
else
printf("*** Error – Failed to open file %s
for output\n",fname);
}
}
// End crypto
C_Finalize(NULL_PTR);
return(0);
}
The program first reads the certificate reply data from a file. Then it opens a
cryptographic session, and calls C_PKCS7_AcceptCRP to process the certificate
reply. The program does not check the validity of the certificate. You can check
for the certificate validity by loading the known CA's certificates, placing them
in a cert_list structure, and adding them to the parameters when calling the
function.
5-105
5 CryptoKit Developer's Guide
The data that results from calling the function is placed in decodedCrp and cast
to certs_and_crls. Then, all the certificates and CRLs present in the certificate
reply are saved to disk. In actual applications, the certificates and CRLs are
probably stored in a database, or even in the key media. For example, using
Algorithmic Research's PrivateWire, the End Entity's certificate is saved in the
key media.
This is illustrated in the following sample and, in fact, this application can serve
as a fully functional CA, or be used as the basis for a comprehensive CA.
5-106
SmartAdaptor Add-On Adapters 5
int main(int argc, char **argv)
{
FILE * f;
CK_SLOT_ID pSlotList[10];
CK_ULONG ulCount = 10;
CK_SESSION_HANDLE hSess;
CK_OBJECT_HANDLE hKey;
CK_RV rc;
BYTE encodedCrq[4096];
CK_ULONG encodedCrqLen = sizeof(encodedCrq);
BYTE encodedCrt[4096];
CK_ULONG encodedCrtLen = sizeof(encodedCrt);
BYTE decodedCrq[4096];
CK_ULONG decodedCrqLen = sizeof(decodedCrq);
BYTE decodedCrt[4096];
CK_ULONG decodedCrtLen = sizeof(decodedCrt);
BYTE encodedCrp[4096];
CK_ULONG encodedCrpLen = sizeof(encodedCrp);
CK_ULONG tmpLen;
certs_and_crls CertsAndCrls;
cert_list CertList;
CRQ_FORMAT crqFormat;
CRP_FORMAT crpFormat;
char outFile[3][16] = {
{"reply.der"},{"reply.b64"},{"reply.pk7"}};
pkcs10_cr * pCr;
X509_certificate * pCert;
CK_BYTE_PTR pCerts[2];
CK_ULONG CertsLen[2];
if (argc != 5) {
printf("Usage: MicroCA <CA_file> <crq_file> <crq/p
format> <SN>\n");
printf("\t<CA_file> = CA certificate file\n");
printf("\t<crq_file> = file with crq\n");
printf("\t<crq/p format> = (1)basic der, (2)basic
base64, (3)VeriSign csr\n");
printf("\t<SN> = Serial number to be given to the new
certificate\n\n");
exit(0);
5-107
5 CryptoKit Developer's Guide
}
// Read the CA certificate from file
f = fopen(argv[1],"rb");
if (!f) {
printf("*** Error opening crt file\n");
exit(0);
}
tmpLen = fread(encodedCrt,1,encodedCrtLen,f);
fclose(f);
if (tmpLen == encodedCrtLen) {
printf("*** Internal Error – Buffer too short for Crt
file\n");
exit(0);
}
encodedCrtLen = tmpLen;
if (tmpLen == encodedCrqLen) {
printf("*** Internal Error – Buffer too short for Crq
file\n");
exit(0);
}
encodedCrqLen = tmpLen;
5-108
SmartAdaptor Add-On Adapters 5
// Start crypto
rc = C_Initialize(NULL_PTR);
if (rc != CKR_OK) {
printf("*** Error in C_Initialize – %x\n",rc);
exit(0);
}
rc = C_GetSlotList(FALSE,pSlotList,&ulCount);
if (rc != CKR_OK) {
printf("*** Error in C_GetSlotList – %x\n",rc);
exit(0);
}
rc = C_OpenSession(pSlotList[0],CKF_RW_SESSION|
CKF_SERIAL_SESSION, NULL_PTR,NULL_PTR,&hSess);
if (rc != CKR_OK) {
printf("*** Error in C_OpenSession – %x\n",rc);
exit(0);
}
// Decode CA certificate
rc = C_X509_Decode(CK_X509_ID_CERT,encodedCrt,encodedCrtLen,
decodedCrt,&decodedCrtLen);
if (rc != CKR_OK) {
printf("*** Error in C_X509_Decode – %x\n",rc);
C_Finalize(NULL_PTR);
exit(0);
}
pCert = (X509_certificate *)decodedCrt;
5-109
5 CryptoKit Developer's Guide
// Logon to media
rc = C_Login(hSess,CKU_USER,NULL_PTR,0);
if (rc != CKR_OK) {
printf("*** Error in C_Login – %x\n",rc);
C_Finalize(NULL_PTR);
exit(0);
}
5-110
SmartAdaptor Add-On Adapters 5
rc = GetKeyHandle(hSess,&hKey,pCert
->signature.sign_alg.alg_id.int_id);
if (rc != CKR_OK) {
C_Finalize(NULL_PTR);
exit(0);
}
rc =
C_X509_EncodeSign(hSess,hKey,CK_X509_ID_CERT,pCert,decodedCrtLen,
encodedCrt,&encodedCrtLen);
encodedCrtLen = sizeof(encodedCrt) – encodedCrtLen;
// Encode crp
rc = C_PKCS7_CreateCRP(crpFormat,&CertsAndCrls,
encodedCrp,&encodedCrpLen);
if (rc != CKR_OK) {
printf("*** Error in C_PKCS7_CreateCRP – %x\n",rc);
exit(0);
}
5-111
5 CryptoKit Developer's Guide
5-112
SmartAdaptor Add-On Adapters 5
if ((rc != CKR_OK) || (ulObjectsFound != 1)) {
printf("*** Error in C_FindObjects – %x,
ulObjectsFound=%d\n",rc,ulObjectsFound);
return rc;
}
rc = C_FindObjectsFinal(hSession);
if (rc != CKR_OK) {
printf("*** Error in C_FindObjectsFinal – %x\n",rc);
return rc;
}
return CKR_OK;
}
5-113
5 CryptoKit Developer's Guide
See the X.509 Toolkit section for more information about decoding of the CA
certificate, and encoding and signing of the End Entity certificate.
Note: This application does not check whether the certificate request actually
originated from the entity written in the Distinguished Name section of the
certificate request, nor whether this entity is approved to get a certificate from
this CA.
2. Then, the program parses the CA certificate and builds the End Entity's
certificate with the data described above. In this case the End Entity's
certificate is built directly on top of the CA certificate because it contains
many of the same fields. This changes the parsed version of the CA
certificate only, but does not affect either the encoded CA certificate, or
the original CA certificate from the disk.
3. Finally, it logs on to the key media and retrieves a handle to the CA's
private key for signing the End Entity's certificate. It calls the X.509
5-114
SmartAdaptor Add-On Adapters 5
Toolkit function C_X509_EncodeSign to encode and sign the certificate.
The certificate is placed in a certs_and_crls structure which is used as a
parameter for C_PKCS7_CreateCRP:
rc = C_PKCS7_CreateCRP(crpFormat,&CertsAndCrls,
encodedCrp,&encodedCrpLen);
♦ crpFormat – same format as the certificate request.
♦ CertsAndCrls – a structure that includes the newly created End Entity
certificate.
♦ encodedCrp – buffer for the encoded certificate reply.
♦ encodedCrpLen – the size of the encodedCrp buffer.
The certificate reply is saved into a file that can be sent to the End Entity.
5-115
5 CryptoKit Developer's Guide
The PKCS#12 Toolkit allows importing and exporting of keys and certificates,
which are stored in standard PKCS#12 files (PFX files). The toolkit provides
two simple functions. One for importing and the other for exporting keys and
certificates.
Functions
ImportPKCS12
This function imports a private key and certificate from a standard PKCS#12
file.
Syntax
CK_RV ImportPKCS12(
CK_SESSION_HANDLE hSession,
char * pfxfile,
char * password,
char errmsg[128]);
Parameters
5-116
SmartAdaptor Add-On Adapters 5
♦ hSession [in] – handle to a cryptographic session with the token into
which the keys and certificate will be imported to. The user must be
already logged on.
♦ pfxfile [in] – the name of the PKCS#12 file with the keys and certificates
to be imported..
♦ password [in] – password of the PKCS#12 file.
♦ errMsg [out] – buffer to which a message will be copied upon
completion of the function.
Return codes
CKR_OK – function was completed successfully.
CKR_GENERAL_ERROR – open or read file operation failed
CKR_MECHANISM_INVALID – unsupported mechanism is needed to
import the file.
ExportPKCS12
This function exports a private key and certificate from the token into a standard
PKCS#12 file. The private key must be extractable.
Syntax
CK_RV ExportPKCS12(
CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hPrivKey,
char * outfile,
char * password,
CK_MECHANISM_TYPE mech,
char errmsg[128]);
Parameters
5-117
5 CryptoKit Developer's Guide
Return codes
CKR_OK – function was completed successfully
CKR_GENERAL_ERROR – open or write file operation failed
5-118
Chapter 6: SmartAdaptor Utilities
This chapter describes the utilities available with SmartAdaptor to manage
tokens: format, change PIN, view contents, import and export keys and
certificates, prepare for use with other applications and more.
AR Genie Utility
The AR Genie utility application enables the user to perform routine operations
on tokens. The operations include password maintenance, token formatting,
default setting, token standardization and more.
6-1
6 CryptoKit Developer's Guide
Change Password
Use this option to change the user password (PIN) that protects the token. The
password should be changed periodically. In order to change the password, you
must present the current password.
Login
This option is used to login into the token. It can be used with the Single Sign
On (SSO) mechanism to set the password for a specific token. Then it is
possible to run an application that does not have any user interface but still be
6-2
SmartAdaptor Utilities 6
able to access the private keys that are stored on that token. Selection of this
option opens the PIN entry dialog box.
Format Token
Use this option to format the token and prepare it for work. This operation
erases all objects stored on a token (keys, certificates and data objects) and
should be performed only once. To format the token:
1. Select the token from the list.
2. Shut down any CryptoKit applications that may be running or using the
token.
3. Click Action menu and then select Format.
4. In the PIN entry dialog box, enter the new token password (minimum 6,
to maximum 54 alphanumeric characters) and confirm it.
5. Wait until the operation is finished. Now the token is initialized and
ready for operation.
Note: It is possible to hide this option by setting an entry in the registry. Please
refer to explanation about GenieFormat parameter in Chapter 7.
6-3
6 CryptoKit Developer's Guide
Standardize Token
AR CryptoKit supports the two most common cryptographic standards. One is
PKCS#11 (by RSA) and the second is CryptoAPI (by Microsoft). Most
applications use one of these standards. However, in some cases, applications
(such as Entrust) create keys using PKCS#11 standard in a way that AR
CryptoKit is unable to work with them in applications that use CryptoAPI.
Use this option to standardize the objects on the token in such a way that would
enable CryptoAPI applications to use the keys that were created via the
PKCS#11 standard without damaging the original keys and still enable these
keys to be used by their original applications.
Note: It is possible to hide this option by setting an entry in the registry. Please
refer to explanation about GenieStandardize utility in Chapter 7.
As mentioned above, AR Genie can run in administrator mode (by entering the
command: argenie /br). In that mode, you can perform different actions on
slots, tokens and objects.
Slot Menu
The Slot menu includes operations that can be performed on PKCS#11 slots,
such as: Get Information, Refresh List, Bind, Unbind, Set Default Slot an Clear
Default Slot.
The options in the Slot menu that are available only in administrator mode are:
6-4
SmartAdaptor Utilities 6
Viewing List of Slots
In administrator mode all the slots that are installed are displayed. Non-inserted
slots are insensitive.
Slot Information
To view the slot information:
1. Select the desired slot.
2. Click Slot menu and then select Get Information.
6-5
6 CryptoKit Developer's Guide
Refresh List
This option will refresh the displayed list.
Bind
This option allows the user to dynamically bind to a software token file. This
option is displayed in the menu only if CryptoKit was installed with software
token feature. To bind to a software token:
1. Click Slot menu and then select Bind option.
2. Browse your computer and select a CryptoKit software token file.
Usually, these files will have the *.sft extension.
3. If there is an empty dynamic slot that the file can be bound to and the file
is valid software token then it will be bound to an empty software slot.
The slot will appear as if a token was inserted.
6-6
SmartAdaptor Utilities 6
Unbind
This option allows the user to unbind a dynamic software slot. This option is
displayed in the menu only if CryptoKit was installed with software token
feature. To unbind to a software token:
1. Select the software slot that was previously bound.
2. Click Slot menu and then select Unbind option.
3. The slot should appear as if the token was removed.
Token Menu
The Token menu includes operations that can be performed on the available
tokens, such as: Get Information, Change User and SO PIN, View Objects,
Login, Standardize, Format, Change Label, Dump and Import Key.
The options in the Token menu that are available only in administrator mode
are:
Token Information
To view the token information:
1. Select the slot where the token is inserted.
2. Click Token menu and then select Get Information.
6-7
6 CryptoKit Developer's Guide
Change SO Password
Use this option to change the SO password (PIN) that protects the token. In
order to change the password, you must present the current password.
6-8
SmartAdaptor Utilities 6
Change Label
Using this option you can change the token label:
1. Select the token you want to change its label.
2. Click Token menu and then select Change Label.
3. If you are not logged in, the PIN entry dialog will be displayed.
4. Enter the new token label in the Set Token Label dialog.
Dump
Use this option to print the whole token contents into a text file:
6-9
6 CryptoKit Developer's Guide
Note: You can dump the contents of a specific object from the Objects window.
Import Key
Use this option to import a PKCS#12 file (*.pfx, *.p12) into the token. These
files are used to transfer private, public and certificate objects from one token to
another. The PFX file may be protected by a password. To import a PFX file
contents into the token do the following:
1. Select the token you want to import the PFX file to.
2. Click Token menu and then select Import Key.
3. Enter the name and location of a valid PKCS#12 file (*.pfx or *.p12) or
click Browse button to search for the file to import.
4. Enter the password that protects the PFX file. You may leave the
password empty if the PFX file is not protected by password.
5. Click OK to import the file.
6. If you are not logged in, you will be requested to enter the token PIN.
7. The file contents will be imported into the token. You can view the new
objects in the Objects window.
Note: You can import PFX files also by using the PKCS#12 import/export
utility as explained later in this chapter.
6-10
SmartAdaptor Utilities 6
View Objects
Use this option to view the objects that are stored on the token: data objects,
keys and certificates. Use the Login option to login into the token and to view
the private objects as well. Press the title of the table to sort the objects by:
Type, Label, Size, Private/Public or their ID. Double click an object to view its
details. Right click an object or click Object in the menu to perform additional
operations on the selected object.
6-11
6 CryptoKit Developer's Guide
6-12
SmartAdaptor Utilities 6
The following window shows the details of RSA public key object. Please refer
to the PKCS#11 standard for specific explanation about the meaning of the
parameters displayed in this window.
6-13
6 CryptoKit Developer's Guide
When viewing a data object, you can see its contents in binary or hex format.
You can copy the value of the object into the clipboard.
Similar windows are displayed also for private RSA keys and secret keys.
6-14
SmartAdaptor Utilities 6
When a certificate object is selected, the following window is displayed:
6-15
6 CryptoKit Developer's Guide
Click the View certificate button to view the contents of the certificate:
6-16
SmartAdaptor Utilities 6
Refresh List
This option will refresh the displayed list of objects.
Dump Object
Use this option to print the object content into a text file:
1. Select the object you want to dump its contents.
2. Click Object menu and then select Dump or right-click the object and
select Dump from the pull down menu.
3. Enter the name and location of the text file that will be created and then
click Save button.
4. The object contents and attributes will be written into the file.
Export Object
Use this option to export private and public RSA keys and their corresponding
certificate into a PKCS#12 file (*.pfx). You must be logged in for this option to
be available. The operation will fail if the RSA private key is not extractable.
To export a PFX file do the following:
1. Select an RSA public or private key object that you want to export into a
PFX file.
2. Click Object menu and then select Export or right-click the object and
select Export from the pull down menu.
3. The Export Key File dialog will open.
4. Enter the name and location of the PFX file that will be created or click
Browse button.
5. Enter the password that will protect the PFX file
6. From the Encryption Mechanism list, select the algorithm that will be
used to encrypt the objects inside the PFX file: RC2 or 3DES.
6-17
6 CryptoKit Developer's Guide
Note: You can export PFX files also by using the PKCS#12 import/export utility
as explained later in this chapter.
Delete Object
To delete an object, which is stored on the token:
1. Open the object list window.
2. Select the object you want to delete.
3. Click Object menu and then select Delete or right-click the object and
select Delete from the pull down menu.
Note: It is possible to hide this option by setting an entry in the registry. Please
refer to explanation about GenieDeleteMode parameter in Chapter 7.
6-18
SmartAdaptor Utilities 6
All operations that AR Genie provides are available from the command line,
without any user interface.
Note: The parameters are not case sensitive. Parameters in [ ] are optional. If
a parameter is omitted a default value will be used or an appropriate dialog
box will appear. The default slotId is 1.
Usage
Display the list of all available command line parameters.
Syntax:
ARgenie /?
User Mode
Run AR Genie in user mode.
Syntax:
ARgenie
Administrator Mode
Run AR Genie in administrator mode.
Syntax:
ARgenie /BR
Format
Format the token and set the user PIN.
6-19
6 CryptoKit Developer's Guide
Syntax:
ARgenie /cmd=Format [/slotId=XX] [/label="abc"]
[/oldSOPin="abc"] [/newPin="abc"]
Parameters:
slotId – The number of the slot to format. If omitted, the default is slot 1.
label – The label of the token. If omitted, the label will be CryptoKit’s
default.
oldSOPin – The SO PIN, which is needed to format the token. If omitted, the
default "11111111" is used. If the default PIN fails, the PIN entry dialog box
will open, requesting the user to enter the SO PIN.
newPin – The new user PIN. If omitted, the default is "12345678".
Syntax:
ARgenie /cmd=ChangePIN [/slotId=XX] [/oldPin="abc"]
[/newPin="abc"]
Parameters:
slotId – The number of the slot you want to change the user PIN. If omitted,
the default is slot 1.
oldPin – The current user PIN. If omitted, then the user will be prompted to
login and then to change the PIN. Two dialogs will be displayed: the first is the
login dialog and then the change PIN dialog.
newPin – The new user PIN. If omitted, and oldPin is also omitted then the
user will be prompted to login and then to change the PIN. If omitted and
oldPin is not empty, the operation will fail.
Change SO PIN
Change the SO PIN.
Syntax:
ARgenie /cmd=ChangePIN [/slotId=XX] [/oldSOPin="abc"]
[/newSOPin="abc"]
6-20
SmartAdaptor Utilities 6
Parameters:
slotId – The number of the slot you want to change the user PIN. If omitted,
the default is slot 1.
oldSOPin – The current SO PIN. If omitted, then the user will be prompted to
login and then to change the SO PIN. Two dialogs will be displayed: the first is
the login dialog and then the change PIN dialog.
newSOPin – The new SO PIN. If omitted, and oldSOPin is also omitted then
the user will be prompted to login and then to change the SO PIN. If omitted
and oldSOPin is not empty, the operation will fail.
Change Label
Change the token label.
Syntax:
ARgenie /cmd=ChangeLabel /label="abc" [/slotId=XX]
[/oldPin="abc"]
Parameters:
label – The new label of the token. If omitted, the current token label will not
be changed.
slotId – The number of the slot you want to change its label. If omitted, the
default is slot 1.
oldPin – The current user PIN. If omitted the PIN dialog will be displayed.
Syntax:
ARgenie /cmd=SetDefaultSlot [/slotId=XX]
Parameters:
slotId – The number of the slot you want to be the default slot number for
CAPI applications. If omitted, the default is slot 1.
6-21
6 CryptoKit Developer's Guide
Syntax:
ARgenie /cmd=ClearDefaultSlot
Dump
Dump token contents into a text file.
Syntax:
ARgenie /cmd=Dump [/slotId=XX] [/filename="abc"]
[/oldPin="abc"]
Parameters:
slotId – The number of the slot you want to dump its contents. If omitted,
the default is slot 1.
filename – The output filename. If omitted it will be "DumpToken.txt".
oldPin – The current user PIN. If omitted the PIN dialog will be displayed.
Import
Import objects from a PKCS#12 (*.pfx, *.p12) file into the token.
Syntax:
ARgenie /cmd=Import /filename="abc" [/slotId=XX]
[/oldPin="abc"] [/filePin="abc"]
Parameters:
filename – The name of the PFX file you want to import
slotId – The number of the slot you want to import to. If omitted, the default
is slot 1.
oldPin – The current user PIN. If omitted the PIN dialog will be displayed.
filePin – The PFX file password. May be omitted if the PFX is not protected
by a password.
6-22
SmartAdaptor Utilities 6
Standardize
Standardize the token.
Syntax:
ARgenie /cmd=Standardize [/slotId=XX] [/oldPin="abc"]
Parameters:
slotId – The number of the slot you want to standardize. If omitted, the
default is slot 1.
oldPin – The current user PIN. If omitted the PIN dialog will be displayed.
6-23
6 CryptoKit Developer's Guide
Import Operation
To import objects contained in a PKCS#12 file into a token, run the utility with
the following command line parameters:
Export Operation
To export objects contained in a token into a PKCS#12 PFX file, run the utility
with the following command line parameters:
6-24
SmartAdaptor Utilities 6
♦ filename – the name of PFX file to be created. If not specified, the
default output file name is out.pfx.
♦ id – the id of the key and certificate to export. The default is the first key
found on the token.
♦ label – the label of the key and certificate to export. The default is the
first key found on the token.
♦ slot – the slot number of the token. The default is the first slot with token
inserted.
♦ 3des – the algorithm that will be used to encrypt the objects inside the
PFX file. The default is RC2. If this parameter is specified, 3DES is
used.
6-25
6 CryptoKit Developer's Guide
DlmLoad Utility
The DlmLoad.exe utility program is a command line utility that can be used
to load DLMs into the PrivateSafe reader. A DLM is a special program that is
loaded into the reader and provides additional functionality.
CryptoKit installs this utility when the PrivateSafe reader feature is selected.
After the driver is installed the user has to reboot the machine and then the
DlmLoad utility is automatically executed to install the latest DLM into the
PrivateSafe reader. When this utility is loading a DLM into the reader, the user
keyboard is disabled because the PrivateSafe is connected to the keyboard.
The utility can also be used to view which version of DLM is loaded and it can
erase the loaded DLM. The command line parameters of this utility are:
Usage
Display the list of all available command line parameters.
Syntax:
Dlmload /?
Status
Display the PrivateSafe version and DLM version.
Syntax:
Dlmload
Description:
Running the utility without any parameter will display a message box:
6-26
SmartAdaptor Utilities 6
Load DLM
Load a DLM file into the PrivateSafe reader. You can specify up to three DLM
files. Only DLMs that match the PrivateSafe reader you have will be loaded.
Syntax:
Dlmload DlmFile1 [DlmFile2] [DlmFile3] [/Replace] [/Silent]
Parameters:
DlmFile1 – The name of the DLM file you want to load
DlmFile2 – Optional additional DLM file to load
DlmFile3 – Optional additional DLM file to load
Replace – By default the utility will replace an existing DLM only if the new
one has a higher version number. Use this flag if you want to suppress the
version check and force DLM load.
Silent – Use this parameter to disable any dialog box during the execution
of this utility.
Kill DLM
Delete the existing DLM from the PrivateSafe reader.
Syntax:
Dlmload /Kill
Note: Some applications will not function correctly if no DLM is loaded in the
PrivateSafe reader. Use this option with care.
6-27
Chapter 7: Installation
Installation Packages
7-1
7 CryptoKit Developer's Guide
Installation From CD
To install CryptoKit, simply insert the installation CD. CryptoKit has an
AUTORUN option, which runs the setup automatically. If this option is disabled
on the user’s computer, run the setup program (setup.exe) from the root
directory of the installation CD.
Important Note: In order to be able to install CryptoKit, you must have
administrator rights.
7-2
Installation 7
In the License Agreement screen, click I accept the license agreement and then
click the Next button.
7-3
7 CryptoKit Developer's Guide
In the Destination directory screen, enter the installation directory and then click
the Next button. You can change the default folder by entering a different
directory name in the Destination Folder edit box or by clicking the Browse
button and selecting an existing directory.
7-4
Installation 7
In the Features tree screen, select the features you want to install, and then click
the Next button.
In the confirmation screen, click Yes button to start the CryptoKit installation.
7-5
7 CryptoKit Developer's Guide
When the installation is complete, the Finish screen will appear. Click the
Finish button to exit the installation program and if requested, reboot the
machine.
The CryptoKit installation requires reboot only in cases when it is needed for
example, when installing hardware drivers that need reboot to operate or when
the installation needs to replace a file, which is currently locked. If no reboot is
required, the Finish screen will allow you to exit the installation program and
immediately start working with CryptoKit.
Note: When the Netscape plug-in is selected, the setup program runs the
Netscape Navigator with an installation applet.
7-6
Installation 7
Modifying or Removing an Existing Installation
7-7
7 CryptoKit Developer's Guide
Note: I f you do not want to allow users to modify or repair the installation, you
can hide this window by setting the parameter showMaint to FALSE. In this
case, the user will be prompted to confirm uninstalling CryptoKit. For more
information, please refer to explanation how to customize the installation, later
in this chapter.
Note: Due to changes in the installation program, this feature is supported only
when upgrading from version 3.5.x. When upgrading from older versions, such
as 3.2 and 3.4, you must first uninstall the old version.
7-8
Installation 7
In the Welcome screen, click the Next button to upgrade existing installed
features to the newer version of CryptoKit.
Silent Installation
CryptoKit can be installed in unattended and silent mode. This means that no
user interaction is needed and no indication of the progress of installation is
displayed. This feature is supported by the InstallShield program, which is used
to install CryptoKit.
7-9
7 CryptoKit Developer's Guide
In order to create a silent installation you need to perform the following steps:
• On an end user's system, run the installation in silent mode, using the
data in the response file in place of user input.
To generate the response file, you have to run the setup.exe with the /r switch.
This displays the installer's dialog boxes, and additionally records the data you
enter in the dialog boxes in a text response file. By default, the response file is
generated in the Windows folder and is called setup.iss. The response file
uses the .iss (for "InstallShield silent") file name extension. However, you can
specify an alternative file name and location, with the /f1 argument. For
example:
setup /r /f1"C:\sample\install.iss"
Note: there is no space between /f1 and the quoted path to the response file to
create.
To deploy CryptoKit silently, based on the response file, you need to copy the
response file to the CryptoKit installation package and run silent installation
with the /s switch. Again, using the /f1 switch you can specify the name and
location of the response file to be used. For example:
setup /s /f1"C:\sample\install.iss"
Note: When silent installation is used, no dialog box appears to the end user,
even the reboot confirmation dialog. If reboot is needed after installation, and
you selected to reboot the computer when recording the response file, then
reboot will be executed automatically on the client machine. You can either
select to reboot later or run the silent installation when no user is logged on as
explained in the next section.
7-10
Installation 7
Centralized Installation from Active Directory
To use group policies to centrally install CryptoKit, you need to perform three
steps:
The first step will be to create a silent CryptoKit installation with the features
you want to install in your network:
♦ Copy the CryptoKit installation package files to a clean machine.
7-11
7 CryptoKit Developer's Guide
The following VBscript sample copies the installation files from the server into
a temporary directory on the client machine. Then it runs a silent installation.
The script file has to be saved with .vbs extension.
Note: You need to change the variable strSourceDir to the name of the
shared directory, where the CryptoKit setup files are located.
'===============================================================
' Script Name: CryptoKit.vbs
'
' Install CryptoKit from active directory or Microsoft SMS server
'===============================================================
'---------------------------------------------------------------
' Variables declaration
'---------------------------------------------------------------
Dim objFileSystem, objShell, objProvEnv
Dim strTmpDir, strRegistry, strSourceDir, strDestDir
'---------------------------------------------------------------
' !!! Change strSourceDir to the name of a shared directory !!!
' !!! where the CryptoKit setup files are located !!!
'---------------------------------------------------------------
strSourceDir = "\\Server_Name\Share_Name"
'---------------------------------------------------------------
' Initialize Variables
'---------------------------------------------------------------
7-12
Installation 7
On Error Resume Next
Set objShell = CreateObject("Wscript.Shell")
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objProvEnv = objShell.Environment("Process")
'---------------------------------------------------------------
' Read from registry and quit if CryptoKit is already installed
'---------------------------------------------------------------
strRegistry =
objShell.RegRead("HKLM\Software\ARL\SmartAdaptor\Main\CkitDir")
If Err.number = vbEmpty and strRegistry <> "" then
Wscript.Quit
End If
'---------------------------------------------------------------
' Find TEMP directory on local computer
'---------------------------------------------------------------
strTmpDir = objProvEnv("TEMP")
If strTmpDir <> "" And objFileSystem.FolderExists(strTmpDir)Then
strDestDir = strTmpDir
Else
strDestDir = "C:\Temp"
End If
'---------------------------------------------------------------
' Copy installation files to local computer and run silent setup
'---------------------------------------------------------------
objFileSystem.CopyFolder strSourceDir, strDestDir, True
The script can be used not only to install CryptoKit on a clean machine, but it
can be easily changed to handle CryptoKit upgrade. The CryptoKit installation
7-13
7 CryptoKit Developer's Guide
The final step is to assign the startup script to a group of computers in the
domain:
♦ From a Windows 2000-based computer in the domain, log on as a
domain administrator, and start the Active Directory Users and
Computers snap-in.
♦ Click the container you want to have the Group Policy Object (GPO)
linked to. Right-click that container, click Properties, and then click the
Group Policy tab.
7-14
Installation 7
♦ Create a new GPO for installing the CryptoKit package, and give it a
descriptive name.
♦ While the GPO is selected, click Edit to start the Group Policy snap-in
and edit this GPO.
7-15
7 CryptoKit Developer's Guide
7-16
Installation 7
♦ Click Computer Configuration, Windows Setting, Scripts
(Startup/Shutdown)
7-17
7 CryptoKit Developer's Guide
♦ Click Show Files to open the default folder where startup scripts
assigned to this GPO are stored on your domain controller. The startup
scripts are stored in a subfolder of the SYSVOL share on the domain
controller, which is named:
\SYSVOL\<domain_DNS_name>\Policies\<policy_GUID>\
MACHINE\scripts\Startup
The contents of this folder are automatically replicated to all domain
controllers in the domain.
7-18
Installation 7
♦ Using Windows Explorer copy into this folder the startup VBscript script
that was created in the previous step.
♦ Close the folder window and return to the Logon Properties screen and
click Add button to open the Add a Script dialog box.
♦ In the Script Name field, type the name of the startup script file you
want to assign and press OK.
♦ In the Logon Properties dialog press the Apply button or press OK
button twice to assign the new startup script.
7-19
7 CryptoKit Developer's Guide
The startup script will be executed when the machines in the container will
reboot.
It is possible to install CryptoKit from Microsoft SMS 2003 Server. The steps
are very similar to installation from active directory. However, the assignment to
groups of computers has to be done in a different way.
To use Microsoft SMS 2003 Server to centrally install CryptoKit, you need to
perform three steps:
The first two steps are exactly the same as when centrally installing CryptoKit
using active directory group policies mechanism. Please refer to the previous
section for a detailed explanation. The third step however, has to be done from
the SMS Management console.
The following section assumes that you have an SMS 2003 server working in
your network environment and that you have some minimal knowledge in using
this software. It assumes that you are familiar with the basic concepts of SMS
server such as collections, packages, advertisements etc. This section shows only
the minimal operations you have to do in order to install CryptoKit using SMS
2003 server. You may need to modify other SMS parameters according to your
needs, for example: creating collections or changing the schedule of the
installation and more.
7-20
Installation 7
For more information about using SMS 2003 server, please refer to Microsoft’s
documentation and manuals.
To install CryptoKit, run the SMS Management console and perform the
following operations:
♦ Right click Packages and select New | Package
7-21
7 CryptoKit Developer's Guide
♦ In the New Distribution Points Wizard, select the checkbox next to the
distribution point and click Finish.
7-22
Installation 7
7-23
7 CryptoKit Developer's Guide
7-24
Installation 7
Collection click Browse and select a collection of computers you want
to install to.
♦ For testing purposes click the button in the Schedule tab, and assign
the advertisement As soon as possible and click Apply.
♦ The advertisement should now be active and will begin pushing the
CryptoKit package to the systems in the collection. You can view the
advertisement status in the System Status, Advertisement Status
screen.
7-25
7 CryptoKit Developer's Guide
CryptoKit enables you to use smart card authentication to the server and then
use the smart card with other applications that run on the Citrix server. You can
work with both CAPI and PKCS#11 applications. Moreover, you can install
CryptoKit on the client machine as well and then access it from applications that
run on the server and on the client at the same time.
To work in this environment you need to install and configure both the server
and the client machines.
The following explanation assumes that you already have a working Citrix
environment and that you want to add to it smart card support.
7-26
Installation 7
♦ Open Control Panel, Add Remove Software and click the Install
Software from CD button.
♦ Run Setup.exe from the CryptoKit installation package.
♦ The CryptoKit installation program should automatically detect it is
being installed on a Citrix server and display the Citrix feature in the
features tree screen. Select the features: Citrix, CAPI, Logon and
optionally the MiniKey5.
Note: The terminal Server feature is automatically selected when the Citrix
feature is selected.
♦ Complete the installation and then reboot the server.
♦ Load the root CA certificate into the local machine store of the server.
♦ Use the Citrix SCCONFIG.EXE utility to register any additional
applications that run on the server and need access the smart card on the
client's computer. The utility has to be run from the command line. For
example, to register Microsoft Internet Explorer enter the command:
SCCONFIG /ENABLE_PROCESS:iexplore.exe /FARM
To view the list of registered applications, enter the command:
SCCONFIG /QUERY
Note: You can use smart card to logon to the Citrix server. However, you should
not lock the machine if the smart card is removed. Defining this policy will
7-27
7 CryptoKit Developer's Guide
cause clients that are connected to the server to be disconnected when the user
removes his smart card.
The Citrix client machine can be configured with or without local smart card
logon. In each case you may want to work with a standard PC/SC reader or with
MiniKey5 USB token. For each one of these cases there is a slightly different
installation procedure.
7-28
Installation 7
♦ To configure the ICA client to use smart cards, right click the Citrix
client icon and select Properties.
7-29
7 CryptoKit Developer's Guide
♦ Open the ICA client and then insert the smart card with appropriate
public, private and certificate. Enter the PIN and login to the Citrix
server.
7-30
Installation 7
CryptoKit enables the client machine to perform smart card authentication to the
server and then to use the smart card with other CAPI and PKCS#11
applications that run on the server. Moreover, you can install CryptoKit on the
client machine as well, and then access the smart card from applications that run
on the server and on the client machine at the same time.
To work in this environment you need to install and configure both the server
and the client machines.
The following explanation assumes that you already have a working terminal
server environment and that you want to add to it smart card support.
7-31
7 CryptoKit Developer's Guide
Client Configuration
The client machine connects to the server using Microsoft’s Remote Desktop
Connection application. This application is part of the Windows XP operating
system. On windows 2000 machines, it has to be separately installed.
The client machine can be configured with or without local smart card logon. In
each case you may want to work with a standard PC/SC reader or with
MiniKey5 USB token. For each one of these cases there is a slightly different
installation procedure.
7-32
Installation 7
♦ Now, depending on the configuration, the token you want to use and the
operating system, you need to install different CryptoKit features on the
client machine:
* Actually, only two registry entries are needed in this case. Those entries
are placed in:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Cryptography\Calais\SmartCards\PrivateCard
and
HKEY_LOCAL_MACHINE\Software\Microsoft\
Cryptography\Calais\SmartCards\PrivateCardEx
For more information about the values in these entries see later in this
chapter.
7-33
7 CryptoKit Developer's Guide
♦ Insert the smart card and enter PIN to login to the server.
7-34
Installation 7
The following section describes the files in the CryptoKit installation package.
instmsiw.exe Microsoft installer program for Windows NT, 2000 and XP.
This file is automatically installed by setup.exe, if
msiexec.exe file is too old or missing.
Note: The default version on Windows 2000 and XP platforms
is sufficient enough.
CK_LANG.INI A file that contains all the text that is displayed during the setup
process. This text can be translated to different languages. Read
how to customize the setup text using this file, later in this
chapter.
Autorun.inf This file runs the installation program automatically when the
CD is inserted
7-35
7 CryptoKit Developer's Guide
CryptoKit.msi CryptoKit main installation file, with all the logic and
definitions
*.cab Cab files that contain the files of the different CryptoKit
features. Each feature is contained in a different Cab file
7-36
Installation 7
7-37
7 CryptoKit Developer's Guide
String Constants
Key Description
<TARGETDIR> or The full path of the directory where CryptoKit is installed
<INSTALLDIR>
Feature Names
The following table lists the CryptoKit feature names. Some features are visible
by default in the feature tree window and some are hidden. Some features are
selected by default and some are not. Both defaults can be overidden by the
[Hidden] and [ComponentSelect] sections of the CK_SETUP.INI file.
7-38
Installation 7
Feature Name Description Visible Selected
Readers_And_Tokens\PrivateSafe_ PrivateSafe PCMCIA reader
PCMCIA
Readers_And_Tokens\Software Software token
Readers_And_Tokens\Siemens Siemens USB token
Plugins\CAPI AR CAPI provider
Plugins\SSO Single Sign On
Plugins\Netscape Netscape plugin (2)
Plugins\IPSEC Microsoft IPSEC support (3)
Plugins\Entrust Entrust plugin (2)
Plugins\Logon Smart Card logon (3)
Plugins\Terminal_Services Terminal Services support (4)
Plugins\Logical_Channels Smart card logical channels (3)
support for terminal server and
Citrix environments
Plugins\Citrix Citrix MetaFrame Server (2)
support
Plugins\Utils CryptoKit utilities
Plugins\Utils\Argenie AR Genie utility
Plugins\Utils\pkcs12util PKCS#12 utility
Plugins\Utils\PHL PHL utility
(5)
SDK SDK files and sample (5)
programs for developers
SDK\headers Developer header files (5) (5)
SDK\libraries Developer library files (5) (5)
SDK\Documentation CryptoKit documentation (5) (5)
SDK\Samples Sample programs (PKCS#11 (5) (5)
and PHL)
SDK\Java_API JCA provider and Java adaptor (5) (5)
7-39
7 CryptoKit Developer's Guide
Notes:
(1) This feature is mandatory and must be selected and installed
(2) This feature is automatically displayed on machines with this software
installed
(3) This feature is available only for Windows 2K, XP and 2003
(4) This feature is automatically displayed on Windows XP an Windows 2003
(5) All SDK features are available only in the extended version of CryptoKit
CK_SETUP.INI
[General]
The General section in the CK_SETUP.INI file contains the following
parameters:
7-40
Installation 7
ShowWelcome Controls whether to display the ShowWelcome = FALSE
Welcome dialog. By default the
dialog is displayed.
7-41
7 CryptoKit Developer's Guide
7-42
Installation 7
StoreMode Allows setting the ARCSP StoreMode = 2
parameter StoreMode. For more
information, refer to explanation
about ARCSP component later in
this chapter.
Note: It is also possible to replace the image that appears when the installation
is loaded by replacing the file setup.bmp with a new image.
[AutoSettings]
The AutoSettings section allows setting default values for the following
parameters:
7-43
7 CryptoKit Developer's Guide
[Hidden]
The Hidden section allows selecting the components of CryptoKit that will be
displayed or hidden in the component selection window.
[ComponentSelect]
The ComponentSelect section allows selecting the features of CryptoKit that
will be selected for installation or not selected.
[EntrustPaths]
The CryptoKit setup program automatically searches for Entrust INI files, but it
is also possible to specifically direct the setup to the location of these files by
registering them in this section.
7-44
Installation 7
Key Description Example
Any legal Specify list of directories which C:\
directory contain entrust.ini or entmgr.ini
files. You can use string constants
from the list above.
[CopyFiles]
The CopyFiles section, allows copying additional files as part of the CryptoKit
installation. The files should be added to the installation directory and can be
copied to any location on the target system.
[RegFiles]
The RegFiles section, allows importing additional registry files at the end of
CryptoKit installation. The files should be added to the installation directory. It
is recommended to copy these registry files to the CryptoKit target directory to
allow importing them again at the end of repair operation.
7-45
7 CryptoKit Developer's Guide
[Language]
The CryptoKit installation can be translated to any language. All the text that is
displayed during the setup process is retrieved from an external file name
CK_LANG.INI file, which is in the CryptoKit’s installation package. This file
can contain text in several languages. Each language should be placed in a
different section.
This section in the CK_SETUP.INI file enables setting the default installation
language. Specify in the LANG parameter the three-letter language code that
should be used by the installation program to retrieve the text from the
CK_SETUP.INI file.
7-46
Installation 7
CK_LANG.INI
The CK_LANG.INI provides the setup program all the text that appears during
installation. The name of each section in that file is the name of the language.
Each section should contain parameters with text for all installation dialogs.
7-47
7 CryptoKit Developer's Guide
License Dialog
(1) Msg_License1
(2) Msg_License2
(3) Msg_License3
(4) Msg_License4
(5) Msg_License5
(6) Msg_Back,
Msg_Next,
Msg_Cancel
7-48
Installation 7
Destination Dialog
(1) Msg_Destination1
(2) Msg_Destination2
(3) Msg_Destination3
(4) Msg_Destination4
(5) Msg_Destination5
(6) Msg_Browse
(7) Msg_Back,
Msg_Next,
Msg_Cancel
Features Dialog
(1) Msg_Components1
(2) Msg_Components2
(3) Msg_Components3
(4) Msg_Components4
(5) Msg_Components5
(6) Msg_Back,
Msg_Next,
Msg_Cancel
7-49
7 CryptoKit Developer's Guide
Finish Dialog
Finish Installation:
(1) Msg_Finish_Inst1
(2) Msg_Finish_Inst2
Finish Maintenance:
(1) Msg_Finish_Maint1
(2) Msg_Finish_Maint2
Finish Upgrade:
(1) Msg_FinishUpgrade1
(2) Msg_FinishUpgrade2
Finish Uninstall:
(1) Msg_Finish_Uninst1
(2) Msg_Finish_Uninst2
All Modes:
(3) Msg_Finish_All1
(4) Msg_Finish_All3
(Only if MiniKey5
was installed)
(5) Msg_Back,
Msg_Finish,
Msg_Cancel
7-50
Installation 7
Finish Reboot Dialog
Finish Installation:
(1) Msg_Finish_Inst1
(2) Msg_Reboot_Inst2
Finish Maintenance:
(1) Msg_Finish_Maint1
(2) Msg_Reboot_Maint2
Finish Upgrade:
(1) Msg_FinishUpgrade1
(2) Msg_FinishUpgrade2
Finish Uninstall:
(1) Msg_Finish_Uninst1
(2) Msg_Reboot_Uninst2
All Modes:
(3) Msg_Reboot1
(4) Msg_Reboot2
(5) Msg_Reboot_All1
(6) Msg_Reboot_All2
(7) Msg_Finish_All3
(Only if MiniKey5
was installed)
(8) Msg_Back,
Msg_Finish,
Msg_Cancel
7-51
7 CryptoKit Developer's Guide
Maintenance Dialog
(1) Msg_Maint1
(2) Msg_Maint2
(3) Msg_Maint3
(4) Msg_Maint4
(5) Msg_Maint5
(6) Msg_Maint6
(7) Msg_Maint7
(8) Msg_Maint8
(9) Msg_Maint9
(10) Msg_Back,
Msg_Next,
Msg_Cancel
Upgrade Dialog
(1) Msg_Upgrade1
(2) Msg_Upgrade2
(3) Msg_Upgrade3
(4) Msg_Back,
Msg_Next,
Msg_Cancel
7-52
Installation 7
Select Language Dialog
(1) Msg_Language1
(2) Msg_Language2
(3) Msg_Language3
(4) Msg_Language4
(5) Msg_Back,
Msg_Next,
Msg_Cancel
Abort Dialog
(1) Msg_Abort1
(2) Msg_Abort2
Confirm Uninstalling
(1) Msg_ConfirmUninst1
(2) Msg_ConfirmUninst2
7-53
7 CryptoKit Developer's Guide
Additional Messages
(1) Msg_AD_AlreadyInstalled
(2) Msg_AD_Only
(3) Msg_Minikey4_5Problem
(4) Msg_InsertMinikey
(5) Msg_EnterDisk
(6) Msg_UnsupportedOS
(7) Msg_UserNotAdministrator
(8) Msg_OldCkitBlock
(9) Msg_FileCopyError
(10) Msg_Downgrade
7-54
Installation 7
General Guidelines
7-55
7 CryptoKit Developer's Guide
SmartAdaptor
Files
OS File Name Target Description
Registry
The SmartAdaptor registry entries include general parameters and the basic
entries of AR Core provider and AR Smart Card provider. The SmartAdaptor
parameters are placed in the subfolder:
7-56
Installation 7
HKEY_LOCAL_MACHINE\Software\Arl\SmartAdaptor\Main
LogLevel DWORD Controls the how detailed the log file would be.
Each level includes all other less detailed levels:
0 – Errors only
1 – In/Out function parameters
2 – Information
3 – Most detailed Information
Default: dword:00000003
7-57
7 CryptoKit Developer's Guide
7-58
Installation 7
UseMsReaders DWORD Instruct SmartAdaptor to add into the list of
slots, PC/SC readers that exist in the registry
but not physically connected. In the event of
connecting such a reader, it is recognized
immediately and the current applications can
access it without reboot.
0 – List of slots will include only
connected PC/SC readers
1 – List of slots will include both
connected and registered PC/SC readers.
Default: This entry does not exist. The list of
PC/SC readers will not be read from registry
and will include only the connected readers.
7-59
7 CryptoKit Developer's Guide
LogLevel DWORD Controls the how detailed the log file would be.
Each level includes all other less detailed levels:
0 – Errors only
1 – In/Out function parameters
2 – Information
3 – Most detailed Information
Default: dword:00000003
7-60
Installation 7
LogGroup DWORD The CryptoKit component whose log should be
activated. Each bit controls a different
component:
0x0001 ARDaemon.exe
0x0002 ARGenie.exe
0x0004 ARGenie.dll
0x0008 ARGUI.dll
0x0010 SSO.dll
0x0020 ARcltsrv.exe
Default: dword:00000000
Each Core provider subfolder includes two subordinate subfolders, Info and
VendorDefined, as well as four keys. The default Core provider is in the
subfolder Provider_0 and contains the following keys:
7-61
7 CryptoKit Developer's Guide
LogLevel DWORD Controls the how detailed the log file would be. Each
level includes all other less detailed levels:
0 – Errors only
1 – In/Out function parameters
2 – Information
3 – Most detailed Information
Default: dword:00000003
7-62
Installation 7
Key name Key Type Description
API_Version DWORD Version of API
High word – major version
Low word – minor version
Default: dword:00020001
ProviderName String String that holds the provider name (max 64 letters)
Default:
"UMB PKCS#11 non-US Extended Ver "
VendorName String String that holds the vendor name (max 64 letters)
Default:
"Algorithmic Research Ltd. "
7-63
7 CryptoKit Developer's Guide
7-64
Installation 7
Attribute_303 Binary Number of attempts for presenting SO PIN of
software token. 0 – Unlimited or 3-12.
Default: hex:00,00,00,00
Each Smart card provider subfolder includes three subfolders: ATRs, Info and
VendorDefined and these include several keys. The default Smart card
provider is in the subfolder Provider_0 and contains the following keys:
7-65
7 CryptoKit Developer's Guide
ProviderName String String that holds the provider name (max 64 letters)
Default: "PrivateCard"
VendorName String String that holds the vendor name (max 64 letters)
Default:
"Algorithmic Research Ltd. "
7-66
Installation 7
Attribute_301 Binary Maximum number of RSA key pairs on the smart
card or MiniKey
Default: hex:06,00,00,00
7-67
7 CryptoKit Developer's Guide
7-68
Installation 7
HKEY_LOCAL_MACHINE\Software\Arl\SmartAdaptor\
READER_PROVIDERS
Note that there is no need to register standard PC/SC readers. These readers are
enumerated automatically by calling standard PC/SC windows functions.
Each Reader provider subfolder includes an Info subfolder containing the keys
listed in the following table:
7-69
7 CryptoKit Developer's Guide
ProviderName String String that holds the provider name (max 64 letters)
VendorName String String that holds the vendor name (max 64 letters)
Files
7-70
Installation 7
OS File Name Target Description
All Arcltsrv.exe <INSTALLDIR>\utils The service is run for each
terminal session. It operates in
a machine context
Registry
On Windows 98, ME and NT, the client service and daemon are activated with
the following registry entries, which are placed in the subfolder:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Key name Key Type Description
AAARCLTSRV String "<INSTALLDIR>\Utils\arcltsrv.exe"
On Windows 2000, XP and 2003 the daemon is not installed and the client service is installed as a
service with the following parameters:
DisplayName Arcltsrv
Dependencies ScardSvr
StartType Automatic
InteractWithDesktop No
7-71
7 CryptoKit Developer's Guide
In some cases there is need to disable the automatic open session which is done
by the service when a token is inserted. To do that, add the following registry
entry:
HKEY_LOCAL_MACHINE\Software\Arl\SmartAdaptor\Main\
Parameters
The service can be used to lock the workstation after a certain delay from smart
card removal. This option is only active if the user used smart card to logon to
the station on Windows 2000, XP and 2003. This option can be used to allow the
user to remove the token that was used to login, but without automatically
locking the station.
HKEY_LOCAL_MACHINE\Software\Arl\SmartAdaptor\
Components\Parameters
ARCSP
The CSP is one of the adapters supported by CryptoKit (see Chapter 4).
Algorithmic Research’s CSP includes an RSA cryptographic provider for all
operating systems and an additional SChannel provider for Windows 2003.
Files
7-72
Installation 7
OS File Name Target Description
All Arcsp.dll <SystemFolder> CSP dll, signed by Microsoft
Arstore.dll
Registry
LogLevel DWORD Controls the how detailed the log file would be.
Each level includes all other less detailed levels:
0 – Errors only
1 – In/Out function parameters
2 – Information
3 – Most detailed Information
Default: dword:00000003
7-73
7 CryptoKit Developer's Guide
7-74
Installation 7
FinalizeLibraryUse DWORD Controls the mode of operation of ARCSP
when all processes released their context:
0 – No action will take place. The
PKCS#11 will stay initialized and all
sessions will stay open.
1 – The PKCS#11 library will be
closed with C_Finalize function
2 – All open sessions will be closed
but the PKCS#11 library will stay
initialized.
3 – Re-initialize the PKCS#11 library
if the list of PC/SC readers has
changed. This mode will
automatically identify and work with
new smart card readers, which were
inserted. It is also required for correct
operation in Terminal Server
environment.
Default: dword:00000003
Signature Binary 136 bytes read from the binary file ARCSP.SIG
7-75
7 CryptoKit Developer's Guide
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\
Defaults\Provider\
AR RSA SChannel Cryptographic Provider
Key name Key Type Description
Image Path String "arcsp.dll"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\
Calais\SmartCards\PrivateCardEx
Key name Key Type Description
Crypto Provider String "AR Base Cryptographic Provider"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\
OID\EncodingType0\CertDllOpenStoreProv\arPhysicalOpen
7-76
Installation 7
Key name Key Type Description
Dll String "ARstore.dll"
7-77
7 CryptoKit Developer's Guide
CryptoKit stores in the user context the default CAPI slot. This entry is created
by AR Genie utility, when the user sets a default CAPI slot and deleted when the
user clears the default slot.
HKEY_CURRENT_USER\Software\ARL\Cryptoki CSP\Parameters
Key name Key Type Description
Software Token
Files
OS File Name Target Description
All Token1.sft <INSTALLDIR>\sft_tok Empty software token file.
This file must have read
permissions to all users.
Registry
7-78
Installation 7
The registry entries of software token are placed in the subfolder:
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\
PKCS#11_Providers\Provider_0\VendorDefined
Files
OS File Name Target Description
All Arcksso.dll <INSTALLDIR> Single Sign On dll
Registry
7-79
7 CryptoKit Developer's Guide
7-80
Installation 7
PrivateSafe Reader
The PrivateSafe files are copied during the installation to a temporary directory.
Then, an installation program is executed to install the driver.
Files
OS File Name Target Description
Registry
7-81
7 CryptoKit Developer's Guide
HKEY_LOCAL_MACHINE\Software\ARL\ARcryptoSafe\Settings\
Protocol1
Note: The value 0000 in Windows 98 may be different depending on the number
of readers you have installed and the order of installation.
7-82
Installation 7
When the PrivateSafe is installed as a proprietary driver, additional registry
entries must exist. A reader provider has to be registered in SmartAdaptor:
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\
Reader_Providers\Provider 0
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\
Reader_Providers\EXCLUDE_PCSC
It is possible to define processes that should not have access to the PrivateSafe reader.
This can be done, by entering the list of process names in:
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\
Main\Parameters
Driver Types
7-83
7 CryptoKit Developer's Guide
MiniKey5
The MiniKey5 files are copied during the installation to a temporary directory.
Then, installation functions in euci5in.dll are called to install the driver.
Files
OS File Name Target Description
All euci5.cat <INSTALLDIR>\Installati Signature of driver
on\Crypto5
Registry
7-84
Installation 7
When the driver installation is finished, the MiniKey is registered as a PC/SC
device in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\
Calais\Readers\Algorithmic Research Minikey 0
And
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\
Calais\Readers\Algorithmic Research Minikey 1
The Siemens PKCS#11 provider enables working with Siemens MiniKey and is
registered in SmartAdaptor as a PKCS#11 core provider.
Files
OS File Name Target Description
All ApiAsn1.dll <SystemFolder>
ApiCore.dll
ApiCrypto.dll
ApiSCCom.dll
CardOS_CSP.dll
CardOS_PKCS11.dll
CSP_Module.dll
ErrMngr.dll
SiCertificateViewer.dll
SiCertViewer.dll
Registry
7-85
7 CryptoKit Developer's Guide
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\
PKCS#11_PROVIDERS\Provider_x\Info
Key name Key Type Description
Some models of Siemens MiniKey use the Ifdh a USB driver. The driver
installation files are copied during the installation to a temporary directory and
then the registration dll is called to install the driver.
Files
7-86
Installation 7
OS File Name Target Description
All eTCoreReg.dll <SystemFolder> Registration dll which installs
and uninstalls the driver
NT UsbHub.sys <SystemFolder>\Drivers
aksup.sys
adfrt.sys
UsbDrv.sys
aksifdh.sys
Registry
When the driver installation is finished, the Ifdh driver is registered as a PC/SC
device in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\
Calais\Readers\Algorithmic Research AKS ifdh 0
7-87
7 CryptoKit Developer's Guide
Terminal Services
Registry
Only one registry entry is needed to activate the terminal services support:
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\Main\
Parameters
Key name Key Type Description
ServerMode DWORD Value of 1 enables terminal services support.
dword:00000001
Citrix Server
Registry
The following registry entries are needed to activate CryptoKit on the Citrix
server:
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\Main\
Parameters
Key name Key Type Description
ServerMode DWORD On Windows 2000 server:
dword:00000027
7-88
Installation 7
HKEY_LOCAL_MACHINE\Software\Citrix\CtxHook\
AppInit_Dlls\Smart Card Hook
Utility Programs
Files
OS File Name Target Description
All ARgenie.exe <INSTALLDIR>\utils AR Genie utility program
Registry
There are some registry entries that control the behavior of the AR Genie utility
program. They are placed in:
7-89
7 CryptoKit Developer's Guide
HKEY_LOCAL_MACHINE\Software\ARL\SmartAdaptor\
Components\Parameters
7-90
Installation 7
SOPinMode DWORD When equal to 0, the AR Genie utility will always
attempt to use the default SO PIN of ‘11111111’
and only if it fails, it would present the SO PIN
entry dialog. When equal to 1, the SO PIN entry
dialog is always presented when SO
authentication is needed.
Default: dword:00000000
Additional entries are stored for each user and placed in:
HKEY_CURRENT_USER\Software\ARL\SmartAdaptor\
Components\Parameters
Key name Key Type Description
GenieParams DWORD The AR Genie utility stores in each bit of this
parameter the user settings. It is updated from the
Program setting dialog in the Options menu:
0x0001 Automatically login when the user
wants to view the token objects
0x0002 Allow the user to enter the token
label during format token operation
SDK Files
When the CryptoKit SDK component is installed, the following additional files
are also copied:
Target Description
<INSTALLDIR>\include Developer include files
7-91
7 CryptoKit Developer's Guide
Files
OS File Name Target Description
All CyCpten5.dll <SystemFolder> Entrust 5 adapter
Registry
7-92
Installation 7
LogLevelV5 DWORD Level of logging of Entrust adapter for version 5.x
(0 – disabled; 4 – max)
Shortcuts
Shortcuts
OS File Name
98, ME <WinDir>\Start Menu\Programs\CryptoKit
Package Information
Registry
7-93
7 CryptoKit Developer's Guide
And
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Uninstall\CryptoKit
Files
OS Folder Name
All <ProgramFiles>\InstallShield Installation Information\{EE046602-
85F3-4B87-A734-148C17748848}
7-94
Index
C_PKCS7_CreateCRP, 5-97
A C_UI_GetMessage, 3-81
Active Directory Installation, 7-11 C_UI_GetPassword, 3-76
Advanced capabilities, 2-17 C_UI_SetMessage, 3-78
Algorithms, 1-1 C_X509_copy, 5-35
AR Genie C_X509_Copy, 5-76
Administrator Mode, 6-4 C_X509_Decode, 5-22, 5-73
Command Line, 6-19 C_X509_Encode, 5-28, 5-74
Registry, 7-89 C_X509_EncodeSign, 5-28, 5-79
User Mode, 6-2 C_X509_FindInCrl, 5-32, 5-83
ARCSP Provider, 4-6 C_X509_GetField, 5-24, 5-75
Algorithms, 4-10 C_X509_Sign, 5-28, 5-78
Functions, 4-12 C_X509_Verify, 5-25, 5-27, 5-81
Installation, 7-72 CA, 5-17
RSA, 4-9, 4-10 cert_list, 5-92
SChannel, 4-9, 4-12 Certificate Authorities, 5-17
Type, 4-6, 4-9 Certificate reply, 5-86, 5-102, 5-106
Asymmetric schemes, 1-3 Certificate request, 5-86, 5-98, 5-106
Authentication of data, 1-7 Certificate Store, 4-16
Certificate/CRL fields, 5-39
C Certificates, 5-17
C_EXT_Bind, 3-69 Building, 5-37
C_EXT_ChangeTokenLabel, 3-74 Decoding, 5-22
C_EXT_GetProviderContext, 3-62 Object identifiers, 5-37
C_EXT_GetProviderInfo, 3-62 Validating, 5-27
C_EXT_GetProviderList, 3-61 certs_and_crls, 5-91
C_EXT_GetProviderSlotList, 3-63 Challenge-Response protocol, 1-6
C_EXT_GetSlotProvider, 3-64 Checking for revoked certificates, 5-32
C_EXT_PassToProvider, 3-66 Citrix Server, 7-26, 7-88
C_EXT_Unbind, 3-70 CK_ASN_ID, 5-53
C_EXT_WaitForSingleSlotEvent, 3-71 CK_CALLBACK_FUNCTION, 3-27
C_EXT_WaitForSlotEvent, 3-72 CK_DATA, 5-53
C_PKCS10_AcceptCRQ, 5-95 CK_DECLARE_FUNCTION, 3-26
C_PKCS10_CreateCRQ, 5-93, 5-116, 5-117 CK_DECLARE_FUNCTION_POINTER, 3-27
C_PKCS10_SimpleCreateCRQ, 5-94 CK_LANG.INI, 7-47
C_PKCS7_AcceptCRP, 5-96 CK_PTR, 3-26
I-1
I CryptoKit Developer's Guide
I-2
Index I
Citrix, 7-26 N
CK_LANG.INI, 7-47 Netscape, 3-5
CK_SETUP.INI, 7-40 Non-repudiation transaction, 1-8
Customizing, 7-37
Files, 7-55 O
Package files, 7-35 Object Identifiers, 5-37, 5-45
Registry, 7-55 Algorithm Identifiers, 5-45
Silent, 7-9 Attribute Types, 5-38, 5-47
SMS Server, 7-20 Extensions, 5-48
Terminal Server, 7-31 Key Purposes, 5-49
Uninstallation, 7-7 PKCS, 5-46
Upgrade, 7-8 Qualifier Types, 5-49
Objects, 3-5
J
Java Adapter, 5-2 P
Java PKCS, 5-10 ParallelSlots, 7-59
JCA, 5-2 PC/SC Readers, 3-49
PCMCIA, 2-14
K Pentium4RSAMode, 7-60
Key Container, 4-5 Performance, 2-17
Key Media PIN
CoSign, 2-11 Default parameters, 3-20
MiniKey, 2-8 functionality, 3-19
Overview, 2-2 passing NULL, 3-19
PrivateCard, 2-2 Secure PIN entry, 3-19
PrivateServer, 2-10 Single Sign On, 3-20
Software, 2-5 Unattended mode, 3-20
PKCS#10, 5-86
M PKCS#11
Macros
Data objects, 3-18
AR_PLATFORM, 3-25
Mechanisms, 3-5
CK_CALLBACK_FUNCTION, 3-27
Objects, 3-5
CK_DECLARE_FUNCTION, 3-26
Protected authentication path, 3-5
CK_DECLARE_FUNCTION_POINTER,
Slots, 3-5
3-27
Tokens, 3-5
CK_PTR, 3-26
PKCS#11 standard, 3-5
Mechanisms, 3-5, 3-7. See list, pp. 1-3 to 1-6
PKCS#12
Message Authentication Codes (MACs), 1-2
ExportPKCS12, 5-117
MiniKey, 2-8, 2-12, 7-84
ImportPKCS12, 5-116
I-3
I CryptoKit Developer's Guide
I-4
Index I
UMB_READER_GET_NATIVE_RESULT_ Working with, 5-22
VALUE, 3-57 X509, 5-72
UMB_READER_GET_STATE, 3-54 X509_alg_params_dh, 5-58
UMB_READER_I_AM_CLOSED, 3-58 X509_alg_params_key, 5-57
UMB_READER_POWER_OFF, 3-55 X509_alg_params_key_iv, 5-57
UMB_READER_POWER_ON, 3-54 X509_alg_struct, 5-56
UMB_READER_TRANSMIT, 3-56 X509_ATAV, 5-59
UMB_RV, 3-30 X509_attr_value, 5-91
UMBAPI X509_attribute, 5-90
UMB_AddATRToList, 3-40 X509_attributes, 5-90
UMB_AddFindContext, 3-43 X509_certificate, 5-53
UMB_CreateFindContext, 3-43 X509_crl, 5-55
UMB_CreatePKCS11SmartcardProvider X509_crl_tbs, 5-55
Context, 3-35 X509_def_key_info, 5-61
UMB_CreateSmartcardReaderContext, X509_distribution_point, 5-69
3-36 X509_Dname, 5-59
UMB_FreeContext, 3-47 X509_DPN, 5-69
UMB_GetProviderData, 3-41 X509_DSA_params, 5-57
UMB_GetProviderType, 3-47 X509_ext, 5-63
UMB_ListProviders, 3-46 X509_ext_0000 / X509_ext_unknown, 5-63
UMB_RegisterProvider, 3-42 X509_ext_2914, 5-64
UMB_SetProviderData, 3-38 X509_ext_2914 /
UMB_UnregisterProvider, 3-45 X509_ext_SubjectKeyIdentifier, 5-64
Unattended login, 3-20, 7-80 X509_ext_2915, 5-64
Uninstallation, 7-7 X509_ext_2916, 5-64
Utility X509_ext_2916 /
AR Genie, 6-1 X509_ext_PrivateKeyUsagePeriod,
DlmLoad, 6-26 5-64
PKCS#12, 6-24 X509_ext_2917_8, 5-65
X509_ext_2919, 5-65
V X509_ext_2919 / X509_ext_BasicConstraints,
Validating certificates, 5-27 5-65
Version X509_ext_2920, 5-66
information on current, 3-16 X509_ext_2921, 5-66
X509_ext_2921 / X509_ext_CRLreason, 5-66
X X509_ext_2923,X509_ext_HoldInstructionCo
X.509, 5-18 de, 5-66
X.509 Toolkit, 5-16 X509_ext_2924,X509_ext_InvalidityDate,
Constants, 5-38 5-67
Overview, 5-16
I-5
I CryptoKit Developer's Guide
I-6