PKCS#11 is an open standard for cryptographic operations. More information and
the standard document may be downloaded from RSA Laboratories
(EMC)
The example will test three standard operations with a smart card: create/verify
a digital signature, encrypt/decrypt a message and wrap/unwrap a secret key. The
example uses Microsoft Developer Studio, but is written in standard C and should
be possible to compile using any compiler.
Download
sample code
You should
list all available slots (C_GetSlotList), and then open a session for every
found slot and serach for all certificates in all slots. When all certificates
have been collected check them against the rules set up by your application and
the context. If you get more than one hit you should present a descent dialog
where the user can select a certificate. Then proceed with the desired
operations.
The current version of the standard is 2.20, but our implementation will return
2.11 as version information. The difference between the two versions is
algorithm extensions not concerning smart cards and changed suggestion for
handling multiple PINs (see below). The suggestion regarding multiple PINs is
useless and will be removed in future versions of the standard. The
implementation in Net iD Enterprise will be upgraded when version 2.30 is
released. Applications implementing the standard should only be concerned with
the major version (2) and minor versions adding support for specific algorithms
which are needed, i.e. in those rare cases where a new specific algorithm is
mandatory.
The PKCS#11 library may be installed in any location; it has no other binary
dependencies, and only needs the configuration file for license information. For
library version 5.4 and later the configuration file may be included in the
binary, there is no need for a separate file.
|
#define CKR_OK |
0x00000000 |
|
#define CKR_CANCEL |
0x00000001 |
|
#define CKR_HOST_MEMORY |
0x00000002 |
|
#define CKR_SLOT_ID_INVALID |
0x00000003 |
|
#define CKR_GENERAL_ERROR |
0x00000005 |
|
#define CKR_FUNCTION_FAILED |
0x00000006 |
|
#define CKR_ARGUMENTS_BAD |
0x00000007 |
|
#define CKR_NO_EVENT |
0x00000008 |
|
#define CKR_NEED_TO_CREATE_THREADS |
0x00000009 |
|
#define CKR_CANT_LOCK |
0x0000000A |
|
#define CKR_ATTRIBUTE_READ_ONLY |
0x00000010 |
|
#define CKR_ATTRIBUTE_SENSITIVE |
0x00000011 |
|
#define CKR_ATTRIBUTE_TYPE_INVALID |
0x00000012 |
|
#define CKR_ATTRIBUTE_VALUE_INVALID |
0x00000013 |
|
#define CKR_DATA_INVALID |
0x00000020 |
|
#define CKR_DATA_LEN_RANGE |
0x00000021 |
|
#define CKR_DEVICE_ERROR |
0x00000030 |
|
#define CKR_DEVICE_MEMORY |
0x00000031 |
|
#define CKR_DEVICE_REMOVED |
0x00000032 |
|
#define CKR_ENCRYPTED_DATA_INVALID |
0x00000040 |
|
#define CKR_ENCRYPTED_DATA_LEN_RANGE |
0x00000041 |
|
#define CKR_FUNCTION_CANCELED |
0x00000050 |
|
#define CKR_FUNCTION_NOT_PARALLEL |
0x00000051 |
|
#define CKR_FUNCTION_NOT_SUPPORTED |
0x00000054 |
|
#define CKR_KEY_HANDLE_INVALID |
0x00000060 |
|
#define CKR_KEY_SIZE_RANGE |
0x00000062 |
|
#define CKR_KEY_TYPE_INCONSISTENT |
0x00000063 |
|
#define CKR_KEY_NOT_NEEDED |
0x00000064 |
|
#define CKR_KEY_CHANGED |
0x00000065 |
|
#define CKR_KEY_NEEDED |
0x00000066 |
|
#define CKR_KEY_INDIGESTIBLE |
0x00000067 |
|
#define CKR_KEY_FUNCTION_NOT_PERMITTED |
0x00000068 |
|
#define CKR_KEY_NOT_WRAPPABLE |
0x00000069 |
|
#define CKR_KEY_UNEXTRACTABLE |
0x0000006A |
|
#define CKR_MECHANISM_INVALID |
0x00000070 |
|
#define CKR_MECHANISM_PARAM_INVALID |
0x00000071 |
|
#define CKR_OBJECT_HANDLE_INVALID |
0x00000082 |
|
#define CKR_OPERATION_ACTIVE |
0x00000090 |
|
#define CKR_OPERATION_NOT_INITIALIZED |
0x00000091 |
|
#define CKR_PIN_INCORRECT |
0x000000A0 |
|
#define CKR_PIN_INVALID |
0x000000A1 |
|
#define CKR_PIN_LEN_RANGE |
0x000000A2 |
|
#define CKR_PIN_EXPIRED |
0x000000A3 |
|
#define CKR_PIN_LOCKED |
0x000000A4 |
|
#define CKR_SESSION_CLOSED |
0x000000B0 |
|
#define CKR_SESSION_COUNT |
0x000000B1 |
|
#define CKR_SESSION_HANDLE_INVALID |
0x000000B3 |
|
#define CKR_SESSION_PARALLEL_NOT_SUPPORTED |
0x000000B4 |
|
#define CKR_SESSION_READ_ONLY |
0x000000B5 |
|
#define CKR_SESSION_EXISTS |
0x000000B6 |
|
#define CKR_SESSION_READ_ONLY_EXISTS |
0x000000B7 |
|
#define CKR_SESSION_READ_WRITE_SO_EXISTS |
0x000000B8 |
|
#define CKR_SIGNATURE_INVALID |
0x000000C0 |
|
#define CKR_SIGNATURE_LEN_RANGE |
0x000000C1 |
|
#define CKR_TEMPLATE_INCOMPLETE |
0x000000D0 |
|
#define CKR_TEMPLATE_INCONSISTENT |
0x000000D1 |
|
#define CKR_TOKEN_NOT_PRESENT |
0x000000E0 |
|
#define CKR_TOKEN_NOT_RECOGNIZED |
0x000000E1 |
|
#define CKR_TOKEN_WRITE_PROTECTED |
0x000000E2 |
|
#define CKR_UNWRAPPING_KEY_HANDLE_INVALID |
0x000000F0 |
|
#define CKR_UNWRAPPING_KEY_SIZE_RANGE |
0x000000F1 |
|
#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT |
0x000000F2 |
|
#define CKR_USER_ALREADY_LOGGED_IN |
0x00000100 |
|
#define CKR_USER_NOT_LOGGED_IN |
0x00000101 |
|
#define CKR_USER_PIN_NOT_INITIALIZED |
0x00000102 |
|
#define CKR_USER_TYPE_INVALID |
0x00000103 |
|
#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN |
0x00000104 |
|
#define CKR_USER_TOO_MANY_TYPES |
0x00000105 |
|
#define CKR_WRAPPED_KEY_INVALID |
0x00000110 |
|
#define CKR_WRAPPED_KEY_LEN_RANGE |
0x00000112 |
|
#define CKR_WRAPPING_KEY_HANDLE_INVALID |
0x00000113 |
|
#define CKR_WRAPPING_KEY_SIZE_RANGE |
0x00000114 |
|
#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT |
0x00000115 |
|
#define CKR_RANDOM_SEED_NOT_SUPPORTED |
0x00000120 |
|
#define CKR_RANDOM_NO_RNG |
0x00000121 |
|
#define CKR_DOMAIN_PARAMS_INVALID |
0x00000130 |
|
#define CKR_BUFFER_TOO_SMALL |
0x00000150 |
|
#define CKR_SAVED_STATE_INVALID |
0x00000160 |
|
#define CKR_INFORMATION_SENSITIVE |
0x00000170 |
|
#define CKR_STATE_UNSAVEABLE |
0x00000180 |
|
#define CKR_CRYPTOKI_NOT_INITIALIZED |
0x00000190 |
|
#define CKR_CRYPTOKI_ALREADY_INITIALIZED |
0x00000191 |
|
#define CKR_MUTEX_BAD |
0x000001A0 |
|
#define CKR_MUTEX_NOT_LOCKED |
0x000001A1 |
|
#define CKR_VENDOR_DEFINED |
0x80000000 |
Mechanism types CKM_VENDOR_DEFINED and above are permanently reserved for token
vendors. For interoperability, vendors should register their mechanism types
through the PKCS process.