Discussion:
CryptoAPI and PKCS#11 interoperability
Max
2004-06-03 06:25:30 UTC
Is it possible to open a PKCS#11 session to a smart card from within a
smart card CSP without causing problems?
I am working with a legacy smart card CSP that under certain
situations delegates to a PKCS#11 module to retrieve/store data
previously cached in the public sector of a smart card. Apparently,
even reading from the card using PKCS#11 prevents CryptoAPI from
working properly. For example, I noticed that signing fails if I
delegate to the PKCS#11 module. If I comment out the lines of code
that delegate to the PKCS#11 module and hard-code the data that it
would return from the card, signing works fine.

Any ideas? Thanks!
Alon Bar-Lev
2004-06-03 20:06:17 UTC
Hello Max,

It is vendor specific; each vendor chooses how to implement it.
CSP best practices do not refer to PKCS#11 interoperability.
Most vendors choose to support both in parallel under some restrictions,
so what you describe is avoided...

If you need to use data objects, you can implement all of your program using
PKCS#11 standard.

Best Regards,
Alon Bar-Lev.
Post by Max
Is it possible to open a PKCS#11 session to a smart card from within a
smart card CSP without causing problems?
I am working with a legacy smart card CSP that under certain
situations delegates to a PKCS#11 module to retrieve/store data
previously cached in the public sector of a smart card. Apparently,
even reading from the card using PKCS#11 prevents CryptoAPI from
working properly. For example, I noticed that signing fails if I
delegate to the PKCS#11 module. If I comment out the lines of code
that delegate to the PKCS#11 module and hard-code the data that it
would return from the card, signing works fine.
Any ideas? Thanks!
lelteto
2004-06-16 23:18:01 UTC
The CSP / PKCS#11 connection is vendor dependent. I would not mix both within the same application (because of potential locking problems). Also note that CAPI is little endian (LSB first) while PKCS#11 is big endian (MSB first), so the various key attributes (e.g. modulus) are reversed between CAPI and PKCS#11.
If you need PKCS#11 features then use PKCS#11 - you should be able to do everything just like in CAPI (although - especially for certificates - you have to work much more).

If you cannot live w/o using both APIs then at least you will need to know how the token identifies CAPI containers and associate the keypairs and certs with each container. This part is definitely vendor-dependent.

Laszlo Elteto
SafeNet, Inc.
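The byte-order point in the post above (CAPI key material little endian, PKCS#11 attributes such as CKA_MODULUS big endian) is the one thing that can be illustrated without knowing the vendor's token layout. The following C is an added example, not code from any poster or vendor: it reverses a modulus between the two conventions, compares a modulus read via PKCS#11 against one taken from a CAPI key blob, and pads a big-endian modulus that is shorter than bitlen/8 into the fixed-length little-endian form CAPI expects. The sample modulus bytes are constructed for the demonstration and are not a real key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Reverse byte order. Converts a big-endian (MSB-first) PKCS#11 CKA_MODULUS
 * into the little-endian (LSB-first) layout CryptoAPI uses for the modulus
 * inside an RSA PUBLICKEYBLOB / PRIVATEKEYBLOB, and vice versa; the
 * operation is its own inverse. Returns 0 on success, -1 if out is too small. */
int swap_key_byte_order(const uint8_t *in, size_t len, uint8_t *out, size_t out_cap)
{
    if (out_cap < len) return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = in[len - 1 - i];
    return 0;
}

/* Compare a modulus read through PKCS#11 (big-endian) with the modulus of a
 * CAPI key container (little-endian) without copying. A plain memcmp of the
 * two buffers would report a mismatch for the same key. Returns 1 if equal. */
int same_modulus(const uint8_t *p11_be, size_t p11_len,
                 const uint8_t *capi_le, size_t capi_len)
{
    if (p11_len != capi_len || p11_len == 0) return 0;
    for (size_t i = 0; i < p11_len; i++)
        if (p11_be[i] != capi_le[p11_len - 1 - i]) return 0;
    return 1;
}

/* Produce the fixed-length little-endian modulus (bitlen/8 bytes) CAPI expects
 * from a big-endian CKA_MODULUS that may be shorter than that, e.g. a module
 * that omits leading zero bytes. Missing high-order bytes become zero bytes at
 * the END of the little-endian buffer. Returns bytes written or -1 on error. */
int capi_modulus_from_p11(const uint8_t *be, size_t be_len, unsigned bitlen,
                          uint8_t *out, size_t out_cap)
{
    size_t want = bitlen / 8;
    if (bitlen % 8 != 0 || want > out_cap || be_len > want) return -1;
    memset(out, 0, want);                 /* zero-fill = absent high-order bytes */
    for (size_t i = 0; i < be_len; i++)
        out[i] = be[be_len - 1 - i];      /* least significant byte first */
    return (int)want;
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%-22s", label);
    for (size_t i = 0; i < n; i++) printf("%02x", p[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed 64-bit "modulus" for illustration only (not a real key). */
    const uint8_t p11_modulus[8] = {0xC1, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x89};
    uint8_t capi_modulus[8];

    swap_key_byte_order(p11_modulus, sizeof p11_modulus, capi_modulus, sizeof capi_modulus);
    hexdump("PKCS#11 CKA_MODULUS:", p11_modulus, sizeof p11_modulus);
    hexdump("CAPI blob modulus:", capi_modulus, sizeof capi_modulus);
    printf("memcmp says equal: %s\n",
           memcmp(p11_modulus, capi_modulus, 8) == 0 ? "yes" : "no");
    printf("same_modulus says:  %s\n",
           same_modulus(p11_modulus, 8, capi_modulus, 8) ? "yes" : "no");
    return 0;
}
```

When a CSP and a PKCS#11 module are used side by side, this reversal is what lets you tell whether an object seen through one API is the same key as a container seen through the other; the container-to-object mapping itself remains vendor specific, as the post says.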
