PKCS#11 Library

Updated: July 25, 2017

Download

The SmartKey™ PKCS#11 library for Linux 64-bit can be downloaded here.

Installation

To install, run sudo ./install.sh. To uninstall, run sudo ./uninstall.sh.

The installer copies the SmartKey™ PKCS#11 shared object file (also called library or module) to /opt/fortanix/pkcs11/sdkms-pkcs11.so.

Usage

You can verify that you can use the SmartKey PKCS#11 library using the pkcs11-tool utility, which is distributed along with the OpenSC smart card library at https://github.com/OpenSC/OpenSC.

pkcs11-tool --module <module path> --show-info

The expected output is:

Cryptoki version 2.40
Manufacturer     Fortanix
Library          SmartKey PKCS#11 Library (ver 0.3)
Using slot 0 with a present token (0x1)

Applications use SmartKey PKCS#11 library to interact with SmartKey for key management and cryptographic operations. The PKCS#11 specification has notions of slots and tokens, which correspond to physical entities in an HSM. Multiple clients or applications connecting to a token on an HSM have equal access to the entire key space. However, SmartKey allows access to several applications simultaneously while guaranteeing strong cryptographic separation of key spaces. This is equivalent to every application having access to its own HSM. SmartKey PKCS#11 library implements this by mapping the application credential to the user PIN, and by having a single slot (numbered 0), with a token (numbered 1) already initialized. Administration of SmartKey is done using the web UI and using the REST APIs, so the support for doing it through the PKCS#11 library is disabled. PKCS#11 security officer login is disabled, and will always fail with CKR_PIN_INCORRECT. Similarly, the administrative functions such as C_InitToken, C_InitPIN, and C_SetPIN return errors such as CKR_PIN_INCORRECT or CKR_USER_NOT_LOGGED_IN.

The library can also be used by Java applications using the SunPKCS11 JCE provider. Some examples to build applications using this PKCS#11 library are provided in example code. Please look at our Knowledge Base to learn more about how to configure legacy applications with a PKCS#11 interface to use SmartKey™.