On Jan 10, 2008, at 3:35 PM, Stephen Hamilton wrote:
Now for the part you just mentioned--if I am doing this at too low of a level, I need to stop now--I don't want to make this harder than it should be. What include file does the pkcs11 interface for coolkey come in? I grepped the coolkey files cky* in my usr/include, and didn't see C_GetAttribute. I found it in coolkey.cpp, however it isn't in my include anywhere--do I need to be programming in C++, and if so, what do I need to include to access it?
Virtually any relatively complete crypto library that supports X.509 should support PKCS#11. That includes NSS and OpenSSL among others. These libraries usually use dynamic loading to load a specific PKCS#11 engine (coolkey, muscle, opensc, soft-pkcs11, etc.--also, this makes things like OpenSC's pkcs11-spy possible, which is incredibly useful for debugging). With the right library, you can use the crypto library for operations and not worry about where keys are stored and processed--you point the lib at the PKCS#11 engine as a configuration detail, and the rest happens automagically. :)
The added abstraction makes for portable implementations; you won't be tied to card edge protocols.
Since you're using the CAC you need to stick with a FIPS-validated crypto library--either the FIPS version of OpenSSL (if you can find someone who has it) or the FIPS version of NSS (3.6, IIRC) if you're working on UNIX. On Windows, you code to CAPI and the system-installed middleware (usually ActivClient) figures it out.
If you're supporting a DoD contract, you can get help from one of the service offices, including pointers to toolkits & etc. Since I support the AF PKI SPO in my day job, I can get you POCs if you need them. I'm also *very* curious as to exactly what you're doing with the CAC. Feel free to email me off-list.
_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
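
The dynamic loading described in the reply above, as an added example that is not part of the original message or of the coolkey project: a C program that loads a PKCS#11 module by path, resolves `C_GetFunctionList`, and counts the slots holding a token. The typedefs are a minimal subset of the standard PKCS#11 header, copied inline as an assumption so the file builds alone; `count_pkcs11_slots` and its return codes are hypothetical names.

```c
/* Added example: load a PKCS#11 module at run time and count its slots.
 * The typedefs are a minimal subset of the standard PKCS#11 header
 * (pkcs11.h / cryptoki.h), reproduced here so the file builds on its own. */
#include <dlfcn.h>
#include <stdio.h>

typedef unsigned long CK_RV, CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { unsigned char major, minor; } CK_VERSION;
typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
struct CK_FUNCTION_LIST {            /* first entries only, in spec order */
    CK_VERSION version;
    CK_RV (*C_Initialize)(void *init_args);
    CK_RV (*C_Finalize)(void *reserved);
    CK_RV (*C_GetInfo)(void *info);
    CK_RV (*C_GetFunctionList)(CK_FUNCTION_LIST **list);
    CK_RV (*C_GetSlotList)(CK_BBOOL token_present, CK_ULONG *slots, CK_ULONG *count);
};
#define CKR_OK 0UL

/* Returns 0 and sets *count on success; -1 if the module cannot be loaded,
 * -2 if it is not a PKCS#11 module, -3 if a PKCS#11 call fails. */
int count_pkcs11_slots(const char *module_path, unsigned long *count)
{
    CK_RV (*get_list)(CK_FUNCTION_LIST **);
    CK_FUNCTION_LIST *p11 = NULL;
    int rc = -3;
    void *h = dlopen(module_path, RTLD_NOW | RTLD_LOCAL);
    if (!h) return -1;
    /* The only symbol looked up by name; everything else comes from the table. */
    *(void **)(&get_list) = dlsym(h, "C_GetFunctionList");
    if (!get_list || get_list(&p11) != CKR_OK || !p11) { dlclose(h); return -2; }
    if (p11->C_Initialize(NULL) == CKR_OK) {
        CK_ULONG n = 0;
        /* A NULL slot array asks only for the number of slots with a token. */
        if (p11->C_GetSlotList(1, NULL, &n) == CKR_OK) { *count = n; rc = 0; }
        p11->C_Finalize(NULL);
    }
    dlclose(h);
    return rc;
}

int main(int argc, char **argv)
{
    unsigned long n = 0;
    if (argc < 2) { fprintf(stderr, "usage: %s <pkcs11-module.so>\n", argv[0]); return 2; }
    int rc = count_pkcs11_slots(argv[1], &n);
    if (rc == 0) printf("%s: %lu slot(s) with a token\n", argv[1], n);
    else fprintf(stderr, "%s: failed (rc=%d)\n", argv[1], rc);
    return rc ? 1 : 0;
}
```

On older glibc versions, link with `-ldl`.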