dec16180 / sc-hsm-embedded Goto Github PK

sc-hsm-embedded PKCS#11 and CSP-Minidriver Module
=================================================

Light-weight PKCS#11 library for using the SmartCard-HSM in Windows, Linux, MacOSX and embedded systems.

The module also supports various STARCOS based signature cards commonly used in Germany.

Purpose
-------
This module has been initially developed to support the integration of a SmartCard-HSM in
embedded systems with a little footprint. Rather than using a PC/SC daemon to manage
attached card readers and token, the smaller Card Terminal API (CT-API) can be used.

Over time the project has grown into a fully featured PKCS#11 and Microsoft CSP-Minidriver crypto middleware.

Supported Hardware
------------------
The module can be compiled for Linux, Windows and MacOSX. It supports the SmartCard-HSM USB-stick
and SmartCard-HSM cards inserted into a CCID compliant reader. When using the PC/SC interface
any compliant reader can be used.

The ctccid module uses standard functions from the CCID specification, so the driver may work
with other CCID compliant readers as well. However, the only reader used during tests is
the SCR 3310 and the USB-stick.

Further documentation is available at

https://github.com/CardContact/sc-hsm-embedded/wiki

Installation (Linux)
--------------------
Download source and run 

* autoreconf -fi
* configure
* make
* make install

Installation (Windows)
----------------------
Select the 32-Bit or 64-Bit version depending on your version of Windows.
Installing the provided .msi file will make the sc-hsm-pkcs11.dll and sc-hsm-minidriver.dll
available in windows/system32. Test tools are installed in %PROGRAMFILES%/CardContact/SmartCard-HSM.

The 64-Bit version installs both, the 32-Bit and 64-Bit version of DLLs and test programs.

Firefox
-------
Open Firefox and the Add-ons-Manager.
Select "Install Add-ons From File"
Select the file "sc-hsm-pkcs11.xpi"

Note: Mozilla recently introduced mandatory signing of XPI installers. We are working to get our
XPI included in that process. In the meantime you need to register the sc-hsm-pkcs11.dll manually
using Preferences/Advanced/Security Devices.

Thunderbird
-----------
Open Thunderbird and the Security Devices Manager
Select Load and enter "SmartCard-HSM" as Module Name
Select "sc-hsm-pkcs.dll" or "/usr/local/lib/sc-hsm-pkcs11.so" as module filename.

Uninstall
---------
Open Firefox and the Add-ons-Manager.
Uninstall the "SmartCard-HSM PKCS#11 Installer"
Open the "Security Devices Manager"
Unload the entry under "SmartCard-HSM"

Running the test program
------------------------
Open a console and change into the sc-hsm-pkcs11 directory.
Insert a SmartCard-HSM and enter

sc-hsm-pkcs11-test --module lib\sc-hsm-pkcs11.dll

For a STARCOS card you will need to define the token that shall be used for tests:

sc-hsm-pkcs11-test --module lib\sc-hsm-pkcs11.dll --token STARCOS.eUserPKI

The test program uses the default PINs (648219 for SmartCard-HSM or 123456 for STARCOS card).

Please use --pin <pin> if you need to define a different PIN.

Debugging
---------
A debugging version of the PKCS#11 module is provided to aid debugging of
card and card reader problems.

Please install the debug version and create a sc-hsm-embedded directory under
%HOME%/tmp on Linux/MacOSX and %HOMEDIR%/appdata/LocalLow on Windows.

System applications running under root will write logfiles to /var/tmp/sc-hsm-embedded.

On Linux you will need to use configure with --enable-debug.

Release 2.10
------------
Add write support for the SmartCard-HSM
Add CSP-Minidriver for Windows based applications
Add C_WaitForSlotEvent
Add public key operation with C_Verify*(), C_Encrypt*() and C_Digest*() functions
Removed support for obsolete Signtrust Cards.

Release 2.9
-----------
Added ATRs for BNotK cards

Release 2.8
-----------
Added support for ECC keys on DGN card
Added support for static slot ids
Fixed issue with leaked PIN value due to non-cleared buffers
Added multi-threading tests for ECC

Release 2.7
-----------
Added support for DGN HBA on Starcos 3.5

Release 2.6
-----------
Disabled QES token when running under Firefox.

Release 2.5
-----------
Added ATR for contactless SmartCard-HSMs.

Release 2.4
-----------
Removed probing of applications on unrecognized cards.

Release 2.3
-----------
Disabled QES2 on Signtrust 3.2 card as this is never used.
Added environment variable PKCS11_PREALLOCATE_VIRTUAL_SLOTS=<n> to create <n> virtual slots when the
primary slot is allocated for the first time. Without the flag a virtual slot is dynamically created if a
token with more than one PIN is detect. In that case the PKCS#11 module creates an additional virtual slot for
each additional PIN (usually the QES PINs). However, this dynamic behaviour collides with the way Firefox handles
the Friendly flag, which is only set for slots that are present at modul loading.

Release 2.2
-----------
Added support for Signtrust Starcos 3.2 card

Release 2.1
-----------
Added support for D-Trust Starcos 3.4 card
Added support for Signtrust Starcos 3.5 card

Release 2.0
-----------
Added support for Bundesnotarkammer Starcos 3.5 card
Added support for PC/SC card reader