Creating applications with smart card support
Table of Contents
If you, as a developer, want to write software that can work with cryptographic smart cards, you need to orientate in the maze of different cryptographic APIs.
Platform crypto interfaces
PKCS#11
PKCS#11 is the only universal, cross-platform cryptography interface, defined by RSA Laboratories. OpenSC and almost all hardware cryptography device vendors (smart cards, HSM-s) provide one with their hardware. PKCS#11 is the most universal and flexible API, but it also has a major drawback: applications need to be manually configured to use a specific PKCS#11 module. Choose PKCS#11 as your primary interface if you are writing a specialized crypto application or universality and portability are very important to you. PKCS#11 only provides cryptographic primitives, it dos not provide X509 and trust management features. OpenSC provides a PKCS#11 module which should be usable by any software claiming PKCS#11 support.
Tools and libraries
These tools and libraries help in talking to PKCS#11 modules or integrate PKCS#11 with other frameworks.
- C
- libp11 is a simple wrapper around PKCS#11, written in C.
- pkcs11-helper is a wrapper around PKCS#11 modules written in C. It also includes an OpenSSL engine.
- engine_pkcs11 is a stand-alone OpenSSL engine that bridges OpenSSL and PKCS#11. SSL connections can be terminated with keys from a PKCS#11 module
- gp11 is a GObject based wrapper for PKCS#11, distributed with gnome-keyring.
- PaKChoiS aims to provide a thin wrapper over the PKCS#11 interface.
- Python
- PyKCS11 is a python wrapper (SWIG) for PKCS#11 modules.
- Java
- Java wiki page has more resources on Java and smart cards, including a list of PKCS#11 wrappers
Additional resources
- Gnome Keyring has PKCS#11 related ideas in their architecture
CrytpoAPI (Windows)
Windows applications use CryptoAPI to do native SSL connections and to use the Windows certificate store. All applications using CryptoAPI (or CryptoAPI-NG) can transparently use all smart cards that provide a full CSP or a smart card BaseCSP module. Most card vendors provide one such driver. OpenSC has a rudimentary BaseCSP module (a MiniDriver), but it is still work in progress. Use CryptoAPI if you are writing a Windows-only application or if you want a well functioning and integrated experience for your users. CryptoAPI provides trust management (user has a centralized location to set the trust bits for various X509 certificates) in addition to basic cryptographic operations and windows API provides higher level functions that are CAPI enabled (TODO: OpenURL example/link)
CDSA/Keychain (Mac OS X)
Mac OS X implements CDSA as the cryptography API for the Mac platform (in theory it is a universal specification but in practice only implemented by Apple). OS X 10.4 and above implement Tokend, what is similar in nature to BaseCSP on Windows - it provides a plugin architecture to add support for smart cards into the system. Applications using CDSA can then transparently make use of smart cards. Applications usually use higher level API-s (like Keychain or SSL socket API-s) that internally make use of CDSA. Trust management is exposed centrally via Keychain.app. Use Keychain API-s if writing a native application for Mac OS X or if you want to have a smooth "Mac style" user experience.
Java Cryptography Architecture (JCA)
TODO, but Java has some pointers
SSL/TLS toolkit integration
OpenSSL
OpenSSL has an easy way to integrate smart card support. libp11 has code to make using OpenSC PKCS#11 module with OpenSSL quite easy and includes example code for using SSL with client certificate authentication using a smart card too (FIXME: link). engine_pkcs11 project has an OpenSSL engine implementation so you can change any code using OpenSSL to move the crypto operation from your CPU to your smart card with only a few small changes. Wpa_supplicant is an example of an application using OpenSSL and this engine for smart card support.
NSS
NSS (Network Security Services) is used by Mozilla products (Firefox, Thunderbird) and many applications in Fedora, like mod_nss. NSS supports PKCS#11 for SSL.
QCA
QCA (Qt Cryptographic Architecture) adds cryptography support into Qt applications. QCA has PKCS#11 support since v2.0. See http://sites.google.com/site/alonbarlev/qca-pkcs11 for more information.
GnuTLS
Alon Bar-Lev has WIP code to integrate GnuTLS and PKCS#11, see http://sites.google.com/site/alonbarlev/gnutls-pkcs11 for more information. An experimental release is also available.
cryptlib
cryptlib is a library by Peter Gutmann and claims support for SSL and PKCS#11 modules.
Low level smart card access
OpenSC is for cryptographic smart cards and the preferred method for accessing such cards is via one of the high level cryptographic API-s listed above, which hides the details of actual card access via one of the interfaces described below. As a general rule, don't use the low level smart card API-s if the functionality is implemented via a cryptographic API.
PC/SC
PC/SC is a standard from PC/SC Workgroup but the "reference implementation" is still Windows winscard.dll. Linux uses the open source pcsc-lite package. And Mac OS X uses a fork of pcsc-lite included in the SmartCardServices project.
Tools and libraries
- Python
- Java
- See dedicated Java page about javax.smartcardio in Java 1.6+