I'm trying to follow the instructions documented on page 96 of the (excellent) book "Digital Signatures in PDF Documents" section 4.1.2 titled "Signing a document using a USB token (part 2: PKCS#11)".

Specifically, Code Sample 4.2 starts with the following line:

```java
public static final String DLL = "c:/windows/system32/dkck201.dll";
```

This code example is for a Windows machine. If I'm using Linux (CentOS 64 bit) with a USB Token (such as the example's iKey 4000), what file would I use and where does it come from (e.g. the token manufacturer, the PDF Digital Certificate provider, the CentOS operating system, Java, etc...)?

The text states: Make sure you have the correct path to the CRYPTOKI (PKCS#11) DLL. If you want to make this work on Linux, you’ll need a path to a .so-file such as libCryptoki2_64.so, libpkcs11.so…

I don't know much about this topic. I searched but those two .so files listed above for Linux do not appear to be on my machine. However, the following files ARE on the machine -- but I'm not sure if one might be a suitable substitute:

```
/usr/lib64/pkcs11
/usr/lib64/libCrypto.so
/usr/lib64/libeTPkcs11.so
~/jre/lib/amd64/libj2pkcs11.so
~/jre/lib/ext/sunpkcs11.jar
```

Can someone advise me how to obtain (or locate) an .so file that could be used with a USB Token on Linux 64b? Or at least describe in general terms what this file is, where it comes from, etc.?

Any help much appreciated!

user46688

1 Answer

It is almost always best to get the PKCS#11 library from your token/card vendor. I believe that one of my older answers to a similar question should give you a little more insight into the topic.

jariq
  • Thanks for the comment, do you mean hardware vendor (e.g. SafeNet who provides the iKey4000) or software PDF Digital Cert vendor (e.g. Symantec, Entrust, etc)? – user46688 Aug 27 '14 at 21:26
  • @user46688 This one is tricky to answer :) It is not unusual that a PKCS#11 library is produced by the hardware vendor but distributed by a certificate authority who will sell you the full package - token with certificate and middleware with PKCS#11 library. – jariq Aug 27 '14 at 21:57
  • @user46688 The PKCS#11 library for iKey4000 is distributed as a part of [SafeNet Authentication Client](http://www.safenet-inc.com/multi-factor-authentication/security-applications/authentication-client-token-management/#tab2). I believe you can buy it from any third party reseller. However, the SafeNet website states that iKey4000 is supported by Windows only, but a quick Google search revealed there is a company in the Czech Republic which claims to offer a [Linux version of PKCS#11 library for iKey4000](http://www.dignita.cz/bezpecnost/linux-driver-pro-ikey4000-safenet). – jariq Aug 27 '14 at 22:45
  • Wow, thanks for the research @jariq. I've got SafeNet Authentication Client (SAC) already installed on the server, which is why I was surprised not to see the required PKCS#11 library in any directory (although I was only searching for the file names I "know" from above). I'm actually using a SafeNet eToken 5100, which also uses SAC, and works on Linux. – user46688 Aug 27 '14 at 22:49
  • @user46688 Well then one of the libraries installed with SAC should be the PKCS#11 library that you are looking for. – jariq Aug 27 '14 at 23:00
  • I'm wondering, since you seem to know a lot about PKCS#11, if you can look at this SAC document (http://loja.certificadodigital.com.br/Serasa/UPLOAD/Downloads/703b.pdf) and search for the term `libeTPkcs11.so` (see PDF page 18; page number on it reads 12; and following page) -- from the way they are using this library, does it appear to be the one we're looking for that implements PKCS#11 standard? – user46688 Aug 27 '14 at 23:47
  • @user46688 Yes, `libeTPkcs11.so` seems to be the PKCS#11 library you are looking for. Try to run `pkcs11-tool --module /usr/lib64/libeTPkcs11.so --list-slots` to display cards/tokens connected to your computer. – jariq Aug 28 '14 at 06:43
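
A way to check which of the candidate files is a PKCS#11 module, added here as an example and not part of the original thread: a PKCS#11 library exports `C_GetFunctionList`, so the sketch below loads each path and calls that entry point. The function name `probe_pkcs11` is hypothetical, and the candidate list is simply the paths quoted in the question.

```python
import ctypes
import os

class CK_VERSION(ctypes.Structure):
    # CK_FUNCTION_LIST begins with a CK_VERSION, so the pointer returned by
    # C_GetFunctionList can be read as a pointer to this struct.
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

CKR_OK = 0

def probe_pkcs11(path):
    """Return the Cryptoki (major, minor) version if `path` is a loadable
    PKCS#11 module, otherwise None."""
    # Loading a shared library runs its initializers, so only probe files
    # that were installed from packages you trust.
    try:
        lib = ctypes.CDLL(os.path.expanduser(path))
    except OSError:
        return None                      # directory, jar, wrong arch, missing file
    try:
        get_list = lib.C_GetFunctionList
    except AttributeError:
        return None                      # shared library, but not a PKCS#11 module
    get_list.restype = ctypes.c_ulong    # CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_VERSION))]
    plist = ctypes.POINTER(CK_VERSION)()
    # C_GetFunctionList may be called before C_Initialize.
    if get_list(ctypes.byref(plist)) != CKR_OK or not plist:
        return None
    return (plist.contents.major, plist.contents.minor)

# Paths copied from the question; adjust for the machine being checked.
CANDIDATES = [
    "/usr/lib64/pkcs11",
    "/usr/lib64/libCrypto.so",
    "/usr/lib64/libeTPkcs11.so",
    "~/jre/lib/amd64/libj2pkcs11.so",
    "~/jre/lib/ext/sunpkcs11.jar",
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        version = probe_pkcs11(candidate)
        if version is None:
            print(f"{candidate}: not a PKCS#11 module")
        else:
            print(f"{candidate}: PKCS#11 module, Cryptoki {version[0]}.{version[1]}")
```

A path that passes this check is the value to use in place of the Windows DLL path in the book's sample.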