5

I am trying to use pkcs11 within my application to access smart cards. Here is the output of the 'list-slots' command:

root@penguin:~/src/tools$ pkcs11-tool -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)

I have 2 questions:

  1. How can I simulate a fake card so Slot 0 has a token/device in it which I can access?

  2. Can I create additional slots and add tokens/devices to them?

If not, what can I do to add a token/device to the available Slot 0?

ksoop

1 Answer

5

You'll need a "module," a dynamically loaded library that interfaces with a specific smart card. If your smart card works with OpenSC (for instance, a Yubikey in PIV mode), you'd use the OpenSC module, which is commonly at /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so on Linux systems, or /Library/OpenSC/lib/opensc-pkcs11.dylib on macOS systems.

If you don't have a physical smart card and just want to work with the PKCS#11 APIs, you can install and use SoftHSM, which emulates a PKCS#11 device in software. You'll need to configure SoftHSM a little bit before using it, to create the necessary slots. The SoftHSM module is commonly at /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so on Linux systems. You'll need to specify --module with each execution of pkcs11-tool.

Here's an example of how to set up and use SoftHSMv2:

mkdir softhsm
cd softhsm
echo "directories.tokendir = $PWD/" > softhsm2.conf
export SOFTHSM2_CONF=$PWD/softhsm2.conf
pkcs11-tool -L --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so

SoftHSMv2 will have one slot by default. Once you initialize a token in the first slot, it will automatically add a second slot, and so on.

$ pkcs11-tool  --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so -L
Available slots:
Slot 0 (0x0): SoftHSM slot 0
  token state:   uninitialized
$ pkcs11-tool  --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --init-token --label my_token
Using slot 0 with a present token (0x0)
Please enter the new SO PIN: 
Please enter the new SO PIN (again): 
Token successfully initialized
membrane:~ $ pkcs11-tool  --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so -L
Available slots:
Slot 0 (0x0): SoftHSM slot 0
  token label        : my_token
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : rng, login required, token initialized, other flags=0x20
  hardware version   : 2.0
  firmware version   : 2.0
  serial num         : 5bed215e0df0d1f1
Slot 1 (0x1): SoftHSM slot 1
  token state:   uninitialized

If you're working with a hardware smart card, generally you will have a fixed set of slots.

jsha
  • I tried installing SoftHSM and don't think it helped because I see the same output (no slots available): root@penguin:~/src/tools$ pkcs11-tool -L --module /usr/lib/softhsm/libsofthsm.so Available slots: No slots. - @jsha – ksoop Nov 28 '17 at 01:08
  • You mentioned - You'll need to configure SoftHSM a little bit before using it, to create the necessary slots - What are the steps to do that? – ksoop Nov 28 '17 at 01:37
  • Interestingly, if I use softhsm2-util --show-slots, I see the slots. But not with pkcs11-tool -L --module /usr/lib/softhsm/libsofthsm.so. Why is that? – ksoop Nov 28 '17 at 02:04
  • The instructions to set up softhsm are under "Here's an example of how to set up and use SoftHSMv2" above. I'm not sure why you don't see the slots with pkcs11-tool; it works for me! Are you sure you are giving the right module path to pkcs11-tool? Do you have the SOFTHSM2_CONF environment variable properly exported in both cases? – jsha Dec 06 '17 at 22:52
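
The two things the last comment asks about (module path and SOFTHSM2_CONF) can be checked before running pkcs11-tool. The script below is an added example, not part of the question, answer or comments; the function name softhsm_preflight and its return codes are hypothetical and chosen only for this illustration.

```shell
#!/bin/sh
# Added example (not from the posts above). softhsm_preflight is a hypothetical
# helper; its return codes are this example's own convention.
# Usage: softhsm_preflight /path/to/libsofthsm2.so
softhsm_preflight() {
    module=$1
    # libsofthsm2.so is the SoftHSMv2 module. libsofthsm.so is the SoftHSM v1
    # module, which does not read SOFTHSM2_CONF or v2 token directories.
    if [ "$(basename "$module")" != "libsofthsm2.so" ]; then
        echo "$(basename "$module") is not the SoftHSMv2 module"; return 1
    fi
    if [ ! -e "$module" ]; then
        echo "module file $module does not exist"; return 2
    fi
    # Without SOFTHSM2_CONF the module will not use the softhsm2.conf
    # written by the setup steps; it looks for a default config instead.
    if [ -z "${SOFTHSM2_CONF:-}" ]; then
        echo "SOFTHSM2_CONF is not set in this shell"; return 3
    fi
    if [ ! -r "$SOFTHSM2_CONF" ]; then
        echo "config file $SOFTHSM2_CONF is not readable"; return 4
    fi
    # Take the value of the last directories.tokendir line, trimmed.
    tokendir=$(sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' \
        "$SOFTHSM2_CONF" | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$tokendir" ] || [ ! -d "$tokendir" ]; then
        echo "directories.tokendir '$tokendir' is unset or not a directory"; return 5
    fi
    echo "ok: $module will read tokens from $tokendir"
}

# Check the module path used in the answer; report rather than abort on failure.
softhsm_preflight /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so ||
    echo "preflight failed with code $?"
```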