The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM), smart cards, and names the API itself "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key" - but "PKCS #11" is often used to refer to the API as well as the standard that defines it).
The API defines most commonly used cryptographic object types (RSAX.509 keys, DES/Triple DES Certificates/keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.
This container relies on a PKCS#11 a library which handles the communication with the token/card. This can be a vendor specific library or an opensource one, please select the correct one depending on the type of token/card you are using.
Interface Summary
The Abstract PKCS #11 smartcard interface is summarized in the following snippet:
Each interface will be covered on this wiki, accompanied with example code and response objects.
Get the PKCS #11 container object
For more information on how to configure the T1C-JS client library see Client Configuration.
To set the locations of the PCKS#11 library, pass a ModuleConfig object when initializing the client:
var moduleConfig = {"linux":"/usr/local/lib/libeTPkcs11.so","mac":"/usr/local/lib/libeTPkcs11.dylib","win":"C:\\Windows\\System32\\eTPKCS11.dll"}var config =newGCLConfig("ds uri","apikey", moduleConfig);GCLLib.GCLClient.initialize(config,function(err, gclClient) {// gclClient ready to use});
To successfully sign data, we need the following parameters:
Slot ID of the token to use
Certificate ID of the signing certificate
PIN code
Hashed data to sign
Hashing algorithm used
The slot id can be found using either a call to slots, slotsWithTokenPresent. Once the slot id is found, the certificates can be retrieved with a call to certificates. This then returns the certificate id. Now we can combine this with the PIN code and hashed data + hashing algorithm (SHA1, SHA256, SHA384, SHA512) to create the final signData call:
The functions specified are asynchronous and always need a callback function.
The callback function will reply with a data object in case of success, or with an error object in case of an error. An example callback: