PKCS11

The AllowCertificate parameter is used to specify any matching condition that should be fulfilled to allow the certificate to be available. This matching can also be used to remove unwanted certificates. The default value is none, which will allow all certificates.

The standard update detection of new events, for example smart card inserted or removed, requires asking the smart card reader service about its current status. This questioning is done asynchronous, which means that a calling application can have a different expectation about the current status. This asynchronous behavior is important, but status change detection is also important. We must not ask to often, since this will have an impact on the performance and stability. To avoid too many detections we have added the possibility to run additional detection round when asking for the current slot list and when asking for possible events.

The disable non-repudation certificate features are added to handle applications that try to use non-repuditaion certificates for anything, instead of the real intended purpose. Use conditions to control the behavior of a specific application.

The disable duplicate certificate features are added to handle applications that have problems with handling of updated certificates. A duplicate means that the certificate has the same issuer and subject field. Only the newest certificate is shown.

The Net iD Client has an implementation for all supported algorithms But there are other implementations available that has better performance, for example OpenSSL or Microsoft CNG. The engine mode parameter tells when to use an external engine.

The friendly name is the description that sometimes is used to show the name of the certificate. This parameter is used to specify the format of that text.

The IgnoreLogout parameter disables all attempts to logout a smart card by the caller, to avoid interference with single sign-on.

Some PKCS#11 applications have a problem with inserting new slots. Firefox will for example set its own flags like public-readable-certificates when the library is first loaded. This parameter adds a number of additional slots that will be empty, but at least present.

Our PKCS#11 implementation enables the current logon status to be stored even when the last session is closed, since we think that single sign-on is an important feature. Some people believe that this behavior is bad practice, and you can specify that a logout will happen when the last session is closed.

The MaxObject parameter tells how many token objects and session objects that can be in each object box. Session objects are created through PKCS#11. Token objects are loaded from different units, for example smart cards.

The MaxSessions parameter tells the maximum number of active sessions.

The MechanismAllow parameter tells which mechanisms are permitted for the PKCS#11 library.

The MechanismDeny parameter tells which mechanisms that are not permitted for the PKCS#11 library.

The SessionToken parameter tells that the PKCS#11 should insert a session slot that always will be present. This is necessary when a calling application want to use our library for cryptographic operations when no token is present.

The normal behavior for the PKCS#11 library is to create a number of virtual tokens for each token and PIN to allow for multi-PIN support. Some applications cannot handle multiple slots, so it can be necessary to specify that a single PIN should be used. Usually, those applications also have problems with multiple smart card readers.

The normal behavior for the PKCS#11 library is to only return allowed return values for each function according to the PKCS#11 specification. There are situations where other return values are generated, but those will be translated to a valid value.

The PKCS#11 can execute an algorithm test at startup to validate that all algorithms are working as expected. This will only be required when doing initial testing on a new platform, so it is only used by developers.