PKCS11

[PKCS11]
AllowCertificate=
DetectNewSlotsEvent=0
DetectNewSlotsList=0
DisableNonRep=0
DisableDuplicate=0
EngineMode=0xFFFFFFFF
EngineSpecial=rsa-pkcs-pss:allow-pre-digested
FriendlyName=
IgnoreLogout=0
InsertEmptySlots=0
LogoutAtLastSession=0
:MaxObject=128
:MaxSessions=256
:MechanismAllow=
:MechanismDeny=
SessionToken=1
SinglePin=0
:ValidateReturnValue=1
VerifyAlgorithms=0

AllowCertificate

The AllowCertificate parameter specifies a matching condition that a certificate must fulfil to be made available through the PKCS#11 library. The same matching can be used to hide unwanted certificates. The default value is empty, which allows all certificates.

[PKCS11]
AllowCertificate=

DetectNewSlotsEvent, DetectNewSlotsList

The standard detection of new events, for example a smart card being inserted or removed, requires asking the smart card reader service about its current status. This is done asynchronously, which means that a calling application may have a different view of the current status than the library. The asynchronous behavior is important, but so is timely detection of status changes. The service must not be asked too often, since that affects performance and stability. To limit the number of detection rounds, the library can instead run an additional detection round when an application asks for the current slot list (DetectNewSlotsList) and when it asks for slot events (DetectNewSlotsEvent).

[PKCS11]
DetectNewSlotsEvent=1
DetectNewSlotsList=1

Values

0

off

1

on

DisableNonRep

The disable non-repudiation certificate feature is added to handle applications that try to use non-repudiation certificates for any purpose, instead of their intended purpose only. Use conditions to control the behavior for a specific application.

[PKCS11]
DisableNonRep=0

Values

0

off

1

on

DisableDuplicate

The disable duplicate certificate feature is added to handle applications that have problems with updated (renewed) certificates. A duplicate is a certificate with the same issuer and subject fields as another certificate; when duplicates are disabled, only the newest certificate is shown.

[PKCS11]
DisableDuplicate=0

Values

0

off

1

on

EngineMode

The Net iD Client has its own implementation of all supported algorithms, but other implementations with better performance are available, for example OpenSSL or Microsoft CNG. The EngineMode parameter tells when to use an external engine. The value is a 32-bit mask with one byte per operation class (RSA key generation, RSA key use, ECC key generation, ECC key use), as shown by the accessor macros below; each byte holds the ENGINE_* bits of the engines permitted for that class.

[PKCS11]
EngineMode=0xFFFFFFFF

Values

#define ENGINE_EXTERNAL 0x01
#define ENGINE_OPENSSL 0x02
#define ENGINE_CNG 0x04
#define ENGINE_CAPI 0x08
#define ENGINE_INTERNAL 0x80
#define ENGINE_MODE_RSA_GEN(a) (CK_BYTE)(a & 0xFF)
#define ENGINE_MODE_RSA_USE(a) (CK_BYTE)((a >> 8) & 0xFF)
#define ENGINE_MODE_ECC_GEN(a) (CK_BYTE)((a >> 16) & 0xFF)
#define ENGINE_MODE_ECC_USE(a) (CK_BYTE)((a >> 24) & 0xFF)
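The following is an added example, not code from Net iD, that decodes and composes EngineMode values using the macros above (with the macro arguments parenthesized). The helpers engine_mode_compose, engine_mode_rsa_use_allows and print_engine_mode are this example's own, hypothetical names, and the assumption that each ENGINE_* bit independently permits that engine for its field is not confirmed by the page.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t CK_BYTE;  /* PKCS#11 byte type, declared here so the example builds without cryptoki.h */

/* Engine identifiers and field accessors as given on this page. */
#define ENGINE_EXTERNAL 0x01
#define ENGINE_OPENSSL  0x02
#define ENGINE_CNG      0x04
#define ENGINE_CAPI     0x08
#define ENGINE_INTERNAL 0x80
#define ENGINE_MODE_RSA_GEN(a) (CK_BYTE)((a) & 0xFF)
#define ENGINE_MODE_RSA_USE(a) (CK_BYTE)(((a) >> 8) & 0xFF)
#define ENGINE_MODE_ECC_GEN(a) (CK_BYTE)(((a) >> 16) & 0xFF)
#define ENGINE_MODE_ECC_USE(a) (CK_BYTE)(((a) >> 24) & 0xFF)

/* Hypothetical helper (not part of Net iD): pack the four per-operation engine
   masks into one 32-bit EngineMode value, the inverse of the accessor macros. */
uint32_t engine_mode_compose(CK_BYTE rsa_gen, CK_BYTE rsa_use,
                             CK_BYTE ecc_gen, CK_BYTE ecc_use)
{
    return (uint32_t)rsa_gen
         | ((uint32_t)rsa_use << 8)
         | ((uint32_t)ecc_gen << 16)
         | ((uint32_t)ecc_use << 24);
}

/* Hypothetical helper: does the RSA-use field of mode permit the given engine?
   Assumes each ENGINE_* bit independently enables that engine for the field. */
int engine_mode_rsa_use_allows(uint32_t mode, CK_BYTE engine)
{
    return (ENGINE_MODE_RSA_USE(mode) & engine) != 0;
}

/* Render one field as the list of engine names whose bits are set. */
static void print_field(const char *label, CK_BYTE field)
{
    static const struct { CK_BYTE bit; const char *name; } names[] = {
        { ENGINE_EXTERNAL, "EXTERNAL" }, { ENGINE_OPENSSL, "OPENSSL" },
        { ENGINE_CNG, "CNG" }, { ENGINE_CAPI, "CAPI" }, { ENGINE_INTERNAL, "INTERNAL" },
    };
    printf("  %-8s 0x%02X :", label, field);
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (field & names[i].bit)
            printf(" %s", names[i].name);
    putchar('\n');
}

/* Decode a complete EngineMode value into its four fields. */
void print_engine_mode(uint32_t mode)
{
    printf("EngineMode=0x%08" PRIX32 "\n", mode);
    print_field("RSA_GEN", ENGINE_MODE_RSA_GEN(mode));
    print_field("RSA_USE", ENGINE_MODE_RSA_USE(mode));
    print_field("ECC_GEN", ENGINE_MODE_ECC_GEN(mode));
    print_field("ECC_USE", ENGINE_MODE_ECC_USE(mode));
}

int main(void)
{
    /* The page's default: every engine permitted for every operation class. */
    print_engine_mode(0xFFFFFFFFu);

    /* A tighter policy: keep key generation on the internal implementation and
       allow OpenSSL or CNG only for using existing keys. Whether the library
       requires ENGINE_EXTERNAL alongside a specific engine bit is not stated
       on this page, so this value sets both. */
    uint32_t mode = engine_mode_compose(ENGINE_INTERNAL,
                                        ENGINE_EXTERNAL | ENGINE_OPENSSL | ENGINE_CNG,
                                        ENGINE_INTERNAL,
                                        ENGINE_EXTERNAL | ENGINE_OPENSSL | ENGINE_CNG);
    print_engine_mode(mode);   /* prints EngineMode=0x07800780 */
    return 0;
}
```

The second value shows how a policy that keeps private-key generation out of external engines is written into the configuration: EngineMode=0x07800780.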

EngineSpecial

The EngineSpecial parameter sets special handling of mechanisms when interpretation of the standard is different between applications.

Values

rsa-pss:allow-pre-digested

For mechanism CKM_RSA_PKCS_PSS. With this setting the library checks whether the data passed for signing has the same length as the output of the digest mechanism given in the PSS parameters, and if so assumes that the data is already digested rather than a message still to be hashed. This is a heuristic: a message that happens to be exactly the digest length is treated as a pre-computed hash.

FriendlyName

The friendly name is the text that some applications display as the name of a certificate. This parameter specifies the format of that text; in the example below the subject common name (OID 2.5.4.3) is followed by the issuer common name in parentheses.

[PKCS11]
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})

The parameter will overwrite custom labels. Disable friendly name when using custom labels.

[PKCS11]
FriendlyName=none

IgnoreLogout

The IgnoreLogout parameter disables all attempts to logout a smart card by the caller, to avoid interference with single sign-on.

[PKCS11]
IgnoreLogout=0

Values

0

off

1

on

InsertEmptySlots

Some PKCS#11 applications have problems with slots that appear after the library has been loaded. Firefox, for example, sets its own flags such as public-readable-certificates when the library is first loaded. This parameter adds a number of additional slots that are empty but at least present.

[PKCS11]
InsertEmptySlots=0

Values

0

off

1

on

LogoutAtLastSession

Our PKCS#11 implementation keeps the current logon status even when the last session is closed, since we consider single sign-on an important feature. Some consider this behavior bad practice, and with this parameter you can specify that a logout will happen when the last session is closed.

[PKCS11]
LogoutAtLastSession=0

Values

0

off

1

on

MaxObject

The MaxObject parameter sets how many token objects and session objects can be held in each object box. Session objects are created through PKCS#11. Token objects are loaded from different units, for example smart cards.

[PKCS11]
MaxObject=<objects>

Values

objects

Number of token and session objects in each object box. The MaxObject value must be greater than or equal to 10.

MaxSessions

The MaxSessions parameter tells the maximum number of active sessions.

[PKCS11]
MaxSessions=<activesessions>

Values

activesessions

Maximum number of active sessions. The activesessions value must be greater than or equal to 10.

MechanismAllow

The MechanismAllow parameter tells which mechanisms are permitted for the PKCS#11 library.

A mechanism in PKCS#11 is an algorithm that specifies how a certain cryptographic process is performed.

[PKCS11]
MechanismAllow=<wild-card-list>

Values

wild-card-list

Use mechanism name according to PKCS#11. Separate names with a semicolon. Use * for wildcards.

Examples

Example 1. Allow and deny algorithms using specified patterns.

Patterns are given for MechanismAllow and MechanismDeny to set the permitted algorithms. In the trace below, CKM_RSA_PKCS_PSS matches the allow pattern *RSA* but is still blocked because it also matches the deny pattern *_PSS, so a deny match takes precedence over an allow match; the SHA, PBKDF2 and AES mechanisms are blocked because they match no allow pattern. Note that the deny entry CKM_SHA1 does not match the PKCS#11 name CKM_SHA_1; with an allow list that only permits *RSA* mechanisms the misspelling is harmless, but with an empty MechanismAllow it would deny nothing.

[PKCS11]
MechanismAllow=*RSA*
MechanismDeny=CKM_SHA1;*_PSS;

Trace output

[00008044:00011868] 13.02.34.814 CryptoKi - Mechanism BLOCKED by policy: CKM_RSA_PKCS_PSS
[00008044:00011868] 13.02.34.815 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA_1
[00008044:00011868] 13.02.34.815 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA_1_HMAC
[00008044:00011868] 13.02.34.815 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA224
[00008044:00011868] 13.02.34.815 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA224_HMAC
[00008044:00011868] 13.02.34.815 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA256
[00008044:00011868] 13.02.34.816 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA256_HMAC
[00008044:00011868] 13.02.34.816 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA384
[00008044:00011868] 13.02.34.816 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA384_HMAC
[00008044:00011868] 13.02.34.816 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA512
[00008044:00011868] 13.02.34.816 CryptoKi - Mechanism BLOCKED by policy: CKM_SHA512_HMAC
[00008044:00011868] 13.02.34.817 CryptoKi - Mechanism BLOCKED by policy: CKM_PKCS5_PBKD2
[00008044:00011868] 13.02.34.817 CryptoKi - Mechanism BLOCKED by policy: CKM_AES_CMAC
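The following is an added example, not Net iD code, that applies the page's MechanismAllow and MechanismDeny patterns to a constructed list of mechanism names and prints trace-style lines for the blocked ones. The evaluation order (an empty allow list permits everything, a non-empty one permits only matching names, and a deny match always wins) is inferred from the trace above and is an assumption; the functions glob_match, list_matches, mechanism_permitted and report_blocked are this example's own names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wildcard match where '*' matches any run of characters (possibly empty);
   the page names '*' as the only wildcard, so nothing else is special. */
static bool glob_match(const char *pat, const char *s)
{
    if (*pat == '\0')
        return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {
            if (glob_match(pat + 1, s))
                return true;
            if (*s == '\0')
                return false;
        }
    }
    return *pat == *s && glob_match(pat + 1, s + 1);
}

/* True if any ';'-separated pattern in list matches name.
   Empty items, such as the one left by a trailing ';', are ignored. */
static bool list_matches(const char *list, const char *name)
{
    while (*list) {
        const char *end = strchr(list, ';');
        size_t n = end ? (size_t)(end - list) : strlen(list);
        char pat[128];
        if (n > 0 && n < sizeof pat) {
            memcpy(pat, list, n);
            pat[n] = '\0';
            if (glob_match(pat, name))
                return true;
        }
        if (!end)
            break;
        list = end + 1;
    }
    return false;
}

/* Policy decision for one mechanism name. Assumed semantics (inferred from
   the trace on this page, not stated by the vendor): an empty MechanismAllow
   permits everything, a non-empty one permits only matching names, and a
   MechanismDeny match always wins. */
bool mechanism_permitted(const char *allow, const char *deny, const char *name)
{
    if (allow && *allow && !list_matches(allow, name))
        return false;
    if (deny && *deny && list_matches(deny, name))
        return false;
    return true;
}

/* Apply the policy to a list of names, printing one line per blocked
   mechanism in the style of the trace above; returns the number blocked. */
size_t report_blocked(const char *allow, const char *deny,
                      const char *const *mechs, size_t count)
{
    size_t blocked = 0;
    for (size_t i = 0; i < count; i++) {
        if (!mechanism_permitted(allow, deny, mechs[i])) {
            printf("CryptoKi - Mechanism BLOCKED by policy: %s\n", mechs[i]);
            blocked++;
        }
    }
    return blocked;
}

/* Constructed mechanism list: some names from the trace above plus a few
   RSA mechanisms that the allow pattern should let through. */
static const char *const sample_mechs[] = {
    "CKM_RSA_PKCS_KEY_PAIR_GEN", "CKM_RSA_PKCS", "CKM_SHA256_RSA_PKCS",
    "CKM_RSA_PKCS_PSS", "CKM_SHA256_RSA_PKCS_PSS",
    "CKM_SHA_1", "CKM_SHA_1_HMAC", "CKM_SHA256", "CKM_SHA256_HMAC",
    "CKM_PKCS5_PBKD2", "CKM_AES_CMAC",
};

int main(void)
{
    const char *allow = "*RSA*";
    const char *deny  = "CKM_SHA1;*_PSS;";
    size_t total = sizeof sample_mechs / sizeof sample_mechs[0];
    size_t n = report_blocked(allow, deny, sample_mechs, total);
    printf("%zu of %zu mechanisms blocked\n", n, total);   /* 8 of 11 */
    return 0;
}
```

Running it blocks the two PSS variants through the deny list and the six non-RSA mechanisms through the allow list, leaving only the three plain RSA mechanisms usable; changing the deny entry to CKM_SHA_1 is what it takes for that entry to have any effect when MechanismAllow is left empty.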

MechanismDeny

The MechanismDeny parameter tells which mechanisms that are not permitted for the PKCS#11 library.

A mechanism in PKCS#11 is an algorithm that specifies how a certain cryptographic process is performed.

[PKCS11]
MechanismDeny=<wild-card-list>

Values

wild-card-list

Use mechanism name according to PKCS#11. Separate names with a semicolon. Use * for wildcards.

Examples

For example, see MechanismAllow examples.

SessionToken

The SessionToken parameter tells the PKCS#11 library to insert a session slot that is always present. This is necessary when a calling application wants to use the library for cryptographic operations while no token is present.

[PKCS11]
SessionToken=1

Values

0

off

1

on

SinglePin

The normal behavior for the PKCS#11 library is to create a number of virtual tokens, one for each token and PIN, to support multiple PINs. Some applications cannot handle multiple slots, so it can be necessary to specify that a single PIN should be used. Usually, those applications also have problems with multiple smart card readers.

[PKCS11]
SinglePin=0

Values

0

off

1

on

ValidateReturnValue

The normal behavior for the PKCS#11 library is to return only the return values that the PKCS#11 specification allows for each function. There are situations where other return values are generated internally; those are translated to a valid value.

[PKCS11]
ValidateReturnValue=1

Values

0

off

1

on

VerifyAlgorithms

The PKCS#11 library can execute an algorithm self-test at startup to validate that all algorithms work as expected. This is only required during initial testing on a new platform, so it is only used by developers.

[PKCS11]
VerifyAlgorithms=0

Values

0

off

1

on