Plugin

The plugin interface was initially meant to provide cryptographic access in all available web browsers. Since the real interface between web browser and library component depends on web browser and the web browser evolution, a stable interface that does not change too often was necessary. As a result, four generic functions were exported and named the plugin interface:

  • SetProperty

  • GetProperty

  • EnumProperty

  • Invoke

Disclaimer

The Plugin API is proprietary and your application should NOT use this API if you want a generic solution that will work with PKI clients from other vendors.

Interfaces

In reality the plugin interface is a collection of interfaces that provides the same functionality, but with small differences. Accessing those interfaces is programming language dependent, but it is very straight-forward for anyone used to respective language and/or platform.

The current interfaces:

  • C-API

  • ActiveX

  • NPAPI

  • JNI

  • Web-extension (I/O-API)

  • JavaScript-Native-Bridge

C-API

The C-API plugin interface that all other interfaces uses is exported from library:

Initialize/finalize
CK_VOID* OS_STDCALL
P_Initialize(
    const char*       deviceID,
    const char*       configGlobalPath,
    const char*       configLocalPath,
    CK_TRACE_CALLBACK traceCallback);

CK_VOID OS_STDCALL
P_Finalize(
    CK_VOID* ctx);
Operations
CK_VOID OS_STDCALL
P_SetProperty(
    CK_VOID*    ctx,
    const char* name,
    const char* value);

const char* OS_STDCALL
P_GetProperty(
    CK_VOID*    ctx,
    const char* name);

const char* OS_STDCALL
P_EnumProperty(
    CK_VOID*    ctx,
    const char* name,
    const char* index);

CK_LONG OS_STDCALL
P_Invoke(
    CK_VOID*    ctx,
    const char* name);
External smart card reader
CK_RV OS_STDCALL
P_AddExternalSlot(
    CK_VOID*     ctx,
    CK_ADD_SLOT* addSlot,
    CK_ULONG*    slotID,
    CK_ULONG*    count);

CK_RV OS_STDCALL
P_RemoveExternalSlot(
    CK_VOID* ctx,
    CK_ULONG slotID);
External cryptographic engine
CK_RV OS_STDCALL
P_AddExternalGenerator(
    CK_VOID*              ctx,
    CK_MECHANISM_TYPE     type,
    const char*           name,
    CK_GENERATOR_CALLBACK callback);

ActiveX

The ActiveX interface is a standard Microsoft COM interface and is accessed in the same manner as all COM objects.

GUID identifying the interface:

{5BF56AD2-E297-416E-BC49-00B327C4428E}
An example when used in web page:
<object
    name='netid-plugin'
    id='netid-plugin'
    classid='CLSID:5BF56AD2-E297-416E-BC49-00B327C4428E'
    width='0'
    height='0'>
</object>

The most common application using this interface is Internet Explorer. And that application may use protected mode, also known as sandbox, when a site is accessing and not marked as trusted. The parameter SiteAccessUntrusted sets different maximum access levels for untrusted sites, besides the normal Plugin AllowURL setting.

[Plugin]
SiteAccessUntrusted=low

NPAPI

The NPAPI is the Netscape Plugin API and is removed from most browsers, but it may still be available.

Mime-type identifying the interface:

application/x-netid
An example when used in web page:
<object
    name='netid-plugin'
    id='netid-plugin'
    type='application/x-netid'
    width='0'
    height='0'>
</object>

JNI

JNI, or Java Native Interface, is the C-API exported to be loaded from Java. The main purpose is to export a C-API that is automatically loaded from Java without much Java source code:

Initialize/finalize
CK_EXPORT_SPEC jint JNICALL
Java_com_secmaker_netid_sdk_Interface_load(
    JNIEnv*  env,
    jobject  thiz,
    jstring  deviceID,
    jstring  configGlobal,
    jstring  configLocal,
    jstring  properties,
    jboolean trace)

CK_EXPORT_SPEC void JNICALL
Java_com_secmaker_netid_sdk_Interface_release(
    JNIEnv* env,
    jobject thiz)
Operations
CK_EXPORT_SPEC void JNICALL
Java_com_secmaker_netid_sdk_Interface_setProperty(
    JNIEnv* env,
    jobject thiz,
    jstring name,
    jstring value)

CK_EXPORT_SPEC jstring JNICALL
Java_com_secmaker_netid_sdk_Interface_getProperty(
    JNIEnv* env,
    jobject thiz,
    jstring name)

CK_EXPORT_SPEC jstring JNICALL
Java_com_secmaker_netid_sdk_Interface_enumProperty(
    JNIEnv* env,
    jobject thiz,
    jstring name,
    jstring index)

CK_EXPORT_SPEC jint JNICALL
Java_com_secmaker_netid_sdk_Interface_invoke(
    JNIEnv* env,
    jobject thiz,
    jstring name)
External smart card reader
CK_EXPORT_SPEC jint JNICALL
Java_com_secmaker_netid_sdk_Interface_readerAdd(
    JNIEnv* env,
    jobject thiz)

CK_EXPORT_SPEC void JNICALL
Java_com_secmaker_netid_sdk_Interface_readerRemove(
    JNIEnv* env,
    jobject thiz,
    jint    slotID)

Web-extension (I/O-API)

All new web browsers have added the possibility to communicate between web-extension and native library using I/O-interface. For this interface will the application write to stdin and expect result in stdout. There are some small differences between different web-browsers, but hopefully their behavior will be sufficiently stable.

This API should be considered as the replacement for NPAPI interface, but unfortunately it is a security nightmare and should never ever be used unless you are 100% secure you can trust the execution environment, that is, the PC.

The web browsers have been focusing on end-user integrity and completely forgot that the end-user may be running in an insecure environment. The use of I/O-interface guarantees that we as the client never can really know who is actually calling us, so fully open for man-in-middle-attack. The web browser allow a normal end-user to modify which web-extensions is loaded, so an attacker will only need user privileges to start a man-in-middle-attack, even though we require administrator privileges to update our client configuration.

Considered as NPAPI replacement, but sensitive to man-in-middle-attack. We try to reduce the risk of man-in-the-middle attacks, but due to the design we can never completely avoid this problem.

There is a special configuration parameter that sets access level for this API. Since there is no way to detect the real caller, default access level is "low":

[Plugin]
SiteAccessUnknown=low

The call itself is very straight-forward:

  1. Serialize all operations with arguments.

  2. Make the call.

  3. Deserialize the operation result.

Example 1. Making a call
> SetProperty("ActiveSlot", "0")
> SetProperty("Data", "YSBiaXQgb2YgZGF0YQ==")
> Invoke("Digest")
> GetProperty("Data")

Serialize the information above. All values are base64-encoded and each call is separated with semicolon:

"setproperty ActiveSlot MA==;setproperty Data WVNCaWFYUWdiMllnWkdGMFlRPT0=;invoke Digest;getproperty Data"

In the result all values except invoke will be base64-encoded:

"invoke Digest 0;getproperty data RzM2UDNyNnVaQkZVdzd5bGlBb3F3TDJxQnUwPQ=="

Deserialize and invoke result will be success (=0) and result data:
G36P3r6uZBFUw7yliAoqwL2qBu0=.

JavaScript-Native-Bridge

Net iD Client includes a simple web-browser, WebApp. The WebApp is available on all platforms and have two main functionalities:

  • Use HTML/CSS/JavaScript to build a native application.

  • Include a bridge between JavaScript and the native plugin interface.

This bridge will change over time, since platform OS changes rapidly, so it will not be documented here. Instead is the source code available in the Client SDK for those interested about the implementation. All access is done using the provided JavaScript-files included in the SDK. As long as the access is made by using the provided JavaScript-files you will have a high probability to be able to handle future changes. This is because those files will be updated by us when needed, and you should be able to just replace the files with updated versions without changing your application.

SDK JavaScript-files:

  • _netid.js (old, and should be considered obsolete)

  • _netid-ng.js (new, and should be used for all new applications)

Limitations

For historical reasons there are two fundamental limitations that need to be handled. Changing the behavior will require a too big change for those currently using the interface, so instead we have decided that it need to be handled by caller.

Single-threaded

The interface will return a string, or actually a character string array pointer. This string will continue to exist until next call that requires return of a string. Caller should copy the string as soon as it is retrieved.

Single session/context

The interface is very generic and each real operation will require multiple calls But there is no session or context, so running multiple operations in the same time will probably fail since parameter names are shared between different operations.

Example 2. Pseudo-code example when digesting with any slot and signing with slot 100
 > SetProperty("ActiveSlot", "0")
 > SetProperty("Data", "YSBiaXQgb2YgZGF0YQ==")
 > Invoke("Digest")
 > GetProperty("Data")
 > SetProperty("ActiveSlot", "100")
 > SetProperty("Data", "YW5vdGhlciBiaXQgb2YgZGF0YQ==")
 > Invoke("Sign")
 > GetProperty("Signature")
 > SetProperty("ActiveSlot", "0")
 > SetProperty("Data", "YSBiaXQgb2YgZGF0YQ==")
 > SetProperty("ActiveSlot", "100")
 > SetProperty("Data", "YW5vdGhlciBiaXQgb2YgZGF0YQ==")
 > Invoke("Digest")
 > GetProperty("Data")
 > Invoke("Sign")
 > GetProperty("Signature")

Operations

The interface is generic and it will usually require several calls to make a real operation. The JavaScript-file _netid-ng.js will include a complete list of all available operations with arguments. So instead of duplicating the information in _netidx.js, and risk inconsistency, this file is used as the main source of documentation. Check the Client SDK for latest version.

Client SDK/src/javascript/_netid-ng.js

Security

The plugin interface can be called from an unsafe environment, most usually a web browser. But some, or most, operations should only be possible to execute in a safe environment. It is easy to understand that private keys are sensitive, but even certificates is considered sensitive if not used correctly. For example, an end-user can be tracked which is an integrity issue.

What is safe or unsafe depends on situation as well as OS platform. Thus, we have decided that each client package can be configured to tell when a specific action can be used, or how a specific parameter should look like. For example minimum and maximum size of a parameter value.

Value types

There are eight different value types. The names are quite self-explanatory and tell what characters are allowed.

  • ignore

  • bool

  • number

  • hex

  • base64

  • oid

  • string

  • url

Access level

For each parameter and action you can specify required access level:

always

This parameter or action is always accessible, even when Plugin is blocked. The parameter should not be sensitive at all.

full

The parameter or action is accessible when the configuration says you have full access.

use

The parameter or action is accessible when the configuration says you have use access

low

The parameter or action is accessible at the lowest possible access. Usually, the parameter is not sensitive at all.

block

The parameter or action is blocked and is therefore ignored.

The configuration sections Plugin AllowApp and Plugin AllowURL tells the access level for a specific application or a specific URL.

The configuration parameters SiteAccessUnknown and SiteAccessUntrusted in section Plugin adds more requirements for access level when running in such scenarios.

Default sizes

The configuration below uses some pre-defines sizes. Sizes are in bytes.

#define MAX_PIN_SIZE     64
#define MAX_TEXT         256
#define MAX_SIZE_DATA    64 * 1024
#define MAX_SIZE_BLOB    16 * 1024 * 1024

Default access SetProperty

Default access SetProperty
  {"ActiveSlot",          PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"ActiveToken",         PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"Algorithm",           PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, 64},
  {"AllowExternalCert",   PARAM_ACCESS_FULL, PARAM_TYPE_BOOL,        0, 0},
  {"AppendCert",          PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Authentication",      PARAM_ACCESS_USE,  PARAM_TYPE_BOOL,        0, 0},
  {"AuthorityKeyId",      PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"Base64",              PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"BrowseInfo",          PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Cache|*",             PARAM_ACCESS_FULL, PARAM_TYPE_BASE64,      0, MAX_SIZE_BLOB},
  {"Certificate",         PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"CertificateLabel",    PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, 64},
  {"CKA_*",               PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"Command",             PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Compact",             PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Config:*",            PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"ConfigLocal:Temp:*",  PARAM_ACCESS_LOW,  PARAM_TYPE_BASE64,      0, MAX_SIZE_DATA},
  {"ConfigLocal:Reset:*", PARAM_ACCESS_FULL, PARAM_TYPE_BASE64,      0, MAX_SIZE_DATA},
  {"ConfigLocal:*",       PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"ConfirmPassword",     PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_PIN_SIZE},
  {"Data",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_BLOB},
  {"DataToBeSigned",      PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_BLOB},
  {"Detached",            PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Dialog",              PARAM_ACCESS_FULL, PARAM_TYPE_BOOL,        0, 0},
  {"Digested",            PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Drive",               PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, 1},
  {"EnumLimit",           PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"ExpectedVersion",     PARAM_ACCESS_LOW,  PARAM_TYPE_OID,         0, 16},
  {"Exportable",          PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Extractable",         PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"FileName",            PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"FileType",            PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, 16},
  {"ForceExternalCert",   PARAM_ACCESS_FULL, PARAM_TYPE_BOOL,        0, 0},
  {"ImportPassword",      PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_PIN_SIZE},
  {"IncludeCaCert",       PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"IncludeHostInfo",     PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"IncludeRootCaCert",   PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Information",         PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"InvokeThread",        PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Issuers",             PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"IV",                  PARAM_ACCESS_LOW,  PARAM_TYPE_BASE64,      0, 64},
  {"Key",                 PARAM_ACCESS_LOW,  PARAM_TYPE_HEXADECIMAL, 0, MAX_SIZE_DATA},
  {"KeyCurve*",           PARAM_ACCESS_LOW,  PARAM_TYPE_OID,         0, 64},
  {"KeyId*",              PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"KeyLabel*",           PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_LABEL_SIZE},
  {"KeyReuse*",           PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"KeySize*",            PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"KeyUsage*",           PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"Label",               PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_LABEL_SIZE},
  {"License",             PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Link",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Location",            PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"MaxResponse",         PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"MIME",                PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"MoreData",            PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      1, MAX_SIZE_BLOB},
  {"MoreDataToBeSigned",  PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      1, MAX_SIZE_BLOB},
  {"Name",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_LABEL_SIZE},
  {"NewPassword",         PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_PIN_SIZE},
  {"OneTimePassword",     PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_PIN_SIZE},
  {"Other",               PARAM_ACCESS_FULL, PARAM_TYPE_BOOL,        0, 0},
  {"Password",            PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_PIN_SIZE},
  {"PasswordMaxLen",      PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"PasswordMinLen",      PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"PasswordPolicy",      PARAM_ACCESS_USE,  PARAM_TYPE_NUMBER,      0, 0},
  {"PasswordType",        PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, 8},
  {"Path",                PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"PinPad",              PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Policy",              PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"PrivateData",         PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"PrivateData|*",       PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Progress",            PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Profile",             PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"PubKey*",             PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"PublicData",          PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"PublicData|*",        PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Quick",               PARAM_ACCESS_USE,  PARAM_TYPE_BOOL,        0, 0},
  {"Raw",                 PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Remove",              PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"RenewMode",           PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, MAX_TEXT},
  {"RequestInfo*",        PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"RequestType",         PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Seed",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"Server",              PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"Signature",           PARAM_ACCESS_USE,  PARAM_TYPE_BASE64,      MAX_TEXT, MAX_SIZE_BLOB},
  {"SignReturnName",      PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, 64},
  {"Size",                PARAM_ACCESS_USE,  PARAM_TYPE_NUMBER,      0, 0},
  {"Standalone",          PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Subject",             PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"SubjectAltName",      PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Subjects",            PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Template",            PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, 64},
  {"Test",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Text",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Time",                PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"Timeout",             PARAM_ACCESS_LOW,  PARAM_TYPE_NUMBER,      0, 0},
  {"Title",               PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"TokenData",           PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"TokenLabel",          PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_LABEL_SIZE},
  {"TokenNumber",         PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, 64},
  {"TokenType",           PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, 8},
  {"TraceInfo",           PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"Type",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, 64},
  {"UnlockPassword",      PARAM_ACCESS_USE,  PARAM_TYPE_STRING,      0, MAX_PIN_SIZE},
  {"URLEncode",           PARAM_ACCESS_LOW,  PARAM_TYPE_BOOL,        0, 0},
  {"User",                PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, 64},
  {"Value",               PARAM_ACCESS_LOW,  PARAM_TYPE_STRING,      0, MAX_SIZE_DATA},
  {"Variable|*",          PARAM_ACCESS_FULL, PARAM_TYPE_STRING,      0, MAX_TEXT},
  {"Version",             PARAM_ACCESS_LOW,  PARAM_TYPE_OID,         0, 16},

Default access GetProperty

Default access GetProperty.
  {"AccessLevel",        PARAM_ACCESS_ALWAYS},
  {"ActiveSlot",         PARAM_ACCESS_USE},
  {"ActiveToken",        PARAM_ACCESS_USE},
  {"Algorithm",          PARAM_ACCESS_LOW},
  {"Allowed",            PARAM_ACCESS_FULL},
  {"Cache|*",            PARAM_ACCESS_FULL},
  {"Certificate",        PARAM_ACCESS_USE},
  {"CertificateChain",   PARAM_ACCESS_LOW},
  {"CertificateInfo",    PARAM_ACCESS_USE},
  {"CertificatePresent", PARAM_ACCESS_USE},
  {"Challenge",          PARAM_ACCESS_USE},
  {"CKA_*",              PARAM_ACCESS_USE},
  {"Config:*",           PARAM_ACCESS_FULL},
  {"ConfigFileLocal",    PARAM_ACCESS_FULL},
  {"ConfigFileGlobal",   PARAM_ACCESS_FULL},
  {"ConfigGlobal:*",     PARAM_ACCESS_FULL},
  {"ConfigLocal:*",      PARAM_ACCESS_FULL},
  {"Data",               PARAM_ACCESS_USE},
  {"Error*",             PARAM_ACCESS_LOW},
  {"EventPresent",       PARAM_ACCESS_USE},
  {"ExpandString*",      PARAM_ACCESS_USE},
  {"ExpandText|*",       PARAM_ACCESS_USE},
  {"FileName",           PARAM_ACCESS_USE},
  {"Image:*",            PARAM_ACCESS_FULL},
  {"InvokeResult",       PARAM_ACCESS_LOW},
  {"Issuer",             PARAM_ACCESS_USE},
  {"HasSlotEvent",       PARAM_ACCESS_USE},
  {"HostAddress",        PARAM_ACCESS_USE},
  {"KeyData*",           PARAM_ACCESS_FULL},
  {"KeyUsage",           PARAM_ACCESS_USE},
  {"LanguageList",       PARAM_ACCESS_LOW},
  {"LoggedIn",           PARAM_ACCESS_USE},
  {"MachineInfo",        PARAM_ACCESS_FULL},
  {"MoreResponse",       PARAM_ACCESS_USE},
  {"PasswordStatus",     PARAM_ACCESS_USE},
  {"Path",               PARAM_ACCESS_USE},
  {"PrivateData|*",      PARAM_ACCESS_USE},
  {"ProductInfo",        PARAM_ACCESS_ALWAYS},
  {"Progress",           PARAM_ACCESS_USE},
  {"Protected|*",        PARAM_ACCESS_USE},
  {"ProtectedMode",      PARAM_ACCESS_LOW},
  {"PublicData|*",       PARAM_ACCESS_USE},
  {"Random",             PARAM_ACCESS_USE},
  {"Request",            PARAM_ACCESS_USE},
  {"Response",           PARAM_ACCESS_USE},
  {"ResourceRoot",       PARAM_ACCESS_FULL},
  {"Scaling",            PARAM_ACCESS_FULL},
  {"Signature",          PARAM_ACCESS_LOW},
  {"SlotInfo",           PARAM_ACCESS_USE},
  {"Subject",            PARAM_ACCESS_USE},
  {"SupportInfo",        PARAM_ACCESS_USE},
  {"String*",            PARAM_ACCESS_USE},
  {"TokenInfo",          PARAM_ACCESS_USE},
  {"TokenPath",          PARAM_ACCESS_FULL},
  {"TokenPresent",       PARAM_ACCESS_USE},
  {"TokenTypeList",      PARAM_ACCESS_FULL},
  {"TraceEnabled",       PARAM_ACCESS_LOW},
  {"Version",            PARAM_ACCESS_ALWAYS},
  {"Web:*",              PARAM_ACCESS_FULL},

Default access EnumProperty

Default access EnumProperty.
  {"Certificate",       PARAM_ACCESS_USE},
  {"CertificateEx",     PARAM_ACCESS_USE},
  {"Component",         PARAM_ACCESS_USE},
  {"Object",            PARAM_ACCESS_USE},
  {"Key",               PARAM_ACCESS_USE},
  {"Language",          PARAM_ACCESS_USE},
  {"PrivateData",       PARAM_ACCESS_USE},
  {"ProfileInitToken",  PARAM_ACCESS_USE},
  {"ProfileResetToken", PARAM_ACCESS_USE},
  {"PublicData",        PARAM_ACCESS_USE},
  {"Slot",              PARAM_ACCESS_USE},
  {"SlotCard",          PARAM_ACCESS_USE},
  {"SlotSoft",          PARAM_ACCESS_USE},
  {"SlotVirtual",       PARAM_ACCESS_USE},
  {"Token",             PARAM_ACCESS_USE},
  {"TokenCard",         PARAM_ACCESS_USE},
  {"TokenSoft",         PARAM_ACCESS_USE},

Default access Invoke

Default access Invoke.
  {"Abort",                    PARAM_ACCESS_USE},
  {"Action",                   PARAM_ACCESS_FULL},
  {"BrowseFolder",             PARAM_ACCESS_FULL},
  {"ChangePassword",           PARAM_ACCESS_USE},
  {"Compress",                 PARAM_ACCESS_FULL},
  {"CreateObject",             PARAM_ACCESS_USE},
  {"CreateRequest",            PARAM_ACCESS_USE},
  {"CreateToken",              PARAM_ACCESS_USE},
  {"Decrypt",                  PARAM_ACCESS_USE},
  {"DeleteCertificate",        PARAM_ACCESS_USE},
  {"DeleteKey",                PARAM_ACCESS_USE},
  {"DeleteToken",              PARAM_ACCESS_USE},
  {"DeriveKey",                PARAM_ACCESS_USE},
  {"DestroyObject",            PARAM_ACCESS_USE},
  {"Digest",                   PARAM_ACCESS_USE},
  {"DisableTrace",             PARAM_ACCESS_USE},
  {"EnableTrace",              PARAM_ACCESS_USE},
  {"Encrypt",                  PARAM_ACCESS_USE},
  {"Expand",                   PARAM_ACCESS_FULL},
  {"Export",                   PARAM_ACCESS_USE},
  {"FindObject",               PARAM_ACCESS_USE},
  {"GenerateChallenge",        PARAM_ACCESS_USE},
  {"GenerateKey",              PARAM_ACCESS_USE},
  {"GetLocationData",          PARAM_ACCESS_FULL},
  {"InitToken",                PARAM_ACCESS_USE},
  {"IsRefreshing",             PARAM_ACCESS_USE},
  {"LoadContent",              PARAM_ACCESS_USE},
  {"LoadData",                 PARAM_ACCESS_FULL},
  {"Login",                    PARAM_ACCESS_USE},
  {"Logout",                   PARAM_ACCESS_USE},
  {"OpenFile",                 PARAM_ACCESS_FULL},
  {"OpenTrace",                PARAM_ACCESS_USE},
  {"Reset",                    PARAM_ACCESS_USE},
  {"Refresh",                  PARAM_ACCESS_USE},
  {"ResetToken",               PARAM_ACCESS_USE},
  {"ResetUserData",            PARAM_ACCESS_FULL},
  {"SaveFile",                 PARAM_ACCESS_FULL},
  {"SetLicense",               PARAM_ACCESS_FULL},
  {"SetLocationData",          PARAM_ACCESS_FULL},
  {"ShowMessage",              PARAM_ACCESS_USE},
  {"Sign",                     PARAM_ACCESS_LOW},
  {"UnlockPassword",           PARAM_ACCESS_USE},
  {"UpdateObject",             PARAM_ACCESS_USE},
  {"Verify",                   PARAM_ACCESS_USE},
  {"View",                     PARAM_ACCESS_FULL},
  {"ViewCertificate",          PARAM_ACCESS_USE},
  {"WriteKey",                 PARAM_ACCESS_USE},
  {"WriteCertificate",         PARAM_ACCESS_USE},