Using Cryptographic Hardware

This code looks just like regular code. Whether you are signing with software or hardware, it looks the same. See the sample files in the sample\pkcs11 directory.

We are using the hardware chooser we created. To perform RSA signatures (with MD5) we need to include AM_MD5 in our chooser. Our original chooser contained AM_MD5 and AM_PKCS11_RSA_PRIVATE_SIGN. The new hardware chooser contains all the AMs from the original chooser, plus, because of the PKCS 11 AM and HI (arguments to the call to B_CreateHardwareChooser), it can perform the signing using hardware.

Remember, there is the original chooser, containing all the AMs you will need plus an inactive hardware AM. There is the software replacement chooser, containing only those AMs that can be used as substitutes for hardware. And finally, there is the hardware chooser Crypto-C created. It contains everything the original chooser did, plus it will have a new AM (created "on-the-fly") that looks a lot like the inactive AM, except it is connected to the hardware. We do not make the "inactive" AM active, because a regular chooser is static: it is created when you link the application. You do not link in the token at link time. You connect to the hardware token at run time, so that is the only time possible to create an AM.

You must destroy what you create. Remember that we created two choosers; we recommend that you destroy them in the reverse order in which they were created.

   B_DestroyHardwareChooser (&hwChooserSign);   /* created last, so destroyed first */
   B_DestroyHardwareChooser (&hwChooserGen);    /* created first, so destroyed last */
   B_DestroyAlgorithmObject (&rsaGen);
   B_DestroyAlgorithmObject (&signer);
   B_DestroyKeyObject (&pubKey);
   B_DestroyKeyObject (&priKey);

When Crypto-C destroys hwChooserSign, it will not close the session or log off of the token. Remember, when we created that hardware chooser, we had a session already established. Crypto-C will not close a session or log off unless it opened the session or logged on. When Crypto-C destroys hwChooserGen, it will close the session and log off.
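The ownership rule just described (a chooser closes the session or logs off only if it opened the session or logged on itself) is easy to get wrong when two choosers share one token. The following is an added illustration in C, not Crypto-C code and not a real Cryptoki client: SimToken, HwChooser, create_hw_chooser and destroy_hw_chooser are hypothetical stand-ins that model the bookkeeping, and run_scenario replays the hwChooserGen / hwChooserSign sequence from the text, while session_alive_after_wrong_order shows what destroying in creation order would do to the still-live signing chooser.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical simulated token: one session slot and one login flag.
 * This is an illustration, not a Crypto-C or PKCS #11 type. */
typedef struct {
    bool session_open;
    bool logged_in;
} SimToken;

/* Hypothetical hardware chooser that remembers what it created itself. */
typedef struct {
    SimToken *token;
    bool opened_session;   /* true only if this chooser opened the session */
    bool logged_on;        /* true only if this chooser performed the login */
} HwChooser;

/* Create a chooser on the token. If no session exists, open one and log on
 * and record that we own them; otherwise reuse what the caller set up. */
void create_hw_chooser(HwChooser *c, SimToken *t)
{
    c->token = t;
    c->opened_session = false;
    c->logged_on = false;
    if (!t->session_open) {
        t->session_open = true;
        c->opened_session = true;
    }
    if (!t->logged_in) {
        t->logged_in = true;
        c->logged_on = true;
    }
}

/* Destroy a chooser: release only the resources this chooser created. */
void destroy_hw_chooser(HwChooser *c)
{
    if (c->logged_on) {
        c->token->logged_in = false;
    }
    if (c->opened_session) {
        c->token->session_open = false;
    }
    c->token = NULL;
    c->opened_session = false;
    c->logged_on = false;
}

/* Replay the two-chooser sequence from the text. Returns the token state
 * after destroying hwChooserSign as bit 0 (session open) | bit 1 (logged in),
 * and the state after destroying hwChooserGen in the same form shifted by 4. */
int run_scenario(void)
{
    SimToken token = { false, false };
    HwChooser hwChooserGen, hwChooserSign;
    int result = 0;

    create_hw_chooser(&hwChooserGen, &token);   /* opens session, logs on */
    create_hw_chooser(&hwChooserSign, &token);  /* reuses existing session */

    destroy_hw_chooser(&hwChooserSign);         /* reverse order: sign first */
    result |= (token.session_open ? 1 : 0) | (token.logged_in ? 2 : 0);

    destroy_hw_chooser(&hwChooserGen);          /* owner closes and logs off */
    result |= ((token.session_open ? 1 : 0) | (token.logged_in ? 2 : 0)) << 4;
    return result;   /* 3: still open and logged in after sign; 0 after gen */
}

/* Destroying in creation order instead: hwChooserGen goes first and closes
 * the session while hwChooserSign still refers to it. Returns 1 if the
 * session the sign chooser depends on is still open, 0 if it was pulled away. */
int session_alive_after_wrong_order(void)
{
    SimToken token = { false, false };
    HwChooser hwChooserGen, hwChooserSign;

    create_hw_chooser(&hwChooserGen, &token);
    create_hw_chooser(&hwChooserSign, &token);
    destroy_hw_chooser(&hwChooserGen);          /* wrong order */
    return hwChooserSign.token->session_open ? 1 : 0;   /* 0 */
}

int main(void)
{
    int r = run_scenario();
    printf("after destroying hwChooserSign: session=%d login=%d\n",
           r & 1, (r >> 1) & 1);
    printf("after destroying hwChooserGen:  session=%d login=%d\n",
           (r >> 4) & 1, (r >> 5) & 1);
    printf("session alive for sign chooser after wrong order: %d\n",
           session_alive_after_wrong_order());
    return 0;
}
```

The point of the simulation is the two flags in HwChooser: a destroy routine that keys off "is a session open" instead of "did I open it" would log off and close the session under the other chooser, which is exactly the failure the reverse-order rule avoids.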

Incidentally, the following is code similar to how Crypto-C initializes, creates a session, and logs in to a Cryptoki device in a Windows environment. (It is not the actual code, but you can get a sense of how it works.)

142    RSA BSAFE Crypto-C Developer's Guide (RSA Security, version 5.2.2)