Is Smartcard Vendor’s low-level lib (dll or so) Required?

Question:  My question is regarding the SharedLib when initializing pkcs11 module. Is the smartcard vendor’s low-level lib (dll or so) required to be able to communicate with a smartcard or do you have some kind of generic lib or driver to achieve this?

Answer:  This is a good question.  On a non-Windows system, Chilkat would need to communicate with the smartcard (or USB token) via PKCS11.

Note: You don’t need to explicitly use the Chilkat PKCS11 class to communicate with the smartcard.  If, for example, you simply call Chilkat.Cert.LoadFromSmartcard on a non-Windows system, then internally Chilkat is using PKCS11.

For many smartcards, the OpenSC PKCS11 driver will work.  (See https://github.com/OpenSC/libp11)  This can be installed in the typical way.  For example:  sudo apt-get install -y opensc-pkcs11

Chilkat will discover what kind of smart card it is talking to by getting the ATR (via the PC/SC API, which is a standard for communicating with smartcard readers.  Chilkat contains an internal “database” of ATR’s and other intelligence to map to the appropriate PKCS11 lib for the given smart card.  This database is updated with each new version of Chilkat as customers encounter new cards that don’t “just work”.

The best way to begin is to simply call Chilkat.Cert.LoadFromSmartcard(“”), passing in an empty string, and let Chilkat scan for readers and smartcards to see if it automatically knows what to do.  (Be sure to set the Cert.SmartCardPin beforehand.)  If LoadFromSmarcard succeeded, examine the Cert properties, such as Cert.SubjectDN, to see if it loaded the cert you anticipated. If not, then you can specify more precisely which cert is wanted in the argument to LoadFromSmartcard.

If Cert.LoadFromSmartcard succeeded, then proceed with using the cert to create signatures (such as with CAdES, PAdES, or XAdES — i.e. CMS, PDF, XML DSig), and if all works, then everything is good.

If there are problems, then you can send Chilkat the verbose Cert.LastErrorText for the call to Cert.LoadFromSmartcard, and we can investigate, learn about your smartcard, the ATR, and the vendor driver files.  We’d update our internal database with the information discovered and provide a new build so that Chilkat automatically knows what to do for cards matching your given ATR going forward.  (It’s also possible for the application to explicitly specify the PCKS11 driver files, which might be needed if they are located in a non-standard directory.)

On a Windows system there are more options.  A smartcard (or USB token) can be accessed in three different ways:

  1. Microsoft CNG/CAPI  (See https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal )
  2. ScMinidriver
  3. PKCS11

The situation is similar for CNG and ScMinidriver.  For CNG there is the standard CSP (Cryptographic Service Provider) provided by Microsoft and vendors can also provide their own CSPs.   Some cards work with Microsoft’s standard CSP, whereas other cards require the specific vendor.

The ScMinidriver is the same:  Microsoft has a default minidriver DLL, but vendors provide their own.

For PKCS11, there is the default OpenSC DLL (just like for Linux/MacOS), and also some vendors provide their own.

Smartcard vendors will support various combinations.  For example, one might support CNG (i.e. CryptoAPI) + ScMinidriver.  Sometimes DLLs contain multiple interfaces, such as both ScMinidriver and CNG.

The smartcard industry has made a giant mess of it all.  But Chilkat aims to make it “just work”.   The intelligence is built in to Chilkat — so when your application calls Cert.LoadFromSmartcard(“”) on a Microsoft Windows system, Chilkat scans to see what is available.  It will find the readers and the installed smartcards on the readers, and will know what options are available — CNG, ScMinidriver, or PKCS11 and will use what works for the given smartcard (known by the ATR).

The same methods apply on Windows — if you encounter a smartcard that does not “just work” with Chilkat, then begin by sending the contents of the Cert.LastErrorText for the call to Cert.LoadFromSmartcard(“”) to Chilkat and we can work to add the intelligence to Chilkat to work out-of-the-box for that particular smartcard.   Over time, Chilkat just works for a greater and greater percentage of smart cards, but there will always be a new case where something needs to get added.