Using Cryptographic Hardware
142 RSA BSAFE Crypto-C Developers Guide
This code looks just like regular code. Whether you are signing with software or hardware, it looks the same. See the sample files in the sample\pkcs11 directory.
We are using the hardware chooser we created. To perform RSA signatures (with MD5) we need to include AM_MD5 in our chooser. Our original chooser contained AM_MD5 and AM_PKCS11_RSA_PRIVATE_SIGN. The new hardware chooser contains all the AMs from the original chooser, plus, because of the PKCS 11 AM and HI (arguments to the call B_CreateHardwareChooser), it can perform the signing using hardware.
Remember, there is the original chooser, containing all the AMs you will need plus an
inactive hardware AM. There is the software replacement chooser, containing only
those AMs that can be used as substitutes for hardware. And finally, there is the
hardware chooser Crypto-C created. It contains everything the original chooser did,
plus it will have a new AM (created "on-the-fly") that looks a lot like the inactive AM,
except it is connected to the hardware. We do not make the "inactive" AM active,
because a regular chooser is static: it is created when you link the application. You do
not link in the token at link time. You connect to the hardware token at run time, so
that is the only time possible to create an AM.
You must destroy what you create. Remember, we created two choosers; we recommend that you destroy them in the reverse order that they were created.

    B_DestroyHardwareChooser (&hwChooserSign);
    B_DestroyHardwareChooser (&hwChooserGen);
    B_DestroyAlgorithmObject (&rsaGen);
    B_DestroyAlgorithmObject (&signer);
    B_DestroyKeyObject (&pubKey);
    B_DestroyKeyObject (&priKey);

When Crypto-C destroys hwChooserSign, it will not close the session or log off of the token. Remember, when we created that hardware chooser, we had a session already established. Crypto-C will not close a session or log off unless it opened the session or logged on. When Crypto-C destroys hwChooserGen, it will close the session and log off.
Incidentally, the following is code similar to how Crypto-C initializes, creates a session, and logs in to a Cryptoki device in a Windows environment. (It is not the actual code, but you can get a sense of how it works.)
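
To illustrate the destroy rule above (Crypto-C closes a session or logs off only if it opened the session or logged on), here is an added example in C; it is not Crypto-C source and not the Cryptoki listing the guide refers to. MockSession, MockHwChooser and every function name are hypothetical, and the model assumes hwChooserSign reused the session established when hwChooserGen was created.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed stand-in for a token session; not a Cryptoki or Crypto-C type. */
typedef struct { bool open, logged_in; } MockSession;
/* Hypothetical chooser model: records what it set up itself. */
typedef struct { MockSession *session; bool opened_session, did_login; } MockHwChooser;

/* Create: open and log on only if that has not already been done. */
void chooser_create(MockHwChooser *c, MockSession *s) {
    c->session = s;
    c->opened_session = !s->open;
    c->did_login = !s->logged_in;
    s->open = s->logged_in = true;
}

/* Destroy: undo only what this chooser did itself. */
void chooser_destroy(MockHwChooser *c) {
    if (c->did_login) c->session->logged_in = false;
    if (c->opened_session) c->session->open = false;
    c->session = NULL;
}

/* True if the first destroy leaves a live chooser holding a closed session. */
bool teardown_leaves_stale_chooser(bool reverse_order) {
    MockSession tok = { false, false };
    MockHwChooser gen, sign;
    chooser_create(&gen, &tok);   /* opens the session and logs on */
    chooser_create(&sign, &tok);  /* reuses the established session */
    MockHwChooser *left = reverse_order ? &gen : &sign;
    chooser_destroy(reverse_order ? &sign : &gen);
    bool stale = !left->session->open;
    chooser_destroy(left);
    return stale;
}

/* True if a session the application opened is still logged on after destroy. */
bool app_session_survives_destroy(void) {
    MockSession tok = { true, true };  /* application opened it and logged on */
    MockHwChooser sign;
    chooser_create(&sign, &tok);
    chooser_destroy(&sign);
    return tok.open && tok.logged_in;
}

int main(void) {
    printf("reverse=%d creation=%d app_session=%d\n", teardown_leaves_stale_chooser(true),
           teardown_leaves_stale_chooser(false), app_session_survives_destroy());
    return 0;
}
```

In the last case the token is still authenticated after the chooser is gone, so the application that opened the session has to log off and close it itself (C_Logout and C_CloseSession in Cryptoki).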