...

As we have seen, objects stored on the token are accessible in different ways depending on the session state, whereas session objects can always be created / destroyed; creating private session objects, however, is still limited to user mode!


A session object lives as long as the session that created it stays open, and it is accessible from all other sessions the same application has open on that slot, i.e. it is application-specific. Other applications may have their own session objects but have no access to session objects created by a foreign application. Note that any other session of the same application on that slot is also allowed to destroy a session object, even though it did not create it!


During a public session only public session objects can be created / destroyed.

During a user session public and private session objects can be created / destroyed.

  • Private session objects are never visible to public sessions: only user sessions can create private session objects, and whenever a user logs in, all of the application's open sessions on that token are converted to user sessions, so none of them is public any more.

Token Object

...

So far we have learned some PKCS#11 basics and are ready to exercise some workflows. As we already know, we need a user read / write session in order to write private objects and at least a public read / write session to write public objects to the token. This small example shows how to initialize the library and create a user read / write session. More information, e.g. about how to generate or import a key pair, can be found in 3 and 5.


Before we can initialize the library we have to obtain the addresses of the PKCS#11 functions. This is done by calling C_GetFunctionList, passing the address of a CK_FUNCTION_LIST_PTR (i.e. a CK_FUNCTION_LIST_PTR_PTR). C_GetFunctionList is the only function that has to be resolved by name from the module's shared library (typically via dlsym or GetProcAddress); after it returns successfully, the filled-in CK_FUNCTION_LIST_PTR is used for calling all other PKCS#11 functions.


First we initialize the library by calling C_Initialize through the CK_FUNCTION_LIST_PTR. For this call we pass NULL_PTR as the parameter, which tells the library that no locking is needed; this is only correct for single-threaded applications, a multi-threaded application passes a CK_C_INITIALIZE_ARGS structure instead. The library then starts to communicate with the PC/SC interface (e.g. pcsc-lite on Linux) and retrieves the available smartcard reader information from the OS.


Now we call C_GetSlotList in order to get the available smartcard readers (slots) and their IDs. Passing CK_TRUE as the first parameter returns only slots that currently have a token inserted. Like most PKCS#11 list functions it is called twice: first with a NULL_PTR buffer to learn the number of slots, then with a buffer of that size to receive the IDs.


After receiving a valid slot with a token / smartcard inserted we use its ID to create a session. For this we call C_OpenSession, passing one of the previously received slot IDs and the flags CKF_SERIAL_SESSION | CKF_RW_SESSION as two of its five parameters; the remaining three are the application pointer and the notification callback (both NULL_PTR here) and the output pointer that receives the session handle.



For our implementation, as for every PKCS#11 v2.x module, it is mandatory to call C_OpenSession with CKF_SERIAL_SESSION set: parallel sessions are not supported, and a call without this flag fails with CKR_SESSION_PARALLEL_NOT_SUPPORTED.


Now we are ready to change the session state from public read / write to user read / write by calling C_Login with CKU_USER and the user PIN. Afterwards we can create / destroy private token objects and use the smartcard's crypto functionality. Operations that only need public objects, such as encrypting or verifying with a public key, do not require a login and can already be performed in a public session; operations that use a private key marked CKA_PRIVATE need the user session.


We can revert all these steps by calling the following functions in the specified order:

...