Smart cards come in many shapes and forms, and a number of different interfaces are used to communicate with them. In this guide we will deal primarily with smart cards that expose a common interface called PKCS#11.

Depending on its capabilities, a smart card can hold different kinds of data; the most common are private keys, public keys and certificates. Exactly what can be stored on a card varies between brands and models.

The low-level interface for communicating with a smart card uses APDU commands. These commands have a standard structure, but the meaning of a particular command can and will vary between manufacturers; only a small set of them is standardised (selecting an applet on the card, for example). Because this low-level interface is usually proprietary, a number of higher-level APIs have been developed over the years. One of these is PKCS#11.
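The standardised part of that structure, as an added example that is not from the book: a small Python encoder and decoder for short-form APDUs, showing the SELECT-by-AID command and the status words ISO 7816-4 fixes. The AID and response bytes used with it are constructed, not captured from any real card.

```python
"""Encode ISO 7816-4 command APDUs and decode responses without a reader.
Added example, not from the book: all bytes are constructed locally."""
from dataclasses import dataclass
from typing import Optional

# Status words whose meaning ISO 7816-4 fixes; anything else is card specific
# and must be looked up in the vendor documentation.
STATUS_WORDS = {
    0x9000: "success",
    0x6982: "security status not satisfied (PIN not verified)",
    0x6A82: "file or application not found",
    0x6D00: "instruction not supported",
}

def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Short-form APDU: CLA INS P1 P2 [Lc DATA] [Le]."""
    if len(data) > 255:
        raise ValueError("short-form APDU carries at most 255 data bytes")
    if le is not None and not 0 <= le <= 256:
        raise ValueError("Le must be in 0..256")
    apdu = bytes([cla, ins, p1, p2])
    if data:                    # Lc is omitted when there is no data field
        apdu += bytes([len(data)]) + data
    if le is not None:          # Le = 256 is encoded as 0x00
        apdu += bytes([le & 0xFF])
    return apdu

def select_by_aid(aid: bytes) -> bytes:
    """SELECT by DF name (INS A4, P1 04): one of the few standardised commands."""
    return build_apdu(0x00, 0xA4, 0x04, 0x00, aid, le=0)

@dataclass
class Response:
    data: bytes
    sw: int                     # SW1 SW2 as one 16-bit value

    def describe(self) -> str:
        if (self.sw & 0xFFF0) == 0x63C0:  # 63Cx: PIN wrong, x attempts remain
            return f"PIN verification failed, {self.sw & 0x0F} tries left"
        return STATUS_WORDS.get(
            self.sw, f"status {self.sw:04X} (not in table; check the card's documentation)")

def parse_response(raw: bytes) -> Response:
    """Split a response into its data field and the trailing SW1 SW2."""
    if len(raw) < 2:
        raise ValueError("response must end with SW1 SW2")
    return Response(raw[:-2], (raw[-2] << 8) | raw[-1])
```

Everything past the framing (which applet names exist, which PIN reference P2 carries, what the returned data means) is where the vendor documentation takes over.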

The PKCS#11 API is commonly implemented by the card manufacturers themselves, so for each card you obtain you will usually also need to obtain the library that implements this API for it. The good news is that if the library is properly implemented and the software you use supports PKCS#11, integrating your operations with the card is straightforward.

Cards also differ in which parts of the PKCS#11 functionality they support. Some support a separate PIN for a security officer, some support multiple PINs each protecting a different private key, and some support only a single PIN. The supported private key sizes are another major difference; most cards won't exceed 2048 bits.

This part of the book deals with some of the tools and procedures for working with smart cards, concentrating primarily on the PKCS#11 implementation from the OpenSC project. The following cards will be covered:

  • Aventra MyEID
  • Feitian PKI
  • Feitian ePass2003