Pkcs11 Delphi DLL Reference Documentation

Pkcs11

Current Version: 10.0.0

A wrapper around the Cryptographic Token Interface (Cryptoki API) for thePKCS11 architecture of smart cards and tokens. This class provides functions for accessing, adding, deleting, and performing operations on data, certificates, and keys. It integrates with other Chilkat classes to allow for smartcards and tokens to be used in various protocols (TLS, SSH, PDF, etc.), across different operating systems and programming languages.

This class is introduced in Chilkat v9.5.0.88.

Create/Dispose

var
myObject: HCkPkcs11;

begin
myObject := CkPkcs11_Create();

// ...

CkPkcs11_Dispose(myObject);
end;
function CkPkcs11_Create: HCkPkcs11; stdcall;

Creates an instance of the HCkPkcs11 object and returns a handle (i.e. a Pointer). The handle is passed in the 1st argument for the functions listed on this page.

procedure CkPkcs11_Dispose(handle: HCkPkcs11); stdcall;

Objects created by calling CkPkcs11_Create must be freed by calling this method. A memory leak occurs if a handle is not disposed by calling this function.

Properties

DebugLogFilePath
procedure CkPkcs11_getDebugLogFilePath(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
procedure CkPkcs11_putDebugLogFilePath(objHandle: HCkPkcs11; newPropVal: PWideChar); stdcall;
function CkPkcs11__debugLogFilePath(objHandle: HCkPkcs11): PWideChar; stdcall;

If set to a file path, causes each Chilkat method or property call to automatically append it's LastErrorText to the specified log file. The information is appended such that if a hang or crash occurs, it is possible to see the context in which the problem occurred, as well as a history of all Chilkat calls up to the point of the problem. The VerboseLogging property can be set to provide more detailed information.

This property is typically used for debugging the rare cases where a Chilkat method call hangs or generates an exception that halts program execution (i.e. crashes). A hang or crash should generally never happen. The typical causes of a hang are:

  1. a timeout related property was set to 0 to explicitly indicate that an infinite timeout is desired,
  2. the hang is actually a hang within an event callback (i.e. it is a hang within the application code), or
  3. there is an internal problem (bug) in the Chilkat code that causes the hang.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
LastErrorHtml
procedure CkPkcs11_getLastErrorHtml(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
function CkPkcs11__lastErrorHtml(objHandle: HCkPkcs11): PWideChar; stdcall;

Provides information in HTML format about the last method/property called. If a method call returns a value indicating failure, or behaves unexpectedly, examine this property to get more information.

See the notes about PWideChar memory ownership and validity.

top
LastErrorText
procedure CkPkcs11_getLastErrorText(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
function CkPkcs11__lastErrorText(objHandle: HCkPkcs11): PWideChar; stdcall;

Provides information in plain-text format about the last method/property called. If a method call returns a value indicating failure, or behaves unexpectedly, examine this property to get more information.

See the notes about PWideChar memory ownership and validity.

top
LastErrorXml
procedure CkPkcs11_getLastErrorXml(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
function CkPkcs11__lastErrorXml(objHandle: HCkPkcs11): PWideChar; stdcall;

Provides information in XML format about the last method/property called. If a method call returns a value indicating failure, or behaves unexpectedly, examine this property to get more information.

See the notes about PWideChar memory ownership and validity.

top
LastMethodSuccess
function CkPkcs11_getLastMethodSuccess(objHandle: HCkPkcs11): wordbool; stdcall;
procedure CkPkcs11_putLastMethodSuccess(objHandle: HCkPkcs11; newPropVal: wordbool); stdcall;

Indicate whether the last method call succeeded or failed. A value of True indicates success, a value of False indicates failure. This property is automatically set for method calls. It is not modified by property accesses. The property is automatically set to indicate success for the following types of method calls:

  • Any method that returns a string.
  • Any method returning a Chilkat object, binary bytes, or a date/time.
  • Any method returning a standard boolean status value where success = True and failure = False.
  • Any method returning an integer where failure is defined by a return value less than zero.

Note: Methods that do not fit the above requirements will always set this property equal to True. For example, a method that returns no value (such as a "void" in C++) will technically always succeed.

top
NumCerts
function CkPkcs11_getNumCerts(objHandle: HCkPkcs11): Integer; stdcall;
Introduced in version 9.5.0.88

The number of certificates contained on the smart card or USB token. This property is set when FindAllCerts is called.

top
SharedLibPath
procedure CkPkcs11_getSharedLibPath(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
procedure CkPkcs11_putSharedLibPath(objHandle: HCkPkcs11; newPropVal: PWideChar); stdcall;
function CkPkcs11__sharedLibPath(objHandle: HCkPkcs11): PWideChar; stdcall;
Introduced in version 9.5.0.88

On Windows systems, then should be set to the name of the DLL file (if the DLL is located in C:\Windows\System32), or it can be the full path to the DLL.

On Linux, MacOSX, or other non-Windows systems, this can also be either the full path to the .so or .dylib, or just the .so or .dylib filename. On these systems, Chilkat calls the dlopen system function to load the shared library. If just the filename is passed in, the directories searched are those indicated in the dlopen function description at https://man7.org/linux/man-pages/man3/dlopen.3.html

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
SigContextPin
procedure CkPkcs11_getSigContextPin(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
procedure CkPkcs11_putSigContextPin(objHandle: HCkPkcs11; newPropVal: PWideChar); stdcall;
function CkPkcs11__sigContextPin(objHandle: HCkPkcs11): PWideChar; stdcall;
Introduced in version 9.5.0.97

If the smart card or token requires a signature context login within the signing operation, then set this property to the context-specific signature PIN. Most smart cards do not need this. Don't set this property unless you know for sure your smart card needs it.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
UncommonOptions
procedure CkPkcs11_getUncommonOptions(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
procedure CkPkcs11_putUncommonOptions(objHandle: HCkPkcs11; newPropVal: PWideChar); stdcall;
function CkPkcs11__uncommonOptions(objHandle: HCkPkcs11): PWideChar; stdcall;
Introduced in version 9.5.0.99

This is a catch-all property to be used for uncommon needs. This property defaults to the empty string. It can be set to a list of one or more of the following comma separated keywords:

  • Pkcs11DiscoverSkipTokenInfo - Introduced in v9.5.0.99. Applies to the Discover method. If this keyword is present, then Discover will only return the slot information and will not make potentially time-consuming calls to get TokenInfo or information about supported mechanisms.
  • Pkcs11DiscoverSkipMechanisms - Introduced in v9.5.0.99. Applies to the Discover method. If this keyword is present, then Discover will get slot and token info, but will not make potentially time-consuming calls to get information about supported mechanisms.

See the notes about PWideChar memory ownership and validity.

top
VerboseLogging
function CkPkcs11_getVerboseLogging(objHandle: HCkPkcs11): wordbool; stdcall;
procedure CkPkcs11_putVerboseLogging(objHandle: HCkPkcs11; newPropVal: wordbool); stdcall;

If set to True, then the contents of LastErrorText (or LastErrorXml, or LastErrorHtml) may contain more verbose information. The default value is False. Verbose logging should only be used for debugging. The potentially large quantity of logged information may adversely affect peformance.

top
Version
procedure CkPkcs11_getVersion(objHandle: HCkPkcs11; outPropVal: HCkString); stdcall;
function CkPkcs11__version(objHandle: HCkPkcs11): PWideChar; stdcall;

Version of the component/library, such as "9.5.0.94"

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top

Methods

CloseSession
function CkPkcs11_CloseSession(objHandle: HCkPkcs11): wordbool; stdcall;
Introduced in version 9.5.0.88

Closes the session on the token (i.e. smart card).

Note: Memory leaks can occur if the session is not properly closed.

Returns True for success, False for failure.

More Information and Examples
top
CreatePkcs11Object
function CkPkcs11_CreatePkcs11Object(objHandle: HCkPkcs11;
    attrs: HCkJsonObject): LongWord; stdcall;
Introduced in version 9.5.0.96

Creates an object and returns the handle. The attrs specifies the attributes that define the object to be created. See the linked examples below for more information.

top
DestroyObject
function CkPkcs11_DestroyObject(objHandle: HCkPkcs11;
    hObject: LongWord): wordbool; stdcall;
Introduced in version 9.5.0.96

Destroys an object (deletes it from the HSM). hObject is the object's handle.

Returns True for success, False for failure.

top
Discover
function CkPkcs11_Discover(objHandle: HCkPkcs11;
    onlyTokensPresent: wordbool;
    json: HCkJsonObject): wordbool; stdcall;
Introduced in version 9.5.0.88

Discovers the readers, smart cards, and USB tokens accessible via PKCS11 on the computer (using the DLL/shared lib specified by SharedLibPath). The onlyTokensPresent specifies if only slots (readers) with tokens (smart cards) present should be returned. The information is written to the json. (For details, see the example below.)

Returns True for success, False for failure.

top
ExportPublicKey
function CkPkcs11_ExportPublicKey(objHandle: HCkPkcs11;
    keyHandle: LongWord;
    pubKey: HCkPublicKey): wordbool; stdcall;
Introduced in version 9.5.0.96

Export a public key given a public or private key handle. The pubKey is loaded with the exported public key.

See the example linked below for more details.

Returns True for success, False for failure.

More Information and Examples
top
FindAllCerts
function CkPkcs11_FindAllCerts(objHandle: HCkPkcs11): wordbool; stdcall;
Introduced in version 9.5.0.88

Finds all certificates contained on the smart card (or USB token). This sets the NumCerts property. Each certificate can be obtained by calling GetCert(index) where the 1st cert is at index 0.

Important: Private keys will not be seen unless the PKCS11 session is authenticated. To authenticate, your application must call Login after calling OpenSession.

Returns True for success, False for failure.

top
FindAllKeys
function CkPkcs11_FindAllKeys(objHandle: HCkPkcs11;
    keyClass: PWideChar;
    json: HCkJsonObject): wordbool; stdcall;
Introduced in version 9.5.0.96

Finds all keys contained on the smart card (or USB token). The keyClass indicates the kind of keys to return, and can be one of the following:

  • public
  • private
  • secret
  • otp

Information about the keys is returned in json.

Important: Private keys will not be seen unless the PKCS11 session is authenticated. To authenticate, your application must call Login after calling OpenSession.

Returns True for success, False for failure.

top
FindCert
function CkPkcs11_FindCert(objHandle: HCkPkcs11;
    certPart: PWideChar;
    partValue: PWideChar;
    cert: HCkCert): wordbool; stdcall;
Introduced in version 9.5.0.88

Finds the certificate where the given certPart equals the partValue. Possible values for certPart are: "privateKey", "subjectDN", "subjectDN_withTags", "subjectCN", "serial", or "serial:issuerCN". If certPart equals "privateKey", then pass an empty string in partValue. Specifying "privateKey" means to return the first certificate having a private key.

The cert is loaded with the certificate if successful.

Important: Private keys will not be seen unless the PKCS11 session is authenticated. To authenticate, your application must call Login after calling OpenSession.

Note: If successful, the cert will be linked internally with this PKCS11 session such that certificate can be used for signing on the smart card when used in other Chilkat classes such as XmlDSigGen, Pdf, Crypt2, Mime, MailMan, etc.

Returns True for success, False for failure.

top
FindObject
function CkPkcs11_FindObject(objHandle: HCkPkcs11;
    jsonTemplate: HCkJsonObject): LongWord; stdcall;
Introduced in version 9.5.0.96

General function for finding an object such as a private key. Returns the handle of the first matching object, or 0 if not found.

More Information and Examples
top
GenEcKey
function CkPkcs11_GenEcKey(objHandle: HCkPkcs11;
    publicAttrs: HCkJsonObject;
    privateAttrs: HCkJsonObject;
    jsonOut: HCkJsonObject;
    pubKey: HCkPublicKey): wordbool; stdcall;
Introduced in version 9.5.0.96

Generate an EC key pair suitable for signing data and verifying signatures. The private key is created on the HSM (smart card or token), and the public key is returned in pubKey. The publicAttrs and privateAttrs contain attributes for the public and private keys respectively. The PKCS11 public and private key handles are returned in jsonOut. Handles are used to reference a PKCS11 object, such as a public or private key, and are valid during the PKCS11 session. To use the key in future PKCS11 sessions, your application would need to find the object to get a new handle.

See the example linked below for more details.

Returns True for success, False for failure.

top
GenRsaKey
function CkPkcs11_GenRsaKey(objHandle: HCkPkcs11;
    publicAttrs: HCkJsonObject;
    privateAttrs: HCkJsonObject;
    jsonOut: HCkJsonObject;
    pubKey: HCkPublicKey): wordbool; stdcall;
Introduced in version 9.5.0.96

Generate an RSA key pair suitable for signing data and verifying signatures. The private key is created on the HSM (smart card or token), and the public key is returned in pubKey. The publicAttrs and privateAttrs contain attributes for the public and private keys respectively. The PKCS11 public and private key handles are returned in jsonOut. Handles are used to reference a PKCS11 object, such as a public or private key, and are valid during the PKCS11 session. To use the key in future PKCS11 sessions, your application would need to find the object to get a new handle.

See the example linked below for more details.

Returns True for success, False for failure.

top
GenSecretKey
function CkPkcs11_GenSecretKey(objHandle: HCkPkcs11;
    keyType: PWideChar;
    jsonTemplate: HCkJsonObject): LongWord; stdcall;
Introduced in version 9.5.0.96

Generates a symmetric encryption key. The keyType is the key type, which can be one of the following values:

  • AES
  • AES XTS
  • Blowfish
  • Twofish
  • ChaCha20

The jsonTemplate is a template that specifies attributes about the key to be generated. See the example at the link below.

The handle to the generated key is returned. A value of 0 is returned on failure.

More Information and Examples
top
GetCert
function CkPkcs11_GetCert(objHandle: HCkPkcs11;
    index: Integer;
    cert: HCkCert): wordbool; stdcall;
Introduced in version 9.5.0.88

Loads cert with the Nth certificate indicated by index. The 1st certificate is at index 0. The FindAllCerts method must be called beforehand to load the certs from the smart card into this object. After calling FindAllCerts, the NumCerts property is set and each certificate can be retrieved by calling GetCert.

Returns True for success, False for failure.

top
ImportPrivateKey
function CkPkcs11_ImportPrivateKey(objHandle: HCkPkcs11;
    privKey: HCkPrivateKey;
    jsonTemplate: HCkJsonObject): LongWord; stdcall;
Introduced in version 9.5.0.96

Imports a private key onto the HSM. Returns the handle of the unwrapped key, or 0 if failed. See the linked example below for more details.

More Information and Examples
top
ImportSshKey
function CkPkcs11_ImportSshKey(objHandle: HCkPkcs11;
    sshKey: HCkSshKey;
    jsonTemplate: HCkJsonObject): LongWord; stdcall;
Introduced in version 9.5.0.96

Imports an SSH private key onto the HSM. Returns the handle of the unwrapped key, or 0 if failed.

More Information and Examples
top
Initialize
function CkPkcs11_Initialize(objHandle: HCkPkcs11): wordbool; stdcall;
Introduced in version 9.5.0.88

Initializes the PKCS#11 library. Should be called after specifying the SharedLibPath. The DLL (or .so/.dylib) is dynamically loaded and the PKCS#11 lib is initialized.

Returns True for success, False for failure.

More Information and Examples
top
InitPin
function CkPkcs11_InitPin(objHandle: HCkPkcs11;
    pin: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.89

Initializes the normal user's PIN. This must be called from the security officer's (SO) logged-in session.

Note: To unblock a smart card, login to the SO (Security Officer) session using the PUK, and then call this with the new user PIN.

Returns True for success, False for failure.

More Information and Examples
top
InitToken
function CkPkcs11_InitToken(objHandle: HCkPkcs11;
    slotId: Integer;
    pin: PWideChar;
    tokenLabel: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.89

Initializes a token. slotId is the slot ID of the token's slot.

If the token has not been initialized (i.e. new from the factory), then the pPin parameter becomes the initial value of the SO (Security Officer) PIN. If the token is being reinitialized, the pin parameter is checked against the existing SO PIN to authorize the initialization operation.

When a token is initialized, all objects that can be destroyed are destroyed (i.e., all except for “indestructible” objects such as keys built into the token). Also, access by the normal user is disabled until the SO sets the normal user’s PIN. Depending on the token, some “default” objects may be created, and attributes of some objects may be set to default values.

Returns True for success, False for failure.

top
Login
function CkPkcs11_Login(objHandle: HCkPkcs11;
    userType: Integer;
    pin: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.88

Authenticates a session with a PIN. The userType can be one of the following integer values:

  1. Security Officer (0)
  2. Normal User (1)
  3. Context Specific (2)

Except for special circumstances, you'll always login as the Normal User.

Returns True for success, False for failure.

More Information and Examples
top
Logout
function CkPkcs11_Logout(objHandle: HCkPkcs11): wordbool; stdcall;
Introduced in version 9.5.0.88

Logs out from a token (smart card).

Returns True for success, False for failure.

More Information and Examples
top
OpenSession
function CkPkcs11_OpenSession(objHandle: HCkPkcs11;
    slotId: Integer;
    readWrite: wordbool): wordbool; stdcall;
Introduced in version 9.5.0.88

Opens a session on the token (i.e. smart card). The slotId is the ID of the slot (not the index). Set slotId equal to -1 to choose the first available non-empty slot. The readWrite indicates whether the session should be read-only or read-write.

The PKCS11 terminology is confusing:

  • A "slot" corresponds to a connected smart card reader or USB hardware token, such as a Feitian ePass3003Auto token.
  • A "token" corresponds to the smart card inserted into the reader. If we have a USB hardware token, such as the epass3003Auto (or many others), then technically there is always a "smart card" inserted, because the USB hardware token is effectively both the reader and smart card wrapped in one inseparable device.
  • The PKCS11 DLL (or .so shared lib, or .dylib) is the vendor supplied PKCS11 implementation (driver) that provides the low-level "C" PKCS11 functions (called by Chilkat internally).
  • Generally, the number of slots will equal the number of connected smart cards or tokens belonging to the vendor of the DLL, or compatible with the DLL. In most cases you'll have your single reader with a single smart card inserted, and therefore only one slot exists.
  • Some PKCS11 DLLs are provided by a 3rd party and support many smart cards. For example, A.E.T. Europe B.V.'s "SafeSign Identity Client Standard Version 3.5" DLL is "aetpkss1.dll". It supports the following tokens:
    • Defensiepas
    • Defensiepas 2
    • G&D Convego Join 4.01 40k/80k
    • G&D SkySIM Hercules
    • G&D SkySIM Scorpius
    • G&D Sm@rtCafé Expert 3.2
    • G&D Sm@rtCafé Expert 4.0
    • G&D Sm@rtCafé Expert 5.0
    • G&D Sm@rtCafé Expert 6.0
    • G&D Sm@rtCafé Expert 7.0
    • G&D Sm@rtCafé Expert 64
    • Gemalto Desineo ICP D72 FXR1 Java
    • Gemalto IDCore 30
    • Gemalto MultiApp ID v2.1
    • Gemalto Optelio D72 FR1
    • Gemalto TOP DL v2
    • Infineon Oracle JCOS Ed.1
    • JCOP21 v2.3
    • Morpho IDealCitiz v2.1
    • Morpho JMV ProCL V3.0
    • NXP J2A080 / J2A081 (JCOP 2.4.1 R3)
    • NXP JD081 (JCOP 2.4.1 R3)
    • NXP J3A080 (JCOP 2.4.1 R3)
    • NXP JCOP 2.4.2 R3
    • NXP JCOP 3 SecID P60
    • Oberthur IDOne Cosmo v7.0
    • RDW ABR kaart
    • Rijkspas
    • Rijkspas 2
    • Sagem YpsID s2
    • Sagem YpsID s3
    • StarSign Crypto USB Token S
    • Swissbit PS-100u SE
    • UZI-pas
    • UZI-pas 2

Returns True for success, False for failure.

More Information and Examples
top
QuickSession
function CkPkcs11_QuickSession(objHandle: HCkPkcs11;
    userType: Integer;
    pin: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.96

Quickly establishes a session on the 1st unempty slot, with or without login. If the pin is the empty string, then no login will take place. The userType can be one of the following integer values:

  1. Security Officer (0)
  2. Normal User (1)
  3. Context Specific (2)

Except for special circumstances, you should always select Normal User. If pin is the empty string, then no login takes place and userType is ignored.

Calling this method takes the place of making separate calls to Initialize, OpenSession, and Login.

Returns True for success, False for failure.

top
SetPin
function CkPkcs11_SetPin(objHandle: HCkPkcs11;
    oldPin: PWideChar;
    newPin: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.89

Modifies the PIN of the user that is currently logged in, or the Normal User PIN if the session is not logged in.

Returns True for success, False for failure.

top