Cryptographic Provider
The Cryptographic Provider provides fundamental cryptographic services such as random number generation, authentication, and digital signature generation.
Access Control Rules
Before it calls any Cryptographic Provider function, the client application must first establish a security context with the Cryptographic Provider Provider Module by:
-
Calling the discovery function, gscBsiGetCryptoProperties(), to return a CRYPTOAcr structure defining the access control rules for a CP service.
-
Establishing the security context according to the retrieved ACR using the gscBsiUtilAcquireContext() function.
Function Summary
Access Control
| Method | Description |
|---|---|
| gscBsiGetCryptoProperties() | Retrieves the access control rules and private cryptographic key length managed by the Cryptographic Provider Module. |
Challenge
| Method | Description |
|---|---|
| gscBsiGetChallenge() | Retrieves a randomly generated challenge from the card. |
SKI
| Method | Description |
|---|---|
| gscBsiSkiInternalAuthenticate() | Computes the symmetric key cryptography crypto- gram in response to a challenge generated by the client application. |
PKI
| Method | Description |
|---|---|
| gscBsiPkiCompute() | Performs a private key computation on a message digest using the private key associated with the specified PKI applet. |
| gscBsiPkiGetCertificate() | Reads the certificate. |
Function Details
gscBsiGetChallenge()
Retrieves a randomly generated challenge from the specified applet. Use this function only for strong key management requirements when you do not want the External Authentication key exposed in clear text. It is the first step for a strong authentication of the application to the card. The client application should then return the encrypted challenge to the card through a call to the gscBsiUtilAcquireContext() function. For further information about strong authentication, see Access Control Rules.
Syntax:
BSI_RETURN gscBsiGetChallenge(
IN BSI_CARD_HANDLE hCard,
IN BSI_BYTE_PTR uszAID,
IN BSI_ULONG unAIDLen,
INOUT BSI_BYTE_PTR uszChallenge,
INOUT BSI_ULONG_PTR unChallengeLen);Parameters:
| Parameters | Description |
|---|---|
| hCard | [in] Card connection handle returned by a successful call to the gscBsiUtilConnect() function. |
| uszAID | [in] ASCII hex encoded AID value of the applet. |
| unAIDLen | [in] Length of the applet AID value including the NULL terminator. |
| uszChallenge |
[in, out] Buffer to be filled by the function with the generated challenge. Calling application must pre-allocate this buffer. For further information, see This buffer is returned ASCII hex encoded. |
| unChallengeLen | [in, out] Pointer to an unsigned long integer to be set by the function with the returned challenge length. This includes the NULL terminator. |
Returns:
BSI_OK
BSI_BAD_AID
BSI_BAD_HANDLE
BSI_BAD_PARAM
BSI_CARD_REMOVED
BSI_INSUFFICIENT_BUFFER
BSI_NO_CARDSERVICE
BSI_SC_LOCKED
BSI_UNKNOWN_ERRORgscBsiGetCryptoProperties()
Retrieves the access control rules and private cryptographic key length managed by the Cryptographic Provider Module.
Syntax:
BSI_RETURN gscBsiGetCryptoProperties(
IN BSI_CARD_HANDLE hCard,
IN BSI_BYTE_PTR uszAID,
IN BSI_ULONG unAIDLen,
INOUT BSI_CRYPTO_ACR_PTR strctCRYPTOacr,
INOUT BSI_ULONG_PTR punKeyLen);Parameters:
| Parameters | Description |
|---|---|
| hCard | [in] Card connection handle returned by a successful call to the gscBsiUtilConnect() function. |
| uszAID | [in] ASCII hex encoded AID value of the cryptographic (PKI or SKI) applet. |
| unAIDLen | [in] Length of cryptographic applet AID value including the NULL terminator. |
| strctCRYPTOacr | [in, out] Pointer to a structure to be set by the function with the access control rules defined for the services provided by this cryptographic applet. Caller must allocate structure. This parameter is not returned if the pointer is set to NULL. |
| punKeyLen |
[in, out] Pointer to an unsigned long integer to be set by the function to the key length in bytes. Depending on applet type, it can be:
If this pointer is set to NULL, then this parameter is not returned. |
Returns:
BSI_OK
BSI_BAD_AID
BSI_BAD_HANDLE
BSI_BAD_PARAM
BSI_CARD_REMOVED
BSI_NO_CARDSERVICE
BSI_SC_LOCKED
BSI_UNKNOWN_ERRORgscBsiPkiCompute()
Performs a private key computation on a message digest using the private key associated with the specified PKI applet.
Syntax:
BSI_RETURN gscBsiPkiCompute(
IN BSI_CARD_HANDLE hCard,
IN BSI_BYTE_PTR uszAID,
IN BSI_ULONG unAIDLen,
IN BSI_BYTE ucAlgoID,
IN BSI_BYTE_PTR uszMessage,
IN BSI_ULONG unMessageLen,
INOUT BSI_BYTE_PTR uszResult,
INOUT BSI_ULONG_PTR unResultLen);Parameters:
| Parameters | Description |
|---|---|
| hCard | [in] Card connection handle returned by a successful call to the gscBsiUtilConnect() function. |
| uszAID | [in] ASCII hex encoded AID value of the PKI applet. |
| unAIDLen | [in] Length of PKI applet AID value including the NULL terminator. |
| ucAlgoID | [in] Algorithm Identifier. In this version of the interoperability specification, the only algorithm supported is RSA_NO_PAD. (For further information, see .) |
| uszMessage | [in] ASCII hex encoded message to be computed. |
| unMessageLen | [in] Length of message to be computed. This value must be equal to the key length returned by the gscBsiGetCryptoProperties() function (64 or 128 bytes), plus 1 for the NULL terminator. |
| uszResult |
[in, out] Buffer to be filled by the function with the computed message. Calling application must pre-allocate this buffer. For further information, see . This buffer is returned ASCII hex encoded. |
| unResultLen | [in, out] Pointer to an unsigned long integer to be set by the function with the length of the computed message length including the NULL terminator. |
Returns:
BSI_OK
BSI_ACCESS_DENIED
BSI_BAD_AID
BSI_BAD_ALGO_ID
BSI_BAD_HANDLE
BSI_BAD_PARAM
BSI_CARD_REMOVED
BSI_INSUFFICIENT_BUFFER
BSI_NO_CARDSERVICES
BSI_SC_LOCKED
BSI_UNKNOWN_ERRORgscBsiPkiGetCertificate()
Reads a certificate from the card.
Syntax:
BSI_RETURN CALLBACK gscBsiPkiGetCertificate(
IN BSI_CARD_HANDLE hCard,
IN BSI_BYTE_PTR uszAID,
IN BSI_ULONG unAIDLen,
OUT BSI_BYTE_PTR uszCertificate,
INOUT BSI_ULONG_PTR unCertificateLen);Parameters:
| Parameters | Description |
|---|---|
| hCard | [in] Card connection handle returned by a successful call to the gscBsiUtilConnect() function. |
| uszAID | [in] ASCII hex encoded AID value of the PKI applet whose certificate is to be read. |
| unAIDLen | [in] Length of the PKI applet AID value including the NULL terminator. |
| uszCertificate |
[out] Buffer to be filled by the function with the read certificate. Calling application must pre-allocate this buffer. For further information, see . This buffer is returned ASCII hex encoded. |
| unCertificateLen | [in, out] Pointer to an unsigned long integer to be set by the function with the read certificate length. This includes the NULL terminator. |
Returns:
BSI_OK
BSI_ACCESS_DENIED
BSI_BAD_AID
BSI_BAD_HANDLE
BSI_BAD_PARAM
BSI_CARD_REMOVED
BSI_INSUFFICIENT_BUFFER
BSI_NO_CARDSERVICE
BSI_READ_ERROR
BSI_SC_LOCKED
BSI_UNKNOWN_ERRORgscBsiSkiInternalAuthenticate()
Computes a symmetric key cryptography authenticator in response to a challenge generated by the client application.
Syntax:
BSI_RETURN gscBsiSkiInternalAuthenticate(
IN BSI_CARD_HANDLE hCard,
IN BSI_BYTE_PTR uszAID,
IN BSI_ULONG unAIDLen,
IN BSI_BYTE ucAlgoID,
IN BSI_BYTE_PTR uszChallenge,
IN BSI_ULONG unChallengeLen,
OUT BSI_BYTE_PTR uszCryptogram,
INOUT BSI_ULONG_PTR unCryptogramLen);Parameters:
| Parameters | Description |
|---|---|
| hCard | [in] Card connection handle returned by a successful call to the gscBsiUtilConnect() function. |
| uszAID | [in] ASCII hex encoded AID value of the SKI applet. |
| unAIDLen | [in] Length of the SKI applet AID value including the NULL terminator. |
| ucAlgoID |
[in] Algorithm Identifier. In this version of the interoperability specification, the algorithms supported for this operation are DES3_ECB (Algorithm Identifier 0x81) and DES3_CBC (Algorithm Identifier 0x82). For further information, see Cryptographic Algorithms. |
| uszChallenge | [in] ASCII hex encoded challenge generated by the application and submitted to the card. Set this parameter to NULL if the cryptogram is synchronous. |
| unChallengeLen | [in] The length of the ASCII hex encoded challenge including the NULL terminator. In this version of the specification, the challenge length can be up to 8 bytes. Hence the value of unChallengeLen can be up to 17 (2*8+1). |
| uszCryptogram |
[out] Buffer to be filled by the function with the computed cryptogram. Calling application must pre-allocate this buffer. For further information, see . This buffer is returned ASCII hex encoded. |
| unCryptogramLen |
[in, out] Pointer to an unsigned long integer to be set by the function to the cryptogram length computed by the SKI applet. This includes the NULL terminator. The result of a DES computation is always 8 bytes. Some cards truncate the cryptogram so that the gscBsiSkiInternalAuthenticate() function cannot be used to encrypt data. |
Returns:
BSI_OK
BSI_ACCESS_DENIED
BSI_BAD_AID
BSI_BAD_ALGO_ID
BSI_BAD_HANDLE
BSI_BAD_PARAM
BSI_CARD_REMOVED
BSI_INSUFFICIENT_BUFFER
BSI_NO_CARDSERVICE
BSI_SC_LOCKED
BSI_TERMINAL_AUTH
BSI_UNKNOWN_ERROR
