5.3.1 Introduction

This section copes with hardware token support in GnuTLS using PKCS #11 [PKCS11] PKCS #11 is plugin API allowing applications to access cryptographic operations on a token, as well as to objects residing on the token. A token can be a real hardware token such as a smart card, or it can be a software component such as Gnome Keyring. The objects residing on such token can be certificates, public keys, private keys or even plain data or secret keys. Of those certificates and public/private key pairs can be used with GnuTLS. Its main advantage is that it allows operations on private key objects such as decryption and signing without accessing the key itself.

Moreover it can be used to allow all applications in the same operating system to access shared cryptographic keys and certificates in a uniform way, as in fig:pkcs11-vision.

Figure 5.3: PKCS #11 module usage.