Cryptographic Token Interface Standard

PKCS#11


Virtual Slots and Tokens

Exposing multiple PINs requires the creation of a virtual slot and token pair for each PIN supported by the Cryptoki library. To the library there is a single slot and card, but to the application it appears that there are multiple slots and tokens. Since libraries are not allowed to add slots dynamically, all virtual slots must be allocated from the beginning when C_Initialize is called. When a card is inserted in a reader, the library determines how many PINs are on the card and then inserts that many virtual cards in the virtual slots. For instance, if the library supports up to two PINs on a card, and a card with a single PIN is inserted, only one of the two virtual slots will appear to have had a card inserted.

Virtual slots that represent the same physical device are tied together using the slotDescription field in the CK_SLOT_INFO structure. All virtual slots for the same device must have the same slotDescription value as the real slot would have had. This allows applications that know about the behavior to treat the virtual slots and cards as a single device with multiple PINs. As a result, the library must ensure that the slotDescription value is unique for all real slots; otherwise two different devices would be indistinguishable from one device with several PINs.

PINs on a card are identified using the tokenLabel field in the CK_TOKEN_INFO structure. The tokenLabel value is generated from a combination of the real token label and the PIN label. The format is "<token label> (<pin label>)" (e.g. "Electronic ID (PIN1)"). As a result, the user can tell which PIN to use even if the application does not know about multiple PINs. This requires that the application show the tokenLabel value when it prompts for a PIN. Fortunately, most applications do this. Since the tokenLabel field is 32 bytes, and the above format consumes one blank and two parentheses, the combined token and PIN label is limited to 29 bytes.
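The two conventions above, the slotDescription-based grouping of virtual slots and the "<token label> (<pin label>)" tokenLabel format, are shown below as an added example; this is not code from the PKCS#11 standard or from any Cryptoki library. It shows both sides: the library building a blank-padded 32-byte tokenLabel and refusing pairs that exceed the 29-byte budget, and an application splitting such a label back into its parts and counting physical devices by distinct slotDescription. The field widths are taken from CK_TOKEN_INFO and CK_SLOT_INFO; the functions, macros and the sample labels ("Electronic ID", "PIN1", "ACME Reader 0") are assumptions made for the example, and pkcs11.h is deliberately not included so it builds stand-alone.

```c
#include <stddef.h>
#include <string.h>

/* Field widths of CK_TOKEN_INFO.label and CK_SLOT_INFO.slotDescription.
 * Both are blank-padded and not NUL-terminated. Defined here instead of
 * including pkcs11.h so the example builds stand-alone (assumption). */
#define TOKEN_LABEL_LEN 32
#define SLOT_DESC_LEN   64

/* Combined token/PIN label budget: 32 minus the blank and the two
 * parentheses that the "<token label> (<pin label>)" format consumes. */
#define VIRTUAL_LABEL_BUDGET (TOKEN_LABEL_LEN - 3)

/* Copy s into a fixed-width Cryptoki field, padding with blanks and
 * truncating at the field width. */
void pad_field(const char *s, unsigned char *field, size_t width)
{
    size_t n = strlen(s);
    if (n > width)
        n = width;
    memset(field, ' ', width);
    memcpy(field, s, n);
}

/* Library side: build the virtual tokenLabel for one PIN.
 * Returns 0 on success, -1 if the two labels together exceed the 29-byte
 * budget. Refusing is a design choice for this example: silently
 * truncating would cut off the very PIN label the user relies on. */
int format_virtual_token_label(const char *token_label, const char *pin_label,
                               unsigned char out[TOKEN_LABEL_LEN])
{
    size_t tl = strlen(token_label), pl = strlen(pin_label);
    if (tl + pl > VIRTUAL_LABEL_BUDGET)
        return -1;
    memset(out, ' ', TOKEN_LABEL_LEN);
    memcpy(out, token_label, tl);
    out[tl] = ' ';
    out[tl + 1] = '(';
    memcpy(out + tl + 2, pin_label, pl);
    out[tl + 2 + pl] = ')';
    return 0;
}

/* Application side: split a tokenLabel back into token label and PIN label.
 * Returns 1 if a " (<pin label>)" suffix was found, 0 if the label carries
 * no PIN suffix (pin_out becomes ""), -1 if an output buffer is too small.
 * Trailing blank padding is stripped before parsing. */
int parse_virtual_token_label(const unsigned char label[TOKEN_LABEL_LEN],
                              char *token_out, size_t token_sz,
                              char *pin_out, size_t pin_sz)
{
    size_t end = TOKEN_LABEL_LEN, open = 0, tok_len, pin_len;
    int has_pin = 0;

    while (end > 0 && label[end - 1] == ' ')
        end--;

    /* The PIN label is the last "(...)" group, preceded by one blank. */
    if (end >= 4 && label[end - 1] == ')') {
        for (size_t i = end - 1; i >= 2; i--) {
            if (label[i - 1] == '(' && label[i - 2] == ' ') {
                open = i - 2;
                has_pin = 1;
                break;
            }
        }
    }

    tok_len = has_pin ? open : end;
    pin_len = has_pin ? end - open - 3 : 0;
    if (tok_len >= token_sz || pin_len >= pin_sz)
        return -1;
    memcpy(token_out, label, tok_len);
    token_out[tok_len] = '\0';
    if (has_pin)
        memcpy(pin_out, label + open + 2, pin_len);
    pin_out[pin_len] = '\0';
    return has_pin;
}

/* Application side: virtual slots of one physical device share the same
 * slotDescription, so the number of distinct descriptions is the number
 * of physical devices. Quadratic, but slot lists are short. */
size_t count_physical_devices(unsigned char descs[][SLOT_DESC_LEN], size_t n)
{
    size_t devices = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i; j++) {
            if (memcmp(descs[i], descs[j], SLOT_DESC_LEN) == 0) {
                seen = 1;
                break;
            }
        }
        if (!seen)
            devices++;
    }
    return devices;
}
```

An application that wants to prompt with the tokenLabel unchanged needs none of the parsing; parse_virtual_token_label is only for applications that understand the convention and want to present one device with several PINs. Note that the parser compares raw bytes, as the comparison of slotDescription does, so a real slot whose description happens to collide with another device's would be merged with it, which is exactly why the library must keep real slotDescription values unique.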


RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v211