support for non-openpgp cards

Simon Josefsson jas at
Thu Nov 18 23:35:20 CET 2004

Zeljko Vrba <zvrba at> writes:

> Pr=E1gai, R=F3bert wrote:
> | Hi Zeljko,
> |
> | big welcome for the pkcs11 patch for gnupg! We use cryptoflex
> | e-gate 32k cards here and planned to make such a patch, too. You
> | were the quicker:) My question: is the MUSCLE pkcs11 library
> | required for this patch or any other pkcs11 (e.g. opensc-pkcs11)
> | library will do the job?
> |
> |
> I believe that any PKCS#11 implementation for that card should work in
> theory.
> Unfortunately, I have seen few PKCS#11 implementations (even
> commercial) that correctly implement PKCS#11 spec in all relevant
> aspects. So that supporting different PKCS#11 _implementation_ (even
> for the same card) could result in big code changes..
> So, what _in theory_ should be ONE source, _in practice_ that source
> gets many #ifdefs for various PKCS#11 implementations.. :(

IMHO, you should not care about broken implementations.  There is a
well-defined PKCS#11 specification, even including header files.
Write code for the specification.  If something doesn't work because
someone isn't implementing the specification, that's their problem.
Polluting GnuPG code with #ifdef would make GnuPG users pay the price
of other's bad work.

To make things work in the real world, and not just a dream world
where everyone implement the specification, you can write a module
that translate from broken PKCS#11 to correct PKCS#11.  IMHO, this is
much better than coding for broken PKCS#11 directly.

But hey, I'm not doing any work, so if you are, you get to chose the
strategy. ;-)

There is a GNU PKCS#11 package:

Alas, it uses OpenSSL.


More information about the Gnupg-devel mailing list