trustable p11-capi binaries, 32-bit and 64-bit

BLUF: The Open Source Software library "p11-capi" is a LGPLv2 module that allows Firefox to talk to smartcards (like the DoD CAC) on Windows computers. This is particularly useful on Windows 7, which natively supports some US Government smartcards, but does not provide the cross-platform API used by programs like Firefox. I am providing 32-bit and 64-bit binaries that translate CAPI middleware to PKCS#11 middleware as a convenience.

NOTE: 2016-05-19 (Issue Fixed)

Go here: https://github.com/risacher/p11-capi

Since at least 2013, there have been reports of p11-capi failing to authenticate to some web sites. (I observed this problem with some sites, but not others.) Investigation indicated that the hashing algorithm being selected during the client authentication signing operation was a Suite B algorithm SHA256, which is only supported by the "Microsoft Base Smart Card Crypto Provider" with some trickery. The updated version on GitHub includes the necessary trickery that fixes this issue.

Function

There are two main interfaces for computer applications to interface with smartcards and other hardware security modules. The PKCS#11 interface is a cross-platform, de-facto industry standard API. Microsoft CAPI is a proprietary interface only supported on Windows platforms, but as Windows has significant market-share in large enterprises that use smartcards, it is more frequently supported.

The use of p11-capi allows programs (such as Firefox) that use the industry-standard PKCS#11 API to perform cryptographic operations with Hardware Security Modules, such as the DoD Common Access Card (CAC), or Federal Personal Identity Verification (PIV). This is particularly useful under Windows 7 or later, which have built-in support for smartcards via CAPI, but do not provide PKCS#11 support.

Trust

You should be cautious about installing software that performs cryptographic functions and interfaces with your smartcard. Malicious back doors could be used to steal your identity. As such, I provide an assertion, digitally signed with my US Government-issued PKI certificate, that I compiled this software and inspected the source code. This assertion is a signed Portable Document Format (PDF) file, and the signature can be validated with any PDF reader that supports digital signatures. (As of this writing, Mozilla Firefox's built-in PDF renderer does not. Adobe Acrobat does.) The signature will only validate correctly if your computer trusts the US DoD Certificate Authorities.

I describe these binaries as "trustable" in that you should be able to verify that the versions you are using were compiled by a US government employee in some trustable way. Whether you trust me is up to you.

ASSERTION

I, Daniel Risacher, an employee of the United States Department of Defense, in the office of the DoD Chief Information Officer, compiled binaries of the software library p11-capi for Win32 (on 2016-10-24) and Win64 (on 2016-11-10) platforms.

The source code that I compiled can be retrieved at: https://github.com/risacher/p11-capi/tree/. This code is derived from Stef Walter's project which I obtained from git://thewalter.net/p11-capi. I modified Stef Walter's code to add support for SHA-256, SHA-384, and SHA-512. I inspected the upstream code for obvious back doors. The code was cross-compiled for Microsoft Windows with the w64-mingw32 toolchain on Ubuntu 14.04 LTS.

The SHA256 checksums of the compiled binaries are: 133e74cd9ea57467da1b25b54bb9511eb3d8d02164f39d23243efdc9941e4909 w32/p11capi_w32.dll 69ca3f2c0ae5189e3a205fa1dabb78593a96538d4b11dcfeefab399e7f3631fc w64/p11capi_w64.dll

Daniel.R.Risacher.CIV@mail.mil

magnus@alum.mit.edu