Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
sc-hsm-embedded PKCS#11 and CSP-Minidriver Module

Light-weight PKCS#11 library for using the SmartCard-HSM in Windows, Linux, MacOSX and embedded systems.

The module also supports various STARCOS based signature cards commonly used in Germany.

This module has been initially developed to support the integration of a SmartCard-HSM in
embedded systems with a little footprint. Rather than using a PC/SC daemon to manage
attached card readers and token, the smaller Card Terminal API (CT-API) can be used.

Over time the project has grown into a fully featured PKCS#11 and Microsoft CSP-Minidriver crypto middleware.

Supported Hardware
The module can be compiled for Linux, Windows and MacOSX. It supports the SmartCard-HSM USB-stick
and SmartCard-HSM cards inserted into a CCID compliant reader. When using the PC/SC interface
any compliant reader can be used.

The ctccid module uses standard functions from the CCID specification, so the driver may work
with other CCID compliant readers as well. However, the only reader used during tests is
the SCR 3310 and the USB-stick.

Further documentation is available at

Installation (Linux)
Download source and run

* autoreconf -fi
* configure
* make
* make install

Installation (Windows)
Select the 32-Bit or 64-Bit version depending on your version of Windows.
Installing the provided .msi file will make the sc-hsm-pkcs11.dll and sc-hsm-minidriver.dll
available in windows/system32. Test tools are installed in %PROGRAMFILES%/CardContact/SmartCard-HSM.

The 64-Bit version installs both, the 32-Bit and 64-Bit version of DLLs and test programs.

Open Firefox and Preferences/Privacy & Security, scroll down and press "Security Devices"
In the Device Manager press Load and enter "SmartCard-HSM" as module name
Select "sc-hsm-pkcs.dll" (Windows), "/usr/local/lib/" (Linux) or
/Library/sc-hsm-pkcs11/lib/sc-hsm-pkcs11.dylib" (Mac) as module filename.

Open Thunderbird and the Security Devices Manager
Select Load and enter "SmartCard-HSM" as Module Name
Select "sc-hsm-pkcs.dll" (Windows), "/usr/local/lib/" (Linux) or
/Library/sc-hsm-pkcs11/lib/sc-hsm-pkcs11.dylib" (Mac) as module filename.

Open the "Security Devices Manager"
Unload the entry under "SmartCard-HSM"

Running the test program
Open a console and change into the sc-hsm-pkcs11 directory.
Insert a SmartCard-HSM and enter

sc-hsm-pkcs11-test --module lib\sc-hsm-pkcs11.dll

For a STARCOS card you will need to define the token that shall be used for tests:

sc-hsm-pkcs11-test --module lib\sc-hsm-pkcs11.dll --token STARCOS.eUserPKI

Without a PIN given with the --pin parameter only tests are performed for which
no PIN is required.

A debugging version of the PKCS#11 module is provided to aid debugging of
card and card reader problems.

Please install the debug version and create a sc-hsm-embedded directory under
%HOME%/tmp on Linux/MacOSX and %HOMEDIR%/appdata/LocalLow on Windows.

System applications running under root will write logfiles to /var/tmp/sc-hsm-embedded.

On Linux you will need to use configure with --enable-debug.

Release 2.11
Add support for 4K version of the SmartCard-HSM (V3.x)
Add support for AES
Add support for TLS1.3

Release 2.10
Add write support for the SmartCard-HSM
Add CSP-Minidriver for Windows based applications
Add C_WaitForSlotEvent
Add public key operation with C_Verify*(), C_Encrypt*() and C_Digest*() functions
Removed support for obsolete Signtrust Cards.

Release 2.9
Added ATRs for BNotK cards

Release 2.8
Added support for ECC keys on DGN card
Added support for static slot ids
Fixed issue with leaked PIN value due to non-cleared buffers
Added multi-threading tests for ECC

Release 2.7
Added support for DGN HBA on Starcos 3.5

Release 2.6
Disabled QES token when running under Firefox.

Release 2.5
Added ATR for contactless SmartCard-HSMs.

Release 2.4
Removed probing of applications on unrecognized cards.

Release 2.3
Disabled QES2 on Signtrust 3.2 card as this is never used.
Added environment variable PKCS11_PREALLOCATE_VIRTUAL_SLOTS=<n> to create <n> virtual slots when the
primary slot is allocated for the first time. Without the flag a virtual slot is dynamically created if a
token with more than one PIN is detect. In that case the PKCS#11 module creates an additional virtual slot for
each additional PIN (usually the QES PINs). However, this dynamic behaviour collides with the way Firefox handles
the Friendly flag, which is only set for slots that are present at modul loading.

Release 2.2
Added support for Signtrust Starcos 3.2 card

Release 2.1
Added support for D-Trust Starcos 3.4 card
Added support for Signtrust Starcos 3.5 card

Release 2.0
Added support for Bundesnotarkammer Starcos 3.5 card
Added support for PC/SC card reader


PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards




No packages published

Contributors 4