This section describes the requirements to develop the four types of applications that can plug into the Solaris cryptographic framework.
To develop a user-level consumer, a developer needs to keep the following items in mind:
Include <security/cryptoki.h>.
Make all calls through the PKCS #11 interfaces only.
Link with libpkcs11.so.
Libraries should not call the C_Finalize() function.
See Chapter 9, Writing User-Level Cryptographic Applications and Providers for more information.
To develop a user-level provider, a developer needs to keep the following items in mind:
Design the provider to stand alone. Although the provider shared object need not be a full-fledged library to which applications link, all necessary symbols must exist in the provider. Assume that the provider is to be opened by dlopen(3C) in RTLD_GROUP and RTLD_NOW mode.
Create a PKCS #11 Cryptoki implementation in a shared object. This shared object should include necessary symbols rather than depend on consumer applications.
It is highly recommended, though not required, to provide a _fini() routine for data cleanup. This method is required to avoid collisions between C_Finalize() calls when an application or shared library loads libpkcs11 and other provider libraries concurrently. See Avoiding Data Cleanup Collisions in User-Level Providers.
Apply for a certificate from Sun Microsystems, Inc. See To Request a Certificate for Signing a Provider.
Use the certificate with elfsign to sign the binary. See To Sign a Provider.
Package the shared object according to Sun conventions. See Appendix F, Packaging and Signing Cryptographic Providers.
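The _fini() recommendation in the provider list above, sketched as an added example (not code from the Solaris documentation or from Sun): C_Finalize() and the unload hook share one guarded cleanup path, so whichever runs second does nothing. The CK_* definitions are stand-ins for <security/cryptoki.h>, and session_table, cleanup_runs, cleanup_locked and provider_fini are hypothetical names; the GCC/Clang destructor attribute stands in for the _fini() hook.

```c
#include <pthread.h>
#include <stdlib.h>

/* Stand-ins for <security/cryptoki.h>, so the example builds without it. */
typedef unsigned long CK_RV;
typedef void *CK_VOID_PTR;
#define CKR_OK                           0x000UL
#define CKR_HOST_MEMORY                  0x002UL
#define CKR_ARGUMENTS_BAD                0x007UL
#define CKR_CRYPTOKI_NOT_INITIALIZED     0x190UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x191UL

static pthread_mutex_t state_lock = PTHREAD_MUTEX_INITIALIZER;
static int initialized;              /* set by C_Initialize, cleared by cleanup */
static unsigned char *session_table; /* hypothetical provider-private data */
int cleanup_runs;                    /* counts real cleanups, for inspection */

/* The only place provider data is released; caller holds state_lock. */
static void cleanup_locked(void) {
    if (!initialized) return;        /* already cleaned: no double free */
    free(session_table);
    session_table = NULL;
    initialized = 0;
    cleanup_runs++;
}

CK_RV C_Initialize(CK_VOID_PTR args) {
    CK_RV rv = CKR_OK;
    (void)args;                      /* init arguments ignored in this sketch */
    pthread_mutex_lock(&state_lock);
    if (initialized) rv = CKR_CRYPTOKI_ALREADY_INITIALIZED;
    else if ((session_table = calloc(64, 64)) == NULL) rv = CKR_HOST_MEMORY;
    else initialized = 1;
    pthread_mutex_unlock(&state_lock);
    return rv;
}

CK_RV C_Finalize(CK_VOID_PTR reserved) {
    CK_RV rv = CKR_OK;
    if (reserved != NULL) return CKR_ARGUMENTS_BAD;
    pthread_mutex_lock(&state_lock);
    if (!initialized) rv = CKR_CRYPTOKI_NOT_INITIALIZED;
    else cleanup_locked();
    pthread_mutex_unlock(&state_lock);
    return rv;
}

/* Unload hook: covers consumers that, as advised above, never call C_Finalize(). */
__attribute__((destructor)) void provider_fini(void) {
    pthread_mutex_lock(&state_lock);
    cleanup_locked();
    pthread_mutex_unlock(&state_lock);
}
```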
To develop a kernel-level consumer, a developer needs to keep the following items in mind:
Include <sys/crypto/common.h> and <sys/crypto/api.h>.
Make all calls through the kernel programming interface.
To develop a kernel-level provider, a developer needs to keep the following items in mind:
Include <sys/crypto/common.h> and <sys/crypto/api.h>.
Import required routines for registering, unregistering, and providing status.
Export required routines to provide entry points for the kernel cryptographic framework.
Export a data structure with descriptions of supported algorithms.
Create a loadable kernel module.
Apply for a certificate from Sun Microsystems, Inc. See To Request a Certificate for Signing a Provider.
Use the certificate with elfsign to sign the binary. See To Sign a Provider.
Package the kernel module according to Sun conventions. See Appendix F, Packaging and Signing Cryptographic Providers.