What is an etoken?

I need to write a code to check the validity of the digital certificate present in an etoken. I am not familiar with etokens. Can anyone please answer my following开发者_StackOverflow questions,

1. How to access the digital certificate content from etoken?
2. Can we access the private key stored in etoken?
3. When we plug the etoken to an computer then does it copy the digital certificate on the computer or not? If yes then where does it copy it?

I need to write C++ program for the same. Can we use Cryptographic API's (like CrypImportKey() CryptExportKey() ) provided by Microsoft for the above requirement?

---

"etoken" was the name of one of first USB cryptotokens produced by Aladdin. What you are asking for is usually referred to as security token. This is a hardware device with it's own memory, in which certificates and private keys are stored.

Tokens need drivers to be installed in order to work properly. The driver set includes implementation of CSP (Cryptographic Service Provider) for CryptoAPI. CSP does the job of presenting certificates, stored in the token, to CryptoAPI. To answer your questions:

1. Via CryptoAPI or PKCS#11 interface (drivers for both are supplied by the vendor).
2. You can perform certain operations with the private key by calling the appropriate API. But the key itself is not extractable.
3. I can't say for sure but for me it looks like certificates are copied to in-memory certificate store for speed of operations.

---

In relation to your second question, I believe it is possible to access the private key on the security token. The security token had to be pre-programmed and loaded with a private key somehow. Also, the last time we renewed our certificate, we did it online, using the issuer's web interface which installed an ActiveX module that uploaded the new certificate to the device. I don't know if this procedure also uploaded a new key but possibly not, since I don't believe you need to change your private key to create a new public certificate for yourself (which needs to be signed by the issuer to be trusted I believe).

Sorry I might not make much sense as I am new to the whole idea of Public Key Infrastructure.

If someone else could validate/invalidate my claims, please share your knowledge.

EDIT: I found this hardware hack for Alladin devices: http://seclists.org/bugtraq/2000/May/48 Basically, it is possible to read the date on the eToken but it requires a direct hardware interface to the device's on-board memory.