
RSA Sign using a Private Key on a USB Token or Smartcard


Create an RSA signature using a private key stored on a USB token or smartcard.

Note: On macOS and iOS, this example requires Chilkat v10.1.2 or later when the Apple Keychain is the underlying mechanism used for signing.


Tcl

load ./chilkat.dll

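# Signs the SHA-256 hash of a block of sample data with an RSA private key held on a
# smartcard/USB token, then writes the signature to rsaSignatures/test1.sig.
# Every failure path prints a diagnostic to stderr, frees the Chilkat objects created
# so far, and exits with a non-zero status so a calling script can detect the failure.

set success 0

# Assuming the smartcard/USB token is installed with the correct drivers from the manufacturer,
# this code can work on multiple platforms including Windows, macOS, Linux, and iOS.

# Chilkat automatically detects and determines the way in which the HSM is used,
# which can be by PKCS11, Apple Keychain, Microsoft CNG / Crypto API, or ScMinidriver.

set cert [new_CkCert]

# Set the token/smartcard PIN prior to loading.
# The PIN is read from the environment instead of being written into the script, so it
# does not end up in source control or in copies of this file. TOKEN_PIN is a name
# chosen for this example; an interactive prompt or a secrets store works equally well.
# Tokens commonly lock after a few wrong PIN attempts, so stop here rather than
# falling back to a guessed or default PIN.
if {![info exists ::env(TOKEN_PIN)] || $::env(TOKEN_PIN) eq ""} {
    puts stderr "TOKEN_PIN is not set; refusing to try a default PIN."
    delete_CkCert $cert
    exit 1
}
CkCert_put_SmartCardPin $cert $::env(TOKEN_PIN)

# Specify the certificate by its common name.
set success [CkCert_LoadFromSmartcard $cert "cn=chilkat-rsa-2048"]
if {!$success} {
    # NOTE(review): lastErrorText is verbose diagnostic output; check what it contains
    # before forwarding it to end users or shared logs.
    puts stderr [CkCert_lastErrorText $cert]
    delete_CkCert $cert
    exit 1
}

puts "Signing with cert: [CkCert_subjectCN $cert]"

# Create data to be hashed and signed.
# The loop runs for i = 0..100 inclusive, i.e. 101 appends of 16 bytes each.
set bd [new_CkBinData]

for {set i 0} {$i <= 100} {incr i} {
    CkBinData_AppendEncoded $bd "000102030405060708090A0B0C0D0E0F" "hex"
}

set rsa [new_CkRsa]

# Use the certificate's private key for signing (the final argument, 1, selects the private key).
set success [CkRsa_SetX509Cert $rsa $cert 1]
if {!$success} {
    puts stderr [CkRsa_lastErrorText $rsa]
    delete_CkCert $cert
    delete_CkBinData $bd
    delete_CkRsa $rsa
    exit 1
}

# Sign the SHA-256 hash of the contents of bd.
# NOTE(review): no padding scheme is selected in this script, so the library default
# applies; confirm it matches what the verifying side expects.
set bdSig [new_CkBinData]

set success [CkRsa_SignBd $rsa $bd "sha256" $bdSig]
if {!$success} {
    puts stderr [CkRsa_lastErrorText $rsa]
    delete_CkCert $cert
    delete_CkBinData $bd
    delete_CkRsa $rsa
    delete_CkBinData $bdSig
    exit 1
}

# The RSA signature is equal in length to the size of the RSA key.
# The expr argument is braced so it is substituted once, by expr itself.
puts "Output signature size in bits = [expr {[CkBinData_get_NumBytes $bdSig] * 8}]"

# We can save the signature for later verification.
# The write result is checked so a missing directory or a permissions problem is
# reported instead of silently leaving no signature file behind.
set success [CkBinData_WriteFile $bdSig "rsaSignatures/test1.sig"]
if {!$success} {
    puts stderr "Failed to write rsaSignatures/test1.sig (does the rsaSignatures directory exist?)"
    delete_CkCert $cert
    delete_CkBinData $bd
    delete_CkRsa $rsa
    delete_CkBinData $bdSig
    exit 1
}

# See the example to verify the RSA signature:
# Verifies an RSA Signature
# The verifier should obtain the signer's certificate through a channel it already
# trusts; a signature only proves something relative to a trusted public key.

delete_CkCert $cert
delete_CkBinData $bd
delete_CkRsa $rsa
delete_CkBinData $bdSig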