Create an Attribute Certificate object

11/24/2012 9:17:00 PM
Total Posts 4

Create an Attribute Certificate object

Hello.

 

I am trying to create an attribute certificate object in a smartcard. I have the following code. The AttributeCertificate class is from Bouncy Castle.

 

   var certBytes = System.IO.File.ReadAllBytes(@"C:\Oak\Certs\AttributeCertificate.cer");
   var cert = AttributeCertificate.GetInstance(DerSequence.FromByteArray(certBytes));

   CryptokiCollection template = new CryptokiCollection();
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509_ATTR_CERT));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.ACInfo.Holder.GetEncoded()));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.ACInfo.Issuer.GetEncoded()));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.ACInfo.SerialNumber.GetEncoded()));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, 13));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "Certificado CAU"));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, certBytes));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, false));

   CryptokiObject certificate = session.Objects.Create(template);

 

However, I get an exception in the last statement -- "Error n. 209" (TEMPLATE_INCONSISTENT)

 

I suspect that, for writing an attribute certificate, a different set of attributes must be set (I got those from the example on creating plain public key certificates), but I have no idea which attributes must be set.

 

Any ideas?

11/24/2012 11:50:11 PM
Total Posts 4

Re: Create an Attribute Certificate object

Actually, I read in the PKCS#11 that the set of attributes is another one completely. I am now using the following code:

   var certBytes = System.IO.File.ReadAllBytes(@"C:\Oak\Certs\AttributeCertificate.cer");
   var cert = AttributeCertificate.GetInstance(DerSequence.FromByteArray(certBytes));

   CryptokiCollection template = new CryptokiCollection();
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509_ATTR_CERT));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, false));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "AttCert"));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_OWNER, cert.ACInfo.Holder.GetEncoded()));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_AC_ISSUER, cert.ACInfo.Issuer.GetEncoded()));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.ACInfo.SerialNumber.GetEncoded()));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_ATTR_TYPES, new DerSequence(new DerObjectIdentifier("2.5.4.72")).GetEncoded()));
   template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, certBytes));

   CryptokiObject certificate = session.Objects.Create(template);

 

However, the result is still the same. I have tried with various subsets of those attributes, but the result is always the same (error 209, TEMPLATE_INCONSISTENT)

11/25/2012 4:52:39 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Create an Attribute Certificate object

The error TEMPLATE_INCONSISTENT comes from the underlying PKCS#11. Usually it means that some of the attributes you set are not compliant with the others. Which PKCS#11 module are you using?

Also, reading page 79 of the PKCS#11 2.20 specification, the example on that page doesn't use the MODIFIABLE attribute:

CK_ATTRIBUTE template[] = {
   {CKA_CLASS, &class, sizeof(class)},
   {CKA_CERTIFICATE_TYPE, &certType, sizeof(certType)},
   {CKA_TOKEN, &true, sizeof(true)},
   {CKA_LABEL, label, sizeof(label)-1},
   {CKA_OWNER, owner, sizeof(owner)},
   {CKA_VALUE, certificate, sizeof(certificate)}
};

11/25/2012 8:19:17 PM
Total Posts 4

Re: Create an Attribute Certificate object

Thanks for the reply, Ugo.

 

I have tried with just those attributes suggested in the example contained in the PKCS#11 standard, and the result is still the same.

 

I am using SafeSign. The version of the PKCS#11 DLL (aetpkss1.dll) is 3.0.0.2299. Would you suggest an alternative?

11/25/2012 8:21:52 PM
Total Posts 4

Re: Create an Attribute Certificate object

Oh, and the smart card is a G&D Sm@rt Cafe 3.1
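
Added example, not part of the original thread and not code from the library or the PKCS#11 module discussed: a C check of the three templates posted above against the attribute set that PKCS#11 v2.20 defines for CKC_X_509_ATTR_CERT objects. The attribute type values are those of the v2.20 header; the function names (`ac_foreign`, `ac_missing`) and the sample arrays are constructed for this illustration.

```c
#include <stdio.h>
/* Attribute type values as defined in the PKCS#11 v2.20 header (pkcs11t.h). */
typedef unsigned long CK_ULONG;
enum { CKA_CLASS = 0x00, CKA_TOKEN = 0x01, CKA_PRIVATE = 0x02, CKA_LABEL = 0x03,
       CKA_VALUE = 0x11, CKA_CERTIFICATE_TYPE = 0x80, CKA_ISSUER = 0x81,
       CKA_SERIAL_NUMBER = 0x82, CKA_AC_ISSUER = 0x83, CKA_OWNER = 0x84,
       CKA_ATTR_TYPES = 0x85, CKA_TRUSTED = 0x86, CKA_CERTIFICATE_CATEGORY = 0x87,
       CKA_CHECK_VALUE = 0x90, CKA_SUBJECT = 0x101, CKA_ID = 0x102,
       CKA_START_DATE = 0x110, CKA_END_DATE = 0x111, CKA_MODIFIABLE = 0x170 };
#define N(a) (sizeof(a) / sizeof((a)[0]))
/* Attributes v2.20 defines for CKC_X_509_ATTR_CERT objects: storage and common
   certificate attributes plus the attribute-certificate specific ones. */
static const CK_ULONG ac_allowed[] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL,
    CKA_MODIFIABLE, CKA_CERTIFICATE_TYPE, CKA_TRUSTED, CKA_CERTIFICATE_CATEGORY,
    CKA_CHECK_VALUE, CKA_START_DATE, CKA_END_DATE, CKA_OWNER, CKA_AC_ISSUER,
    CKA_SERIAL_NUMBER, CKA_ATTR_TYPES, CKA_VALUE };
/* Attributes that must be supplied when the object is created. */
static const CK_ULONG ac_required[] = { CKA_CLASS, CKA_CERTIFICATE_TYPE, CKA_OWNER, CKA_VALUE };
/* Constructed sample input: attribute types of the three templates in this thread. */
const CK_ULONG first_post[] = { CKA_CLASS, CKA_CERTIFICATE_TYPE, CKA_SUBJECT,
    CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_ID, CKA_LABEL, CKA_TOKEN, CKA_VALUE, CKA_MODIFIABLE };
const CK_ULONG second_post[] = { CKA_CLASS, CKA_CERTIFICATE_TYPE, CKA_TOKEN,
    CKA_MODIFIABLE, CKA_LABEL, CKA_OWNER, CKA_AC_ISSUER, CKA_SERIAL_NUMBER,
    CKA_ATTR_TYPES, CKA_VALUE };
const CK_ULONG spec_example[] = { CKA_CLASS, CKA_CERTIFICATE_TYPE, CKA_TOKEN,
    CKA_LABEL, CKA_OWNER, CKA_VALUE };
static int contains(const CK_ULONG *set, size_t n, CK_ULONG t) {
    for (size_t i = 0; i < n; i++) if (set[i] == t) return 1;
    return 0;
}
/* Store types not defined for attribute certificates in out[n]; return their count. */
int ac_foreign(const CK_ULONG *tmpl, size_t n, CK_ULONG *out) {
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (!contains(ac_allowed, N(ac_allowed), tmpl[i])) out[c++] = tmpl[i];
    return c;
}
/* Count mandatory attributes that the template leaves out. */
int ac_missing(const CK_ULONG *tmpl, size_t n) {
    int c = 0;
    for (size_t i = 0; i < N(ac_required); i++) c += !contains(tmpl, n, ac_required[i]);
    return c;
}
int main(void) {
    CK_ULONG bad[16];
    int f = ac_foreign(first_post, N(first_post), bad);
    printf("first post: %d foreign, %d missing\n", f, ac_missing(first_post, N(first_post)));
    return 0;
}
```

Passing this check only rules out a template that contradicts the specification; it says nothing about which object types a particular module or card supports.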