pfx Certificates

9/23/2010 8:51:58 AM
Total Posts 26

pfx Certificates

Dear Ugo: I would like you to confirm whether it is possible to load a pfx certificate from a file onto a smart card. I need to change the PIN and PUK too. I have been able to select the slot and the token, open a session and change the PIN, but I don't know how to change the PUK or load the certificate from a file. Would it be possible to store a photo with your API? Do you have an example in Visual Basic 6 or Visual Basic .NET? Thank you very much in advance. Kind regards.

9/23/2010 3:47:49 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

Hi fcifera,

Yes, you can import a pfx into the smart card using NCryptoki.
You can also import an array of bytes (for example a photo) as a Data object.
Refer to the VB.NET snippets shown below.

Regarding the PUK, you must log in as Security Officer (USER_SO) and then call Session.SetPIN(oldPin, newPin).

Regards,

Ugo Chirico
http://www.ugochirico.com

Code snippets.

Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports Cryptware.Cryptoki

Function ImportKeyPair(ByVal Session As Session, ByVal cert As Byte(), ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey

    ' Parse the PKCS#12 container; Exportable is required to read the private exponent back out
    Dim certificate As X509Certificate2
    certificate = New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)

    If (Not certificate.HasPrivateKey) Then
        Throw New Exception("Certificate doesn't have private key. Import failed!")
    End If

    Dim keyPair As RSA
    Dim keyParams As RSAParameters
    Dim template As CryptokiCollection
    Dim priKey As PrivateKey

    keyPair = CType(certificate.PrivateKey, RSA)

    ' ExportParameters(True) includes the private parts (D, P, Q, DP, DQ, InverseQ)
    keyParams = keyPair.ExportParameters(True)
    template = New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
    ' cert is the raw Byte() here, so the subject must come from the parsed certificate object
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
    priKey = CType(Session.Objects.Create(template), PrivateKey)

    ImportKeyPair = priKey
End Function

Function ImportData(ByVal session As Session, ByVal databuffer As Byte(), ByVal label As String, ByVal app As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As Data

Dim template As CryptokiCollection
Dim data As Data

template = New CryptokiCollection()
template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_DATA))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_APPLICATION, app))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_VALUE, databuffer))

data = CType(session.Objects.Create(template), Data)

ImportData = data
End Function
9/23/2010 4:01:39 PM
Total Posts 26

Re: pfx Certificates

Thank you, Ugo, but I don't have the following classes: X509Certificate2, RSA and RSAParameters. I have the following references: Ncryptoki and NCryptokiMngd. I use Imports Cryptware.Cryptoki to import the namespace. Thanks again.

9/23/2010 4:28:32 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

Add these imports:

Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Cryptography


Regards,

Ugo

9/23/2010 4:31:43 PM
Total Posts 26

Re: pfx Certificates

Thank you, Ugo.

9/23/2010 4:34:20 PM
Total Posts 26

Re: pfx Certificates

Ugo, I'm very sorry, but I have to develop it in Visual Basic 6 and .NET. In the case of Visual Basic 6, X509Certificate2 is not available. How can I load a certificate from a file and the photo? Thanks again.

9/23/2010 6:05:52 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

In Visual Basic 6 there is nothing similar to X509Certificate2, nor any other way to manage a pfx as simple as in .NET.

You could write in .NET a class that manages a pfx and returns an array of bytes and the other info you need, give that class COM visibility and call it from your VB6 code.

For the photo it is simpler. You must read the photo as a normal file, putting the content in a Byte() variable, and call the same procedure I sent you in the last post.


Regards,

Ugo

9/23/2010 6:24:44 PM
Total Posts 26

Re: pfx Certificates

Ugo, I have tested the snippet you sent me to load a pfx file into a smart card. I have changed an argument of the function. I use ByVal cert As String instead of ByVal cert As Byte(), because I will send the full path with the name of the pfx file. This is the modified snippet:

Function ImportKeyPair(ByVal Session As Session, ByVal cert As String, ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey
    Dim certificate As X509Certificate2
    certificate = New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)
    If (Not certificate.HasPrivateKey) Then
        Throw New Exception("Certificate doesn't have private key. Import failed!")
    End If
    Dim keyPair As RSA
    Dim keyParams As RSAParameters
    Dim template As CryptokiCollection
    Dim priKey As PrivateKey
    keyPair = certificate.PrivateKey
    keyParams = keyPair.ExportParameters(True)
    template = New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
    priKey = Session.Objects.Create(template)
    ImportKeyPair = priKey
End Function

And this is the line I use to call the function:

ImportKeyPair(sess, "c:\temp\consuelo.pfx", "12345", "", "", True, True)

This is the error I get on the line "priKey = Session.Objects.Create(template)":

ErrorCode=209
ErrorString="TEMPLATE_INCONSISTENT"

Do you know why?

Thanks a lot.

9/23/2010 8:36:49 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

TEMPLATE_INCONSISTENT comes from the underlying native PKCS#11 module you are using: aetpkss1.dll.
This error can happen when one of the attributes has a wrong value. In your case it might be the attribute CKA_MODIFIABLE that you set to true. Maybe aetpkss1.dll accepts only non-modifiable key pairs. Try setting it to false.

Regards,

Ugo

9/23/2010 8:48:56 PM
Total Posts 26

Re: pfx Certificates

Thank you, Ugo. I will try it.

9/24/2010 9:08:57 AM
Total Posts 26

Re: pfx Certificates

Ugo, I have tried what you said and the problem persists. I have tried with another cryptographic smart card (ACOS5), instead of the HID C700 Crescendo, and the problem is the same. The only thing I have changed to test the ACOS5 card is the following line:

Dim Criptoki As New Cryptoki("acospkcs11.dll")

Rgds,

9/24/2010 12:20:10 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

I didn't see that you set Label = "" and ID = "".

You cannot create a key pair with ID and Label empty. You should set them to a valid value.

Let me know...

Ugo

9/24/2010 1:43:54 PM
Total Posts 26

Re: pfx Certificates

Ugo, I tried with values in these parameters in the past but the result was the same. I have tested again with this line:

ImportKeyPair(sess, "c:\temp\consuelo.pfx", "1234", "Id Certificado", "Example certificate", True, True)

In the PKCS#11 documentation I can read that CKA_LABEL is the "Description of the object (default empty)", in this case the certificate, so I think I can write what I want. In relation to CKA_ID I can read that it is the "Key identifier for public/private key pair (default empty)". For me it is not clear whether I can set this attribute to the content I want.

I have tested with CKA_MODIFIABLE = False and the same problem :-(

When I open the session I use this line:

sess = tok.OpenSession(Session.CKF_RW_SESSION Or Session.CKF_SERIAL_SESSION)

intDevolución = sess.Login(Session.CKU_USER, "1234")

and intDevolución=0 (correct)

Thank you very much.

Rgds,

9/24/2010 6:19:08 PM
Total Posts 26

Re: pfx Certificates

Ugo, I have been reading the PKCS#11 technical document and there is something I don't understand. This is the snippet you sent me (with the change I made to the parameter ByVal cert As String in order to send a path to the pfx file):

Function ImportKeyPair(ByVal Session As Session, ByVal cert As String, ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey
    Dim certificate As X509Certificate2
    certificate = New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)
    If (Not certificate.HasPrivateKey) Then
        Throw New Exception("Certificate doesn't have private key. Import failed!")
    End If
    MessageBox.Show(certificate.GetExpirationDateString)
    MessageBox.Show(certificate.Issuer)
    Dim keyPair As RSA
    Dim keyParams As RSAParameters
    Dim template As CryptokiCollection
    Dim priKey As PrivateKey
    keyPair = certificate.PrivateKey
    keyParams = keyPair.ExportParameters(True)
    template = New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
    priKey = Session.Objects.Create(template)
    ImportKeyPair = priKey
End Function

My doubt is the following: with the template you create, is the pfx file copied to the smart card? I don't understand why CKA_CLASS is CryptokiObject.CKO_PRIVATE_KEY instead of CryptokiObject.CKO_CERTIFICATE.

With the software tools the manufacturer provides, I can see the certificate and private key in the token. I delete them with the manufacturer's tools and try again with this code, but I can't... I'll give you more information. With the manufacturer's tools I have to select "Import digital ID" instead of "Import certificate". When I import a digital ID I can see the certificate and private key.

I have not been able to avoid 209 error (TEMPLATE_INCONSISTENT) with this snippet.

Thanks again.

Rgds,

9/25/2010 12:47:55 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

First of all you should know that a pfx is a PKCS#12 container that contains the private key, the public key as well as the related certificate. Thus, importing a pfx means importing the private key and the certificate (and maybe also the public key if you need it separately from the certificate).

To import the key pair you can use the function ImportKeyPair I sent you (modified as you did). Then you should import the certificate with the other function, ImportCertificate.

Now, the problem you have is related to some of the attributes you specified in the template. Any PKCS#11 token implements the PKCS#11 standard specifications in its own way. This means that attributes may vary from one implementation to another.
You got that error because one of the attributes in the template is considered not valid by your PKCS#11 module (for example, with my SmartOS CK PKCS#11 it works) or because there are some missing attributes (for example CKA_NEVER_EXTRACTABLE or CKA_ALWAYS_SENSITIVE; refer to the PKCS#11 specifications for the function C_CreateObject and the RSA Private Key Object).

So you should try removing one attribute at a time to see which one is considered invalid. If it still doesn't work, try to add one of the missing attributes specified in the PKCS#11 specification (for example CKA_NEVER_EXTRACTABLE or CKA_ALWAYS_SENSITIVE, and so on).

Let me know...

Ugo

9/27/2010 10:22:57 AM
Total Posts 26

Re: pfx Certificates

Ugo, this is crazy. I have tested with 3 different smart cards (HID Crescendo C700 (HID), ACOS5 (ACS) and Touch&Sign 2048 (bit4id)). With the first one (the smart card I want to work with) I have commented out the attributes of your snippet one by one and the problem is the same (TEMPLATE_INCONSISTENT). I have added CKA_ALWAYS_SENSITIVE and CKA_EXTRACTABLE (one by one too) and the problem persists.

I have tried with the ACOS5 card and the error is different (ATTRIBUTE_TYPE_INVALID). I have commented out the attributes one by one and the problem is the same.

I have tried with Touch&Sign 2048 and "it works", but this is not the card we want to use. Anyway, do you have the snippet to load the certificate once the private key is loaded?

I think the only solution I have is talking to HID in order to get the necessary attributes for the private key and certificate.

Thank you.

9/27/2010 6:35:44 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

I know what you are experiencing :)

The best way is to ask HID what the required attributes are.

This is the snippet to load a certificate:

Function ImportCertificate(ByVal session As Session, ByVal cert As X509Certificate2, ByVal id As String, ByVal label As String, ByVal modifiable As Boolean) As CryptokiObject

    Dim template As CryptokiCollection
    Dim certif As Certificate

    ' Certificate object: the DER-encoded certificate goes in CKA_VALUE, and CKA_ID should be
    ' the same value used for the private key so that applications can pair the two objects
    template = New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.Issuer))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.SerialNumber))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))

    certif = CType(session.Objects.Create(template), Certificate)

    ImportCertificate = certif

End Function

Regards,

Ugo

9/27/2010 6:45:18 PM
Total Posts 26

Re: pfx Certificates

Thank you, Ugo. This is very frustrating. Everybody says I must use CryptoAPI instead of PKCS#11, because it is very difficult to manage if you don't use C++. You have helped me a lot, so I think we are close to the solution. I will wait.

Thank you, again.

Rgds,

9/27/2010 6:58:23 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

People say that you cannot use PKCS#11 without C++ because they don't know NCryptoki.

I made NCryptoki exactly to allow people to use PKCS#11 without C++.

CryptoAPI can be used to import a pfx into the card if you have a CSP (Cryptographic Service Provider) for that smart card. If not, you must use a PKCS#11 module. Also, CryptoAPI allows you to manage only certificates and keys. It doesn't supply any function to load a photo or other kinds of data onto the smart card.

NCryptoki supplies all you need to fully manage a smart card, from certificates to keys to photos.

Do you have any sample from HID that shows how to load a private key?

9/28/2010 8:45:37 AM
Total Posts 26

Re: pfx Certificates

Thank you, Ugo. Yes, I have an example HID sent to me. Can you give me your e-mail address?

9/28/2010 10:37:35 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

See in the Contacts page and write to the techy address

9/28/2010 10:48:37 AM
Total Posts 26

Re: pfx Certificates

I have just sent it source code. Thank you.

9/28/2010 11:31:40 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

In the code you sent me there is only GenerateKeyPair (there isn't a pfx loading sample), but from this sample I see that it uses the following attributes that we are missing:

CKA_KEY_TYPE with value: CKK_RSA

CKA_SIGN with value true

CKA_DECRYPT with value true

Try to add the following lines:

template.Add(New ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SIGN, True))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_DECRYPT, True))

9/28/2010 12:05:14 PM
Total Posts 26

Re: pfx Certificates

Ugo, one step more. Now the error is TEMPLATE_INCOMPLETE. I have been reading the PKCS#11 technical document and I have tested adding the CKA_SIGN_RECOVER attribute, but the message is the same. I have tested adding CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE as you said before. I think it is an attribute related to the new attributes you have added. This is the snippet I have at this moment:

Function ImportKeyPair(ByVal Session As Session, ByVal cert As String, ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey
    Dim certificate As X509Certificate2
    certificate = New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)
    If (Not certificate.HasPrivateKey) Then
        Throw New Exception("Certificate doesn't have private key. Import failed!")
    End If
    Dim keyPair As RSA
    Dim keyParams As RSAParameters
    Dim template As CryptokiCollection
    Dim priKey As PrivateKey
    keyPair = certificate.PrivateKey
    keyParams = keyPair.ExportParameters(True)
    template = New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
    ' ******** For HID Crescendo C700
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SIGN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SIGN_RECOVER, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_DECRYPT, True))
    ' ********

    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))

    template.Add(New ObjectAttribute(ObjectAttribute.CKA_NEVER_EXTRACTABLE, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ALWAYS_SENSITIVE, True))
    priKey = Session.Objects.Create(template)
    ImportKeyPair = priKey

End Function

9/28/2010 1:05:49 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

This HID token is very hard :(

Try to add the attribute CKA_SENSITIVE.

let me know...

Ugo

9/28/2010 1:45:40 PM
Total Posts 26

Re: pfx Certificates

Ugo, we are not lucky either. With this new attribute the error is the same, TEMPLATE_INCOMPLETE. I hope HID can give more information. Thanks a lot.

9/29/2010 9:13:38 AM
Total Posts 26

Re: pfx Certificates

Ugo, finally I decided to begin again and I have seen the problem with the private key. It was the attribute CKA_TOKEN. I must set it to False. With these attributes it works:

template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, False))

template.Add(New ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))

I think I commented out these attributes one by one in the past, but perhaps I assumed CKA_TOKEN was clearly True like in other tokens...

Now I have to fight with the certificate, because I get the error TEMPLATE_INCONSISTENT. I will contact you once I get it working without errors. Thanks a lot.

9/29/2010 9:57:31 AM
Total Posts 26

Re: pfx Certificates

Ugo, I was wrong. It doesn't give any error, but the private key is not loaded into the smart card. I suppose CKA_TOKEN must be True so that the private key is loaded into the smart card. In relation to the certificate, I have been able to download it by adding another attribute (CKA_CERTIFICATE_TYPE):

template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.Issuer))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.SerialNumber))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
'template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, True))

I will wait until HID says something.

Thanks.

9/29/2010 10:16:23 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

Yes, of course. If you don't specify CKA_TOKEN=true the private key is not loaded into the token, but it is loaded as a temporary session object.

I was reading the PKCS#11 specification again. I read the following about RSA Private Keys:

"Table 36: RSA Private Key Attribute:

CKA_MODULUS, Big integer Modulus n
CKA_PUBLIC_EXPONENT Big integer Public exponent e
CKA_PRIVATE_EXPONENT Big integer Private exponent d
CKA_PRIME_1 Big integer Prime p
CKA_PRIME_2 Big integer Prime q
CKA_EXPONENT_1 Big integer Private exponent d modulo p-1
CKA_EXPONENT_2 Big integer Private exponent d modulo q-1
CKA_COEFFICIENT Big integer CRT coefficient q-1 mod p

Tokens vary in what they actually store for RSA private keys. Some tokens store all of the above attributes, which can assist in performing rapid RSA computations. Other tokens might store only the CKA_MODULUS and CKA_PRIVATE_EXPONENT values. Because of this, Cryptoki is flexible in dealing with RSA private key objects. When a token generates an RSA private key, it stores whichever of the fields in Table 36 it keeps track of. Later, if an application asks for the values of the key’s various attributes, Cryptoki supplies values only for attributes whose values it can obtain (i.e., if Cryptoki is asked for the value of an attribute it cannot obtain, the request fails). Note that a Cryptoki implementation may or may not be able and/or willing to supply various attributes of RSA private keys which are not actually stored on the token. E.g., if a particular token stores values only for the CKA_PRIVATE_EXPONENT, CKA_PRIME_1, and CKA_PRIME_2 attributes, then Cryptoki is certainly able to report values for all the attributes above (since they can all be computed efficiently from these three values). However, a Cryptoki implementation may or may not actually do this extra computation. The only attributes from Table 36 for which a Cryptoki implementation is required to be able to return values are CKA_MODULUS and CKA_PRIVATE_EXPONENT.
If an RSA private key object is created on a token, and more attributes from Table 36 are supplied to the object creation call than are supported by the token, the extra attributes are likely to be thrown away.
If an attempt is made to create an RSA private key object on a token with insufficient attributes for that particular token, then the object creation
call fails and returns CKR_TEMPLATE_INCOMPLETE.
"

This means that you should try with different sets of attributes.

For example try to remove CKA_PUBLIC_EXPONENT
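A pure-Python pre-flight check for these templates, added here as an example and not part of the thread or of NCryptoki: it encodes the spec minimum quoted above (CKA_MODULUS and CKA_PRIVATE_EXPONENT required, the extra Table 36 parts cross-checked against each other) and lets you bolt on a per-token profile such as the CKA_SIGN/CKA_DECRYPT set from the vendor sample. The CKR values and the allowed/required attribute sets are assumptions taken from the PKCS#11 v2.x specification; a real token's rules can still differ, which is exactly what the thread ran into.

```python
# Pre-flight checker for PKCS#11 C_CreateObject templates (pure Python, no token needed):
# the spec's minimum rules plus a per-token profile for what the spec leaves to the vendor.
CKO_CERTIFICATE, CKO_PRIVATE_KEY, CKK_RSA, CKC_X_509 = 0x1, 0x3, 0x0, 0x0
CKR_OK, CKR_ATTRIBUTE_TYPE_INVALID = 0x00, 0x12
CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT = 0xD0, 0xD1  # 208 and 209 decimal

RSA_PARTS = {"CKA_MODULUS", "CKA_PUBLIC_EXPONENT", "CKA_PRIVATE_EXPONENT", "CKA_PRIME_1",
             "CKA_PRIME_2", "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT"}
COMMON = {"CKA_CLASS", "CKA_TOKEN", "CKA_PRIVATE", "CKA_MODIFIABLE", "CKA_LABEL", "CKA_ID"}
ALLOWED = {  # attribute types that make sense for each class; anything else is a type error
    CKO_PRIVATE_KEY: COMMON | RSA_PARTS | {"CKA_KEY_TYPE", "CKA_SUBJECT", "CKA_SENSITIVE",
        "CKA_EXTRACTABLE", "CKA_SIGN", "CKA_SIGN_RECOVER", "CKA_DECRYPT", "CKA_UNWRAP"},
    CKO_CERTIFICATE: COMMON | {"CKA_CERTIFICATE_TYPE", "CKA_SUBJECT", "CKA_ISSUER",
        "CKA_SERIAL_NUMBER", "CKA_VALUE"},
}
REQUIRED = {  # what the spec says must be supplied to C_CreateObject for each class
    CKO_PRIVATE_KEY: {"CKA_CLASS", "CKA_KEY_TYPE", "CKA_MODULUS", "CKA_PRIVATE_EXPONENT"},
    CKO_CERTIFICATE: {"CKA_CLASS", "CKA_CERTIFICATE_TYPE", "CKA_VALUE"},
}
# Extra attributes the vendor sample in the thread used (an assumed profile, not vendor data).
HID_PROFILE = {CKO_PRIVATE_KEY: {"CKA_SIGN", "CKA_DECRYPT"}}

def big_integer(x):
    """Encode an int as a PKCS#11 'Big integer': unsigned big-endian, no leading zeros."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def rsa_template(n, e, d, p=None, q=None, key_id=b"", label="", token=True):
    """Build the RSA private-key template the thread converged on; CRT parts optional."""
    t = {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_KEY_TYPE": CKK_RSA, "CKA_TOKEN": token,
         "CKA_PRIVATE": True, "CKA_MODIFIABLE": False, "CKA_ID": key_id, "CKA_LABEL": label,
         "CKA_MODULUS": big_integer(n), "CKA_PUBLIC_EXPONENT": big_integer(e),
         "CKA_PRIVATE_EXPONENT": big_integer(d)}
    if p and q:  # remaining Table 36 attributes, the same values .NET's RSAParameters carries
        t.update({"CKA_PRIME_1": big_integer(p), "CKA_PRIME_2": big_integer(q),
                  "CKA_EXPONENT_1": big_integer(d % (p - 1)),
                  "CKA_EXPONENT_2": big_integer(d % (q - 1)),
                  "CKA_COEFFICIENT": big_integer(pow(q, -1, p))})
    return t

def _rsa_reason(t):
    """Cross-check whichever RSA parts are present; return a reason string or None."""
    v = {k: int.from_bytes(t[k], "big") for k in RSA_PARTS if k in t}
    n, d, e = v["CKA_MODULUS"], v["CKA_PRIVATE_EXPONENT"], v.get("CKA_PUBLIC_EXPONENT")
    if n < 3 or n % 2 == 0:
        return "CKA_MODULUS is not an odd integer > 2"
    if e is not None and pow(pow(2, e, n), d, n) != 2:  # (2^e)^d mod n must give 2 back
        return "CKA_PUBLIC_EXPONENT and CKA_PRIVATE_EXPONENT do not match"
    p, q = v.get("CKA_PRIME_1"), v.get("CKA_PRIME_2")
    if p and q:
        if p * q != n:
            return "CKA_PRIME_1 * CKA_PRIME_2 != CKA_MODULUS"
        if v.get("CKA_EXPONENT_1", d % (p - 1)) != d % (p - 1):
            return "CKA_EXPONENT_1 != d mod (p-1)"
        if v.get("CKA_EXPONENT_2", d % (q - 1)) != d % (q - 1):
            return "CKA_EXPONENT_2 != d mod (q-1)"
        if (q * v.get("CKA_COEFFICIENT", pow(q, -1, p))) % p != 1:
            return "CKA_COEFFICIENT is not q^-1 mod p"
    return None

def check_template(t, token_profile=None):
    """Return (CKR code, detail); token_profile maps a class to extra required attributes."""
    cls = t.get("CKA_CLASS")
    if cls not in ALLOWED:
        return CKR_TEMPLATE_INCOMPLETE, "CKA_CLASS missing or not modelled here"
    bad = sorted(k for k in t if k not in ALLOWED[cls])
    if bad:
        return CKR_ATTRIBUTE_TYPE_INVALID, bad
    missing = sorted((REQUIRED[cls] | (token_profile or {}).get(cls, set())) - t.keys())
    if missing:
        return CKR_TEMPLATE_INCOMPLETE, missing
    if cls == CKO_PRIVATE_KEY:
        if t["CKA_KEY_TYPE"] != CKK_RSA:
            return CKR_TEMPLATE_INCONSISTENT, "RSA attributes with a non-RSA CKA_KEY_TYPE"
        reason = _rsa_reason(t)
        if reason:
            return CKR_TEMPLATE_INCONSISTENT, reason
    elif t["CKA_CERTIFICATE_TYPE"] != CKC_X_509:
        return CKR_TEMPLATE_INCONSISTENT, "only CKC_X_509 certificates are modelled here"
    # CKA_TOKEN=false is valid but, as the thread found, yields a session-only object.
    return CKR_OK, "token object" if t.get("CKA_TOKEN") else "session object, not stored"
```

Run it over the template before handing it to Session.Objects.Create: it catches a missing CKA_KEY_TYPE or CKA_CERTIFICATE_TYPE, mismatched key material and a forgotten CKA_TOKEN locally, leaving only the genuinely vendor-specific rules to be found by trial.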

9/29/2010 11:19:30 AM
Total Posts 26

Re: pfx Certificates

Ugo, I have tried what you said, but the error is the same (TEMPLATE_INCOMPLETE). I have removed CKA_PUBLIC_EXPONENT and the problem is the same. I have tried adding the CKA_PRIME_1 and CKA_PRIME_2 attributes and the same... I have resent an e-mail to HID reminding them of the problem and giving more information. Thanks a lot. Once I receive an e-mail I will contact you. Rgds.

10/5/2010 10:19:39 AM
Total Posts 26

Re: pfx Certificates

Ugo, I'm still waiting for a response from HID. Thank you very much.