pfx Certificates

You must sign in to post in the forums.
9/23/2010 8:51:58 AM
fcirera
Gravatar
Total Posts 26
View Posts

pfx Certificates

Dear Ugo: I would like you to confirm if it is possible to load a pfx certificate from a file to smart card. I need to change PIN and PUK too. I have been able to select the slot, the token, open Session and change PIN, but I don´t know how to change PUK and load the certificate from a file. Would it be possible to store a photo with your API?  Do you have an example in Visual Basic 6 or Visual Basic Net? Thank you very much in advanced. Kind regards.

9/23/2010 3:47:49 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

Hi fcifera,

yes, you can import a pfx in the smart card using NCryptoki.
Also you can import an array of bytes (for example a photo) as Data object.
Refer the VB.NET snippets shown below.

Regarding the PUK you must log as SecurityOffice (USER_SO) and than call Session.SetPIN(oldPin, newPin).

Regards,

Ugo Chirico
http://www.ugochirico.com

Code snippets.

Function ImportKeyPair(ByVal Session As Session, ByVal cert As Byte(), ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey

 Dim certificate As X509Certificate2
 certificate = New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)

 If (Not certificate.HasPrivateKey) Then
 Throw New Exception("Certificate doesn't have private key. Import failed!")
 End If

 Dim keyPair As RSA
 Dim keyParams As RSAParameters
 Dim template As CryptokiCollection
 Dim priKey As PrivateKey

 keyPair = certificate.PrivateKey

 keyParams = keyPair.ExportParameters(True)
 template = New CryptokiCollection()
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
 priKey = Session.Objects.Create(template)

 ImportKeyPair = priKey
 End Function

Function ImportData(ByVal session As Session, ByVal databuffer As Byte(), ByVal label As String, ByVal app As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As Data

 Dim template As CryptokiCollection
 Dim data As Data

 template = New CryptokiCollection()
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_DATA))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_APPLICATION, app))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
 template.Add(New ObjectAttribute(ObjectAttribute.CKA_VALUE, databuffer))

 data = CType(session.Objects.Create(template), Data)

 ImportData = data
 End Function
9/23/2010 4:01:39 PM
fcirera
Gravatar
Total Posts 26
View Posts

Re: pfx Certificates

Thank you, Ugo, but I don´t have the following classes: X509Certificate2, RSA and RSAParameters. I have the following references: Ncryptoki y NCryptokiMngd. I use Imports Cryptware.Cryptoki to import NameSpace. Thanks again.

9/23/2010 4:28:32 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

Add these imports:

Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Cryptography

 

Regards,

Ugo

9/23/2010 4:31:43 PM
fcirera
Gravatar
Total Posts 26
View Posts

Re: pfx Certificates

Thank you, Ugo.

9/23/2010 4:34:20 PM
fcirera
Gravatar
Total Posts 26
View Posts

Re: pfx Certificates

Ugo, I´m very sorry, but I have to develop it in Visual Basic 6 and .Net. In case of Visual Basic 6, X509Certificate2 is not available. How can I load a certificate from a file and the photo? Thanks again.

9/23/2010 6:05:52 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

In Visual Basic 6 there is nothing similar to X509Certificate2 nor another way to manage pfx as simple as .net.

You could write in .net a class that manages a pfx and returns an array of bytes and the other info you need, give to that class COM visibility and call it from you VB6 code.

For the photo is simpler. You have must read the photo as normal file putting the content in a byte() variable and call the same procedure I sent you in the last post.

 

Regards,

Ugo

 

 

9/23/2010 6:24:44 PM
fcirera
Gravatar
Total Posts 26
View Posts

Re: pfx Certificates

Ugo, I have tested the snippet you sent to me to load a pfx file in a smart card. I have changed an argument of the function. I use Byval cert as string instead of ByVal cert as byte(), because I will send the full path with the name of pfx file. This is the modified snippet:

Function ImportKeyPair(ByVal Session As Session, ByVal cert As String, ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey
     Dim certificate As X509Certificate2
     certificate = New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)
     If (Not certificate.HasPrivateKey) Then
           Throw New Exception("Certificate doesn't have private key. Import failed!")
     End If
     Dim keyPair As RSA
     Dim keyParams As RSAParameters
     Dim template As CryptokiCollection
     Dim priKey As PrivateKey
     keyPair = certificate.PrivateKey
     keyParams = keyPair.ExportParameters(True)
    template = New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
    priKey = Session.Objects.Create(template)
   ImportKeyPair = priKey
End Function

 

And this is line I use to call the function:

 

ImportKeyPair(sess, "c:\temp\consuelo.pfx", "12345", "", "", True, True)
 

 

This is the error I get in line "priKey = Session.Objects.Create(template):

 

ErrorCode=209
ErrorString="TEMPLATE_INCONSISTENT"

 

Do you know why?

 

Thanks a lot.

 

 

9/23/2010 8:36:49 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

TEMPLATE_INCONSISTENT comes from the underlying native PKCS#11 module you are using: aetpkss1.dll.
This error can happen when one of the attributes has a wrong value. In your case it might be the attribute CKA_MODIFIABLE that you set to true. Maybe aetpkss1.dll accept only not modifiable key pairs. Try to set it to false.

Regards,

Ugo

9/23/2010 8:48:56 PM
fcirera
Gravatar
Total Posts 26
View Posts

Re: pfx Certificates

Thank you, Ugo. I will try it.

9/24/2010 9:08:57 AM
fcirera
Gravatar
Total Posts 26
View Posts

Re: pfx Certificates

Ugo, I have tried you have said to me and the problem persists. I have tried with another cryptographic smart card (ACOS5), instead of with HID C700 crescendo, and the problem is the same. The only thing I have changed to test ACOS5 card is the following line:

 

Dim Criptoki As New Cryptoki("acospkcs11.dll")

 

Rgds,
 

You must sign in to post in the forums.