pfx Certificates

9/24/2010 9:08:57 AM
Total Posts 26

Re: pfx Certificates

Ugo, I have tried what you said to me and the problem persists. I have tried with another cryptographic smart card (ACOS5) instead of the HID Crescendo C700, and the problem is the same. The only thing I have changed to test the ACOS5 card is the following line:

Dim Criptoki As New Cryptoki("acospkcs11.dll")

Rgds,

9/24/2010 12:20:10 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

I didn't see that you set Label = "" and ID = "".

You cannot create a key pair with ID and Label empty. You should set them to a valid value.

Let me know...

Ugo

9/24/2010 1:43:54 PM
Total Posts 26

Re: pfx Certificates

Ugo, I tried with values in these parameters in the past, but the result was the same. I have tested again with this line:

ImportKeyPair(sess, "c:\temp\consuelo.pfx", "1234", "Id Certificado", "Example certificate", True, True)

In the PKCS#11 documentation I can read that CKA_LABEL is the "Description of the object (default empty)", in this case the certificate, so I think I can write what I want. In relation to CKA_ID I can read that it is the "Key identifier for public/private key pair (default empty)". For me it is not clear if I can set this attribute to the content I want.

I have tested with CKA_MODIFIABLE = False and I get the same problem :-(

When I open the session I use this line:

sess = tok.OpenSession(Session.CKF_RW_SESSION Or Session.CKF_SERIAL_SESSION)

intDevolución = sess.Login(Session.CKU_USER, "1234")

and intDevolución = 0 (correct)

Thank you very much.

Rgds,

9/24/2010 6:19:08 PM
Total Posts 26

Re: pfx Certificates

Ugo, I have been reading the PKCS#11 technical document and there is something I don't understand. This is the snippet you sent to me (with the change I made to the parameter ByVal cert As String in order to send the path of the pfx file):

Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Windows.Forms
Imports NCryptoki

' Loads the RSA private key from a PKCS#12 (.pfx) file and creates it on the token
' as a CKO_PRIVATE_KEY object. The certificate itself is imported separately.
Function ImportKeyPair(ByVal Session As Session, ByVal cert As String, ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey
    Try
        ' Exportable is needed, otherwise ExportParameters(True) below throws
        Dim certificate As New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)
        If Not certificate.HasPrivateKey Then
            Throw New Exception("Certificate doesn't have private key. Import failed!")
        End If
        MessageBox.Show(certificate.GetExpirationDateString())
        MessageBox.Show(certificate.Issuer)

        ' Pull the raw RSA parameters (modulus and exponents) out of the .NET key container
        Dim keyPair As RSA = CType(certificate.PrivateKey, RSA)
        Dim keyParams As RSAParameters = keyPair.ExportParameters(True)

        Dim template As New CryptokiCollection()
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
        ' PKCS#11 also lists CKA_KEY_TYPE = CKK_RSA as mandatory for an RSA private key
        ' created with C_CreateObject; a strict module rejects the template without it.
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))          ' persistent token object, not a session object
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))        ' True: usable only after Login
        template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))

        Dim priKey As PrivateKey = CType(Session.Objects.Create(template), PrivateKey)
        Return priKey
    Catch ex As Exception
        ' Rethrow so the caller sees the PKCS#11 error (e.g. 209 = CKR_TEMPLATE_INCONSISTENT)
        Throw
    End Try
End Function

My doubt is the following: with the template you create, is the pfx file copied to the smart card? I don't understand why CKA_CLASS is CryptokiObject.CKO_PRIVATE_KEY instead of CryptokiObject.CKO_CERTIFICATE.

With the software tools the manufacturer provides, I can see the certificate and private key in the token. I delete them with the manufacturer's tools and try again with this code, but I can't... I'll give you more information. With the manufacturer's tools I have to select "Import digital ID" instead of "Import certificate". When I import the digital ID I can see the certificate and private key.

I have not been able to avoid error 209 (TEMPLATE_INCONSISTENT) with this snippet.

Thanks again.

Rgds,

9/25/2010 12:47:55 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

First of all you should know that a pfx is a PKCS#12 container that contains the private key, the public key as well as the related certificate. Thus, importing a pfx means importing the private key and the certificate (and maybe also the public key if you need it separately from the certificate).

To import the key pair you can use the function ImportKeyPair I sent you (modified as you did). Then you should import the certificate with the other function ImportCertificate.

Now, the problem you have is related to some of the attributes you specified in the template. Any PKCS#11 token implements the PKCS#11 standard specifications in its own way. This means that attributes may vary from one implementation to another.
You got that error because one of the attributes in the template is considered not valid by your PKCS#11 module (for example, with my SmartOS CK PKCS#11 it works) or because there are some missing attributes (for example CKA_NEVER_EXTRACTABLE or CKA_ALWAYS_SENSITIVE; refer to the PKCS#11 specification for the function C_CreateObject and the RSA Private Key Object).

So you should try removing one attribute at a time to see which is considered invalid. If it still doesn't work, try adding one of the missing attributes specified in the PKCS#11 specification (for example CKA_NEVER_EXTRACTABLE or CKA_ALWAYS_SENSITIVE, and so on).

Let me know...

Ugo
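As an added example (not from this thread and not NCryptoki code), the Python below automates the one-attribute-at-a-time method described in the post above against a constructed stand-in token that applies the PKCS#11 v2.20 rules for an RSA private key object. Only the error codes, the attribute names and the template mirroring ImportKeyPair come from the thread and the specification; the key bytes are placeholders and the stand-in's behaviour is an assumption about a strict module, not a description of any real card.

```python
# Constructed token standing in for C_CreateObject (not NCryptoki, not a real module).
CKR_OK, CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_TYPE_INVALID = 0x00, 0x10, 0x12
CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT = 0xD0, 0xD1  # 208 and 209 decimal

class CryptokiError(Exception):
    def __init__(self, code):
        super().__init__(f"CKR 0x{code:02X}")
        self.code = code

class StrictToken:
    """Applies the PKCS#11 v2.20 RSA private key template rules; real modules differ."""
    REQUIRED = {"CKA_CLASS", "CKA_KEY_TYPE", "CKA_MODULUS", "CKA_PRIVATE_EXPONENT"}
    OPTIONAL = {"CKA_SUBJECT", "CKA_ID", "CKA_LABEL", "CKA_TOKEN", "CKA_PRIVATE", "CKA_MODIFIABLE",
                "CKA_PUBLIC_EXPONENT", "CKA_SENSITIVE", "CKA_EXTRACTABLE", "CKA_PRIME_1", "CKA_PRIME_2"}
    READ_ONLY = {"CKA_ALWAYS_SENSITIVE", "CKA_NEVER_EXTRACTABLE", "CKA_LOCAL"}

    def create_object(self, template):
        names = set(template)
        if names & self.READ_ONLY:                  # computed by the token, not settable
            raise CryptokiError(CKR_ATTRIBUTE_READ_ONLY)
        if names - self.REQUIRED - self.OPTIONAL:   # unknown for this object class
            raise CryptokiError(CKR_ATTRIBUTE_TYPE_INVALID)
        if self.REQUIRED - names:                   # a mandatory attribute is missing
            raise CryptokiError(CKR_TEMPLATE_INCOMPLETE)
        if (template["CKA_CLASS"], template["CKA_KEY_TYPE"]) != ("CKO_PRIVATE_KEY", "CKK_RSA"):
            raise CryptokiError(CKR_TEMPLATE_INCONSISTENT)
        return CKR_OK

def outcome(create_object, template):
    try:
        return create_object(template)
    except CryptokiError as err:
        return err.code

def diagnose(create_object, template, candidates):
    """Map each one-attribute removal and each candidate addition to its CKR_* code."""
    base = outcome(create_object, template)
    removing = {n: outcome(create_object, {k: v for k, v in template.items() if k != n})
                for n in template}
    adding = {n: outcome(create_object, {**template, n: v}) for n, v in candidates.items()}
    return {"base": base, "removing": removing, "adding": adding}

# Template mirroring the thread's ImportKeyPair; the key bytes are placeholders.
KEYPAIR_TEMPLATE = {
    "CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_SUBJECT": b"\x30\x00", "CKA_ID": "Id Certificado",
    "CKA_LABEL": "Example certificate", "CKA_TOKEN": True, "CKA_MODULUS": b"\x00" * 128,
    "CKA_PUBLIC_EXPONENT": b"\x01\x00\x01", "CKA_PRIVATE_EXPONENT": b"\x00" * 128,
    "CKA_PRIVATE": True, "CKA_MODIFIABLE": True,
}
CANDIDATES = {"CKA_KEY_TYPE": "CKK_RSA", "CKA_SENSITIVE": True, "CKA_NEVER_EXTRACTABLE": True}
```

Against this stand-in the base template fails with CKR_TEMPLATE_INCOMPLETE, adding CKA_KEY_TYPE = CKK_RSA makes it succeed, and adding CKA_NEVER_EXTRACTABLE fails with CKR_ATTRIBUTE_READ_ONLY because v2.20 marks it as token-computed; with a real module it is the module's own answers that the report captures.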

9/27/2010 10:22:57 AM
Total Posts 26

Re: pfx Certificates

Ugo, this is crazy. I have tested with 3 different smart cards (HID Crescendo C700 (HID), ACOS5 (ACS) and Touch&Sign 2048 (bit4id)). With the first one (the smart card I want to work with) I have commented out the attributes of your snippet one by one and the problem is the same (TEMPLATE_INCONSISTENT). I have added CKA_ALWAYS_SENSITIVE and CKA_EXTRACTABLE (one by one too) and the problem persists.

I have tried with the ACOS5 card and the error is different (ATTRIBUTE_TYPE_INVALID). I have commented out the attributes one by one and the problem is the same.

I have tried with Touch&Sign 2048 and "it works", but this is not the card we want to use. Anyway, do you have the snippet to load the certificate once the private key is loaded?

I think the only solution I have is talking to HID in order to get the necessary attributes for the private key and certificate.

Thank you.

9/27/2010 6:35:44 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

I know what you are experiencing :)

The best way is to ask HID what the required attributes are.

This is the snippet to load a certificate:

Imports System.Security.Cryptography.X509Certificates
Imports NCryptoki

' Creates the X.509 certificate on the token as a CKO_CERTIFICATE object, to be
' called after ImportKeyPair with the same id so the token links key and certificate.
Function ImportCertificate(ByVal session As Session, ByVal cert As X509Certificate2, ByVal id As String, ByVal label As String, ByVal modifiable As Boolean) As CryptokiObject
    ' PKCS#11 defines CKA_SERIAL_NUMBER as the DER-encoded INTEGER, not .NET's hex string.
    ' GetSerialNumber() returns the content octets little-endian, so reverse them and
    ' prefix tag 0x02 and the length (short form is enough: serials are at most 20 octets).
    Dim serial As Byte() = cert.GetSerialNumber()
    Array.Reverse(serial)
    Dim derSerial(serial.Length + 1) As Byte   ' VB gives the upper bound: length + 2 elements
    derSerial(0) = &H2
    derSerial(1) = CByte(serial.Length)
    Array.Copy(serial, 0, derSerial, 2, serial.Length)

    Dim template As New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE))
    ' The specification also requires CKA_CERTIFICATE_TYPE = CKC_X_509 for an X.509
    ' certificate object; add it if your module answers CKR_TEMPLATE_INCOMPLETE.
    ' CKA_SUBJECT and CKA_ISSUER are both the DER-encoded name (RawData), not the display string.
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.IssuerName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, derSerial))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData))   ' the DER certificate itself
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))

    Dim certif As CryptokiObject = session.Objects.Create(template)
    Return certif
End Function

Regards,

Ugo

9/27/2010 6:45:18 PM
Total Posts 26

Re: pfx Certificates

Thank you, Ugo. This is very frustrating. Everybody says I must use CryptoAPI instead of PKCS#11, because it is very difficult to manage if you don't use C++. You have helped me a lot, so I think we are close to the solution. I will wait.

Thank you, again.

Rgds,

9/27/2010 6:58:23 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

People say that you cannot use PKCS#11 without C++ because they don't know NCryptoki.

I made NCryptoki exactly to allow people to use PKCS#11 without C++.

CryptoAPI can be used to import a pfx into the card if you have a CSP (Cryptographic Service Provider) for that smart card. If not, you must use a PKCS#11 module. Also, CryptoAPI only allows you to manage certificates and keys. It doesn't supply any function to load a photo or other kind of data onto the smart card.

NCryptoki supplies all you need to fully manage a smart card, from certificates to keys to photos.

Do you have any sample from HID that shows how to load a private key?

9/28/2010 8:45:37 AM
Total Posts 26

Re: pfx Certificates

Thank you, Ugo. Yes, I have an example HID sent to me. Can you give me your e-mail address?

9/28/2010 10:37:35 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

See the Contacts page and write to the techy address.