ElX509Certificate class and X509Certificate2 from .NET

Posted: 05/28/2008 02:09:27
by Damjan Slapar (Basic support level)
Joined: 05/28/2008
Posts: 2

We are considering evaluating and eventually also using the SecureBlackbox library in our application, but even before that I'd like to clarify that we can solve our problem.

We are using a smart card (client application) on the Windows platform with PKCS#11 (cryptoki) API support. The certificates on the smart card are PIN protected. We would like to use the certificate to authenticate the application to the server (SSL/TLS).

1) As I understand, SecureBlackbox is a wrapper also around the PKCS#11 API?
2) In that case, I'd use ElX509Certificate class to access the certificate on the smart card?
3) You have support for more certificates on one smart card?
4) How do you handle the PIN protected certificates?
5) Can I pass on the certificate from ElX509Certificate class to be used in X509Certificate2 and later on to use all .NET function to authenticate client or sign XML, for example? (again, how is the PIN protected certificate handled)

Tnx in advance for your effort.

Best regards,
Damjan Slapar,
Marg d.o.o.
Posted: 05/28/2008 02:52:26
by Eugene Mayevski (Team)

1) Yes.
2) Yes.
3) Please clarify the question.
4) Depends on how you access the certificates. If you use ElPKCS11CertStorage class, you need to call Login method of ElPKCS11Module class (accessible via ElPKCS11CertStorage) and pass the PIN to it. This must be done before you can open the storage and use the certificates. In case of ElWinCertStorage class CryptoAPI asks the user for a password/PIN and there's no uniform way to pass the PIN in code.
Damjan Slapar wrote:
Can I pass on the certificate from ElX509Certificate class to be used in X509Certificate2

No, as .NET certificate class directly accesses CryptoAPI. SecureBlackbox provides more than .NET Framework, when it comes to certificates. You can use our classes to sign XML. And you can use our transport classes (ElHTTPSClient, ElSimpleFTPSClient etc.) to connect to the remote server.

Sincerely yours
Eugene Mayevski
Posted: 05/28/2008 03:11:34
by Damjan Slapar (Basic support level)
Joined: 05/28/2008
Posts: 2

1) Ok.
2) Ok.
3) The smart cards we will be using can (and eventually will) hold up to 4 certificates (different issuers). I guess there is a way to enumerate through the certificates on the smart card and "select" the right one to use?
4) OK, we need ElPKCS11CertStorage and we can ask the user in advance to enter the PIN. In case we would have direct communication between the reader and the card with regards to the PIN entry (the PIN does not leave the reader), then it is again transparent for us, right?
5) Oh, I get it now. This will do, but we will of course need to change the current calls with regards to establishing the SSL session.

Tnx for prompt response.

Posted: 05/28/2008 03:26:46
by Eugene Mayevski (Team)

3) Of course. ElPKCS11CertStorage provides access to all certificates.

Sincerely yours
Eugene Mayevski
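Putting the two answers together (PIN login on the PKCS#11 module before opening the storage, then picking one of the card's certificates by issuer and handing the storage to the TLS client), as an added C# illustration that is not code from this thread or from SecureBlackbox's own samples. Only ElPKCS11CertStorage, ElPKCS11Module.Login, ElX509Certificate and ElHTTPSClient are named above; the namespaces, the DLLName, get_Certificates, Count, IssuerName and ClientCertStorage members, the Login parameter list and the DLL path are assumptions to be checked against the SecureBlackbox documentation for the version in use.

```csharp
using System;
// Namespaces are assumed; verify them against the SecureBlackbox assemblies you ship.
using SBX509;
using SBPKCS11CertStorage;
using SBHTTPSClient;

static class CardTlsClient
{
    // Placeholder path to the card vendor's PKCS#11 (cryptoki) DLL, not a real file name.
    const string CryptokiDll = @"C:\path\to\vendor-pkcs11.dll";

    // Order follows the answer above: log in to the module with the PIN first,
    // then open the storage. With a PIN-pad reader the PIN never reaches the
    // application; how that case is signalled to the library is not covered here.
    static TElPKCS11CertStorage OpenCardStorage(string pin)
    {
        var storage = new TElPKCS11CertStorage();
        storage.DLLName = CryptokiDll;                 // assumed property name
        storage.Module.Login(pin);                     // assumed signature (Login is named above)
        storage.Open();
        return storage;
    }

    // Enumerate the (up to four) certificates on the card and select by issuer.
    static TElX509Certificate SelectByIssuer(TElPKCS11CertStorage storage, string issuerCn)
    {
        for (int i = 0; i < storage.Count; i++)       // Count / get_Certificates assumed
        {
            TElX509Certificate cert = storage.get_Certificates(i);
            if (string.Equals(cert.IssuerName.CommonName, issuerCn, StringComparison.Ordinal))
                return cert;
        }
        throw new InvalidOperationException("No certificate from issuer " + issuerCn + " on card");
    }

    static void Main()
    {
        Console.Write("Card PIN: ");
        string pin = Console.ReadLine();               // prompt in advance, as discussed above
        using (var storage = OpenCardStorage(pin))
        {
            TElX509Certificate chosen = SelectByIssuer(storage, "Example Issuer CA"); // constructed issuer
            Console.WriteLine("Using certificate for: " + chosen.SubjectName.CommonName);

            // The TLS client takes the storage for client authentication (assumed property).
            var client = new TElHTTPSClient();
            client.ClientCertStorage = storage;
            client.Get("https://server.example/");    // placeholder URL
        }
    }
}
```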