EldoS | Feel safer!

Software components for data protection, secure storage and transfer

TElX509Certificate from X509Certificate2 object

Posted: 02/11/2010 09:10:12
by Ken Ivanov (Team)

Thank you for contacting us.

Validation only requires public certificate to be present (no private key is needed). That is, you can serialize certificate to the DER format (TElX509Certificate.SaveToBuffer()), and then deserialize it into the X509Certificate2 instance (passing the obtained byte array to its constructor).
Posted: 11/17/2011 06:39:25
by Velin Achev (Standard support level)
Joined: 09/19/2011
Posts: 9


can you suggest me a way to use the transparent conversion, that you mentioned above, from a X509Certificate2 object to TElX509Certificate, if the X509Certificate2 is with non-exportable private key?

I'll appreciate your help.

Regards, Velin
Posted: 11/17/2011 07:22:08
by Vsevolod Ievgiienko (Team)


If a private key is marked as "non-exportable" then you can't export it using an official API therefore it can not be converted to TElX509Certificate. If the private key is exportable then you can serialize X509Certificate2 using its Export(X509ContentType.Pfx) method and then deserialize it using TElX509Certificate.LoadFromBufferPFX method.
Posted: 11/17/2011 08:00:33
by Eugene Mayevski (Team)

Velin Achev wrote:
if the X509Certificate2 is with non-exportable private key?

Most likely such certificate was obtained via Windows Certificate Storage. Consequently, you can try to *find* it using TElWinCertStorage (you can use Issuer and SerialNumber fields or one or both of hashes). If you do this, you will get an instance of TElX509Certificate with accessible (though not exportable) private key.

Sincerely yours
Eugene Mayevski
Posted: 11/17/2011 08:31:35
by Velin Achev (Standard support level)
Joined: 09/19/2011
Posts: 9

Thanks again for your quick responses,
but can you tell me if the possible operations are possible using SBB:

We've implemented the following operations using .net classes -
1) load certificate from win store,
2) switching the certificate private key (a RSACryptoServiceProvider) with a new one, while supplying the password...
3) so the certificate now has a new copy of its private key, but now has password, and at the moment of signing there's no password request. It works.

So I wonder if I can implement the same operations like these 3 steps with SBB.

Regards, Velin
Posted: 11/17/2011 08:35:37
by Velin Achev (Standard support level)
Joined: 09/19/2011
Posts: 9

Just to mention that I haven't read Eugene's previous post of my previous post, because i haven't reloaded the page... But I still would like to skip the password requesting.
Posted: 11/17/2011 09:04:32
by Eugene Mayevski (Team)

And what is the sense of using X509Certificate2 in your context? As I understood, you obtain such instance from certificate storage, and you can do this using TElWinCertStorage as well. This way you will enter the password just once.

Sincerely yours
Eugene Mayevski
Posted: 11/17/2011 10:19:44
by Velin Achev (Standard support level)
Joined: 09/19/2011
Posts: 9

That was our old implementation - we used X509Certificate2 objects to retrieve certificates. We used to get certificates either from store or smart card(1), create new private key object with password that we supply programatically or declarativelly(2) - so when the program needed to sign document with that certificate we did not have to enter password (there is no interaction with the password prompt).
Yes - I've tested TElWinCertStorage - and it works great - i load the certificate I need, but don't know if it is possible to "change" the private key object with a new one, and give it new password, as we did with X509Certificate2.

Posted: 11/17/2011 11:23:51
by Ken Ivanov (Team)

While there is no way to "substitute" a key with SecureBlackbox, you can

1) convert existing X509Certificate2 object to TElX509Certificate with the use of TElX509Certificate.FromX509Certificate2() method (independently of whether the key is exportable or not),

2) assign the private key password to TElX509Certificate.KeyMaterial.KeyExchangePIN and TElX509Certificate.KeyMaterial.SignaturePIN properties (however, this feature is unsupported by some cryptographic providers).
Posted: 04/18/2012 06:24:46
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello Ivanov
When I tried to use method FromX509Certificate2 I get following exception:

Attempt by security transparent method 'SBX509.TElX509Certificate.FromX509Certificate2(System.Security.Cryptography.X509Certificates.X509Certificate2)' to access security critical method 'System.Security.Cryptography.X509Certificates.X509Certificate.get_Handle()' failed.

Assembly 'SecureBlackbox, Version=, Culture=neutral, PublicKeyToken=5a62fa96d0ac431a' is marked with the AllowPartiallyTrustedCallersAttribute, and uses the level 2 security transparency model. Level 2 transparency causes all methods in AllowPartiallyTrustedCallers assemblies to become security transparent by default, which may be the cause of this exception.

Converting from TElX509Certificate to X509Certificate2 works fine...



Topic viewed 14688 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!