EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How to map certificate from USB token to Windows Store ("personal")

#8608
Posted: 01/13/2009 10:31:38
by Arsen Gevorgyan (Standard support level)
Joined: 01/09/2009
Posts: 8

We are using PKIBlackbox for .NET. We need to map a certificate from a USB token to the Windows store (to "Personal"). Can you give a hint how to do that?

Again, we don't want to add a certificate permanently to the Windows store; we just want to "map" the certificate from the token to the Windows store, so that when the user unplugs the token, the certificate is no longer available.

So far we have been using the PKCS#11 interface to work with the USB token.

Thanks,
#8609
Posted: 01/13/2009 10:51:08
by Eugene Mayevski (EldoS Corp.)

To "map" the certificate from a hardware token to Windows certificate storage you would need to create a CSP (Certificate Storage Provider), work that is done in C++ and requires serious knowledge of CryptoAPI. This cannot be done in C# and this cannot be done with SecureBlackbox. Creation of a custom CSP is possible, but usually requires lots of time and makes little sense for most users: the hardware vendors usually ship both PKCS#11 and CryptoAPI interfaces.

If you are a hardware vendor yourself and need to create a custom CSP, then we can offer a custom service in this aspect.


Sincerely yours
Eugene Mayevski
#8620
Posted: 01/14/2009 01:24:50
by Arsen Gevorgyan (Standard support level)
Joined: 01/09/2009
Posts: 8

Thanks for the response.
Actually we are not a hardware vendor; we are developing software in .NET with a PKI infrastructure. We do use a token which supports both interfaces, PKCS#11 and CryptoAPI. Right now we have integrated the token with our application via the ElPKCS11CertStorage class.
Actually what I need is to have the certificate in the Windows store only when the token is plugged in! And when the user unplugs the token, the certificate should be removed from the store. That is it. And my question was how to do that using the PKCS#11 interface (or maybe CryptoAPI...).
Actually I can manually do that by using the "Add"\"Remove" functions of the ElWinCertStorage class, but as I understood, these methods add the certificate to the store "permanently", but I need to have it there temporarily.
Thanks
#8621
Posted: 01/14/2009 01:59:06
by Eugene Mayevski (EldoS Corp.)

Quote
Arsen Gevorgyan wrote:
Actually what I need is to have the certificate in the Windows store only when the token is plugged in! And when the user unplugs the token, the certificate should be removed from the store. That is it. And my question was how to do that using the PKCS#11 interface (or maybe CryptoAPI...).


It is the job of the CryptoAPI provider, shipped by the hardware vendor, to do this. Most vendors have an option in their CryptoAPI module that lets you specify whether the certificate (without the private key, of course) stays visible to the OS when the token is removed. This option is controlled via the vendor-provided GUI, not in code. So there's not much you can do in this aspect.

The only idea that comes to my mind is to use the ElWinCertStorage class to locate the certificates which you see via PKCS#11, and if the token is removed (you need to detect this yourself, as PKCS#11 doesn't specify a way to do this), delete the certificates via ElWinCertStorage. This should work. But if your application is shut down, then obviously the certificate will stay in the Windows Certificate Storage.

Quote
Arsen Gevorgyan wrote:
Actually I can manually do that by using the "Add"\"Remove" functions of the ElWinCertStorage class, but as I understood, these methods add the certificate to the store "permanently", but I need to have it there temporarily.


You don't need to add the certificate to Windows certificate storage; this is done by the CryptoAPI provider automatically. As for removal, see above.


Sincerely yours
Eugene Mayevski
#8622
Posted: 01/14/2009 04:32:09
by Arsen Gevorgyan (Standard support level)
Joined: 01/09/2009
Posts: 8

Well, the matter is that I am not using any GUI from my token provider. I have developed my own GUI (due to localization, etc.), and actually what I need is just to get a hint about the classes that I should use from CryptoAPI to add my token to the Windows store.

I understand the solution with Add\Remove; however, I don't want to be dependent on the call of the "Remove" function.
#8623
Posted: 01/14/2009 04:55:36
by Eugene Mayevski (EldoS Corp.)

Quote
Arsen Gevorgyan wrote:
Well, the matter is that I am not using any GUI from my token provider. I have developed my own GUI (due to localization, etc.), and actually what I need is just to get a hint about the classes that I should use from CryptoAPI to add my token to the Windows store.


Besides the obvious add/remove way, there are no other easy ways (you can write your own CSP for the device, and this will solve your problem). The reason is that the CSP doesn't "add" a certificate to the Windows Certificate Storage, but makes the certificate visible as if it were in the storage.


Sincerely yours
Eugene Mayevski
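As an added example (not code from this thread, from SecureBlackbox, or from EldoS), here is the add-on-insert / remove-on-removal approach described above, written against .NET's built-in X509Store instead of ElWinCertStorage. It assumes the caller obtains the certificate bytes from the token (for instance via PKCS#11) and detects token removal itself; it also covers the failure mode mentioned above, a certificate left behind when the application exits without calling Remove, by tagging mirrored entries and purging them at the next startup.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread or SecureBlackbox. Mirrors token
// certificates into CurrentUser\My while the token is present and purges
// them on removal, on Dispose, and at next startup (the app-crash case).
public sealed class TokenCertMirror : IDisposable
{
    // Marker written to FriendlyName so we only ever delete our own entries,
    // never certificates the user installed permanently.
    private const string Marker = "[token-mirror]";
    private readonly X509Store _store =
        new X509Store(StoreName.My, StoreLocation.CurrentUser);

    public TokenCertMirror()
    {
        _store.Open(OpenFlags.ReadWrite);
        PurgeMirrored(); // stale entries from a previous session that crashed
    }

    // certDer: DER bytes of the certificate read from the token (assumed
    // to come from the caller's PKCS#11 code). Only the public certificate
    // is stored; the private key never leaves the token.
    public void OnTokenInserted(byte[] certDer)
    {
        var cert = new X509Certificate2(certDer) { FriendlyName = Marker };
        bool present = _store.Certificates.Find(
            X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0;
        if (!present)
            _store.Add(cert);
    }

    // Removal detection is the caller's job (e.g. polling slot presence or
    // Windows device-change notifications); call this when it fires.
    public void OnTokenRemoved() => PurgeMirrored();

    private void PurgeMirrored()
    {
        // _store.Certificates returns a snapshot, so removing while
        // iterating it is safe.
        foreach (var c in _store.Certificates)
            if (c.FriendlyName == Marker)
                _store.Remove(c);
    }

    public void Dispose()
    {
        PurgeMirrored();
        _store.Close();
    }
}
```

Because the entry is a plain certificate with no key container, applications that pick it from the store will still be unable to sign or decrypt unless the vendor CSP is installed and the token is present.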
#8627
Posted: 01/14/2009 08:21:33
by Arsen Gevorgyan (Standard support level)
Joined: 01/09/2009
Posts: 8

Seems my CSP is doing everything I need; however, I don't have enough knowledge of MS CryptoAPI to manipulate a third-party CSP. Can somebody give a hint how to initialize the CSP and what classes in .NET (3.5) I should use to manipulate the CSP?
#8628
Posted: 01/14/2009 08:31:02
by Eugene Mayevski (EldoS Corp.)

For this question you should use the MSDN newsgroups and forums. You will find CryptoAPI specialists there.


Sincerely yours
Eugene Mayevski