Generate key pair directly on a USB token in version 7.0.155

#9741
Posted: 04/19/2009 23:32:11
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

I want to generate a key pair directly on the token, then use the public key to generate a certificate request.
I think it is possible with the crypto provider class (TElPKCS11CryptoProvider), but I don't know how to use it because there isn't any description of this class in the EldoS help document. I want to know whether it is implemented in the new version. Thanks.
#9742
Posted: 04/19/2009 23:56:13
by Ken Ivanov (EldoS Corp.)

Yes, SecureBlackbox 7 supports raw key generation. Please use the following code (Delphi notation):

procedure GenerateKeyPairOnToken;
var
  KeyMaterial : TElRSAKeyMaterial;
begin
  // The key material is bound to the PKCS#11 provider of the open session,
  // so the key pair is generated by the token and the private key stays on it.
  KeyMaterial := TElRSAKeyMaterial.Create(FSessionInfo.CryptoProvider);
  try
    KeyMaterial.Generate(1024);
  finally
    FreeAndNil(KeyMaterial);
  end;
end;

FSessionInfo is a TElPKCS11SessionInfo object that corresponds to the opened PKCS11 session. Use TElPKCS11CertStorage class to open and log into the session.
#9743
Posted: 04/20/2009 01:00:27
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

OK, thanks. I will check it. How can I generate a request? Actually, I want to generate a request made from the token key pair and then send it to my CA app for issuing. Do you know how I can do this?
#9745
Posted: 04/20/2009 03:38:11
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

I checked your solution in C#.NET but I got this error. You can see my code below. Please help me. Thanks a lot.
Error:
PKCS#11 error in function #59 (error code is 209)

My code:
// 'session' is the TElPKCS11SessionInfo of an opened and logged-in PKCS#11 session
TElRSAKeyMaterial keyMaterial = new TElRSAKeyMaterial(session.CryptoProvider);
keyMaterial.HashAlgorithm = SBUtils.Unit.SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION;

try
{
    keyMaterial.Generate(1024);
}
catch (Exception err)
{
    MessageBox.Show(err.Message);
}
#9749
Posted: 04/20/2009 04:42:10
by Ken Ivanov (EldoS Corp.)

The error you are receiving:

    PKCS#11 error in function #59 (error code is 209)

in plain English means: "PKCS#11 error in function C_GenerateKeyPair() (error is CKR_TEMPLATE_INCONSISTENT)". This error is usually returned if the token driver does not understand one or more parameters in the attributes template passed to the keypair generation function. This issue requires further investigation; I have created a Helpdesk ticket for you. Let's continue the discussion there.
#12131
Posted: 01/20/2010 06:44:19
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

Hi.
I checked beta version 7.1 to generate a self-signed certificate directly on a token. At first the key pair was generated on the token, but after that I got this error: "Secret key not found".
You can see my code below. Please tell me how I can do it.

Code:

// 'session' is a TElPKCS11SessionInfo for an opened, logged-in PKCS#11 session.
TElX509CertificateEx Cert = new TElX509CertificateEx(null);
Cert.SerialNumber = SBUtils.Unit.BytesOf("11");
Cert.UseUTF8 = true;

// Subject: C, ST, L, O, OU, CN, all encoded as PrintableString
Cert.SubjectRDN.Count = 6;
for (int i = 0; i <= 5; i++)
    Cert.SubjectRDN.set_Tags(i, SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);

Cert.SubjectRDN.set_OIDs(0, SBUtils.Unit.SB_CERT_OID_COUNTRY);
Cert.SubjectRDN.set_Values(0, SBUtils.Unit.BytesOfString("IR"));
Cert.SubjectRDN.set_OIDs(1, SBUtils.Unit.SB_CERT_OID_STATE_OR_PROVINCE);
Cert.SubjectRDN.set_Values(1, SBUtils.Unit.BytesOfString("Tehran"));
Cert.SubjectRDN.set_OIDs(2, SBUtils.Unit.SB_CERT_OID_LOCALITY);
Cert.SubjectRDN.set_Values(2, SBUtils.Unit.BytesOfString("Tehran"));
Cert.SubjectRDN.set_OIDs(3, SBUtils.Unit.SB_CERT_OID_ORGANIZATION);
Cert.SubjectRDN.set_Values(3, SBUtils.Unit.BytesOfString("RSA"));
Cert.SubjectRDN.set_OIDs(4, SBUtils.Unit.SB_CERT_OID_ORGANIZATION_UNIT);
Cert.SubjectRDN.set_Values(4, SBUtils.Unit.BytesOfString("RSAUnit"));
Cert.SubjectRDN.set_OIDs(5, SBUtils.Unit.SB_CERT_OID_COMMON_NAME);
Cert.SubjectRDN.set_Values(5, SBUtils.Unit.BytesOfString("TestCert"));

Cert.ValidFrom = DateTime.Now.ToUniversalTime();
Cert.ValidTo = DateTime.Now.ToUniversalTime().AddYears(1);

// Self-signed: no CA certificate, issuer is the same name as the subject
Cert.CAAvailable = false;
Cert.IssuerRDN.Count = 6;
for (int i = 0; i <= 5; i++)
    Cert.IssuerRDN.set_Tags(i, SBASN1Tree.Unit.SB_ASN1_PRINTABLESTRING);

Cert.IssuerRDN.set_OIDs(0, SBUtils.Unit.SB_CERT_OID_COUNTRY);
Cert.IssuerRDN.set_Values(0, SBUtils.Unit.BytesOfString("IR"));
Cert.IssuerRDN.set_OIDs(1, SBUtils.Unit.SB_CERT_OID_STATE_OR_PROVINCE);
Cert.IssuerRDN.set_Values(1, SBUtils.Unit.BytesOfString("Tehran"));
Cert.IssuerRDN.set_OIDs(2, SBUtils.Unit.SB_CERT_OID_LOCALITY);
Cert.IssuerRDN.set_Values(2, SBUtils.Unit.BytesOfString("Tehran"));
Cert.IssuerRDN.set_OIDs(3, SBUtils.Unit.SB_CERT_OID_ORGANIZATION);
Cert.IssuerRDN.set_Values(3, SBUtils.Unit.BytesOfString("RSA"));
Cert.IssuerRDN.set_OIDs(4, SBUtils.Unit.SB_CERT_OID_ORGANIZATION_UNIT);
Cert.IssuerRDN.set_Values(4, SBUtils.Unit.BytesOfString("RSAUnit"));
Cert.IssuerRDN.set_OIDs(5, SBUtils.Unit.SB_CERT_OID_COMMON_NAME);
Cert.IssuerRDN.set_Values(5, SBUtils.Unit.BytesOfString("TestCert"));

// CRL distribution point extension: an HTTP URI and a UNC file URI.
// Count = 2 as posted; only distribution point 0 is populated below.
Cert.Extensions.CRLDistributionPoints.Count = 2;
Cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name.Add();
Cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name.Add();
Cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name.get_Names(0).NameType = TSBGeneralName.gnUniformResourceIdentifier;
Cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name.get_Names(1).NameType = TSBGeneralName.gnUniformResourceIdentifier;
//Directory.CreateDirectory(Application.StartupPath + "\\CRL");

string URL = "http://" + Environment.MachineName + "/CRL/" + "TestCert" + ".crl";
Cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name
    .get_Names(0).UniformResourceIdentifier = URL;
Cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name
    .get_Names(1).UniformResourceIdentifier = "file://\\\\" + Environment.MachineName + "\\CRL\\" + "TestCert" + ".crl";

// Bit flags selecting which extensions are written (as posted: 0x1000 | 4)
Cert.Extensions.Included = 0x1000 | 4;

Cert.Extensions.KeyUsage.CRLSign = true;
Cert.Extensions.KeyUsage.DigitalSignature = true;
Cert.Extensions.KeyUsage.KeyCertSign = true;

// Generate the key pair through the token's provider and self-sign the certificate
Cert.CryptoProvider = session.CryptoProvider;
Cert.Generate(SBUtils.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION, 1024/32);  // key length argument as posted
#12132
Posted: 01/20/2010 07:02:11
by Ken Ivanov (EldoS Corp.)

1) Have you logged into the session with a valid PIN prior to generating the certificate?
2) Does the code I have referenced in the second message of this topic work without errors for you?
3) Please upgrade to the latest available SBB build (7.2.168) prior to testing. It is a good idea to always try the latest available build.
#12133
Posted: 01/20/2010 07:48:05
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

1) Yes, I have logged into the session with a valid PIN.
2) Yes, it works, but I want to generate the certificate on my token, not only the key pair.
I can generate a key pair on my token, but I can't generate a self-signed certificate directly on it.
3) Thank you, I'll check it ASAP.
#12135
Posted: 01/20/2010 08:42:48
by reza Goki (Standard support level)
Joined: 02/25/2008
Posts: 30

I checked the new SBB build (7.2.168) but I got the same error:
"Secret key not found".
Please tell me what I can do now.
#12139
Posted: 01/20/2010 09:58:20
by Eugene Mayevski (EldoS Corp.)

I am sorry but none of your questions will be answered until you assign the license ticket obtained upon purchase of the license to your user account.
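Two things in this thread are worth seeing at the PKCS#11 level rather than through the SecureBlackbox wrapper: what C_GenerateKeyPair is actually handed (an attribute template for each half of the pair, which is what CKR_TEMPLATE_INCONSISTENT in post #9749 complains about), and how the two halves are tied together so that a later operation can find the private key that belongs to a public key or certificate (the kind of lookup behind a "secret key not found" style failure, though the thread never establishes that this was the cause in post #12131). The following is an added example, not EldoS or SecureBlackbox code: it builds the two templates with the raw pkcs11t.h attribute values, lints them for the conditions the PKCS#11 specification says a token must reject, and decodes SBB's numeric "function #N (error code is M)" message. It assumes SBB indexes the CK_FUNCTION_LIST entries from 0 (consistent with the thread's #59 = C_GenerateKeyPair); the key label, CKA_ID bytes and sample messages are constructed for the example.

```python
"""PKCS#11 RSA key-pair generation: build C_GenerateKeyPair templates, lint them
for spec-defined inconsistencies, and decode SecureBlackbox's numeric error text.

Added example, not SecureBlackbox/EldoS code. Constants are the pkcs11t.h values.
The function-index table assumes 0-based indexing of CK_FUNCTION_LIST (assumption,
matches the thread's "#59" = C_GenerateKeyPair)."""
import re

# --- pkcs11t.h constants: attribute types, object classes, key type, return codes
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_KEY_TYPE, CKA_ID, CKA_SENSITIVE = 0x100, 0x102, 0x103
CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP = 0x104, 0x105, 0x106, 0x107
CKA_SIGN, CKA_VERIFY = 0x108, 0x10A
CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT = 0x120, 0x121, 0x122
CKA_EXTRACTABLE = 0x162
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKK_RSA = 2, 3, 0

CKR_NAMES = {
    0x00: "CKR_OK", 0x06: "CKR_FUNCTION_FAILED", 0x10: "CKR_ATTRIBUTE_READ_ONLY",
    0x12: "CKR_ATTRIBUTE_TYPE_INVALID", 0x13: "CKR_ATTRIBUTE_VALUE_INVALID",
    0x30: "CKR_DEVICE_ERROR", 0x62: "CKR_KEY_SIZE_RANGE", 0x70: "CKR_MECHANISM_INVALID",
    0xA0: "CKR_PIN_INCORRECT", 0xB5: "CKR_SESSION_READ_ONLY",
    0xD0: "CKR_TEMPLATE_INCOMPLETE", 0xD1: "CKR_TEMPLATE_INCONSISTENT",  # 0xD1 == 209
    0xE2: "CKR_TOKEN_WRITE_PROTECTED", 0x101: "CKR_USER_NOT_LOGGED_IN",
}

# CK_FUNCTION_LIST order from the PKCS#11 v2.x header; index 59 is C_GenerateKeyPair.
CK_FUNCTIONS = (
    "C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList C_GetSlotInfo "
    "C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo C_InitToken C_InitPIN C_SetPIN "
    "C_OpenSession C_CloseSession C_CloseAllSessions C_GetSessionInfo C_GetOperationState "
    "C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject C_DestroyObject "
    "C_GetObjectSize C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit C_FindObjects "
    "C_FindObjectsFinal C_EncryptInit C_Encrypt C_EncryptUpdate C_EncryptFinal C_DecryptInit "
    "C_Decrypt C_DecryptUpdate C_DecryptFinal C_DigestInit C_Digest C_DigestUpdate C_DigestKey "
    "C_DigestFinal C_SignInit C_Sign C_SignUpdate C_SignFinal C_SignRecoverInit C_SignRecover "
    "C_VerifyInit C_Verify C_VerifyUpdate C_VerifyFinal C_VerifyRecoverInit C_VerifyRecover "
    "C_DigestEncryptUpdate C_DecryptDigestUpdate C_SignEncryptUpdate C_DecryptVerifyUpdate "
    "C_GenerateKey C_GenerateKeyPair C_WrapKey C_UnwrapKey C_DeriveKey C_SeedRandom "
    "C_GenerateRandom C_GetFunctionStatus C_CancelFunction C_WaitForSlotEvent"
).split()


def rsa_keypair_templates(bits, key_id, label, exponent=65537):
    """Templates for C_GenerateKeyPair with CKM_RSA_PKCS_KEY_PAIR_GEN.
    Both halves carry the same CKA_ID and CKA_LABEL: that pair of attributes is how
    an application later finds the private key matching a public key/certificate."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    public = [
        (CKA_CLASS, CKO_PUBLIC_KEY), (CKA_KEY_TYPE, CKK_RSA),
        (CKA_TOKEN, True), (CKA_PRIVATE, False),          # readable without a PIN
        (CKA_LABEL, label), (CKA_ID, key_id),
        (CKA_MODULUS_BITS, bits), (CKA_PUBLIC_EXPONENT, exp),
        (CKA_VERIFY, True), (CKA_ENCRYPT, True), (CKA_WRAP, False),
    ]
    private = [
        (CKA_CLASS, CKO_PRIVATE_KEY), (CKA_KEY_TYPE, CKK_RSA),
        (CKA_TOKEN, True), (CKA_PRIVATE, True),           # requires a logged-in session
        (CKA_LABEL, label), (CKA_ID, key_id),
        (CKA_SENSITIVE, True), (CKA_EXTRACTABLE, False),  # the key never leaves the token
        (CKA_SIGN, True), (CKA_DECRYPT, True), (CKA_UNWRAP, False),
    ]
    return public, private


def lint_keypair_templates(public, private, session_rw=True, logged_in=True):
    """Return [(CKR name or 'WARNING', reason)] for conditions the PKCS#11 spec makes a
    token reject, plus warnings for things a token accepts but a practitioner should not."""
    pub, priv, out = dict(public), dict(private), []

    def fits(t, cls):  # CKA_CLASS / CKA_KEY_TYPE, if supplied, must match the mechanism
        return t.get(CKA_CLASS, cls) == cls and t.get(CKA_KEY_TYPE, CKK_RSA) == CKK_RSA

    if not fits(pub, CKO_PUBLIC_KEY) or not fits(priv, CKO_PRIVATE_KEY):
        out.append(("CKR_TEMPLATE_INCONSISTENT", "CKA_CLASS/CKA_KEY_TYPE do not fit RSA pair generation"))
    if CKA_MODULUS_BITS not in pub:
        out.append(("CKR_TEMPLATE_INCOMPLETE", "public template lacks CKA_MODULUS_BITS"))
    for t, name in ((pub, "public"), (priv, "private")):
        if CKA_MODULUS in t or (name == "private" and CKA_MODULUS_BITS in t):
            out.append(("CKR_TEMPLATE_INCONSISTENT", name + " template supplies a value the token generates"))
        if t.get(CKA_TOKEN) and not session_rw:
            out.append(("CKR_SESSION_READ_ONLY", name + " key is a token object but the session is read-only"))
        if t.get(CKA_PRIVATE) and not logged_in:
            out.append(("CKR_USER_NOT_LOGGED_IN", name + " key is CKA_PRIVATE but no PIN login was done"))
    if pub.get(CKA_ID) != priv.get(CKA_ID):
        out.append(("WARNING", "CKA_ID differs: private key cannot be located from the public key/certificate"))
    if priv.get(CKA_EXTRACTABLE) or not priv.get(CKA_SENSITIVE, False):
        out.append(("WARNING", "private key is extractable or not sensitive and can leave the token"))
    if pub.get(CKA_MODULUS_BITS, 0) < 2048:
        out.append(("WARNING", "RSA modulus below 2048 bits"))
    return out


SBB_ERROR = re.compile(r"PKCS#11 error in function #(\d+) \(error code is (\d+)\)")


def decode_sbb_error(message):
    """Map SBB's 'function #N (error code is M)' text to PKCS#11 names, or None."""
    m = SBB_ERROR.search(message)
    if not m:
        return None
    func, code = int(m.group(1)), int(m.group(2))
    fname = CK_FUNCTIONS[func] if func < len(CK_FUNCTIONS) else "function#%d" % func
    return fname, CKR_NAMES.get(code, "CKR_0x%X" % code)


if __name__ == "__main__":
    print(decode_sbb_error("PKCS#11 error in function #59 (error code is 209)"))  # constructed sample
    pub, priv = rsa_keypair_templates(2048, b"\x01", "token-signing-key")      # constructed ID/label
    print(lint_keypair_templates(pub, priv))
    broken = [(a, b"\x02" if a == CKA_ID else v) for a, v in priv] + [(CKA_MODULUS_BITS, 2048)]
    for finding in lint_keypair_templates(pub, broken, logged_in=False):
        print("%s: %s" % finding)
```

The attribute numbers are the raw header values, so the two lists can be handed unchanged to any PKCS#11 binding that accepts (type, value) templates. Run the lint before touching the token: a CKR_TEMPLATE_INCONSISTENT finding here is the same disagreement the driver will report as "error code 209", while the CKA_ID warning flags the mismatch that leaves a freshly generated private key unfindable by the application that later needs it for signing.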


Sincerely yours
Eugene Mayevski
