EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PKCS11 questions

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
Posted: 05/27/2009 05:21:18
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13

I'm trying to convert a v++ program to delphi (not much of a problem) but i'm running into problems on 2 places:

1) The code uses a MaxPinLen and MinPinLen. Both are present in the TPKCS11TokenInfo stucture but are not published in the session. Would it be possible to add there two in a future version of sbb?
Is there an easy way to get these two properties without changing eldos code?
(for the moment i can hardcode the 2 as they dont change with the cards we have)

2) I'm truely out of ideas how to implement the C_SignInit and C_Sign (line 308 and further). I tried the Session.CryptoProvider.SignInit but then i have no clue how to pass the private key to it. Can you help me with this part please?


[ Download ]
Posted: 05/27/2009 06:05:43
by Ken Ivanov (Team)

Thank you for contacting us.

SecureBlackbox already contains all the necessary code for accessing PKCS11-compatible tokens, so you do not have to port C++ code to Delphi yourself. Please see the CryptoTokenDemo sample included to the distribution.
Posted: 05/27/2009 06:15:44
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13

I know, i'm porting it to the eldos pkcs11 components. Same questions remain.
Posted: 05/27/2009 06:28:02
by Ken Ivanov (Team)

I seem to have been a bit inexact. The code you are trying to port is already available in SBB. You can easily use SBB classes to perform the task that is done by the attached code, without the need of porting it. Use TElPKCS11CertStorage component to open the session, get the needed certificate or key, and then TElRSAPublicKeyCrypto to sign the data.
Posted: 05/27/2009 07:38:43
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13

Innokentiy Ivanov wrote:
Use TElPKCS11CertStorage component to open the session, get the needed certificate or key, and then TElRSAPublicKeyCrypto to sign the data.

Oh darn as simple as that, wish i knew my way in sbb better. The sign function gave some trouble so i used the SignDetached. I assume the following code does the job.

Thanks and greetings,

ALen := 128;
AData := '0123456789';
ASignature := StringOfChar(#0, ALen);
//TODO: SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION in 2010 with next generation
ACrypto.CryptoType := rsapktPKCS1;
ACrypto.KeyMaterial := AAuthenticationCertificate.KeyMaterial;
ACrypto.SignDetached(@AData[1], 10, @ASignature[1], ALen);

if ACrypto.VerifyDetached(@AData[1], 10, @ASignature[1], ALen) <> pkvrSuccess
then raise Exception.Create('Invalid Signing');
Posted: 05/27/2009 08:00:20
by Ken Ivanov (Team)

Yes, SignDetached() function is the right one. I'd also introduced certain improvements to the code:
1) Create TElRSAPublicKeyCrypto object using the constructor that expects an empty parameter set,
2) Set the appropriate hash algorithm using the HashAlgorithm property of the Crypto object,
3) Enable UseAlgorithmPrefix flag to be fully compatible with PKCS#1 specification:
  InBuf, OutBuf : string;
  Size : integer
  Crypto : TElRSAPublicKeyCrypto;

InBuf := '0123456789';
Crypto := TElRSAPublicKeyCrypto.Create();
    Crypto.KeyMaterial := AAuthenticationCertificate.KeyMaterial;
    Crypto.InputIsHash := false;
    Crypto.HashAlgorithm := SB_ALGORITHM_DGST_SHA1; // you are free to replace SHA1 with SB_ALGORITHM_DGST_SHA256 in future
    Crypto.UseAlgorithmPrefix := true;
    Size := 0;
    Crypto.SignDetached(@InBuf[1], Length(InBuf), nil, Size);
    SetLength(OutBuf, Size);
    Crypto.SignDetached(@InBuf[1], Length(InBuf), @OutBuf[1], Size);
    Assert(Crypto.VerifyDetached(@InBuf[1], Length(InBuf), @OutBuf[1], Size) = pkvrSuccess);
Posted: 05/27/2009 08:27:59
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13

Thank you, this works great. I can finally delete the akward c++ examples and move on to implement this in the main application ;)

Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.



Topic viewed 1551 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!