EldoS | Feel safer!

Software components for data protection, secure storage and transfer

USB Token insertion/removal detection

Posted: 11/08/2009 09:39:12
by Guido Aspesani (Basic support level)
Joined: 11/07/2009
Posts: 7

I'm evaluating the purchase of SecureBlackBox package, but I encountered a strange problem.

I have a USB Token, and I am trying to detect its insertion/removal from within the application.

First I have looked at the OnSlotEvent event, but the event is never fired (I have set MonitorSlotEvent := True; )
I have wondered why, and a possible answer is that my particular hardware does not have a physical slot and a token that can be inserted/removed, but can be inserted/removed as a whole, so I have to check the presence of the slot, not of the token.

So I tried a 'poll' approach:
Open a TElPKCS11CertStorage object, check the SlotCount property, if zero then close the Storage, and repeat.

Doing so I have noticed a strange behavior:
Once the TElPKCS11CertStorage is created and opened for the first time, the 'state' of the SlotCount property never change.
I mean, if the token is inserted AFTER the first Open, even closing and re-opening the Store doesn't detect the token.
Neither does freeing the object and recreating it. I have to exit from the application (close the program) and re-execute it.
Doing so the token is correctly detected but, if removed, the SlotCount property is always = 1 (obviously I have closed and re-opened the store).

Am I missing something obvious?

This is a huge problem. I can't ask my customers to exit the application just to insert the token.

I can provide you with more details, just ask!

Thanks in advance

Posted: 11/09/2009 01:38:29
by Ken Ivanov (Team)

Thank you for contacting us.

The problem is caused by the "specifics" of your token driver, which does not provide renewed information about the slots without reloading the driver. Please do the following to resolve the issue:

1) when creating the storage object, create an individual TElPKCS11CryptoProvider object and assign it to the TElPKCS11CertStorage.CryptoProvider property:

FStorage := TElPKCS11CertStorage.Create(nil);
FStorage.CryptoProvider := TElPKCS11CryptoProvider.Create(nil);

2) release that object along with destruction of the storage:

CP : TElCustomCryptoProvider;
CP := FStorage.CryptoProvider;
FreeAndNil(FStorage);
FreeAndNil(CP);

3) always recreate the storage to refresh the list of available slots.
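The three steps above combined into one polling routine, as an added example that is not code from this thread or from EldoS. The unit names, the Open/Close methods and the DLLName/SlotCount properties are assumed from their use in this thread; the driver path is a placeholder.

```delphi
uses
  SysUtils,
  SBCryptoProv,          // TElCustomCryptoProvider (assumed unit name)
  SBCryptoProvPKCS11,    // TElPKCS11CryptoProvider (assumed unit name)
  SBPKCS11CertStorage;   // TElPKCS11CertStorage (assumed unit name)

{ Returns True when the driver reports at least one slot. A fresh storage and
  a fresh, dedicated crypto provider are created on every call and destroyed
  together afterwards, so the driver DLL is reloaded and the slot list is
  refreshed on each poll (steps 1 to 3 from the reply above). }
function TokenPresent(const DLLName: string): Boolean;
var
  Storage: TElPKCS11CertStorage;
  CP: TElCustomCryptoProvider;
begin
  Result := False;
  Storage := nil;
  CP := nil;
  try
    Storage := TElPKCS11CertStorage.Create(nil);
    CP := TElPKCS11CryptoProvider.Create(nil); // step 1: dedicated provider
    Storage.CryptoProvider := CP;
    Storage.DLLName := DLLName;
    Storage.Open;                              // loads the PKCS#11 driver
    try
      Result := Storage.SlotCount > 0;         // 0 slots = token not present
    finally
      Storage.Close;
    end;
  finally
    if Storage <> nil then
      Storage.CryptoProvider := nil;           // detach before destruction
    FreeAndNil(Storage);                       // step 2: destroy the storage
    FreeAndNil(CP);                            //         and its provider
  end;
end;

{ Step 3 is implicit: every call recreates the storage, so a caller can poll
  this from a TTimer and react only to changes in the returned value. }
procedure PollOnce(var LastPresent: Boolean);
var
  Present: Boolean;
begin
  Present := TokenPresent('PLACEHOLDER_PATH\token-driver.dll');
  if Present <> LastPresent then
  begin
    LastPresent := Present;
    if Present then Writeln('Token inserted') else Writeln('Token removed');
  end;
end;
```

If Open raises because the driver could not be loaded, the exception propagates after both objects have been freed, so a caller can treat that case as "no token" without leaking the provider.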
Posted: 11/09/2009 04:56:12
by Guido Aspesani (Basic support level)
Joined: 11/07/2009
Posts: 7

Thank you for the QUICK reply.

Your suggestion works perfectly!
Now I am able to 'poll' successfully the device.

I will continue to evaluate your library, a little bit more happy knowing that I can count on a good support!

Best regards

Guido Aspesani
Posted: 06/25/2011 14:48:23
by Constantin Danilov (Standard support level)
Joined: 06/25/2011
Posts: 5

We are evaluating now your library in our project and we have the same
issue (this is a C# project).

The driver is not reloaded even after I call this function:

private void CleanUp()
{
    var pcks11Storage = _certStore as TElPKCS11CertStorage;
    if (pcks11Storage != null)
        pcks11Storage.CryptoProvider = null;
    _certStore = null;
}

Do you know what I can do to force the driver to reload in a .net world?

I'll appreciate any feedback.

Best regards,
Constantin Danilov
Altavia Software
Posted: 06/25/2011 15:18:03
by Ken Ivanov (Team)

Thank you for getting in touch with us.

Are you creating a separate (dedicated) TElPKCS11CryptoProvider object for each TElPKCS11CertStorage object you use? It is a must to prevent caching of the driver DLL.
Posted: 06/25/2011 15:23:44
by Constantin Danilov (Standard support level)
Joined: 06/25/2011
Posts: 5

Yes, this is the code for creation of the storage:

try
{
    var pkcs11Store = new TElPKCS11CertStorage();
    pkcs11Store.CryptoProvider = new SBCryptoProvPKCS11.TElPKCS11CryptoProvider();
    pkcs11Store.DLLName = storeConfigurationElement.DllPath;
    WriteLog("OpenPKCS11Store -> DllPath:{0}", pkcs11Store.DLLName);
}
catch (Exception ex)
{
    throw new HandledException(ex.Message);
}
Posted: 06/25/2011 15:39:54
by Ken Ivanov (Team)

Thanks for answering.

Could you please provide us with a few more details about the problem:

1) Which token(s) exactly are you facing the issue with? Newer drivers from Athena appear to leave some of the dependent DLLs in memory (even though the driver itself unloads correctly), thus requiring additional actions to be performed to unload them completely. Other devices/drivers might be subject to a similar problem too.

2) How exactly do you recognize that the driver is not unloaded?
Posted: 06/25/2011 16:07:51
by Constantin Danilov (Standard support level)
Joined: 06/25/2011
Posts: 5

We are using Gemalto GemSafe Token from our partners CertEurope : http://www.certeurope.fr/acces-direct-v3-installation.php

Here is the first output from my unit test when the token is not plugged in: http://screencast.com/t/6o99RmKv

The output is the same after inserting the token : http://screencast.com/t/Imp5VIJX

If I do a reloading of my tests (CTRL+R) the output changes and my test pass: http://screencast.com/t/JnN5awGtt

So there is obviously a problem to get the slots information renewed in the storage after the token was plugged in...
I'm cleaning up the references and recreating the storage each time accessing the token info, but there is a problem and I don't know if it's a .Net problem with memory management or there is the token driver problem...

Appreciate your quick feedback!
Posted: 06/25/2011 16:32:20
by Ken Ivanov (Team)

Thank you very much for the detailed explanation. Now we have the complete picture of the issue.

First of all, let's check whether the driver DLL itself unloads correctly. You can do this with the help of Mark Russinovich's Process Explorer tool (now available for download at http://technet.microsoft.com/en-us/sy.../bb896653). The tool allows you to view the DLLs loaded into the address spaces of running processes. Please check whether the driver is unloaded from the address space of your application's process after your CleanUp() method completes.
Posted: 06/27/2011 03:41:03
by Constantin Danilov (Standard support level)
Joined: 06/25/2011
Posts: 5

I've done some testing with Process Explorer and .NET Memory Profiler:

1. The driver .dll is not unloaded from nunit.exe memory after the test fails: http://screencast.com/t/WMpHYqnH

The refactored CleanUp() method:

private void ReleaseStore(TElPKCS11CertStorage store)
{
    if (store != null)
    {
        WriteLog("SmartKeyCertificateStore:ReleaseStore -> CryptoProvider!=null : {0}", store.CryptoProvider != null);
        Session = null;
        store.CryptoProvider = null;
        store = null;
    }
}


2. When using the memory profiler, there is a live instance of TElPKCS11CertStorage which is not released because of a global reference in your library: http://screencast.com/t/LPojCd9K

3. After reloading test in nunit (CTRL+R) the driver .dll is still there in memory: http://screencast.com/t/lycPmRxeK

4. Taking a new snapshot with the profiler reveals that the instance of TelPkcs11CertStorage was removed from memory: http://screencast.com/t/9ijbNI1w1

5. Plug in the USB token and the test passes: http://screencast.com/t/eS4gX9AN

1. The problem is in TelPkcs11CertStorage which is not released by the Garbage Collector due to some global references to it from the SBB library (the .dll driver is still in memory after the test reload and the certificates get loaded on the second pass, so no driver problem I think).

2. I can reproduce the problem also in the TinySignerPKCS11_VS2010 sample provided with the SecureBlackbox installation, if not closing the form after click on Sign document.

I'll continue to integrate the SBB library in our project and waiting for news about this problem as soon as possible...