EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Cryptocards on Windows

#13306
Posted: 05/14/2010 06:05:32
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

I am adding support for cryptocards -in general- in a Windows app, and I am a little confused with all kinds of drivers, methods, standards... I think I have managed to make a picture of how it all should be done, but I would appreciate a confirmation on how I understood it all.

1) PKCS#11 drivers are not the way cryptocards work in Windows, it is only used in Linux and Mac, so I think it is better to totally forget about it.

2) The easy and "good for all" way is to use the certificates installed in Windows, let them be cryptocards or files, then add the certificate to a memory cert storage, and use them to sign, forgetting about whether they came from a cryptocard or not.

3) As far as I have read, adding this Windows-installed certificate into a MemStorage will do it all for me, as the object internally knows where this certificate "lives" and will make the corresponding calls to its API for me when I sign a file using this MemStorage.

4) If I add a certificate from a WinCertStorage into a MemStorage... can I free the first and still use the certificate from memory? (so I can use a temporary WinStorage freed just after the user chooses his certificate).

A simple "yes, you are basically right" could make me sleep better, so thanks in advance to any "power user" willing to cast some light on this.
#13308
Posted: 05/14/2010 06:28:27
by Eugene Mayevski (EldoS Corp.)

1) This is not so. PKCS#11 is a standard way to use cryptographic hardware (cryptocards and USB cryptotokens) on many systems. This is the interface that is provided via the DLL created by the device vendor. Probably all vendors have a PKCS#11 interface DLL for Windows. And the PKCS#11 interface is way more powerful than the one CryptoAPI offers.

2) This is so only until you need to do anything beyond simple signing.

3) Yes. The same will happen with the certificate accessed via PKCS#11 interface.

4) Yes, you can remove the Windows cert storage after copying the certificate.


Sincerely yours
Eugene Mayevski
#13309
Posted: 05/14/2010 06:30:45
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Quote
1) PKCS#11 drivers are not the way cryptocards work in Windows, it is only used in Linux and Mac, so I think it is better to totally forget about it.

PKCS#11 is a platform-independent format. It can be used on a number of various platforms, including Windows, Unix, Mac and many others. Many of our customers use PKCS#11 on Windows (for different reasons). In some cases PKCS#11 is the only possible way to access a cryptocard, as some vendors do not provide custom CSPs with them.

Quote
2) The easy and "good for all" way is to use the certificates installed in Windows, let them be cryptocards or files, then add the certificate to a memory cert storage, and use them to sign, forgetting about whether they came from a cryptocard or not.

Windows provides a unified mechanism for accessing certificates stored in various physical sources. However, the vendor of a particular token must provide a driver ("CSP") to make the token "visible" to Windows. In fact, most such CSPs talk to cryptocards via the PKCS#11 interface, so you may consider the Windows system store a kind of higher-level abstraction.

Memory certificate storage allows you to maintain your own list of certificates (all others deal with particular storages, such as the system or a cryptocard).

Quote
3) As far as I have read, adding this Windows-installed certificate into a MemStorage will do it all for me, as the object internally knows where this certificate "lives" and will make the corresponding calls to its API for me when I sign a file using this MemStorage.

Yes, exactly.

Quote
4) If I add a certificate from a WinCertStorage into a MemStorage... can I free the first and still use the certificate from memory? (so I can use a temporary WinStorage freed just after the user chooses his certificate).

Yes, you can. All the information needed to access the certificate is kept within an individual TElX509Certificate object. However, the same is *not* true for the certificates originating from TElPKCS11CertStorage.
#13310
Posted: 05/14/2010 06:49:42
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

Thanks to you both for your quick response.

My goal is just signing with the certificates on the cryptocards, no need to add, modify, delete.. nothing beyond signing is necessary.

About the PKCS#11 DLL on Windows systems, it is unclear to me that it will come with the majority of available cards + card readers... actually I am doing tests using the eDNI from Spain, and it only gives such a DLL for Linux and Mac systems (or they have it renamed and not visible to the user in some system dir), and I will not control which cards my customers will use, so I could not find the appropriate DLL in general; this is why I dismiss this option.

So, if I stick to WinCertStorages it is all hidden from my code and easier for the final user.

A question about using those WinCertStorages:

1) To locate the hardware certificates, can I just create a WinCertStorage and show all certificates in it that have PrivateKeyExists=1 (I don't mind if file certs also show up)? Is there some property I should set first to do it (StorageType for instance)? There are some properties that seem to be related to hardware certificates, but from the definition in the help I can't tell whether I need to deal with them or not.

Thanks in advance,
Sergio Hernandez.
#13313
Posted: 05/14/2010 07:23:47
by Ken Ivanov (EldoS Corp.)

Quote
My goal is just signing with the certificates on the cryptocards, no need to add, modify, delete.. nothing beyond signing is necessary.

Well, the exact operations do not matter actually. If the vendor of the token does not provide a Windows CSP, you will be unable to use it via TElWinCertStorage (any of its functions).

As far as I know, the card you are asking about supports access via both PKCS11 and CryptoAPI interfaces.

Quote
1) To locate the hardware certificates, can I just create a WinCertStorage and show all certificates in it that have PrivateKeyExists=1 (I don't mind if file certs also show up)? Is there some property I should set first to do it (StorageType for instance)? There are some properties that seem to be related to hardware certificates, but from the definition in the help I can't tell whether I need to deal with them or not.

As I said above, the Windows system store can be treated as a higher-level abstract interface to the certificates originating from different sources (hardware tokens, files, registry etc.). There is no unified way to find out whether a particular certificate resides on a hardware token or in some other place.
#13316
Posted: 05/14/2010 08:22:58
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

Thanks a lot, I have it happily working, and the extra code for accessing all those cards is minimal... your components are a pleasure to work with!

Before, I always used file certs with MemStorage.LoadFromStream(...); now, to use the first of the certificates -that are valid for signing- installed in Windows, I just added this:

  // open the current user's personal ("MY") system store
  WinStorage.SystemStores.Add('MY');
  // take the first certificate that has a private key (file- or card-backed)
  for i := 0 to WinStorage.Count - 1 do
  begin
    if WinStorage.Certificates[i].PrivateKeyExists then
    begin
      MemStorage.Add(WinStorage.Certificates[i]);
      Break;
    end;
  end;

After that "Add" the rest of the signing procedure code is 100% untouched (and working)!

I didn't imagine it could be so easy.
#13321
Posted: 05/14/2010 12:11:30
by Ken Ivanov (EldoS Corp.)

Hmm, exactly which component are you using for signing? Though SBB allows creating signatures signed with several certificates, some third-party processing software (e.g. Adobe Reader) does not understand such signatures. As there can be several certificates containing a private key present in the MY store, there is a risk of adding several signing certificates to the MemStorage.

Just wished to warn you -- this might not be a problem for your particular case.
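The following is an added example, not code from the original thread or from the SecureBlackbox product itself. It shows how the selection loop posted above can be tightened so that exactly one usable signing certificate reaches the memory storage (addressing the "several signing certificates" risk raised in this post), and how the Windows storage can then be freed as confirmed earlier in the thread. Unit names in the uses clause and the members ValidFrom, ValidTo, KeyUsage (a set containing kuDigitalSignature and kuNonRepudiation), SubjectName.CommonName and TElMemoryCertStorage.Clear are assumptions about the SecureBlackbox API; SystemStores, Count, Certificates, PrivateKeyExists and Add are taken from the thread.

```delphi
{ Added example (not from the original thread or the vendor's documentation).
  Assumed unit names; adjust to the SecureBlackbox version in use. }
uses
  SysUtils, SBX509, SBCustomCertStorage, SBWinCertStorage;

{ Copies exactly one certificate from the Windows MY store into MemStorage.
  Candidates must have a private key, be inside their validity period and
  carry a signing key usage. If more than one candidate exists, the one whose
  subject CN equals PreferredCN is taken; if none matches, nothing is added
  and False is returned so the caller can prompt the user instead of
  silently signing with an arbitrary certificate. }
function LoadSingleSigningCert(MemStorage: TElMemoryCertStorage;
  const PreferredCN: string): Boolean;
var
  WinStorage: TElWinCertStorage;
  Cert: TElX509Certificate;
  i, Chosen, Candidates: Integer;
begin
  Result := False;
  Chosen := -1;
  Candidates := 0;
  WinStorage := TElWinCertStorage.Create(nil);
  try
    WinStorage.SystemStores.Add('MY');
    for i := 0 to WinStorage.Count - 1 do
    begin
      Cert := WinStorage.Certificates[i];
      // no private key: cannot sign with it (file- or card-backed alike)
      if not Cert.PrivateKeyExists then
        Continue;
      // expired or not yet valid (assumption: ValidFrom/ValidTo are TDateTime)
      if (Now < Cert.ValidFrom) or (Now > Cert.ValidTo) then
        Continue;
      // key usage must permit signing (assumption: KeyUsage is a set type)
      if not ((kuDigitalSignature in Cert.KeyUsage) or
              (kuNonRepudiation in Cert.KeyUsage)) then
        Continue;
      Inc(Candidates);
      if (Chosen < 0) and ((PreferredCN = '') or
         SameText(Cert.SubjectName.CommonName, PreferredCN)) then
        Chosen := i;
    end;

    // several candidates but no preferred CN given: refuse to guess
    if (Candidates > 1) and (PreferredCN = '') then
      Exit;
    if Chosen < 0 then
      Exit;

    // guarantee a single signer, whatever MemStorage held before
    MemStorage.Clear;
    MemStorage.Add(WinStorage.Certificates[Chosen]);
    Result := MemStorage.Count = 1;
  finally
    // Freeing the Windows storage here is safe, as stated in the thread: the
    // copied TElX509Certificate keeps what it needs to reach its private key,
    // including one that lives on a cryptocard behind a CSP. The same is NOT
    // true for certificates taken from TElPKCS11CertStorage.
    WinStorage.Free;
  end;
end;
```

Calling LoadSingleSigningCert(MemStorage, '') is the safe default for a first run: it succeeds only when the MY store holds one usable signing certificate, and fails when there are several, at which point the application can list the candidates and call it again with the chosen subject CN. The rest of the signing code remains unchanged, as in the post above, because it only ever sees the single certificate in MemStorage.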