EldoS | Feel safer!


Using TElX509Certificate from smart card for authentification to a WS

#13417
Posted: 05/22/2010 09:24:30
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Greetings,
I have played around with SecureBlackbox PKI and I have to admit it's a good product, and I'm thinking about purchasing the license for my business projects. One thing that bothers me: is it possible to achieve this scenario using it:

1) I have a PKCS#11 smart card token that contains X509 certificates for authentication and signing. I have managed to obtain these certificates and export them to the Windows user store (I suppose the private key for the certificate doesn't leave the card).

What I need to do is the following:
Use the certificate that I obtain from the SC (TElX509Certificate object) for authentication to a WCF web service. I can set my client certificate credentials for this WS call in code, but I have to pass it as an X509Certificate2 object.

I found some info on how to convert X509Certificate2 to TElX509Certificate in this topic: http://www.eldos.com/forum/read.php?PAGEN_2=1&FID=7&TID=1508#nav_start_2.

I don't know if the vice versa conversion is possible, because I'm not sure if the private key from the certificate is necessary to authenticate the client to a WCF service. I suppose it is, because somehow it should sign the request with the private key from the certificate. So in this case, I can't convert to an X509Certificate2 object and pass it as a certificate parameter, because the private key won't be copied into the object and the authentication process will fail.

I'm wondering what happens when the TElX509Certificate from the SC is copied to the local user certificate store? Obviously, the private key stays on the SC. Can I use this method:

Load the X509Certificate2 from the store and pass it as a credentials parameter to the WCF client. Will the engine know that the private key that needs to be used to sign the request is on the smart card, and can it implicitly use it to sign the request? I would try to avoid this solution, because when the client application is over, it should erase the certificate from the user store.

The WCF service functionality is simply to return a few strings of data that should simply be stored on a smart card.

I would prefer to load the certificate from the SC in the program, somehow pass this certificate for authentication to a WCF service, call the service, and use the return value of the service call to store it on a smart card (using PKCS#11).

Can you please tell me if this task is possible? Because I have a short deadline, and my whole project system architecture depends on this solution, if it's possible, I would gladly purchase the license for SecureBlackbox PKI.

Thanks in advance,

Tomislav
#13418
Posted: 05/22/2010 10:25:56
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Also, a simple follow-up: is there a simpler way of implementing the service? The reason why I chose WCF is because it offers a lot of options and automated XML settings and all the nice things.

Basically my service code just needs to authenticate the user, generate a string/document in some of its methods (irrelevant what it actually is, let's say it's a simple XML containing some data that needs to be put on a card as a file), send this string back to the client, and the client should be able to store this file as a string using PKCS#11 save object methods (I would prefer using SBB for this).
#13421
Posted: 05/22/2010 15:48:44
by Ken Ivanov (EldoS Corp.)

Thank you for your interest in our products.

The forum topic you have referenced is a bit outdated. As a matter of fact, the method explained there does work, but it only does so for certificates with exportable private keys. As the cryptographic device is very likely to prohibit private key access, the method will not work with it. In SBB8 we introduced two special methods for converting TElX509Certificate to X509Certificate2 and vice versa. Please do the following to perform such conversion:
1) Get the TElX509Certificate object corresponding to the certificate stored on the cryptographic token with the use of TElWinCertStorage class,
2) Call its ToX509Certificate2() method.
#13426
Posted: 05/23/2010 08:10:08
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Innokentiy Ivanov wrote:
Thank you for your interest in our products.

The forum topic you have referenced is a bit outdated. As a matter of fact, the method explained there does work, but it only does so for certificates with exportable private keys. As the cryptographic device is very likely to prohibit private key access, the method will not work with it. In SBB8 we introduced two special methods for converting TElX509Certificate to X509Certificate2 and vice versa. Please do the following to perform such conversion:
1) Get the TElX509Certificate object corresponding to the certificate stored on the cryptographic token with the use of TElWinCertStorage class,
2) Call its ToX509Certificate2() method.


Hi

Thanks for the quick response, because it's a weekend day. I have found this method for conversion already. The thing that bothers me: will this conversion lead to the private key being exported into this X509Certificate2 object, or just a reference to the private key on the card?

Because of my security design, I would prefer if the private key never leaves the card (and the X509Certificate2 that I convert to just stores a reference to the key). Is this possible?
#13429
Posted: 05/23/2010 10:15:58
by Ken Ivanov (EldoS Corp.)

No, this method does not export a private key (it only gets a reference to Windows certificate handle, which, in turn, also uses a reference to the "real" hardware key).

As a matter of fact, very few hardware tokens allow private key export, so all the SecureBlackbox code was designed to bypass accessing private keys directly wherever possible.
#13431
Posted: 05/23/2010 17:12:49
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Innokentiy Ivanov wrote:
No, this method does not export a private key (it only gets a reference to Windows certificate handle, which, in turn, also uses a reference to the "real" hardware key).

As a matter of fact, very few hardware tokens allow private key export, so all the SecureBlackbox code was designed to bypass accessing private keys directly wherever possible.


Hi,

The thing is, the exact thing I was afraid of has happened when I used the certificate from the hardware token for a service negotiation and authentication call.

To be more precise, this exception occurred:

Code
The certificate 'CN=ClientSide' must have a private key. The process must have access rights for the private key.


I have done as you instructed: obtained the TElX509Certificate object from the token, and converted it to X509Certificate2 using the ToX509Certificate2() method.

Can you tell me, is there some sort of workaround? This is crucial for my application and our business needs: to be able to use the certificate on the token for WCF service authentication.
#13432
Posted: 05/23/2010 23:10:18
by Ken Ivanov (EldoS Corp.)

1) How exactly did you import the certificate to the system store? Was it done automatically (by the token driver), or did you install it there manually?

2) How exactly do you obtain the certificate object (TElX509Certificate) before converting it to X509Certificate2 (please show a piece of your code)?
#13433
Posted: 05/24/2010 01:49:12
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Innokentiy Ivanov wrote:
1) How exactly did you import the certificate to the system store? Was it done automatically (by the token driver), or did you install it there manually?

2) How exactly do you obtain the certificate object (TElX509Certificate) before converting it to X509Certificate2 (please show a piece of your code)?


Actually I haven't imported the certificate into the system store; I just obtained it from the card, converted it to an X509Certificate2 object, and passed this object to a WCF proxy client credentials property. My main problem is, the application should be deployed on an e-kiosk terminal, which would be dealing with a lot of different users and smart cards. If for every user and every smart card inserted into the reader I would need to copy its certificate to a system store (and upon removal of the card remove the certificate from the store), it would be a serious mess for me to deal with.

My whole idea was that I could somehow read the certificate from the token, place it in RAM, and pass this certificate as an authentication parameter to a remote web service. The loading of the certificate and the connection to this web service are through the same application.

So the answers to your questions would be:

1) The driver (using the opensc-pkcs11 library for this) does not copy the certificate to a system store automatically. I have tried to make this work, but with no success. My main problem was how to set up the MS CSP to use this PKCS#11 DLL, and I haven't managed to do that. So my alternative was to manually load the certificate (but for the reasons disclosed above, try to avoid loading it into the system store). I still ask myself whether this way is actually possible with your product?

2) This is the code extract I used to load the certificate:

Code

using System.Security.Cryptography.X509Certificates;
using SBX509;              // TElX509Certificate
using SBPKCS11CertStorage; // TElPKCS11CertStorage (namespace assumed)

TElPKCS11CertStorage _certStorage;

// opening token slot session, succeeded

// i is the index of the authentication certificate on the token
TElX509Certificate pkcsCert = this._certStorage.get_Certificates(i);
X509Certificate2 certForAuth = pkcsCert.ToX509Certificate2(false);

// This is my client web service proxy
IncrementServiceClient client = new IncrementServiceClient();
client.ClientCredentials.ClientCertificate.Certificate = certForAuth;
// fails with: The certificate 'CN=ClientSide' must have a private key.
int result = client.IncrementOne(2);


The last line (that calls the web service method) fails with the above mentioned exception.
#13434
Posted: 05/24/2010 03:13:55
by Ken Ivanov (EldoS Corp.)

Thank you for the details.

Sorry for disappointing you, but the above code will not work if the X509Certificate2 object is obtained from TElX509Certificate originating from the TElPKCS11CertStorage storage. The private key (or a reference to it) is only preserved if the source TElX509Certificate object originates from either TElWinCertStorage or TElMemoryCertStorage storage.

That is, there are two possible ways you can go:

1) Access the certificate via TElWinCertStorage. Most hardware tokens come with their CSPs, which map certificates to the Windows system stores. I must underline that you do not need to copy the certificates to the system store in this case; once the token is inserted into the slot, the certificate appears in the system store automatically. I am not sure whether OpenSC provides this functionality, but probably it makes sense to try to go on with native token drivers (if possible).

2) Access the service in a different way, omitting the use of X509Certificate2 object. Unfortunately, I am not aware of specifics of authentication to a WCF service; if the authentication is performed on HTTPS layer, SecureBlackbox can handle it with the SSLBlackbox components.
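Added example (not code from the thread, from EldoS or from SecureBlackbox): it follows Ken's option 1, selecting the token-backed certificate through TElWinCertStorage, and then checks X509Certificate2.HasPrivateKey before the certificate reaches WCF, so the "must have a private key" failure seen above is caught up front instead of at the first service call. Only ToX509Certificate2(), get_Certificates() and the IncrementServiceClient proxy come from the thread; the SystemStores, StorageType and AccessType properties, the TSBStorageType/TSBStorageAccessType enums, the SBX509/SBWinCertStorage/SBCustomCertStorage namespaces, the proxy's (Binding, EndpointAddress) constructor and the endpoint URL are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using SBX509;              // TElX509Certificate (namespace assumed)
using SBWinCertStorage;    // TElWinCertStorage (namespace assumed)
using SBCustomCertStorage; // storage enums (namespace assumed)

static class TokenClientAuth
{
    // Walk the current user's "MY" store, which a token CSP populates while the
    // card is inserted, and return the first certificate for the expected subject
    // whose private key is reachable. Returns null when nothing usable is present.
    public static X509Certificate2 FindTokenCertificate(string expectedSubject)
    {
        var storage = new TElWinCertStorage();
        storage.SystemStores.Add("MY");                          // assumed property
        storage.StorageType = TSBStorageType.stSystem;           // assumed enum
        storage.AccessType = TSBStorageAccessType.atCurrentUser; // assumed enum

        for (int i = 0; i < storage.Count; i++)
        {
            TElX509Certificate cert = storage.get_Certificates(i);
            X509Certificate2 candidate = cert.ToX509Certificate2(false);

            if (candidate.Subject.IndexOf(expectedSubject, StringComparison.Ordinal) < 0)
                continue;

            // This is the exact condition WCF enforces when it signs the request
            // ("The certificate ... must have a private key"). A certificate whose
            // key handle was lost in conversion is rejected here, with a clear reason.
            if (!candidate.HasPrivateKey)
            {
                Console.WriteLine("Skipping {0}: no private-key reference", candidate.Thumbprint);
                continue;
            }
            return candidate;
        }
        return null;
    }

    // Client-certificate authentication on the HTTPS (transport) layer, the case
    // Ken mentions; the endpoint address is a placeholder.
    public static IncrementServiceClient CreateClient(X509Certificate2 clientCert)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var endpoint = new EndpointAddress("https://service.example/IncrementService.svc");

        // Generated proxies expose a (Binding, EndpointAddress) constructor (assumed here)
        var client = new IncrementServiceClient(binding, endpoint);
        client.ClientCredentials.ClientCertificate.Certificate = clientCert;
        return client;
    }

    static void Main()
    {
        X509Certificate2 cert = FindTokenCertificate("CN=ClientSide");
        if (cert == null)
            throw new InvalidOperationException(
                "No token certificate with an accessible private key; insert the card or check the token CSP.");

        IncrementServiceClient client = CreateClient(cert);
        try
        {
            Console.WriteLine(client.IncrementOne(2));
            client.Close();
        }
        catch
        {
            client.Abort();
            throw;
        }
    }
}
```

Because the key never leaves the card, the signing that WCF performs through CryptoAPI is routed to the token's CSP; that is why the check above only passes when the certificate was obtained through the Windows store rather than directly from a PKCS#11 storage.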
#13435
Posted: 05/24/2010 03:34:24
by Tomislav Jakopović (Basic support level)
Joined: 05/22/2010
Posts: 38

Quote
Innokentiy Ivanov wrote:
Thank you for the details.

Sorry for disappointing you, but the above code will not work if the X509Certificate2 object is obtained from TElX509Certificate originating from the TElPKCS11CertStorage storage. The private key (or a reference to it) is only preserved if the source TElX509Certificate object originates from either TElWinCertStorage or TElMemoryCertStorage storage.

That is, there are two possible ways you can go:

1) Access the certificate via TElWinCertStorage. Most hardware tokens come with their CSPs, which map certificates to the Windows system stores. I must underline that you do not need to copy the certificates to the system store in this case; once the token is inserted into the slot, the certificate appears in the system store automatically. I am not sure whether OpenSC provides this functionality, but probably it makes sense to try to go on with native token drivers (if possible).

2) Access the service in a different way, omitting the use of X509Certificate2 object. Unfortunately, I am not aware of specifics of authentication to a WCF service; if the authentication is performed on HTTPS layer, SecureBlackbox can handle it with the SSLBlackbox components.


Hi, that's what I was afraid of. The thing is, the token on the smart card is a MUSCLE card applet, and currently there's no CSP written for it, so to access its cryptographic functions the PKCS#11 API should be used (particularly opensc-pkcs11.dll).

As a reply to your second statement, the thing is we don't necessarily need to deal with WCF services; in fact we haven't developed the web service yet, as we try to find which technology would best suit us to authenticate to a web service using smart card token certificates. The only requirement for us is that it has a well defined interface (according to WS standards). We need to expose a couple of methods that accept a couple of parameters and return some sort of documents (XML files, PDF files...) that should be stored on the smart card, for use in different applications.

As far as I know, SSL is mainly used for web page interfaces, but our primary goal isn't to access web page resources, but to access some program API distributed on the Web. Is there any suggestion about which technology to use, so we could make this authentication with token certificates work, using your company's solution?