EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Smartcard based Signature

Posted: 08/24/2010 03:30:10
by Dust Michael (Standard support level)
Joined: 08/24/2010
Posts: 4

The German law dictates a “secure-signature-creation device” for digital signatures (the keys are created on an external chip card). I plan to use a mass-signature-card (pin request per operation and not per signature). These devices restrict direct access to the *.pfx file.

Are there known issuers in using this devices in combination with the PDF-Blackbox components?
Posted: 08/24/2010 03:54:14
by Eugene Mayevski (Team)

If the device supports PKCS#11 interface or CryptoAPI, then you should not have problems with it. The only issue would be that the user will be requested to enter the pin all the time.

More specific answer requires more details about the technologies used (i.e. what the device supports, whether you plan to use RSA key or certificate for signing etc.)

Sincerely yours
Eugene Mayevski
Posted: 08/24/2010 05:24:53
by Dust Michael (Standard support level)
Joined: 08/24/2010
Posts: 4

I think the devices support the CryptoAPI. For singning I use a certificate stored on the smartcard (created by a trustcenter).

So mass-signature-cards are not supported? If I want to print 10 invoices I would have to enter the pin 10 times?
Posted: 08/24/2010 05:50:27
by Eugene Mayevski (Team)

This depends on interface.

In PKCS#11 PIN is usually passed in code to open the session (and provide access to card or USB token data). In this case the PIN is passed by your application so you need to ask the user for a pin only once. This is so unless PKCS#11 driver shows it's own (internal) PIN entry dialog OR the device has it's own keypad and asks the user to use the keypad and enter a pin all the time.

In CryptoAPI you don't have a way (cryptoapi doesn't offer one) to provide the PIN in code. The user will need to enter it as much as the device requires. And yes, this is a big problem for mass signing, and this is why many developers choose PKCS#11 interface to work with smartcards.

Sincerely yours
Eugene Mayevski
Posted: 09/08/2010 03:16:45
by SmartAccess  (Standard support level)
Joined: 04/13/2010
Posts: 2


One question about CryptoAPI: The way to provide the PIN is calling CryptSetProvParam with PP_KEYEXCHANGE_PIN as parameter. As Microsoft recommends, the call to CryptAcquireContext with CRYPT_SILENT will not show any Window. We have done this sucessfully in some developments.

Does have SBB any way to provide the PIN this way to CSPs throug CryptoAPI?.
Posted: 09/08/2010 05:07:09
by Ken Ivanov (Team)

Passing a PIN from code is not supported by SBB components at the moment (first of all, due to very little number of CSPs that support this feature), sorry. Could you please specify the CSP you are using (the one that does support setting PIN with CryptSetProvParam())?

Please also note that CRYPT_SILENT flag should be used very carefully. Some CSPs that normally show various dialogs silently fail if CRYPT_SILENT flag is used.



Topic viewed 1435 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!