EldoS | Feel safer!

Please help pki

#16882
Posted: 06/30/2011 06:15:10
by florin manea (Basic support level)
Joined: 06/30/2011
Posts: 10

Hello,

I need some help with your PKI demos.
Frankly, my experience with PKI is 0 and I don't know where to start.


Here is what I intend to do:

I have a PKI token from Aladdin, registered at DigiSign. The certificate is installed correctly.

Now, how do I choose the certificate in Delphi 6 and validate it on this site? https://www.siui.ro/OCSP/validator?username=

(They gave me a user and password.)

They said that after the validation, this site will provide a token ("jeton") with a time limit. With this jeton I will be able to access the WSDL services to verify social security numbers, send XML files with our insured patients, and so on.
(The web services are
https://www.siui.ro/svapntws/services/SiuiWS
https://www.siui.ro/svapntws/services/SiuiValidateWS
https://www.siui.ro/svapntws/services/SiuiInsuredWS)



On their site there is an example in .NET:
Code
// general HTTP options
// ServerCertificateBypass accepts every server certificate, i.e. it switches off
// TLS server authentication for the whole process; the provider's sample does this.
ServicePointManager.ServerCertificateValidationCallback = ServerCertificateBypass;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 |
    SecurityProtocolType.Tls; // default in .NET
// create the HTTPS web request
var url = String.Format("https://www.siui.ro/OCSP/validator?username={0}", userName);
var uri = new Uri(url);
var request = (HttpWebRequest)WebRequest.Create(uri);
// configure the web request
request.Accept = "*/*";
request.KeepAlive = true;
request.AllowAutoRedirect = false;
request.PreAuthenticate = true;
// take the proxy settings from Internet Explorer
request.Proxy = ProxyHelper.GetSystemWebProxy();
// attach the digital certificate (the client certificate from the token)
request.ClientCertificates.Add(userCertificate);
// configure user name and password (HTTP Basic) authentication
var credentials = new CredentialCache();
credentials.Add(uri, "Basic", new NetworkCredential(userName, password));
request.Credentials = credentials;
// override the CookieContainer so that cookies are kept between requests
request.CookieContainer = CookieJar; // CookieJar is a static CookieContainer
// get the response from the web service
var response = request.GetResponse();
// extract the session token ("jeton") from the HTTPS response headers
return response.Headers["OSCP_RESPONSE"];


Do you have some examples for this kind of app?

Thank you,
Florin MANEA
#16883
Posted: 06/30/2011 06:26:42
by Ken Ivanov (EldoS Corp.)

Thank you for getting in touch with us.

Apparently, you should use the TElHTTPSClient class to submit a request to get a "jeton". I think the best way for you would be to start with HTTPGet sample (Samples\C#\HTTPBlackbox\HTTPGet) in this regard. Note that the sample "as is" won't work for you, because it is not configured to perform any user authentication. You will need to extend it with the following:

1) Set up Username and Password properties to match the credentials you received from the service provider.

2) Load the certificate from the token. This should be done with TElPKCS11CertStorage object. There is another sample (Samples\C#\PKIBlackbox\CertTokenDemo) that illustrates how to open the storage and access certificates stored on it.

3) Bind the certificate to the TElHTTPSClient object. To do this, (a) create a brand new TElMemoryCertStorage object, and (b) add the token-based certificate object (which can be accessed via the TElPKCS11CertStorage.Certificates[] property) to the created memory storage via its Add() method. Next, assign the TElMemoryCertStorage object to the ClientCertStorage property of the TElHTTPSClient object.
#16884
Posted: 06/30/2011 07:57:06
by florin manea (Basic support level)
Joined: 06/30/2011
Posts: 10

Thank you for the prompt reply.

Are there equivalent demos for Delphi? You pointed me to C#, but Delphi is all I know.

In the Delphi samples I saw ../HTTPBlackBox/Client, but I can't find an equivalent of \C#\PKIBlackbox\CertTokenDemo.
#16885
Posted: 06/30/2011 08:04:27
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

The demo you need is located in \EldoS\SecureBlackbox\Samples\Delphi\PKIBlackbox\PKCS11\Manager folder.
#16886
Posted: 06/30/2011 09:01:14
by florin manea (Basic support level)
Joined: 06/30/2011
Posts: 10

Hello,

I can't find any PKCS#11 DLL required by \PKIBlackbox\PKCS11\Manager on my computer.
The Aladdin eToken software was installed from an MSI package.
Or should I reinstall it?
#16887
Posted: 06/30/2011 09:05:36
by Ken Ivanov (EldoS Corp.)

PKCS#11 DLL is installed along with the driver of the token. Please refer to the documentation of the token to find out the exact name of the driver DLL.
#16888
Posted: 06/30/2011 10:04:38
by florin manea (Basic support level)
Joined: 06/30/2011
Posts: 10

I tried all the DLLs found in ..\CommonFiles\Aladdin Shared\eToken\PKIClient.
All I got was this error:
'..PKCS#11 provider DLL doesn't export all required functions (error code is 0)'

..hmm, is there a light at the end of the tunnel?
#16889
Posted: 06/30/2011 10:12:06
by Ken Ivanov (EldoS Corp.)

Actually, PKCS#11 drivers are usually installed directly to the System32 folder, not to the installation folder of the firmware. Not sure about the situation these days, but a few years ago eToken's PKCS#11 DLL used to be named as etpkcs11.dll.
#16890
Posted: 06/30/2011 10:21:33
by florin manea (Basic support level)
Joined: 06/30/2011
Posts: 10

You are a genius!
I found etpkcs11.dll exactly where you said.

OK, now I have to translate your advice into code.
Quote
1) Set up Username and Password properties to match the credentials you received from the service provider.

2) Load the certificate from the token. This should be done with TElPKCS11CertStorage object. There is another sample (Samples\C#\PKIBlackbox\CertTokenDemo) that illustrates how to open the storage and access certificates stored on it.

3) Bind the certificate to the TElHTTPSClient object.


Thank you for your support!
#16920
Posted: 07/01/2011 11:41:56
by florin manea (Basic support level)
Joined: 06/30/2011
Posts: 10

Hello,
I am back after a lot of failures.
Quote
2) Load the certificate from the token. This should be done with TElPKCS11CertStorage object. There is another sample (Samples\C#\PKIBlackbox\CertTokenDemo) that illustrates how to open the storage and access certificates stored on it.

In the PKIBlackbox\PKCS11\CertStorage example, I dragged and dropped a new TElMemoryCertStorage object.
I saw that after etpkcs11.dll is loaded, I can choose the certificate and enter the password.

Now, I presume that step 2 as you told me = modify the RefreshCertificates procedure. So I added one line: ElMemoryCertStorage1.Add(cert);
See the comments below.

Code
procedure TfrmMain.RefreshCertificates;
var
  i: integer;
  Cert: TElX509Certificate;
  Item: TListItem;
  S: string;

  function GetAlgStr(alg: integer): string;
  begin
    case alg of
      SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION: Result := 'RSA';
      SB_CERT_ALGORITHM_ID_DSA: Result := 'DSA';
      SB_CERT_ALGORITHM_DH_PUBLIC: Result := 'DH';
    else
      Result := 'Unknown';
    end;
  end;

begin
  lvCerts.Items.Clear;
  for i := 0 to Storage.Count - 1 do
  begin
    Cert := Storage.Certificates[i];
    Item := lvCerts.Items.Add;
    Item.ImageIndex := 3;
    { Subject }
    S := Cert.SubjectName.CommonName;
    if S = '' then
      S := Cert.SubjectName.Organization;
    Item.Caption := S;
    { Issuer }
    S := Cert.IssuerName.CommonName;
    if S = '' then
      S := Cert.IssuerName.Organization;
    Item.SubItems.Add(S);
    { Validity period }
    Item.SubItems.Add(DateToStr(Cert.ValidFrom));
    Item.SubItems.Add(DateToStr(Cert.ValidTo));
    { Algorithm }
    S := GetAlgStr(Cert.PublicKeyAlgorithm);
    S := S + ' (' + IntToStr(Cert.GetPublicKeySize) + ' bits)';

    /////////////////////////////////////
    // this is the load of the certificate, after I selected it from lvCerts
    ElMemoryCertStorage1.Add(Cert);
    /////////////////////////////////////

    if Cert.PrivateKeyExists then
      S := S + ' (priv)';
    Item.SubItems.Add(S);
  end;
end;



3. Also, I copied the code from the HTTPGet example into the CertStorage example.
HTTPSClient has both CertStorage and ClientCertStorage autocompleted with the TElMemoryCertStorage object.

On the HTTPSClient object I saw many fields for user and password.
Where should I put the user and password: at WebTunnel, or above, at SRPUser?

Really sorry for stressing you,
Florin
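The three steps from Ken's reply (#16883) and the user/password question at the end of #16920, wired together as one added Delphi example. This is not code from the thread and not one of the SecureBlackbox samples. The only names taken from the thread are TElPKCS11CertStorage, TElMemoryCertStorage, TElHTTPSClient, ClientCertStorage, Username, Password, Certificates[], Count, Add(), PrivateKeyExists, ValidFrom, ValidTo, the validator URL and the OSCP_RESPONSE header name from the .NET sample; everything else (the unit names, SlotCount/Slots[]/TokenPresent, OpenSession, Login(utUser, ...)/Logout, GetIssuerCertificate, ValidateWithCA, the OnCertificateValidate and OnReceivingHeaders event signatures, Get() returning the HTTP status code, and the TJetonFetcher class and its Roots storage) is my assumption about the SecureBlackbox API and must be checked against its help before use.

```delphi
unit JetonDemo; { added example, not from the thread or the SecureBlackbox samples }
interface

uses SysUtils, Classes, SBX509, SBCustomCertStorage, SBPKCS11Base,
  SBPKCS11CertStorage, SBHTTPSClient;

type
  TJetonFetcher = class
  public
    Roots: TElMemoryCertStorage; { CA certificate(s) the caller trusts for www.siui.ro }
    Jeton: string;               { filled by DoHeaders from the response headers }
    procedure DoValidate(Sender: TObject; Cert: TElX509Certificate; var Validate: Boolean);
    procedure DoHeaders(Sender: TObject; Headers: TStringList);
    function GetJeton(const Pkcs11Dll, PIN, UserName, Password: string): string;
  end;

implementation

{ Server certificate check. The .NET sample in #16882 accepts every certificate
  (ServerCertificateBypass), so a man-in-the-middle could collect both the password
  and the jeton. Accept the server only if a trusted CA signed its certificate and
  it is within its validity period. (ASSUMED: GetIssuerCertificate, ValidateWithCA.) }
procedure TJetonFetcher.DoValidate(Sender: TObject; Cert: TElX509Certificate; var Validate: Boolean);
var
  Idx: Integer;
begin
  Idx := Roots.GetIssuerCertificate(Cert);
  Validate := (Idx >= 0) and Cert.ValidateWithCA(Roots.Certificates[Idx]) and
    (Now >= Cert.ValidFrom) and (Now <= Cert.ValidTo);
end;

{ The jeton arrives in a response header named as in the .NET sample.
  (ASSUMED: the event delivers "Name: value" lines.) }
procedure TJetonFetcher.DoHeaders(Sender: TObject; Headers: TStringList);
var
  i: Integer;
begin
  for i := 0 to Headers.Count - 1 do
    if SameText(Copy(Headers[i], 1, 14), 'OSCP_RESPONSE:') then
      Jeton := Trim(Copy(Headers[i], 15, MaxInt));
end;

function TJetonFetcher.GetJeton(const Pkcs11Dll, PIN, UserName, Password: string): string;
var
  Token: TElPKCS11CertStorage;
  Session: TElPKCS11SessionInfo;
  ClientCerts: TElMemoryCertStorage;
  Https: TElHTTPSClient;
  i, Status: Integer;
begin
  Jeton := '';
  Session := nil;
  Token := TElPKCS11CertStorage.Create(nil);
  ClientCerts := TElMemoryCertStorage.Create(nil);
  Https := TElHTTPSClient.Create(nil);
  try
    { Step 2: open the token through its PKCS#11 module (etpkcs11.dll, #16890) and
      log in, so the private key can sign in the TLS handshake. (ASSUMED names.) }
    Token.DLLName := Pkcs11Dll;
    Token.Open;
    for i := 0 to Token.SlotCount - 1 do
      if Token.Slots[i].TokenPresent then
      begin
        Session := Token.Slots[i].OpenSession(True); { read-only is enough }
        Session.Login(utUser, PIN);
        Break;
      end;
    if Session = nil then
      raise Exception.Create('no token present in any PKCS#11 slot');
    { Step 3: copy only certificates whose private key is on the token into the
      memory storage (the key itself stays on the device), then bind it. }
    for i := 0 to Token.Count - 1 do
      if Token.Certificates[i].PrivateKeyExists then
        ClientCerts.Add(Token.Certificates[i]);
    if ClientCerts.Count = 0 then
      raise Exception.Create('token holds no certificate with a private key');
    Https.ClientCertStorage := ClientCerts;
    Https.OnCertificateValidate := DoValidate;
    Https.OnReceivingHeaders := DoHeaders; { ASSUMED event name }
    { Step 1: the HTTP Basic credentials from the provider go here, not into
      SRPUser/SRPPassword (SRP ciphersuites) or WebTunnel* (HTTP proxy). }
    Https.Username := UserName;
    Https.Password := Password;
    Status := Https.Get('https://www.siui.ro/OCSP/validator?username=' + UserName);
    if Status <> 200 then
      raise Exception.CreateFmt('validator answered HTTP %d', [Status]);
    Result := Jeton;
    if Result = '' then
      raise Exception.Create('no OSCP_RESPONSE header in the reply');
  finally
    Https.Free;
    ClientCerts.Free; { before the token storage: it refers to the token's key }
    if Session <> nil then
      Session.Logout;
    Token.Close;
    Token.Free;
  end;
end;

end.
```

Two points differ deliberately from the .NET sample: the server certificate is validated against a caller-supplied trusted CA storage instead of being accepted unconditionally, and the certificate is added to the memory storage once, when the token is opened, rather than inside a list-refresh loop as in the RefreshCertificates edit above. Like the sample, the user name is concatenated into the URL without URL-encoding; if provider user names can contain reserved characters, encode it first.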
