EldoS | Feel safer!

Software components for data protection, secure storage and transfer

HSM Private Key but Certificate on disk

#18156
Posted: 11/11/2011 10:32:56
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

I need to PKCS#7 sign using a certificate chain available on disk (DER), but the certificate has no private key. The key is stored on an HSM, available via PKCS#11 (or CNG).

I'm looking at the
ElMessageSigner class for the PKCS#7
ElFileCertStorage to access the certificate.
ElPKCS11CertStorage to access the HSM

but ...

Quote
Note, that most devices don't give away the private key, so you won't be able to save the private key to the stream or buffer (although signing/decryption operations are possible if supported by the device itself).


.... so if I want to get the HSM to sign, what can I call in your API to get a sign(in, out, len, detached) to work.

Many thanks.
#18157
Posted: 11/11/2011 10:39:26
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Basically, you need to do the following:

1) Use TElPKCS11CertStorage to open the HSM and retrieve a certificate [containing a reference to the corresponding private key] from it,

2) Use TElX509Certificate to read certificates comprising the chain from disk (as they are DER encoded, you will need to read each certificate individually),

3) Create a brand new TElMemoryCertStorage object and Add() all the certificates to it,

4) Assign the TElMemoryCertStorage to TElMessageSigner.CertStorage property.
#18159
Posted: 11/11/2011 12:27:03
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

TelPKCS11CertStorage.Count = 0 !
TelPKCS11CertStorage.KeyCount = 12 !

I have Keys in the HSM, but the Certificates are on disk.

Can SecureBlackBox be told to reattach the pairing? (either by modifying the loaded TElX509Certificate object, or passing this through the certificate store somehow).

Thanks
#18160
Posted: 11/11/2011 12:39:06
by Eugene Mayevski (EldoS Corp.)

I am wondering how (from a technical point of view) one can match the certificate and its private key when they are separated in the way that you have.


Sincerely yours
Eugene Mayevski
#18161
Posted: 11/11/2011 12:44:54
by Ken Ivanov (EldoS Corp.)

Yes, but you will need to know the correct key object to attach to the signing certificate (and this must be a private key object).

Please do the following to construct the signing certificate object:

1. Load public part of the certificate into a brand new instance of TElX509Certificate.

2. Initialize and open the PKCS#11 storage.

3. Find the correct TElKeyMaterial object in the TElPKCS11CertStorage instance and pass it to TElX509Certificate.SetKeyMaterial() method. You will need to cast the parameter to TElPublicKeyMaterial type.

4. Now the TElX509Certificate contains the certificate capable of signing. Remember that you *must not* close the PKCS#11 storage until all the signing operations are completed.
#18162
Posted: 11/11/2011 12:47:38
by Ken Ivanov (EldoS Corp.)

UPD. There are some ways of matching the private key on the token to the public one in the certificate. One of the simplest ways is to compare the public moduli of both keys, if those are RSA ones.
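The modulus comparison described above, as an added example that is not part of the original thread and does not use the SecureBlackBox API. A DER INTEGER carries a leading 0x00 byte when the top bit of the modulus is set, so the sketch compares the values as integers rather than as raw byte strings and refuses to pick a key unless exactly one matches. The key labels and all sample bytes are constructed toy values.

```python
# Added example: match a certificate's RSA public key to a token key by modulus.
# Labels and byte strings below are constructed for illustration only.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus(rsa_public_key_der):
    """Extract n from RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    tag, body, _ = read_tlv(rsa_public_key_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(n_bytes, "big")    # the DER sign-padding byte drops out here


def find_token_key(cert_rsa_key_der, token_keys):
    """token_keys: iterable of (label, modulus bytes as reported by the token)."""
    n = rsa_modulus(cert_rsa_key_der)
    hits = [label for label, mod in token_keys if int.from_bytes(mod, "big") == n]
    if len(hits) != 1:                       # zero or several matches: do not guess
        raise LookupError(f"expected exactly one matching key, found {len(hits)}")
    return hits[0]


# Constructed toy data (64-bit modulus, far too small for real use).
CERT_KEY = bytes.fromhex("3010020900d1a2b3c4e5f607890203010001")
TOKEN_KEYS = [
    ("key-01", bytes.fromhex("9f8e7d6c5b4a3921")),
    ("key-07", bytes.fromhex("d1a2b3c4e5f60789")),   # same value, no leading 0x00
    ("key-12", bytes.fromhex("00d1a2b3c4e5f60788")),
]

if __name__ == "__main__":
    print(find_token_key(CERT_KEY, TOKEN_KEYS))
```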
#18179
Posted: 11/14/2011 11:30:21
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

Thanks for this.

Yes, sorry, I missed out the useful information that these are RSA keys so they are matchable.

I have found the key through the PublicModulus that matches the loaded certificate and called SetKeyMaterial() so now I just need to check the sign to see if this works ...

In order to confirm the signature output matches our old solution I need to create my PKCS#7 with the ContentType, MessageDigest, and SigningTime Authenticated Attributes.

SigningTime and MessageDigest were easy to add:
TElMessageSigner.SigningTime = DateTime.Now;
TElMessageSigner.SigningOptions = SBMessages.Unit.soInsertSigningTime | SBMessages.Unit.soInsertMessageDigests;

But how do I get it to add the ContentType, as there is no SigningOptions enum and AuthenticatedAttributes doesn't have an Add() method?

Many Thanks
#18180
Posted: 11/14/2011 11:54:58
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

You can add values to AuthenticatedAttributes this way:

Code
FPKCS7Signer.AuthenticatedAttributes.Count := FPKCS7Signer.AuthenticatedAttributes.Count + 1;
FPKCS7Signer.AuthenticatedAttributes.Attributes[idx] := ...;
FPKCS7Signer.AuthenticatedAttributes.Values[0] := ...;
FPKCS7Signer.AuthenticatedAttributes.Values[1] := ...;
...
#18184
Posted: 11/15/2011 04:25:40
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

Am I missing a cast somewhere? ElMessageSigner.AuthenticatedAttributes doesn't contain a Values array. Indeed it only has a Count property.

I've got set_Attributes(), but no set_Values().

Thanks
#18186
Posted: 11/15/2011 05:02:25
by Ken Ivanov (EldoS Corp.)

Each attribute can contain more than one associated value, therefore the ArrayList class is used to represent attribute values. Please use the following syntax:

ElMessageSigner.AuthenticatedAttributes.get_Values(i).Add(<ASN.1-encoded value>);
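The bytes involved in the ContentType attribute asked about above, as an added example that is not part of the original thread and not SecureBlackBox code. It DER-encodes the PKCS#9 contentType attribute OID and, as an assumption, the id-data content type as its value. The thread does not say whether Attributes[i] expects the bare OID octets or the full tag-length-value form, so the attribute OID is returned as bare octets and the value as a full TLV.

```python
# Added example: DER bytes for a PKCS#7 ContentType authenticated attribute.

def _base128(n):
    """Encode one OID arc: 7 bits per byte, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def oid_content(dotted):
    """DER content octets of an OBJECT IDENTIFIER (no tag, no length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = _base128(arcs[0] * 40 + arcs[1])   # first two arcs share one sub-identifier
    for arc in arcs[2:]:
        body += _base128(arc)
    return body


def oid_tlv(dotted):
    """Full DER encoding: tag 0x06, short-form length, content."""
    body = oid_content(dotted)
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body


CONTENT_TYPE_ATTR = "1.2.840.113549.1.9.3"    # PKCS#9 contentType attribute
ID_DATA = "1.2.840.113549.1.7.1"              # PKCS#7 data (assumed content type)


def content_type_attribute():
    """Return (attribute OID octets, DER-encoded attribute value)."""
    return oid_content(CONTENT_TYPE_ATTR), oid_tlv(ID_DATA)


if __name__ == "__main__":
    attr, value = content_type_attribute()
    print(attr.hex(), value.hex())
```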

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
