HSM Private Key but Certificate on disk

Posted: 11/11/2011 10:32:56
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

I need to PKCS#7 sign using a certificate chain available on disk (DER), but the certificate has no private key. The key is stored on an HSM, available via PKCS#11 (or CNG).

I'm looking at the
ElMessageSigner class for the PKCS#7
ElFileCertStorage to access the certificate.
ElPKCS11CertStorage to access the HSM

but ...

Note, that most devices don't give away the private key, so you won't be able to save the private key to the stream or buffer (although signing/decryption operations are possible if supported by the device itself).

.... so if I want to get the HSM to sign, what can I call in your API to get a sign(in, out, len, detached) to work?

Many thanks.
Posted: 11/11/2011 10:39:26
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Basically, you need to do the following:

1) Use TElPKCS11CertStorage to open the HSM and retrieve a certificate [containing a reference to the corresponding private key] from it,

2) Use TElX509Certificate to read certificates comprising the chain from disk (as they are DER encoded, you will need to read each certificate individually),

3) Create a brand new TElMemoryCertStorage object and Add() all the certificates to it,

4) Assign the TElMemoryCertStorage to TElMessageSigner.CertStorage property.
Posted: 11/11/2011 12:27:03
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

TElPKCS11CertStorage.Count = 0 !
TElPKCS11CertStorage.KeyCount = 12 !

I have Keys in the HSM, but the Certificates are on disk.

Can SecureBlackBox be told to reattach the pairing? (either by modifying the loaded TElX509Certificate object, or passing this through the certificate store somehow).

Posted: 11/11/2011 12:39:06
by Eugene Mayevski (EldoS Corp.)

I am wondering how (from a technical point of view) one can match the certificate and its private key when they are separated in the way that you have.

Sincerely yours
Eugene Mayevski
Posted: 11/11/2011 12:44:54
by Ken Ivanov (EldoS Corp.)

Yes, but you will need to know the correct key object to attach to the signing certificate (and this must be a private key object).

Please do the following to construct the signing certificate object:

1. Load the public part of the certificate into a brand new instance of TElX509Certificate.

2. Initialize and open the PKCS#11 storage.

3. Find the correct TElKeyMaterial object in the TElPKCS11CertStorage instance and pass it to the TElX509Certificate.SetKeyMaterial() method. You will need to cast the parameter to the TElPublicKeyMaterial type.

4. Now the TElX509Certificate contains the certificate capable of signing. Remember that you *must not* close the PKCS#11 storage until all the signing operations are completed.
Posted: 11/11/2011 12:47:38
by Ken Ivanov (EldoS Corp.)

UPD. There are some ways of matching the private key on the token to the public one in the certificate. One of the simplest ways is to compare the public moduli of both keys, if those are RSA ones.
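
The modulus comparison suggested above, as an added example (not EldoS or SecureBlackBox code): standard-library Python that pulls the RSA modulus out of a DER certificate and matches it against moduli read from the token. It compares integers because DER stores the modulus as a signed INTEGER, usually with a leading 0x00 octet, while a token may return the bare unsigned bytes; the certificate skeleton, key labels and `token_moduli` mapping are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List the elements directly inside a constructed value."""
    items = []
    while start < end:
        items.append(read_tlv(buf, start))
        start = items[-1][2]
    return items

def cert_rsa_modulus(der):
    """Certificate -> TBSCertificate -> SubjectPublicKeyInfo -> RSAPublicKey.modulus."""
    _, s, e = read_tlv(der, 0)
    _, s, e = children(der, s, e)[0]           # TBSCertificate
    fields = children(der, s, e)
    if fields[0][0] == 0xA0:                   # optional [0] version
        fields = fields[1:]
    _, s, e = fields[5]                        # after serial, sigAlg, issuer, validity, subject
    _, bits, _ = children(der, s, e)[1]        # subjectPublicKey BIT STRING
    _, s, e = read_tlv(der, bits + 1)          # skip the unused-bits octet
    _, s, e = children(der, s, e)[0]           # modulus INTEGER
    return int.from_bytes(der[s:e], "big")     # as an integer, the DER sign octet drops out

def find_token_key(cert_der, token_moduli):
    """Return the label whose modulus equals the certificate's, else None."""
    n = cert_rsa_modulus(cert_der)
    return next((label for label, raw in token_moduli.items()
                 if int.from_bytes(raw, "big") == n), None)

# --- constructed sample: skeleton certificate, not a real key or certificate ---
def tlv(tag, body):
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

N = (1 << 1023) | 0xC0FFEE01                   # constructed 1024-bit value, top bit set
RSA_KEY = tlv(0x30, tlv(0x02, b"\x00" + N.to_bytes(128, "big")) + tlv(0x02, b"\x01\x00\x01"))
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + RSA_KEY))
EMPTY = tlv(0x30, b"")
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + EMPTY * 4 + SPKI)
SAMPLE_CERT = tlv(0x30, TBS + EMPTY + tlv(0x03, b"\x00"))
TOKEN_MODULI = {"key-03": (N ^ 2).to_bytes(128, "big"), "key-07": N.to_bytes(128, "big")}
```

A byte-for-byte comparison of the certificate's 129-octet INTEGER content against the 128-octet token value would miss the match that `find_token_key(SAMPLE_CERT, TOKEN_MODULI)` finds.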
Posted: 11/14/2011 11:30:21
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

Thanks for this.

Yes, sorry, I missed out the useful information that these are RSA keys so they are matchable.

I have found the key through the PublicModulus that matches the loaded certificate and called SetKeyMaterial() so now I just need to check the sign to see if this works ...

In order to confirm the signature output matches our old solution I need to create my PKCS#7 with the ContentType, MessageDigest, and SigningTime Authenticated Attributes.

SigningTime and MessageDigest were easy to add:
TElMessageSigner.SigningTime = DateTime.Now;
TElMessageSigner.SigningOptions = SBMessages.Unit.soInsertSigningTime | SBMessages.Unit.soInsertMessageDigests;

But how do I get it to add the ContentType, as there is no SigningOptions enum and AuthenticatedAttributes doesn't have an Add() method?

Many Thanks
Posted: 11/14/2011 11:54:58
by Vsevolod Ievgiienko (EldoS Corp.)


You can add values to AuthenticatedAttributes this way:

FPKCS7Signer.AuthenticatedAttributes.Count := FPKCS7Signer.AuthenticatedAttributes.Count + 1;
FPKCS7Signer.AuthenticatedAttributes.Attributes[idx] := ...;
FPKCS7Signer.AuthenticatedAttributes.Values[0] := ...;
FPKCS7Signer.AuthenticatedAttributes.Values[1] := ...;
Posted: 11/15/2011 04:25:40
by Aarron Shaughnessy (Standard support level)
Joined: 11/11/2011
Posts: 14

Am I missing a cast somewhere? ElMessageSigner.AuthenticatedAttributes doesn't contain a Values array. Indeed it only has a Count property.

I've got set_Attributes(), but no set_Values().

Posted: 11/15/2011 05:02:25
by Ken Ivanov (EldoS Corp.)

Each attribute can contain more than one associated value, therefore the ArrayList class is used to represent attribute values. Please use the following syntax:

ElMessageSigner.AuthenticatedAttributes.get_Values(i).Add(<ASN.1-encoded value>);
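
What the ASN.1-encoded contentType value looks like, as an added example (not EldoS code): Python that DER-encodes the PKCS #9 contentType attribute carrying id-data, plus a signingTime attribute, so the bytes can be compared against another signer's output. Helper names and the sample timestamp are constructed; whether the library expects the attribute type as a full OID TLV or as bare OID content octets is not stated in the thread.

```python
from datetime import datetime, timezone

OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"   # PKCS #9 contentType
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"   # PKCS #9 signingTime
OID_DATA = "1.2.840.113549.1.7.1"           # PKCS #7 id-data

def der(tag, body):
    assert len(body) < 128                  # short-form length covers these attributes
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    """DER-encode a dotted OID: first two arcs share one octet, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last octet
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def utc_time(moment):
    """DER UTCTime (YYMMDDHHMMSSZ), the form CMS uses for signingTime through 2049."""
    return der(0x17, moment.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ").encode())

def attribute(attr_oid, value):
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }."""
    return der(0x30, encode_oid(attr_oid) + der(0x31, value))

CONTENT_TYPE_VALUE = encode_oid(OID_DATA)   # the ASN.1-encoded value for contentType
CONTENT_TYPE_ATTR = attribute(OID_CONTENT_TYPE, CONTENT_TYPE_VALUE)
SIGNING_TIME_ATTR = attribute(OID_SIGNING_TIME,   # constructed sample timestamp
                              utc_time(datetime(2011, 11, 14, 11, 30, 21, tzinfo=timezone.utc)))
```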