EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PKCS#11 AlwaysAuthenticate and Login to token, question

Posted: 01/24/2013 03:26:12
by Jan Białokozowicz (Standard support level)
Joined: 08/20/2012
Posts: 8

My problem is the following:

When using tokens that require a "relogin" or "additional login" after each sign operation, I am checking the AlwaysAuthenticate property on
TElPKCS11PrivateKeyObject. And that is good, because I know whether I need to relogin.
(CKA_ALWAYS_AUTHENTICATE attribute on the private key object)

The problem is in the TElPKCS11SessionInfo.Login procedure:

As I see in the source:

// since only one login is required per application, do optional login
if FSlot.FLoggedIn = 0 then
  // all that login stuff :)

So as I understand it, doing multiple logins after the "main" login is not possible?
Am I missing something?

I use the VCL version of SecureBlackBox, the TElPkcs11CertStorage component.
Posted: 01/24/2013 03:32:26
by Ken Ivanov (Team)


I am afraid per-operation authentication is not supported by our components. We will check the possibilities of adding support for it in the near future, though.
Posted: 01/24/2013 05:07:21
by Jan Białokozowicz (Standard support level)
Joined: 08/20/2012
Posts: 8

It would be great, because we want to use this functionality. Our customer wants to sign about 300 documents at once.

We are waiting for any news.
Posted: 01/25/2013 11:21:17
by Ken Ivanov (Team)


I'd just like to confirm that the feature you requested has been added to the components and will be available in the upcoming SecureBlackbox update (expected to be released within several days). To pass a PIN to a particular private key operation, please use the OperationPIN option of the PKCS#11 cryptoprovider's options object:

TElPKCS11CryptoProviderOptions(TElPKCS11CryptoProvider(Session.CryptoProvider).Options).OperationPIN := '1234';
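The sequence that the OperationPIN option has to produce at the PKCS#11 level is fixed by the Cryptoki specification: one C_Login with CKU_USER per session, and then, for every operation on a key whose CKA_ALWAYS_AUTHENTICATE attribute is CK_TRUE, a second C_Login with CKU_CONTEXT_SPECIFIC issued after C_SignInit and before C_Sign, valid for that single operation only. The following Python block is an added example, not SecureBlackbox or EldoS code: it models that token-side state machine (the ModelToken class is a stand-in for a real token, and its HMAC "signature" is only a placeholder for the signature primitive), then runs the 300-document batch from the thread through the correct sequence and through the original one-login sequence to show where the latter fails. The constant values are the real PKCS#11 ones; the handles, PINs and documents are constructed sample data.

```python
# Added example (not SecureBlackbox/EldoS code): a model of the PKCS#11 login
# state machine for a key with CKA_ALWAYS_AUTHENTICATE, and the signing loop
# an application must run against it. Assumption: spec-conformant token
# behaviour; no real Cryptoki library is loaded.
import hashlib
import hmac

# Real PKCS#11 (Cryptoki v2.20) constant values.
CKU_USER = 1
CKU_CONTEXT_SPECIFIC = 2
CKA_ALWAYS_AUTHENTICATE = 0x202
CKR_OK = 0x00
CKR_OPERATION_NOT_INITIALIZED = 0x91
CKR_PIN_INCORRECT = 0xA0
CKR_USER_NOT_LOGGED_IN = 0x101


class PKCS11Error(Exception):
    def __init__(self, rv: int):
        super().__init__(f"CKR 0x{rv:X}")
        self.rv = rv


class ModelToken:
    """Stand-in for one PKCS#11 session on a token (constructed, not a real driver).
    Models only what the thread is about: one CKU_USER login per session plus,
    for always-authenticate keys, a CKU_CONTEXT_SPECIFIC login that is legal
    only while a signing operation is active and is consumed by that operation."""

    def __init__(self, user_pin: str, operation_pin: str, keys: dict):
        self._pins = {CKU_USER: user_pin, CKU_CONTEXT_SPECIFIC: operation_pin}
        self._keys = keys                  # handle -> {"secret": bytes, attr: value}
        self._user_logged_in = False
        self._active_key = None            # set by c_sign_init, cleared by c_sign
        self._context_authenticated = False

    def c_login(self, user_type: int, pin: str) -> None:
        if user_type == CKU_CONTEXT_SPECIFIC and (
                not self._user_logged_in or self._active_key is None):
            # Context-specific login outside an active operation is rejected.
            raise PKCS11Error(CKR_OPERATION_NOT_INITIALIZED)
        if pin != self._pins[user_type]:
            raise PKCS11Error(CKR_PIN_INCORRECT)
        if user_type == CKU_USER:
            self._user_logged_in = True
        else:
            self._context_authenticated = True

    def c_get_attribute(self, key: int, attr: int):
        return self._keys[key].get(attr)

    def c_sign_init(self, key: int) -> None:
        if not self._user_logged_in:
            raise PKCS11Error(CKR_USER_NOT_LOGGED_IN)
        self._active_key = key
        self._context_authenticated = False   # a fresh operation needs a fresh login

    def c_sign(self, data: bytes) -> bytes:
        key = self._active_key
        if key is None:
            raise PKCS11Error(CKR_OPERATION_NOT_INITIALIZED)
        self._active_key = None               # single-part sign ends the operation
        if self._keys[key].get(CKA_ALWAYS_AUTHENTICATE) and not self._context_authenticated:
            raise PKCS11Error(CKR_USER_NOT_LOGGED_IN)
        self._context_authenticated = False
        # Placeholder for the real signature primitive.
        return hmac.new(self._keys[key]["secret"], data, hashlib.sha256).digest()


def sign_batch(token: ModelToken, key: int, user_pin: str, operation_pin: str, documents):
    """Correct sequence: log in once as CKU_USER, and if the key carries
    CKA_ALWAYS_AUTHENTICATE, log in with CKU_CONTEXT_SPECIFIC between
    C_SignInit and C_Sign for every single document."""
    token.c_login(CKU_USER, user_pin)
    always_auth = bool(token.c_get_attribute(key, CKA_ALWAYS_AUTHENTICATE))
    signatures = []
    for doc in documents:
        token.c_sign_init(key)
        if always_auth:
            token.c_login(CKU_CONTEXT_SPECIFIC, operation_pin)
        signatures.append(token.c_sign(doc))
    return signatures


def sign_batch_single_login(token: ModelToken, key: int, user_pin: str, documents) -> int:
    """The one-login-per-session sequence from the original component.
    Returns the CKR code of the first failure, or CKR_OK."""
    token.c_login(CKU_USER, user_pin)
    try:
        for doc in documents:
            token.c_sign_init(key)
            token.c_sign(doc)
    except PKCS11Error as e:
        return e.rv
    return CKR_OK


def context_login_without_operation(token: ModelToken, user_pin: str, operation_pin: str) -> int:
    """Context-specific login with no operation in progress: returns its CKR code."""
    token.c_login(CKU_USER, user_pin)
    try:
        token.c_login(CKU_CONTEXT_SPECIFIC, operation_pin)
    except PKCS11Error as e:
        return e.rv
    return CKR_OK


def make_token() -> ModelToken:
    # Constructed sample: handle 7 requires per-operation authentication, handle 8 does not.
    return ModelToken("1234", "1234", {
        7: {"secret": b"key-7", CKA_ALWAYS_AUTHENTICATE: True},
        8: {"secret": b"key-8", CKA_ALWAYS_AUTHENTICATE: False},
    })


if __name__ == "__main__":
    docs = [f"document {i}".encode() for i in range(300)]
    print(len(sign_batch(make_token(), 7, "1234", "1234", docs)), "signatures with per-operation login")
    print(hex(sign_batch_single_login(make_token(), 7, "1234", docs)), "from the single-login sequence")
```

The point to take from the model is the ordering: the context-specific PIN is only accepted while a signing operation is initialised, and it is spent by that operation, so the check on AlwaysAuthenticate has to be made per key and the relogin repeated per document, not once after the storage is opened.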
Posted: 02/26/2013 10:14:00
by walter Schrabmair (Basic support level)
Joined: 12/15/2012
Posts: 43

Ken, could you point out where in the TinySignerPKCS11 demo this line should be added?
It would be great if you could find a solution.
Posted: 02/26/2013 10:18:53
by Ken Ivanov (Team)


Anywhere after the storage is opened and before the signing or decryption operation is invoked.
Posted: 03/08/2013 06:45:24
by walter Schrabmair (Basic support level)
Joined: 12/15/2012
Posts: 43

I just got a second smart card reader, which uses the CCID class driver for its USB interface. One question: when I insert the smart card I can see this card in the system cert storage in the Tiny PDF signer. When I want to use this cert I just have to enter the cert PIN and I can sign.

I thought a smart card would be a PKCS#11 token, where I must use the PKCS11Signer demo. What is the difference between PKCS11 and the Windows system cert storage? So I can use the smart card cert without the PKCS#11 DLL library at all.

Thanks for delighting me.
Posted: 03/08/2013 12:25:52
by Ken Ivanov (Team)


Both CryptoAPI (system stores) and PKCS#11 are unified higher-level interfaces for accessing certificates residing on hardware security modules. Depending on the token you use and the specifics of your product, you can use either of the interfaces or both of them at the same time.

Both interfaces can be viewed as a proxy between your application and the low-level driver of the token. Whenever you make PKCS#11 calls to the token, the token's PKCS#11 driver converts them to the form understandable by the low-level driver and then passes them to that driver. Whenever you access the token via CryptoAPI, the same job is performed by the CryptoAPI CSP module.

Depending on the vendor, the token may or may not support each of these methods, i.e. it might not come with a PKCS#11 driver (and you won't be able to access it via the PKCS#11 interface in this case), or it might not install the appropriate CSP in the system (making it impossible to use it via CryptoAPI).

This way, if your token can be accessed via the Windows system stores mechanism and you are happy with it, there is no requirement for you to use PKCS#11.
Posted: 03/08/2013 13:23:41
by walter Schrabmair (Basic support level)
Joined: 12/15/2012
Posts: 43

Thanks a lot, Ken, for your informative statement.
Do you think that when I use CryptoAPI I can use the OperationPIN property?
(as mentioned earlier)

Posted: 03/08/2013 16:21:14
by Ken Ivanov (Team)

OperationPIN is specific to PKCS#11 cryptoprovider. You can try passing the PIN via the TElX509Certificate.KeyMaterial.KeyExchangePIN and TElX509Certificate.KeyMaterial.SignaturePIN properties when using certificates originating from Windows system stores.



As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.