Digital signature PKCS11 and saving PKCS7

Posted: 03/21/2014 07:30:10
by ludo ludo (Basic support level)
Joined: 03/21/2014
Posts: 3


Do you have a sample to generate a digital signature in CMS (PKCS#7)
using a certificate stored on an HSM that can only be accessed via
PKCS#11 with a PIN code?

Kind regards
Posted: 03/21/2014 07:37:11
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

We have separate samples that show how to work with PKCS#11 and how to create PKCS#7/CMS signatures. You can easily combine them to implement what you need.

All needed samples are located in \EldoS\SecureBlackbox.<edition>\Samples\<language>\PKIBlackbox folder.
Posted: 03/24/2014 05:23:43
by ludo ludo (Basic support level)
Joined: 03/21/2014
Posts: 3


I tried to sign a document using a certificate in a PKCS#11 store.

I can access all the information I need; there is a PIN code required.

I'm using "Session.Login((int) SBPKCS11Base.Unit.utUser, paramPin);"

to set the PIN code, but when I use Signer.Sign a dialog box appears with

the request for the PIN code. How can I avoid this dialog box?

Kind regards

Posted: 03/24/2014 05:33:27
by Eugene Mayevski (EldoS Corp.)

Is it the same session that you set the pin for and the one via which the certificate is retrieved? It can happen that you used different ones and if the PKCS#11 DLL doesn't cache pins for a process, then the dialog box is shown.

Can you please post a code snippet that shows how you access PKCS#11 (from login to sign calls)?

Sincerely yours
Eugene Mayevski
Posted: 03/24/2014 05:43:46
by ludo ludo (Basic support level)
Joined: 03/21/2014
Posts: 3


Code snippet:

// Namespaces assumed for the SecureBlackbox types used below (not shown in the original snippet).
using System;
using System.Text;
using System.Windows.Forms;
using SBPKCS11Base;
using SBX509;
using SBMessages;
using SBCustomCertStorage;

private void btnSecureBlackbox_Click(object sender, EventArgs e)
{
            TElPKCS11CertStorage Storage;
            TElPKCS11SessionInfo Session;
            TElPKCS11SlotInfo SlotInfo;   // declared but unused, kept from the original
            TElX509Certificate Cert = null;
            TElMessageSigner Signer = new TElMessageSigner();

            String paramPKCS11DLL = @"C:\Windows\System32\beidpkcs11.dll";
            String paramSlotToOpen = "VASCO DP905v1.1 1";
            String paramCertificate = "Ludovic De Clercq (Signature)";
            String paramPin = "1234";

            int SlotNumber = -1;

            Storage = new TElPKCS11CertStorage();
            Storage.DLLName = paramPKCS11DLL;

            // Find the slot whose description matches the configured one
            for (int i = 0; i < Storage.Module.SlotCount; i++)
            {
                if (Storage.Module.get_Slot(i).SlotDescription == paramSlotToOpen)
                    SlotNumber = i;
            }

            // Only open a session if the slot was found and a token is inserted
            if (SlotNumber != -1 && Storage.Module.get_Slot(SlotNumber).TokenPresent)
            {
                Session = Storage.OpenSession(SlotNumber, true);

                // Log in as the user with the PIN on this same session
                Session.Login((int) SBPKCS11Base.Unit.utUser, paramPin);

                // Search the required certificate by its subject common name
                for (int i = 0; i < Storage.Count; i++)
                {
                    if (Storage.get_Certificates(i).SubjectName.CommonName == paramCertificate)
                        Cert = Storage.get_Certificates(i);
                }

                if (Cert != null)
                {
                    // Sign
                    TElMemoryCertStorage CertStorage = new TElMemoryCertStorage();
                    // Hand the token certificate to the signer; the original snippet omitted this
                    // step (Add(certificate, copyPrivateKey) is assumed from the SecureBlackbox API).
                    CertStorage.Add(Cert, false);
                    Signer.CertStorage = CertStorage;
                    Signer.UsePSS = false;

                    const String msg = "This is the message to be signed.";

                    ASCIIEncoding myAscii = new ASCIIEncoding();
                    byte[] msgBytes = myAscii.GetBytes(msg);

                    byte[] OutBuffer;
                    int OutSize = 9000;
                    OutBuffer = new byte[OutSize];

                    Signer.IncludeChain = true;
                    // Non-detached (enveloping) PKCS#7 signature; OutSize receives the bytes written
                    var res = Signer.Sign(msgBytes, ref OutBuffer, ref OutSize, false);
                }
            }
}



Posted: 03/24/2014 06:08:51
by Eugene Mayevski (EldoS Corp.)

The code is perfectly correct.

I think that you need to
a) check the settings of the PKCS#11 driver (they often come with some GUI) -- maybe there's a setting to cache or not to cache the PIN
b) contact the hardware vendor's support for comments.

Sincerely yours
Eugene Mayevski
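The following is an added example, written for this page and not code from the thread or from EldoS' samples. It shows the pattern Eugene's reply points at: one PKCS#11 session is opened, logged in, used to fetch the certificate and kept open until Sign() has returned, and only then released; it also trims the output to OutSize and writes the resulting PKCS#7 to a file, which the posted snippet stopped short of. Only the calls visible in the thread are taken from the page; Storage.Open()/Close(), Session.Logout(), Storage.CloseSession(), CertStorage.Add(cert, false) and Sign() returning 0 on success are assumptions about the SecureBlackbox API and are marked as such in the code.

```csharp
// Added example (not from the thread or from EldoS): single PKCS#11 session from
// Login() through Sign(), then trim and save the PKCS#7/CMS output.
// Assumed beyond what the thread shows: Storage.Open()/Close(), Session.Logout(),
// Storage.CloseSession(), CertStorage.Add(cert, false), and Sign() returning 0 on success.
using System;
using System.IO;
using SBPKCS11Base;
using SBX509;
using SBMessages;
using SBCustomCertStorage;

public static class TokenSigner
{
    // Returns the DER-encoded PKCS#7/CMS signature over `data`, or throws on failure.
    public static byte[] SignWithToken(string pkcs11Dll, string slotDescription,
                                       string certCommonName, string pin, byte[] data)
    {
        TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
        storage.DLLName = pkcs11Dll;
        storage.Open();                                  // assumed: loads the PKCS#11 DLL

        TElPKCS11SessionInfo session = null;
        try
        {
            // 1. Locate the slot by description and require an inserted token.
            int slotNumber = -1;
            for (int i = 0; i < storage.Module.SlotCount; i++)
            {
                TElPKCS11SlotInfo slot = storage.Module.get_Slot(i);
                if (slot.SlotDescription == slotDescription && slot.TokenPresent)
                    slotNumber = i;
            }
            if (slotNumber == -1)
                throw new InvalidOperationException("Slot not found or no token present");

            // 2. Open ONE session and log in as the user on that same session.
            //    The certificate used by the signer must come from this session, and the
            //    session must stay open until Sign() returns; a PKCS#11 driver that does
            //    not cache the PIN per process will otherwise prompt for it again.
            session = storage.OpenSession(slotNumber, true);
            session.Login((int) SBPKCS11Base.Unit.utUser, pin);

            // 3. Pick the signing certificate from the logged-in storage.
            TElX509Certificate cert = null;
            for (int i = 0; i < storage.Count; i++)
            {
                if (storage.get_Certificates(i).SubjectName.CommonName == certCommonName)
                    cert = storage.get_Certificates(i);
            }
            if (cert == null)
                throw new InvalidOperationException("Certificate not found on token");

            // 4. Sign while the session is still logged in. The private key stays on the
            //    token; the memory storage only references the token-backed certificate.
            TElMemoryCertStorage certStorage = new TElMemoryCertStorage();
            certStorage.Add(cert, false);                // assumed: (certificate, copyPrivateKey)

            TElMessageSigner signer = new TElMessageSigner();
            signer.CertStorage = certStorage;
            signer.UsePSS = false;
            signer.IncludeChain = true;

            // Oversized buffer as in the posted snippet; the content is embedded in the
            // signature (non-detached), so allow for the data plus certificates and attributes.
            int outSize = data.Length + 16384;
            byte[] outBuffer = new byte[outSize];
            int res = signer.Sign(data, ref outBuffer, ref outSize, false);
            if (res != 0)                                // assumed: 0 means success
                throw new InvalidOperationException("Sign failed, error code " + res);

            // 5. outSize now holds the number of bytes actually written; drop the slack so the
            //    saved file is valid DER and not padded with zeros.
            byte[] signature = new byte[outSize];
            Array.Copy(outBuffer, signature, outSize);
            return signature;
        }
        finally
        {
            // 6. Only now release the session and unload the module.
            if (session != null)
            {
                session.Logout();                        // assumed
                storage.CloseSession(session);           // assumed
            }
            storage.Close();                             // assumed
        }
    }

    // Reads a file, signs it on the token and writes the enveloping PKCS#7 next to it.
    public static void SignFileToPkcs7(string inputPath, string outputPath, string pkcs11Dll,
                                       string slotDescription, string certCommonName, string pin)
    {
        byte[] data = File.ReadAllBytes(inputPath);
        byte[] p7 = SignWithToken(pkcs11Dll, slotDescription, certCommonName, pin, data);
        File.WriteAllBytes(outputPath, p7);              // e.g. "document.p7m"
    }
}
```

The PIN is passed in as a parameter rather than stored in the source: with a hardware token the PIN is the only secret the application ever handles, so it belongs in a prompt or a protected configuration, not in a string literal. If the driver still shows its own dialog after this arrangement, the remaining cause is the driver-side PIN caching setting Eugene mentions, which this code cannot influence.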