EldoS | Feel safer!

Software components for data protection, secure storage and transfer

TELSSHKey from Token

Posted: 12/20/2014 10:25:27
by marco hagen (Premium support level)
Joined: 11/09/2013
Posts: 33

Hi Eldos,

We have a X509 cert which holds an SSH key, we can access this via:

        Dim bSSHKEY As Byte() = New Byte() {}
        x509.SaveKeyToBufferPEM(bSSHKEY, Password)
        key.LoadPrivateKey(bSSHKEY, bSSHKEY.Length, Password)

This is working fine when we load the cert from PFX...

Now if we store this certificate on a Safenet Token the above does now work any more because the SaveKeyToBufferPEM is empty (not allowed by the token). Now is there another way to get to this? when TELSSHKey.import is used connecting to the server fails.

Posted: 12/20/2014 10:57:30
by Eugene Mayevski (Team)

We have SecureBlackbox.PKISSH.dll assembly which contains SBSSHPKCS11KeyStorage namespace which contains TElSSHPKCS11KeyStorage class which lets you add SSH keys to PKCS#11 devices and use *SSH keys* stored on devices for SSH authentication.

So if you can re-save the SSH key to the hardware using TElSSHPKCS11KeyStorage.Add method, then the rest should be trivial.

There might be a way to reuse the key material of the certificate in the SSH key but this is something that only developers can tell you and they will be available on monday.

Sincerely yours
Eugene Mayevski
Posted: 12/20/2014 11:27:59
by Ken Ivanov (Team)

Hi Marco,

Depending on the exact approach the key material is used in your SSH environment (as a generic key or as an X.509 certificate, this is not clear from your code) and the way the certificate is accessed, there are several methods you can use:

1. Import the key material from the certificate into an SSH key object with the use of TElSSHKey.Import() method. You might need to set the TElSSHClient.CertAuthMode property to camRawPublicKey if your server expects generic public key (and not X.509-based) authentication.

2. Access the key itself with the use of TElSSHPKCS11KeyStorage component, skipping the certificate step at all. This will work if your key is accessible via PKCS#11 interface and generic public key authentication is expected by the server.

Posted: 12/20/2014 12:05:27
by marco hagen (Premium support level)
Joined: 11/09/2013
Posts: 33

Hi Eugene, Ken,

Thank you, the TSBSSHCertAuthMode.camRawPublicKey setting makes the imported cert work....

Saving as a SSH key to the eToken would have been an option but this is even better.




Topic viewed 600 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!