Encrypting with token private key?

#3268
Posted: 07/02/2007 18:12:00
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Hi,

I need to sign some data, but because the signed message must have some specific fields included I can't use your ElMessageSigner class so I will adapt Bouncycastle libraries to achieve the expected result. Of course then I need to generate message digest (TElHashFunction is doing its job) and signature (that is encrypt message digest with private key) myself.

My question is:
Is it possible, using your library, to encrypt data with private key stored on PKCS#11 Token? If so, could you please provide an example? Or maybe I'm missing a thing and signature generation process is not encrypting message digest with signer's private key?

Sincerely yours,
Tomasz Sawicki
#3269
Posted: 07/03/2007 01:28:07
by Ken Ivanov (EldoS Corp.)

You can access a PKCS#11 token in two ways, using either the PKCS#11 driver or Win32 CryptoAPI. The signing process is the same for both cases -- (a) to obtain the signing certificate and (b) to pass the source data and certificate to the input of the signer object. The difference is that in the first case (PKCS#11 driver) the certificate should be obtained from a TElPKCS11CertStorage object, and in the second case (CryptoAPI) it should be obtained from a TElWin32CertStorage object.

You will find PKCS#11 samples in the following locations:

VCL edition:
SBB\Samples\PKI\PKCS11\

.NET edition:
SBB\Samples\C#|VB.NET\PKIBlackbox\CertTokenDemo\

ActiveX edition:
SBB\Samples\VB6\PKIBlackbox\PKCS11\

Quote
Or maybe I'm missing a thing and signature generation process is not encrypting message digest with signer's private key?

Yes -- on the lowest abstraction level. Besides the encrypted digest itself, the signature may contain additional fields, such as the signer's certificate, the complete certificate chain or additional attributes.

BTW, what exactly specific fields do you wish to add to the signature? Signatures created by TElMessageSigner are completely conformant to PKCS#7 (CMS) specification, so it can add all the fields declared by this specification.
#3272
Posted: 07/03/2007 15:15:31
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Quote

.NET edition:
SBB\Samples\C#|VB.NET\PKIBlackbox\CertTokenDemo\

Thank you. I used this sample a lot before I asked my questions. I know there is Signing function used in there.
Quote

Yes -- on the lowest abstraction level.

So, my question was: is it possible to generate the signature value (encrypting with private key) using SecureBlackbox with certificate on a token.
Help files for your library list some classes (Low-level cryptography/Assymetric) but they are only "public based" classes.
Quote

BTW, what exactly specific fields do you wish to add to the signature?

1. EncapsulatedContentInfo's eContentType must be set to a specific OID: 1.2.616.1.101.4.1.1
2. SignerInfo's SignedAttr must be present and must include:
- signing-time attribute
- commitment-type-indication attribute set to 1.2.840.113549.1.9.16.6.5
- content-type attribute set to 1.2.616.1.101.4.1.1
- signing-certificate attribute (1.2.840.113549.1.9.16.2.12) must contain ESS SigningCertificate sequence (from RFC2634)
- and of course message-digest attribute

All these requirements come from ETSI TS 101 733 standard (Basic Electronic Signature) and our government regulations regarding the use of this signature (student identification card).

Can it be done using your ElMessageSigner class?

Thank you for your prompt responses.

Tomasz Sawicki
#3273
Posted: 07/04/2007 01:50:47
by Eugene Mayevski (EldoS Corp.)

Quote
Falundir wrote:
So, my question was: is it possible to generate the signature value (encrypting with private key) using SecureBlackbox with certificate on a token.
Help files for your library list some classes (Low-level cryptography/Assymetric) but they are only "public based" classes.


This is a misinterpretation of the terms. Public Key Cryptography stands for asymmetric algorithms, which operate with public *and* private keys.

"Encrypting with private key" is called signing and that's what you need to do. Unfortunately there's no way to do raw signing of the value with PKCS#11 at the moment (at least in .NET). We have the corresponding ToDo item in the list, but this will probably only go to SecureBlackbox 6, which is planned for autumn.


Sincerely yours
Eugene Mayevski
#3275
Posted: 07/04/2007 02:17:38
by Ken Ivanov (EldoS Corp.)

Quote
1. EncapsulatedContentInfo's eContentType must be set to a specific OID: 1.2.616.1.101.4.1.1

TElMessageSigner.ContentType property is responsible for this:

Signer.ContentType := StrToOID('1.2.616.1.101.4.1.1');

Quote
2. SignerInfo's SignedAttr must be present and must include:
- signing-time attribute

Can be set via TElMessageSigner.SigningTime property.
Quote
- commitment-type-indication attribute set to 1.2.840.113549.1.9.16.6.5
- content-type attribute set to 1.2.616.1.101.4.1.1
- signing-certificate attribute (1.2.840.113549.1.9.16.2.12) must contain ESS SigningCertificate sequence (from RFC2634)

Can be set manually using TElMessageSigner.AuthenticatedAttributes property.

Quote
- and of course message-digest attribute

This attribute is added automatically.
#3276
Posted: 07/04/2007 02:51:27
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Ok. I will give it a shot. After you mentioned Signer.ContentType property I checked its existence directly through MS Visual ObjectBrowser instead of help file provided with SecureBlackbox package. I guess it's not quite complete or up-to-date yet.

Thanks again,
Tomasz Sawicki
#3277
Posted: 07/04/2007 03:35:18
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Quote

Can be set manually using TElMessageSigner.AuthenticatedAttributes property.

What's the correct way of adding an attribute to Signer.AuthenticatedAttributes property?

Once again the help file is inconsistent with the code (I'm talking about C# implementation). As I see Signer.AuthenticatedAttributes has only one method of adding attributes, that is: set_Attributes(int, byte[]). How to use it? It's not mentioned in help file and "Attributes" and "Values" properties which are mentioned in help file are not present in actual TElPKCS7Attributes class.

For example, how to add commitment-type-indication attribute (OID: 1.2.840.113549.1.9.16.2.16) and set its value to 1.2.840.113549.1.9.16.6.5?
#3279
Posted: 07/04/2007 05:37:51
by Ken Ivanov (EldoS Corp.)

Please use the following code:
Code
signer.AuthenticatedAttributes.Count = 1;
// setting OID for the attribute
signer.AuthenticatedAttributes.set_Attributes(0, SBUtils.Unit.StrToOID(AttrOID));
// retrieving ArrayList responsible for storing attribute values
ArrayList valueList = signer.AuthenticatedAttributes.get_Values(0);
// each attribute value should be ASN.1-encoded according to its definition
byte[] fmtValue = SBMessages.Unit.FormatAttributeValue(SBASN1Tree.Unit.SB_ASN1_OBJECT, SBUtils.Unit.StrToOID(AttrValue));
valueList.Add(fmtValue);


Thank you for pointing us at the documentation issue. Setting up attributes is a non-trivial routine which needs certain explanations. I submitted the task to our to do list, so the corresponding how-to entry will appear soon.
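
Added example, not part of the thread and not SecureBlackbox code: a standard-library Python sketch of what "each attribute value should be ASN.1-encoded" produces for the OIDs quoted above, and of the bytes the private key actually signs once signed attributes are present (the hash of the DER-encoded attribute set, per the CMS specification, rather than the hash of the content). Assumptions: SHA-256 as the digest, signing-time and signing-certificate left out for brevity, and the commitment value wrapped in a SEQUENCE as ETSI TS 101 733 defines CommitmentTypeIndication; all function names are made up for this sketch.

```python
import hashlib

def der_len(n):
    # DER definite length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    # OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def attribute(attr_oid, *der_values):
    # Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }
    return tlv(0x30, der_oid(attr_oid) + tlv(0x31, b"".join(sorted(der_values))))

def signed_attrs_digest(content, content_type_oid, commitment_oid):
    attrs = [
        # content-type, set to the eContentType OID
        attribute("1.2.840.113549.1.9.3", der_oid(content_type_oid)),
        # message-digest: OCTET STRING holding the hash of the content
        attribute("1.2.840.113549.1.9.4",
                  tlv(0x04, hashlib.sha256(content).digest())),
        # commitment-type-indication: SEQUENCE { commitmentTypeId OID }
        attribute("1.2.840.113549.1.9.16.2.16", tlv(0x30, der_oid(commitment_oid))),
    ]
    # DER SET OF is sorted by encoding; the signature input uses the
    # universal SET tag 0x31, not the [0] IMPLICIT tag stored in SignerInfo.
    signed_attrs = tlv(0x31, b"".join(sorted(attrs)))
    return signed_attrs, hashlib.sha256(signed_attrs).digest()

CONTENT = b"constructed sample document"  # constructed input
SIGNED_ATTRS, TO_BE_SIGNED = signed_attrs_digest(
    CONTENT, "1.2.616.1.101.4.1.1", "1.2.840.113549.1.9.16.6.5")
print(SIGNED_ATTRS.hex())
print(TO_BE_SIGNED.hex())
```
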
#3284
Posted: 07/04/2007 14:42:45
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Thanks to your advice I finally managed to create the signature with all the fields I needed. Nice.

One last thing.
Is the .Net edition of your library sold with source code (or is there such an option)?

Sincerely yours,
Tomasz Sawicki