EldoS | Feel safer!


How to do a GET with SSL client auth through TElPKCS11CertStorage (ref_cl_httpsclient.xml)

#35162
Posted: 12/03/2015 05:14:53
by Pablo Sola (Premium support level)
Joined: 12/01/2015
Posts: 7

Quote
Ken Ivanov wrote:
Hi Pablo,

Have you logged into the session when accessing your certificate (with Login() method)? Most hardware devices require you to log in before giving access to the private keys.

Ken


Yes

Code

' Open a read/write session on slot 0 of the PKCS#11 module
Dim sInfo As TElPKCS11SessionInfo = pkcs11Cs.OpenSession(0, False)
' Log in with user type 0 and PIN "0000"
sInfo.Login(0, "0000")


Is there any way to ensure the PK is stored in the HSM?

thanks
#35163
Posted: 12/03/2015 05:30:54
by Ken Ivanov (EldoS Corp.)

Iterating over Objects[] property of the TElPKCS11CertStorage class (from 0 to ObjectCount - 1) will give you information about raw objects stored on the device. Just have a look if any object of TElPKCS11PrivateKeyObject type is there.

What else you can do is add a pcsoWeakenedKeySearchCriteria option to the PKCS11Options flag set (use 'Or' operation to add the option) and check if the private key is attached to the certificate in that way. Adding this criteria may help the component to match the certificate to its private key.

By the way, if your PFX contains more than one certificate, you might have added a wrong certificate to the token (e.g. a CA one). PFX containers from modern CAs often contain the whole certificate chain, and by loading such container into a TElX509Certificate object you only load the first certificate in the PFX and lose the rest. It is a better idea to load PFX containers into a TElMemoryCertStorage object and search for the needed certificate there.

Ken
#35164
Posted: 12/03/2015 05:43:25
by Pablo Sola (Premium support level)
Joined: 12/01/2015
Posts: 7

Quote
Ken Ivanov wrote:
Iterating over Objects[] property of the TElPKCS11CertStorage class (from 0 to ObjectCount - 1) will give you information about raw objects stored on the device. Just have a look if any object of TElPKCS11PrivateKeyObject type is there.

What else you can do is add a pcsoWeakenedKeySearchCriteria option to the PKCS11Options flag set (use 'Or' operation to add the option) and check if the private key is attached to the certificate in that way. Adding this criteria may help the component to match the certificate to its private key.

By the way, if your PFX contains more than one certificate, you might have added a wrong certificate to the token (e.g. a CA one). PFX containers from modern CAs often contain the whole certificate chain, and by loading such container into a TElX509Certificate object you only load the first certificate in the PFX and lose the rest. It is a better idea to load PFX containers into a TElMemoryCertStorage object and search for the needed certificate there.

Ken


Well,

after looking into the Login method documentation

Quote

Only regular user can manipulate private token objects. The role of the Security Officer is to initialize a token and to set the regular user’s PIN


I had

sInfo.Login(0, "0000")

and replaced it with

sInfo.Login(1, "0000")

Now the private key object is listed and SSL client authentication succeeds.

Thanks for your great support; it is a good point in favour of having an account in order to purchase the product.
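As an added example, not code from this thread or from EldoS, the following VB.NET module puts together the checks Ken describes in post #35163 (loading the PFX into a TElMemoryCertStorage to pick the end-entity certificate, enumerating Objects[] for a TElPKCS11PrivateKeyObject, adding pcsoWeakenedKeySearchCriteria with Or) and the fix Pablo found in post #35164 (logging in with user type 1, the regular PKCS#11 user CKU_USER, instead of 0, the Security Officer CKU_SO). Class and member names follow the SecureBlackbox naming used in the thread as I recall it and are untested here: the module path, slot index, PIN, URL, the namespace that exposes the pcsoWeakenedKeySearchCriteria constant, the VB indexed-property syntax for Objects(i) and Certificates(i), CloseSession living on the storage, and the TElX509CertificateValidator.Validate signature are all assumptions to check against your SecureBlackbox version.

```vbnet
Imports SBUtils
Imports SBX509
Imports SBCustomCertStorage
Imports SBCertValidator
Imports SBPKCS11Base
Imports SBPKCS11CertStorage
Imports SBHTTPSClient

Module Pkcs11ClientAuthExample

    ' PKCS#11 user types (CKU_* values from the PKCS#11 v2.x specification)
    Const CKU_SO As Integer = 0    ' Security Officer: initialises the token, sets the user PIN, cannot use private objects
    Const CKU_USER As Integer = 1  ' regular user: the only role that can see and use private key objects

    ' Assumed values; replace with the ones for your HSM or token
    Const ModulePath As String = "C:\path\to\vendor-pkcs11.dll"
    Const SlotIndex As Integer = 0
    Const UserPin As String = "0000"

    ' A PFX from a modern CA often carries the whole chain; loading it into a
    ' TElX509Certificate keeps only the first certificate, so go through a memory storage.
    Function LoadEndEntityFromPfx(pfxBytes As Byte(), password As String) As TElX509Certificate
        Dim mem As New TElMemoryCertStorage()
        If mem.LoadFromBufferPFX(pfxBytes, password) <> 0 Then
            Throw New Exception("PFX could not be loaded (wrong password or corrupt file)")
        End If
        For i As Integer = 0 To mem.Count - 1
            Dim cert As TElX509Certificate = mem.Certificates(i)   ' indexed-property syntax assumed
            ' The leaf is the certificate that is not a CA and that has the private key
            If cert.PrivateKeyExists AndAlso Not cert.CAAvailable Then
                Return cert
            End If
        Next
        Throw New Exception("No end-entity certificate with private key found in PFX")
    End Function

    ' Ken's check: is any raw private key object visible on the device?
    ' This returns False when the session is logged in as CKU_SO even if the key exists.
    Function PrivateKeyObjectVisible(storage As TElPKCS11CertStorage) As Boolean
        For i As Integer = 0 To storage.ObjectCount - 1
            If TypeOf storage.Objects(i) Is TElPKCS11PrivateKeyObject Then
                Return True
            End If
        Next
        Return False
    End Function

    ' Validate the server certificate instead of accepting everything (signature assumed)
    Sub ValidateServerCert(sender As Object, cert As TElX509Certificate, ByRef validate As Boolean)
        Dim validator As New TElX509CertificateValidator()
        Dim validity As TSBCertificateValidity = TSBCertificateValidity.cvInvalid
        Dim reason As Integer = 0
        validator.Validate(cert, Nothing, True, False, DateTime.Now, validity, reason)
        validate = (validity = TSBCertificateValidity.cvOk)
    End Sub

    Sub Main()
        SBUtils.Unit.SetLicenseKey("<your licence key>")   ' placeholder

        Dim pkcs11Cs As New TElPKCS11CertStorage()
        pkcs11Cs.DLLName = ModulePath
        ' Relax certificate-to-key matching for tokens whose object labels/IDs do not line up
        pkcs11Cs.PKCS11Options = pkcs11Cs.PKCS11Options Or SBPKCS11CertStorage.Unit.pcsoWeakenedKeySearchCriteria
        pkcs11Cs.Open()

        Dim sInfo As TElPKCS11SessionInfo = pkcs11Cs.OpenSession(SlotIndex, False)
        ' Pablo's fix: log in as the regular user (1), not the Security Officer (0)
        sInfo.Login(CKU_USER, UserPin)

        If Not PrivateKeyObjectVisible(pkcs11Cs) Then
            Throw New Exception("No private key object visible: check the user type and PIN, or import the key")
        End If

        ' Confirm the component paired the certificate with its key before attempting TLS
        Dim clientCert As TElX509Certificate = Nothing
        For i As Integer = 0 To pkcs11Cs.Count - 1
            If pkcs11Cs.Certificates(i).PrivateKeyExists Then
                clientCert = pkcs11Cs.Certificates(i)
                Exit For
            End If
        Next
        If clientCert Is Nothing Then
            Throw New Exception("No certificate on the token has a matching private key")
        End If

        Dim http As New TElHTTPSClient()
        http.ClientCertStorage = pkcs11Cs          ' client auth signs with the key on the token
        AddHandler http.OnCertificateValidate, AddressOf ValidateServerCert
        Dim status As Integer = http.Get("https://example.test/resource")   ' assumed URL
        Console.WriteLine("HTTP status: " & status)

        sInfo.Logout()
        pkcs11Cs.CloseSession(sInfo)
        pkcs11Cs.Close()
    End Sub
End Module
```

If PrivateKeyObjectVisible still returns False after logging in as CKU_USER, the key really is not on the token, and the thing to verify is whether the object added was the leaf certificate with its key or a CA certificate from the PFX chain.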
#35165
Posted: 12/03/2015 05:58:37
by Ken Ivanov (EldoS Corp.)

Pablo,

Great, thank you for letting us know. We are glad that your problem is solved now.

Ken
