EldoS | Feel safer!

TElX509Certificate - Load certificate from its serial number

#35313
Posted: 12/28/2015 11:04:47
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi guys.

I'm trying your product (in particular the X.509 section) for signing XML documents.

I'm trying to follow the "flow" of my existing application, which requires saving the serial number of an existing smart card certificate to a file (DONE) and then retrieving that number and silently loading the certificate, to avoid a prompt every time users restart my application.

The question is: is there a method or a function to do this? I can't find one among the TElX509Certificate subroutines (under the Load... functions).

Thanks for your help.

Best regards.
Paolo
#35314
Posted: 12/28/2015 11:14:44
by Eugene Mayevski (EldoS Corp.)

Thank you for your interest in our products.

1) The certificate is uniquely identified not by the Serial Number alone (collisions are possible) but by the combination of the serial number and Issuer Name. So you need to save both, even if now you have just one Issuer for certificates on the card.

2) When you access the device, the user is asked for permission for your code to access the certificate and/or the private key (depending on how the device is configured). This is done each time and this is a security measure which you want to circumvent.

Here's the sequence of steps you need to take to make signing smooth and seamless:
1) Capture and save the serial number and issuer name combination
2) Use PKCS#11 interface to the device. This will let you pass the password/PIN to the device in code rather than via GUI
3) When you need to sign the XML, use TElPKCS11CertStorage to find and access the certificate. Create an instance of TElMemoryCertStorage and add the found certificate to this instance. This is needed to give only the intended certificates to the signing code.
4) Ask the user for a PIN once per application start, and when accessing TElPKCS11CertStorage provide this PIN in Login() method.
5) Perform signing using the accessed certificate as much as you need during the session.
6) The login to the device and the entered PIN don't survive an application restart, which means that you will need to either save the PIN somewhere (this is an extremely bad idea unless you have a specific scenario of running the code in a tightly controlled environment) or ask the user on each application start.


Sincerely yours
Eugene Mayevski
#35316
Posted: 12/28/2015 11:26:08
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Thanks for your fast response Eugene.

Indeed, I'll always ask for the PIN every time the application runs (at start or at the first need), to preserve security.

I'll try to follow your steps.. see you in a while :)

Best regards.
Paolo
#35323
Posted: 12/28/2015 12:52:56
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi again,

I'm still looking at what you mean in point 2)

Quote

2) Use PKCS#11 interface to the device. This will let you pass the password/PIN to the device in code rather than via GUI


Any suggestion?

Best regards
Paolo
#35324
Posted: 12/28/2015 12:57:57
by Eugene Mayevski (EldoS Corp.)

Quote
Reev wrote:
I'm still looking at what you mean in point 2)


Described in step 3. Use TElPKCS11CertStorage class.


Sincerely yours
Eugene Mayevski
#35325
Posted: 12/30/2015 06:20:09
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi, I'm going forward with your solution and all is fine atm.

I only have a problem reloading the certificate with its private key on a second launch of the application.

At first, I ask the user for the certificate and save it using .SaveToBufferPEM() and a FileStream.

Then, trying to save the private key using .SaveKeyToBuffer (or .SaveKeyToBufferPEM) produces no result (and no physical file is written), so when I reload the certificate using .LoadFromStreamPEM, the certificate is correctly returned but the property .PrivateKeyExists returns False (previously it was True when I loaded the certificate through the user interface).

Is there a method that I am missing?

Sincerely
Paolo
#35326
Posted: 12/30/2015 06:54:06
by Eugene Mayevski (EldoS Corp.)

To put it simply - the hardware device won't give you the private key. You can use it, but not extract it. You need to re-think your strategy in regards to using such certificate. Definitely saving the key to the disk is not a good idea from the security standpoint anyway.


Sincerely yours
Eugene Mayevski
#35327
Posted: 12/30/2015 07:57:43
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Well, I still can't save the private key as you suggest; I agree with you that it is not a good idea.. that's not a problem. I just need a safe method to reload a given certificate (using your methods) without asking the user to select it every time and boring him with a multiple-choice dialog at every restart of my application.

Sincerely.
Paolo
#35328
Posted: 12/30/2015 08:13:04
by Eugene Mayevski (EldoS Corp.)

Well, I've described the steps needed above.

1) You don't save a certificate. Save its Issuer name and serial number, to locate the certificate later.
2) The user MUST enter the password/PIN on each start of the application or use of the key. You want to solve a problem which doesn't really exist by breaking security and making it void. This won't work. The best you can do is, as I said above, use a PKCS#11 interface and provide the PIN in code. Then you would be able to ask the user once at the start of the application.


Sincerely yours
Eugene Mayevski
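The locating step from posts #35314 and #35328 (persist issuer name plus serial number, never the certificate or key, then find the certificate on the token at the next start) as an added, stand-alone example. This is not EldoS code and does not use SecureBlackbox: it is written in Go against the standard library only, and the certificate list a PKCS#11 session would expose (TElPKCS11CertStorage) is stood in for by a plain slice of constructed test certificates. The locator type, function names and the test CAs "Test CA A"/"Test CA B" are assumptions made for the example. It also shows why the serial number alone is not a safe key: two of the constructed certificates share a serial under different issuers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertLocator is the only thing persisted between application runs (json tags
// for the settings file): issuer DN plus serial, which together identify one
// certificate on the token. No certificate, private key or PIN is written.
type CertLocator struct {
	IssuerDER string `json:"issuer_der"` // hex of the DER-encoded issuer Name
	Serial    string `json:"serial"`     // serial number in hex
}

// NewLocator captures the pair from a certificate. It keeps the raw DER issuer
// bytes rather than a printable DN string, so attribute order or string-type
// differences between encoders cannot produce a false match later.
func NewLocator(c *x509.Certificate) CertLocator {
	return CertLocator{IssuerDER: hex.EncodeToString(c.RawIssuer), Serial: c.SerialNumber.Text(16)}
}

// FindCertificate scans a store (in the real application, the certificates a
// PKCS#11 session exposes after Login) and returns exactly one match.
func FindCertificate(store []*x509.Certificate, l CertLocator) (*x509.Certificate, error) {
	var found *x509.Certificate
	for _, c := range store {
		if NewLocator(c) != l {
			continue
		}
		if found != nil {
			return nil, errors.New("locator matches more than one certificate")
		}
		found = c
	}
	if found == nil {
		return nil, errors.New("no certificate on the token matches the saved locator")
	}
	return found, nil
}

// CountBySerialOnly shows why the serial alone is not a safe key: it counts
// certificates sharing a serial number regardless of issuer.
func CountBySerialOnly(store []*x509.Certificate, serialHex string) int {
	n := 0
	for _, c := range store {
		if c.SerialNumber.Text(16) == serialHex {
			n++
		}
	}
	return n
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed leaf certificate signed by a test CA named caCN;
// these stand in for the certificates a smart card would hold.
func issue(caCN string, caKey *ecdsa.PrivateKey, subjectCN string, serial int64) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: caCN}, PublicKey: &caKey.PublicKey}
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &leafKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// BuildTestStore constructs three certificates; the two from different CAs
// deliberately share serial number 0x1001.
func BuildTestStore() []*x509.Certificate {
	keyA := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	keyB := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return []*x509.Certificate{
		issue("Test CA A", keyA, "alice", 0x1001),
		issue("Test CA B", keyB, "bob", 0x1001),
		issue("Test CA A", keyA, "carol", 0x1002),
	}
}

func main() {
	store := BuildTestStore()
	loc := NewLocator(store[0]) // the user chose alice's certificate once; persist loc, not the cert
	fmt.Printf("%d certificates share serial %s\n", CountBySerialOnly(store, loc.Serial), loc.Serial)
	c := must(FindCertificate(store, loc)) // next application start: locate silently, then Login with the PIN
	fmt.Printf("located %q issued by %q\n", c.Subject.CommonName, c.Issuer.CommonName)
}
```

In the real flow the slice is replaced by the certificates visible through the PKCS#11 session, the matched certificate is copied into a TElMemoryCertStorage so the signing code sees only that one, and the PIN is still requested from the user once per session; the locator file holds nothing that needs protecting beyond integrity.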