EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PKCS#11 provider caching problems?

#3378
Posted: 07/17/2007 10:52:35
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Hi,

Consider three scenarios. In all of them I'm using C#\PKIBlackbox\CertTokenDemo.

1.
I have one SmartCard Reader with SmartCard (a PKCS#11 token) inserted. In CertTokenDemo I open the storage by choosing the appropriate PKCS#11 provider library. Next I start a slot session - the certificate shows up on the list. I choose a certificate and perform a signing operation on some file. Everything is ok.
I close the storage, remove the token and insert another one (of the same provider). I repeat all the steps as above: open storage, open session, another certificate shows up, sign the file. Whoops: "Error 8194 when signing the file".
If I restart the application before new card is inserted the second signing operation works ok.

2.
I have one SmartCard Reader with no token inserted. In CertTokenDemo I open the storage and try to start the session. Of course, the "Token no found in specified slot" error pops up.
I close the storage, insert the token (I'm sure that certificate is present on it) and open the storage again. I try to start a session. Whoops: "Token no found in specified slot".

3.
I have TWO SmartCard readers with the token inserted into one of them. In CertTokenDemo I open the storage and try to start the session. Everything is ok, certificate shows up in the list.
I close the storage. I remove the token and insert it into the second reader. I open the storage again and try to start a session with another slot (the one corresponding to the second reader). Whoops: "Token no found in specified slot".
If I restart the application before I switch the card between readers everything works ok.

The above scenarios are the same for the two different PKCS#11 providers I use. The question is:
Is the loaded provider library caching some information about slots and tokens? Is there any option in TElPKCS11CertStorage forcing a Close operation to clear that cache (maybe by completely unloading the provider library from memory)?

Any help would be appreciated.

Tomasz Sawicki
#3379
Posted: 07/17/2007 11:15:33
by Eugene Mayevski (EldoS Corp.)

Of course you can close and re-open the PKCS#11 library and this should clean the internal state.
Also (it's a separate action) you need to remove all certificates, if they were copied from the PKCS#11 storage. I.e. if you just access the certificate using Storage.Certificates[] property, then there's no problem (those certificates are cleaned up when you close the storage). If you use any certificate copy procedure, then the second certificate "remembers" the old device.


Sincerely yours
Eugene Mayevski
#3381
Posted: 07/17/2007 13:59:38
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

I don't copy any of the certificates anywhere. As I said, I'm using your CertTokenDemo and provider libraries simply copied from another computer.
So there is:
Storage.DLLName = OpenDialog.FileName;
Storage.Open();

and in the end:
Storage.Close();
Storage.Dispose();


Quote

Of course you can close and re-open the PKCS#11 library and this should clean the internal state.

Can you please advise on how to do that? CertTokenDemo apparently doesn't do that, so what should be added to this sample application to accomplish that?

Tomasz Sawicki
#3382
Posted: 07/17/2007 14:32:54
by Eugene Mayevski (EldoS Corp.)

Quote
Falundir wrote:
I'm using your CertTokenDemo and provider libraries simply copied from another computer.


Provider libraries most often have to be installed. Just copying is not enough.

Quote
Falundir wrote:
Can you please advise on how to do that? CertTokenDemo apparently doesn't do that, so what should be added to this sample application to accomplish that?


Storage.Close then Storage.Open?


Sincerely yours
Eugene Mayevski
#3383
Posted: 07/18/2007 00:19:00
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Quote

Storage.Close then Storage.Open

That is exactly what CertTokenDemo does. Please refer to my previous post. Closing the storage doesn't clear the internal state of the library (or unload it). It's even visible with the "bare eyes" - the first Storage.Open() lasts much longer than subsequent calls. Only restarting CertTokenDemo gives the expected result, but of course that's not the solution.
Quote

Provider libraries most often have to be installed. Just copying is not enough.

It's not the case this time.
#3384
Posted: 07/18/2007 04:23:39
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi Falundir,

I've also faced the same "problems" you're having, both the ones in this topic and the "detection of card or reader removal". I'll tell you how I managed to get rid of these problems, although you seem to have seen the solution already.

As you've seen, the solution to the problem you're facing in this topic is to free (dispose) the PKCS#11 library and re-create it via code (I do this with TLists in Delphi, and ArrayList in C#). It's a little bit more work, but the user doesn't get a big delay, it's nearly 0 secs.

For the second problem (card/reader removal): in Delphi, as I have the code, I always make a new routine in SBPKCS11Base.pas similar to the .Refresh procedure, but with the call SetTokenData(RTokenInfo); commented out (I don't need it, I'm just checking the status) to reduce the time. Then with a timer set to 5 seconds I call my modified fast-refresh procedure that only wastes 100ms, catch if the token/reader is not present, free the library and do the appropriate things (delete those certificates from the list, notify the user, etc.).

I suppose that it may be interesting for Eldos people to introduce a "Fast boolean parameter" in that .Refresh procedure of PKCS11Base to be able to do this check faster (so I don't have to make that new routine every update).

Hope to have cleared up some things for you from the final-programmer point of view. Of course some things may be improved on the Eldos side, but we can also get rid of these things without a lot of overhead.

Regards,

#3385
Posted: 07/18/2007 05:16:44
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Hi Santiago,

Quote

As you've see the solution to the problem you're facing in this topic is to free (dispose) the PKCS#11 library, and re-create it via code (I do this with TLists in Delphi, and ArrayList in C#).

First of all, I don't load this library myself - Storage.Open() does it. So I can't dispose it - Storage.Close() or Storage.Dispose() should do it. For now I'm evaluating this product and I don't have the source code of the PKIBlackbox library to change it myself.
I also tried to load and free the library this way:
Code
[DllImport("kernel32.dll")]
public static extern IntPtr LoadLibrary(string dllToLoad);

...

pDll = LoadLibrary(@dllName);
Storage.DLLName = dllName;
Storage.Open();

and
Code
[DllImport("kernel32.dll")]
public static extern bool FreeLibrary(IntPtr hModule);

...

Storage.Close();
Storage.Dispose();
FreeLibrary(pDll);
pDll = IntPtr.Zero;

hoping that PKIBlackbox will somehow use the library instance I've loaded, but it doesn't change a thing.

Please provide more details on how you are freeing and re-creating PKCS#11 library and use it with TElPKCS11CertStorage object.

As for the problem with detecting insertion or removal I already managed to overcome it by using external PC/SC .Net wrapper (Subsembly) which supports events - works perfectly.

Thank you for your input.

Tomasz Sawicki
#3386
Posted: 07/18/2007 05:57:02
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Well, you could try this snippet of code to finalize the PKCS#11 (I'm translating it from Delphi to C# on the fly so there may be mistakes):

Session: your variable with the active session (TElPKCS11SessionInfo)
ModuleList: See in SBPKCS11Base

Code
Storage.Close(); // close the PKCS#11 Storage
if (Session != null) {
    // try to 100% close the active session
    Session.Logout();
    Storage.CloseSession(0);
}
Session = null;
if (Storage != null) {
    // FreeAndNil
    Storage.Dispose(); Storage = null;
    // walk the list backwards: unloading a module may remove it from the list,
    // which would make a forward loop skip entries
    for (int i = SBPKCS11Base.ModuleList.ModuleCount - 1; i >= 0; i--)
    {
        SBPKCS11Base.ModuleList.UnloadModule(SBPKCS11Base.ModuleList.Modules[i]);
    }
}


Regards
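The teardown above, written out as a reusable helper (an added example, not code from the forum, from CertTokenDemo or from SecureBlackbox). It assumes the SBPKCS11 types are in scope, that `Storage.OpenSession(int slot, bool readOnly)` returns a `TElPKCS11SessionInfo`, and that `ModuleList.Modules` is indexable by int; everything else comes from the snippets in this thread.

```csharp
// Added example: full open / close-and-unload lifecycle for a PKCS#11 token
// storage, so that a token swapped between readers (or a fresh token in the
// same reader) is seen on the next Open() instead of the provider's stale
// slot/token cache. Assumed API (not on the page): OpenSession(int, bool),
// int-indexable ModuleList.Modules.
using System;

public sealed class TokenStorage
{
    private TElPKCS11CertStorage storage;
    private TElPKCS11SessionInfo session;

    // Loads the provider DLL and opens a read-only session on the given slot.
    public TElPKCS11CertStorage Open(string providerDll, int slot)
    {
        storage = new TElPKCS11CertStorage();
        storage.DLLName = providerDll;
        storage.Open();                             // loads the provider module
        session = storage.OpenSession(slot, true);  // assumed signature
        return storage;
    }

    // Closes the session and the storage, then unloads the provider module.
    // Storage.Close() alone leaves the module resident with its internal state,
    // which is what produced "Token no found in specified slot" and error 8194
    // after a token change; the UnloadModule loop is the part that resets it.
    public void CloseAndUnload()
    {
        try
        {
            if (session != null)
            {
                // the token may already have been pulled; Logout failing must
                // not prevent the module from being unloaded below
                try { session.Logout(); } catch (Exception) { }
                storage.CloseSession(0);
            }
            if (storage != null) storage.Close();
        }
        finally
        {
            session = null;
            if (storage != null) { storage.Dispose(); storage = null; }
            // backwards, because unloading may remove the entry from the list
            for (int i = SBPKCS11Base.ModuleList.ModuleCount - 1; i >= 0; i--)
                SBPKCS11Base.ModuleList.UnloadModule(SBPKCS11Base.ModuleList.Modules[i]);
        }
    }
}
```

Calling `CloseAndUnload()` before each re-`Open()` makes scenarios 1 to 3 from the first post behave like an application restart, without the user seeing the initial load delay again.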
#3387
Posted: 07/18/2007 06:16:08
by Tomasz Sawicki (Standard support level)
Joined: 06/14/2007
Posts: 19

Thank you very much Santiago. That was the Holy Grail I was looking for! Now all three scenarios from the first post are working as expected.

Time to place the order:)

Tomasz Sawicki
#3388
Posted: 07/18/2007 06:18:31
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

It was nothing, pleased to help.