TElx509Certificate Alias and Token USB

#36802
Posted: 05/26/2016 03:37:47
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Good morning,

after I have established a connection with a PKCS#11 login to my USB token, I have the necessity to check the certificate alias, in particular the "extension" of the Bit4id token (I attached a screenshot of what I need, in the red square).

That screenshot is taken from the certificate explorer of Mozilla Firefox, and is the detail window of 1 of the 2 certificates on board the USB token.

Actually I can't find, inside the TElX509Certificate class, a property that can help me:

I have tried TElX509Certificate.GetFriendlyName but it returned an empty string

and X509Certificate2.PublicKey.Oid.FriendlyName, which returned "RSA".

Have you any suggestion on how to retrieve that value?

Sincerely
Paolo


#36804
Posted: 05/26/2016 04:46:04
by Ken Ivanov (EldoS Corp.)

Hi Paolo,

Could you please clarify how exactly you are retrieving the TElX509Certificate object from the token? Do you use the TElPKCS11CertStorage or TElWinCertStorage component?

Ken
#36805
Posted: 05/26/2016 04:58:24
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi Ken, I use a TElPKCS11CertStorage to iterate over the 2 certificates inside the token.

At the moment I find that the property that exposes the value I need is inside this expression:

DirectCast((New System.Collections.ArrayList.ArrayListDebugView(sessionInfo.FObjectList)).Items(2),SBPKCS11Base.TElPKCS11X509CertificateObject).ObjectLabel

where the sessionInfo object is obviously a TElPKCS11SessionInfo object, but I saw that there is no direct property to retrieve that.
#36806
Posted: 05/26/2016 05:25:45
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

I successfully retrieve the 2 certificate objects of type TElPKCS11X509CertificateObject from the token.

Is there a way to transform them into the TElX509Certificate type?

Sincerely
#36807
Posted: 05/26/2016 06:08:39
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Another question:

Where can I find the documentation about the exceptions raised by the TElPKCS11SlotInfo and TElPKCS11SessionInfo classes, for instance "Token not present", "Wrong PIN", etc.?

thanks!
Paolo
#36817
Posted: 05/27/2016 03:08:08
by Ken Ivanov (EldoS Corp.)

Hi Paolo,

Indeed, there is no simple way to match ObjectLabel to the corresponding TElX509Certificate object. I believe the only technically feasible way at the moment is to iterate over TElPKCS11CertStorage.Objects[] list and compare binary forms of PKCS#11 certificate objects (TElPKCS11X509CertificateObject.Value) with that of your particular TElX509Certificate instance (TElX509Certificate.CertificateBinary/CertificateSize). This is obviously not the best approach in the world due to its heaviness and a perspective of a mix-up if several identical certificates with different labels are stored on the same token.

I believe we'll manage to squeeze in a new property to TElX509Certificate class which would allow to read the label right from the certificate object.

Quote
Where can I find the documentation about the exceptions raised by the TElPKCS11SlotInfo and TElPKCS11SessionInfo classes, for instance "Token not present", "Wrong PIN", etc.?

All PKCS#11-specific exceptions thrown by PKCS#11 components are of EElPKCS11Error type. PKCS#11 defines a set of well-defined error codes, which you can read from the exception's ErrorCode parameter. I'm enclosing the complete list below:
Code
  SB_CKR_OK                                = $00000000;
  SB_CKR_CANCEL                            = $00000001;
  SB_CKR_HOST_MEMORY                       = $00000002;
  SB_CKR_SLOT_ID_INVALID                   = $00000003;
  SB_CKR_GENERAL_ERROR                     = $00000005;
  SB_CKR_FUNCTION_FAILED                   = $00000006;
  SB_CKR_ARGUMENTS_BAD                     = $00000007;
  SB_CKR_NO_EVENT                          = $00000008;
  SB_CKR_NEED_TO_CREATE_THREADS            = $00000009;
  SB_CKR_CANT_LOCK                         = $0000000A;
  SB_CKR_ATTRIBUTE_READ_ONLY               = $00000010;
  SB_CKR_ATTRIBUTE_SENSITIVE               = $00000011;
  SB_CKR_ATTRIBUTE_TYPE_INVALID            = $00000012;
  SB_CKR_ATTRIBUTE_VALUE_INVALID           = $00000013;
  SB_CKR_DATA_INVALID                      = $00000020;
  SB_CKR_DATA_LEN_RANGE                    = $00000021;
  SB_CKR_DEVICE_ERROR                      = $00000030;
  SB_CKR_DEVICE_MEMORY                     = $00000031;
  SB_CKR_DEVICE_REMOVED                    = $00000032;
  SB_CKR_ENCRYPTED_DATA_INVALID            = $00000040;
  SB_CKR_ENCRYPTED_DATA_LEN_RANGE          = $00000041;
  SB_CKR_FUNCTION_CANCELED                 = $00000050;
  SB_CKR_FUNCTION_NOT_PARALLEL             = $00000051;
  SB_CKR_FUNCTION_NOT_SUPPORTED            = $00000054;
  SB_CKR_KEY_HANDLE_INVALID                = $00000060;
  SB_CKR_KEY_SIZE_RANGE                    = $00000062;
  SB_CKR_KEY_TYPE_INCONSISTENT             = $00000063;
  SB_CKR_KEY_NOT_NEEDED                    = $00000064;
  SB_CKR_KEY_CHANGED                       = $00000065;
  SB_CKR_KEY_NEEDED                        = $00000066;
  SB_CKR_KEY_INDIGESTIBLE                  = $00000067;
  SB_CKR_KEY_FUNCTION_NOT_PERMITTED        = $00000068;
  SB_CKR_KEY_NOT_WRAPPABLE                 = $00000069;
  SB_CKR_KEY_UNEXTRACTABLE                 = $0000006A;
  SB_CKR_MECHANISM_INVALID                 = $00000070;
  SB_CKR_MECHANISM_PARAM_INVALID           = $00000071;
  SB_CKR_OBJECT_HANDLE_INVALID             = $00000082;
  SB_CKR_OPERATION_ACTIVE                  = $00000090;
  SB_CKR_OPERATION_NOT_INITIALIZED         = $00000091;
  SB_CKR_PIN_INCORRECT                     = $000000A0;
  SB_CKR_PIN_INVALID                       = $000000A1;
  SB_CKR_PIN_LEN_RANGE                     = $000000A2;
  SB_CKR_PIN_EXPIRED                       = $000000A3;
  SB_CKR_PIN_LOCKED                        = $000000A4;
  SB_CKR_SESSION_CLOSED                    = $000000B0;
  SB_CKR_SESSION_COUNT                     = $000000B1;
  SB_CKR_SESSION_HANDLE_INVALID            = $000000B3;
  SB_CKR_SESSION_PARALLEL_NOT_SUPPORTED    = $000000B4;
  SB_CKR_SESSION_READ_ONLY                 = $000000B5;
  SB_CKR_SESSION_EXISTS                    = $000000B6;
  SB_CKR_SESSION_READ_ONLY_EXISTS          = $000000B7;
  SB_CKR_SESSION_READ_WRITE_SO_EXISTS      = $000000B8;
  SB_CKR_SIGNATURE_INVALID                 = $000000C0;
  SB_CKR_SIGNATURE_LEN_RANGE               = $000000C1;
  SB_CKR_TEMPLATE_INCOMPLETE               = $000000D0;
  SB_CKR_TEMPLATE_INCONSISTENT             = $000000D1;
  SB_CKR_TOKEN_NOT_PRESENT                 = $000000E0;
  SB_CKR_TOKEN_NOT_RECOGNIZED              = $000000E1;
  SB_CKR_TOKEN_WRITE_PROTECTED             = $000000E2;
  SB_CKR_UNWRAPPING_KEY_HANDLE_INVALID     = $000000F0;
  SB_CKR_UNWRAPPING_KEY_SIZE_RANGE         = $000000F1;
  SB_CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  = $000000F2;
  SB_CKR_USER_ALREADY_LOGGED_IN            = $00000100;
  SB_CKR_USER_NOT_LOGGED_IN                = $00000101;
  SB_CKR_USER_PIN_NOT_INITIALIZED          = $00000102;
  SB_CKR_USER_TYPE_INVALID                 = $00000103;
  SB_CKR_USER_ANOTHER_ALREADY_LOGGED_IN    = $00000104;
  SB_CKR_USER_TOO_MANY_TYPES               = $00000105;
  SB_CKR_WRAPPED_KEY_INVALID               = $00000110;
  SB_CKR_WRAPPED_KEY_LEN_RANGE             = $00000112;
  SB_CKR_WRAPPING_KEY_HANDLE_INVALID       = $00000113;
  SB_CKR_WRAPPING_KEY_SIZE_RANGE           = $00000114;
  SB_CKR_WRAPPING_KEY_TYPE_INCONSISTENT    = $00000115;
  SB_CKR_RANDOM_SEED_NOT_SUPPORTED         = $00000120;
  SB_CKR_RANDOM_NO_RNG                     = $00000121;
  SB_CKR_BUFFER_TOO_SMALL                  = $00000150;
  SB_CKR_SAVED_STATE_INVALID               = $00000160;
  SB_CKR_INFORMATION_SENSITIVE             = $00000170;
  SB_CKR_STATE_UNSAVEABLE                  = $00000180;
  SB_CKR_CRYPTOKI_NOT_INITIALIZED          = $00000190;
  SB_CKR_CRYPTOKI_ALREADY_INITIALIZED      = $00000191;
  SB_CKR_MUTEX_BAD                         = $000001A0;
  SB_CKR_MUTEX_NOT_LOCKED                  = $000001A1;
  SB_CKR_VENDOR_DEFINED                    = $80000000;
  SB_CKR_SBPKCS11PROXY_UNHANDLED_EXCEPTION = $80000001;


Ken
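An added example, not SecureBlackbox code and not from this thread, that carries out the value-comparison matching Ken describes above (returning every label so the "identical certificate under several labels" mix-up is visible instead of silently picking one) and names EElPKCS11Error.ErrorCode values against the SB_CKR_* table. The token contents and the DER-like byte strings are constructed placeholders.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Pkcs11CertObject:
    """Stand-in for TElPKCS11X509CertificateObject: ObjectLabel and Value (DER)."""
    label: str
    value: bytes


def labels_for_certificate(cert_der, objects):
    """Every ObjectLabel whose Value equals cert_der (what CertificateBinary
    holds on the TElX509Certificate side). A list is returned on purpose:
    if the token stores the same certificate twice under different labels,
    the caller sees the ambiguity instead of getting an arbitrary label."""
    want = sha256(cert_der).digest()  # compare digests, not full DER copies
    return [o.label for o in objects if sha256(o.value).digest() == want]


def unique_label(cert_der, objects):
    """Single label, None if the certificate is not on the token, and a
    LookupError for the mix-up case Ken warns about."""
    labels = set(labels_for_certificate(cert_der, objects))
    if not labels:
        return None
    if len(labels) > 1:
        raise LookupError("stored under several labels: " + ", ".join(sorted(labels)))
    return labels.pop()


# Subset of the SB_CKR_* table above (same hex values).
CKR_VENDOR_DEFINED = 0x80000000
CKR_NAMES = {
    0x00000000: "CKR_OK",
    0x000000A0: "CKR_PIN_INCORRECT",
    0x000000A4: "CKR_PIN_LOCKED",
    0x000000E0: "CKR_TOKEN_NOT_PRESENT",
    0x00000101: "CKR_USER_NOT_LOGGED_IN",
    0x80000001: "CKR_SBPKCS11PROXY_UNHANDLED_EXCEPTION",
}


def describe_ckr(code):
    """Name for an ErrorCode; anything with the high bit set is vendor-defined."""
    name = CKR_NAMES.get(code)
    if name:
        return name
    prefix = "vendor-defined" if code & CKR_VENDOR_DEFINED else "unknown"
    return f"{prefix} 0x{code:08X}"


# Constructed sample token contents (placeholder bytes, not real DER).
CERT_SIGN = b"\x30\x82\x01\x00SIGN-CERT"
CERT_AUTH = b"\x30\x82\x01\x00AUTH-CERT"
TOKEN_OBJECTS = [
    Pkcs11CertObject("Signing certificate", CERT_SIGN),
    Pkcs11CertObject("Authentication certificate", CERT_AUTH),
]
```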
#36819
Posted: 05/27/2016 03:40:09
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi Ken, thank you for the exhaustive reply!

So, with this release I can't cast the TElPKCS11X509CertificateObject to a TElX509Certificate type?

Bye!
#36822
Posted: 05/27/2016 04:43:50
by Ken Ivanov (EldoS Corp.)

Hi Paolo,

I am afraid you can't, those two are unrelated and completely different types.

In the meantime, we've extended TElX509Certificate with the discussed properties, which will be available in the next SecureBlackbox 15 update.

Ken
#36823
Posted: 05/27/2016 05:53:03
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi Ken, when is update 15 supposed to be deployed (more or less)?

I have a trial beta key for update 15; is it possible to eventually try this new feature?

Bye
#36824
Posted: 05/27/2016 07:03:58
by Ken Ivanov (EldoS Corp.)

Paolo,

We are working hard on version 15 and hope to release it within a month. A pre-release version that includes the update is likely to be available sooner (within 10 days).

Ken
