EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How do I provide a password to a USB-based token to retrieve a certificate?

HSM-based certificates can be accessed in two different ways - either through a Windows CSP (a 'proxy' module installed by the token driver into the operating system), or through a native PKCS#11 driver. Depending on the way you choose, you should use different methods to provide the PIN.

CSP-based access is achieved with the TElWinCertStorage component. First, you look for the appropriate certificate in the 'MY' ('Personal') system certificate store, where the certificate is mapped by the token CSP. Once you've located the certificate in the TElWinCertStorage.Certificates[] list, you set its PIN via the TElX509Certificate.KeyMaterial.KeyExchangePIN and SignaturePIN properties (please assign the PIN to both properties). This should eliminate the PIN windows shown by the token driver.

Note that whether this method works depends on how the vendor has implemented the token's CSP. In some cases, setting the KeyExchangePIN and SignaturePIN properties does not work and you are forced to use a different method to provide the PIN.

An alternative way to provide the PIN programmatically is to access the token via a lower-level PKCS#11 interface, which is provided by the TElPKCS11CertStorage component. When using the PKCS#11 storage, you pass the PIN to the session object's Login() method.

The SecureBlackbox distribution contains two samples which illustrate both approaches. TinySigner illustrates the use of the TElWinCertStorage object, while TinySignerPKCS11 shows how to access HSM-based certificates via the PKCS#11 interface. The code of the first sample has to be modified to make use of PINs by adding two lines of code that set the KeyExchangePIN and SignaturePIN properties for the chosen certificate. The second (TinySignerPKCS11) sample supports PIN provision out of the box.

The TElWinCertStorage class is available in all packages. The TElPKCS11CertStorage class requires a license for the PKIBlackbox package or for one of the packages that include PKIBlackbox.
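The two routes described above (presetting both PIN properties on a certificate from the 'MY' store, and logging in to a PKCS#11 session) can be sketched as follows. This is an added example, not code from the TinySigner samples or from EldoS. The unit names, the certificate selection rule, the TOKEN_PIN environment variable, slot 0 and the driver path are all assumptions.

```delphi
program TokenPinDemo;  // added illustration, not an EldoS sample
{$APPTYPE CONSOLE}
uses
  SysUtils, SBX509, SBWinCertStorage, SBPKCS11Base, SBPKCS11CertStorage;

// CSP route: pick the first certificate in 'MY' that has a private key
// (the selection rule is an assumption) and preset both PIN properties.
function SelectCspCert(Store: TElWinCertStorage; const PIN: string): TElX509Certificate;
var
  i: Integer;
begin
  Result := nil;
  Store.SystemStores.Text := 'MY';
  for i := 0 to Store.Count - 1 do
    if Store.Certificates[i].PrivateKeyExists then
    begin
      Result := Store.Certificates[i];
      Result.KeyMaterial.KeyExchangePIN := PIN;
      Result.KeyMaterial.SignaturePIN := PIN;
      Exit;
    end;
end;

// PKCS#11 route: load the vendor driver, open slot 0 read-only, log in as user.
procedure LoginToToken(Store: TElPKCS11CertStorage; const DllPath, PIN: string);
begin
  Store.DLLName := DllPath;
  Store.Open;
  try
    Store.OpenSession(0, True).Login(utUser, PIN);
  except
    Store.Close;  // do not leave the module open after a failed login
    raise;
  end;
end;

var
  WinStore: TElWinCertStorage;
  P11Store: TElPKCS11CertStorage;
  PIN: string;
begin
  PIN := GetEnvironmentVariable('TOKEN_PIN');  // assumed source; never hard-code the PIN
  WinStore := TElWinCertStorage.Create(nil);
  P11Store := TElPKCS11CertStorage.Create(nil);
  try
    // Use PKCS#11 when the CSP store offers no certificate with a private key.
    if SelectCspCert(WinStore, PIN) = nil then
      LoginToToken(P11Store, 'C:\path\to\vendor-pkcs11.dll', PIN);  // placeholder path
  finally
    P11Store.Free;
    WinStore.Free;
  end;
end.
```

A rejected Login() counts against the token's PIN retry counter, so the code re-raises the error instead of retrying automatically.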
