How to sign with the current token certificate #158
Following the "I sign some data and verify the signature" approach to verify the cert, I was actually able to create multiple signatures, one for each key found through this code (I create multiple because I can't know in advance which one will work):
Later on, verifying the data against a hard-coded public key I extracted from testing the I wanted to verify the signature before returning it, but I get zero results with the following search:
Is there any way I can verify the signed data then?
If the key already exists on your device, then you can acquire its object handle with
It is highly recommended that before you start using Pkcs11Interop you get familiar at least with "Chapter 2 - Scope", "Chapter 6 - General overview" and "Chapter 10 - Objects" of the PKCS#11 v2.20 specification (or the equivalent chapters of any previous or subsequent specification version).
The current sample for signing creates its own key pair:
Of course, as I open the session for reading, the last line fails.
Suppose I already have a certificate on my eToken; how can I use it to sign data?
The root cause that took me here:
A long story that may allow me to change the implementation I'm doing; this may be off-topic for the issue, but it may direct me to the right solution instead of the workaround I'm implementing.
I have a working sample code in Java that "verifies" the eToken certificate. Using the same dll I'm using, it finds the right KeyStore by checking every slot and using the pin. Then it lists all the certificate aliases and for each one it retrieves the certificate and does the following check:
I was able to create this code using different resources that I would use to check all the Windows KeyStore certificates:
I would call that function using the certs obtained from the Windows KeyStore. Note that here I would not use the PIN as the sample Java code does.
It worked well until I discovered that if I found the hardware cert in the Windows certificate list and installed it, the function would return true, but you could not use this newly installed certificate, as it doesn't include keys.
So I did a workaround: sign some random data using the .Net CryptoServiceProvider:
I then could sign data using that RSACryptoServiceProvider, and I would get the public key from there and hard-code it into my code to verify different tokens, but this code prompts the user with the underlying software (SafeNet Authentication Client) if the hardware is not present. Also, if I don't provide the password, it prompts the user as well. I want to avoid any kind of user interaction. "Hardware is present && can sign && can verify the signature with my hardcoded pub key" is success, else fail. Possibly, a special message for the case "Hardware is not present".
Pkcs11Interop allows me to test if the token is present and use the password right away, but I don't find in the samples how to use the existing certificate in the hardware to do the really intended verification or to just sign data; the samples generate new pairs on the device, and I think this operation should be read-only.
Thanks in advance. This is an awesome and very complete lib.
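The flow the maintainer points at (find the handle of a private key that already exists on the token in a read-only session, sign with it, and verify against the public key object that shares its CKA_ID rather than searching by hard-coded key value), written here as an added example against the Pkcs11Interop high-level API; it is not code from the issue or from the project's samples, and the library path, the PIN and the choice of CKM_SHA256_RSA_PKCS are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
// Placeholders (assumptions): vendor PKCS#11 library path and the token's user PIN.
const string libraryPath = @"C:\placeholder\vendor-pkcs11.dll";
const string userPin = "PLACEHOLDER-PIN";
byte[] data = Encoding.UTF8.GetBytes("constructed challenge to sign");
var factories = new Pkcs11InteropFactories();
using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, libraryPath, AppType.MultiThreaded))
{
    List<ISlot> slots = lib.GetSlotList(SlotsType.WithTokenPresent);
    if (slots.Count == 0) { Console.WriteLine("Hardware is not present"); return; }
    // A read-only session is enough: nothing is generated or written on the token.
    using (ISession session = slots[0].OpenSession(SessionType.ReadOnly))
    {
        session.Login(CKU.CKU_USER, userPin);
        // Search template: existing RSA private keys that are allowed to sign.
        var privTemplate = new List<IObjectAttribute>
        {
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SIGN, true)
        };
        IMechanism mech = session.Factories.MechanismFactory.Create(CKM.CKM_SHA256_RSA_PKCS);
        foreach (IObjectHandle privKey in session.FindAllObjects(privTemplate))
        {
            // CKA_ID is what ties a private key to its public key and certificate objects.
            List<IObjectAttribute> attrs = session.GetAttributeValue(privKey, new List<CKA> { CKA.CKA_ID, CKA.CKA_LABEL });
            byte[] ckaId = attrs[0].GetValueAsByteArray();
            string label = attrs[1].GetValueAsString();
            byte[] signature = session.Sign(mech, privKey, data);
            // Look up the matching public key by CKA_ID (not by key value) and verify on the token.
            var pubTemplate = new List<IObjectAttribute>
            {
                session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY),
                session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId)
            };
            List<IObjectHandle> pubKeys = session.FindAllObjects(pubTemplate);
            bool isValid = false;
            if (pubKeys.Count > 0)
                session.Verify(mech, pubKeys[0], data, signature, out isValid);
            Console.WriteLine($"key '{label}': signature {signature.Length} bytes, verifies on token = {isValid}");
        }
        session.Logout();
    }
}
```

Not every token stores a public key object next to each private key; when the CKA_ID lookup returns nothing, the public key can be taken from the CKO_CERTIFICATE object with the same CKA_ID instead. Verifying against a pinned public key in the application is the same check, only with the key material taken from your own configuration rather than from the token.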