Digitally sign a message from a SafeNet iKey USB token.

KrazySmile

Feb 8, 2008, 11:25:34 AM2/8/08
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
Hey everyone, I'm trying to digitally sign a message from a SafeNet
iKey USB token.
I'm using C# .NET 2.0.

And I can do it. It prompts for the correct certificate, asks for the
PIN, and signs a message.
My problem: it's a web application, so it has got to be all automatic
without any user input.
I can choose the certificate from the Windows store (when you place
the token in USB, it automatically inserts the certificate in the
store).
What I can't do is put in the PIN.

I've tried and tried several methods unsuccessfully.
Do I need to use a PKCS#11 API to manually do all the signing,
or can I do it with .NET?

Can anyone point me in the right direction please?

Regards

Andrew Badera

Feb 9, 2008, 4:20:18 AM2/9/08
to DotNetDe...@googlegroups.com
OK, having done some research here recently, I think you're stuck with:

XP/2.0: xenroll COM DLL
Vista/2.0: certenroll COM DLL
OR p/invoke calls for the above
3.0/3.5 you can use CardSpace.

However, if you find otherwise, I'd love to hear about it! Good luck!
--
--Andy Badera
http://andrew.badera.us/
and...@badera.us
(518) 641-1280
Google me: http://www.google.com/search?q=andrew+badera

Andrew Badera

Feb 9, 2008, 4:45:53 AM2/9/08
to DotNetDe...@googlegroups.com
Also, I'd be curious to see your cert params and the code you use to programmatically pick up the cert, if you wouldn't mind sharing. I'm debating PKI versus my own "simple" key server mechanism ... PKI seems overkill, but if cert handling is seamless and non-interactive, maybe that means I can avoid creating my OWN PKI ...


KrazySmile

Feb 12, 2008, 5:10:45 AM2/12/08
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
xenroll:
I don't know it. Gonna do some digging about it.
I really thought it would be possible with 2.0 though,
using the correct CspParameters...

Thanks.


About the code, sure. I don't know if it is the correct way, or if it will
help you in any way, but here it is:

If prior to the execution of the app you already know the certificate
you want (in my case, it is always the same certificate), you can do
something like this:


-----------------------------------------------------------------------
using System.Security.Cryptography.X509Certificates;

X509Certificate2 card = GetCertificateByThumbprint(thumbprint);
...

public X509Certificate2 GetCertificateByThumbprint(string thumbprint)
{
    // Search the current user's personal store for the token certificate
    // and send it back (the token's driver puts it there when the token is inserted).
    X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    try
    {
        // There are more possibilities in X509FindType, e.g. FindBySubjectName.
        // validOnly = false: return the certificate even if chain validation fails.
        X509Certificate2Collection certColl =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        if (certColl.Count == 0)
            return null;
        return certColl[0];
    }
    finally
    {
        store.Close();
    }
}
-----------------------------------------------------------------------


Instead of the popup for choosing the certificate, I tell it to look for
a specific certificate with
store.Certificates.Find(X509FindType.FindByThumbprint) // There are more
possibilities in X509FindType

Hope this helps.


Regards



Andrew Badera

Feb 12, 2008, 10:25:35 AM2/12/08
to DotNetDe...@googlegroups.com
Have you ever had to work with Windows PKI? I'm curious about the certificate request and acceptance process ... any info would be greatly appreciated. Even digging through what you have below gives me a better sense of X509 in general, thanks!
--
--Andy Badera

KrazySmile

Feb 13, 2008, 5:05:28 AM2/13/08
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
No, I haven't worked with Windows PKI.
My studies on cryptography are kinda limited, although I know a few
things.

About the xenroll.dll, do you know any good link with an example so I
can easily start?

Thanks.


Andrew Badera

Feb 13, 2008, 12:23:25 PM2/13/08
to DotNetDe...@googlegroups.com
Wish I did, I had a lot of trouble finding good references two-three weeks ago when I was looking. Let me see if I bookmarked anything worthwhile, and get back to ya.
--
--Andy Badera

KrazySmile

Feb 14, 2008, 4:25:17 AM2/14/08
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
That would be really great. Thanks Andrew.

I'm getting kinda crazy with this.
I have the whole program working, and I can sign a message with the USB
token (all using .NET functions, no extra *.dll).
I just don't want it to ask me for the stupid PIN!!! That, I can't do.

If anyone has any idea, I would really appreciate it.

Regards.



Andrew Badera

Feb 15, 2008, 6:06:49 AM2/15/08
to DotNetDe...@googlegroups.com
You might find some value here:

http://msdn2.microsoft.com/en-gb/library/bb931379(VS.85).aspx

Though it's talking in terms of mapping xenroll (XP) to certenroll (Vista), I think it was one of the better demo sources I found that wasn't purely C++.

And possibly here:

http://support.microsoft.com/kb/922706

I suspect a lot of xenroll information has been deprecated along with the object itself, in favor of certenroll ... I'll keep digging, if you find anything though, let me know please!
--
--Andy Badera

KrazySmile

Mar 26, 2008, 2:48:48 PM3/26/08
to DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services,.NET Remoting
Hey there.

From an example on MSDN on how to use CspParameters I get this:
--------------------------------------------------------------------------------------------
using System;
using System.Security;
using System.Security.Cryptography;

// Create a new CspParameters object that identifies a
// Smart Card Cryptographic Provider.
// The 1st parameter comes from
// HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider Types.
// The 2nd parameter comes from
// HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider.
CspParameters csp = new CspParameters(1, "Datakey RSA CSP");
csp.Flags = CspProviderFlags.UseDefaultKeyContainer;

// Token password (PIN), handed to the CSP as a SecureString.
SecureString pwd = new SecureString();
pwd.AppendChar('1'); pwd.AppendChar('2'); pwd.AppendChar('3');
pwd.AppendChar('4');
csp.KeyPassword = pwd;

csp.KeyNumber = (int)KeyNumber.Signature;

// Initialize an RSACryptoServiceProvider object using
// the CspParameters object.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp);

// Create some data to sign.
byte[] data = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 };

Console.WriteLine("Data : " + BitConverter.ToString(data));

// Sign the data using the Smart Card Cryptographic Provider.
byte[] sig = rsa.SignData(data, "SHA1");

Console.WriteLine("Signature : " + BitConverter.ToString(sig));

// Verify the data using the Smart Card Cryptographic Provider.
bool verified = rsa.VerifyData(data, "SHA1", sig);

Console.WriteLine("Verified : " + verified);
--------------------------------------------------------------------------------------------
And it is working, meaning it does not ask me for the PIN for the
smart card.


So, now that I know that it does work, I need to find a way to do the
same in:
--------------------------------------------------------------------------------------------
(from http://msdn2.microsoft.com/en-us/library/aa480472.aspx)
using System;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// X509CertificateEx was the pre-release name of the type that shipped
// in .NET 2.0 as X509Certificate2.
static public byte[] SignMsg(Byte[] msg, X509Certificate2 signerCert)
{
    // Place message in a ContentInfo object.
    // This is required to build a SignedCms object.
    ContentInfo contentInfo = new ContentInfo(msg);

    // Instantiate SignedCms object with the ContentInfo above.
    // Has default SubjectIdentifierType IssuerAndSerialNumber.
    // Has default Detached property value false, so message is
    // included in the encoded SignedCms.
    SignedCms signedCms = new SignedCms(contentInfo);

    // Formulate a CmsSigner object, which has all the needed
    // characteristics of the signer.
    CmsSigner cmsSigner = new CmsSigner(signerCert);

    // Sign the PKCS #7 message.
    signedCms.ComputeSignature(cmsSigner);

    // Encode the PKCS #7 message.
    return signedCms.Encode();
}
--------------------------------------------------------------------------------------------


I need to create a new CmsSigner with a CspParameters like in the RSA
example above.
Something like:
CmsSigner cmsSigner = new CmsSigner(csp);

And it compiles just fine, just... it still asks for the PIN, and (after
inputting the PIN) the byte[] that it returns is not right.
From this I must assume that creating a CmsSigner like that does not
do the job.


Any thoughts on that?



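Added example, not from the thread and not from the MSDN samples quoted above: the two pieces the last post is trying to join, written as one routine. As far as I understand the CmsSigner(CspParameters) constructor, it is meant for signing with a key that has no certificate of its own, so the SignerInfo it produces does not identify the token certificate; that would account for the "not right" bytes. The code below instead rebuilds the CspParameters from the certificate's own CspKeyContainerInfo (no hard-coded "Datakey RSA CSP" or provider type 1), sets KeyPassword, and attaches the resulting key to the certificate through X509Certificate2.PrivateKey before handing it to CmsSigner. It targets .NET Framework, the API generation the thread uses. Assumptions: the token's CSP honours a PIN supplied through KeyPassword for the CMS operation as it did for the raw RSACryptoServiceProvider test above, and keeps it cached for the process; TokenCmsSigner, SignMsg, Verify and the pin parameter are names chosen here. Two caveats before putting this in a web application: a PIN the server supplies by itself turns the token into a key that anyone with code execution on that server can use, so the per-person non-repudiation a token normally gives is gone; and the PIN should be loaded from protected configuration at run time, not from AppendChar('1') literals in source.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the thread or from MSDN): CMS/PKCS#7 signing with
// the token certificate, PIN supplied through CspParameters.KeyPassword.
// ASSUMPTION: the token's CSP accepts the PIN this way for the CMS operation
// and caches it per process; test against the real token before relying on it.
public static class TokenCmsSigner
{
    public static byte[] SignMsg(byte[] msg, X509Certificate2 signerCert, SecureString pin)
    {
        // The certificate the token's driver placed in the store is linked to the
        // key on the token; PrivateKey resolves that link to the CSP and container.
        RSACryptoServiceProvider linked = signerCert.PrivateKey as RSACryptoServiceProvider;
        if (linked == null)
            throw new CryptographicException("Certificate is not backed by an RSA CSP key.");
        CspKeyContainerInfo info = linked.CspKeyContainerInfo;

        CspParameters csp = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName);
        csp.KeyNumber = (int)info.KeyNumber;
        // UseExistingKey: fail if the container is missing instead of quietly
        // generating a fresh key pair that matches no certificate.
        csp.Flags = CspProviderFlags.UseExistingKey;
        if (info.MachineKeyStore)
            csp.Flags |= CspProviderFlags.UseMachineKeyStore;
        csp.KeyPassword = pin;   // PIN handed to the CSP instead of being prompted for

        RSACryptoServiceProvider unlocked = new RSACryptoServiceProvider(csp);

        // Attach the PIN-carrying key to a copy of the certificate. The setter
        // checks that the key's public half matches the certificate, so a wrong
        // container fails here rather than yielding an unverifiable signature.
        X509Certificate2 cert = new X509Certificate2(signerCert);
        cert.PrivateKey = unlocked;

        SignedCms signedCms = new SignedCms(new ContentInfo(msg));   // attached content
        CmsSigner cmsSigner = new CmsSigner(cert);                   // IssuerAndSerialNumber
        // silent = true: a CSP that still wants to show a PIN dialog raises a
        // CryptographicException instead of hanging a web request on an
        // invisible window in the worker process.
        signedCms.ComputeSignature(cmsSigner, true);
        return signedCms.Encode();
    }

    // The signature must verify and the signer must be the token certificate,
    // not a placeholder. verifySignatureOnly = true skips chain building;
    // validate the chain separately where trust, not just integrity, matters.
    public static bool Verify(byte[] encoded, X509Certificate2 expectedSigner)
    {
        SignedCms cms = new SignedCms();
        cms.Decode(encoded);
        try { cms.CheckSignature(true); }
        catch (CryptographicException) { return false; }
        foreach (SignerInfo si in cms.SignerInfos)
            if (si.Certificate.Thumbprint == expectedSigner.Thumbprint)
                return true;
        return false;
    }
}
```

Call it with the certificate returned by GetCertificateByThumbprint from earlier in the thread, e.g. TokenCmsSigner.SignMsg(msg, card, pin), and run Verify on the result with the same certificate; if SignMsg throws from ComputeSignature with silent set, the CSP did not accept the PIN through KeyPassword and the assumption above does not hold for that driver.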