Pkcs11Interop X509 certificate


Ștefan Filip

Mar 4, 2019, 11:40:42 AM
to pkcs11...@googlegroups.com
Hello,

I am working on a software that uses an API that is secured with a smart card. The manufacturer of the smart card is Athen (and the description is Athena IDProtect).

The problem is that when I use the certificate read from the user store, Windows requires me to enter the authentication PIN of the card (using the Smart Card dialog). Once I enter the PIN, I don’t need to enter the PIN again while the process is alive. But I would like to bypass this step and authenticate the card automatically, so if for some user the service gets restarted it doesn’t require human interaction.

So I looked into your library and managed to login on it using the user PIN and even obtain the X509Certificate2 from the smart card. However, if I use that certificate to authenticate my requests to the API I get back an error. The certificate object seems to be exactly the same as the one I read using the `new X509Store(StoreLocation.CurrentUser)` except for the fact that it does not have a PrivateKey set (the one read from the current user's store location has the PrivateKey set).

I’ve been struggling to find an answer to this issue today and I was hoping maybe you could help me with a hint on how to bypass that Smart Card PIN dialog. Thanks in advance!

Regards,
Stefan Filip
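As an added illustration of what the message above describes (this is example code, not code from the thread or from the Pkcs11Interop project), the following C# reads the first X.509 certificate from a token through the Pkcs11Interop 4.x HighLevelAPI after a CKU_USER login. It shows that the resulting X509Certificate2 is built from DER bytes only, so HasPrivateKey is false, and that any signing with the on-card key has to go through the same PKCS#11 session rather than through a Windows key handle. The module path, the PIN source (an environment variable used as a placeholder) and the assumption that the private key shares its CKA_ID with the certificate are all assumptions.

```csharp
// Added example (not from the thread): read a certificate from a token via Pkcs11Interop 4.x,
// show it has no Windows-side private key, and sign through the PKCS#11 session instead.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

class Pkcs11CertReader
{
    static void Main()
    {
        // Assumed: path of the vendor PKCS#11 module (placeholder, the Athena module name is not in the thread).
        string pkcs11LibraryPath = @"C:\path\to\vendor-pkcs11.dll";
        // Assumed: the user PIN comes from a protected secret source; an env var is only a placeholder.
        string userPin = Environment.GetEnvironmentVariable("TOKEN_USER_PIN");

        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, pkcs11LibraryPath, AppType.MultiThreaded))
        {
            List<ISlot> slots = lib.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0) throw new InvalidOperationException("No token present.");

            using (ISession session = slots[0].OpenSession(SessionType.ReadOnly))
            {
                session.Login(CKU.CKU_USER, userPin);

                // Search template: X.509 certificate objects only.
                var certTemplate = new List<IObjectAttribute>
                {
                    factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
                    factories.ObjectAttributeFactory.Create(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509)
                };
                List<IObjectHandle> certs = session.FindAllObjects(certTemplate);
                if (certs.Count == 0) throw new InvalidOperationException("No certificate on token.");

                List<IObjectAttribute> attrs = session.GetAttributeValue(certs[0], new List<CKA> { CKA.CKA_VALUE, CKA.CKA_ID });
                byte[] der = attrs[0].GetValueAsByteArray();
                byte[] certId = attrs[1].GetValueAsByteArray();

                // DER bytes give a certificate object, but nothing links it to a Windows CSP/KSP key container.
                var cert = new X509Certificate2(der);
                Console.WriteLine($"Subject: {cert.Subject}, HasPrivateKey: {cert.HasPrivateKey}"); // false

                // Signing with the on-card key goes through the PKCS#11 session, not cert.PrivateKey.
                // Assumed: the private key object carries the same CKA_ID as the certificate.
                var keyTemplate = new List<IObjectAttribute>
                {
                    factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
                    factories.ObjectAttributeFactory.Create(CKA.CKA_ID, certId)
                };
                List<IObjectHandle> keys = session.FindAllObjects(keyTemplate);
                if (keys.Count > 0)
                {
                    IMechanism mech = factories.MechanismFactory.Create(CKM.CKM_SHA256_RSA_PKCS);
                    byte[] signature = session.Sign(mech, keys[0], ConvertUtils.Utf8StringToBytes("data to sign"));
                    Console.WriteLine($"Signature length: {signature.Length} bytes");
                }

                session.Logout();
            }
        }
    }
}
```

The point to take from this is the one Jaroslav makes in his reply: the PKCS#11 session owns the authenticated state, so an API that expects a certificate with a Windows-backed PrivateKey cannot consume what the session returns.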

Jaroslav Imrich

Mar 4, 2019, 3:38:24 PM
to Pkcs11Interop, stefy...@gmail.com
Hello,
 
> So I looked into your library and managed to login on it using the user PIN and even obtain the X509Certificate2 from the smart card. However, if I use that certificate to authenticate my requests to the API I get back an error. The certificate object seems to be exactly the same as the one I read using the `new X509Store(StoreLocation.CurrentUser)` except for the fact that it does not have a PrivateKey set (the one read from the current user's store location has the PrivateKey set).

You cannot use the PKCS#11 API in places where CAPI / X509Certificate2::PrivateKey is required. Those are two very distinct APIs that usually cannot and should not be mixed together.

However, I remember someone reporting that when they logged in via the PKCS#11 API and kept the session open, Windows did not ask for the PIN when CAPI / X509Certificate2::PrivateKey was used. However, IMO it was rather a lucky implementation coincidence than a conscious feature.
 
> I’ve been struggling to find an answer to this issue today and I was hoping maybe you could help me with a hint on how to bypass that Smart Card PIN dialog. Thanks in advance!

If your API requires X509Certificate2 then forget about using PKCS#11. I'm not sure about the Athena cards, but I've been able to pass the PIN to other cards using the CspParameters [0] class.

Regards, Jaroslav
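One way to do what this reply suggests, as an added example that is not part of the thread and not Jaroslav's code: look up the certificate in the CurrentUser\My store, read the CSP provider and key container name that back it, and open that same container with CspParameters.KeyPassword set and CspProviderFlags.NoPrompt, so the Windows Smart Card dialog is not shown. It assumes .NET Framework (the X509Certificate2.PrivateKey setter), an RSA key held by a legacy CSP rather than a CNG key storage provider (KeyPassword does not apply to CNG keys), a thumbprint placeholder, and a PIN fetched from a protected secret source; the environment variable used here is only a stand-in for that source.

```csharp
// Added example (not from the thread): bind a store certificate to its smart card CSP key
// container with the PIN pre-supplied via CspParameters.KeyPassword, avoiding the PIN dialog.
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SmartCardPinBinder
{
    // Find the certificate by thumbprint in the user's personal store.
    static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0) throw new InvalidOperationException("Certificate not found.");
            return matches[0];
        }
    }

    // Return a copy of the certificate whose private key handle carries the PIN.
    public static X509Certificate2 BindWithPin(X509Certificate2 cert, SecureString pin)
    {
        // The store certificate only references a CSP key container; the card CSP normally
        // prompts on key use, not on reading the container metadata (assumption, card-dependent).
        var existing = cert.PrivateKey as RSACryptoServiceProvider;
        if (existing == null)
            throw new InvalidOperationException("Key is not CSP-backed; CspParameters.KeyPassword does not apply to CNG keys.");
        CspKeyContainerInfo info = existing.CspKeyContainerInfo;

        var csp = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName)
        {
            // NoPrompt suppresses the PIN dialog; UseExistingKey refuses to silently create a new container.
            Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.NoPrompt,
            KeyPassword = pin
        };
        if (info.MachineKeyStore) csp.Flags |= CspProviderFlags.UseMachineKeyStore;

        var rsaWithPin = new RSACryptoServiceProvider(csp);

        // Re-create the certificate from its public bytes and attach the PIN-aware key handle.
        var bound = new X509Certificate2(cert.RawData);
        bound.PrivateKey = rsaWithPin;
        return bound;
    }

    static void Main()
    {
        // Placeholders: neither the thumbprint nor the PIN source is given in the thread.
        string thumbprint = "<THUMBPRINT>";
        var pin = new SecureString();
        foreach (char c in Environment.GetEnvironmentVariable("TOKEN_USER_PIN") ?? "") pin.AppendChar(c);
        pin.MakeReadOnly();

        X509Certificate2 bound = BindWithPin(FindCertificate(thumbprint), pin);

        // Exercise the key once: with the PIN supplied, no dialog should appear here.
        var rsa = (RSACryptoServiceProvider)bound.PrivateKey;
        byte[] sig = rsa.SignData(new byte[] { 1, 2, 3 }, "SHA256");
        Console.WriteLine($"Signed {sig.Length} bytes without a PIN dialog.");
        // For an HTTPS client API, add `bound` to HttpClientHandler.ClientCertificates.
    }
}
```

Whether NoPrompt is honoured depends on the card's CSP; some minidrivers still raise the dialog, which is why Jaroslav qualifies his answer with "other cards". Because the process now holds the PIN, it should be loaded from a protected store (DPAPI, a secrets vault) at start-up rather than placed in configuration in clear text.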

Ștefan Filip

Mar 4, 2019, 3:53:42 PM
to Jaroslav Imrich, Pkcs11Interop
Hi Jaroslav,

Thanks for your response and detailed explanations!

I’m going to try and use the suggested approach using CspParameters using this example tomorrow - 

Hopefully it will work on my Athena card. :D

Thanks again!

Regards,
Stefan