CertificateStorage Component
Properties Methods Events Config Settings Errors
The CertificateStorage component works with collections of certificates.
Syntax
TsbxCertificateStorage
Remarks
CertificateStorage can work with certificates residing on a variety of media. Among others, it can access certificates residing in files, Windows and macOS system stores, and PKCS#11 devices. All such kinds of media can be accessed via a simple, unified interface, which makes CertificateStorage a handy certificate access option. Most users of SecureBlackbox use this component to access certificates residing on hardware devices. CertificateStorage is also a good alternative to CertificateManager where the certificate file contains more than one certificate.
To access certificates stored on certain type of media, start with the Open method. Provide the location of your certificates via a uniform URI-like specifier. Once the storage has been opened, you can access the certificates contained in it via the Certificates property.
Iterate over certificates by using the Certificates property, or use filtering facilities such as Select and SelectChain. You can add certificates to the storage with the Add, AddFromFile, and AddPinned methods. In the latter case please assign the certificate object to be imported to the PinnedCert property.
Use CreateNew method to create a new storage. Note that not all storage kinds can be created.
When you have finished working with the certificate storage, close it with the Close method.
Certain types of stores must be kept open for the certificates to continue to be usable. This means that while you can
copy a certificate to a different storage, or assign it to a different component, you still must keep
the storage it originates from open for as long as you intend to use that certificate in your code.
This is because the storage is often a bridge between a certificate
and its private key, and by closing the storage early you are destroying this bridge prematurely. See the code example below:
// This code, although syntactically correct, will fail because the storage is closed too early:
storage.Open("pkcs11://user:12345@localhost/C:/Windows/System32/asepkcs.dll");
pdfSigner.SigningCertificate = storage.Certificates[0];
storage.Close(false); // the private key of the SigningCertificate gets lost after this call
pdfSigner.Sign(); // returns an error
// This code will work as expected
storage.Open("pkcs11://user:12345@localhost/C:/Windows/System32/asepkcs.dll");
pdfSigner.SigningCertificate = storage.Certificates[0];
pdfSigner.Sign();
storage.Close(false);
Property List
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
| Certificates | A collection of certificates contained in the storage. |
| FIPSMode | Reserved. |
| Opened | Indicates whether the storage is in the open state. |
| PinnedCert | A pinned certificate. |
| SelectedCertificates | A collection of selected certificates. |
| StorageID | A unique identifier of this storage. |
| StorageLocation | Specifies the location of the currently opened storage. |
Method List
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
| Add | Adds a certificate to the storage. |
| AddFromFile | Adds a certificate to the storage. |
| AddFromStream | Adds a certificate to the storage. |
| AddPinned | Adds the pinned certificate to the storage. |
| Clear | Removes all certificates from the storage. |
| Close | Closes the certificate storage. |
| Config | Sets or retrieves a configuration setting. |
| CreateNew | Creates a new storage. |
| DoAction | Performs an additional action. |
| ExportBytes | Exports the certificates in the chosen format. |
| ExportToFile | Exports the certificates to a file. |
| ExportToStream | Exports the certificate to a stream. |
| GetStorageProperty | Returns the value of a custom certificate storage property. |
| ImportBytes | Imports a certificates. |
| ImportFromFile | Loads a certificates from a file. |
| ImportFromStream | Loads a certificates from a stream. |
| ListStores | Returns a list of individual stores available within the storage. |
| Login | Signs in to a session or elevates the session rights. |
| Logout | Signs out of an opened session. |
| Open | Opens existing storage or creates one in memory. |
| Refresh | Refreshes all storage keychains. |
| Remove | Removes a certificate from the storage. |
| Select | Allows the selection of certificates from the system store. |
| SelectChain | Selects a chain of certificates given its index. |
| SetStorageProperty | Sets the value of a custom certificate storage property. |
Event List
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
| Error | Information about errors during certificate loading or saving. |
| Notification | This event notifies the application about an underlying control flow event. |
| PasswordNeeded | This event is fired when a decryption password is needed. |
Config Settings
The following is a list of config settings for the component with short descriptions. Click on the links for further details.
| AuthAttempts | The number of auth/login attempts to try. |
| PKCS11ActiveSlot | The index of the slot that the component is working with. |
| PKCS11NewPIN | Changes the current user's PIN. |
| PKCS11NewUserPIN | Registers a new user PIN. |
| PKCS11PIN | Sets the operation PIN. |
| PKCS11SlotCount | The number of slots exposed in the storage. |
| PKCS11SlotDescription[i] | A human-readable description of the slot. |
| PKCS11SlotLoggedIn[i] | Whether slot i has an active session associated with it. |
| PKCS11SlotPinNeeded[i] | Whether slot i requires you to provide a PIN to log in or sign. |
| PKCS11SlotReadOnly[i] | Whether slot i only supports read-only access. |
| PKCS11SlotTokenLabel[i] | The label assigned to the token. |
| PKCS11SlotTokenModel[i] | The token model. |
| PKCS11SlotTokenPresent[i] | Indicates whether there is a token in the slot. |
| PKCS11SlotTokenSerial[i] | The serial number of the token. |
| PKCS11SlotTokenVendorID[i] | The manufacturer ID of the inserted token. |
| PKCS11SlotVendorID[i] | Returns the manufacturer ID of the slot. |
| TempPath | Path for storing temporary files. |
| CheckKeyIntegrityBeforeUse | Enables or disable private key integrity check before use. |
| CookieCaching | Specifies whether a cookie cache should be used for HTTP(S) transports. |
| Cookies | Gets or sets local cookies for the component. |
| DefDeriveKeyIterations | Specifies the default key derivation algorithm iteration count. |
| EnableClientSideSSLFFDHE | Enables or disables finite field DHE key exchange support in TLS clients. |
| GlobalCookies | Gets or sets global cookies for all the HTTP transports. |
| HttpUserAgent | Specifies the user agent name to be used by all HTTP clients. |
| LogDestination | Specifies the debug log destination. |
| LogDetails | Specifies the debug log details to dump. |
| LogFile | Specifies the debug log filename. |
| LogFilters | Specifies the debug log filters. |
| LogFlushMode | Specifies the log flush mode. |
| LogLevel | Specifies the debug log level. |
| LogMaxEventCount | Specifies the maximum number of events to cache before further action is taken. |
| LogRotationMode | Specifies the log rotation mode. |
| MaxASN1BufferLength | Specifies the maximal allowed length for ASN.1 primitive tag data. |
| MaxASN1TreeDepth | Specifies the maximal depth for processed ASN.1 trees. |
| OCSPHashAlgorithm | Specifies the hash algorithm to be used to identify certificates in OCSP requests. |
| StaticDNS | Specifies whether static DNS rules should be used. |
| StaticIPAddress[domain] | Gets or sets an IP address for the specified domain name. |
| StaticIPAddresses | Gets or sets all the static DNS rules. |
| Tag | Allows to store any custom data. |
| TLSSessionGroup | Specifies the group name of TLS sessions to be used for session resumption. |
| TLSSessionLifetime | Specifies lifetime in seconds of the cached TLS session. |
| TLSSessionPurgeInterval | Specifies how often the session cache should remove the expired TLS sessions. |
| UseOwnDNSResolver | Specifies whether the client components should use own DNS resolver. |
| UseSharedSystemStorages | Specifies whether the validation engine should use a global per-process copy of the system certificate stores. |
| UseSystemOAEPAndPSS | Enforces or disables the use of system-driven RSA OAEP and PSS computations. |
| UseSystemRandom | Enables or disables the use of the OS PRNG. |
Certificates Property (CertificateStorage Component)
A collection of certificates contained in the storage.
Syntax
property Certificates: TsbxCertificateList read get_Certificates;
Remarks
Use this property to access all certificates contained in the opened storage.
This property is read-only and not available at design time.
Please refer to the Certificate type for a complete list of fields.FIPSMode Property (CertificateStorage Component)
Reserved.
Syntax
property FIPSMode: Boolean read get_FIPSMode write set_FIPSMode;
Default Value
false
Remarks
This property is reserved for future use.
Opened Property (CertificateStorage Component)
Indicates whether the storage is in the open state.
Syntax
property Opened: Boolean read get_Opened;
Default Value
false
Remarks
Use this property to check if the storage has been 'opened.' Different kinds of certificate storages imply different meanings for 'being opened', but generally a storage is open if it is available for operations.
Use Open method to open a storage.
This property is read-only and not available at design time.
PinnedCert Property (CertificateStorage Component)
A pinned certificate.
Syntax
property PinnedCert: TsbxCertificate read get_PinnedCert write set_PinnedCert;
Remarks
Use this property to pin a certificate before adding it to the storage with AddPinned method.
This property is not available at design time.
Please refer to the Certificate type for a complete list of fields.SelectedCertificates Property (CertificateStorage Component)
A collection of selected certificates.
Syntax
property SelectedCertificates: TsbxCertificateList read get_SelectedCertificates;
Remarks
This property contains a list of certificates returned by Select or SelectChain method.
This property is read-only and not available at design time.
Please refer to the Certificate type for a complete list of fields.StorageID Property (CertificateStorage Component)
A unique identifier of this storage.
Syntax
property StorageID: String read get_StorageID;
Default Value
''
Remarks
Use this property to get a unique ID of this storage. The format of ID may differ for different kinds of certificate storages, and may range from a file path for a file storage, to a URI-like ID for a PKCS#11 storage, to an empty value for an in-memory storage.
This property is read-only.
StorageLocation Property (CertificateStorage Component)
Specifies the location of the currently opened storage.
Syntax
property StorageLocation: String read get_StorageLocation;
Default Value
''
Remarks
Use this property to get the location of the active storage. The location indicates the nature of the storage and can be assigned with one of the below values (more values may be added in future):
| cslUnspecified | unspecified | |
| cslMemory | memory | in-memory storage |
| cslFile | file | file storage |
| cslSystem | system | OS-specific certificate storage (e.g. CryptoAPI) |
| cslPKCS11 | pkcs11 | PKCS#11 compatible device |
| cslKMIP | kmip | |
| cslApple | apple | Apple certificates storage (macOS and iOS only) |
| cslJava | java | java key storage |
This property is read-only.
Add Method (CertificateStorage Component)
Adds a certificate to the storage.
Syntax
procedure Add(Data: TBytes);
Remarks
Use this method to add a certificate supplied in its raw DER representation via the Data parameter.
AddFromFile Method (CertificateStorage Component)
Adds a certificate to the storage.
Syntax
procedure AddFromFile(Filename: String);
Remarks
Use this method to add a certificate stored in a file.
AddFromStream Method (CertificateStorage Component)
Adds a certificate to the storage.
Syntax
procedure AddFromStream(Stream: TStream);
Remarks
Use this method to add a certificate contained in a stream.
AddPinned Method (CertificateStorage Component)
Adds the pinned certificate to the storage.
Syntax
procedure AddPinned();
Remarks
This method adds a certificate attached to the PinnedCert property to the storage. This method is a handy way of adding certificates generated/returned by other components.
Clear Method (CertificateStorage Component)
Removes all certificates from the storage.
Syntax
procedure Clear();
Remarks
Use this method to empty the storage.
Close Method (CertificateStorage Component)
Closes the certificate storage.
Syntax
procedure Close(Save: Boolean);
Remarks
Use this method to close the storage component and clean up any resources associated with it.
This method releases all memory objects and handles associated with the certificates contained in the storage. Any certificate objects originating from the storage become invalid as soon as the storage is closed, and should not be used.
Save parameter only applies to certain types of stores, such as file stores. Set it to True to commit any changes to the underlying media. Note that PKCS#11 and Win32 storage types are of transactional nature and commit any changes immediately, so the value of the Save parameter does not make any difference with them.
Config Method (CertificateStorage Component)
Sets or retrieves a configuration setting.
Syntax
function Config(ConfigurationString: String): String;
Remarks
Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.
These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.
To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).
To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.
CreateNew Method (CertificateStorage Component)
Creates a new storage.
Syntax
procedure CreateNew(StorageLocation: String; StorageID: String);
Remarks
Use this method to create new certificate storage.
StorageLocation specifies where the new storage should be created, and StorageID contains a unique storage identifier.
| cslUnspecified | unspecified | |
| cslMemory | memory | in-memory storage |
| cslFile | file | file storage |
| cslSystem | system | OS-specific certificate storage (e.g. CryptoAPI) |
| cslPKCS11 | pkcs11 | PKCS#11 compatible device |
| cslKMIP | kmip | |
| cslApple | apple | Apple certificates storage (macOS and iOS only) |
| cslJava | java | java key storage |
DoAction Method (CertificateStorage Component)
Performs an additional action.
Syntax
function DoAction(ActionID: String; ActionParams: String): String;
Remarks
DoAction is a generic method available in every component. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.
The unique identifier (case insensitive) of the action is provided in the ActionID parameter.
ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....
ExportBytes Method (CertificateStorage Component)
Exports the certificates in the chosen format.
Syntax
function ExportBytes(Password: String; Format: Integer): TBytes;
Remarks
Use this method to save the certificates in one of the formats defined below.
Pass the encryption password via the Password parameter if needed.
| cfmUnknown | 0 | Unknown certificate format |
| cfmDER | 1 | DER file format. Applicable to certificates, certificate requests, private keys. Encryption not supported |
| cfmPEM | 2 | PEM file format. Applicable to certificates, certificate requests, private keys. Encryption supported for private keys. |
| cfmPFX | 3 | PFX/PKCS#12 file format. Applicable to certificates. Encryption supported. |
| cfmSPC | 4 | SPC file format. Applicable to certificates. Encryption not supported. |
| cfmPVK | 5 | PVK file format. Applicable to private keys. Encryption not supported. |
| cfmPKCS8 | 6 | PKCS#8 file format. Applicable to private keys. Encryption supported. |
| cfmNET | 7 | NET file format. Applicable to private keys. Encryption not supported. |
Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.
ExportToFile Method (CertificateStorage Component)
Exports the certificates to a file.
Syntax
procedure ExportToFile(CertFile: String; Password: String; Format: Integer);
Remarks
Use this method to save the certificates to a file in one of the formats given below. Pass the encryption password via the Password parameter.
| cfmUnknown | 0 | Unknown certificate format |
| cfmDER | 1 | DER file format. Applicable to certificates, certificate requests, private keys. Encryption not supported |
| cfmPEM | 2 | PEM file format. Applicable to certificates, certificate requests, private keys. Encryption supported for private keys. |
| cfmPFX | 3 | PFX/PKCS#12 file format. Applicable to certificates. Encryption supported. |
| cfmSPC | 4 | SPC file format. Applicable to certificates. Encryption not supported. |
| cfmPVK | 5 | PVK file format. Applicable to private keys. Encryption not supported. |
| cfmPKCS8 | 6 | PKCS#8 file format. Applicable to private keys. Encryption supported. |
| cfmNET | 7 | NET file format. Applicable to private keys. Encryption not supported. |
Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.
ExportToStream Method (CertificateStorage Component)
Exports the certificate to a stream.
Syntax
procedure ExportToStream(CertStream: TStream; Password: String; Format: Integer);
Remarks
Use this method to save the certificate to a stream in one of the formats given below. Pass the encryption password via the Password parameter.
| cfmUnknown | 0 | Unknown certificate format |
| cfmDER | 1 | DER file format. Applicable to certificates, certificate requests, private keys. Encryption not supported |
| cfmPEM | 2 | PEM file format. Applicable to certificates, certificate requests, private keys. Encryption supported for private keys. |
| cfmPFX | 3 | PFX/PKCS#12 file format. Applicable to certificates. Encryption supported. |
| cfmSPC | 4 | SPC file format. Applicable to certificates. Encryption not supported. |
| cfmPVK | 5 | PVK file format. Applicable to private keys. Encryption not supported. |
| cfmPKCS8 | 6 | PKCS#8 file format. Applicable to private keys. Encryption supported. |
| cfmNET | 7 | NET file format. Applicable to private keys. Encryption not supported. |
Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.
GetStorageProperty Method (CertificateStorage Component)
Returns the value of a custom certificate storage property.
Syntax
function GetStorageProperty(Name: String): String;
Remarks
This method, together with SetStorageProperty, provides an extensible way of managing the certificate storage's settings that are not available through the primary properties of the component. The list of settings may be extended in future, in response to emergence of new storage variants and recognition of non-obvious storage usage scenarios.
The following certificate storage properties can be read using this method:
| PKCS11SlotCount | Returns the number of slots available in an opened PKCS#11 storage. |
| PKCS11ActiveSlot | Returns the index of the PKCS#11 slot that is currently being accessed. |
| PKCS11PIN | The PIN for the storage and/or operation, previously set with SetStorageProperty call. |
| PKCS11TextEncodingMode | The string encoding mode to apply to the PIN when passing it to C_Login() method. This can be changed by passing the relevant setting to SetStorageProperty. |
| PKCS11Slot | The slot number to open, set previously with SetStorageProperty. |
| PKCS11Login | The user account to sign in with, set previously with SetStorageProperty |
| PKCS11SlotLoggedIn[i] | Returns true if there is an active session associated with slot number i. |
| PKCS11SlotPinNeeded[i] | Returns true if you need to provide a PIN to sign in to the session for slot i. |
| PKCS11SlotReadOnly[i] | Returns the availability of the slot for write operations. |
| PKCS11SlotVendorID[i] | Returns the manufacturer name associated with the slot. |
| PKCS11SlotDescription[i] | A human-readable description of the slot. |
| PKCS11SlotTokenPresent[i] | Indicates whether there is a token in the slot. |
| PKCS11SlotTokenVendorID[i] | The manufacturer ID of the inserted token. |
| PKCS11SlotTokenLabel[i] | The label assigned to the token. |
| PKCS11SlotTokenModel[i] | The token model. |
| PKCS11SlotTokenSerial[i] | The serial number of the token. |
| PKCS11SlotTokenFlags[i] | The value of the PKCS#11 token flags parameter. |
ImportBytes Method (CertificateStorage Component)
Imports a certificates.
Syntax
procedure ImportBytes(CertBytes: TBytes; Password: String; Clear: Boolean);
Remarks
Use this method to load a certificates from a byte array. Provide the password via the Password parameter. This method supports certificates in DER, PEM, PFX, and SPC formats.
ImportFromFile Method (CertificateStorage Component)
Loads a certificates from a file.
Syntax
procedure ImportFromFile(Path: String; Password: String; Clear: Boolean);
Remarks
This method can load certificates saved in one of the following formats: DER, PEM, PFX, SPC.
Use the Path parameter to provide a path to the certificate, and Password to specify the password.
ImportFromStream Method (CertificateStorage Component)
Loads a certificates from a stream.
Syntax
procedure ImportFromStream(CertStream: TStream; Password: String; Clear: Boolean);
Remarks
This method can load certificates saved in one of the following formats: DER, PEM, PFX, SPC.
Use the CertStream parameter to provide a stream containing the certificate data, and Password to specify the password.
ListStores Method (CertificateStorage Component)
Returns a list of individual stores available within the storage.
Syntax
function ListStores(): String;
Remarks
Use this method to query a list of individual stores available in the opened storage.
The contents of the list depends on the type of the store used and the parameters it is opened with. For system (CryptoAPI) stores the method returns a list of available system stores for the chosen access type, as returned by Windows (e.g. MY, ADDRESSBOOK, CA). For PKCS#11 stores the method returns a list of slot descriptions for all slots published by the driver.
The store names are separated from each other with a CRLF sequence.
Login Method (CertificateStorage Component)
Signs in to a session or elevates the session rights.
Syntax
procedure Login(SessionType: Integer; Pin: String; ReadOnly: Boolean);
Remarks
Use this method to sign in to a session with a required access type. Note that in some cases you
may call this method more than one time for a specific session to elevate your access rights, for example:
// open an unauthenticated session
storage.Login(stUnauthenticated, "", false);
// elevate the access rights for the session
storage.Login(stUser, "password", false);
Sessions are currently supported for PKCS#11 storage types only.
| stUnauthenticated | 0 | |
| stUser | 1 | |
| stAdministrator | 2 |
Logout Method (CertificateStorage Component)
Signs out of an opened session.
Syntax
procedure Logout(CloseSesion: Boolean);
Remarks
Use this method to sign out of a session. Pass true to CloseSession to shut the session down altogether.
This method is currently support for PKCS#11 storage type only.
Open Method (CertificateStorage Component)
Opens existing storage or creates one in memory.
Syntax
procedure Open(StorageID: String);
Remarks
Use this method to open the storage with the given StorageID. Certificate storages can come from several different locations, detailed below.
Memory
A storage can be created in memory by passing an empty string ("").
File
A storage can be opened from a file using one of two syntaxes:
- C:\Certs\certs.pem
- file://C:/Certs/certs.pem
Windows System
A storage can be opened from the Windows System using this syntax: system://{user}@{host}/?{params}
user is one of these values:
- currentuser
- localmachine
- currentservice
params are chosen from this list:
- store (required), is the name of the Windows store to access (e.g. "MY")
- readonly, whether to access the store with only read permissions. Use 0 for false, and 1 for true.
PKCS#11 Device
A storage can be opened from a PKCS#11 device using this syntax: pkcs11://{user}:{pin}@/{driverpath}?{params}
user is the username used to access the device; typically it's either "user" or "admin".
pin is the pin code used to access the device.
driverpath is the path to the driver used to access the device.
params are chosen from this list:
- slot, the token slot to access on the device. If not provided, one will be chosen automatically. If set to -1, no session will be opened.
- readonly, whether to access the device with only read permissions. Use 0 for false, and 1 for true.
- login, whether to sign in to the device with a PIN. Use 0 or no to avoid signing in, or 1 or yes to enforce it. When not specified, the yes mode is used.
macOS
A keychain can be opened on macOS using this syntax: macos://:{password}@/{keychain}?{params}
This is the right way to perform cryptographic operations using private keys, including non-exportable private keys. By now, only certificates with RSA keys are supported, other certificates are not listed and are not used.
keychain is the path to a keychain file. If no keychain specified, the default keychain is opened.
password is the keychain access password. If no password is provided, it will be asked by macOS UI if necessary. To access a keychain in readonly mode, no password is needed usually.
params are chosen from this list:
- readonly, whether to access the keychain with only read permissions. Use 0 for false, and 1 for true.
iOS
A keychain can be opened on iOS using this syntax: ios:///?{params}
iOS doesn't support keychains located in files. By now, only certificates with RSA keys are supported, other certificates are not listed and are not used.
params are chosen from this list:
- readonly, whether to access the keychain with only read permissions. Use 0 for false, and 1 for true.
KMIP Server
A storage can be opened from a KMIP server using this syntax: mailto:{password}@{remotehost}:{remoteport}/?{params}
password is the password use to authenticate to the server.
remotehost is the FQDN to the server.
remoteport is the server port to connect to.
params are chosen from this list:
- encoder, the message encoding used to communicate with the server. Possible values are:
- 1 (XML)
- 2 (JSON)
- 3 (TTLV)
Apple
A storage can be opened on macOS using this syntax: apple:///{path}/?{params}
This is a legacy way to work with keychains on macOS and iOS.
path is the path for storage file.
params are chosen from this list:
- keychainindex, key chain index. If not provided, one will be set to 0.
- readonly, whether to access the storage with only read permissions. Use 0 for false, and 1 for true.
params are chosen from this list:
- readonly, whether to access the storage with only read permissions. Use 0 for false, and 1 for true.
In Xamarin projects for iOS keychain support should be enabled manually. To do this: 1. Double click on Entitlements.plist file, go to "Entitlements" tab and turn "Enable Keychain" option on. 2. Go to project options, select "iOS Bundle Signing", choose correct configuration and platform and set "Custom Entitlements" to "Entitlements.plist" value.
Azure Key Vault
A storage can be opened from the Azure Key Vault service using this syntax: vault://{clientid}:{clientsecret}@{vaultname}.{vaulthost}/
clientid is the client id obtained from Azure Portal when registering an app.
clientsecret is the client secret obtained from Azure Portal when registering an app.
vaultname is the name of the vault to connect to.
vaulthost is the Cloud environment where the vault is located; supported environments are:
| Cloud environment | vaulthost |
| Azure Cloud | vault.azure.net |
| Azure China Cloud | vault.azure.cn |
| Azure US Government | vault.usgovcloudapi.net |
| Azure German Cloud | vault.microsoftazure.de |
Refresh Method (CertificateStorage Component)
Refreshes all storage keychains.
Syntax
procedure Refresh();
Remarks
Call this method to refresh the storage.
Remove Method (CertificateStorage Component)
Removes a certificate from the storage.
Syntax
procedure Remove(Index: Integer);
Remarks
Use this method to remove the certificate from the storage given its index.
Select Method (CertificateStorage Component)
Allows the selection of certificates from the system store.
Syntax
procedure Select(Filter: String; PrivateKeyNeeded: Boolean; MaxCount: Integer);
Remarks
This function allows the user to select certificates from the system store by Filter and save them to SelectedCertificates. PrivateKeyNeeded specifies whether the method only should consider certificates having associated private keys. MaxCount limits the number of certificates selected.
The supported filters are listed below. Split the name and value of a specific filter with colon (:). Use | separator to pass more than one filter. During the search, the filters are joined using OR logic.
- subjectkeyid: the subject key identifier, in hexadecimal format.
- cakeyid: the key identifier of the issuing certificate, in hexadecimal format.
- serialnumber: the serial number of the certificate, in hexadecimal format.
- keyusage: certificate key usage flags. Use bitwise OR to specify several key usage flags using the values shown below.
- fingerprint: certificate fingerprint in hexadecimal format. MD5, SHA1, SHA256, and SHA512 fingerprints are supported.
- email: the e-mail parameter of the certificate subject.
- subject: the subject of the certificate, either as an RDN, or as its common name parameter.
- issuer: the issuer of the certificate, either as an RDN or a common name.
- ui (Windows system stores only): whether to use UI dialog to select a certificate. Supported values: true, false, 1, 0. All other filters are ignored if this filter is specified.
- * (asterisk): selects all certificates. This filter should always be used as a single character, not as a name:value pair.
Examples of filters
ui:1 - use Windows certificate selection dialog to let the user select a certificate visually.
* - select all certificates.
email:user@server.com - select all certificates with subject RDNs containing this e-mail address.
fingerprint:0a1b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d - select all certificates with this SHA1 fingerprint.
subject:/C=US/O=Big Company Inc/CN=Signing Certificate - select all certificates with the specified subject RDN.
keyusage:3|email:user@server.com - select all certificates with key usages of Digital Signature or Non-Repudiation, or those having this e-mail address in their subject.
Key usage flags
| ckuUnknown | 0x00000 | Unknown key usage |
| ckuDigitalSignature | 0x00001 | Digital signature |
| ckuNonRepudiation | 0x00002 | Non-repudiation |
| ckuKeyEncipherment | 0x00004 | Key encipherment |
| ckuDataEncipherment | 0x00008 | Data encipherment |
| ckuKeyAgreement | 0x00010 | Key agreement |
| ckuKeyCertSign | 0x00020 | Certificate signing |
| ckuCRLSign | 0x00040 | Revocation signing |
| ckuEncipherOnly | 0x00080 | Encipher only |
| ckuDecipherOnly | 0x00100 | Decipher only |
| ckuServerAuthentication | 0x00200 | Server authentication |
| ckuClientAuthentication | 0x00400 | Client authentication |
| ckuCodeSigning | 0x00800 | Code signing |
| ckuEmailProtection | 0x01000 | Email protection |
| ckuTimeStamping | 0x02000 | Timestamping |
| ckuOCSPSigning | 0x04000 | OCSP signing |
| ckuSmartCardLogon | 0x08000 | Smartcard logon |
| ckuKeyPurposeClientAuth | 0x10000 | Kerberos - client authentication |
| ckuKeyPurposeKDC | 0x20000 | Kerberos - KDC |
SelectChain Method (CertificateStorage Component)
Selects a chain of certificates given its index.
Syntax
procedure SelectChain(Index: Integer);
Remarks
Use this method to select a certificate chain given its index.
SetStorageProperty Method (CertificateStorage Component)
Sets the value of a custom certificate storage property.
Syntax
procedure SetStorageProperty(Name: String; Value: String);
Remarks
This method, together with GetStorageProperty, provides an extensible way of managing the certificate storage's settings that are not available through the primary properties of the component. The list of settings may be extended in future, in response to emergence of new storage variants and recognition of non-obvious storage usage scenarios.
The following certificate storage properties can be read using this method:
| PKCS11PIN | Use this property to provide your PIN on the fly for an operation requiring the private key (e.g. signing). This may be useful if the PIN was not provided on the Open stage. |
| PKCS11NewUserPIN | Setting this property will register a new PIN to the HSM user account. This property is the way to administratively reset the user's PIN, and can only be set from under the 'admin' session. |
| PKCS11NewPIN | Setting this property will change the current users's PIN to the provided value. Most HSMs require the user to be signed in to perform this operation. This is the way to change your own PIN, either for admin or regular user accounts. |
| PKCS11TextEncodingMode | The string encoding mode to apply to the PIN when passing it to C_Login() method. This can be changed by passing the relevant setting to SetStorageProperty. |
| PKCS11Slot | Specifies the slot number to open, from 0 to (PKCS11SlotCount - 1). Use the 'auto' value to let the component pick the slot automatically, or -1 to stop the component from opening any slots. |
| PKCS11Login | Provides a PKCS#11 user ID to sign in with. The following options are available: 'user' (normal user), 'so' (security officer), or 'no' (do not sign in). |
Error Event (CertificateStorage Component)
Information about errors during certificate loading or saving.
Syntax
type TErrorEvent = procedure ( Sender: TObject; ErrorCode: Integer; const Description: String ) of Object;
property OnError: TErrorEvent read FOnError write FOnError;
Remarks
Reports exceptional conditions during certificate loading or exporting.
ErrorCode contains an error code and Description contains a textual description of the error.
Notification Event (CertificateStorage Component)
This event notifies the application about an underlying control flow event.
Syntax
type TNotificationEvent = procedure ( Sender: TObject; const EventID: String; const EventParam: String ) of Object;
property OnNotification: TNotificationEvent read FOnNotification write FOnNotification;
Remarks
The component fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.
The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.
PasswordNeeded Event (CertificateStorage Component)
This event is fired when a decryption password is needed.
Syntax
type TPasswordNeededEvent = procedure ( Sender: TObject; const NeededFor: String; var Password: String; var Cancel: Boolean ) of Object;
property OnPasswordNeeded: TPasswordNeededEvent read FOnPasswordNeeded write FOnPasswordNeeded;
Remarks
The component fires this event when a password is needed to decrypt a certificate or a private key.
In the handler of this event, assign the password to the Password parameter, or set Cancel to true to abort the operation.
The NeededFor parameter identifies the certificate for which the password is requested.
Certificate Type
Provides details of an individual X.509 certificate.
Remarks
This type provides access to X.509 certificate details.
Fields
Bytes
TBytes (read-only)
Default Value: ""
Returns the raw certificate data in DER format.
CA
Boolean
Default Value: False
Indicates whether the certificate has a CA capability (a setting in the BasicConstraints extension).
CAKeyID
TBytes (read-only)
Default Value: ""
A unique identifier (fingerprint) of the CA certificate's private key.
Authority Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates produced by the same issuer, but with different public keys.
CRLDistributionPoints
String
Default Value: ""
Locations of the CRL (Certificate Revocation List) distribution points used to check this certificate's validity.
Curve
String
Default Value: ""
Specifies the elliptic curve of the EC public key.
| SB_EC_SECP112R1 | SECP112R1 | |
| SB_EC_SECP112R2 | SECP112R2 | |
| SB_EC_SECP128R1 | SECP128R1 | |
| SB_EC_SECP128R2 | SECP128R2 | |
| SB_EC_SECP160K1 | SECP160K1 | |
| SB_EC_SECP160R1 | SECP160R1 | |
| SB_EC_SECP160R2 | SECP160R2 | |
| SB_EC_SECP192K1 | SECP192K1 | |
| SB_EC_SECP192R1 | SECP192R1 | |
| SB_EC_SECP224K1 | SECP224K1 | |
| SB_EC_SECP224R1 | SECP224R1 | |
| SB_EC_SECP256K1 | SECP256K1 | |
| SB_EC_SECP256R1 | SECP256R1 | |
| SB_EC_SECP384R1 | SECP384R1 | |
| SB_EC_SECP521R1 | SECP521R1 | |
| SB_EC_SECT113R1 | SECT113R1 | |
| SB_EC_SECT113R2 | SECT113R2 | |
| SB_EC_SECT131R1 | SECT131R1 | |
| SB_EC_SECT131R2 | SECT131R2 | |
| SB_EC_SECT163K1 | SECT163K1 | |
| SB_EC_SECT163R1 | SECT163R1 | |
| SB_EC_SECT163R2 | SECT163R2 | |
| SB_EC_SECT193R1 | SECT193R1 | |
| SB_EC_SECT193R2 | SECT193R2 | |
| SB_EC_SECT233K1 | SECT233K1 | |
| SB_EC_SECT233R1 | SECT233R1 | |
| SB_EC_SECT239K1 | SECT239K1 | |
| SB_EC_SECT283K1 | SECT283K1 | |
| SB_EC_SECT283R1 | SECT283R1 | |
| SB_EC_SECT409K1 | SECT409K1 | |
| SB_EC_SECT409R1 | SECT409R1 | |
| SB_EC_SECT571K1 | SECT571K1 | |
| SB_EC_SECT571R1 | SECT571R1 | |
| SB_EC_PRIME192V1 | PRIME192V1 | |
| SB_EC_PRIME192V2 | PRIME192V2 | |
| SB_EC_PRIME192V3 | PRIME192V3 | |
| SB_EC_PRIME239V1 | PRIME239V1 | |
| SB_EC_PRIME239V2 | PRIME239V2 | |
| SB_EC_PRIME239V3 | PRIME239V3 | |
| SB_EC_PRIME256V1 | PRIME256V1 | |
| SB_EC_C2PNB163V1 | C2PNB163V1 | |
| SB_EC_C2PNB163V2 | C2PNB163V2 | |
| SB_EC_C2PNB163V3 | C2PNB163V3 | |
| SB_EC_C2PNB176W1 | C2PNB176W1 | |
| SB_EC_C2TNB191V1 | C2TNB191V1 | |
| SB_EC_C2TNB191V2 | C2TNB191V2 | |
| SB_EC_C2TNB191V3 | C2TNB191V3 | |
| SB_EC_C2ONB191V4 | C2ONB191V4 | |
| SB_EC_C2ONB191V5 | C2ONB191V5 | |
| SB_EC_C2PNB208W1 | C2PNB208W1 | |
| SB_EC_C2TNB239V1 | C2TNB239V1 | |
| SB_EC_C2TNB239V2 | C2TNB239V2 | |
| SB_EC_C2TNB239V3 | C2TNB239V3 | |
| SB_EC_C2ONB239V4 | C2ONB239V4 | |
| SB_EC_C2ONB239V5 | C2ONB239V5 | |
| SB_EC_C2PNB272W1 | C2PNB272W1 | |
| SB_EC_C2PNB304W1 | C2PNB304W1 | |
| SB_EC_C2TNB359V1 | C2TNB359V1 | |
| SB_EC_C2PNB368W1 | C2PNB368W1 | |
| SB_EC_C2TNB431R1 | C2TNB431R1 | |
| SB_EC_NISTP192 | NISTP192 | |
| SB_EC_NISTP224 | NISTP224 | |
| SB_EC_NISTP256 | NISTP256 | |
| SB_EC_NISTP384 | NISTP384 | |
| SB_EC_NISTP521 | NISTP521 | |
| SB_EC_NISTB163 | NISTB163 | |
| SB_EC_NISTB233 | NISTB233 | |
| SB_EC_NISTB283 | NISTB283 | |
| SB_EC_NISTB409 | NISTB409 | |
| SB_EC_NISTB571 | NISTB571 | |
| SB_EC_NISTK163 | NISTK163 | |
| SB_EC_NISTK233 | NISTK233 | |
| SB_EC_NISTK283 | NISTK283 | |
| SB_EC_NISTK409 | NISTK409 | |
| SB_EC_NISTK571 | NISTK571 | |
| SB_EC_GOSTCPTEST | GOSTCPTEST | |
| SB_EC_GOSTCPA | GOSTCPA | |
| SB_EC_GOSTCPB | GOSTCPB | |
| SB_EC_GOSTCPC | GOSTCPC | |
| SB_EC_GOSTCPXCHA | GOSTCPXCHA | |
| SB_EC_GOSTCPXCHB | GOSTCPXCHB | |
| SB_EC_BRAINPOOLP160R1 | BRAINPOOLP160R1 | |
| SB_EC_BRAINPOOLP160T1 | BRAINPOOLP160T1 | |
| SB_EC_BRAINPOOLP192R1 | BRAINPOOLP192R1 | |
| SB_EC_BRAINPOOLP192T1 | BRAINPOOLP192T1 | |
| SB_EC_BRAINPOOLP224R1 | BRAINPOOLP224R1 | |
| SB_EC_BRAINPOOLP224T1 | BRAINPOOLP224T1 | |
| SB_EC_BRAINPOOLP256R1 | BRAINPOOLP256R1 | |
| SB_EC_BRAINPOOLP256T1 | BRAINPOOLP256T1 | |
| SB_EC_BRAINPOOLP320R1 | BRAINPOOLP320R1 | |
| SB_EC_BRAINPOOLP320T1 | BRAINPOOLP320T1 | |
| SB_EC_BRAINPOOLP384R1 | BRAINPOOLP384R1 | |
| SB_EC_BRAINPOOLP384T1 | BRAINPOOLP384T1 | |
| SB_EC_BRAINPOOLP512R1 | BRAINPOOLP512R1 | |
| SB_EC_BRAINPOOLP512T1 | BRAINPOOLP512T1 | |
| SB_EC_CURVE25519 | CURVE25519 | |
| SB_EC_CURVE448 | CURVE448 |
Fingerprint
TBytes (read-only)
Default Value: ""
Contains the fingerprint (a hash imprint) of this certificate.
FriendlyName
String (read-only)
Default Value: ""
Contains an associated alias (friendly name) of the certificate.
Handle
Int64
Default Value: 0
Allows to get or set a 'handle', a unique identifier of the underlying property object. Use this property to assign objects of the same type in a quicker manner, without copying them fieldwise.
When you pass a handle of one object to another, the source object is copied to the destination rather than assigned. It is safe to get rid of the original object
after such operation.
pdfSigner.setSigningCertHandle(certMgr.getCertHandle());
HashAlgorithm
String
Default Value: ""
Specifies the hash algorithm to be used in the operations on the certificate (such as key signing)
| SB_HASH_ALGORITHM_SHA1 | SHA1 | |
| SB_HASH_ALGORITHM_SHA224 | SHA224 | |
| SB_HASH_ALGORITHM_SHA256 | SHA256 | |
| SB_HASH_ALGORITHM_SHA384 | SHA384 | |
| SB_HASH_ALGORITHM_SHA512 | SHA512 | |
| SB_HASH_ALGORITHM_MD2 | MD2 | |
| SB_HASH_ALGORITHM_MD4 | MD4 | |
| SB_HASH_ALGORITHM_MD5 | MD5 | |
| SB_HASH_ALGORITHM_RIPEMD160 | RIPEMD160 | |
| SB_HASH_ALGORITHM_CRC32 | CRC32 | |
| SB_HASH_ALGORITHM_SSL3 | SSL3 | |
| SB_HASH_ALGORITHM_GOST_R3411_1994 | GOST1994 | |
| SB_HASH_ALGORITHM_WHIRLPOOL | WHIRLPOOL | |
| SB_HASH_ALGORITHM_POLY1305 | POLY1305 | |
| SB_HASH_ALGORITHM_SHA3_224 | SHA3_224 | |
| SB_HASH_ALGORITHM_SHA3_256 | SHA3_256 | |
| SB_HASH_ALGORITHM_SHA3_384 | SHA3_384 | |
| SB_HASH_ALGORITHM_SHA3_512 | SHA3_512 | |
| SB_HASH_ALGORITHM_BLAKE2S_128 | BLAKE2S_128 | |
| SB_HASH_ALGORITHM_BLAKE2S_160 | BLAKE2S_160 | |
| SB_HASH_ALGORITHM_BLAKE2S_224 | BLAKE2S_224 | |
| SB_HASH_ALGORITHM_BLAKE2S_256 | BLAKE2S_256 | |
| SB_HASH_ALGORITHM_BLAKE2B_160 | BLAKE2B_160 | |
| SB_HASH_ALGORITHM_BLAKE2B_256 | BLAKE2B_256 | |
| SB_HASH_ALGORITHM_BLAKE2B_384 | BLAKE2B_384 | |
| SB_HASH_ALGORITHM_BLAKE2B_512 | BLAKE2B_512 | |
| SB_HASH_ALGORITHM_SHAKE_128 | SHAKE_128 | |
| SB_HASH_ALGORITHM_SHAKE_256 | SHAKE_256 | |
| SB_HASH_ALGORITHM_SHAKE_128_LEN | SHAKE_128_LEN | |
| SB_HASH_ALGORITHM_SHAKE_256_LEN | SHAKE_256_LEN |
Issuer
String (read-only)
Default Value: ""
The common name of the certificate issuer (CA), typically a company name.
IssuerRDN
String
Default Value: ""
A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate issuer.
KeyAlgorithm
String
Default Value: "0"
Specifies the public key algorithm of this certificate.
| SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION | rsaEncryption | |
| SB_CERT_ALGORITHM_MD2_RSA_ENCRYPTION | md2withRSAEncryption | |
| SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION | md5withRSAEncryption | |
| SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION | sha1withRSAEncryption | |
| SB_CERT_ALGORITHM_ID_DSA | id-dsa | |
| SB_CERT_ALGORITHM_ID_DSA_SHA1 | id-dsa-with-sha1 | |
| SB_CERT_ALGORITHM_DH_PUBLIC | dhpublicnumber | |
| SB_CERT_ALGORITHM_SHA224_RSA_ENCRYPTION | sha224WithRSAEncryption | |
| SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION | sha256WithRSAEncryption | |
| SB_CERT_ALGORITHM_SHA384_RSA_ENCRYPTION | sha384WithRSAEncryption | |
| SB_CERT_ALGORITHM_SHA512_RSA_ENCRYPTION | sha512WithRSAEncryption | |
| SB_CERT_ALGORITHM_ID_RSAPSS | id-RSASSA-PSS | |
| SB_CERT_ALGORITHM_ID_RSAOAEP | id-RSAES-OAEP | |
| SB_CERT_ALGORITHM_RSASIGNATURE_RIPEMD160 | ripemd160withRSA | |
| SB_CERT_ALGORITHM_ID_ELGAMAL | elGamal | |
| SB_CERT_ALGORITHM_SHA1_ECDSA | ecdsa-with-SHA1 | |
| SB_CERT_ALGORITHM_RECOMMENDED_ECDSA | ecdsa-recommended | |
| SB_CERT_ALGORITHM_SHA224_ECDSA | ecdsa-with-SHA224 | |
| SB_CERT_ALGORITHM_SHA256_ECDSA | ecdsa-with-SHA256 | |
| SB_CERT_ALGORITHM_SHA384_ECDSA | ecdsa-with-SHA384 | |
| SB_CERT_ALGORITHM_SHA512_ECDSA | ecdsa-with-SHA512 | |
| SB_CERT_ALGORITHM_EC | id-ecPublicKey | |
| SB_CERT_ALGORITHM_SPECIFIED_ECDSA | ecdsa-specified | |
| SB_CERT_ALGORITHM_GOST_R3410_1994 | id-GostR3410-94 | |
| SB_CERT_ALGORITHM_GOST_R3410_2001 | id-GostR3410-2001 | |
| SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_1994 | id-GostR3411-94-with-GostR3410-94 | |
| SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_2001 | id-GostR3411-94-with-GostR3410-2001 | |
| SB_CERT_ALGORITHM_SHA1_ECDSA_PLAIN | ecdsa-plain-SHA1 | |
| SB_CERT_ALGORITHM_SHA224_ECDSA_PLAIN | ecdsa-plain-SHA224 | |
| SB_CERT_ALGORITHM_SHA256_ECDSA_PLAIN | ecdsa-plain-SHA256 | |
| SB_CERT_ALGORITHM_SHA384_ECDSA_PLAIN | ecdsa-plain-SHA384 | |
| SB_CERT_ALGORITHM_SHA512_ECDSA_PLAIN | ecdsa-plain-SHA512 | |
| SB_CERT_ALGORITHM_RIPEMD160_ECDSA_PLAIN | ecdsa-plain-RIPEMD160 | |
| SB_CERT_ALGORITHM_WHIRLPOOL_RSA_ENCRYPTION | whirlpoolWithRSAEncryption | |
| SB_CERT_ALGORITHM_ID_DSA_SHA224 | id-dsa-with-sha224 | |
| SB_CERT_ALGORITHM_ID_DSA_SHA256 | id-dsa-with-sha256 | |
| SB_CERT_ALGORITHM_SHA3_224_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-224 | |
| SB_CERT_ALGORITHM_SHA3_256_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-256 | |
| SB_CERT_ALGORITHM_SHA3_384_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-384 | |
| SB_CERT_ALGORITHM_SHA3_512_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-sha3-512 | |
| SB_CERT_ALGORITHM_SHA3_224_ECDSA | id-ecdsa-with-sha3-224 | |
| SB_CERT_ALGORITHM_SHA3_256_ECDSA | id-ecdsa-with-sha3-256 | |
| SB_CERT_ALGORITHM_SHA3_384_ECDSA | id-ecdsa-with-sha3-384 | |
| SB_CERT_ALGORITHM_SHA3_512_ECDSA | id-ecdsa-with-sha3-512 | |
| SB_CERT_ALGORITHM_SHA3_224_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-224 | |
| SB_CERT_ALGORITHM_SHA3_256_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-256 | |
| SB_CERT_ALGORITHM_SHA3_384_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-384 | |
| SB_CERT_ALGORITHM_SHA3_512_ECDSA_PLAIN | id-ecdsa-plain-with-sha3-512 | |
| SB_CERT_ALGORITHM_ID_DSA_SHA3_224 | id-dsa-with-sha3-224 | |
| SB_CERT_ALGORITHM_ID_DSA_SHA3_256 | id-dsa-with-sha3-256 | |
| SB_CERT_ALGORITHM_BLAKE2S_128_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s128 | |
| SB_CERT_ALGORITHM_BLAKE2S_160_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s160 | |
| SB_CERT_ALGORITHM_BLAKE2S_224_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s224 | |
| SB_CERT_ALGORITHM_BLAKE2S_256_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2s256 | |
| SB_CERT_ALGORITHM_BLAKE2B_160_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b160 | |
| SB_CERT_ALGORITHM_BLAKE2B_256_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b256 | |
| SB_CERT_ALGORITHM_BLAKE2B_384_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b384 | |
| SB_CERT_ALGORITHM_BLAKE2B_512_RSA_ENCRYPTION | id-rsassa-pkcs1-v1_5-with-blake2b512 | |
| SB_CERT_ALGORITHM_BLAKE2S_128_ECDSA | id-ecdsa-with-blake2s128 | |
| SB_CERT_ALGORITHM_BLAKE2S_160_ECDSA | id-ecdsa-with-blake2s160 | |
| SB_CERT_ALGORITHM_BLAKE2S_224_ECDSA | id-ecdsa-with-blake2s224 | |
| SB_CERT_ALGORITHM_BLAKE2S_256_ECDSA | id-ecdsa-with-blake2s256 | |
| SB_CERT_ALGORITHM_BLAKE2B_160_ECDSA | id-ecdsa-with-blake2b160 | |
| SB_CERT_ALGORITHM_BLAKE2B_256_ECDSA | id-ecdsa-with-blake2b256 | |
| SB_CERT_ALGORITHM_BLAKE2B_384_ECDSA | id-ecdsa-with-blake2b384 | |
| SB_CERT_ALGORITHM_BLAKE2B_512_ECDSA | id-ecdsa-with-blake2b512 | |
| SB_CERT_ALGORITHM_BLAKE2S_128_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s128 | |
| SB_CERT_ALGORITHM_BLAKE2S_160_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s160 | |
| SB_CERT_ALGORITHM_BLAKE2S_224_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s224 | |
| SB_CERT_ALGORITHM_BLAKE2S_256_ECDSA_PLAIN | id-ecdsa-plain-with-blake2s256 | |
| SB_CERT_ALGORITHM_BLAKE2B_160_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b160 | |
| SB_CERT_ALGORITHM_BLAKE2B_256_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b256 | |
| SB_CERT_ALGORITHM_BLAKE2B_384_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b384 | |
| SB_CERT_ALGORITHM_BLAKE2B_512_ECDSA_PLAIN | id-ecdsa-plain-with-blake2b512 | |
| SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_224 | id-dsa-with-blake2s224 | |
| SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_256 | id-dsa-with-blake2s256 | |
| SB_CERT_ALGORITHM_EDDSA_ED25519 | id-Ed25519 | |
| SB_CERT_ALGORITHM_EDDSA_ED448 | id-Ed448 | |
| SB_CERT_ALGORITHM_EDDSA_ED25519_PH | id-Ed25519ph | |
| SB_CERT_ALGORITHM_EDDSA_ED448_PH | id-Ed448ph | |
| SB_CERT_ALGORITHM_EDDSA | id-EdDSA | |
| SB_CERT_ALGORITHM_EDDSA_SIGNATURE | id-EdDSA-sig |
KeyBits
Integer (read-only)
Default Value: 0
Returns the length of the public key.
KeyFingerprint
TBytes (read-only)
Default Value: ""
Returns a fingerprint of the public key contained in the certificate.
KeyUsage
Integer
Default Value: 0
Indicates the purposes of the key contained in the certificate, in the form of an OR'ed flag set.
This value is a bit mask of the following values:
| ckuUnknown | 0x00000 | Unknown key usage |
| ckuDigitalSignature | 0x00001 | Digital signature |
| ckuNonRepudiation | 0x00002 | Non-repudiation |
| ckuKeyEncipherment | 0x00004 | Key encipherment |
| ckuDataEncipherment | 0x00008 | Data encipherment |
| ckuKeyAgreement | 0x00010 | Key agreement |
| ckuKeyCertSign | 0x00020 | Certificate signing |
| ckuCRLSign | 0x00040 | Revocation signing |
| ckuEncipherOnly | 0x00080 | Encipher only |
| ckuDecipherOnly | 0x00100 | Decipher only |
| ckuServerAuthentication | 0x00200 | Server authentication |
| ckuClientAuthentication | 0x00400 | Client authentication |
| ckuCodeSigning | 0x00800 | Code signing |
| ckuEmailProtection | 0x01000 | Email protection |
| ckuTimeStamping | 0x02000 | Timestamping |
| ckuOCSPSigning | 0x04000 | OCSP signing |
| ckuSmartCardLogon | 0x08000 | Smartcard logon |
| ckuKeyPurposeClientAuth | 0x10000 | Kerberos - client authentication |
| ckuKeyPurposeKDC | 0x20000 | Kerberos - KDC |
KeyValid
Boolean (read-only)
Default Value: False
Returns True if the certificate's key is cryptographically valid, and False otherwise.
OCSPLocations
String
Default Value: ""
Locations of OCSP (Online Certificate Status Protocol) services that can be used to check this certificate's validity, as recorded by the CA.
OCSPNoCheck
Boolean
Default Value: False
Accessor to the value of the certificate's ocsp-no-check extension.
Origin
Integer (read-only)
Default Value: 0
Returns the origin of this certificate.
PolicyIDs
String
Default Value: ""
Contains identifiers (OIDs) of the applicable certificate policies.
The Certificate Policies extension identifies a sequence of policies under which the certificate has been issued, and which regulate its usage.
PrivateKeyBytes
TBytes (read-only)
Default Value: ""
Contains the certificate's private key. It is normal for this property to be empty if the private key is non-exportable.
PrivateKeyExists
Boolean (read-only)
Default Value: False
Indicates whether the certificate has an associated private key.
PrivateKeyExtractable
Boolean (read-only)
Default Value: False
Indicates whether the private key is extractable.
PublicKeyBytes
TBytes (read-only)
Default Value: ""
Contains the certificate's public key in DER format.
QualifiedStatements
TsbxQualifiedStatementsTypes
Default Value: 0
Returns the qualified status of the certificate.
SelfSigned
Boolean (read-only)
Default Value: False
Indicates whether the certificate is self-signed (root) or signed by an external CA.
SerialNumber
TBytes
Default Value: ""
Returns the certificate's serial number.
SigAlgorithm
String (read-only)
Default Value: ""
Indicates the algorithm that was used by the CA to sign this certificate.
Subject
String (read-only)
Default Value: ""
The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name.
SubjectAlternativeName
String
Default Value: ""
Returns or sets the value of the Subject Alternative Name extension of the certificate.
SubjectKeyID
TBytes
Default Value: ""
Contains a unique identifier (fingerprint) of the certificate's private key.
Subject Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates containing a particular public key. In SecureBlackbox, the unique identifier is represented with a SHA1 hash of the bit string of the subject public key.
SubjectRDN
String
Default Value: ""
A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject).
ValidFrom
String
Default Value: ""
The time point at which the certificate becomes valid, in UTC.
ValidTo
String
Default Value: ""
The time point at which the certificate expires, in UTC.
Constructors
>
constructor Create();
Creates a new object with default field values.
Config Settings (CertificateStorage Component)
The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.CertificateStorage Config Settings
Base Config Settings
You can switch this property off to improve performance if your project only uses known, good private keys.
Supported values are:
| off | No caching (default) | |
| local | Local caching | |
| global | Global caching |
This setting only applies to sessions negotiated with TLS version 1.3.
Supported values are:
| file | File | |
| console | Console | |
| systemlog | System Log (supported for Android only) | |
| debugger | Debugger (supported for VCL for Windows and .Net) |
Supported values are:
| time | Current time | |
| level | Level | |
| package | Package name | |
| module | Module name | |
| class | Class name | |
| method | Method name | |
| threadid | Thread Id | |
| contenttype | Content type | |
| content | Content | |
| all | All details |
Supported filter names are:
| exclude-package | Exclude a package specified in the value | |
| exclude-module | Exclude a module specified in the value | |
| exclude-class | Exclude a class specified in the value | |
| exclude-method | Exclude a method specified in the value | |
| include-package | Include a package specified in the value | |
| include-module | Include a module specified in the value | |
| include-class | Include a class specified in the value | |
| include-method | Include a method specified in the value |
| none | No flush (caching only) | |
| immediate | Immediate flush (real-time logging) | |
| maxcount | Flush cached entries upon reaching LogMaxEventCount entries in the cache. |
Supported values are:
| none | None (by default) | |
| fatal | Severe errors that cause premature termination. | |
| error | Other runtime errors or unexpected conditions. | |
| warning | Use of deprecated APIs, poor use of API, 'almost' errors, other runtime situations that are undesirable or unexpected, but not necessarily "wrong". | |
| info | Interesting runtime events (startup/shutdown). | |
| debug | Detailed information on flow of through the system. | |
| trace | More detailed information. |
The default value of this setting is 100.
| none | No rotation | |
| deleteolder | Delete older entries from the cache upon reaching LogMaxEventCount | |
| keepolder | Keep older entries in the cache upon reaching LogMaxEventCount (newer entries are discarded) |
Supported values are:
| none | No static DNS rules (default) | |
| local | Local static DNS rules | |
| global | Global static DNS rules |
This setting only applies to certificates originating from a Windows system store.
Trappable Errors (CertificateStorage Component)
CertificateStorage Errors
| 1048577 Invalid parameter value (SB_ERROR_INVALID_PARAMETER) | |
| 1048578 Component is configured incorrectly (SB_ERROR_INVALID_SETUP) | |
| 1048579 Operation cannot be executed in the current state (SB_ERROR_INVALID_STATE) | |
| 1048580 Attempt to set an invalid value to a property (SB_ERROR_INVALID_VALUE) | |
| 1048581 Certificate does not have its private key loaded (SB_ERROR_NO_PRIVATE_KEY) | |
| 1048581 Cancelled by the user (SB_ERROR_CANCELLED_BY_USER) |