CertificateStorage Component

Properties   Methods   Events   Config Settings   Errors  

The CertificateStorage component works with collections of certificates.

Syntax

TsbxCertificateStorage

Remarks

CertificateStorage can work with certificates residing on a variety of media. Among others, it can access certificates residing in files, Windows and macOS system stores, and PKCS#11 devices. All such kinds of media can be accessed via a simple, unified interface, which makes CertificateStorage a handy certificate access option. Most users of SecureBlackbox use this component to access certificates residing on hardware devices. CertificateStorage is also a good alternative to CertificateManager where the certificate file contains more than one certificate.

To access certificates stored on certain type of media, start with the Open method. Provide the location of your certificates via a uniform URI-like specifier. Once the storage has been opened, you can access the certificates contained in it via the Certificates property.

Iterate over certificates by using the Certificates property, or use filtering facilities such as Select and SelectChain. You can add certificates to the storage with the ImportBytes, ImportFromFile, and ImportPinned methods. In the latter case please assign the certificate object to be imported to the PinnedCert property.

Use CreateNew method to create a new storage. Note that not all storage kinds can be created.

When you have finished working with the certificate storage, close it with the Close method.

Certain types of stores must be kept open for the certificates to continue to be usable. This means that while you can copy a certificate to a different storage, or assign it to a different component, you still must keep the storage it originates from open for as long as you intend to use that certificate in your code. This is because the storage is often a bridge between a certificate and its private key, and by closing the storage early you are destroying this bridge prematurely. See the code example below: // This code, although syntactically correct, will fail because the storage is closed too early: storage.Open("pkcs11://user:12345@localhost/C:/Windows/System32/asepkcs.dll"); pdfSigner.SigningCertificate = storage.Certificates[0]; storage.Close(false); // the private key of the SigningCertificate gets lost after this call pdfSigner.Sign(); // returns an error // This code will work as expected storage.Open("pkcs11://user:12345@localhost/C:/Windows/System32/asepkcs.dll"); pdfSigner.SigningCertificate = storage.Certificates[0]; pdfSigner.Sign(); storage.Close(false);

Property List

---

The following is the full list of the properties of the component with short descriptions. Click on the links for further details.

Method List

---

The following is the full list of the methods of the component with short descriptions. Click on the links for further details.

Event List

---

The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.

Config Settings

---

The following is a list of config settings for the component with short descriptions. Click on the links for further details.

Certificates Property (CertificateStorage Component)

A collection of certificates contained in the storage.

Syntax

property Certificates: TsbxCertificateList read get_Certificates;

Remarks

Use this property to access all certificates contained in the opened storage.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

CRLs Property (CertificateStorage Component)

A collection of CRLs contained in the storage.

Syntax

property CRLs: TsbxCRLList read get_CRLs;

Remarks

Use this property to access all CRLs contained in the opened storage.

This property is read-only and not available at design time.

Please refer to the CRL type for a complete list of fields.

FIPSMode Property (CertificateStorage Component)

Reserved.

Syntax

property FIPSMode: Boolean read get_FIPSMode write set_FIPSMode;

Default Value

false

Remarks

This property is reserved for future use.

OCSPs Property (CertificateStorage Component)

A collection of OCSP responses contained in the storage.

Syntax

property OCSPs: TsbxOCSPResponseList read get_OCSPs;

Remarks

Use this property to access all OCSP responses contained in the opened storage.

This property is read-only and not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

Opened Property (CertificateStorage Component)

Indicates whether the storage is in the open state.

Syntax

property Opened: Boolean read get_Opened;

Default Value

false

Remarks

Use this property to check if the storage has been 'opened.' Different kinds of certificate storages imply different meanings for 'being opened', but generally a storage is open if it is available for operations.

Use Open method to open a storage.

This property is read-only and not available at design time.

PinnedCert Property (CertificateStorage Component)

A pinned certificate.

Syntax

property PinnedCert: TsbxCertificate read get_PinnedCert write set_PinnedCert;

Remarks

Use this property to pin a certificate before adding it to the storage with ImportPinned method.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

PinnedCRL Property (CertificateStorage Component)

A pinned CRL object.

Syntax

property PinnedCRL: TsbxCRL read get_PinnedCRL write set_PinnedCRL;

Remarks

Use this property to pin a CRL before adding it to the storage with ImportPinned method.

This property is not available at design time.

Please refer to the CRL type for a complete list of fields.

PinnedOCSP Property (CertificateStorage Component)

A pinned OCSP response object.

Syntax

property PinnedOCSP: TsbxOCSPResponse read get_PinnedOCSP write set_PinnedOCSP;

Remarks

Use this property to pin an OCSP response before adding it to the storage with ImportPinned method.

This property is not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

SelectedCertificates Property (CertificateStorage Component)

A collection of selected certificates.

Syntax

property SelectedCertificates: TsbxCertificateList read get_SelectedCertificates;

Remarks

This property contains a list of certificates returned by Select or SelectChain method.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

StorageID Property (CertificateStorage Component)

A unique identifier of this storage.

Syntax

property StorageID: String read get_StorageID;

Default Value

''

Remarks

Use this property to get a unique ID of this storage. The format of ID may differ for different kinds of certificate storages, and may range from a file path for a file storage, to a URI-like ID for a PKCS#11 storage, to an empty value for an in-memory storage.

This property is read-only.

StorageLocation Property (CertificateStorage Component)

Specifies the location of the currently opened storage.

Syntax

property StorageLocation: String read get_StorageLocation;

Default Value

''

Remarks

Use this property to get the location of the active storage. The location indicates the nature of the storage and can be assigned with one of the below values (more values may be added in future):

This property is read-only.

Clear Method (CertificateStorage Component)

Removes all certificates from the storage.

Syntax

procedure Clear();

Remarks

Use this method to empty the storage.

Close Method (CertificateStorage Component)

Closes the certificate storage.

Syntax

procedure Close(Save: Boolean);

Remarks

Use this method to close the storage component and clean up any resources associated with it.

This method releases all memory objects and handles associated with the certificates contained in the storage. Any certificate objects originating from the storage become invalid as soon as the storage is closed, and should not be used.

Save parameter only applies to certain types of stores, such as file stores. Set it to True to commit any changes to the underlying media. Note that PKCS#11 and Win32 storage types are of transactional nature and commit any changes immediately, so the value of the Save parameter does not make any difference with them.

Config Method (CertificateStorage Component)

Sets or retrieves a configuration setting.

Syntax

function Config(ConfigurationString: String): String;

Remarks

Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

CreateNew Method (CertificateStorage Component)

Creates a new storage.

Syntax

procedure CreateNew(StorageLocation: String; StorageID: String);

Remarks

Use this method to create new certificate storage.

StorageLocation specifies where the new storage should be created, and StorageID contains a unique storage identifier.

DoAction Method (CertificateStorage Component)

Performs an additional action.

Syntax

function DoAction(ActionID: String; ActionParams: String): String;

Remarks

DoAction is a generic method available in every component. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.

The unique identifier (case insensitive) of the action is provided in the ActionID parameter.

ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....

ExportBytes Method (CertificateStorage Component)

Exports the certificates in the chosen format.

Syntax

function ExportBytes(What: Integer; Format: Integer; Password: String): TBytes;

Remarks

Use this method to save the certificates in one of the formats defined below.

Pass the encryption password via the Password parameter if needed.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

ExportToFile Method (CertificateStorage Component)

Exports the certificates to a file.

Syntax

procedure ExportToFile(What: Integer; FileName: String; Format: Integer; Password: String);

Remarks

Use this method to save the certificates to a file in one of the formats given below. Pass the encryption password via the Password parameter.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

ExportToStream Method (CertificateStorage Component)

Exports the certificate to a stream.

Syntax

procedure ExportToStream(What: Integer; CertStream: TStream; Format: Integer; Password: String);

Remarks

Use this method to save the certificate to a stream in one of the formats given below. Pass the encryption password via the Password parameter.

Note that not all formats support encryption, and some (like PEM) only support partial encryption (key only). Keep this in mind when considering which format to choose for storing your certificates.

GetStorageProperty Method (CertificateStorage Component)

Returns the value of a custom certificate storage property.

Syntax

function GetStorageProperty(Name: String): String;

Remarks

This method, together with SetStorageProperty, provides an extensible way of managing the certificate storage's settings that are not available through the primary properties of the component. The list of settings may be extended in future, in response to emergence of new storage variants and recognition of non-obvious storage usage scenarios.

The following certificate storage properties can be read using this method:

ImportBytes Method (CertificateStorage Component)

Imports a certificate.

Syntax

procedure ImportBytes(CertBytes: TBytes; Password: String; Clear: Boolean);

Remarks

Use this method to load a certificate or certificates from a byte array. Provide the password via the Password parameter. The Password parameter is optional. If it is omitted and it is later discovered that the certificate is password-encrypted, the PasswordNeeded event will be fired to request it.

This method supports certificates in DER, PEM, PFX, and SPC formats. Multi-certificate blobs certificate files are supported.

Use the Clear parameter to tell the component whether it should empty the storage before importing the new certificates.

Hint: use this method with Clear set to false to mimic the behavior of the previous version's Add() method.

ImportFromFile Method (CertificateStorage Component)

Loads a certificate from a file.

Syntax

procedure ImportFromFile(Path: String; Password: String; Clear: Boolean);

Remarks

This method can load certificates saved in a file in one of the following formats: DER, PEM, PFX, SPC.

Use the Path parameter to provide a path to the certificate file, and Password to specify the password.

The Password parameter is optional. If it is omitted and it is later discovered that the certificate is password-encrypted, the PasswordNeeded event will be fired to request it.

This method supports certificates in DER, PEM, PFX, and SPC formats. Multi-certificate blobs certificate files are supported.

Use the Clear parameter to tell the component whether it should empty the storage before importing the new certificates.

Hint: use this method with Clear set to false to mimic the behavior of the previous version's AddFromFile() method.

ImportFromStream Method (CertificateStorage Component)

Loads a certificate from a stream.

Syntax

procedure ImportFromStream(CertStream: TStream; Password: String; Clear: Boolean);

Remarks

This method can load certificates saved in one of the following formats: DER, PEM, PFX, SPC.

Use the CertStream parameter to provide a stream containing the certificate data, and Password to specify the password. The Password parameter is optional. If it is omitted and it is later discovered that the certificate is password-encrypted, the PasswordNeeded event will be fired to request it.

This method supports certificates in DER, PEM, PFX, and SPC formats. Multi-certificate blobs certificate files are supported.

Use the Clear parameter to tell the component whether it should empty the storage before importing the new certificates.

Hint: use this method with Clear set to false to mimic the behavior of the previous version's AddFromStream() method.

ImportPinned Method (CertificateStorage Component)

Adds the pinned certificate to the storage.

Syntax

procedure ImportPinned(Clear: Boolean);

Remarks

This method adds a certificate attached to the PinnedCert property into the storage. This method is a handy way of adding certificates generated/returned by other components.

Use the Clear parameter to tell the component whether it should empty the storage before importing the new certificate.

Hint: use this method with Clear set to false to mimic the behavior of the previous version's AddPinned() method.

ListStores Method (CertificateStorage Component)

Returns a list of individual stores available within the storage.

Syntax

function ListStores(): String;

Remarks

Use this method to query a list of individual stores available in the opened storage.

The contents of the list depends on the type of the store used and the parameters it is opened with. For system (CryptoAPI) stores the method returns a list of available system stores for the chosen access type, as returned by Windows (e.g. MY, ADDRESSBOOK, CA). For PKCS#11 stores the method returns a list of slot descriptions for all slots published by the driver.

The store names are separated from each other with a CRLF sequence.

Login Method (CertificateStorage Component)

Signs in to a session or elevates the session rights.

Syntax

procedure Login(SessionType: Integer; Pin: String; ReadOnly: Boolean);

Remarks

Use this method to sign in to a session with a required access type. Note that in some cases you may call this method more than one time for a specific session to elevate your access rights, for example: // open an unauthenticated session storage.Login(stUnauthenticated, "", false); // elevate the access rights for the session storage.Login(stUser, "password", false); Sessions are currently supported for PKCS#11 storage types only.

Logout Method (CertificateStorage Component)

Signs out of an opened session.

Syntax

procedure Logout(CloseSesion: Boolean);

Remarks

Use this method to sign out of a session. Pass true to CloseSession to shut the session down altogether.

This method is currently support for PKCS#11 storage type only.

Open Method (CertificateStorage Component)

Opens existing storage or creates one in memory.

Syntax

procedure Open(StorageID: String);

Remarks

Use this method to open the storage with the given StorageID. Certificate storages can come from several different locations, detailed below.

Memory

A storage can be created in memory by passing an empty string ("").

File

A storage can be opened from a file using one of two syntaxes:

• C:\Certs\certs.pem
• file://C:/Certs/certs.pem

Windows System

A storage can be opened from the Windows System using this syntax: system://{user}@{host}/?{params}

user is one of these values:

• currentuser
• localmachine
• currentservice

host is either "localhost", an IP address, or FQDN.

params are chosen from this list:

• store (required), is the name of the Windows store to access (e.g. "MY")
• readonly, whether to access the store with only read permissions. Use 0 for false, and 1 for true.

Example: system://currentuser@localhost/?store=MY&readonly=1

PKCS#11 Device

A storage can be opened from a PKCS#11 device using this syntax: pkcs11://{user}:{pin}@/{driverpath}?{params}

user is the username used to access the device; typically it's either "user" or "admin".

pin is the pin code used to access the device.

driverpath is the path to the driver used to access the device.

params are chosen from this list:

• slot, the token slot to access on the device. If not provided, one will be chosen automatically. If set to -1, no session will be opened.
• readonly, whether to access the device with only read permissions. Use 0 for false, and 1 for true.
• login, whether to sign in to the device with a PIN. Use 0 or no to avoid signing in, or 1 or yes to enforce it. When not specified, the yes mode is used.

Example: pkcs11://user:1234@/c:/windows/system32/asepkcs.dll?slot=0&readonly=1

macOS

A keychain can be opened on macOS using this syntax: macos://:{password}@/{keychain}?{params}

This is the right way to perform cryptographic operations using private keys, including non-exportable private keys. By now, only certificates with RSA keys are supported, other certificates are not listed and are not used.

keychain is the path to a keychain file. If no keychain specified, the default keychain is opened.

password is the keychain access password. If no password is provided, it will be asked by macOS UI if necessary. To access a keychain in readonly mode, no password is needed usually.

params are chosen from this list:

• readonly, whether to access the keychain with only read permissions. Use 0 for false, and 1 for true.

Example: macos://:f00Keys@/Users/test/Documents/test.keychain?readonly=0

iOS

A keychain can be opened on iOS using this syntax: ios:///?{params}

iOS doesn't support keychains located in files. By now, only certificates with RSA keys are supported, other certificates are not listed and are not used.

params are chosen from this list:

• readonly, whether to access the keychain with only read permissions. Use 0 for false, and 1 for true.

Example: ios:///?readonly=1

KMIP Server

A storage can be opened from a KMIP server using this syntax: mailto:{password}@{remotehost}:{remoteport}/?{params}

password is the password use to authenticate to the server.

remotehost is the FQDN to the server.

remoteport is the server port to connect to.

params are chosen from this list:

• encoder, the message encoding used to communicate with the server. Possible values are:
  • 1 (XML)
  • 2 (JSON)
  • 3 (TTLV)

Example: mailto:password@kmip.website.com:5696/?encoder=1

Apple

A storage can be opened on macOS using this syntax: apple:///{path}/?{params}

This is a legacy way to work with keychains on macOS and iOS.

path is the path for storage file.

params are chosen from this list:

• keychainindex, key chain index. If not provided, one will be set to 0.
• readonly, whether to access the storage with only read permissions. Use 0 for false, and 1 for true.

Example: apple:///Users/test/Documents/test.storage?readonly=1 A storage can be opened on iOS using this syntax: apple:///?{params}

params are chosen from this list:

• readonly, whether to access the storage with only read permissions. Use 0 for false, and 1 for true.

Example: apple:///?readonly=1

In Xamarin projects for iOS keychain support should be enabled manually. To do this: 1. Double click on Entitlements.plist file, go to "Entitlements" tab and turn "Enable Keychain" option on. 2. Go to project options, select "iOS Bundle Signing", choose correct configuration and platform and set "Custom Entitlements" to "Entitlements.plist" value.

Azure Key Vault

A storage can be opened from the Azure Key Vault service using this syntax: vault://{clientid}:{clientsecret}@{vaultname}.{vaulthost}/

clientid is the client id obtained from Azure Portal when registering an app.

clientsecret is the client secret obtained from Azure Portal when registering an app.

vaultname is the name of the vault to connect to.

vaulthost is the Cloud environment where the vault is located; supported environments are:

Example: vault://xxxx:yyyy@myvault.vault.azure.net/

Refresh Method (CertificateStorage Component)

Refreshes all storage keychains.

Syntax

procedure Refresh();

Remarks

Call this method to refresh the storage.

Remove Method (CertificateStorage Component)

Removes a certificate from the storage.

Syntax

procedure Remove(Index: Integer);

Remarks

Use this method to remove the certificate from the storage given its index.

RemoveCRL Method (CertificateStorage Component)

Removes a CRL from the storage.

Syntax

procedure RemoveCRL(Index: Integer);

Remarks

Use this method to remove a CRL from the storage given its index.

RemoveOCSP Method (CertificateStorage Component)

Removes an OCSP response from the storage.

Syntax

procedure RemoveOCSP(Index: Integer);

Remarks

Use this method to remove an OCSP response from the storage given its index.

Reset Method (CertificateStorage Component)

Resets the component settings.

Syntax

procedure Reset();

Remarks

Reset is a generic method available in every component.

Select Method (CertificateStorage Component)

Allows the selection of certificates from the system store.

Syntax

procedure Select(Filter: String; PrivateKeyNeeded: Boolean; MaxCount: Integer);

Remarks

This function allows the user to select certificates from the system store by Filter and save them to SelectedCertificates. PrivateKeyNeeded specifies whether the method only should consider certificates having associated private keys. MaxCount limits the number of certificates selected.

The supported filters are listed below. Split the name and value of a specific filter with colon (:). Use | separator to pass more than one filter. During the search, the filters are joined using OR logic.

• subjectkeyid: the subject key identifier, in hexadecimal format.
• cakeyid: the key identifier of the issuing certificate, in hexadecimal format.
• serialnumber: the serial number of the certificate, in hexadecimal format.
• keyusage: certificate key usage flags. Use bitwise OR to specify several key usage flags using the values shown below.
• fingerprint: certificate fingerprint in hexadecimal format. MD5, SHA1, SHA256, and SHA512 fingerprints are supported.
• email: the e-mail parameter of the certificate subject.
• subject: the subject of the certificate, either as an RDN, or as its common name parameter.
• issuer: the issuer of the certificate, either as an RDN or a common name.
• ui (Windows system stores only): whether to use UI dialog to select a certificate. Supported values: true, false, 1, 0. All other filters are ignored if this filter is specified.
• * (asterisk): selects all certificates. This filter should always be used as a single character, not as a name:value pair.

Examples of filters

ui:1 - use Windows certificate selection dialog to let the user select a certificate visually.

* - select all certificates.

email:user@server.com - select all certificates with subject RDNs containing this e-mail address.

fingerprint:0a1b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d - select all certificates with this SHA1 fingerprint.

subject:/C=US/O=Big Company Inc/CN=Signing Certificate - select all certificates with the specified subject RDN.

keyusage:3|email:user@server.com - select all certificates with key usages of Digital Signature or Non-Repudiation, or those having this e-mail address in their subject.

Key usage flags

SelectChain Method (CertificateStorage Component)

Selects a chain of certificates given its index.

Syntax

procedure SelectChain(Index: Integer);

Remarks

Use this method to select a certificate chain given its index.

SetStorageProperty Method (CertificateStorage Component)

Sets the value of a custom certificate storage property.

Syntax

procedure SetStorageProperty(Name: String; Value: String);

Remarks

This method, together with GetStorageProperty, provides an extensible way of managing the certificate storage's settings that are not available through the primary properties of the component. The list of settings may be extended in future, in response to emergence of new storage variants and recognition of non-obvious storage usage scenarios.

The following certificate storage properties can be read using this method:

Error Event (CertificateStorage Component)

Information about errors during certificate loading or saving.

Syntax

type TErrorEvent = procedure (
  Sender: TObject;
  ErrorCode: Integer;
  const Description: String
) of Object;

property OnError: TErrorEvent read FOnError write FOnError;

Remarks

Reports exceptional conditions during certificate loading or exporting.

ErrorCode contains an error code and Description contains a textual description of the error.

Notification Event (CertificateStorage Component)

This event notifies the application about an underlying control flow event.

Syntax

type TNotificationEvent = procedure (
  Sender: TObject;
  const EventID: String;
  const EventParam: String
) of Object;

property OnNotification: TNotificationEvent read FOnNotification write FOnNotification;

Remarks

The component fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.

The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.

This component can fire this event with the following EventID values:

PasswordNeeded Event (CertificateStorage Component)

This event is fired when a decryption password is needed.

Syntax

type TPasswordNeededEvent = procedure (
  Sender: TObject;
  const NeededFor: String;
  var Password: String;
  var Cancel: Boolean
) of Object;

property OnPasswordNeeded: TPasswordNeededEvent read FOnPasswordNeeded write FOnPasswordNeeded;

Remarks

The component fires this event when a password is needed to decrypt a certificate or a private key.

In the handler of this event, assign the password to the Password parameter, or set Cancel to true to abort the operation.

The NeededFor parameter identifies the certificate for which the password is requested.

Certificate Type

Encapsulates an individual X.509 certificate.

Remarks

This type keeps and provides access to X.509 certificate details.

Fields

Constructors

>

constructor Create();

CRL Type

Represents a Certificate Revocation List.

Remarks

CRLs store information about revoked certificates, i.e., certificates that have been identified as invalid by their issuing certificate authority (CA) for any number of reasons.

Each CRL object lists certificates from a single CA and identifies them by their serial numbers. A CA may or may not publish a CRL, may publish several CRLs, or may publish the same CRL in multiple locations.

Unlike OCSP responses, CRLs only list certificates that have been revoked. They do not list certificates that are still valid.

Fields

Constructors

>

constructor Create();

OCSPResponse Type

Represents a single OCSP response originating from an OCSP responder.

Remarks

OCSP is a protocol that allows verification of certificate status in real-time, and is an alternative to Certificate Revocation Lists (CRLs).

An OCSP response is a snapshot of the certificate status at a given time.

Fields

Constructors

>

constructor Create();

Config Settings (CertificateStorage Component)

The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

CertificateStorage Config Settings

Base Config Settings

Trappable Errors (CertificateStorage Component)

CertificateStorage Errors