Discuss this help topic in SecureBlackbox Forum
Use PKCS#11 (hardware) storages
PKCS#11 is an interface for communicating with hardware security modules (HSMs), often also referred to as smart cards, crypto-tokens or simply tokens. SecureBlackbox works with certificates and keys stored on hardware tokens via its TElPKCS11CertStorage component. TElPKCS11CertStorage, just as any other certificate storage, provides unified interface to certificate media.
To access certificates stored on a security device via the PKCS#11 interface you need to know the location of its PKCS#11 driver. This driver, typically a dynamically linked library (DLL), is normally installed with the token software package either to Windows System32 directory, or to the driver vendor's subdirectory in Program Files. Note that the platform for which the driver was compiled must match the platform for which your application is compiled. That is, if you compile your application for x64 target, you will need an x64 PKCS#11 driver. The majority of vendors deploy two copies of the driver, for x64 and x86 environments.
Among sample driver names are asepkcs.dll, pteidpkcs11.dll and aitpkc211.dll, but generally the name is unique to the vendor and its device type.
The following step-by-step instruction explains how to access device-based certificates. Note (.NET only), Before compiling and running your code, put the SecureBlackbox_PKCS11Proxy.dll assembly next to your application's binary. The proxy DLL dispatches calls from the managed .NET code to the unmanaged driver DLL and back, and ensures that the data are sent in the correct form.
TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
TElPKCS11CryptoProvider prov = new TElPKCS11CryptoProvider();
storage.CryptoProvider = prov;
storage.DLLName = @"C:\Windows\System32\asepkcs.dll";
Don't forget that the target of your application must match the target of the driver!
storage.Open();
This loads the driver and promotes the list of slots.
for (int i = 0; i < storage.Module.SlotCount; i++)
{
slotInfo = storage.Module.get_Slot(i);
if (slotInfo.TokenPresent)
{
cbSlots.Items.Add(slotInfo.SlotDescription);
}
}
TElPKCS11SessionInfo sessInfo = storage.OpenSession(slotIndex, true);
The second parameter set to true means that we are opening a read-only session.
It is recommended to always open read-only sessions, unless you need to modify the contents of the token (by adding or removing certificates or keys).
In most cases you don't need a PIN on this stage, though some tokens, very rarely, may show a customised PIN window.
TElX509Certificate firstCert = storage.get_Certificates(0);
sessInfo.Login(SBPKCS11Base.Unit.utUser, "1234");
The first parameter means that we are logging in as a normal user (there is another alternative, a security officer).
The second parameter passes the PIN.
TElX509Certificate firstCert = storage.get_Certificates(0);
cmsSig.Sign(firstCert, storage);
sessInfo.Logout();
storage.CloseSession(0);
storage.Close();
prov.Dispose();
storage.Dispose();