PKCS11 certificate

Does .NET support PKCS11 certificates for HSM devices? If not, are there any other third-party utilities that support PKCS11 certificates?

+2




6 answers


Not sure what you mean by "HSM device" so you will need to check the specifics of your requirements.

Otherwise .NET supports PKCS9, but no sign of PKCS11 in mainstream .NET (for legacy System.Security.Cryptography.Pkcs namespace).



Outside of mainstream .NET, there are some searches (e.g. http://msdn.microsoft.com/en-us/library/microsoft.clm.shared.profiletemplates.smartcardprovidertype(VS.85).aspx ).

0




This library does what you need: http://www.ncryptoki.com



+2




For PKCS11, you can use the open source Pkcs11Interop. It works great and contains a lot of unit tests with examples of use.

+1




I'm not a .NET expert, but according to Google, PKIblackbox has a .NET toolkit that says PKCS#11. Then there are some PKCS#11-CSP wrappers that allow access to PKCS#11 modules via CryptoAPI, as I assume that there are many helpers in the .NET world. One of these wrappers is CSP11.

0




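You can easily call the PKCS11 API from .NET using instructions like this:

    // C_Initialize returns CK_RV (a 32-bit unsigned long on Windows) and takes a CK_VOID_PTR (NULL or CK_C_INITIALIZE_ARGS*).
    [System.Runtime.InteropServices.DllImport("cryptoki.dll")]
    static extern uint C_Initialize(System.IntPtr pInitArgs);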

      

0




Windows and .NET have their own PKCS#11 alternatives because it signs as a Windows platform.

.NET itself has System.Security.Cryptography, which has the concept of Key Storage Providers; Windows has CryptoAPI with its own cryptographic service providers and a smaller subset of it called mini receivers dedicated to smart cards.

In both cases, applications built on related cryptographic APIs gain access to cryptographic devices such as hardware security modules that integrate with them.

All vendors will provide integration with one or more of these vendor models, so you can use these devices without using PKCS#11 if you're interested.

If you need to use PKCS#11 for some reason, and there are times when you might need it, you should look at https://www.pkcs11interop.net/ as it provides a managed wrapper for native PKCS#11 libraries provided by HSM vendors.

If you go down this route, you can use SoftHSM ( https://www.opendnssec.org/softhsm/ ) to test if you don't have such a device. If you are left with Windows crypto APIs, you can test with the Virtual Smart Card solution that comes with Windows, and that would be a reasonable job approaching the problems you would have with a physical HSM.

0
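An added example, not part of any answer above and not taken from the Pkcs11Interop project: listing the X.509 certificates stored on a token through the Pkcs11Interop 5.x high-level API that two of the answers recommend. The library path is a placeholder assumption; point it at the PKCS#11 DLL shipped by your HSM vendor or by SoftHSM.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

class ListTokenCertificates
{
    static void Main(string[] args)
    {
        // Assumption: path to the vendor's (or SoftHSM's) native PKCS#11 library.
        string libraryPath = args.Length > 0 ? args[0] : @"C:\path\to\vendor-pkcs11.dll";

        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                   factories, libraryPath, AppType.MultiThreaded))
        {
            List<ISlot> slots = library.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0)
            {
                Console.Error.WriteLine("No token present in any slot.");
                return;
            }

            foreach (ISlot slot in slots)
            {
                Console.WriteLine("Token: " + slot.GetTokenInfo().Label);
                // Certificates are normally public objects, so a read-only
                // session without login is used and no PIN is handled here.
                using (ISession session = slot.OpenSession(SessionType.ReadOnly))
                {
                    var template = new List<IObjectAttribute>
                    {
                        factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
                        factories.ObjectAttributeFactory.Create(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509)
                    };
                    foreach (IObjectHandle handle in session.FindAllObjects(template))
                    {
                        // Attributes come back in the order requested: label, then DER bytes.
                        List<IObjectAttribute> attrs = session.GetAttributeValue(
                            handle, new List<CKA> { CKA.CKA_LABEL, CKA.CKA_VALUE });
                        var cert = new X509Certificate2(attrs[1].GetValueAsByteArray());
                        Console.WriteLine("  {0}: {1} (expires {2:u})",
                            attrs[0].GetValueAsString(), cert.Subject, cert.NotAfter);
                    }
                }
            }
        }
    }
}
```

The certificate read this way carries only the public part; the matching private key stays on the token and is used through session operations rather than exported.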








