Question

Does .NET support PKCS#11 certificates for HSM devices? If not, are there any other third-party utilities available which support PKCS#11 certificates?


Solution

Not sure what you mean by "HSM device", so you will need to check the specifics of your requirements.

Otherwise, .NET does support PKCS#9, but there is no sign of PKCS#11 in core .NET (for the former, see the System.Security.Cryptography.Pkcs namespace).

Outside of core .NET there are some search hits (e.g. http://msdn.microsoft.com/en-us/library/microsoft.clm.shared.profiletemplates.smartcardprovidertype(VS.85).aspx).

OTHER TIPS

This library does what you need: http://www.ncryptoki.com

For PKCS#11 you can use the open source Pkcs11Interop. It works fine and contains a lot of unit tests with examples of usage.

I'm not a .NET specialist, but according to Google PKIblackbox has a toolkit for .NET that speaks PKCS#11. Then there exist some PKCS#11-CSP wrappers which allow access to PKCS#11 modules via CryptoAPI, for which I assume the .NET world has many helpers. One such wrapper is CSP11.

You can easily call PKCS11 APIs from .net using statements like this:

    // CK_RV is "unsigned long", which is 32 bits on Windows, so uint is the right return type.
    // C_Initialize takes a CK_VOID_PTR (pointer to CK_C_INITIALIZE_ARGS or NULL), not an int.
    [DllImport("cryptoki.dll", CallingConvention = CallingConvention.Cdecl)]
    static extern uint C_Initialize(IntPtr pInitArgs);
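The P/Invoke approach above carried a little further, as an added example that is not part of the original answer: it declares the three calls needed to initialise a module and enumerate its slots, checks every CK_RV, and always finalises. It assumes the vendor module is named `cryptoki.dll` and is on the DLL search path, and that the module uses the cdecl calling convention (most Windows PKCS#11 modules do; Pkcs11Interop supports both cdecl and stdcall for exactly this reason). The `uint` mappings are only correct on Windows, where CK_ULONG is 32 bits; on 64-bit Linux or macOS CK_ULONG is 64 bits, which is one of the main reasons to prefer a managed wrapper over hand-written declarations.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not from the original answer): raw PKCS#11 binding via P/Invoke.
// Assumption: the vendor module is "cryptoki.dll"; substitute the real library name.
static class Cryptoki
{
    public const uint CKR_OK = 0;
    public const uint CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191;

    // C_Initialize(CK_VOID_PTR pInitArgs); IntPtr.Zero selects the default (single-threaded) arguments.
    [DllImport("cryptoki.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern uint C_Initialize(IntPtr pInitArgs);

    // C_Finalize(CK_VOID_PTR pReserved); pReserved must be NULL.
    [DllImport("cryptoki.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern uint C_Finalize(IntPtr pReserved);

    // C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
    // Standard two-call pattern: pass a null list to learn the count, then a sized buffer.
    // CK_SLOT_ID is CK_ULONG, 32 bits on Windows only (see note above).
    [DllImport("cryptoki.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern uint C_GetSlotList(byte tokenPresent, [Out] uint[] pSlotList, ref uint pulCount);
}

class Program
{
    // Every PKCS#11 call returns a CK_RV; never ignore it.
    static void Check(uint rv, string function)
    {
        if (rv != Cryptoki.CKR_OK)
            throw new InvalidOperationException($"{function} failed with CKR 0x{rv:X}");
    }

    static void Main()
    {
        uint rv = Cryptoki.C_Initialize(IntPtr.Zero);
        if (rv != Cryptoki.CKR_CRYPTOKI_ALREADY_INITIALIZED)
            Check(rv, "C_Initialize");

        try
        {
            uint count = 0;
            Check(Cryptoki.C_GetSlotList(1, null, ref count), "C_GetSlotList (count)");

            uint[] slots = new uint[count];
            Check(Cryptoki.C_GetSlotList(1, slots, ref count), "C_GetSlotList (fill)");

            Console.WriteLine($"{count} slot(s) with a token present");
            foreach (uint slotId in slots)
                Console.WriteLine($"  slot id {slotId}");
        }
        finally
        {
            // Always release the module, even when a call above threw.
            Cryptoki.C_Finalize(IntPtr.Zero);
        }
    }
}
```

Note that PKCS#11 structures on Windows are declared with 1-byte packing, so any declaration that goes beyond scalars and arrays (for example CK_SLOT_INFO or CK_ATTRIBUTE) needs `[StructLayout(LayoutKind.Sequential, Pack = 1)]`; getting this wrong produces silently corrupted data rather than an error.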

Windows, and .NET by virtue of being designed as a Windows platform, has its own alternatives to PKCS#11.

In .NET itself there is System.Security.Cryptography, which has the concept of Key Storage Providers; in Windows there is CryptoAPI with its Cryptographic Service Providers and its smaller subset called minidrivers, designed for smart cards.

In both cases applications built on the associated cryptographic APIs get to access cryptographic appliances like Hardware Security Modules that integrate with them.

All vendors will provide integration with one or more of these provider models so you can use these devices without the use of PKCS#11 if that is your interest.

If you need to use PKCS#11 for some reason, and there are cases where that might be needed, you should look at https://www.pkcs11interop.net/ as it provides a managed wrapper for the native PKCS#11 libraries provided by HSM vendors.

If you go down this route you can use SoftHSM (https://www.opendnssec.org/softhsm/) for testing if you don't have such a device handy. If you stay with the Windows cryptographic APIs you can do testing with the Virtual Smart Card solution that is included in Windows, and this will do a reasonable job of approximating the sort of issues you will have with a physical HSM.
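The Key Storage Provider route described above, as an added example that is not part of the original answer: it signs and verifies with an RSA key that lives in a Windows KSP, so the private key never leaves the provider (a smart card, a Virtual Smart Card used for testing, or a vendor HSM that ships a KSP). It assumes a key named `ExampleSigningKey` (hypothetical) already exists in the Microsoft Smart Card KSP, and shows the second common path as well: a certificate in the user's store whose private key is provider-backed, located by a placeholder thumbprint.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not from the original answer): private-key operations through a Windows KSP.
// Assumptions: key "ExampleSigningKey" (hypothetical) exists in the Smart Card KSP;
// for a vendor HSM substitute new CngProvider("<vendor KSP name>").
static class KspSigning
{
    public static byte[] Sign(string keyName, CngProvider provider, byte[] data)
    {
        // CngKey.Open never exports the private key; the provider performs the signature.
        using (CngKey key = CngKey.Open(keyName, provider))
        using (RSACng rsa = new RSACng(key))
        {
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static bool Verify(string keyName, CngProvider provider, byte[] data, byte[] signature)
    {
        using (CngKey key = CngKey.Open(keyName, provider))
        using (RSACng rsa = new RSACng(key))
        {
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Second path: a certificate in the CurrentUser\My store whose private key is held by a KSP.
    // GetRSAPrivateKey() hands back an RSA object bound to that provider, so the same
    // SignData call works without the caller knowing which provider is involved.
    public static byte[] SignWithStoreCertificate(string thumbprint, byte[] data)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("certificate not found");

            using (RSA rsa = matches[0].GetRSAPrivateKey())
            {
                if (rsa == null)
                    throw new InvalidOperationException("certificate has no accessible RSA private key");
                return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
        }
    }
}

class Program
{
    static void Main()
    {
        CngProvider provider = CngProvider.MicrosoftSmartCardKeyStorageProvider;
        const string keyName = "ExampleSigningKey";           // hypothetical key name
        const string thumbprint = "<certificate thumbprint>";  // placeholder
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");

        if (!CngKey.Exists(keyName, provider))
        {
            Console.WriteLine("Key not found in the KSP; provision one on the card or HSM first.");
            return;
        }

        byte[] sig = KspSigning.Sign(keyName, provider, message);
        Console.WriteLine($"Signature ({sig.Length} bytes): {Convert.ToBase64String(sig)}");
        Console.WriteLine($"Verify: {KspSigning.Verify(keyName, provider, message, sig)}");

        try
        {
            byte[] certSig = KspSigning.SignWithStoreCertificate(thumbprint, message);
            Console.WriteLine($"Certificate-backed signature: {certSig.Length} bytes");
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine($"Store path skipped: {e.Message}");
        }
    }
}
```

A KSP-backed key will typically prompt for a PIN or require a touch on first use; expect the same with a physical HSM, which is why testing against a Virtual Smart Card (or SoftHSM on the PKCS#11 side) before going to production hardware is worthwhile.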

Licensed under: CC-BY-SA with attribution