[Mono-list] Https (Webservice) authentication using PKCS#11 tokens

Mathias Tausig mathias.tausig at a-cert.at
Fri Feb 19 04:30:47 EST 2010


Hi Sebastien (and everybody else)!

On 16.02.2010 15:37, Sebastien Pouliot wrote:
> On Tue, 2010-02-16 at 15:17 +0100, Mathias Tausig wrote:
>> [...].
> 
>> The best concept that I could
>> make up so far, was to write a PKCS#11 wrapper and then subclass RSA.
> 
> Yep, that's the right thing to do.
> 
> Sebastien
> 

I have done that now (and no, I have not written a PKCS#11 wrapper in
the course of 2 days, I had already started the work before), but I am
facing a slight problem.
In Mono's implementation of X509Certificate2, when the key is accessed
via the PrivateKey property, the ExportParameters method of
AsymmetricAlgorithm is invoked (see
http://anonsvn.mono-project.com/viewvc/tags/mono-2-6-1/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2.cs
, line 213). When I implemented my Pkcs11RsaKey class, derived from RSA,
I chose to throw a CryptographicException whenever ExportParameters(true)
is called (since there is no possibility to actually read the private
parameters off a token). But if I do so, X509Certificate2.PrivateKey
returns null and the whole https login process fails.

Since you wrote the whole Cryptographic namespace, maybe you could shed
some light on why this call to ExportParameters is necessary.
Do you see any workaround for this, apart from simply returning the
public parameters from ExportParameters(true), as I have done now, to
make it work as a proof of concept?

cheers
Mathias
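
The design the message describes, as an added example (not code from the original post or from Mono): an RSA subclass that refuses ExportParameters(true) and routes the private-key operation to the token. ITokenKey and TokenBackedRsa are hypothetical names, and the set of overrides assumes the .NET 2.0-style RSA base class.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical view of a PKCS#11 wrapper; a real binding would sit behind it.
public interface ITokenKey
{
    RSAParameters PublicParameters { get; }   // Modulus and Exponent only
    byte[] PrivateOperation(byte[] input);    // computed on the token itself
}

public sealed class TokenBackedRsa : RSA
{
    private readonly ITokenKey token;

    public TokenBackedRsa(ITokenKey token)
    {
        if (token == null) throw new ArgumentNullException("token");
        this.token = token;
        KeySizeValue = token.PublicParameters.Modulus.Length * 8;
    }

    public override string SignatureAlgorithm
    {
        get { return "http://www.w3.org/2000/09/xmldsig#rsa-sha1"; }
    }

    public override string KeyExchangeAlgorithm
    {
        get { return "RSA-PKCS1-KeyEx"; }
    }

    public override RSAParameters ExportParameters(bool includePrivateParameters)
    {
        // Fail closed: a caller asking for private parameters must never
        // receive a structure that only looks like a private key.
        if (includePrivateParameters)
            throw new CryptographicException(
                "Private key is held on the token and cannot be exported.");
        return token.PublicParameters;
    }

    public override void ImportParameters(RSAParameters parameters)
    {
        throw new NotSupportedException("Key material is fixed by the token.");
    }

    // The private-key operation is delegated; no secret enters process memory.
    public override byte[] DecryptValue(byte[] rgb)
    {
        return token.PrivateOperation(rgb);
    }

    public override byte[] EncryptValue(byte[] rgb)
    {
        throw new NotSupportedException("Public-key operation not routed to the token.");
    }

    protected override void Dispose(bool disposing) { }
}
```

A consumer that needs to tell a token-backed key from a software key can check the object's type, or check whether the D field of an exported RSAParameters is null, instead of relying on the export call succeeding.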

