PKCS11 doesn't read properly certificate from cryptography card reader

PKCS11.ListSlots, PKCS11.ListTokens, PKCS11.ListObjects all work properly.
When I try to use PKCS11.ListCertificates I get several random chars. The same for PKCS11.ShowCert. The certificate is quite new (2 weeks) and works with the desktop application from the certificate vendor.

OS: Windows 10 Home
Environment : Delphi 10.4.2
Platform : Windows 32 bit
TMS Cryptography Pack v4.3.2.5

Can you send some code and snapshots?


This is simple test code created after a problem with signing an XML document in the demo app. The demo returns the error "Wrong certificate (v3 required)". After debugging the demo I found that PKCS11 has a problem reading the certificate from the card.

procedure TForm1.Button1Click(Sender: TObject);
var
  PKCS11 : TPKCS11 ;
  Slots : TStringList ;
  Tokens : TStringList ;
  Objects : TStringList ;
  Certs : TStringList ;
  CertImg : TStringList ;
begin
  // The path to the vendor PKCS#11 DLL is passed to the constructor
  PKCS11 := TPKCS11.Create('c:\Program Files (x86)\Certum\SimplySign Desktop\proCertum SmartSign\cryptoCertum3PKCS.dll') ;
  try
    // Enumerate slots, then tokens and objects on the first slot
    Slots := PKCS11.ListSlots ;
    MemoSlots.Text := Slots.Text ;

    PKCS11.currentSlotIndex := 0 ;

    Tokens := PKCS11.ListTokens ;
    MemoTokens.Text := Tokens.Text ;

    Objects := PKCS11.ListObjects ;
    MemoObjects.Text := Objects.Text ;

    // Select object 10 and read it as a certificate
    PKCS11.currentObjectIndex := 10 ;

    Certs := PKCS11.ListCertificates ;
    MemoCerts.Text := Certs.Text ;

    CertImg := PKCS11.ShowCert(10) ;
    MemoCertImg.Text := CertImg.Text ;
  finally
    PKCS11.Free ;
  end ; { try .. finally }
end ;

Some additional info:

  1. Certificate created for a Polish owner (Middle-East Europe, national chars).
  2. Cryptography Pack upgraded to After this PKCS11.DLLpath property stopped working. Path to DLL must be specified in Create.
  3. Desktop application is in 32-bit version, so the DLL is too.

Form1.pdf (54.0 KB)

The last line of the cert text could be some hexadecimal string. Can you convert it with functions in MiscObj.pas?


I don't know if this is what you want?

I made:
CertImg.SaveToFile('aqq.txt') ;

and viewed this file in the TotalCommander lister as HEX.

Most likely. I was interested in the sequence starting on the 3rd line with 07 E4 1D 06...
Unfortunately, it doesn't look like an ASN.1 sequence (usually starting with 30...).
I need to investigate with my own certificate.


O.K. Last row.

Did you try the demo with "Generate AdES" and the following parameters?

  • PAdES
  • Path to your PKCS DLL
  • PIN code
  • Enveloped
  • Any PDF file to sign
  • Any name for the signed file

It works fine with my USB token that is Version X.509 V3.


My result.


Can you take a snapshot like this one?

I don't need the serial number.


Version: V3

Signature algorithm: sha256RSA

Signature hash algorithm: sha256

Issuer: = VATPL-5170359458
CN = Certum QCA 2017
O = Asseco Data Systems S.A.
C = PL

Valid from: Tuesday, 31 October 2023 09:44:55

Valid to: Friday, 30 October 2026 09:44:55

Subject: C = PL
SN = Dziurman
G = Stanisław
CN = Stanisław Dziurman

Public key: RSA(3072Bits)

Looks very good.

The only difference is the key size (3072). I need to check whether this can be the cause of the problem.

Hi, the 'garbage' is actually the PKCS label that shows below the PKCS identifier in your cert app.
It looks like this on mine:

Can you check yours? It could look like 07e41d06-14616fc7-...

Running your code (tweaked), I get this:


How can I do it?

You should have an app in your widget toolbar (arrow icon close to the wifi icon at the bottom) that can read what is in your USB token. The icon of mine looks like a chip.


I have only CardManager but it does not show such detailed info.

Can you add this to your code:

MyString := PKCS11.ExtractCertificate(10);

and send me the Base64 value in ContentMemo (you need to add a TMemo on the GUI)?


I have the certificate in a *.pem file. The content is the same as returned by your code.

Stanisław (1.9 KB)

Additionally content from Your code. (1.8 KB)

Thanks, it is a version 3 certificate that decodes well.

The issue is with the parser code that gets a value from an incorrect index and then raises an error on the version.

I will fix this but it won't fix the 'garbage' from the cert ID string.
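
The two checks discussed in this thread (does a blob read from the token start with 0x30, and which X.509 version does it carry) are shown below as an added example in Python. It is not code from TMS Cryptography Pack or from either poster. The sample blobs are constructed skeletons rather than real certificates, and `07e41d06` is the truncated value quoted above.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, pos, pos + length

def x509_version(der):
    """Version (1..3) of a DER certificate, found by tag instead of offset."""
    if not der or der[0] != 0x30:
        raise ValueError("first byte is not 0x30 (SEQUENCE)")
    _, pos, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    tag, pos, _ = read_tlv(der, pos)         # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)         # first field of tbsCertificate
    if tag != 0xA0:                          # no [0] wrapper: version DEFAULT v1
        return 1
    tag, pos, end = read_tlv(der, pos)       # INTEGER inside [0] EXPLICIT
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[pos:end], "big") + 1

def describe(blob):
    try:
        return "X.509 v%d" % x509_version(blob)
    except ValueError as exc:
        return "not a certificate: %s" % exc

def tlv(tag, content):                       # encoder for the samples only
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

# Constructed skeletons, not real certificates: only the fields read above.
REST = tlv(0x02, b"\x01") + tlv(0x04, bytes(300))   # serial + filler
V3_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + REST))
V1_CERT = tlv(0x30, tlv(0x30, REST))
OBJECT_ID = bytes.fromhex("07e41d06")        # leading bytes quoted in the thread
```

The version INTEGER sits at a different byte offset depending on whether the enclosing lengths use short or long form, which is why the walk follows tags rather than a fixed index.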