pfx Certificates

9/28/2010 10:37:35 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

See the Contacts page and write to the techy address.

9/28/2010 10:48:37 AM
Total Posts 26

Re: pfx Certificates

I have just sent you the source code. Thank you.

9/28/2010 11:31:40 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

In the code you sent me there is GenerateKeyPair only (there isn't a pfx loading sample), but from this sample I see that it uses the following attributes that we are missing:

CKA_KEY_TYPE with value: CKK_RSA

CKA_SIGN with value true

CKA_DECRYPT with value true

Try to add the following lines:

template.Add(New ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SIGN, True))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_DECRYPT, True))

9/28/2010 12:05:14 PM
Total Posts 26

Re: pfx Certificates

Ugo, one step more. Now the error is TEMPLATE_INCOMPLETE. I have been reading the PKCS#11 technical document and I have tested adding the CKA_SIGN_RECOVER attribute, but the message is the same. I have tested adding CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE as you said before. I think it is an attribute related to the new attributes you have added. This is the snippet I have at this moment:

 

Function ImportKeyPair(ByVal Session As Session, ByVal cert As String, ByVal password As String, ByVal id As String, ByVal label As String, ByVal priv As Boolean, ByVal modifiable As Boolean) As PrivateKey
    Dim certificate As X509Certificate2
    certificate = New X509Certificate2(cert, password, X509KeyStorageFlags.Exportable)
    If (Not certificate.HasPrivateKey) Then
        Throw New Exception("Certificate doesn't have private key. Import failed!")
    End If
    Dim keyPair As RSA
    Dim keyParams As RSAParameters
    Dim template As CryptokiCollection
    Dim priKey As PrivateKey
    keyPair = certificate.PrivateKey
    keyParams = keyPair.ExportParameters(True)
    template = New CryptokiCollection()
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
    ' ******** For HID Crescendo C700
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SIGN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SIGN_RECOVER, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_DECRYPT, True))
    ' ********

    template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))

    template.Add(New ObjectAttribute(ObjectAttribute.CKA_NEVER_EXTRACTABLE, True))
    template.Add(New ObjectAttribute(ObjectAttribute.CKA_ALWAYS_SENSITIVE, True))
    priKey = Session.Objects.Create(template)
    ImportKeyPair = priKey

End Function

9/28/2010 1:05:49 PM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

This HID token is very hard :(

Try to add the attribute CKA_SENSITIVE.

let me know...

Ugo

9/28/2010 1:45:40 PM
Total Posts 26

Re: pfx Certificates

Ugo, we are not lucky either. With this new attribute the error is the same, TEMPLATE_INCOMPLETE. I hope HID can give more information. Thanks a lot.

9/29/2010 9:13:38 AM
Total Posts 26

Re: pfx Certificates

Ugo, finally I decided to begin again and I have seen the problem with the Private Key. It was the attribute Token. I must set it to False. With these attributes it works:

template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, certificate.SubjectName.RawData))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, False))

template.Add(New ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, keyParams.Exponent))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.D))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_PRIVATE, priv))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, modifiable))
 

I think I commented these attributes out one by one in the past, but perhaps I assumed Token was clearly True like in other tokens...

Now I have to fight with the Certificate because I get the error Template_Inconsistent. I will contact you once I get it without errors. Thanks a lot.

9/29/2010 9:57:31 AM
Total Posts 26

Re: pfx Certificates

Ugo, I was wrong. It doesn't give any error, but the private key is not loaded in the smart card. I suppose CKA_TOKEN must be True in order for the private key to be loaded in the smart card. In relation to the Certificate, I have been able to download it by adding another attribute (CKA_CERTIFICATE_TYPE):

template.Add(New ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.Issuer))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.SerialNumber))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_ID, id))
'template.Add(New ObjectAttribute(ObjectAttribute.CKA_LABEL, label))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_TOKEN, True))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData))
template.Add(New ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, True))
 

I will wait until HID says something.

Thanks.

9/29/2010 10:16:23 AM
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: pfx Certificates

Yes, of course. If you don't specify CKA_TOKEN=true the private key is not loaded in the token but is loaded as a temporary, session object.

I was reading the PKCS#11 specification again. I read the following about RSA Private Keys:

"Table 36: RSA Private Key Attributes:

CKA_MODULUS           Big integer   Modulus n
CKA_PUBLIC_EXPONENT   Big integer   Public exponent e
CKA_PRIVATE_EXPONENT  Big integer   Private exponent d
CKA_PRIME_1           Big integer   Prime p
CKA_PRIME_2           Big integer   Prime q
CKA_EXPONENT_1        Big integer   Private exponent d modulo p-1
CKA_EXPONENT_2        Big integer   Private exponent d modulo q-1
CKA_COEFFICIENT       Big integer   CRT coefficient q^-1 mod p

Tokens vary in what they actually store for RSA private keys. Some tokens store all of the above attributes, which can assist in performing rapid RSA computations. Other tokens might store only the CKA_MODULUS and CKA_PRIVATE_EXPONENT values. Because of this, Cryptoki is flexible in dealing with RSA private key objects. When a token generates an RSA private key, it stores whichever of the fields in Table 36 it keeps track of. Later, if an application asks for the values of the key's various attributes, Cryptoki supplies values only for attributes whose values it can obtain (i.e., if Cryptoki is asked for the value of an attribute it cannot obtain, the request fails). Note that a Cryptoki implementation may or may not be able and/or willing to supply various attributes of RSA private keys which are not actually stored on the token. E.g., if a particular token stores values only for the CKA_PRIVATE_EXPONENT, CKA_PRIME_1, and CKA_PRIME_2 attributes, then Cryptoki is certainly able to report values for all the attributes above (since they can all be computed efficiently from these three values). However, a Cryptoki implementation may or may not actually do this extra computation. The only attributes from Table 36 for which a Cryptoki implementation is required to be able to return values are CKA_MODULUS and CKA_PRIVATE_EXPONENT.

If an RSA private key object is created on a token, and more attributes from Table 36 are supplied to the object creation call than are supported by the token, the extra attributes are likely to be thrown away.

If an attempt is made to create an RSA private key object on a token with insufficient attributes for that particular token, then the object creation call fails and returns CKR_TEMPLATE_INCOMPLETE."

This means that you should try with different sets of attributes.

For example, try to remove CKA_PUBLIC_EXPONENT.
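The spec passage above says a token may require more than CKA_MODULUS and CKA_PRIVATE_EXPONENT before it accepts an RSA private key, and that the remaining Table 36 values can all be derived from p and q. The following is an added example, not code from this thread or from the library discussed here: it derives the complete Table 36 attribute set from (p, q, e), encodes each value as the unsigned big-endian "Big integer" PKCS#11 expects, and checks the CRT attributes by signing with them and verifying with the public pair. The primes are constructed toy values so the script runs instantly; the attribute names are the PKCS#11 ones, and the comment mapping them onto .NET RSAParameters fields (P, Q, DP, DQ, InverseQ, which ExportParameters(True) already returns) is my addition.

```python
# Added example (not from the thread): build the full PKCS#11 Table 36
# RSA private-key attribute set from (p, q, e), encode as "Big integer"
# byte strings, and prove the CRT values are consistent by signing.
# The primes used at the bottom are constructed toy values, far too
# small for real keys; they exist only to make the demo runnable.

def mod_inverse(a, m):
    """Modular inverse using Python 3.8+ built-in pow with exponent -1."""
    return pow(a, -1, m)


def to_big_integer(n):
    """PKCS#11 'Big integer': unsigned, big-endian, no sign byte."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def from_big_integer(b):
    """Inverse of to_big_integer."""
    return int.from_bytes(b, "big")


def rsa_private_key_template(p, q, e):
    """Return every Table 36 attribute as {CKA_name: bytes}.

    Correspondence to .NET RSAParameters (assumption noted in lead-in):
      Modulus -> CKA_MODULUS          Exponent -> CKA_PUBLIC_EXPONENT
      D       -> CKA_PRIVATE_EXPONENT P        -> CKA_PRIME_1
      Q       -> CKA_PRIME_2          DP       -> CKA_EXPONENT_1
      DQ      -> CKA_EXPONENT_2       InverseQ -> CKA_COEFFICIENT
    """
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    d = mod_inverse(e, phi)          # private exponent d = e^-1 mod phi
    values = {
        "CKA_MODULUS": n,
        "CKA_PUBLIC_EXPONENT": e,
        "CKA_PRIVATE_EXPONENT": d,
        "CKA_PRIME_1": p,
        "CKA_PRIME_2": q,
        "CKA_EXPONENT_1": d % (p - 1),   # d mod (p-1)
        "CKA_EXPONENT_2": d % (q - 1),   # d mod (q-1)
        "CKA_COEFFICIENT": mod_inverse(q, p),  # q^-1 mod p
    }
    return {name: to_big_integer(v) for name, v in values.items()}


def sign_crt(m, template):
    """Compute m^d mod n with Garner's CRT recombination, touching only
    CKA_PRIME_1/2, CKA_EXPONENT_1/2 and CKA_COEFFICIENT, i.e. the
    'rapid RSA computation' path the spec passage mentions."""
    p = from_big_integer(template["CKA_PRIME_1"])
    q = from_big_integer(template["CKA_PRIME_2"])
    dp = from_big_integer(template["CKA_EXPONENT_1"])
    dq = from_big_integer(template["CKA_EXPONENT_2"])
    qinv = from_big_integer(template["CKA_COEFFICIENT"])
    m1 = pow(m, dp, p)
    m2 = pow(m, dq, q)
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q                 # already reduced: < p*q


def verify(s, m, template):
    """Public-key check: s^e mod n == m mod n."""
    n = from_big_integer(template["CKA_MODULUS"])
    e = from_big_integer(template["CKA_PUBLIC_EXPONENT"])
    return pow(s, e, n) == m % n


def missing_required(template):
    """Attributes every Cryptoki implementation must be able to return
    per the Table 36 text. A token may require more than these and
    answer CKR_TEMPLATE_INCOMPLETE when they are absent."""
    return [a for a in ("CKA_MODULUS", "CKA_PRIVATE_EXPONENT")
            if a not in template]


# Constructed toy parameters (textbook-sized, not secure): n = 3233.
P, Q, E = 61, 53, 17

if __name__ == "__main__":
    tpl = rsa_private_key_template(P, Q, E)
    for name, value in tpl.items():
        print(f"{name:22s} {value.hex()}")
    s = sign_crt(65, tpl)
    print("CRT signature verifies:", verify(s, 65, tpl))
    print("missing required attributes:", missing_required(tpl))
```

Supplying the five CRT attributes alongside CKA_MODULUS, CKA_PUBLIC_EXPONENT and CKA_PRIVATE_EXPONENT costs nothing when the key comes from ExportParameters(True), and it removes one class of CKR_TEMPLATE_INCOMPLETE guesswork: a token that stores only p and q can ignore the rest, while a token that insists on them is satisfied. Note also that a key imported this way has necessarily existed in clear on the host, so CKA_SENSITIVE and CKA_NEVER_EXTRACTABLE on the token object describe what the token will enforce from now on, not the key's history.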

9/29/2010 11:19:30 AM
Total Posts 26

Re: pfx Certificates

Ugo, I have tried what you said to me, but the error is the same (TEMPLATE_INCOMPLETE). I have removed CKA_PUBLIC_EXPONENT and the same problem. I have tried adding the CKA_PRIME_1 and CKA_PRIME_2 attributes and the same... I have resent an e-mail to HID reminding them of the problem and giving more information. Thanks a lot. Once I receive an e-mail I will contact you. Rgds.

10/5/2010 10:19:39 AM
Total Posts 26

Re: pfx Certificates

Ugo, I'm still waiting for a response from HID. Thank you very much.