secret key load

9/24/2012 11:31:51 AM
Hi,

I have to load some secret keys (DES, 3DES, AES) on a Luna HSM.

I'm able to do this with the Java API but I haven't found a way with C#.

Here's the code snippet for DES:


// Generate an 8-byte DES key in software; this is the value to load onto the token.
DESCryptoServiceProvider tdes = new DESCryptoServiceProvider();
tdes.GenerateKey();
byte[] keyValue = tdes.Key;

// Attribute template for the secret key object ("label" is the string used for CKA_LABEL and CKA_ID).
CryptokiCollection template = new CryptokiCollection();
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, label));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, keyValue));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_EXTRACTABLE, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_SIGN, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_VERIFY, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_DERIVE, false));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ALWAYS_SENSITIVE, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_LOCAL, false));

// C_CreateObject on the open session
session.Objects.Create(template);


The response was always CKR_TEMPLATE_INCONSISTENT.

I first tried with a small set of attributes, adding one at a time until I reached the set that the key inserted with the Java API seems to have:


Object
handle=5
CKA_CLASS=04000000
CKA_TOKEN=01
CKA_PRIVATE=01
CKA_LABEL=DACANC
CKA_KEY_TYPE=15000000
CKA_ID=00000139e3cd4f3b
CKA_SENSITIVE=01
CKA_ENCRYPT=01
CKA_DECRYPT=01
CKA_WRAP=01
CKA_UNWRAP=01
CKA_SIGN=01
CKA_VERIFY=01
CKA_DERIVE=00
CKA_START_DATE=
CKA_END_DATE=
CKA_VALUE_LEN=18000000
CKA_LOCAL=00
CKA_MODIFIABLE=01
CKA_EXTRACTABLE=01
CKA_ALWAYS_SENSITIVE=01
CKA_NEVER_EXTRACTABLE=00
CKA_CCM_PRIVATE=00
CKA_FINGERPRINT_SHA1=c6f41651262ef37ecbc0543931c4166abdbab842

Can you suggest some more actions to try?

Thanks

Andrea

9/24/2012 12:20:36 PM
Ugo Chirico http://www.ugochirico.com

Re: secret key load

CKR_TEMPLATE_INCONSISTENT means that something in the attribute set is not coherent.

Try to set CKA_SENSITIVE=False and CKA_EXTRACTABLE=True.
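
The template rules behind that error, as an added example that is neither this thread's code nor NCryptoki's: a Python checker (function and constant names are my own) that applies the PKCS#11 v2.20 secret-key attribute footnotes, under which CKA_LOCAL, CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE are set by the token and may not appear in a C_CreateObject, C_GenerateKey or C_UnwrapKey template, run over the attribute set from the first post. Any Luna-specific restriction on creating keys directly is a separate matter that it does not model.

```python
# Added example, not code from this thread or from NCryptoki: checks a secret-key
# template against the PKCS#11 v2.20 attribute rules behind CKR_TEMPLATE_INCONSISTENT.
from collections import Counter

# Set by the token itself; v2.20 marks them "must not be specified" for
# C_CreateObject, C_GenerateKey and C_UnwrapKey (footnotes 2, 4 and 6).
TOKEN_MANAGED = {"CKA_LOCAL", "CKA_ALWAYS_SENSITIVE", "CKA_NEVER_EXTRACTABLE"}
# CKA_VALUE is required by C_CreateObject and forbidden when the token produces
# the key material (C_GenerateKey, C_UnwrapKey); CKA_VALUE_LEN is the reverse.
REQUIRED = {"C_CreateObject": {"CKA_CLASS", "CKA_KEY_TYPE", "CKA_VALUE"},
            "C_GenerateKey": set(), "C_UnwrapKey": {"CKA_CLASS", "CKA_KEY_TYPE"}}
FORBIDDEN = {"C_CreateObject": TOKEN_MANAGED | {"CKA_VALUE_LEN"},
             "C_GenerateKey": TOKEN_MANAGED | {"CKA_VALUE"},
             "C_UnwrapKey": TOKEN_MANAGED | {"CKA_VALUE"}}
# Key lengths in bytes fixed by CKA_KEY_TYPE (AES allows three sizes).
KEY_SIZES = {"CKK_DES": {8}, "CKK_DES2": {16}, "CKK_DES3": {24},
             "CKK_AES": {16, 24, 32}}

def check_template(template, function):
    """Return the problems found in `template`, a list of (attribute, value)
    pairs in call order, when submitted to the named PKCS#11 function."""
    problems = []
    for name, count in Counter(name for name, _ in template).items():
        if count > 1:  # the same attribute twice is an inconsistent template
            problems.append(f"{name} specified {count} times")
    attrs = dict(template)
    for name in sorted(REQUIRED[function] - attrs.keys()):
        problems.append(f"{name} is required by {function}")
    for name in sorted(FORBIDDEN[function] & attrs.keys()):
        problems.append(f"{name} must not be specified for {function}")
    value = attrs.get("CKA_VALUE")
    sizes = KEY_SIZES.get(attrs.get("CKA_KEY_TYPE"))
    if isinstance(value, bytes) and sizes and len(value) not in sizes:
        problems.append(f"CKA_VALUE has {len(value)} bytes; "
                        f"{attrs['CKA_KEY_TYPE']} needs one of {sorted(sizes)}")
    return problems

# Constructed sample: the attribute set from the first post, with a placeholder
# 8-byte DES value standing in for the generated key.
FIRST_POST_TEMPLATE = [
    ("CKA_CLASS", "CKO_SECRET_KEY"), ("CKA_KEY_TYPE", "CKK_DES"),
    ("CKA_LABEL", "DACANC"), ("CKA_ID", "DACANC"), ("CKA_TOKEN", True),
    ("CKA_PRIVATE", True), ("CKA_MODIFIABLE", True), ("CKA_VALUE", bytes(8)),
    ("CKA_SENSITIVE", True), ("CKA_EXTRACTABLE", True), ("CKA_ENCRYPT", True),
    ("CKA_DECRYPT", True), ("CKA_WRAP", True), ("CKA_UNWRAP", True),
    ("CKA_SIGN", True), ("CKA_VERIFY", True), ("CKA_DERIVE", False),
    ("CKA_ALWAYS_SENSITIVE", True), ("CKA_LOCAL", False),
]
```

Running `check_template(FIRST_POST_TEMPLATE, "C_CreateObject")` reports the two token-managed attributes; the same template without them passes the checker's rules.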

9/24/2012 1:52:14 PM

Re: secret key load

Thank you for the response, but it doesn't work.

I've cut some attributes but get the same error code.

CryptokiCollection template = new CryptokiCollection();
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, label));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, false));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, keyValue));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, false));

session.Objects.Create(template);

TEMPLATE_INCONSISTENT even if decrypt and encrypt were set to false, or modifiable and sensitive to true.

Have you got any idea?

Thanks

Andrea

9/24/2012 4:06:33 PM

Re: secret key load

Is it possible that I have to include some SafeNet class attribute from the SafeNet class?

Thanks

Andrea

10/5/2012 8:48:13 AM

Re: secret key load

Hi,

I found the solution and I'm posting it now for other people who have the same problem.

In Luna PCI it is not possible to directly create a key (neither a secret key nor a private key); the key must be derived, cloned, or unwrapped.

I've unwrapped the key this way:

- generate a key on the fly on the token
- encrypt the key with the just-generated key
- unwrap the key on the token with the just-generated key
- delete the temporary key

Hope this helps

Andrea

12/14/2012 5:43:23 PM

Re: secret key load

Hi Andrea,

Would it be possible to share the commands that you have used to successfully unwrap the key?

- generate on the fly a key on the token
- crypt the key with the just generated key
- unwrap the key on the token with the just generated key
- delete the temporary key

Thanks,

12/18/2012 4:55:27 PM

Re: secret key load

Hi tomasfou,

The code I meant is something like this:

// Assumes an open, logged-in NCryptoki Session stored in the field "session".
public void storeKey(byte[] keyValue, string label, string algo)
{
    SecretKey wrappingKey = generaDES3ToWrap(session); // on-the-fly session key used only for this import
    session.EncryptInit(Mechanism.DES3_ECB, wrappingKey);
    byte[] bytes = session.Encrypt(keyValue); // encrypt the raw key bytes with the generated key
    // Create a template with the necessary properties
    CryptokiCollection template = new CryptokiCollection();
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
    if (algo.Equals("DES3") || algo.Equals("DES"))
    {
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES3));
    }
    else
    {
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_AES));
    }
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SIGN, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_VERIFY, true));
    Key wrappata = session.UnwrapKey(Mechanism.DES3_ECB, wrappingKey, bytes, template); // unwrap the encrypted key into a token object described by the template
    session.Objects.Destroy(wrappingKey); // destroy the temporary key
}

// Generate a key on the fly (a non-extractable session object, not stored on the token)
private SecretKey generaDES3ToWrap(Session session)
{
    string labelTempKey = "Temp key to wrap";
    CryptokiCollection template = new CryptokiCollection();
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES3));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, labelTempKey));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, false));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_VERIFY, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SIGN, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_DERIVE, false));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_EXTRACTABLE, false));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE_LEN, 24));
    Key key = session.GenerateKey(Mechanism.DES3_KEY_GEN, template);
    return (SecretKey)key;
}

12/18/2012 6:06:42 PM

Re: secret key load

Thank you. In my case, I was able to find the command syntax and use the "cmu importkey" command to take the key in.

# cmu importkey -in file.pem -keyalg RSA

11/3/2015 9:35:46 AM

Re: secret key load

I have the SAME code and it returns error 272 when I try to save a 16-byte key. Why?

11/11/2015 2:56:51 PM

Re: secret key load

PKCS#11 error codes are described in our wiki:

http://wiki.ncryptoki.com/How-NCryptoki-manages-PKCS-11-errors.ashx