Sign CSR (PKCS#10) with SHA256

5/23/2013 8:30:14 PM

Sign CSR (PKCS#10) with SHA256

Hi people,
I would like to ask if someone can help me with a question.

I'm trying to issue a digital certificate using a SafeNet eToken Pro. I can already generate a 2048-bit RSA key pair and a CSR signed using SHA1, but here in Brazil the CSR must be signed with SHA256.

 

The point is, I need to pass the SignInit method the algorithm (mechanism) that will be used to hash and sign, and the Mechanism class only provides SHA1_RSA_PKCS.

 

// Starts a signing operation with the combined hash-and-sign mechanism SHA1_RSA_PKCS
// (SHA-1 digest followed by an RSA PKCS #1 v1.5 signature) and the given private key.
session.SignInit(Mechanism.SHA1_RSA_PKCS, privateKey);

 

I checked with pkcs11-tool (openSC) and my token supports SHA256_RSA_PKCS, but I can't send this option through the SignInit method.

I will appreciate any help.

Thank you.


Eder Souza
ederapsouza@yahoo.com.br

5/27/2013 2:31:18 AM

Re: Sign CSR (PKCS#10) with SHA256

Hello guys, I will answer my own question about signing the CSR using SHA256.

I created a new Mechanism object called SHA256_RSA_PKCS from Mechanism.SHA1_RSA_PKCS and changed its MechanismType to 64 (code below). The value 64 is 0x40, which PKCS#11 assigns to CKM_SHA256_RSA_PKCS.

 

// NOTE(review): the thread describes Mechanism as a class. If it is a reference type, this
// assignment does not copy anything: SHA256_RSA_PKCS and Mechanism.SHA1_RSA_PKCS are the
// same object, so the change below also applies to every later use of SHA1_RSA_PKCS.
// Confirm against the library, and prefer building a separate Mechanism if it allows one.
Mechanism SHA256_RSA_PKCS = Mechanism.SHA1_RSA_PKCS;

// 64 == 0x40, the PKCS#11 mechanism value of CKM_SHA256_RSA_PKCS.
SHA256_RSA_PKCS.MechanismType = 64;

 

After that I used this new object in Session.SignInit and everything works!

 

// SHA256_RSA_PKCS is the Mechanism whose MechanismType was set to 64 (CKM_SHA256_RSA_PKCS),
// so the token hashes the data given to Sign with SHA-256 before the RSA signature.
session.SignInit(SHA256_RSA_PKCS, privateKey);

 

Now I will see how I can install the digital certificate issued inside the token. :)

 

Eder Souza

5/27/2013 3:34:27 AM

Re: Sign CSR (PKCS#10) with SHA256

Hi Guys,

I will share my code to generate a CSR signed with SHA256 and to install the digital certificate issued. See the code below. This code works very well with Safenet eToken.

 

   private void generateCSR(object sender, EventArgs e)
   {


            Mechanism SHA256_RSA_PKCS = Mechanism.SHA1_RSA_PKCS;

            SHA256_RSA_PKCS.MechanismType = 64;

            Session session = null;
            try
            {
                Cryptoki cryptoki = new Cryptoki("eTPKCS11.dll");
                cryptoki.Initialize();

                session = cryptoki.Slots[0].Token.OpenSession(Session.CKF_SERIAL_SESSION | Session.CKF_RW_SESSION, null, null);
                session.Login(Session.CKU_USER, "12345");


                CryptokiCollection templatePub = new CryptokiCollection();
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PUBLIC_KEY));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, false));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "SERASA"));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, "1"));
                templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS_BITS, 2048));
                //templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, 0x010001));

                CryptokiCollection templatePri = new CryptokiCollection();
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "SERASA"));
                templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, "1"));
 

                Key[] keys = session.GenerateKeyPair(Mechanism.RSA_PKCS_KEY_PAIR_GEN, templatePub, templatePri);


                RSAPrivateKey privateKey = (RSAPrivateKey)keys[1];

                RSAPublicKey publicKey = (RSAPublicKey)keys[0];

                X509Name distinguishedName = new X509Name("OU=Consultoria, O=ICP-Brasil, C=BR, E=esouza@esafer.com, CN=Eder Souza");
               CertificationRequestInfo reqInfo = new CertificationRequestInfo(distinguishedName,
                         new SubjectPublicKeyInfo(new AlgorithmIdentifier(PkcsObjectIdentifiers.RsaEncryption, DerNull.Instance),
                         new RsaPublicKeyStructure(new BigInteger(1, publicKey.Modulus), new BigInteger(1

                         publicKey.PublicExponent)).GetDerEncoded())

                        ,null);

              session.SignInit(SHA256_RSA_PKCS, privateKey);

              byte[] signature = session.Sign(reqInfo.GetDerEncoded());

              CertificationRequest pkcs10 = new CertificationRequest(reqInfo, new AlgorithmIdentifier(PkcsObjectIdentifiers.Sha256WithRsaEncryption,

              DerNull.Instance), new DerBitString(signature));

             txtCSR.Text = System.Convert.ToBase64String(pkcs10.GetDerEncoded());

             session.Logout();


}
catch (Exception ex)
{
     MessageBox.Show(ex.Message);
     if (session.IsLoggedIn)
            session.Logout();

}

}

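/// <summary>
/// Click handler: shows basic token information in <c>txtCSR</c>, then stores the
/// Base64-encoded DER certificate from <c>txtCert</c> on the token as a certificate object.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void installCert(object sender, EventArgs e)
{
    Session session = null;
    try
    {
        Cryptoki cryptoki = new Cryptoki("eTPKCS11.dll");
        cryptoki.Initialize();

        // NOTE(review): Slots[0] assumes the token sits in the first slot reported.
        session = cryptoki.Slots[0].Token.OpenSession(Session.CKF_SERIAL_SESSION | Session.CKF_RW_SESSION, null, null);

        // NOTE(review): the user PIN is hard-coded in source; ask the user for it at run
        // time instead of shipping it with the application.
        session.Login(Session.CKU_USER, "12345");

        Token token = session.Token;
        TokenInfo info = token.Info;
        txtCSR.Text = "";
        txtCSR.Text = "Firmaware Version: " + info.FirmwareVersion + Environment.NewLine + "Hardware Version: " + info.HardwareVersion + Environment.NewLine + "Serial Number: " + info.SerialNumber + Environment.NewLine + "Model: " + info.Model + Environment.NewLine + "Total Free Memory: " + info.FreePrivateMemory;

        // Read the certificate pasted into txtCert; it must be bare Base64 of the DER
        // encoding, since FromBase64String rejects any other characters.
        // NOTE(review): nothing here checks that the certificate's public key matches the
        // key pair stored under the same CKA_ID, or that the certificate came from the
        // expected issuer; add both checks before writing to the token.
        X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(txtCert.Text));

        // CKA_ID as raw bytes. The key-generation code in this thread passes the string "1";
        // presumably both end up as the same single byte — confirm, because applications
        // pair certificate and private key by CKA_ID.
        byte[] id = Encoding.ASCII.GetBytes("1");

        // Template for a persistent, publicly readable X.509 certificate object.
        CryptokiCollection template = new CryptokiCollection();
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_TRUSTED, false));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, false));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "SERASA"));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, id));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData));
        //template.Add(new ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.Issuer));
        //template.Add(new ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.SerialNumber));
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData));

        // Create the certificate object on the token; the returned handle is not needed.
        session.Objects.Create(template);
        session.Logout();
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);

        // session is still null when loading the module, Initialize or OpenSession failed.
        if (session != null && session.IsLoggedIn)
        {
            session.Logout();
        }
    }
}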

 

5/28/2013 9:14:58 AM
Ugo Chirico http://www.ugochirico.com

Re: Sign CSR (PKCS#10) with SHA256

Many thanks for sharing your solution with us!