hsm compatibility

You must sign in to post in the forums.
9/23/2010 3:52:59 AM
smokimk
Gravatar
Total Posts 6
View Posts

hsm compatibility

Hi,

Is NCryptoki compatible with Thales NShield Solo?
Is there known software emulator HSM that is compatible with NCryptoki for development purposes? Maybe with Mozilla NSS or OpenDNSSEC?

Thanks in advance, 
Pance

9/23/2010 3:23:04 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: hsm compatibility

Hi Smokink,

NCryptoki is compatible with any PKCS#11 token.
Because Thales NShield Solo supplies a PKCS#11 interface NCryptoki is compatible with it.

As HSM emulator you can use SoftHSM (compiled for windows platform) from OpenDNSSEC or any other HSM emulator that has a PKCS#11 interface.

Regards,

Ugo Chirico
http://www.ugochirico.com

9/24/2010 1:06:15 AM
smokimk
Gravatar
Total Posts 6
View Posts

Re: hsm compatibility

I compiled SoftHSM under windows in cygwin (windows 7, 64bit). I created tokens and initialized them through softhsm command under cygwin. Now, how can I connect to this HSM through NCryptoki? When I start your example (under visual studio 2008, C#, .NET 2.0) on the line Cryptoki cryptoki = new Cryptoki("smaoscki.dll"); it throws an exception BadImageFormatException with the following message:

Could not load file or assembly 'file:///C:\Users\mine\Desktop\NCryptoki\NCryptoki\examples\C#\TestNCryptoki\bin\Debug\NCryptokiMngd.dll' or one of its dependencies. An attempt was made to load a program with an incorrect format.

 

Thanks in advance, 
Pance

9/24/2010 1:16:54 AM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: hsm compatibility

Hi,

first of all, in the Cryptoki constructor instead of smaoscki.dll you should write the path to the SoftHSM PKCS#11 dll (I don't remember the name).

Then, because you are working on a 64bit you must use the 64bit version of the NCryptoki dlls, that you find in the zip under lib/x64.

let me know...

Regards,

Ugo Chirico
http://www.ugochirico.com

9/24/2010 1:31:59 AM
smokimk
Gravatar
Total Posts 6
View Posts

Re: hsm compatibility

Can't find softhsm dll file, cygwin created exe files (softhsm and softhsm-keyconv). I can see that cygwin create dll files when I compiled sqlite3 for example, but for softhsm I can't find dll files. In the compiled dir I can find different c, o, am, po and the mentioned exe files.

Pance

9/24/2010 12:37:33 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: hsm compatibility

On windows any PKCS#11 module must be implemented as dll.

I don't know SoftHSM in depth, but compiling it by Cygwin is as you are working on a linux system, this is why you don't get a dll.

You should read the SoftHSM documentation to see how to compile it on windows and ho to get the related PKCS#11 dll to access it.

 

Let me know...

 

Ugo

10/8/2010 1:56:33 PM
smokimk
Gravatar
Total Posts 6
View Posts

Re: hsm compatibility

I got the hardware hsm so I will continue testing with it. The HSM is NCipher NFast pcie module. I'm trying the code with the C# examples and on the line

Key[] keys = session.GenerateKeyPair(Mechanism.RSA_PKCS_KEY_PAIR_GEN, templatePub, templatePri);

it is giving me exception "Error n. 209". I tested the pkcs#11 through nfast test binaries, and it is creating rsa keys successfully. What can be the problem?

 

Thanks in advance,
Pance

10/8/2010 10:10:52 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: hsm compatibility

Hi,

the error 209 (0xD1) means CKR_TEMPLATE_INCONSISTENT (you can see all the error codes in the class CryptokiException)
This error means that the template you used in the call to GenerateKeyPair has some invalid or missing attributes.

The sample code I supply together with NCryptoki shows how to call GenerateKeyPair for a generic token/HSM with a minimum set of attributes, but each token/HSM wants a specific set of attributes in the tamplate (for example CKA_SENSITIVE set to true or CKA_MODIFIABLE set to true).

Read the documentation of your HSM to know what attributes are needed.

 

Regards,

Ugo Chirico

10/9/2010 2:50:38 PM
smokimk
Gravatar
Total Posts 6
View Posts

Re: hsm compatibility

I found the correct attributes to create key pair. Now when I created the keypair in hsm I need to get the private key, but the I get ATTRIBUTE_SENSITIVE exceptions for the private key parameters. These are the attributes used:

 

CryptokiCollection templatePub = new CryptokiCollection();
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PUBLIC_KEY));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_VERIFY, true));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, key_label));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS_BITS, 1024));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, "123"));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, true));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PUBLIC_EXPONENT, "101"));

CryptokiCollection templatePri = new CryptokiCollection();
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, false));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_ALWAYS_SENSITIVE, false));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_EXTRACTABLE, false));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_SIGN, true));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
templatePri.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, key_label));

When I set CKA_EXTRACTABLE to false then it gives me INCONSISTENT exception.

Thanks in advance, 
Pance

10/9/2010 6:50:36 PM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: hsm compatibility

not all HSMs and tokens allow to extract a generated private key (for security reasons). This is why your HSM doesn't allow to set EXTRACTABLE to true and raises an exception when you try to export it.

If you need to have in the HSM an exportable private key you first must create the key pair in another way and then import the private key in the HSM.

Regards,

Ugo

10/10/2010 7:39:47 PM
smokimk
Gravatar
Total Posts 6
View Posts

Re: hsm compatibility

I managed to export the private keys from HSM by using security override.

What is the difference between C_Sign and C_SignRecover? As I read in the pkcs#11 docs, the second is a sign where the data can be recovered from the signature. I think I need this in my implementation, but the NCryptoki is returning code 112 from the SignRecoverInit operation (where I'm giving in the Mechanism.SHA1_RSA_PKCS and the private RSA key. If this method was successful, how can I recover the data from the signature? 

Thanks in advance, 
Pance

10/11/2010 9:08:15 AM
Ugo Chirico
Gravatar
Total Posts 300
View Posts
Ugo Chirico http://www.ugochirico.com

Re: hsm compatibility

error 112 (0x70) means CKR_MECHANISM_INVALID.
This means that the mechanism you used Mechanism.SHA1_RSA_PKCS is not valid for your HSM for SignRecover function.

The list of all errors with its meaning is in CryptokiException class.

 

You must sign in to post in the forums.