Private key

6/8/2012 12:28:27 PM

Private key

Hi,

I'm trying to store in my Luna PCI HSM a private key from a generated certificate.

Using the BouncyCastle library to create a certificate, the code looks like this:

using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using NCryptoki; // PKCS#11 wrapper: CryptokiCollection, ObjectAttribute, CryptokiObject, Key, Certificate

// label: string used for CKA_LABEL / CKA_ID; session: an open, logged-in NCryptoki session
var keypairgen = new RsaKeyPairGenerator();
// 1024-bit RSA is below current minimums (2048 or more); kept as in the original post
keypairgen.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 1024));
var keypair = keypairgen.GenerateKeyPair();

// Self-signed certificate: subject and issuer are the same name
var gen = new X509V3CertificateGenerator();
var CN = new X509Name("CN=" + label);
var SN = BigInteger.ProbablePrime(120, new Random());
gen.SetSerialNumber(SN);
gen.SetSubjectDN(CN);
gen.SetIssuerDN(CN);
gen.SetNotAfter(DateTime.MaxValue);
gen.SetNotBefore(DateTime.Now.Subtract(new TimeSpan(7, 0, 0, 0)));
gen.SetSignatureAlgorithm("SHA1WithRSA"); // SHA-1 signatures are deprecated; kept as posted
gen.SetPublicKey(keypair.Public);
var newCert = gen.Generate(keypair.Private);

X509Certificate2 cert = new X509Certificate2(DotNetUtilities.ToX509Certificate(newCert));

// CKO_CERTIFICATE template
CryptokiCollection certTemplate = new CryptokiCollection();
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE));
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509));
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, false)); // certificates are public objects
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));    // persist on the token
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData));  // DER name
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, Encoding.ASCII.GetBytes(label)));  // same CKA_ID as the key pair
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData));                 // DER certificate
// CKA_ISSUER and CKA_SERIAL_NUMBER are DER-encoded values, not the .NET display strings
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.IssuerName.RawData));
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, new DerInteger(newCert.SerialNumber).GetDerEncoded()));
certTemplate.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, false));
session.Objects.Create(certTemplate);

So far all works fine. Now I want to store the private key of the certificate, but I get a CKR_TEMPLATE_INCONSISTENT error with the following code:

// Export the private key as a PKCS#8 PrivateKeyInfo blob and try to store that blob as CKA_VALUE
PrivateKeyInfo privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(keypair.Private);
byte[] serializedKey = privateKeyInfo.ToAsn1Object().GetDerEncoded();
CryptokiCollection templatePub = new CryptokiCollection();
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "SS" + label));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
//templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
//templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
//templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
// CKO_PRIVATE_KEY objects have no CKA_VALUE attribute (the cause of the error; see the reply below)
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, serializedKey));
session.Objects.Create(templatePub);

What am I doing wrong?

Could you please help me?

Thanks in advance.

Regards

Andrea

6/8/2012 2:19:16 PM
Ugo Chirico http://www.ugochirico.com

Re: Private key

The problem is this:

templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, serializedKey));

A PrivateKey object doesn't have a VALUE attribute. Instead, it has CKA_MODULUS and CKA_PRIVATE_EXPONENT.

So you should write instead:

// modulus, privateExponent: byte[] holding n and d as unsigned big-endian integers
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS, modulus));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, privateExponent));

6/8/2012 2:58:33 PM

Re: Private key

Hi,

thank you for the response.

I've tried with modulus and exponent this way:

// BouncyCastle keeps the CRT parameters too; n and d are what this template supplies
RsaPrivateCrtKeyParameters keyParams = (RsaPrivateCrtKeyParameters)keypair.Private;

CryptokiCollection templatePub = new CryptokiCollection();
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_RSA));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "SS" + label));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
// CKA_ENCRYPT is a public/secret-key attribute; private keys take CKA_DECRYPT, CKA_SIGN, CKA_UNWRAP
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
// PKCS#11 big integers are unsigned, most-significant byte first. ToByteArray() is two's
// complement and prepends 0x00 when the top bit is set, so use ToByteArrayUnsigned().
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_MODULUS, keyParams.Modulus.ToByteArrayUnsigned()));
templatePub.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE_EXPONENT, keyParams.Exponent.ToByteArrayUnsigned())); // Exponent is d for a private key
session.Objects.Create(templatePub);

but no luck, same error.

Maybe I forgot something?

Thanks

Andrea

6/8/2012 3:08:25 PM
Ugo Chirico http://www.ugochirico.com

Re: Private key

Maybe some other attribute is still needed in the template, such as CKA_ID, CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_MODIFIABLE, and so on.

The attributes depend on the underlying PKCS#11 module.

Try to add one of the missing attributes at a time until it works.
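As an added example (not code from this thread, from NCryptoki or from BouncyCastle), the attribute-by-attribute approach suggested above can be rehearsed offline before touching the HSM. The Python below builds a toy RSA key from small constructed primes, wraps it as the same PKCS#8 PrivateKeyInfo blob the first attempt stored in CKA_VALUE, pulls the components back out of that blob, and assembles a CKO_PRIVATE_KEY template from them. A local pre-flight check then flags template mistakes that a module may report as CKR_TEMPLATE_INCONSISTENT: CKA_VALUE or CKA_ENCRYPT on a private key (those belong to public or secret keys), a big integer carrying a sign byte (PKCS#11 wants unsigned, most-significant byte first, which is what BouncyCastle's ToByteArrayUnsigned() returns and ToByteArray() does not), and an incomplete set of CRT components. Assumptions: attribute names are plain strings standing in for the CKA_* constants of whatever wrapper is used; the all-or-none rule for CRT fields and the leading-zero warning are this check's own heuristics; which extra attributes a given module insists on remains module-specific, as the reply above says.

```python
"""Added example: from a PKCS#8 PrivateKeyInfo blob to a PKCS#11 CKO_PRIVATE_KEY
template, with a local pre-flight check of the template (not NCryptoki code)."""
from typing import Dict, List, Tuple

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
CRT = ("CKA_PRIME_1", "CKA_PRIME_2", "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT")
BIG_INTS = ("CKA_MODULUS", "CKA_PUBLIC_EXPONENT", "CKA_PRIVATE_EXPONENT") + CRT
PUBLIC_ONLY = ("CKA_VALUE", "CKA_ENCRYPT", "CKA_VERIFY", "CKA_WRAP")  # not private-key attributes
FIELDS = ("n", "e", "d", "p", "q", "dP", "dQ", "qInv")  # RSAPrivateKey field order (RFC 3447)

def to_unsigned_be(n: int) -> bytes:
    """PKCS#11 'Big integer': unsigned, most-significant byte first (BC ToByteArrayUnsigned)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def bc_to_byte_array(n: int) -> bytes:
    """What BouncyCastle/Java BigInteger.ToByteArray() gives: two's complement, so a value
    whose top bit is set gains a leading 0x00. Right for DER INTEGER, wrong for CKA_MODULUS."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)

# --- just enough DER to build and read PrivateKeyInfo / RSAPrivateKey ---
def der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(to_unsigned_be(n))]) + to_unsigned_be(n)
    return bytes([tag]) + length + body

def der_int(n: int) -> bytes:
    return der_tlv(0x02, bc_to_byte_array(n))

def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, next_pos) of the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body: bytes) -> List[bytes]:
    out, pos = [], 0
    while pos < len(body):
        _tag, child, pos = der_read(body, pos)
        out.append(child)
    return out

def rsa_from_primes(p: int, q: int, e: int) -> Dict[str, int]:
    """Constructed toy key material (tiny primes) so the example runs offline; real keys come
    from the HSM or a CSPRNG-backed generator. Needs Python 3.8+ for pow(x, -1, m)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dP": d % (p - 1), "dQ": d % (q - 1), "qInv": pow(q, -1, p)}

def pkcs8_encode(k: Dict[str, int]) -> bytes:
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, privateKey OCTET STRING }"""
    rsa_key = der_tlv(0x30, der_int(0) + b"".join(der_int(k[f]) for f in FIELDS))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, rsa_key))

def pkcs8_decode(der: bytes) -> Dict[str, int]:
    """The components a template needs are *inside* this blob; a module does not accept the
    whole blob as the CKA_VALUE of a private key."""
    _tag, body, _ = der_read(der)
    _version, alg, octets = der_children(body)[:3]
    if der_children(alg)[0] != RSA_OID:
        raise ValueError("not an rsaEncryption PrivateKeyInfo")
    _tag, rsa_body, _ = der_read(octets)
    ints = [int.from_bytes(c, "big", signed=True) for c in der_children(rsa_body)]
    return dict(zip(FIELDS, ints[1:]))  # ints[0] is the RSAPrivateKey version

def build_private_key_template(k: Dict[str, int], label: str, key_id: bytes) -> Dict[str, object]:
    """Attribute names stand in for the CKA_* constants of whatever PKCS#11 wrapper is used."""
    t = {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_KEY_TYPE": "CKK_RSA", "CKA_TOKEN": True,
         "CKA_PRIVATE": True, "CKA_SENSITIVE": True, "CKA_EXTRACTABLE": False,
         "CKA_LABEL": label, "CKA_ID": key_id,  # same CKA_ID as the matching certificate
         "CKA_DECRYPT": True, "CKA_SIGN": True}
    values = (k["n"], k["e"], k["d"], k["p"], k["q"], k["dP"], k["dQ"], k["qInv"])
    t.update({name: to_unsigned_be(v) for name, v in zip(BIG_INTS, values)})
    return t

def check_private_key_template(t: Dict[str, object]) -> List[str]:
    """Local pre-flight so mistakes surface before the HSM answers CKR_TEMPLATE_INCONSISTENT."""
    problems = []
    if t.get("CKA_CLASS") != "CKO_PRIVATE_KEY":
        problems.append("CKA_CLASS must be CKO_PRIVATE_KEY")
    for a in ("CKA_KEY_TYPE", "CKA_MODULUS", "CKA_PUBLIC_EXPONENT", "CKA_PRIVATE_EXPONENT"):
        if a not in t:
            problems.append(f"missing {a}")
    problems += [f"{a} is not a private-key attribute" for a in PUBLIC_ONLY if a in t]
    for a in BIG_INTS:
        v = t.get(a)
        if isinstance(v, bytes) and len(v) > 1 and v[0] == 0:
            problems.append(f"{a} has a leading 0x00 byte (signed ToByteArray output?)")
    present = [a for a in CRT if a in t]
    if present and len(present) != len(CRT):  # this check's own rule: CRT fields all or none
        problems.append("CRT components must be supplied together or not at all")
    return problems
```

Run check_private_key_template over the template before the equivalent of session.Objects.Create: an empty list means the local rules passed, which still leaves the module's own requirements (extra attributes a particular HSM insists on) to be found one attribute at a time, as the reply above suggests. The same to_unsigned_be conversion is the fix for the ToByteArray() encoding in the C# above.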

6/8/2012 4:22:34 PM

Re: Private key

Hi,

Sorry, but I can't get the code to work; I always get the same error.

Is it possible that I'd have better luck doing the reverse, i.e. generating a key pair first and then creating a certificate with the just-created keys?

Thanks a lot.

Andrea