Hi,

I've to load some secret keys (DES, 3DES, AES) on a Luna HSM.

I'm able to do this with Java API but I havent find a way with c#.

Here's the code snippet for DES:

            DESCryptoServiceProvider tdes = new DESCryptoServiceProvider();
            tdes.GenerateKey();
            byte[] keyValue = tdes.Key;
          

            CryptokiCollection template = new CryptokiCollection();
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, label));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, keyValue));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_EXTRACTABLE, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_EXTRACTABLE, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_SIGN, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_VERIFY, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_DERIVE, false));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_ALWAYS_SENSITIVE, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_LOCAL, false));

          
            session.Objects.Create(template);

 

The response was always CKR_TEMPLATE_INCONSISTENT

I first tried with a small set of attributes, adding one at a time untill I've reached the set that seem have the key inserted with Java API:

Object
handle=5
CKA_CLASS=04000000
CKA_TOKEN=01
CKA_PRIVATE=01
CKA_LABEL=DACANC
CKA_KEY_TYPE=15000000
CKA_ID=00000139e3cd4f3b
CKA_SENSITIVE=01
CKA_ENCRYPT=01
CKA_DECRYPT=01
CKA_WRAP=01
CKA_UNWRAP=01
CKA_SIGN=01
CKA_VERIFY=01
CKA_DERIVE=00
CKA_START_DATE=
CKA_END_DATE=
CKA_VALUE_LEN=18000000
CKA_LOCAL=00
CKA_MODIFIABLE=01
CKA_EXTRACTABLE=01
CKA_ALWAYS_SENSITIVE=01
CKA_NEVER_EXTRACTABLE=00
CKA_CCM_PRIVATE=00
CKA_FINGERPRINT_SHA1=c6f41651262ef37ecbc0543931c4166abdbab842

Can you suggest me some more actions to do?

Thanks

Andrea

Thank you for the response, but it doesn't works.

I've cut off some attributes but the same error code.

CryptokiCollection template = new CryptokiCollection();
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, label));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_MODIFIABLE, false));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, keyValue));
            template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, false));

            session.Objects.Create(template);

TEMPLATE_INCONSISTENT even if decrypt,encrypt was set to false or modifiable and sensitive to true.

Have you got any idea?

Thanks

Andrea 

Hi,

I found the solution and I post it now for other people that have the same problem.

In Luna PCI is not possible to directly create a key (secret key nor private key); the key must be derived or cloned or unwrapped.

I've unwrapped the key that wey:

- generate on the fly a key on the token

- crypt the key with the just generated key

- unwrap the key on the token with the just generated key

- delete the temporary key

Hope this help

Andrea

Hi tomasfou,

the code I meant is something like this: 

public void storeKey(byte[] keyValue, String label, string algo)
{
    SecretKey wrappingKey = generaDES3ToWrap(session); // on the fly key
    session.EncryptInit(Mechanism.DES3_ECB, wrappingKey);
    byte[] bytes = session.Encrypt(keyValue); // encrypt the array with the generated key

    // Create a template with necessary properties
    CryptokiCollection template = new CryptokiCollection();
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
    if (algo.Equals("DES3") || algo.Equals("DES"))
    {
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES3));
    }
    else
    {
        template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_AES));
    }
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, label));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SIGN, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_VERIFY, true));

    Key wrappata = session.UnwrapKey(Mechanism.DES3_ECB, wrappingKey, bytes, template); // unwrap the template with the on the fly key
    session.Objects.Destroy(wrappingKey); // destroy the temporary key
}

// Generate a key on the fly
private SecretKey generaDES3ToWrap(Session session)
{
    string labelTempKey = "Temp key to wrap";
    CryptokiCollection template = new CryptokiCollection();
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_SECRET_KEY));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_KEY_TYPE, Key.CKK_DES3));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, labelTempKey));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, false));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_ENCRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_DECRYPT, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SENSITIVE, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_VERIFY, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_SIGN, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_WRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_UNWRAP, true));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_DERIVE, false));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_EXTRACTABLE, false));
    template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE_LEN, 24));
    Key key = session.GenerateKey(Mechanism.DES3_KEY_GEN, template);
    return (SecretKey)key;
}

I have the SAME code and it returns me error 272 when I try to save a 16 byte key.. why?