HSM 生成自签名证书报告 "wrapping key handle invalid" 错误
HSM generate self-signed cert report "wrapping key handle invalid" error
使用 HSM(使用 PKCS11 标准 API)生成自签名证书报告 "wrapping key handle invalid" 错误(错误代码 113、CKR_WRAPPING_KEY_HANDLE_INVALID)。当使用 GUI ctbrowser 工具生成或使用类似于他们的演示的代码时,都会发生这种情况。
这里是一个重现问题的代码示例,它生成一个 RSA 密钥对,然后尝试用它们生成一个自签名证书。
int main()
{
int rv;
CK_CHAR pwd[] = "password";
static char pubkeyLabel[256]="demoPub";
static char prvkeyLabel[256]="demoPrv";
static CK_BYTE id[256];
static CK_BBOOL isTok = TRUE;
static CK_BBOOL True = TRUE;
static CK_BBOOL False = FALSE;
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hPubKey;
CK_OBJECT_HANDLE_PTR phPubKey = &hPubKey;
CK_OBJECT_HANDLE hSignerKey;
CK_OBJECT_HANDLE_PTR phSignerKey = &hSignerKey;
CK_OBJECT_HANDLE hCert;
CK_OBJECT_HANDLE_PTR phCert = &hCert;
CK_MECHANISM mechanism = { 0, NULL, 0 };
static CK_SIZE mBits=2048;
static char edate[] = {'2','0','2','0','1','2','3','1'};
static char certLabel[128]="demo_cert";
static char subject[256]="C=XX,ST=XX,L=XX,O=MEOW,OU=HSM,CN=TESTCERT";
CK_ATTRIBUTE publicKeyTemplate[] = {
{CKA_TOKEN, &isTok, 1},
{CKA_PRIVATE, &False, 1},
{CKA_LABEL, pubkeyLabel, sizeof(pubkeyLabel)},
{CKA_SUBJECT_STR, subject, sizeof(subject)},
{CKA_MODULUS_BITS, &mBits, sizeof(mBits)},
{CKA_ENCRYPT, &False, 1},
{CKA_VERIFY, &True, 1},
{CKA_WRAP, &False, 1},
{CKA_DERIVE, &True, 1},
{CKA_EXTRACTABLE, &True, 1},
{CKA_EXPORTABLE, &True, 1}
};
CK_ATTRIBUTE privateKeyTemplate[] = {
{CKA_TOKEN, &isTok, 1},
{CKA_LABEL, prvkeyLabel, sizeof(prvkeyLabel)},
{CKA_PRIVATE, &True, 1},
{CKA_SUBJECT_STR, subject, sizeof(subject)},
{CKA_ID, id, sizeof(id)},
{CKA_SENSITIVE, &True, 1},
{CKA_DECRYPT, &False, 1},
{CKA_SIGN, &True, 1},
{CKA_UNWRAP, &True, 1},
{CKA_WRAP, &False, 1},
{CKA_EXTRACTABLE, &False, 1},
{CKA_EXPORTABLE, &False, 1}
};
CK_ATTRIBUTE certTemplate[] = {
{CKA_TOKEN, &True, 1},
{CKA_PRIVATE, &False, 1},
{CKA_LABEL, certLabel, sizeof(certLabel)},
{CKA_SUBJECT_STR, subject, sizeof(subject)},
{CKA_ISSUER_STR, subject, sizeof(subject)},
{CKA_END_DATE, edate, sizeof(edate)},
{CKA_EXTRACTABLE, &True, 1},
{CKA_EXPORTABLE, &True, 1}
};
printf("Generate cert %s from %s, signed by %s.\n", certLabel, pubkeyLabel, prvkeyLabel);
rv = C_Initialize(NULL_PTR);
if ( rv ) return rv;
rv = C_OpenSession(0, CKF_RW_SESSION|CKF_SERIAL_SESSION, NULL, NULL, &hSession);
rv = C_Login(hSession, CKU_USER, pwd, 8);
publicKeyTemplate[2].valueLen = (CK_SIZE)strlen((char*)pubkeyLabel);
publicKeyTemplate[3].valueLen = (CK_SIZE)strlen((char*)subject)+1;
privateKeyTemplate[1].valueLen = (CK_SIZE)strlen((char*)prvkeyLabel);
privateKeyTemplate[3].valueLen = (CK_SIZE)strlen((char*)subject)+1;
mechanism.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
rv = C_GenerateKeyPair(hSession, &mechanism,
publicKeyTemplate, NUMITEMS(publicKeyTemplate),
privateKeyTemplate, NUMITEMS(privateKeyTemplate),
phPubKey, phSignerKey);
printf("Keypair generated with rv=%x\n", rv);
mechanism.mechanism = CKM_SHA256_RSA_PKCS;
rv = C_SignInit(hSession, &mechanism, hSignerKey);
printf("cert signer initiated with rv=%x\n", rv);
mechanism.mechanism = CKM_ENCODE_X_509;
certTemplate[2].valueLen = (CK_SIZE)strlen((char*)certLabel);
certTemplate[3].valueLen = (CK_SIZE)strlen((char*)subject)+1;
certTemplate[4].valueLen = (CK_SIZE)strlen((char*)subject)+1;
rv = C_DeriveKey(hSession, &mechanism,
hPubKey,
certTemplate, NUMITEMS(certTemplate),
phCert);
printf("cert generation finished with rv=%x\n", rv);
return 0;
}
由于整个过程不涉及任何包装,我不知道如何调试它。有谁知道它有什么问题吗? (注意:插槽已预先存在并已初始化。)
问题是由于缺少 CKA_SERIAL_NUMBER,根据受版权保护的 PKCS11 API 指南(ProtectToolkit C 程序员手册,版权所有 © Eracom Technologies),当未提供序列号时,错误CKR_WRAPPING_KEY_HANDLE_INVALID 将被退回。
因此,要么将 CKA_USAGE_COUNT 添加到签名密钥,要么通过在证书模板中指示 CKA_SERIAL_NUMBER/CKA_SERIAL_NUMBER_INT 来指示证书的序列号将解决问题。
使用 HSM(使用 PKCS11 标准 API)生成自签名证书报告 "wrapping key handle invalid" 错误(错误代码 113、CKR_WRAPPING_KEY_HANDLE_INVALID)。当使用 GUI ctbrowser 工具生成或使用类似于他们的演示的代码时,都会发生这种情况。
这里是一个重现问题的代码示例,它生成一个 RSA 密钥对,然后尝试用它们生成一个自签名证书。
int main()
{
int rv;
CK_CHAR pwd[] = "password";
static char pubkeyLabel[256]="demoPub";
static char prvkeyLabel[256]="demoPrv";
static CK_BYTE id[256];
static CK_BBOOL isTok = TRUE;
static CK_BBOOL True = TRUE;
static CK_BBOOL False = FALSE;
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hPubKey;
CK_OBJECT_HANDLE_PTR phPubKey = &hPubKey;
CK_OBJECT_HANDLE hSignerKey;
CK_OBJECT_HANDLE_PTR phSignerKey = &hSignerKey;
CK_OBJECT_HANDLE hCert;
CK_OBJECT_HANDLE_PTR phCert = &hCert;
CK_MECHANISM mechanism = { 0, NULL, 0 };
static CK_SIZE mBits=2048;
static char edate[] = {'2','0','2','0','1','2','3','1'};
static char certLabel[128]="demo_cert";
static char subject[256]="C=XX,ST=XX,L=XX,O=MEOW,OU=HSM,CN=TESTCERT";
CK_ATTRIBUTE publicKeyTemplate[] = {
{CKA_TOKEN, &isTok, 1},
{CKA_PRIVATE, &False, 1},
{CKA_LABEL, pubkeyLabel, sizeof(pubkeyLabel)},
{CKA_SUBJECT_STR, subject, sizeof(subject)},
{CKA_MODULUS_BITS, &mBits, sizeof(mBits)},
{CKA_ENCRYPT, &False, 1},
{CKA_VERIFY, &True, 1},
{CKA_WRAP, &False, 1},
{CKA_DERIVE, &True, 1},
{CKA_EXTRACTABLE, &True, 1},
{CKA_EXPORTABLE, &True, 1}
};
CK_ATTRIBUTE privateKeyTemplate[] = {
{CKA_TOKEN, &isTok, 1},
{CKA_LABEL, prvkeyLabel, sizeof(prvkeyLabel)},
{CKA_PRIVATE, &True, 1},
{CKA_SUBJECT_STR, subject, sizeof(subject)},
{CKA_ID, id, sizeof(id)},
{CKA_SENSITIVE, &True, 1},
{CKA_DECRYPT, &False, 1},
{CKA_SIGN, &True, 1},
{CKA_UNWRAP, &True, 1},
{CKA_WRAP, &False, 1},
{CKA_EXTRACTABLE, &False, 1},
{CKA_EXPORTABLE, &False, 1}
};
CK_ATTRIBUTE certTemplate[] = {
{CKA_TOKEN, &True, 1},
{CKA_PRIVATE, &False, 1},
{CKA_LABEL, certLabel, sizeof(certLabel)},
{CKA_SUBJECT_STR, subject, sizeof(subject)},
{CKA_ISSUER_STR, subject, sizeof(subject)},
{CKA_END_DATE, edate, sizeof(edate)},
{CKA_EXTRACTABLE, &True, 1},
{CKA_EXPORTABLE, &True, 1}
};
printf("Generate cert %s from %s, signed by %s.\n", certLabel, pubkeyLabel, prvkeyLabel);
rv = C_Initialize(NULL_PTR);
if ( rv ) return rv;
rv = C_OpenSession(0, CKF_RW_SESSION|CKF_SERIAL_SESSION, NULL, NULL, &hSession);
rv = C_Login(hSession, CKU_USER, pwd, 8);
publicKeyTemplate[2].valueLen = (CK_SIZE)strlen((char*)pubkeyLabel);
publicKeyTemplate[3].valueLen = (CK_SIZE)strlen((char*)subject)+1;
privateKeyTemplate[1].valueLen = (CK_SIZE)strlen((char*)prvkeyLabel);
privateKeyTemplate[3].valueLen = (CK_SIZE)strlen((char*)subject)+1;
mechanism.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
rv = C_GenerateKeyPair(hSession, &mechanism,
publicKeyTemplate, NUMITEMS(publicKeyTemplate),
privateKeyTemplate, NUMITEMS(privateKeyTemplate),
phPubKey, phSignerKey);
printf("Keypair generated with rv=%x\n", rv);
mechanism.mechanism = CKM_SHA256_RSA_PKCS;
rv = C_SignInit(hSession, &mechanism, hSignerKey);
printf("cert signer initiated with rv=%x\n", rv);
mechanism.mechanism = CKM_ENCODE_X_509;
certTemplate[2].valueLen = (CK_SIZE)strlen((char*)certLabel);
certTemplate[3].valueLen = (CK_SIZE)strlen((char*)subject)+1;
certTemplate[4].valueLen = (CK_SIZE)strlen((char*)subject)+1;
rv = C_DeriveKey(hSession, &mechanism,
hPubKey,
certTemplate, NUMITEMS(certTemplate),
phCert);
printf("cert generation finished with rv=%x\n", rv);
return 0;
}
由于整个过程不涉及任何包装,我不知道如何调试它。有谁知道它有什么问题吗? (注意:插槽已预先存在并已初始化。)
问题是由于缺少 CKA_SERIAL_NUMBER,根据受版权保护的 PKCS11 API 指南(ProtectToolkit C 程序员手册,版权所有 © Eracom Technologies),当未提供序列号时,错误CKR_WRAPPING_KEY_HANDLE_INVALID 将被退回。
因此,要么将 CKA_USAGE_COUNT 添加到签名密钥,要么通过在证书模板中指示 CKA_SERIAL_NUMBER/CKA_SERIAL_NUMBER_INT 来指示证书的序列号将解决问题。