使用 pkcs11interop 创建 ECDSA 密钥对时出错
Erroring out creating an ECDSA Key pair with pkcs11interop
我正在连接到支持 secp256r1 的 Gemalto HSM。我有以下代码使用 Pkcs11interop 创建 ECDSA 密钥对。我正在使用 BouncyCastle NistNamedCurves 和 X962Parameters 获取 paramsBytes。
HSM 不断返回 CKR_ATTRIBUTE_TYPE_INVALID。我是 ECDSA 的新手,所以我可能错过了一些东西。有什么想法吗?
X9ECParameters x9Ec = NistNamedCurves.GetByName("P-256");
X962Parameters x962 = new X962Parameters(x9Ec);
byte[] paramsBytes = x962.GetDerEncoded();
// The CKA_ID attribute is intended as a means of distinguishing multiple key pairs held by the same subject
byte[] ckaId = session.GenerateRandom(20);
// Prepare attribute template of new public key
List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, false));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, keyName));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_VERIFY, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));
// Prepare attribute template of new private key
List<ObjectAttribute> privateKeyAttributes = new List<ObjectAttribute>();
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, keyName));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SENSITIVE, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SIGN, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));
// Generate key pair
Mechanism mechanism = new Mechanism(CKM.CKM_ECDSA_KEY_PAIR_GEN);
ObjectHandle publicKeyHandle = null;
ObjectHandle privateKeyHandle = null;
session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle,
out privateKeyHandle);
知道是怎么回事了。 HSM 不喜欢
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));
关于私钥。 PKCS 声明 ECDSA 参数需要在 public 密钥上,不能在私钥上,并且此实现强制执行了这一点。
我正在连接到支持 secp256r1 的 Gemalto HSM。我有以下代码使用 Pkcs11interop 创建 ECDSA 密钥对。我正在使用 BouncyCastle NistNamedCurves 和 X962Parameters 获取 paramsBytes。
HSM 不断返回 CKR_ATTRIBUTE_TYPE_INVALID。我是 ECDSA 的新手,所以我可能错过了一些东西。有什么想法吗?
X9ECParameters x9Ec = NistNamedCurves.GetByName("P-256");
X962Parameters x962 = new X962Parameters(x9Ec);
byte[] paramsBytes = x962.GetDerEncoded();
// The CKA_ID attribute is intended as a means of distinguishing multiple key pairs held by the same subject
byte[] ckaId = session.GenerateRandom(20);
// Prepare attribute template of new public key
List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, false));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, keyName));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_VERIFY, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));
// Prepare attribute template of new private key
List<ObjectAttribute> privateKeyAttributes = new List<ObjectAttribute>();
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, keyName));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SENSITIVE, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SIGN, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));
// Generate key pair
Mechanism mechanism = new Mechanism(CKM.CKM_ECDSA_KEY_PAIR_GEN);
ObjectHandle publicKeyHandle = null;
ObjectHandle privateKeyHandle = null;
session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle,
out privateKeyHandle);
知道是怎么回事了。 HSM 不喜欢
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));
关于私钥。 PKCS 声明 ECDSA 参数需要在 public 密钥上,不能在私钥上,并且此实现强制执行了这一点。