Amazon web services AWS CloudHSM PKCS#11带有PKCS11Interop,为包装操作CKR#u参数提供错误\u错误
我正在使用最新的AWS cloud HSM和PKCS11Interop c#library的PKCS供应商库。Amazon web services AWS CloudHSM PKCS#11带有PKCS11Interop,为包装操作CKR#u参数提供错误\u错误,amazon-web-services,pkcs#11,pkcs11interop,amazon-cloudhsm,Amazon Web Services,Pkcs#11,Pkcs11interop,Amazon Cloudhsm,我正在使用最新的AWS cloud HSM和PKCS11Interop c#library的PKCS供应商库。 正在尝试模拟CKM.CKM\u RSA\u AES\u KEY\u WRAP的示例代码 包装AES 256密钥时出现以下错误 Net.Pkcs11Interop.Common.Pkcs11Exception:“方法C\u WrapKey返回CKR\u参数\u BAD” 在Net.Pkcs11Interop.HighLevelAPI80.Session.WrapKey(IMechanis
正在尝试模拟CKM.CKM\u RSA\u AES\u KEY\u WRAP的示例代码 包装AES 256密钥时出现以下错误 Net.Pkcs11Interop.Common.Pkcs11Exception:“方法C\u WrapKey返回CKR\u参数\u BAD” 在Net.Pkcs11Interop.HighLevelAPI80.Session.WrapKey(IMechanism机制、IOObjectHandle wrappingKeyHandle、IOObjectHandle keyHandle) 我的示例代码
public ActionResult<string> WrapUnwrap(string keyAlias)
{
using (IPkcs11Library pkcs11Library = Settings.Factories.Pkcs11LibraryFactory.LoadPkcs11Library(Settings.Factories, Settings.Pkcs11LibraryPath, Settings.AppType))
{
// Find first slot with token present
ISlot slot = Helpers.GetUsableSlot(pkcs11Library);
// Open RW session
using (ISession session = slot.OpenSession(SessionType.ReadWrite))
{
// Login as normal user
session.Login(CKU.CKU_USER, Settings.NormalUserPin);
// Generate asymetric key pair
IObjectHandle publicKey = null;
IObjectHandle privateKey = null;
GenerateRSAKeyPair(session, out publicKey, out privateKey);
//Generate symmetric key : AES 256
var keyToWrap = GenerateAESKey(session);
// Specify wrapping mechanism
var oaepParams = session.Factories.MechanismParamsFactory.CreateCkRsaPkcsOaepParams(
ConvertUtils.UInt64FromCKM(CKM.CKM_SHA256),
ConvertUtils.UInt64FromCKG(CKG.CKG_MGF1_SHA256),
ConvertUtils.UInt64FromUInt32(CKZ.CKZ_DATA_SPECIFIED),
null);
var rsaParams = session.Factories.MechanismParamsFactory.CreateCkRsaAesKeyWrapParams(256, oaepParams);
IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_AES_KEY_WRAP);
// Wrap key
byte[] wrappedKey = session.WrapKey(mechanism, publicKey, keyToWrap);
if (wrappedKey == null)
throw new Exception("Failed to wrap key.");
// Define attributes for unwrapped key
List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE, true));
// Unwrap key
IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, privateKey, wrappedKey, objectAttributes);
session.DestroyObject(privateKey);
session.DestroyObject(publicKey);
session.DestroyObject(keyToWrap);
session.DestroyObject(unwrappedKey);
session.Logout();
}
}
return Ok();
}
private static void GenerateRSAKeyPair(ISession session, out IObjectHandle publicKeyHandle, out IObjectHandle privateKeyHandle)
{
// The CKA_ID attribute is intended as a means of distinguishing multiple key pairs held by the same subject
byte[] ckaId = session.GenerateRandom(20);
// Prepare attribute template of new public key
List<IObjectAttribute> publicKeyAttributes = new List<IObjectAttribute>();
publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
//publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, false)); // Throws InvalidAttribute Value
publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId));
publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_WRAP, true));
publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_MODULUS_BITS, 2048));
publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }));
// Prepare attribute template of new private key
List<IObjectAttribute> privateKeyAttributes = new List<IObjectAttribute>();
privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
//privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, true));
privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId));
privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_UNWRAP, true));
// Specify key generation mechanism
IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_X9_31_KEY_PAIR_GEN);
// Generate key pair
session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle, out privateKeyHandle);
}
private static IObjectHandle GenerateAESKey(ISession session, string keyAlias = null)
{
byte[] ckaId = null;
if (string.IsNullOrEmpty(keyAlias))
ckaId = session.GenerateRandom(20);
else
ckaId = Encoding.UTF8.GetBytes(keyAlias);
// Generate symetric key
// Prepare attribute template of new key
List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_VALUE_LEN, 32));// means 256 bit
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId));
//objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_WRAP_WITH_TRUSTED, false));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DESTROYABLE, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
//objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SIGN, false));
// Specify key generation mechanism
IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_AES_KEY_GEN);
// Generate key
IObjectHandle generatedKey = session.GenerateKey(mechanism, objectAttributes);
return generatedKey;
}
public ActionResult WrapUnwrap(字符串keyAlias)
{
使用(IPkcs11Library pkcs11Library=Settings.Factories.Pkcs11LibraryFactory.LoadPkcs11Library(Settings.Factories,Settings.Pkcs11LibraryPath,Settings.AppType))
{
//查找存在令牌的第一个插槽
ISlot插槽=Helpers.GetUsableSlot(pkcs11Library);
//开放RW会话
使用(ISession session=slot.OpenSession(SessionType.ReadWrite))
{
//以普通用户身份登录
登录(CKU.CKU_USER,Settings.NormalUserPin);
//生成不对称密钥对
IObjectHandle publicKey=null;
IObjectHandle privateKey=null;
GeneratorSakeyPair(会话,输出公钥,输出私钥);
//生成对称密钥:AES 256
var keyToWrap=GenerateAESKey(会话);
//指定包装机制
var oaepParams=session.Factories.MechanismParamsFactory.CreateCkRsaPkcsOaepParams(
从CKM(CKM.CKM\U SHA256)转换UINT64,
来自CKG的转换UINT64(CKG.CKG\U MGF1\U SHA256),
从UINT32转换为ConvertUtils.UINT64(指定了CKZ.CKZ_数据),
无效);
var rsaparms=session.Factories.MechanismParamsFactory.createckrsaaseskeywrapparams(256,oaepParams);
IMechanism mechanism=session.Factories.MechanismFactory.Create(CKM.CKM\u RSA\u AES\u KEY\u WRAP);
//包裹键
字节[]wrappedKey=session.WrapKey(机制、公钥、keytorrap);
if(wrappedKey==null)
抛出新异常(“未能包装密钥”);
//定义展开关键点的属性
List objectAttributes=new List();
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_类,CKO.CKO_密钥));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE,CKK.CKK_AES));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT,true));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT,true));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE,true));
//展开键
IObjectHandle unwrappedKey=会话.unwrappkey(机制、私钥、wrappedKey、objectAttributes);
会话。销毁对象(私钥);
会话。销毁对象(公钥);
会话。销毁对象(keyToWrap);
会话.DestroyObject(UnwrappeKey);
session.Logout();
}
}
返回Ok();
}
专用静态void生成器MakeyPair(ISession会话、out IObjectHandle publicKeyHandle、out IObjectHandle privateKeyHandle)
{
//CKA_ID属性用于区分同一主题持有的多个密钥对
字节[]ckaId=session.generateradom(20);
//准备新公钥的属性模板
List publicKeyAttributes=新列表();
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_标记,true));
//publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE,false));//抛出无效属性值
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID,ckaId));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_WRAP,true));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_module_BITS,2048));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PUBLIC_index,新字节[]{0x01,0x00,0x01}));
//准备新私钥的属性模板
List privateKeyAttributes=新列表();
添加(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_标记,true));
//添加(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE,true));
Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID,ckaId));
添加(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_UNWRAP,true));
//指定密钥生成机制
IMechanism mechanism=session.Factories.MechanismFactory.Create(CKM.CKM\u RSA\u X9\u 31\u KEY\u PAIR\u GEN);
//生成密钥对
GenerateKeyPair(机制、publicKeyAttributes、privateKeyAttributes、out publicKeyHandle、out privateKeyHandle);
}
专用静态IObjectHandle GenerateAsKey(ISession会话,字符串keyAlias=null)
{
字节[]ckaId=null;
if(string.IsNu)
IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_AES_KEY_WRAP,rsaParams);