Retrieve key stored in HSM


Pujan Maharjan

Apr 21, 2014, 4:38:32 AM4/21/14
to pkcs11...@googlegroups.com
Hello there!

Could anyone tell me how to retrieve a key stored in the HSM? I have referenced the samples from the Tests. So far, I could generate a key at each session by using the default key of the HSM, but I want to retrieve a particular key from a particular slot for encryption.

I am using a Safenet Protect Toolkit HSM as my HSM to store the key.


Jaroslav Imrich

Apr 21, 2014, 3:56:50 PM4/21/14
to pkcs11...@googlegroups.com, pujanm...@gmail.com
Hello Pujan,

every key, certificate and any other PKCS#11 object stored in your HSM consists of a set of attributes, each of which has a given value. For example, every object has a CKA_CLASS attribute which defines the type of that particular object, i.e. an object representing a private key has its CKA_CLASS attribute set to the value CKO_PRIVATE_KEY, an object representing a public key has its CKA_CLASS attribute set to the value CKO_PUBLIC_KEY, etc. The PKCS#11 interface allows you to search for objects stored in your HSM, and the search operation is based on a "search template" that specifies the attribute values to match on evaluated objects. For example, you can use the following search template to find all private RSA keys with the label "MyKey":

// Prepare attribute template that defines search criteria
List<ObjectAttribute> objectAttributes = new List<ObjectAttribute>();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "MyKey"));

// Find all objects that match provided attributes
List<ObjectHandle> foundObjects = session.FindAllObjects(objectAttributes);


The CKA_LABEL attribute usually stores a human-readable object name, but please note that PKCS#11 does not enforce any uniqueness of attribute values. In other words, there may always be more than one object present in your HSM with the same value of CKA_LABEL, and you need to handle this situation in your code.


For more detailed information please take a look at our code sample covering object searching [0], and to better understand the basic concepts of the PKCS#11 API I also recommend you read "Chapter 2 - Scope", "Chapter 6 - General overview" and "Chapter 10 - Objects" of the PKCS#11 standard [1].


Please let me know if you have any further questions.

Kind Regards

Jaroslav Imrich
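The following is an added example, not code from the thread or from the Pkcs11Interop project, showing how the search template above fits into a complete lookup from the asker's perspective: select the slot by its token label, log in, find exactly one RSA key pair by CKA_LABEL plus CKA_ID (so that a duplicate label is an error rather than a silent wrong pick), confirm the private half is marked sensitive and non-extractable, and encrypt with the public half. It is written against the Pkcs11Interop 3.x API that was current when this thread was posted (an assumption; later versions changed constructors and session types), and the library path, token label, PIN, key label and CKA_ID value are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Added example, not code from the thread or from the Pkcs11Interop project.
// Assumes the Pkcs11Interop 3.x API; all string and byte values below are placeholders.
public static class HsmKeyLookup
{
    // Run the search and insist on exactly one hit. PKCS#11 does not enforce
    // unique CKA_LABEL values, so zero or several matches are real possibilities
    // that must be handled instead of silently taking found[0].
    public static ObjectHandle FindUnique(Session session, List<ObjectAttribute> template, string what)
    {
        List<ObjectHandle> found = session.FindAllObjects(template);
        if (found.Count == 0)
            throw new InvalidOperationException("No " + what + " matched the search template");
        if (found.Count > 1)
            throw new InvalidOperationException(found.Count + " objects matched for " + what +
                                                "; narrow the template (e.g. add CKA_ID)");
        return found[0];
    }

    // Template for one half of an RSA key pair; CKA_ID ties the public and private key together.
    public static List<ObjectAttribute> RsaKeyTemplate(CKO keyClass, string label, byte[] id)
    {
        return new List<ObjectAttribute>
        {
            new ObjectAttribute(CKA.CKA_CLASS, keyClass),
            new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
            new ObjectAttribute(CKA.CKA_LABEL, label),
            new ObjectAttribute(CKA.CKA_ID, id)
        };
    }

    public static void Main()
    {
        string libraryPath = "cryptoki.dll";        // placeholder: path to the vendor's PKCS#11 library
        string tokenLabel  = "MyToken";             // placeholder: label of the token in the target slot
        string userPin     = "1234";                // placeholder: load from a secret store in real code
        string keyLabel    = "MyKey";
        byte[] keyId       = new byte[] { 0x01 };   // placeholder CKA_ID shared by both halves of the pair

        using (Pkcs11 pkcs11 = new Pkcs11(libraryPath, true))
        {
            // Pick the slot by token label rather than hard-coding a slot index,
            // since indices can shift when tokens are added or removed.
            Slot slot = null;
            foreach (Slot s in pkcs11.GetSlotList(true))
                if (s.GetTokenInfo().Label.Trim() == tokenLabel) { slot = s; break; }
            if (slot == null)
                throw new InvalidOperationException("Token '" + tokenLabel + "' is not present");

            using (Session session = slot.OpenSession(true))   // read-only session is enough for encryption
            {
                session.Login(CKU.CKU_USER, userPin);

                ObjectHandle privateKey = FindUnique(session, RsaKeyTemplate(CKO.CKO_PRIVATE_KEY, keyLabel, keyId), "private key");
                ObjectHandle publicKey  = FindUnique(session, RsaKeyTemplate(CKO.CKO_PUBLIC_KEY,  keyLabel, keyId), "public key");

                // Confirm the private key cannot be exported from the HSM before relying on it.
                List<ObjectAttribute> attrs = session.GetAttributeValue(privateKey,
                    new List<CKA> { CKA.CKA_SENSITIVE, CKA.CKA_EXTRACTABLE });
                if (!attrs[0].GetValueAsBool() || attrs[1].GetValueAsBool())
                    throw new InvalidOperationException("Private key is not sensitive or is extractable");

                // RSA encryption uses the public half; the private half never leaves the token.
                byte[] plaintext  = Encoding.UTF8.GetBytes("constructed sample message");
                byte[] ciphertext = session.Encrypt(new Mechanism(CKM.CKM_RSA_PKCS), publicKey, plaintext);
                Console.WriteLine("Encrypted {0} bytes into {1} bytes with key '{2}'",
                                  plaintext.Length, ciphertext.Length, keyLabel);

                session.Logout();
            }
        }
    }
}
```

Handles returned by FindAllObjects are only valid within the session that produced them, so the lookup has to be repeated (or the handle cached per session) rather than stored across process restarts; the label/ID pair is the durable identifier, the handle is not.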
