Using PKCS#11Interop for digital signing


phan...@gmail.com

May 15, 2014, 4:39:18 AM
to pkcs11...@googlegroups.com
Hi,

I've been able to use your libraries so far by making use of the samples without much trouble - I've been able to import certificates using this library onto my token that successfully marry with a private key.

However, when I come to sign with the loaded certificate, I receive "CKR_FUNCTION_FAILED" from C_SignInit. At the moment I'm calling the following as per your example:


// Sign: SHA-1 digest of the data, then RSA PKCS#1 v1.5 signature
Mechanism mechanism = new Mechanism(CKM.CKM_SHA1_RSA_PKCS);

byte[] signature = null;

// Read-only access is enough; the file itself is not modified
using (Stream inputStream = new FileStream(@"D:\test.txt", FileMode.Open, FileAccess.Read))
{
    // 'cert' is the ObjectHandle of the imported CKO_CERTIFICATE object.
    // Sign() returns only the raw signature bytes; nothing is appended to the file.
    signature = session.Sign(mechanism, cert, inputStream);
}

I notice your examples indicate signing using a private key, not a certificate - but I do have the ObjectHandle containing the right certificate being passed to the call to sign. Note I am expecting the resulting signature to be appended to the file/returned in the byte array for me to write to a new file along with the original data.

Am I going about this in the right way? Or is this something that PKCS#11Interop doesn't support?

Thanks,

Pete

Jaroslav Imrich

May 15, 2014, 5:30:32 PM
to pkcs11...@googlegroups.com, phan...@gmail.com
Hello Pete,

I can confirm that Pkcs11Interop fully supports digital signature creation with keys accessible via the PKCS#11 interface. However, if you want to sign anything, you will need to use the private key object, not the certificate object.

Digital signature technology is based on public-key cryptography, which uses the concept of asymmetric key pairs. Each key pair consists of a private part (the private key) and a public part (the public key). The private key can be used by its owner for signature creation and should be kept secret at all costs, because if anyone gains access to your private key he can sign anything as you; that's why we store private keys on smartcards protected by a PIN code. The public key, however, can be used for signature verification and therefore should be shared publicly so anyone can verify your signature. But a public key does not say anything about its owner, so when you want to bind your identity (name, surname, address, etc.) to your public key, you ask a certificate authority (CA) to issue a certificate for you. The CA verifies both your public key and your identity and signs this information with its private key; that's how the certificate is created.

As you can see, the certificate contains only the public key, so it can be used only for signature verification, not for signature creation. For signature creation you need to use the private key.

Please let me know if you have any further questions.

Kind Regards

Jaroslav Imrich
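Putting the answer above into working code: the following is an added example, not code from either post or from the Pkcs11Interop project. It locates the private key that belongs to the imported certificate through their shared CKA_ID (the usual convention on tokens), signs a file with that key using the same CKM_SHA1_RSA_PKCS mechanism as in Pete's snippet, writes the returned signature to a detached file, and verifies it with the matching public key. It assumes the Pkcs11Interop 3.x HighLevelAPI; the library path, PIN, label and file names are placeholders.

```csharp
// Added example (not from the thread or the Pkcs11Interop project).
// Assumes Pkcs11Interop 3.x HighLevelAPI. Paths, PIN and label are placeholders.
using System;
using System.Collections.Generic;
using System.IO;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

class SignWithPrivateKey
{
    static void Main()
    {
        string libraryPath = @"C:\path\to\vendor-pkcs11.dll"; // placeholder: vendor PKCS#11 module
        string userPin = "1234";                               // placeholder: token user PIN
        string certLabel = "My Signing Cert";                  // placeholder: CKA_LABEL of the certificate

        using (Pkcs11 pkcs11 = new Pkcs11(libraryPath, true))
        {
            Slot slot = pkcs11.GetSlotList(true)[0];            // first slot with a token present
            using (Session session = slot.OpenSession(false))    // false = read/write session
            {
                session.Login(CKU.CKU_USER, userPin);

                // 1. Find the certificate object (this is what Pete passed to Sign()).
                var certTemplate = new List<ObjectAttribute>
                {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
                    new ObjectAttribute(CKA.CKA_LABEL, certLabel)
                };
                ObjectHandle cert = session.FindAllObjects(certTemplate)[0];

                // 2. Read its CKA_ID; by convention the private and public key share it.
                byte[] keyId = session.GetAttributeValue(cert, new List<CKA> { CKA.CKA_ID })[0]
                                      .GetValueAsByteArray();

                // 3. Find the PRIVATE KEY with the same CKA_ID. C_SignInit needs a key object;
                //    handing it the certificate handle is what fails in the original post.
                var privTemplate = new List<ObjectAttribute>
                {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
                    new ObjectAttribute(CKA.CKA_ID, keyId)
                };
                List<ObjectHandle> privKeys = session.FindAllObjects(privTemplate);
                if (privKeys.Count == 0)
                    throw new InvalidOperationException("No private key with a matching CKA_ID on the token");
                ObjectHandle privKey = privKeys[0];

                // 4. Sign the file. Sign() returns only the raw signature bytes; the caller
                //    decides where to put them. Here they go into a detached .sig file.
                Mechanism mechanism = new Mechanism(CKM.CKM_SHA1_RSA_PKCS);
                byte[] signature;
                using (FileStream input = new FileStream(@"D:\test.txt", FileMode.Open, FileAccess.Read))
                {
                    signature = session.Sign(mechanism, privKey, input);
                }
                File.WriteAllBytes(@"D:\test.txt.sig", signature);

                // 5. Verify with the PUBLIC KEY sharing the CKA_ID, as a relying party would
                //    with the public key taken from the certificate.
                var pubTemplate = new List<ObjectAttribute>
                {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY),
                    new ObjectAttribute(CKA.CKA_ID, keyId)
                };
                ObjectHandle pubKey = session.FindAllObjects(pubTemplate)[0];
                bool isValid;
                session.Verify(mechanism, pubKey, File.ReadAllBytes(@"D:\test.txt"), signature, out isValid);
                Console.WriteLine(isValid ? "Signature verified" : "Signature INVALID");

                session.Logout();
            }
        }
    }
}
```

The check in step 3 is worth keeping: a certificate imported without a private key carrying the same CKA_ID will pass the FindAllObjects for the certificate but has nothing to sign with, and the explicit exception is far easier to diagnose than a generic CKR_FUNCTION_FAILED from the token.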

Visit this group at http://groups.google.com/group/pkcs11interop.