How to get started pkcs11interop


billib...@gmail.com

Dec 1, 2016, 11:20:23 PM
to Pkcs11Interop
I need a few hints about where should I start with RSA signing and verifying by using pkcs11interop.

Thanks

Jaroslav Imrich

Dec 2, 2016, 3:19:10 AM
to Pkcs11Interop, billib...@gmail.com
On 2 December 2016 at 05:20, <billib...@gmail.com> wrote:
I need a few hints about where should I start with RSA signing and verifying by using pkcs11interop.

Thanks


billib...@gmail.com

Dec 6, 2016, 12:24:35 AM
to Pkcs11Interop, billib...@gmail.com
On Friday, December 2, 2016 at 3:19:10 PM UTC+7, Jaroslav Imrich wrote:
> I believe these resources might be helpful for you:
>
> PKCS#11 specification:
> https://github.com/Pkcs11Interop/PKCS11-SPECS/raw/master/v2.20/pkcs-11v2-20.pdf
>
> Getting started with Pkcs11Interop:
> https://github.com/Pkcs11Interop/Pkcs11Interop/blob/master/doc/GETTING_STARTED.md
>
> Pkcs11Interop code samples:
> https://github.com/Pkcs11Interop/Pkcs11Interop/blob/master/doc/CODE_SAMPLES.md
>
> Regards, Jaroslav
>
> On 2 December 2016 at 05:20, <billib...@gmail.com> wrote:
> I need a few hints about where should I start with RSA signing and verifying by using pkcs11interop.
>
> Thanks

Now I can do RSA signing with the private key, but I get stuck with verifying.

How can I extract the public key from an X509 certificate? Or is the "CKA_VALUE" of the certificate the public key?

Here is my code:

List<ObjectAttribute> cerAttrs = new List<ObjectAttribute>();
cerAttrs.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE));
cerAttrs.Add(new ObjectAttribute(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509));

List<ObjectHandle> cerObjs = session.FindAllObjects(cerAttrs);
bool isValid = false;
session.Verify(mech, cerObjs[0], byteMessage, signature, out isValid); // <<< error on this line
Console.WriteLine(isValid.ToString());

Thanks

billib...@gmail.com

Dec 6, 2016, 4:03:13 AM
to Pkcs11Interop, billib...@gmail.com
On Friday, December 2, 2016 at 11:20:23 AM UTC+7, billib...@gmail.com wrote:
> I need a few hints about where should I start with RSA signing and verifying by using pkcs11interop.
>
> Thanks

I can extract the public key from CKA_VALUE by using the X509Certificate2 lib, but only in string and byte array format. How do I convert it back to an ObjectHandle/keyHandle/key object to verify the signature?

Here is my code:

//after cert is found
List<CKA> ckas = new List<CKA>();
ckas.Add(CKA.CKA_VALUE);

List<ObjectAttribute> cerAttr = session.GetAttributeValue(cerObjs[0], ckas);

byte[] certData = cerAttr[0].GetValueAsByteArray();

X509Certificate2 xCert = new X509Certificate2(certData);

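// GetPublicKey() returns byte[]; format it as hex so the key bytes are printed
Console.WriteLine(BitConverter.ToString(xCert.GetPublicKey()));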

Thanks

Jaroslav Imrich

Dec 11, 2016, 2:57:27 PM
to Pkcs11Interop, Billy F.
On 6 December 2016 at 10:03, <billib...@gmail.com> wrote:
I can extract the public key from CKA_VALUE by using the X509Certificate2 lib, but only in string and byte array format. How do I convert it back to an ObjectHandle/keyHandle/key object to verify the signature?

Here is my code:

//after cert is found
List<CKA> ckas = new List<CKA>();
ckas.Add(CKA.CKA_VALUE);

List<ObjectAttribute> cerAttr = session.GetAttributeValue(cerObjs[0], ckas);

byte[] certData = cerAttr[0].GetValueAsByteArray();

X509Certificate2 xCert = new X509Certificate2(certData);

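// GetPublicKey() returns byte[]; format it as hex so the key bytes are printed
Console.WriteLine(BitConverter.ToString(xCert.GetPublicKey()));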

You will need to use BouncyCastle or some other general purpose cryptographic library to get the modulus and public exponent of the certified RSA public key. This code sample (not tested) might help you get started:

            // Get X509Certificate2 instance somehow
            System.Security.Cryptography.X509Certificates.X509Certificate2 cert = null;

            // Get public key with BouncyCastle library
            Org.BouncyCastle.X509.X509CertificateParser x509CertificateParser = new Org.BouncyCastle.X509.X509CertificateParser();
            Org.BouncyCastle.X509.X509Certificate x509Certificate = x509CertificateParser.ReadCertificate(cert.RawData);
            Org.BouncyCastle.Crypto.AsymmetricKeyParameter pubKeyParams = x509Certificate.GetPublicKey();
            Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters rsaPubKeyParams = pubKeyParams as Org.BouncyCastle.Crypto.Parameters.RsaKeyParameters;

            // Define public key object attributes
            List<ObjectAttribute> pubKeyAttributes = new List<ObjectAttribute>();
            pubKeyAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY));
            pubKeyAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
            pubKeyAttributes.Add(new ObjectAttribute(CKA.CKA_MODULUS, rsaPubKeyParams.Modulus.ToByteArrayUnsigned()));
            pubKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PUBLIC_EXPONENT, rsaPubKeyParams.Exponent.ToByteArrayUnsigned()));

            // Create public key object
            ObjectHandle pubKeyHandle = session.CreateObject(pubKeyAttributes);

Regards, Jaroslav
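
An added example (not code from this thread or from the Pkcs11Interop project) that puts the posts above together: it reads the certificate from the token, imports its RSA public key as a session object, verifies on the token and cleans up. It assumes the high-level API style used in the thread (a `Session` object and `ObjectAttribute` constructors) plus BouncyCastle; `TokenVerifyExample`, `VerifyWithCertificate` and the `ckaId` parameter are hypothetical names, and pairing a certificate with its private key by CKA_ID is the usual PKCS#11 convention, not something the token enforces.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.X509;

public static class TokenVerifyExample // hypothetical name
{
    // Hypothetical helper: verifies `signature` over `data` with the public key of
    // the certificate whose CKA_ID is `ckaId`. `mech` must be the signing mechanism.
    public static bool VerifyWithCertificate(Session session, Mechanism mech,
                                             byte[] ckaId, byte[] data, byte[] signature)
    {
        // Select the certificate by CKA_ID rather than taking the first one found,
        // so the public key matches the private key that produced the signature.
        var certTemplate = new List<ObjectAttribute> {
            new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
            new ObjectAttribute(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509),
            new ObjectAttribute(CKA.CKA_ID, ckaId) };
        List<ObjectHandle> certs = session.FindAllObjects(certTemplate);
        if (certs.Count != 1)
            throw new InvalidOperationException("expected exactly one certificate with this CKA_ID");

        // CKA_VALUE of a certificate object is the encoded certificate, not a key,
        // which is why a certificate handle cannot be passed to Verify directly.
        byte[] der = session.GetAttributeValue(certs[0], new List<CKA> { CKA.CKA_VALUE })[0]
                            .GetValueAsByteArray();
        var rsa = new X509CertificateParser().ReadCertificate(der).GetPublicKey() as RsaKeyParameters;
        if (rsa == null)
            throw new NotSupportedException("certificate does not carry an RSA public key");

        // CKA_TOKEN = false makes this a session object: nothing is stored on the token.
        var keyTemplate = new List<ObjectAttribute> {
            new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY),
            new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
            new ObjectAttribute(CKA.CKA_TOKEN, false),
            new ObjectAttribute(CKA.CKA_VERIFY, true),
            new ObjectAttribute(CKA.CKA_MODULUS, rsa.Modulus.ToByteArrayUnsigned()),
            new ObjectAttribute(CKA.CKA_PUBLIC_EXPONENT, rsa.Exponent.ToByteArrayUnsigned()) };
        ObjectHandle pubKey = session.CreateObject(keyTemplate);
        try
        {
            bool isValid;
            session.Verify(mech, pubKey, data, signature, out isValid);
            return isValid;
        }
        finally { session.DestroyObject(pubKey); } // remove the temporary key object
    }
}
```

A `true` result only shows that the signature matches the key in that certificate; whether the certificate itself is trusted (chain, validity period, revocation) is a separate check.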