Safenet Luna SA


Yule, Brian

Apr 23, 2015, 6:42:08 AM
to pkcs11...@googlegroups.com

Hi,

Can you help point me in the right direction for some code to use the Pkcs11Interop framework for contacting a SafeNet Luna SA HSM?

Regards,

Brian Yule

Jaroslav Imrich

Apr 23, 2015, 4:49:32 PM
to pkcs11...@googlegroups.com, brian...@citi.com
Hello Brian,

Pkcs11Interop source code contains unit tests covering all the methods of PKCS#11 API. These tests can be viewed online [0], they are well documented and they serve as our official code samples. If you are looking for an example of simple standalone console application that uses Pkcs11Interop then you can take a look at our Pkcs7SignatureGenerator sample application [1].

To use our tests with Luna SA you just need to change the value of the Net.Pkcs11Interop.Tests.Settings.Pkcs11LibraryPath property [2] (it is used as the first parameter in the constructor of the Net.Pkcs11Interop.HighLevelAPI.Pkcs11 class in all the tests) so it points to the PKCS#11 library provided with Luna SA by SafeNet, which should be installed on your local system. According to the Luna SA documentation [3] this library should be installed in X:\Program Files\LunaSA\cryptoki.dll.

Let me know if you have more questions.

Regards, Jaroslav


joshz...@gmail.com

Jul 31, 2015, 11:34:12 AM
to Pkcs11Interop, brian...@citi.com
Hi Jaroslav,

I have questions:
1) How do I log in to the SafeNet Luna SA HSM (get a session)?
2) Can I get my certificate chain?

I want to use iTextSharp to sign the PDF; it requires the private key and chain.

Thanks,
Josh



joshz...@gmail.com

Jul 31, 2015, 12:28:07 PM
to Pkcs11Interop, brian...@citi.com, joshz...@gmail.com
Hi Jaroslav,

I found how to make a session:

  using Net.Pkcs11Interop.Common;
  using Net.Pkcs11Interop.HighLevelAPI;

  // Settings and Helpers come from the Pkcs11Interop test project
  using (Pkcs11 pkcs11 = new Pkcs11(Settings.Pkcs11LibraryPath, false))
  {
      // Find first slot with token present
      Slot slot = Helpers.GetUsableSlot(pkcs11);

      // Open RW session
      using (Session session = slot.OpenSession(false))
      {
          // Login as normal user
          session.Login(CKU.CKU_USER, Settings.NormalUserPin);

          // Generate key pair (publicKey/privateKey receive the object handles)
          ObjectHandle publicKey = null;
          ObjectHandle privateKey = null;
          Helpers.GenerateKeyPair(session, out publicKey, out privateKey);
      }
  }

One more question: how do I convert the ObjectHandle privateKey to Org.BouncyCastle.Crypto.AsymmetricKeyParameter?

Jaroslav Imrich

Jul 31, 2015, 5:45:31 PM
to pkcs11...@googlegroups.com, joshz...@gmail.com
Hello Josh,

you can save yourself a lot of time if you take a look at the Pkcs11Interop.PDF [0] project, which acts as an integration layer between the Pkcs11Interop and iTextSharp libraries. It can be installed from NuGet.org [1] and the source code is available at GitHub.com [2]. There is also a ready-to-use command line application included [3].

[0] http://pkcs11interop.net/extensions/pdf/
[1] https://www.nuget.org/packages/Pkcs11Interop.PDF/
[2] https://github.com/jariq/Pkcs11Interop.PDF
[3] https://github.com/jariq/Pkcs11Interop.PDF/blob/1.2.0/src/Pkcs11Interop.PDF.Demo/DemoApp.cs

--
Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jimrich.sk
jarosla...@gmail.com


kshama...@gmail.com

Jan 6, 2016, 3:57:53 AM
to Pkcs11Interop, joshz...@gmail.com

Hello Jaroslav,

Can you please give me some direction for the Pkcs11Interop.PDF project? Actually, I am using an Aladdin eToken for PDF signatures.
I am not very familiar with these parameters: PKCS#11 library (libraryPath), _tokenSerial, _tokenLabel_pin, _ckaLabel, _ckaId, _incorrectString.
Kindly assist me.

Jaroslav Imrich

Jan 6, 2016, 5:39:39 AM
to pkcs11...@googlegroups.com, kshama...@gmail.com
Hello Kshama,

parameter libraryPath should point to the PKCS#11 library (an unmanaged DLL acting as a token driver), which is usually provided by your token vendor. Consult your token documentation to determine the exact name/path of the library. Parameters tokenSerial and tokenLabel are used for token identification because there can be more than one token connected to your computer. Parameter PIN is self-explanatory. Parameters ckaLabel and ckaId identify the specific key object which should be used for signing and is stored on the token. Parameter hashAlgorithm identifies the hash/digest algorithm used during RSA signature creation.

I believe you should first try to play a little with included demo command line application [0], examine its parameters, its code and then you should understand the basics. Demo application also lists all available tokens and keys and displays the values of the parameters you need.

[0] https://github.com/jariq/Pkcs11Interop.PDF/blob/1.2.0/src/Pkcs11Interop.PDF.Demo/DemoApp.cs

Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jimrich.sk
jarosla...@gmail.com


Kshama Porwal

Jan 7, 2016, 3:07:43 AM
to Jaroslav Imrich, pkcs11...@googlegroups.com
Thanks a lot for the quick response.
While I am using the demo application I am getting this error: "win32 exception: The specified procedure could not be found".

Kindly assist.
--
Regards
Kshama Porwal

Jaroslav Imrich

Jan 7, 2016, 12:28:24 PM
to Kshama Porwal, pkcs11...@googlegroups.com
I would guess that you are using the wrong DLL as the PKCS#11 library, but to confirm this please post the full exception stack trace.

Regards, Jaroslav

Kshama Porwal

Jan 7, 2016, 11:24:06 PM
to Jaroslav Imrich, pkcs11...@googlegroups.com
Thanks a lot Jaroslav,
I have assigned this as the library path:
  const string _argPkcs11Library = "C:\\Windows\\System32\\eTOKCSP.dll";

As per your demo documentation you have assigned "siecap11.dll", but this DLL does not exist in my file directory.

Here is the full exception:
   at Net.Pkcs11Interop.Common.UnmanagedLibrary.GetFunctionPointer(IntPtr libraryHandle, String function)
   at Net.Pkcs11Interop.LowLevelAPI4.Pkcs11.C_GetFunctionList(CK_FUNCTION_LIST& functionList)
   at Net.Pkcs11Interop.LowLevelAPI4.Pkcs11..ctor(String libraryPath)
   at Net.Pkcs11Interop.HighLevelAPI4.Pkcs11..ctor(String libraryPath, Boolean useOsLocking)
   at Net.Pkcs11Interop.HighLevelAPI.Pkcs11..ctor(String libraryPath, Boolean useOsLocking)
   at Net.Pkcs11Interop.PDF.Pkcs11Explorer..ctor(String libraryPath) in E:\Pkcs11Interop.PDF-John\Pkcs11Interop.PDF-John\src\Pkcs11Interop.PDF\Pkcs11Explorer.cs:line 51
   at Net.Pkcs11Interop.PDF.DemoApp.Main(String[] args) in E:\Pkcs11Interop.PDF-John\Pkcs11Interop.PDF-John\src\Pkcs11Interop.PDF.Demo\DemoApp.cs:line 324

Kind Regards,
--
Regards
Kshama Porwal

Jaroslav Imrich

Jan 8, 2016, 2:53:52 AM
to Kshama Porwal, pkcs11...@googlegroups.com
Confirmed. That library does not implement PKCS#11 interface. Please consult your device documentation to find out the name/path of the correct library.

Regards, Jaroslav
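
The stack trace above fails inside C_GetFunctionList, the entry point every PKCS#11 library has to export. The following check is an added example, not part of the original thread or of Pkcs11Interop; the class and method names are hypothetical. It tests a DLL for that export before the path is given to the Pkcs11 constructor.

```csharp
// Added example: does this DLL export the PKCS#11 entry point C_GetFunctionList?
// Run it with the same bitness (x86/x64) as the application that will use the library.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class Pkcs11ExportCheck
{
    // Maps the image without running DllMain and without loading its dependencies,
    // so an unknown DLL is inspected rather than initialised.
    const uint DONT_RESOLVE_DLL_REFERENCES = 0x00000001;

    [DllImport("kernel32", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr LoadLibraryEx(string fileName, IntPtr reserved, uint flags);

    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr module, string procName);

    [DllImport("kernel32", SetLastError = true)]
    static extern bool FreeLibrary(IntPtr module);

    static bool ExportsPkcs11(string path)
    {
        IntPtr module = LoadLibraryEx(path, IntPtr.Zero, DONT_RESOLVE_DLL_REFERENCES);
        if (module == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error()); // missing file, wrong bitness, ...
        try
        {
            return GetProcAddress(module, "C_GetFunctionList") != IntPtr.Zero;
        }
        finally
        {
            FreeLibrary(module);
        }
    }

    static void Main(string[] args)
    {
        // Each argument is a candidate library path, e.g. the two eToken DLLs named in this thread.
        foreach (string path in args)
            Console.WriteLine("{0}: {1}", path,
                ExportsPkcs11(path) ? "exports C_GetFunctionList" : "not a PKCS#11 library");
    }
}
```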


Kshama Porwal

Jan 9, 2016, 1:05:32 AM
to Jaroslav Imrich, pkcs11...@googlegroups.com
Hi Jaroslav,
Thanks for confirming.
After digging a lot I found the eToken DLL in my file directory: "C:\\Windows\\System32\\eTPKCS11.dll".
Then I put in all the values as expected, and I am getting this error: Private key with label "lp-1c422290-1258-401a-a6f3-5370ed1404b8" and id "" was not found.
Can you please assist me with how I could find this key's CKA_LABEL/ckaId in my device?
I had used the OpenSC tool but with no success.

--
Regards
Kshama Porwal

Jaroslav Imrich

Jan 9, 2016, 12:27:53 PM
to Kshama Porwal, pkcs11...@googlegroups.com
It was already mentioned that the demo application lists all available tokens and keys and displays the values of the parameters you need. Here is an example:

Step #1: List available tokens (smartcards):
  Pkcs11Interop.PDF.Demo.exe
    --pkcs11-library "siecap11.dll"
    --list-tokens

Step #2: List private keys and certificates available on specified token (smartcard):
  Pkcs11Interop.PDF.Demo.exe
    --pkcs11-library "siecap11.dll"
    --list-objects
    --token-serial "7BFF2737350B262C"
    --token-label "Pkcs11Interop"
    --pin "11111111"

Step #3: Sign PDF document:
  Pkcs11Interop.PDF.Demo.exe
    --pkcs11-library "siecap11.dll"
    --sign
    --token-serial "7BFF2737350B262C"
    --token-label "Pkcs11Interop"
    --pin "11111111"
    --key-label "John Doe"
    --key-id "EC5E50A889B888D600C6E13CB0FDF0C1"
    --input-pdf "c:\temp\unsigned.pdf"
    --output-pdf "c:\temp\signed.pdf"
    --hash-alg "SHA256"
    --certs-dir "c:\temp\additional-certs"

Regards, Jaroslav
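
Steps #1 and #2 above, done directly against the Pkcs11Interop API, as an added example that is not part of the original thread or of the Pkcs11Interop.PDF project. It assumes the bool-based HighLevelAPI overloads that appear in this thread (later Pkcs11Interop releases changed these signatures); the class name and prompt text are hypothetical. The PIN is read interactively so that it does not appear on the command line.

```csharp
// Added example: print the token-serial/token-label and key-id/key-label values
// that the signing step expects, for every token the PKCS#11 library can see.
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

static class ListSigningKeys
{
    static void Main(string[] args)
    {
        string libraryPath = args[0]; // vendor PKCS#11 DLL, as discussed in this thread

        using (Pkcs11 pkcs11 = new Pkcs11(libraryPath, false))
        {
            foreach (Slot slot in pkcs11.GetSlotList(true)) // only slots with a token present
            {
                TokenInfo token = slot.GetTokenInfo();
                Console.WriteLine("token-serial=\"{0}\" token-label=\"{1}\"",
                    token.SerialNumber, token.Label);

                Console.Write("PIN (leave empty to skip this token): ");
                string pin = Console.ReadLine();
                if (string.IsNullOrEmpty(pin))
                    continue;

                using (Session session = slot.OpenSession(true)) // read-only is enough for listing
                {
                    session.Login(CKU.CKU_USER, pin); // private keys are only visible after login

                    var template = new List<ObjectAttribute>
                    {
                        new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY)
                    };
                    foreach (ObjectHandle key in session.FindAllObjects(template))
                    {
                        List<ObjectAttribute> attrs = session.GetAttributeValue(
                            key, new List<CKA> { CKA.CKA_ID, CKA.CKA_LABEL });
                        byte[] id = attrs[0].GetValueAsByteArray() ?? new byte[0];
                        Console.WriteLine("  key-id=\"{0}\" key-label=\"{1}\"",
                            BitConverter.ToString(id).Replace("-", ""), attrs[1].GetValueAsString());
                    }
                    session.Logout();
                }
            }
        }
    }
}
```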