pkcs11interop for Luna SA HSM
josh live
Hello,
I want to use SafeNet Luna SA HSM.
I have installed Luna client.
But I don’t know how to use it to link my account to retrieve my private key and certificate chain using .Net.
Does your libraries support it?
Thanks,
Josh
Jaroslav Imrich
PKCS#11 library which acts as a "HSM driver" gets usually installed along with the software provided by the HSM vendor (consult your HSM documentation for the exact library location). Pkcs11Interop should help you use that ANSI C library easily in your .NET application. Please take a look at the picture with Pkcs11Interop architecture [0] for more detailed explanation and focus yourself on the left side of the picture which displays layers of standard .NET application communicating with HSM via Pkcs11Interop.
More information about object retrieving can be found in one of the older threads [1] in our mailing list. We also provide code samples [2] covering all methods of PKCS#11 API.
[0] http://pkcs11interop.net/doc/
[1] https://groups.google.com/d/msg/pkcs11interop/Aazi3gcUiRM/cKWLF2XUQQUJ
[2] http://pkcs11interop.net/doc/examples.html
--
--
You received this message because you are subscribed to the Google Groups "Pkcs11Interop" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pkcs11intero...@googlegroups.com.
To post to this group, send email to pkcs11...@googlegroups.com.
Visit this group at http://groups.google.com/group/pkcs11interop.
josh live
Hi Jaroslav,
When I try pkcs11interop.PDF for my SafeNet HSM.
I got error on Pkcs11RsaSignature method.
The error is Value cannot be null.\r\nParameter name: value
at System.BitConverter.ToString(Byte[] value)
at Net.Pkcs11Interop.Common.ConvertUtils.BytesToHexString(Byte[] value)
at Net.Pkcs11Interop.PDF.Pkcs11RsaSignature.FindPrivateKey(String ckaLabel, Byte[] ckaId)
at Net.Pkcs11Interop.PDF.Pkcs11RsaSignature.InitializePkcs11Signature(String libraryPath, String tokenSerial, String tokenLabel, Byte[] pin, String ckaLabel, Byte[] ckaId, HashAlgorithm hashAlgorihtm)
at Net.Pkcs11Interop.PDF.Pkcs11RsaSignature..ctor(String libraryPath, String tokenSerial, String tokenLabel, String pin, String ckaLabel, String ckaId, HashAlgorithm hashAlgorihtm)
at Net.Pkcs11Interop.PDF.Tests.Pkcs11RsaSignatureExample.SignPdfDocument() in i:\josh-Document\Esign\PKCS11Interop.PDF\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF.Tests\Pkcs11RsaSignatureExample.cs:line 88
at testPkcs11InteropPDFSign.Program.Main(String[] args) in i:\josh-Document\Esign\PKCS11Interop.PDF\Pkcs11Interop.PDF-master\src\Pkcs11InteropPDFSign\testPkcs11InteropPDFSign\Program.cs:line 15
at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
josh live
Hi Jaroslav,
I can get private key, but cannot get certificate
byte[] signingCertificate = pkcs11RsaSignature.GetSigningCertificate();
use List<ObjectHandle> foundObjects = session.FindAllObjects(privateKeyAttributes);
can see all my handles including certificates
What is wrong in GetSigningCertificate()
Thank you,
Josh
Jaroslav Imrich
Jaroslav Imrich
josh live
at System.BitConverter.ToString(Byte[] value)
at Net.Pkcs11Interop.Common.ConvertUtils.BytesToHexString(Byte[] value)
at Net.Pkcs11Interop.PDF.Pkcs11RsaSignature.GetSigningCertificate()
at Net.Pkcs11Interop.PDF.Tests.Pkcs11RsaSignatureExample.SignPdfDocument() in i:\josh-Document\Esign\PKCS11Interop.PDF\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF.Tests\Pkcs11RsaSignatureExample.cs:line 91
Jaroslav Imrich
I have sent exception in previous email. Another question is why pkcs11RsaSignature has non-public member?
josh live
Hi Jaroslav,
Which certificate label I can rename as same as private key label?
I have 3 certificates that GlobalSign generated, and imported to HSM.
Thank you,
Josh
From: Jaroslav Imrich [mailto:jarosla...@gmail.com]
Sent: Thursday, August 6, 2015 2:26 PM
To: pkcs11...@googlegroups.com
Cc: josh....@live.ca
Subject: Re: [pkcs11interop] pkcs11interop for Luna SA HSM
Hello Josh,
josh live
Hi Jaroslav,
When I create CSR file, I used same label name for private handle.
Cmu requestcertificate , it ask me select privatehandle, the privatehandle is same as private key label (privatekey_securesign)
Thank you,
Josh
From: Jaroslav Imrich [mailto:jarosla...@gmail.com]
Sent: Thursday, August 6, 2015 2:26 PM
To: pkcs11...@googlegroups.com
Cc: josh....@live.ca
Subject: Re: [pkcs11interop] pkcs11interop for Luna SA HSM
Hello Josh,
josh live
Hi Jaroslav,
They are same label name for privatekey_securesign and GlobalSignAdobeCATest
From: Jaroslav Imrich [mailto:jarosla...@gmail.com]
Sent: Thursday, August 6, 2015 2:26 PM
To: pkcs11...@googlegroups.com
Cc: josh....@live.ca
Subject: Re: [pkcs11interop] pkcs11interop for Luna SA HSM
Hello Josh,
josh live
Sent: Thursday, August 6, 2015 2:44 PM
To: 'Jaroslav Imrich' <jarosla...@gmail.com>; pkcs11...@googlegroups.com
Jaroslav Imrich
please take a look at Pkcs11Interop.PDF.Demo console application which is part of the solution. It can list all the objects present on the device (see bellow for the usage). Send me the list of your objects privately and I should be able to guide you and most likely also resolve your pairing problem.
C:\Pkcs11Interop.PDF\src\Pkcs11Interop.PDF.Demo\bin\Release>Pkcs11Interop.PDF.Demo.exe
Demonstration application for Pkcs11Interop.PDF library
Copyright (c) 2013-2014 JWC s.r.o. <http://www.jwc.sk>
Author: Jaroslav Imrich <jim...@jimrich.sk>
Example usage:
List available tokens (smartcards):
Pkcs11Interop.PDF.Demo.exe
--pkcs11-library "siecap11.dll"
--list-tokens
List private keys and certificates available on specified token (smartcard):
Pkcs11Interop.PDF.Demo.exe
--pkcs11-library "siecap11.dll"
--list-objects
--token-serial "7BFF2737350B262C"
--token-label "Pkcs11Interop"
--pin "11111111"
Sign PDF document:
Pkcs11Interop.PDF.Demo.exe
--pkcs11-library "siecap11.dll"
--sign
--token-serial "7BFF2737350B262C"
--token-label "Pkcs11Interop"
--pin "11111111"
--key-label "John Doe"
--key-id "EC5E50A889B888D600C6E13CB0FDF0C1"
--input-pdf "c:\temp\unsigned.pdf"
--output-pdf "c:\temp\signed.pdf"
--hash-alg "SHA256"
--certs-dir "c:\temp\additional-certs"
josh live
Hi Jaroslav,
I have changed certificate GlobalSignAdobeCATest to privatekey_securesign as same label. The problem has been solved.
I got another error on ICollection<Org.BouncyCastle.X509.X509Certificate> certPath = CertUtils.BuildCertPath(signingCertificate, otherCertificates);
“Provided certificates do not contain self-signed root certificate"
at Net.Pkcs11Interop.PDF.CertUtils.BuildCertPath(Byte[] signingCertificate, List`1 otherCertificates)
at Net.Pkcs11Interop.PDF.Tests.Pkcs11RsaSignatureExample.SignPdfDocument() in i:\josh-Document\Esign\PKCS11Interop.PDF\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF.Tests\Pkcs11RsaSignatureExample.cs:line 97
at testPkcs11InteropPDFSign.Program.Main(String[] args) in i:\josh-Document\Esign\PKCS11Interop.PDF\Pkcs11Interop.PDF-master\src\Pkcs11InteropPDFSign\testPkcs11InteropPDFSign\Program.cs:line 15
at System.AppDomain._nExecuteAssembly(RuntimeAssembly assembly, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
From: Jaroslav Imrich [mailto:jarosla...@gmail.com]
Sent: Thursday, August 6, 2015 2:56 PM
To: pkcs11...@googlegroups.com
Jaroslav Imrich
I have changed certificate GlobalSignAdobeCATest to privatekey_securesign as same label. The problem has been solved.
I got another error on ICollection<Org.BouncyCastle.X509.X509Certificate> certPath = CertUtils.BuildCertPath(signingCertificate, otherCertificates);
“Provided certificates do not contain self-signed root certificate"
josh live
Hi Jaroslav,
I have imported all certificates (3) in HSM, and pkcs11RsaSignature.GetAllCertificates() is done.
I checked your code
foreach (byte[] otherCertificate in otherCertificates)
{
BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate);
otherCerts.Add(ToBouncyCastleObject(otherCertificate));
if (IsSelfSigned(otherCert))
trustAnchors.Add(new TrustAnchor(otherCert, null));
}
Why I need read CA again? The certificates should include CA. I imported all of them in HSM
Thanks,
Josh
From: Jaroslav Imrich [mailto:jarosla...@gmail.com]
Sent: Thursday, August 6, 2015 3:24 PM
To: pkcs11...@googlegroups.com
Cc: josh live <josh....@live.ca>
Subject: Re: [pkcs11interop] pkcs11interop for Luna SA HSM
Hey Josh,
josh live
I already get 3 certificates.
From: Jaroslav Imrich [mailto:jarosla...@gmail.com]
Sent: Thursday, August 6, 2015 3:24 PM
To: pkcs11...@googlegroups.com
Cc: josh live <josh....@live.ca>
Subject: Re: [pkcs11interop] pkcs11interop for Luna SA HSM
Hey Josh,
Jaroslav Imrich
Nilesh Chaudhari
Dear Jaroslav
I am also struggling the same issue mentioned in the above cases as
1.I had check whether slots is present in HSM or not as like
if (string.IsNullOrEmpty(libraryPath))
throw new ArgumentNullException("libraryPath");
_pkcs11 = new Pkcs11(libraryPath, true);
_slot = GetUsableSlot(_pkcs11); //FindSlot(tokenSerial, tokenLabel);
I have create one methods to pass pkcss clas directly as
//NILESH
private Slot GetUsableSlot(Pkcs11 pkcs11)
{
// Get list of available slots
List<Slot> slots = pkcs11.GetSlotList(true);
// Let's use first slot with token present
return slots[0];
}
but i want to know
FindSlot(tokenSerial, tokenLabel) is not executed whether i had passed tokenlabel which is same as HSM slots.Please guide
2.Issue is Provided certificates do not contain self-signed root certificate I have do same as you mentioned solution but failed to execute
1. Import all required certificates to HSM and then use only GetAllCertificates() method of Pkcs11RsaSignature class to read them
2. Read CA certificates from somewhere else just like Pkcs11Interop.PDF.Demo.exe application does
error raise @
ICollection<Org.BouncyCastle.X509.X509Certificate> certPath = CertUtils.BuildCertPath(signingCertificate, otherCertificates);
Please guide me I am so struggling on same issue
Regards
Nilesh
josh zhang
There is two key point,
1) get root certificate from your certificate provider, e. g. Adobe root certificate
2) the label of public and private has to been same in your HSM
Josh Zhang
Nilesh Chaudhari
I have done one suggested solution by you i.e. label name is same for public and private and another i have trying if you have any other solution then let me know
Regards
Nilesh
Jaroslav Imrich
I am sorry but I am not sure what is "the same issue mentioned in the above cases" and I currently cannot read all 20+ older posts so I am blocking further replies to this old thread.
Please post your problem again to this mailing list with a new subject and please don't forget to include the exception you are getting along with the full stacktrace otherwise I won't be able to help you.
Regards, Jaroslav