Integrating pkcs11interop with Nitrokey HSM

[Atul Ilwadi]

Hello 

We need to integrate NitroKey HSM in .net application . We need to Decrpyt the data using the Private key stored in HSM. 

Library which I got from Nitrokey is OPENSC for Windows 

https://sourceforge.net/projects/opensc/files/OpenSC/opensc-0.16.0/OpenSC-0.16.0-win64_vs12-Release.msi/download

I was able to create Public and Private Keys in HSM using pkcs11-tool.exe of OpenSC . 

Also was able to get the Objects using FindObjects

How to use DECRYPT Method . Please advise as we are stuck on this now . 

session.Decrypt(mechanism, generatedKey, encryptedData);

what will be generatedKey parameter in this function?? And how to pass it 

I assume we have to pass the objecthandle of Private key to above function. How to get that from Findobjects. 

Regards

Atul

[Atul Ilwadi]

Hello 

In continuation , we tried few things to Decrypt but it gave error : 

Code :

 

var publicKey = "<RSAKeyValue><Modulus>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3duNs0t/tFQkyJkepyUAld4q8OoVsxXr0gGdFDqtrdAXQc2/EiumoYtPVFktg3GUn8Nn1C2c9BPwBxO2qRhRF75+puCJr4UrV2SMHTrjLR/2NolTMXFsbaT3/OZ+IL+7SViq+Cr2Wugrwbdc6+xOwMJkzShWI0xia4b1sH5qeB9kikDhR85teTh8OWDFNp3sQNGPOGbU4OAXSTZIQcP9caYZKedtNMuV8krF/qL/EpeityhUE/hoCVMP6t8sfwGRuMSZBk5LLMjQx9p2uiM3xfy/GRCxTR7RxVrNwYct1TpvMS1GShOniHIja7t6SBIBB+Qw+gJAeDcuIReJnhyJTQIDAQAB</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>";

 

        var strSymetricKey = Encoding.UTF8.GetBytes("MySym_V9PkaVK38U_Key");

 

        using (var rsa = new RSACryptoServiceProvider(2048))

        {

 

            // client encrypting data with public key issued by server

            //

            rsa.FromXmlString(publicKey);

            var encryptedSymetricKey = rsa.Encrypt(strSymetricKey, true);

 

            var base64EncryptedSymetricKey = Convert.ToBase64String(encryptedSymetricKey);

 

            using (Pkcs11 pkcs11 = new Pkcs11(pkcs11LibraryPath, false))

            {

                Slot slot1 = Helpers.GetUsableSlot(pkcs11);

 

                // Open RW session

                using (Session session = slot1.OpenSession(false))

                {

                    // Login as normal user

                    session.Login(CKU.CKU_USER, "648219");

                    // Let's create two objects so we can find something

                    ObjectHandle objectHandle1 = Helpers.CreateDataObject(session);

                    ObjectHandle objectHandle2 = Helpers.CreateDataObject(session);

                    // Prepare attribute template that defines search criteria

                    List<ObjectAttribute> objectAttributes = new List<ObjectAttribute>();

                    objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_DATA));

                    objectAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));

                   

                    // Initialize searching

                    session.FindObjectsInit(objectAttributes);

 

                    // Get search results

                    List<ObjectHandle> foundObjects = session.FindObjects(2);

 

                    // Terminate searching

                    session.FindObjectsFinal();

 

                    // Do something interesting with found objects

                    if (foundObjects.Count >= 2)

                    {

                        byte[] iv = session.GenerateRandom(8);

                        // Specify encryption mechanism with initialization vector as parameter

                        Mechanism mechanism = new Mechanism(CKM.CKM_RSA_PKCS, iv);

                        // Decrypt data

                        byte[] decryptedData = session.Decrypt(mechanism, foundObjects.Last(), encryptedSymetricKey);

 

                        // Do something interesting with decrypted data

                        // Assert.IsTrue(Convert.ToBase64String(sourceData) == Convert.ToBase64String(decryptedData));

                    }

 

                    session.DestroyObject(objectHandle2);

                    session.DestroyObject(objectHandle1);

 

                    session.Logout();

[Atul Ilwadi]

Hello Jaroslav

 

Thanks for all the support you have provided till now . We were able to do the Encrypt/decrypt the Database keys using RSA Keys stored in Nitrokey HSM and your pkcs11interop library.

 

Application and Decryption is working fine now. We Created pem file of the Public key and this link helped us how to use it http://stackoverflow.com/questions/11506891/how-to-load-the-rsa-public-key-from-file-in-c-sharp

 

However we are facing a strange issue in Accessing the OpenSC PKCS#11 library when multiple users access it at same time.

 

Please note that we have a asp.net web Application hosted on Windows 2012 R2 Server using IIS . On Every Application LOGIN  (whenever any users Login to the Application) , we access the OpenSC PKCS#11 library for pkcs11LibraryPath as per :

 

https://github.com/Pkcs11Interop/Pkcs11Interop/blob/3.2.0/doc/GETTING_STARTED.md

 

 

Steps we have taken is :

1. 1)Path of the Library is in the Bin Folder
   

<add key="pkcs11LibraryPath" value="C:\inetpub\vhosts\amytest.risqgroup.com\httpdocs\amy\bin\opensc-pkcs11.dll"/>

1. 2)Bin Folder have NETWORK SERVICE and LOCAL SERVICE FULL Permissions
   
2. 3)Application POOL in IIS is set as LOCAL SERVICE (as suggested in your Google Groups)
   

 

Issues we are facing:

1)      When Multiple users are trying to Login to Application at the same time , since it loads the pkcs11library at Login instance , the Application POOL of IIS Hangs

2)      Also we get the error as “HSM Not found” when the IIS Process hangs

3)      Application Pool throws JIT Exception for w3wp.exe

4)      Please note that if only one users access the application (or Multiple users access the application at time Intervals) then it works FINE

 

Request you to please suggest or Help us in this to Complete the HSM Integration process.

Regards

Atul 

On Tuesday, 16 August 2016 16:00:58 UTC+5:30, Atul Ilwadi wrote: