Parameters passed to the constructor of the Net.Pkcs11Interop.PDF.Pkcs11RsaSignature class identify the following things:
- which PKCS#11 library should be used (libraryPath)
- which token/smartcard stores the private key (tokenSerial and/or tokenLabel)
- which private key should be used for signing (ckaLabel and/or ckaId)
- which hash algorithm should be used during signature creation (hashAlgorithm)
If you know which PKCS#11 library should be used to access the smartcard, then you can determine the correct values for the rest of the parameters i.e. by running the pkcs11-tool utility which is bundled with the OpenSC middleware. Please find below the exact command and the output generated for my testing card (important parts are highlighted with bold text):
C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module cardos11.dll --list-slots --list-objects --login --pin 11111111
Available slots:
Slot 0 (0x1): SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
token label : Pkcs11Interop
token manufacturer : www.atos.net/cardos
token model : CardOS V4.3B
token flags : rng, login required, PIN initialized, token initialized, other flags=0x800
hardware version : 102.63
firmware version : 200.8
serial num : 7BFF2737350B262C
Using slot 0 with a present token (0x1)
Private Key Object; RSA
label: John Doe
ID: ec5e50a889b888d600c6e13cb0fdf0c1
Usage: sign
Certificate Object, type = X.509 cert
label: John Doe
ID: ec5e50a889b888d600c6e13cb0fdf0c1
Based on this output these are the correct values of individual parameters for this card:
- libraryPath="cardos11.dll"
- tokenSerial="7BFF2737350B262C" and/or tokenLabel="Pkcs11Interop"
- ckaLabel="John Doe" and/or ckaId="ec5e50a889b888d600c6e13cb0fdf0c1"
Hope this helps.
Update for ObjectNotFoundException:
You are getting ObjectNotFoundException because there are two private keys with exactly the same label and ID stored in your token, and therefore the Pkcs11RsaSignature class cannot be sure which one should be used for signature creation. Just delete or rename one of them and it should work.
Update for SoftHSM:
You can import a PKCS#8 private key into SoftHSM with the softhsm.exe tool:
C:\SoftHSM\bin>softhsm.exe --import doe.key --slot 0 --label "John Doe" --pin 11111111 --id "ec5e50a889b888d600c6e13cb0fdf0c1"
The key pair has been imported to the token in slot 0.
You can import a DER encoded X.509 certificate into SoftHSM with the pkcs11-tool.exe tool:
C:\SoftHSM\bin>"c:\Program Files (x86)\OpenSC Project\OpenSC\tools\pkcs11-tool.exe" --module libsofthsm.dll --login --pin 11111111 --write-object doe.der --type cert --label "John Doe" --id "ec5e50a889b888d600c6e13cb0fdf0c1"
Using slot 0 with a present token (0x0)
Created certificate:
Certificate Object, type = X.509 cert
label: John Doe
ID: ec5e50a889b888d600c6e13cb0fdf0c1
Just make sure you import the certificate with the same ID as the ID of the private key.
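
The two checks described in this answer (only one private key per label/ID pair, and a certificate stored under the same ID as the private key) can be run against `pkcs11-tool --list-slots --list-objects` output before calling the signer. The following Python sketch is an added example, not part of the original answer or of Pkcs11Interop.PDF; `parse` and `check` are hypothetical helper names, and the sample text is constructed from the output above with a duplicated private key.

```python
import re
from collections import Counter

# Constructed sample modelled on the pkcs11-tool output above, with a second
# private key sharing the same label and ID to reproduce the ambiguous case.
SAMPLE = """\
Slot 0 (0x1): SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
  token label        : Pkcs11Interop
  serial num         : 7BFF2737350B262C
Using slot 0 with a present token (0x1)
Private Key Object; RSA
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
  Usage:      sign
Private Key Object; RSA
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
Certificate Object, type = X.509 cert
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
"""

def parse(text):
    """Return (token, objects) parsed from pkcs11-tool listing text."""
    token, objects = {}, []
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"(Private Key|Public Key|Certificate) Object", line)
        field = re.match(r"(token label|serial num|label|ID)\s*:\s*(.+)", line)
        if head:
            objects.append({"kind": head.group(1)})
        elif field and field.group(1) in ("token label", "serial num"):
            token[field.group(1)] = field.group(2)  # tokenLabel / tokenSerial
        elif field and objects:
            objects[-1][field.group(1)] = field.group(2)  # ckaLabel / ckaId
    return token, objects

def check(objects):
    """List problems that would stop a key from being selected unambiguously."""
    keys = [(o.get("label"), o.get("ID")) for o in objects if o["kind"] == "Private Key"]
    cert_ids = {o.get("ID") for o in objects if o["kind"] == "Certificate"}
    problems = [f"ambiguous private key {k}: {n} objects"
                for k, n in Counter(keys).items() if n > 1]
    problems += [f"no certificate with ID {i}" for _, i in set(keys) if i not in cert_ids]
    return problems

if __name__ == "__main__":
    token, objects = parse(SAMPLE)
    print(token, check(objects))
```
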