Question

I am trying to set up an example application with the Pkcs11Interop.PDF extension. I am unfortunately getting a System.ArgumentNullException setting the ckaId. What would work here? I tried different numbers here which all gave me a System.ArgumentOutOfRangeException.

The setup is using the VirtualCryptoki-64-1.0.6.7.exe application to simulate a Smartcard.

The troubling call is:

pkcs11RsaSignature = new Pkcs11RsaSignature(libraryPath, tokenSerial, tokenLabel, pin, ckaLabel, ckaId, hashAlgorithm);

The hash algorithm I use is:

HashAlgorithm hashAlgorithm = HashAlgorithm.SHA256;

Update after using the pkcs11-tool:

The content of the virtual card is:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module "C:\windows\System32\vcki.dll" --list-slots --list-objects --login --pin 1234
Available slots:
Slot 0 (0xd47db04d): Virtual Smart Card Reader
  token label:   Virtual SC-A0101010101
  token manuf:   Cryptware
  token model:   VirtualSmartCard
  token flags:   rng, login required, PIN initialized, token initialized, other flags=0x200
  serial num  :
Using slot 0 with a present token (0xd47db04d)
Certificate Object, type = X.509 cert
  label:      ibisit
  ID:         4a656e73204b6175666d616e6e
Public Key Object; RSA 1024 bits
  label:      ibisit
  ID:         4a656e73204b6175666d616e6e
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      ibisit
  ID:         4a656e73204b6175666d616e6e
  Usage:      decrypt, sign
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Public Key Object; RSA 1024 bits
  label:      ibisit
  ID:         4a656e73204b6175666d616e6e
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      ibisit
  ID:         4a656e73204b6175666d616e6e
  Usage:      decrypt, sign
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

The parameters I use are:

string libraryPath = @"C:\Windows\System32\vcki.dll";
string tokenSerial = null;
string tokenLabel = @"Virtual SC-A0101010101";
string pin = @"1234";
string ckaLabel = @"ibisit";
string ckaId = "4a656e73204b6175666d616e6e";
HashAlgorithm hashAlgorithm = HashAlgorithm.SHA256;

I am unfortunately getting a Net.Pkcs11Interop.PDF.ObjectNotFoundException setting the ckaId. Changing the pin gives me a different exception, so I am definitely accessing the right device here.

Update after switching to SoftHSM: jariq stated that too many objects with the same id were the problem here. Unfortunately the Virtual Key Explorer would not let me delete any object, so I switched to SoftHSM (which I was using at the beginning). I am getting "Certificate with label "ibis-it key" and id "A1B2" was not found". I suppose the problem here is that this virtual card only holds an RSA key pair, not a certificate.

The output of the pkcs11-tool is:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module "C:\SoftHSM\lib\libsofthsm.dll" --list-slots --list-objects --login --pin smart
Available slots:
Slot 0 (0x0): SoftHSM
  token label:   SoftHSM
  token manuf:   SoftHSM
  token model:   SoftHSM
  token flags:   rng, login required, PIN initialized, token initialized, other flags=0x40
  serial num  :  1
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      ibis-it key
  ID:         a1b2
  Usage:      verify
Private Key Object; RSA
  label:      ibis-it key
  ID:         a1b2
  Usage:      sign

The problem is that SoftHSM only imports PKCS#8 (RSA) key pairs, so there will never be a certificate here. I suppose you have been using it with RSA key pairs but not with certificates.


Solution

Parameters passed to the constructor of Net.Pkcs11Interop.PDF.Pkcs11RsaSignature class identify following things:

  • which PKCS#11 library should be used (libraryPath)
  • which token/smartcard stores the private key (tokenSerial and/or tokenLabel)
  • which private key should be used for signing (ckaLabel and/or ckaId)
  • which hash algorithm should be used during signature creation (hashAlgorithm)

If you know which PKCS#11 library should be used to access the smartcard, then you can determine the correct values for the rest of the parameters, e.g. by running the pkcs11-tool utility which is bundled with OpenSC middleware. Please find below the exact command and the output generated for my testing card (important parts are highlighted with bold text):

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module cardos11.dll --list-slots --list-objects --login --pin 11111111
Available slots:
Slot 0 (0x1): SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
  token label        : Pkcs11Interop
  token manufacturer : www.atos.net/cardos
  token model        : CardOS V4.3B
  token flags        : rng, login required, PIN initialized, token initialized, other flags=0x800
  hardware version   : 102.63
  firmware version   : 200.8
  serial num         : 7BFF2737350B262C
Using slot 0 with a present token (0x1)
Private Key Object; RSA
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1

Based on this output these are the correct values of individual parameters for this card:

  • libraryPath="cardos11.dll"
  • tokenSerial="7BFF2737350B262C" and/or tokenLabel="Pkcs11Interop"
  • ckaLabel="John Doe" and/or ckaId="ec5e50a889b888d600c6e13cb0fdf0c1"

Hope this helps.

Update for ObjectNotFoundException:

You are getting ObjectNotFoundException because there are two private keys with the exact same label and ID stored in your token, and therefore the Pkcs11RsaSignature class cannot be sure which one should be used for signature creation. Just delete or rename one of them and it should be working.

Update for SoftHSM:

You can import PKCS#8 private key to SoftHSM with softhsm.exe tool:

C:\SoftHSM\bin>softhsm.exe --import doe.key --slot 0 --label "John Doe" --pin 11111111 --id "ec5e50a889b888d600c6e13cb0fdf0c1"
The key pair has been imported to the token in slot 0.

You can import DER encoded X.509 certificate to SoftHSM with pkcs11-tool.exe tool:

C:\SoftHSM\bin>"c:\Program Files (x86)\OpenSC Project\OpenSC\tools\pkcs11-tool.exe" --module libsofthsm.dll --login --pin 11111111 --write-object doe.der --type cert --label "John Doe" --id "ec5e50a889b888d600c6e13cb0fdf0c1"
Using slot 0 with a present token (0x0)
Created certificate:
Certificate Object, type = X.509 cert
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1

Just make sure you import the certificate with the same ID as the ID of the private key.
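A checker for these constructor parameters, added here as an example and not part of Pkcs11Interop.PDF or OpenSC: it parses the `pkcs11-tool --list-objects` listings of the kind shown in the question and the answer, then applies the rules the answer gives before any signing is attempted, namely that exactly one private key may match ckaLabel and/or ckaId, that the key should carry the sign usage, and that a certificate with the same label and ID must be present (the missing-certificate error message in the question names both). It reports the duplicate-key case from the first update and the key-pair-without-certificate case from the SoftHSM update. The CardOS and SoftHSM listings are copied from the page with the slot lines trimmed; the duplicate listing is constructed from the answer's hypothetical "John Doe" objects. Treating ckaId as case-insensitive hex (so the question's "A1B2" lines up with the "a1b2" the tool prints) is this example's assumption, and `P11Object`, `parse_list_objects` and `diagnose` are the example's own names.

```python
import re
from dataclasses import dataclass


@dataclass
class P11Object:
    """One object as printed by `pkcs11-tool --list-objects`."""
    cls: str                 # "Private Key", "Public Key" or "Certificate"
    label: str = None        # CKA_LABEL
    id: str = None           # CKA_ID as lower-case hex (the form ckaId is given in)
    usage: tuple = ()        # e.g. ("decrypt", "sign")


HEADER_RE = re.compile(r"^(Private Key|Public Key|Certificate) Object")


def parse_list_objects(text):
    """Turn pkcs11-tool's text output into P11Object records.
    Slot/token lines, 'Using slot' lines and warnings carry no object
    attributes and simply end the current object block."""
    objs, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = P11Object(cls=m.group(1))
            objs.append(cur)
        elif cur is not None and line.startswith("  "):
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if key == "label":
                cur.label = value
            elif key == "ID":
                cur.id = value.lower()
            elif key == "Usage":
                cur.usage = tuple(u.strip() for u in value.split(","))
        else:
            cur = None
    return objs


def diagnose(listing, cka_label=None, cka_id=None):
    """Apply the selection rules from the answer and say why signing would
    fail. Returns (status, detail); status is "ok", "no-key", "ambiguous",
    "no-sign-usage" or "no-cert"."""
    if cka_label is None and cka_id is None:
        raise ValueError("ckaLabel and/or ckaId must be given")
    objs = parse_list_objects(listing)
    want_id = cka_id.lower() if cka_id is not None else None  # assumption: hex is case-insensitive
    keys = [o for o in objs if o.cls == "Private Key"
            and (cka_label is None or o.label == cka_label)
            and (want_id is None or o.id == want_id)]
    if not keys:
        return "no-key", "no private key matches label=%r id=%r" % (cka_label, cka_id)
    if len(keys) > 1:
        # Two candidates: the library cannot pick one (ObjectNotFoundException in the question)
        return "ambiguous", "%d private keys share label=%r id=%r; delete or rename all but one" % (
            len(keys), cka_label, cka_id)
    key = keys[0]
    if key.usage and "sign" not in key.usage:
        return "no-sign-usage", "private key %r has usage %r, not sign" % (key.label, key.usage)
    certs = [o for o in objs if o.cls == "Certificate" and o.label == key.label and o.id == key.id]
    if not certs:
        # The SoftHSM case: key pair imported, certificate never written with the key's CKA_ID
        return "no-cert", "no certificate with label=%r id=%s; import one with the key's CKA_ID" % (
            key.label, key.id)
    return "ok", "sign with private key %r / %s; matching certificate present" % (key.label, key.id)


# Copied from the answer's CardOS listing (slot and token lines trimmed).
CARDOS_LISTING = """\
Using slot 0 with a present token (0x1)
Private Key Object; RSA
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
"""

# Constructed: the duplicate-key situation from the question's first update, using John Doe names.
DUPLICATE_LISTING = """\
Private Key Object; RSA
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
  Usage:      decrypt, sign
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
  Usage:      decrypt, sign
Certificate Object, type = X.509 cert
  label:      John Doe
  ID:         ec5e50a889b888d600c6e13cb0fdf0c1
"""

# Copied from the question's SoftHSM listing: a key pair and no certificate.
SOFTHSM_LISTING = """\
Public Key Object; RSA 2048 bits
  label:      ibis-it key
  ID:         a1b2
  Usage:      verify
Private Key Object; RSA
  label:      ibis-it key
  ID:         a1b2
  Usage:      sign
"""

if __name__ == "__main__":
    for name, listing, label, cid in [
        ("CardOS", CARDOS_LISTING, "John Doe", "ec5e50a889b888d600c6e13cb0fdf0c1"),
        ("duplicates", DUPLICATE_LISTING, "John Doe", None),
        ("SoftHSM", SOFTHSM_LISTING, "ibis-it key", "A1B2"),
    ]:
        print(name, *diagnose(listing, label, cid))
```

Run it with a listing captured from your own token (`pkcs11-tool --module <lib> --list-objects --login --pin <pin>`) and the ckaLabel/ckaId you intend to pass; a status other than "ok" tells you which of the answer's fixes applies (delete or rename the extra key, or import the certificate with the private key's ID) before you build a Pkcs11RsaSignature.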

Licensed under: CC-BY-SA with attribution