Key object unwrapped via the Pkcs11Interop library is not persisted in the Thales Luna HSM

Problem description    Votes: 0    Answers: 1

I am using the Pkcs11Interop library in a .NET application to communicate with a Thales Luna HSM, and I am unwrapping an AES key with an RSA key using the CKM_RSA_PKCS mechanism.

However, although I get an object handle back from the unwrap call, the unwrapped AES key is not persisted in the HSM. I can even use the unwrapped AES key to encrypt some data with the same session object. Am I missing some parameter that prevents the unwrap call from persisting the key in the HSM? Here is the code snippet:

using System;
using System.Collections.Generic;
using System.Linq;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Assumed: the already-loaded PKCS#11 library is held in this field (not shown in the original post)
private IPkcs11Library pkcs11Library;

private void keyUnwrap() {
    // Hex-encoded wrapped AES key (the value was elided from the original post)
    string wrappedKey = "...";

    List<ISlot> allSlots = pkcs11Library.GetSlotList(SlotsType.WithTokenPresent);

    using (ISession session = allSlots[0].OpenSession(SessionType.ReadWrite)) {

        // Login as normal user
        session.Login(CKU.CKU_USER, "CO_PIN");

        // Get private key object
        IObjectHandle privateKey = findObject(session, CKO.CKO_PRIVATE_KEY, "Wrapping_RSA_Key_Pair_PRV");

        // Specify wrapping mechanism
        IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);

        // Define attributes for unwrapped key
        List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "Unwrapped_AES_Key"));

        // Unwrap key
        IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, privateKey, StringToByteArray(wrappedKey), objectAttributes);

        // Look the new key up again by its label
        IObjectHandle newkey = findObject(session, CKO.CKO_SECRET_KEY, "Unwrapped_AES_Key");

        if (newkey == null) {
            throw new Exception("Unwrapped object not found.");
        }
    }
}

private IObjectHandle findObject(ISession session, CKO objectClass, string label) {
    // Prepare attribute template that defines search criteria
    List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
    objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, objectClass));
    objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, label));

    // Initialize searching
    session.FindObjectsInit(objectAttributes);

    // Get search results (at most one handle)
    List<IObjectHandle> foundObjects = session.FindObjects(1);

    // Terminate searching
    session.FindObjectsFinal();

    if (foundObjects.Count > 0) {
        return foundObjects[0];
    }

    return null;
}

// Decode a hex string into the raw wrapped-key bytes
public static byte[] StringToByteArray(string hex) {
    return Enumerable.Range(0, hex.Length)
                     .Where(x => x % 2 == 0)
                     .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
                     .ToArray();
}

I tried to unwrap an AES key in a Thales Luna HSM using the .NET Pkcs11Interop library.

The unwrap succeeds, in that I get a handle to the unwrapped key and can use it to encrypt data in the same PKCS#11 session, but the unwrapped key is not persisted in the HSM, and that is the problem here.

c# pkcs11interop hardware-security-module unwrapping
1 answer

0 votes

You are missing the CKA_TOKEN attribute (see section 4.4 here).

objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));

(Additional note: also consider setting the CKA_PRIVATE attribute.)
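A template that applies the answer, plus a check that the key really outlives the session it was unwrapped in, as an added example (not the asker's code and not from Pkcs11Interop or Thales). It assumes the wrapping-key label from the question, a caller-supplied user PIN, the CKM_RSA_PKCS-wrapped key bytes and a label for the unwrapped key; it also sets CKA_SENSITIVE and CKA_EXTRACTABLE, which the page does not mention.

```csharp
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
// Added example, not the asker's or Pkcs11Interop's code; assumes the token holds "Wrapping_RSA_Key_Pair_PRV".
public static class PersistentUnwrap
{
    // CKA_TOKEN=true makes the unwrapped key outlive the session (the asker's template omitted it, so the
    // HSM made a session object); CKA_PRIVATE hides it until login; SENSITIVE/!EXTRACTABLE keep it in the HSM.
    public static List<IObjectAttribute> PersistentAesTemplate(ISession session, string label)
    {
        var f = session.Factories.ObjectAttributeFactory;
        return new List<IObjectAttribute>
        {
            f.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY),
            f.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES),
            f.Create(CKA.CKA_TOKEN, true),
            f.Create(CKA.CKA_PRIVATE, true),
            f.Create(CKA.CKA_SENSITIVE, true),
            f.Create(CKA.CKA_EXTRACTABLE, false),
            f.Create(CKA.CKA_ENCRYPT, true),
            f.Create(CKA.CKA_DECRYPT, true),
            f.Create(CKA.CKA_LABEL, label)
        };
    }
    static IObjectHandle FindByLabel(ISession s, CKO cls, string label)
    {
        var f = s.Factories.ObjectAttributeFactory;
        List<IObjectHandle> found = s.FindAllObjects(new List<IObjectAttribute> { f.Create(CKA.CKA_CLASS, cls), f.Create(CKA.CKA_LABEL, label) });
        return found.Count > 0 ? found[0] : null;
    }
    // Unwrap in one session, then verify from a second: a session object is gone by then, a token object is found.
    public static bool UnwrapAndVerifyPersisted(ISlot slot, string userPin, byte[] wrappedKey, string label)
    {
        using (ISession session = slot.OpenSession(SessionType.ReadWrite))
        {
            session.Login(CKU.CKU_USER, userPin);
            IObjectHandle rsaPriv = FindByLabel(session, CKO.CKO_PRIVATE_KEY, "Wrapping_RSA_Key_Pair_PRV");
            IMechanism mech = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);
            session.UnwrapKey(mech, rsaPriv, wrappedKey, PersistentAesTemplate(session, label));
            session.Logout();
        }
        using (ISession check = slot.OpenSession(SessionType.ReadOnly))
        {
            check.Login(CKU.CKU_USER, userPin); // private objects are invisible before login
            IObjectHandle key = FindByLabel(check, CKO.CKO_SECRET_KEY, label);
            return key != null && check.GetAttributeValue(key, new List<CKA> { CKA.CKA_TOKEN })[0].GetValueAsBool();
        }
    }
}
```

Creating a token object needs a read-write session, which is why the unwrap runs in `SessionType.ReadWrite` while the verification can use a read-only one.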
