我在 .Net 应用程序中使用 Pkcs11Interop 库与 Thales Luna HSM 进行通信。并使用 CKM_RSA_PKCS 机制通过 RSA 密钥解开 AES 密钥。
但是,尽管我通过解包调用获取了对象句柄,但解包的 AES 密钥并未保留在 HSM 中。我什至可以使用相同的会话对象使用未包装的 AES 密钥加密一些数据。我是否缺少任何禁止使用展开调用在 HSM 中保留密钥的参数?这是代码片段:
private void keyUnwrap() {
string wrappedKey = "81C6CAD32431D506113CB07A515422ED55779CEE8B8A927C9898496F3209EC115EACAE2F59673A5F1423C6878A99FAD68E9741876A2605B2969953918BB9F6D15A4120A12F69EB2C752E8634B11ABB8FD709C072765361A0FAD7877CC3B8A78F500B4E3C8107BBDBE2DB0E82061EFB6E9FC885CAC5D0575324350D2FCAA08C89401F3B6ABEFA425A922A6A0F9FD2F61FCF37DDF9F7BF918B7C2C9228F033AC3EC2F35561FA0F7D397245CC37B2BEEDFB8028A0249DB8A7D13B22384C474629473FF153BAEEA06659F2A1B521066CB39835C7B3F18D7D33249834AC9667718564A2F8E46AA40A9EB7DFC365BA9C5A784599A2D99BD2F4E1462C849E2ED54D448B";
List<ISlot> allSlots = pkcs11Library.GetSlotList(SlotsType.WithTokenPresent);
using (ISession session = slot[0].OpenSession(SessionType.ReadWrite)) {
// Login as normal user
session.Login(CKU.CKU_USER, "CO_PIN");
// get private key object
IObjectHandle privateKey = findObject(session, CKO.CKO_PRIVATE_KEY, "Wrapping_RSA_Key_Pair_PRV");
// Specify wrapping mechanism
IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);
// Define attributes for unwrapped key
List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "Unwrapped_AES_Key"));
// Unwrap key
IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, privateKey, StringToByteArray(wrappedKey), objectAttributes);
IObjectHandle newkey = findObject(session, CKO.CKO_SECRET_KEY, "Unwrapped_AES_Key");
if (newkey == null) {
throw new Exception("Unwrapped object nit found.");
}
}
}
private IObjectHandle findObject(ISession session, CKO objectClass, string label) {
// Prepare attribute template that defines search criteria
List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, objectClass));
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, label));
// Initialize searching
session.FindObjectsInit(objectAttributes);
// Get search results
List<IObjectHandle> foundObjects = session.FindObjects(1);
// Terminate searching
session.FindObjectsFinal();
if (foundObjects.Count > 0) {
return foundObjects[0];
}
return null;
}
public static byte[] StringToByteArray(string hex)
{
return Enumerable.Range(0, hex.Length)
.Where(x => x % 2 == 0)
.Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
.ToArray();
}
我尝试使用 .Net Pkcs11Interop 库在 Thales Luna HSM 中解开 AES 密钥。
解包成功,因为我获得了解包密钥的句柄,并且可以在同一 pkcs11 会话中使用它来加密数据,但解包密钥不会保留在 HSM 中,这就是这里的问题。
您缺少
CKA_TOKEN
属性(请参阅第 4.4 节此处)。
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
(附加说明 - 也请考虑设置
CKA_PRIVATE
属性。)