我正在使用SafeNet的(Alladin)eToken和C#的PKCS11接口。 我需要将没有eToken创建的RSA密钥导入到eToken中。
通过以下方式创建RSA密钥:
RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();
RSAParameters publicKey = RSA.ExportParameters(false);
RSAParameters privateKey = RSA.ExportParameters(true);
eTokenHelper.WritePrivateKeyToToken(session, privateKey, "private");
以及上面WritePrivateKeyToToken的实现是:
public static void WritePrivateKeyToToken(PKCS11.Session session, System.Security.Cryptography.RSAParameters publicParams, string label)
{
List<PKCS11.Attribute> attList = new List<PKCS11.Attribute>{};
attList.Add(new PKCS11.Attribute(PKCS11.CKA_CLASS, PKCS11.CKO_PRIVATE_KEY));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_KEY_TYPE, PKCS11.CKK_RSA));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE, true));
//attList.Add(new PKCS11.Attribute(PKCS11.CKA_SUBJECT, cert.SubjectName.RawData));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_ID, 0xa1));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_LABEL, label));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_TOKEN, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODULUS, publicParams.Modulus));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_PUBLIC_EXPONENT, publicParams.Exponent));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE_EXPONENT, publicParams.D));
// attList.Add(new ObjectAttribute(PKCS11.CKH_CLOCK, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODIFIABLE, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_LOCAL, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_EXTRACTABLE, false));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_NEVER_EXTRACTABLE, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_SENSITIVE, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_ALWAYS_SENSITIVE, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_DERIVE, false));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_LOCAL, false));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_DECRYPT, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN_RECOVER, false));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_UNWRAP, false));
PKCS11.Object.Create(session, attList.ToArray());
}
当我运行此代码时,我得到代码
的异常public const int CKR_TEMPLATE_INCONSISTENT = 0x000000D1;
(异常出现在最后一行:Create())。
在理解我做错了什么的时候,我将不胜感激。
谢谢, RONEN
答案 0 :(得分:3)
我有一些问题。顺便说一句,您在代码中设置了两次PKCS11.CKA_LOCAL。它不是核心。不要设置属性PKCS11.CKA_LOCAL - 它会自动设置。如果设置为PKCS11.SENSITIVE,则无法设置CKA_EXTRACTABLE,CKA_NEVER_EXTRACTABLE和CKA_ALWAYS_SENSITIVE。
此代码应该有效:
List<PKCS11.Attribute> attList = new List<PKCS11.Attribute>{};
attList.Add(new PKCS11.Attribute(PKCS11.CKA_CLASS, PKCS11.CKO_PRIVATE_KEY));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_KEY_TYPE, PKCS11.CKK_RSA));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE, true));
//attList.Add(new PKCS11.Attribute(PKCS11.CKA_SUBJECT, cert.SubjectName.RawData));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_ID, 0xa1));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_LABEL, label));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_TOKEN, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODULUS, publicParams.Modulus));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_PUBLIC_EXPONENT, publicParams.Exponent));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE_EXPONENT, publicParams.D));
// attList.Add(new ObjectAttribute(PKCS11.CKH_CLOCK, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODIFIABLE, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_SENSITIVE, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_DERIVE, false));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_DECRYPT, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN, true));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN_RECOVER, false));
attList.Add(new PKCS11.Attribute(PKCS11.CKA_UNWRAP, false));
PKCS11.Object.Create(session, attList.ToArray());