我在使用 NCryptoki 将证书导入 Aladdin eToken 时遇到了问题。
// NOTE(review): `test.cer` is not a string literal; presumably a file path such as "test.cer" was intended.
X509Certificate2 cert = new X509Certificate2(test.cer);
// CKA_ID is how PKCS#11 clients pair a certificate with its private key: use the same
// CKA_ID the key pair on the token already has, not an arbitrary value.
byte[] id = Encoding.ASCII.GetBytes("MyKeyPairID");
CryptokiCollection template = new CryptokiCollection();
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_CERTIFICATE));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CERTIFICATE_TYPE, Certificate.CKC_X_509));
// Persistent token object; certificates are public data, so CKA_PRIVATE = false is the normal choice.
template.Add(new ObjectAttribute(ObjectAttribute.CKA_TOKEN, true));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_PRIVATE, false));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_LABEL, "MyLabel"));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, id));
// DER-encoded subject name (this one is fine).
template.Add(new ObjectAttribute(ObjectAttribute.CKA_SUBJECT, cert.SubjectName.RawData));
// BUG: cert.Issuer is a display string; CKA_ISSUER must be the DER-encoded issuer Name
// (the counterpart of SubjectName.RawData above).
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ISSUER, cert.Issuer));
// BUG: GetRawCertData() is the entire certificate; CKA_SERIAL_NUMBER must be the DER encoding of
// the serial number only. Duplicating the whole certificate here and in CKA_VALUE is the most
// likely reason the token reports CKR_TEMPLATE_INCONSISTENT.
template.Add(new ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.GetRawCertData()));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData));
// Creating a token object needs a read/write session with the user logged in.
CryptokiObject certificate = session.Objects.Create(template);
我收到错误 209 (0xD1) CKR_TEMPLATE_INCONSISTENT。如果我删除这一行：
template.Add(new ObjectAttribute(ObjectAttribute.CKA_VALUE, cert.RawData));
我收到错误 208 (0xD0) CKR_TEMPLATE_INCOMPLETE。
答案 0 :(得分:0)
您似乎为 CKA_SUBJECT、CKA_ISSUER 和 CKA_SERIAL_NUMBER 属性设置了错误的值：这几个属性都要求 DER 编码（CKA_ISSUER 传入的是字符串而不是 DER 编码的 Name，CKA_SERIAL_NUMBER 传入的是整个证书而不是序列号的 DER 编码）。
以下使用 Pkcs11Interop 和 BouncyCastle 库的代码通常对我有效：
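/// <summary>
/// Imports an X.509 certificate into a PKCS#11 compatible device as a persistent
/// (CKA_TOKEN = true), public (CKA_PRIVATE = false) certificate object.
/// </summary>
/// <param name="session">Read/write session with the user logged in; creating a token object
/// on a read-only or unauthenticated session fails at the PKCS#11 level</param>
/// <param name="certificate">Encoded X.509 certificate in a form X509CertificateParser accepts
/// (DER is the usual one)</param>
/// <param name="ckaLabel">Value of CKA_LABEL attribute</param>
/// <param name="ckaId">Value of CKA_ID attribute. Use the CKA_ID of the matching private key
/// so that PKCS#11 clients can pair the certificate with its key</param>
/// <returns>Handle of created certificate object</returns>
/// <exception cref="ArgumentNullException">Any argument is null</exception>
/// <exception cref="ArgumentException"><paramref name="certificate"/> is empty or does not
/// parse as an X.509 certificate</exception>
public static ObjectHandle ImportCertificate(Session session, byte[] certificate, string ckaLabel, byte[] ckaId)
{
    // Validate at the boundary: a null attribute value would otherwise surface only as an
    // opaque CKR_* error from the token.
    if (session == null)
    {
        throw new ArgumentNullException(nameof(session));
    }
    if (certificate == null)
    {
        throw new ArgumentNullException(nameof(certificate));
    }
    if (certificate.Length == 0)
    {
        throw new ArgumentException("Certificate data must not be empty", nameof(certificate));
    }
    if (ckaLabel == null)
    {
        throw new ArgumentNullException(nameof(ckaLabel));
    }
    if (ckaId == null)
    {
        throw new ArgumentNullException(nameof(ckaId));
    }

    // Parse certificate. ReadCertificate may hand back null rather than throw for some
    // unparseable inputs, so check explicitly before building the template.
    X509CertificateParser x509CertificateParser = new X509CertificateParser();
    X509Certificate x509Certificate = x509CertificateParser.ReadCertificate(certificate);
    if (x509Certificate == null)
    {
        throw new ArgumentException("Data could not be parsed as an X.509 certificate", nameof(certificate));
    }

    // NOTE(review): nothing here verifies that the certificate's public key matches a key pair
    // already on the token; callers importing a certificate for an existing key should check
    // that before calling, otherwise a mismatched certificate is silently stored under ckaId.

    // Define attributes of new certificate object. CKA_SUBJECT, CKA_ISSUER and
    // CKA_SERIAL_NUMBER must be DER encoded (Name, Name and INTEGER respectively);
    // display strings or the whole certificate in these slots make the template inconsistent.
    List<ObjectAttribute> certificateAttributes = new List<ObjectAttribute>();
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));
    // Certificates are public data; CKA_PRIVATE = false lets them be read without a login.
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, false));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_MODIFIABLE, true));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, ckaLabel));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509));
    // Per PKCS#11 only the SO may set CKA_TRUSTED = true; a user import keeps it false.
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_TRUSTED, false));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_SUBJECT, x509Certificate.SubjectDN.GetDerEncoded()));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_ISSUER, x509Certificate.IssuerDN.GetDerEncoded()));
    // Serial number as a DER INTEGER, not the raw big-endian bytes and not the whole certificate.
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_SERIAL_NUMBER, new DerInteger(x509Certificate.SerialNumber).GetDerEncoded()));
    certificateAttributes.Add(new ObjectAttribute(CKA.CKA_VALUE, x509Certificate.GetEncoded()));

    // Create certificate object
    return session.CreateObject(certificateAttributes);
}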
答案 1 :(得分:0)
您是用证书的原始数据（整个 DER 编码的证书）来设置序列号的：
// BUG: GetRawCertData() returns the entire encoded certificate, not its serial number.
template.Add(new ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, cert.GetRawCertData()));
应该改为设置序列号本身的 DER 编码：
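// CKA_SERIAL_NUMBER is the DER encoding of the certificate's serial number (an ASN.1 INTEGER),
// not the subject name and not the whole certificate. With a BouncyCastle X509Certificate
// (the type that exposes SubjectDN and a BigInteger SerialNumber) it is built like this:
template.Add(new ObjectAttribute(ObjectAttribute.CKA_SERIAL_NUMBER, new DerInteger(cert.SerialNumber).GetDerEncoded()));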