EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Trying to write EC X509 certificates to PKCS#11 token

Posted: 11/07/2014 08:02:14
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

When I create self-signed X.509 certificates using RSA keys I can then write them to an nCipher HSM quite happily using SBPKCS11CertStorage.Add(cert, true).

When I use the same code to try to write a self-signed cert created using an EC key instead, the call to SBPKCS11CertStorage.Add fails with an exception (below). The cert that I am trying to write at that point looks fine in the Visual Studio debugger, and if I write it out to a pfx file it seems fine there as well.

Using SBB v12.

Any suggestions for anything I could try please ?



at SBPKCS11Base.__Global.PKCS11CheckError(Int64 HLib, Int32 FunctionCode, UInt32 ResultCode)

at SBPKCS11Base.TElPKCS11SessionInfo.AddObject(TSBPKCS11ObjectType ObjectType, Boolean Token, Boolean Private, Boolean Modifiable, TElPKCS11AttributeList Attributes)

at SBCryptoProvPKCS11.TElPKCS11CryptoKey.ImportSecret(Byte[] Buffer, Int32 StartIndex, Int32 Size, TElCPParameters Params)

at SBPKCS11CertStorage.TElPKCS11CertStorage.AddAsymmetricKeyPair(Int32 SessionIndex, TElKeyMaterial KeyMaterial, Byte[] KeyLabel, Byte[] KeyID, Boolean Exportable)

at SBPKCS11CertStorage.TElPKCS11CertStorage.Add(Int32 SessionIndex, TElX509Certificate X509Certificate, Boolean CopyPrivateKey, Boolean Exportable, Byte[] ID, Byte[] KeyLabel)

at SBPKCS11CertStorage.TElPKCS11CertStorage.Add(TElX509Certificate X509Certificate, Boolean CopyPrivateKey)
Posted: 11/07/2014 08:08:03
by Eugene Mayevski (Team)

The first question you need to answer (yourself) is whether the device supports EC certificates. PKCS#11 devices don't store cryptographic objects as BLOBs, instead they store them as the objects which can be used in cryptographic operations. So if EC certificate is not supported by the device, you can store one only as application data (if the device supports this type of data) but not as a certificate.

Sincerely yours
Eugene Mayevski
Posted: 11/07/2014 08:17:55
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

Hi Eugene,

Quite right, and by default nCipher HSMs do not support EC operations. However, this one has been upgraded / unlocked to permit EC operations. I can cause it to generate EC key pairs, import externally generated EC key pairs, and perform EC sign/verify operations happily using my own (non-SBB) code.

So in this instance I do not think it is that.

This HSM appears to require keys to be written before certificates. I therefore compared the code that your ImportSecret() uses when building up the parameter block prior to calling AddObject() to write the key pair. I must admit that the set of CKA_ attributes look identical to those that I use in my own code when writing EC key pairs to this HSM, so it is far from obvious to me what is wrong.
Posted: 11/07/2014 08:19:30
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

Sorry, should have added that the certificate *is* actually written to the HSM, but without the private key. I therefore assume that the problem is not writing the certificate itself, but rather the associated EC key pair.
Posted: 11/07/2014 10:49:13
by Ken Ivanov (Team)

Hi Andy,

On some occasions drivers require attributes to be written in some specific order or to be assigned with specific values (which obviously contradicts the PKCS#11 specification, yet understanding of this fact doesn't contribute to solving the issue). It's great that you have a working code, we could try to have a deeper look into ours if you share that with us.

Posted: 11/10/2014 03:09:39
by Andy Calvert (Standard support level)
Joined: 11/07/2007
Posts: 16

Hi Ken,

Could you send me a suitable email address please to which I could provide the code fragment ?

Posted: 11/10/2014 03:11:03
by Eugene Mayevski (Team)

Let's continue in HelpDesk ( https://www.eldos.com/helpdesk/ ) please. I have created a new support ticket based on your above message. You will see your (and only your) support tickets by following this URL. You will also get e-mail notifications about updates related to your support ticket.

Sincerely yours
Eugene Mayevski



Topic viewed 1197 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!