CreateObject PKCS#11失败

Question

我试着评论这个链接https://stackoverflow.com/a/39798597/448266，但不能因为声誉#。

我尝试了这个示例并运行良好，但是当我更改为任意值时，它返回异常消息: Net.Pkcs11Interop.Common.Pkcs11Exception : Method C_CreateObject返回2147483968

我正在使用safenet HSM。

plainKeyValue = Common.HelperFunctions.StringToByteArray("112233445566778899001122334455665566998844335511");

下面是代码的快照，我在键值上略有更改(如上面所示)。

 public static string generateAndCreateKeyObj()
    {
        using (IPkcs11 pkcs11 = Settings.Factories.Pkcs11Factory.CreatePkcs11(Settings.Factories, Configurations.Pkcs11LibraryPath, Settings.AppType))
        {
            // Find first slot with token present
            ISlot slot = Helpers.GetUsableSlot(pkcs11, Configurations.default_slot);

            // Open RW session
            using (Net.Pkcs11Interop.HighLevelAPI.ISession session = slot.OpenSession(SessionType.ReadWrite))
            {
                // Login as normal user
                session.Login(Configurations.user_type, "1234");

                // Prepare attribute template of new key
                List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_TOKEN, false)); //not stored in token
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_ENCRYPT, true));
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_DECRYPT, true));
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_WRAP, true));
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_UNWRAP, true));
                objectAttributes.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_EXTRACTABLE, true));

                // Specify key generation mechanism
                IMechanism mechanism = Settings.Factories.MechanismFactory.CreateMechanism(CKM.CKM_DES3_KEY_GEN);

                // Generate key
                IObjectHandle secret_key = session.GenerateKey(mechanism, objectAttributes);


                ////////////////////////////////////////////////////////////////////////////////////////

                // Export the key
                byte[] plainKeyValue = null;
                List<IObjectAttribute> readAttrs = session.GetAttributeValue(secret_key, new List<CKA>() { CKA.CKA_VALUE });
                if (readAttrs[0].CannotBeRead)
                    throw new Exception("Key cannot be exported");
                else
                    plainKeyValue = readAttrs[0].GetValueAsByteArray();

                plainKeyValue = Common.HelperFunctions.StringToByteArray("112233445566778899001122334455665566998844335511");

                // Prepare attribute template of new key
                List<IObjectAttribute> oa = new List<IObjectAttribute>();
                oa.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_LABEL, "Imported key"));
                oa.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
                oa.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_DES3));
                oa.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_TOKEN, true));
                oa.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_ENCRYPT, true));
                oa.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_DECRYPT, true));
                oa.Add(Settings.Factories.ObjectAttributeFactory.CreateObjectAttribute(CKA.CKA_VALUE, plainKeyValue));


                IObjectHandle importedKey = session.CreateObject(oa);


                // Test encryption with generated key and decryption with imported key
                using (IMechanism mechanismx = Settings.Factories.MechanismFactory.CreateMechanism(CKM.CKM_DES3_CBC, session.GenerateRandom(8)))
                {
                    byte[] sourceData = ConvertUtils.Utf8StringToBytes("Our new password");
                    byte[] encryptedData = session.Encrypt(mechanismx, secret_key, sourceData);
                    byte[] decryptedData = session.Decrypt(mechanismx, importedKey, encryptedData);
                    if (Convert.ToBase64String(sourceData) != Convert.ToBase64String(decryptedData))
                        throw new Exception("Encryption test failed");
                }
                // Destroy object
                session.DestroyObject(importedKey);
                session.DestroyObject(secret_key);
                session.Logout();

                return HelperFunctions.ByteArrayToString(plainKeyValue);
            }
        }
    }

 // convert from string to array
    public static byte[] StringToByteArray(string hex)
    {
        byte[] result;
        try
        {
            result = Enumerable.Range(0, hex.Length)
                         .Where(x => x % 2 == 0)
                         .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
                         .ToArray();

            return result;
        }
        catch (Exception e)
        {
            throw new Exception(e.Message); ;
        }
    }

Answer 1

谢谢你的回复。

我发现，在safenet中，在创建键对象时，键平面值必须带有奇偶校验位，否则就会出现上述错误。

希望这能帮助那些犯同样错误的人。

Answer 2

您正在得到的异常说，低级PKCS#11函数C_CreateObject返回了特定于供应商的错误0x80000140。您需要讨论设备供应商或联系人供应商支持提供的文档，以更好地理解如何处理或避免此特定错误。