Alladin eToken failure with importing RSA key

3

I am using SafeNet's (Alladin) eToken with PKCS11 interface to C#. I need to import a RSA key created without the eToken into the eToken.

The creation of the RSA key is done through:

RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();
RSAParameters publicKey = RSA.ExportParameters(false);
RSAParameters privateKey = RSA.ExportParameters(true);
eTokenHelper.WritePrivateKeyToToken(session, privateKey, "private");

and the implementation of the WritePrivateKeyToToken above is:

public static void WritePrivateKeyToToken(PKCS11.Session session, System.Security.Cryptography.RSAParameters publicParams, string label)
    {

        List<PKCS11.Attribute> attList = new List<PKCS11.Attribute>{};


        attList.Add(new PKCS11.Attribute(PKCS11.CKA_CLASS, PKCS11.CKO_PRIVATE_KEY));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_KEY_TYPE, PKCS11.CKK_RSA));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE, true));
        //attList.Add(new PKCS11.Attribute(PKCS11.CKA_SUBJECT, cert.SubjectName.RawData));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_ID, 0xa1));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_LABEL, label));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_TOKEN, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODULUS, publicParams.Modulus));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_PUBLIC_EXPONENT, publicParams.Exponent));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE_EXPONENT, publicParams.D));
        // attList.Add(new ObjectAttribute(PKCS11.CKH_CLOCK, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODIFIABLE, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_LOCAL, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_EXTRACTABLE, false));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_NEVER_EXTRACTABLE, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_SENSITIVE, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_ALWAYS_SENSITIVE, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_DERIVE, false));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_LOCAL, false));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_DECRYPT, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN, true));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN_RECOVER, false));
        attList.Add(new PKCS11.Attribute(PKCS11.CKA_UNWRAP, false));

        PKCS11.Object.Create(session, attList.ToArray());
    }

when I run this code, I get the exception with code

public const int CKR_TEMPLATE_INCONSISTENT = 0x000000D1;

(the exception appears on the last line: Create()).

I will appreciate any assistance in understandin what am I doing wrong.

Thanks, Ronen

c#
rsa
pkcs#11
e-token
asked on Stack Overflow Oct 23, 2013 by user2910465

1 Answer

3

I have some problem. By the way, you set atribut PKCS11.CKA_LOCAL twice in the code. It is not corect. Do not set attribute PKCS11.CKA_LOCAL - it is set automatically. If is set PKCS11.SENSITIVE, it is not possible to set CKA_EXTRACTABLE, CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE.

This code should work:

   List<PKCS11.Attribute> attList = new List<PKCS11.Attribute>{};

    attList.Add(new PKCS11.Attribute(PKCS11.CKA_CLASS, PKCS11.CKO_PRIVATE_KEY));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_KEY_TYPE, PKCS11.CKK_RSA));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE, true));
    //attList.Add(new PKCS11.Attribute(PKCS11.CKA_SUBJECT, cert.SubjectName.RawData));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_ID, 0xa1));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_LABEL, label));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_TOKEN, true));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODULUS, publicParams.Modulus));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_PUBLIC_EXPONENT, publicParams.Exponent));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_PRIVATE_EXPONENT, publicParams.D));
    // attList.Add(new ObjectAttribute(PKCS11.CKH_CLOCK, true));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_MODIFIABLE, true));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_SENSITIVE, true));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_DERIVE, false));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_DECRYPT, true));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN, true));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_SIGN_RECOVER, false));
    attList.Add(new PKCS11.Attribute(PKCS11.CKA_UNWRAP, false));

    PKCS11.Object.Create(session, attList.ToArray());
answered on Stack Overflow Jul 7, 2014 by Jiri Novak

User contributions licensed under CC BY-SA 3.0