[英]How to fix method C_GenerateKeyPair returned CKR_FUNCTION_FAILED
I am trying to use the Pkcs11Interop library to get my own certificate from HSM(Safenet inc) when i have generated public/private key i got error "Method C_GenerateKeyPair returned CKR_FUNCTION_FAILED"我正在尝试使用 Pkcs11Interop 库从 HSM(Safenet inc) 获取我自己的证书,当我生成公钥/私钥时出现错误“方法 C_GenerateKeyPair 返回 CKR_FUNCTION_FAILED”
My code我的代码
if (Net.Pkcs11Interop.Common.Platform.Uses64BitRuntime)
{
loggerLibraryPath = @"C:\inetpub\wwwroot\ETPkcs11\ETPkcsII\libs\pkcs11-logger-x64.dll";
}
else
{
loggerLibraryPath = @"C:\inetpub\wwwroot\ETPkcs11\ETPkcsII\libs\pkcs11-logger-x86.dll";
}
System.Environment.SetEnvironmentVariable("PKCS11_LOGGER_LIBRARY_PATH", pkcs11LibraryPath);
System.Environment.SetEnvironmentVariable("PKCS11_LOGGER_LOG_FILE_PATH", loogerLogFilePath);
System.Environment.SetEnvironmentVariable("PKCS11_LOGGER_FLAGS", "64");
if (System.IO.File.Exists(loogerLogFilePath))
{
System.IO.File.Delete(loogerLogFilePath);
}
using (Pkcs11 pkcs11 = new Pkcs11(loggerLibraryPath, AppType.SingleThreaded))
{
LibraryInfo libraryInfo = pkcs11.GetInfo();
var aviSlot = pkcs11.GetSlotList(SlotsType.WithTokenPresent).Where(slot => slot.GetSlotInfo().SlotFlags.TokenPresent).FirstOrDefault();
using (Session session = aviSlot.OpenSession(SessionType.ReadWrite))
{
// Login as normal user
session.Login(CKU.CKU_USER, "xxxxxxxx");
byte[] ckaId = session.GenerateRandom(20);
// Prepare attribute template of new public key
List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, false));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, Settings.ApplicationName));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ENCRYPT, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_VERIFY, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_VERIFY_RECOVER, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_WRAP, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_MODULUS_BITS, 1024));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }));
// Prepare attribute template of new private key
List<ObjectAttribute> privateKeyAttributes = new List<ObjectAttribute>();
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, Settings.ApplicationName));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SENSITIVE, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_DECRYPT, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SIGN, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SIGN_RECOVER, true));
privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_UNWRAP, true));
// Specify key generation mechanism
Mechanism mechanism = new Mechanism(CKM.CKM_RSA_PKCS_KEY_PAIR_GEN);
// Generate key pair
ObjectHandle publicKeyHandle = null;
ObjectHandle privateKeyHandle = null;
session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle, out privateKeyHandle);
// Do something interesting with generated key pair
// Destroy keys
session.DestroyObject(privateKeyHandle);
session.DestroyObject(publicKeyHandle);
session.Logout();
}
}
Here are some of the log这是一些日志
0x00002478 : 0x00001af8 : Attribute 7
0x00002478:0x00001af8:属性7
0x00002478 : 0x00001af8 : Attribute: 265 (CKA_SIGN_RECOVER)0x00002478:0x00001af8:属性:265(CKA_SIGN_RECOVER)
0x00002478 : 0x00001af8 : pValue: 0597E8500x00002478:0x00001af8:pValue:0597E850
0x00002478 : 0x00001af8 : ulValueLen: 10x00002478:0x00001af8:ulValueLen:1
0x00002478 : 0x00001af8 : *pValue: HEX(01)0x00002478:0x00001af8:*pValue:十六进制(01)
0x00002478 : 0x00001af8 : Attribute 80x00002478:0x00001af8:属性8
0x00002478 : 0x00001af8 : Attribute: 263 (CKA_UNWRAP)0x00002478:0x00001af8:属性:263(CKA_UNWRAP)
0x00002478 : 0x00001af8 : pValue: 0597E8300x00002478:0x00001af8:pValue:0597E830
0x00002478 : 0x00001af8 : ulValueLen: 10x00002478:0x00001af8:ulValueLen:1
0x00002478 : 0x00001af8 : pValue: HEX(01)0x00002478:0x00001af8: pValue:十六进制(01)
0x00002478 : 0x00001af8 :0x00002478:0x00001af8: End attribute template *
结束属性模板 *
0x00002478 : 0x00001af8 : phPublicKey: 0643EA740x00002478:0x00001af8:phPublicKey:0643EA74
0x00002478 : 0x00001af8 : *phPublicKey: 00x00002478:0x00001af8:*phPublicKey:0
0x00002478 : 0x00001af8 : phPrivateKey: 0643EA700x00002478:0x00001af8:phPrivateKey:0643EA70
0x00002478 : 0x00001af8 : *phPrivateKey: 00x00002478:0x00001af8:*phPrivateKey:0
0x00002478 : 0x00001af8 : Returning 6 (CKR_FUNCTION_FAILED)0x00002478:0x00001af8:返回6(CKR_FUNCTION_FAILED)
0x00002478 : 0x00001af8 : ****************************** 2019-03-22 16:37:32 *0x00002478:0x00001af8:******************************** 2019-03-22 16:37:32 *
0x00002478 : 0x00001af8 : Calling C_CloseSession0x00002478:0x00001af8:调用C_CloseSession
0x00002478 : 0x00001af8 : Input0x00002478:0x00001af8:输入
0x00002478 : 0x00001af8 : hSession: 24903690x00002478:0x00001af8:hSession:2490369
0x00002478 : 0x00001af8 : Returning 0 (CKR_OK)0x00002478:0x00001af8:返回0(CKR_OK)
0x00002478 : 0x00001af8 : ****************************** 2019-03-22 16:37:32 *0x00002478:0x00001af8:******************************** 2019-03-22 16:37:32 *
0x00002478 : 0x00001af8 : Calling C_Finalize0x00002478:0x00001af8:调用C_Finalize
0x00002478 : 0x00001af8 : Input0x00002478:0x00001af8:输入
0x00002478 : 0x00001af8 : pReserved: 000000000x00002478:0x00001af8:保留:00000000
0x00002478 : 0x00001af8 : Returning 0 (CKR_OK)0x00002478:0x00001af8:返回0(CKR_OK)
If facing CKR_FUNCTION_FAILED
, check the alias used.如果面对
CKR_FUNCTION_FAILED
,请检查使用的别名。 If there are multiple aliases, check one by one and pass the same to keystore.如果有多个别名,则一一检查并传递给keystore。
Unfortunately PKCS#11 API does not provide any details on why C_GenerateKeyPair
function failed but many PKCS#11 libraries support some kind of internal logging mechanism which may reveal the real cause of error. 不幸的是,PKCS#11 API没有提供有关
C_GenerateKeyPair
函数为何失败的任何详细信息,但是许多PKCS#11库支持某种内部日志记录机制,这可能揭示错误的真正原因。 Exact steps needed to enable logging should be present in the documentation provided by the PKCS#11 library vendor. PKCS#11库供应商提供的文档中应提供启用日志记录所需的确切步骤。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.