
How to upload public RSA key to HSM (using PKCS#11 library)?

I am quite new to using the PKCS#11 library, so maybe someone with more experience can clear things up.

I want to do the following:

  1. upload an existing RSA public key (which was generated on a PC) to the HSM
  2. and later use this uploaded key to wrap a symmetric key that was generated on the HSM.

I know how to generate a symmetric key, but how do I upload an existing RSA public key?

Is this even possible using the PKCS#11 library?

There seems to be a similar question at "Wrap a secret key with a public key using PKCS#11", but it uses an RSA key pair that is generated on the HSM. I need to upload the RSA public key to the HSM myself.

We can use the C_CreateObject function of PKCS#11 to import a public key into the HSM. It is documented under

RSA PKCS#11 Functions -> Object Management Functions -> C_CreateObject

There is also an example of loading a public key. But it requires the token to support loading the public key through the Cryptoki library.

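CK_SESSION_HANDLE hSession;              /* an already opened session */
CK_OBJECT_HANDLE hKey;
CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
CK_KEY_TYPE keyType = CKK_RSA;
CK_BBOOL bTrue = CK_TRUE;                /* value for the CKA_WRAP attribute */
CK_BYTE modulus[] = {... };              /* modulus bytes, most significant byte first */
CK_BYTE exponent[] = {... };             /* public exponent bytes, most significant byte first */
CK_ATTRIBUTE keyTemplate[] = {
    {CKA_CLASS, &keyClass, sizeof(keyClass)},
    {CKA_KEY_TYPE, &keyType, sizeof(keyType)},
    {CKA_WRAP, &bTrue, sizeof(bTrue)},   /* allow the key to wrap other keys */
    {CKA_MODULUS, modulus, sizeof(modulus)},
    {CKA_PUBLIC_EXPONENT, exponent, sizeof(exponent)}
};

CK_RV rv;

/* Create an RSA public key object; the template is passed as a pointer to its
   first element, together with the number of attributes it contains */
rv = C_CreateObject(hSession, keyTemplate,
                    sizeof(keyTemplate) / sizeof(keyTemplate[0]), &hKey);
if (rv == CKR_OK) {
    /* hKey now refers to the imported public key object */
}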
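
The `modulus` and `exponent` arrays in the answer above have to come from the key generated on the PC. As an added example (not part of the original answer), this parses a DER-encoded PKCS#1 `RSAPublicKey` and returns both values as unsigned big-endian byte strings, the form PKCS#11 uses for big integers; the names `der_span` and `rsa_pub_from_der` are hypothetical. It assumes the bare PKCS#1 structure (the body of a `BEGIN RSA PUBLIC KEY` PEM file), not a `SubjectPublicKeyInfo` wrapper, and rejects truncated or trailing data.

```c
#include <stddef.h>
#include <stdint.h>

/* Borrowed view into the caller's DER buffer (hypothetical helper type). */
typedef struct { const uint8_t *p; size_t len; } der_span;

/* Read one TLV with the expected tag and advance *cur past it. Returns 0 on success. */
static int der_read(const uint8_t **cur, const uint8_t *end, uint8_t tag, der_span *out)
{
    const uint8_t *p = *cur;
    size_t len;
    if (end - p < 2 || p[0] != tag) return -1;
    len = p[1]; p += 2;
    if (len & 0x80) {                       /* long form: low 7 bits = count of length bytes */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - p) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return -1; /* value must fit inside the buffer */
    out->p = p; out->len = len;
    *cur = p + len;
    return 0;
}

/* Read a non-negative INTEGER and drop the DER sign padding (leading 0x00 bytes). */
static int der_read_uint(const uint8_t **cur, const uint8_t *end, der_span *out)
{
    if (der_read(cur, end, 0x02, out) != 0 || out->len == 0) return -1;
    if (out->p[0] & 0x80) return -1;        /* negative value: not a valid RSA parameter */
    while (out->len > 1 && out->p[0] == 0x00) { out->p++; out->len--; }
    return 0;
}

/* Parse RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }. */
int rsa_pub_from_der(const uint8_t *der, size_t der_len, der_span *modulus, der_span *exponent)
{
    const uint8_t *cur = der, *end = der + der_len;
    der_span seq;
    if (der_read(&cur, end, 0x30, &seq) != 0 || cur != end) return -1; /* no trailing bytes */
    cur = seq.p; end = seq.p + seq.len;
    if (der_read_uint(&cur, end, modulus) != 0) return -1;
    if (der_read_uint(&cur, end, exponent) != 0) return -1;
    return cur == end ? 0 : -1;
}

/* Constructed sample, not a real key: modulus 00 C3 51 (sign-padded), exponent 01 00 01. */
static const uint8_t sample_der[] = { 0x30, 0x0A, 0x02, 0x03, 0x00, 0xC3, 0x51, 0x02, 0x03, 0x01, 0x00, 0x01 };

int main(void) { der_span m, e; return rsa_pub_from_der(sample_der, sizeof sample_der, &m, &e); }
```

The resulting spans map onto the template entries as `{CKA_MODULUS, (CK_VOID_PTR)m.p, m.len}` and `{CKA_PUBLIC_EXPONENT, (CK_VOID_PTR)e.p, e.len}`.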
