RSA Encryption with non-exportable key in HSM


Problem description

I'm trying to encrypt a symmetric key with an RSA key (Exchange Key in CSP) in C# using this piece of code (the RSA key CSP50C8C7CD is not exportable, and it is in the HSM):

using System.Security.Cryptography;

// Provider type 1 = PROV_RSA_FULL; "XXX CSP" is the vendor CSP name.
// KeyNumber is left unset, so the runtime opens the AT_KEYEXCHANGE key of the container.
CspParameters csp_dnet = new CspParameters(1, "XXX CSP");
csp_dnet.Flags = CspProviderFlags.UseNonExportableKey;
csp_dnet.KeyContainerName = "test";

RSACryptoServiceProvider rsa_dnet = new RSACryptoServiceProvider(csp_dnet);

// Create 3DES key (24 bytes, generated on first access of .Key)
TripleDES tripleDES = new TripleDESCryptoServiceProvider();

// Encrypt the 3DES key with RSA; false = PKCS#1 v1.5 padding (true would select OAEP)
byte[] encryptedSessionKey = rsa_dnet.Encrypt(tripleDES.Key, false);

Looking at the CSP log, I note that C# is trying to export the key to proceed with the operation. The CSP log below shows only the part about the **rsa_dnet.Encrypt** call:

LOG CSP

...
[12/12/2012 17:28:45] [3688] D [CryptExportKey]  Blob type: PRIVATEKEYBLOB
...
[12/12/2012 17:28:45] [3688] E [CryptExportKey]  Return: FALSE. An internal error occurred.

The Windows OS is calling CryptExportKey passing PRIVATEKEYBLOB, which means it is exporting the private key.

LOG HSM

...
2012/12/12 17:44:02 [4DD18140] new key 'test/CSP50C8C7CD', t: 6, a: 0
2012/12/12 17:44:14 [4DC2A1C0] 'test' auth ok, 10.0.87.19
2012/12/12 17:44:17 [4DC2A1C0] 'test/CSP50C8C7CD' not exportable, conn: 9  --- ERROR

In the HSM, this log shows that the Windows OS is trying to extract the private key (which is what causes the ERROR, because the key is non-exportable).

When I use the exportable key CSP50C8C7CE in the HSM, the log shows that everything is all right:

LOG HSM

...
2012/12/12 17:47:46 [4DEF4040] 'test' auth ok, IP: 10.0.87.19
2012/12/12 17:47:46 [4DEF4040] export: 'test/CSP50C8C7CE', 1462
2012/12/12 17:47:46 [4DEF4040] export: 'test/CSP50C8C7CE', 1462
2012/12/12 17:47:46 [4DEF4040] delete 'test/CSP50C8C7CE'
2012/12/12 17:47:46 [4DEF4040] import obj 'test/CSP50C8C7CE', 00000004
2012/12/12 17:47:46 [4DEF4040] pk test/CSP50C8C7CE [1]
2012/12/12 17:47:46 [4DEF4040] import obj 'cf1c34c8be5d2fa8a4575c63dd903454', 00000003
2012/12/12 17:47:46 [4DEF4040] delete 'test/CSP50C8C7CE'
2012/12/12 17:47:46 [4DEF4040] imp obj 'test/CSP50C8C7CE', 00000006
2012/12/12 17:47:47 [4DEF4040] export: 'cf1c34c8be5d2fa8a4575c63dd903454', 24
2012/12/12 17:47:47 [4DEF4040] delete 'cf1c34c8be5d2fa8a4575c63dd903454'

Note that this log shows a lot of RSA key import/export operations (reference: CSP50C8C7CE - exportable key).

Question: Does the Encrypt function in the System.Cryptography library require the key to always be exportable? Or did I make a mistake in my program? Is a parameter missing, perhaps?
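The flow the post describes, opening a CSP key container and wrapping a session key under its RSA exchange key, written out as an added example; it is not part of the original post and not any vendor's code. It assumes .NET Framework, where RSACryptoServiceProvider is the CryptoAPI (CSP) wrapper, a vendor CSP registered under the post's placeholder name "XXX CSP" as provider type 1 (PROV_RSA_FULL), and a container "test" that already holds an exchange key pair generated inside the HSM; the class and method names are invented here. Beyond the wrap itself it shows the two checks a practitioner would want before relying on such a key: the UseExistingKey flag, so that an empty container does not silently yield a freshly generated software key (UseNonExportableKey only affects key generation), and a read of CspKeyContainerInfo.Exportable and HardwareDevice to see what the CSP reports about the key. Whether the runtime still issues a CryptExportKey during Encrypt, as the post's log shows, is decided by the runtime and the CSP and is not changed by these checks; the example only makes that failure visible as the CryptographicException the catch block prints.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example, not the original poster's code. Assumptions: .NET Framework
// (RSACryptoServiceProvider on top of CryptoAPI), a vendor CSP named "XXX CSP"
// (placeholder name from the post) registered as provider type 1 = PROV_RSA_FULL,
// and a container "test" that already holds an exchange key pair inside the HSM.
// The vendor CSP's own behaviour cannot be verified here.
static class HsmKeyWrap
{
    // Open the existing exchange key without ever creating one.
    // UseExistingKey makes the constructor throw if the container or key is
    // missing instead of silently generating a new key pair; UseNonExportableKey
    // only influences key generation, so by itself it proves nothing about a key
    // that already exists.
    public static RSACryptoServiceProvider OpenExchangeKey(string providerName, string container)
    {
        var csp = new CspParameters(1, providerName)        // 1 = PROV_RSA_FULL
        {
            KeyContainerName = container,
            KeyNumber = (int)KeyNumber.Exchange,             // AT_KEYEXCHANGE, as in the post
            Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseNonExportableKey,
        };
        // With CspParameters supplied, PersistKeyInCsp defaults to true, so
        // disposing the object later does not delete the container key.
        return new RSACryptoServiceProvider(csp);
    }

    // What the CSP itself reports about the key; check this before trusting
    // that the private key lives in hardware and cannot leave it.
    public static bool IsHardwareNonExportable(RSACryptoServiceProvider rsa)
    {
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine($"provider    : {info.ProviderName} (type {info.ProviderType})");
        Console.WriteLine($"container   : {info.KeyContainerName}, key number {info.KeyNumber}");
        Console.WriteLine($"key size    : {rsa.KeySize} bits, public only: {rsa.PublicOnly}");
        Console.WriteLine($"exportable  : {info.Exportable}");
        Console.WriteLine($"hardware    : {info.HardwareDevice}");
        return info.HardwareDevice && !info.Exportable;
    }

    // Wrap a fresh AES-256 session key under the RSA public key. The post wraps a
    // 3DES key with PKCS#1 v1.5 padding (Encrypt(key, false)); a new design should
    // use OAEP (Encrypt(key, true)) and an AES key instead. The wrapping call is
    // the same either way.
    public static byte[] WrapNewSessionKey(RSACryptoServiceProvider rsa, out byte[] sessionKey)
    {
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            sessionKey = aes.Key;
        }
        return rsa.Encrypt(sessionKey, true);   // OAEP; output length = modulus length in bytes
    }

    // Unwrap with the same container. This is the operation that must execute
    // inside the HSM, because only it holds the private key.
    public static byte[] Unwrap(RSACryptoServiceProvider rsa, byte[] wrapped)
    {
        return rsa.Decrypt(wrapped, true);
    }

    static void Main()
    {
        try
        {
            using (RSACryptoServiceProvider rsa = OpenExchangeKey("XXX CSP", "test"))
            {
                if (!IsHardwareNonExportable(rsa))
                    Console.WriteLine("warning: CSP does not report a hardware, non-exportable key");

                byte[] sessionKey;
                byte[] wrapped = WrapNewSessionKey(rsa, out sessionKey);
                Console.WriteLine($"wrapped session key: {wrapped.Length} bytes");

                byte[] unwrapped = Unwrap(rsa, wrapped);
                Console.WriteLine("round trip ok: " + sessionKey.SequenceEqual(unwrapped));
            }
        }
        catch (CryptographicException ex)
        {
            // This is where the failure in the post surfaces: the CSP refuses the
            // CryptExportKey and the runtime turns the Win32 error into an exception.
            Console.WriteLine("CSP call failed: " + ex.Message);
        }
    }
}
```

This only compiles and runs on Windows with the vendor CSP installed; without it, the constructor throws because the provider name cannot be resolved. The Exportable and HardwareDevice values are whatever the CSP reports, so treat them as a sanity check, not as proof that the private key never leaves the device.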

Recommended answer

Hi JR_Vasconcelos,

Welcome to MSDN Forum Support.

We're doing research on this issue. It might take some time before we get back to you.

Sincerely,

Jason Wang



