Export/Import RSA keypair using PKCS11interop c# wrapper library from Thales nShield HSM?


Problem description



I have generated an RSA public-private keypair in the HSM using the PKCS11Interop generate key API. I want to export the keypair. I used the Findobject API to get the keys; the API returns an ObjectHandle, but while reading attributes using the GetAttributeValue API, I am not able to read the key's value. And when I set the key's CKA_EXTRACTABLE attribute to true, I am not able to generate the key altogether.

Also I need to import an externally provided keypair into the HSM.

Any help is highly appreciated.

Solution

What you are trying to do is considered insecure in the HSM world. It defeats the purpose of having an HSM.

But, can it be done? Yes, provided the HSM vendor supports it.

The HSM vendor decides if the keys generated on the HSM can be extractable or if any Key that was generated by any software (outside the HSM) can be imported into the hardware. PKCS#11 is just an interface through which you interact with the HSM. If the HSM doesn't support an operation, it throws an exception which is eventually thrown by the PKCS11 api.

This is what is happening in your case for both the extraction and importing operations. The HSM on which you are trying to do these operations may not support it. So you need to check with the HSM vendor how you can perform these operations on their product.

P.S.: Thales nShield should/may have a configuration file through which you can run the HSM in insecure mode.

Note: Extracting a Key/Key Pair generated on the HSM (or) importing any Key/Key Pair that was generated outside the HSM are not considered insecure operations in the real world.
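As an added example (not code from the question, the answer, or the Pkcs11Interop project itself), the following C# uses the Pkcs11Interop high-level API to generate an RSA key pair with an explicit CKA_SENSITIVE/CKA_EXTRACTABLE policy, then shows which attributes the token lets you read back and how a policy the token refuses surfaces as a Pkcs11Exception rather than a silent failure. The library path, user PIN and the RsaKeyAttributeCheck class name are placeholders I chose.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
public static class RsaKeyAttributeCheck
{
    // Generates an RSA key pair with an explicit sensitivity/extractability policy and
    // reports which attributes the token lets you read back. Returns false if the token
    // rejects the requested policy (the failure mode described in the question).
    public static bool Run(string pkcs11LibraryPath, string userPin, bool extractable)
    {
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
            factories, pkcs11LibraryPath, AppType.MultiThreaded))
        using (ISession session = lib.GetSlotList(SlotsType.WithTokenPresent)[0]
            .OpenSession(SessionType.ReadWrite))
        {
            session.Login(CKU.CKU_USER, userPin);
            var af = session.Factories.ObjectAttributeFactory;
            var pubAttrs = new List<IObjectAttribute>
            {
                af.Create(CKA.CKA_TOKEN, true),
                af.Create(CKA.CKA_MODULUS_BITS, 2048),
                af.Create(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }),
            };
            var privAttrs = new List<IObjectAttribute>
            {
                af.Create(CKA.CKA_TOKEN, true),
                af.Create(CKA.CKA_PRIVATE, true),
                af.Create(CKA.CKA_SENSITIVE, true),          // value never leaves the HSM in clear
                af.Create(CKA.CKA_EXTRACTABLE, extractable), // wrapped export only; token may refuse
            };
            IMechanism mech = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS_KEY_PAIR_GEN);
            IObjectHandle pub, priv;
            try { session.GenerateKeyPair(mech, pubAttrs, privAttrs, out pub, out priv); }
            catch (Pkcs11Exception ex) { Console.WriteLine($"Token rejected key policy: {ex.RV}"); return false; }
            // Public key material is not sensitive: modulus and exponent are readable.
            foreach (IObjectAttribute a in session.GetAttributeValue(pub,
                new List<CKA> { CKA.CKA_MODULUS, CKA.CKA_PUBLIC_EXPONENT }))
                Console.WriteLine($"{(CKA)a.Type}: {a.GetValueAsByteArray().Length} bytes");
            // Private key: policy flags are readable, the private exponent is not; Pkcs11Interop
            // reports CKR_ATTRIBUTE_SENSITIVE as CannotBeRead instead of returning a value.
            foreach (IObjectAttribute a in session.GetAttributeValue(priv,
                new List<CKA> { CKA.CKA_SENSITIVE, CKA.CKA_EXTRACTABLE, CKA.CKA_PRIVATE_EXPONENT }))
                Console.WriteLine(a.CannotBeRead ? $"{(CKA)a.Type}: not readable" : $"{(CKA)a.Type}: {a.GetValueAsBool()}");
            session.Logout();
            return true;
        }
    }
}
```

Reading CKA_SENSITIVE and CKA_EXTRACTABLE back after generation shows the policy the token actually applied, which may differ from what you requested when the vendor enforces its own defaults.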
