Search code examples
pkcs#11ecdsahsmgemaltopkcs11interop

Erroring out creating an ECDSA Key pair with pkcs11interop

I am connecting to Gemalto HSM which supports secp256r1. I have the following code to create an ECDSA key pair using Pkcs11interop. I am getting the paramsBytes using BouncyCastle NistNamedCurves and X962Parameters.

The HSM keeps comming back with CKR_ATTRIBUTE_TYPE_INVALID. I am new to ECDSA so I may have missed something. Any ideas?

                X9ECParameters x9Ec = NistNamedCurves.GetByName("P-256");
                X962Parameters x962 = new X962Parameters(x9Ec);
                byte[] paramsBytes =  x962.GetDerEncoded();

                // The CKA_ID attribute is intended as a means of distinguishing multiple key pairs held by the same subject
                byte[] ckaId = session.GenerateRandom(20);

                // Prepare attribute template of new public key
                List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
                publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, false));
                publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, keyName));
                publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
                publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_VERIFY, true));
                publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));

                // Prepare attribute template of new private key
                List<ObjectAttribute> privateKeyAttributes = new List<ObjectAttribute>();
                privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, true));
                privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, keyName));
                privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
                privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SENSITIVE, true));
                privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SIGN, true));
                privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));

                // Generate key pair
                Mechanism mechanism = new Mechanism(CKM.CKM_ECDSA_KEY_PAIR_GEN);
                ObjectHandle publicKeyHandle = null;
                ObjectHandle privateKeyHandle = null;
                session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle,
                    out privateKeyHandle);
Solution

  • Found out what was going on. The HSM did not like the 

    privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ECDSA_PARAMS, paramsBytes));

    on the private key. PKCS states that the ECDSA params need to be on the public key and can't be on the private key and this implementation enforced that.