I am using the Pkcs11Interop library in a .NET application to communicate with a Thales Luna HSM, and unwrapping an AES key with an RSA key using the CKM_RSA_PKCS mechanism.
But the unwrapped AES key does not get persisted in the HSM, although I get the handle of the object in return from the unwrap call. I can even encrypt some data using the unwrapped AES key with the same session object. Am I missing any parameter that forbids key persistence in the HSM with the unwrap call? Here is the code snippet:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

private void keyUnwrap() {
    string wrappedKey = "..."; // hex-encoded wrapped AES key (value omitted in the post)
    // pkcs11Library is the loaded PKCS#11 library instance held elsewhere in the class
    List<ISlot> allSlots = pkcs11Library.GetSlotList(SlotsType.WithTokenPresent);
    using (ISession session = allSlots[0].OpenSession(SessionType.ReadWrite)) {
        // Login as normal user
        session.Login(CKU.CKU_USER, "CO_PIN");
        // Get private key object
        IObjectHandle privateKey = findObject(session, CKO.CKO_PRIVATE_KEY, "Wrapping_RSA_Key_Pair_PRV");
        // Specify wrapping mechanism
        IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);
        // Define attributes for unwrapped key
        List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
        objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "Unwrapped_AES_Key"));
        // Unwrap key
        IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, privateKey, StringToByteArray(wrappedKey), objectAttributes);
        // Look the new key up by label to confirm it exists
        IObjectHandle newkey = findObject(session, CKO.CKO_SECRET_KEY, "Unwrapped_AES_Key");
        if (newkey == null) {
            throw new Exception("Unwrapped object not found.");
        }
    }
}

private IObjectHandle findObject(ISession session, CKO objectClass, string label) {
    // Prepare attribute template that defines search criteria
    List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
    objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, objectClass));
    objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, label));
    // Initialize searching
    session.FindObjectsInit(objectAttributes);
    // Get search results (first match only)
    List<IObjectHandle> foundObjects = session.FindObjects(1);
    // Terminate searching
    session.FindObjectsFinal();
    if (foundObjects.Count > 0) {
        return foundObjects[0];
    }
    return null;
}

// Convert a hex string (two characters per byte) into a byte array
public static byte[] StringToByteArray(string hex)
{
    return Enumerable.Range(0, hex.Length)
        .Where(x => x % 2 == 0)
        .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
        .ToArray();
}
```
I tried to unwrap an AES key in a Thales Luna HSM using the .NET Pkcs11Interop library.
Unwrapping succeeded, as I got the handle of the unwrapped key and can encrypt data with it within the same PKCS#11 session, but the unwrapped key does not get persisted in the HSM, which is the problem here.
You are missing the CKA_TOKEN attribute (see section 4.4 here).

```csharp
objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
```

(An additional note -- consider setting the CKA_PRIVATE attribute as well.)
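Putting the answer back into the question's code, as an added example (not code from either post): the unwrap template with CKA_TOKEN and CKA_PRIVATE set, followed by a check that the key actually survives closing the session that created it, which is the behaviour the question could not observe. It reuses the question's findObject and StringToByteArray helpers, slot, PIN and labels, and adds CKA_SENSITIVE and CKA_EXTRACTABLE, which neither post mentions.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Unwrap the AES key as a token object and prove it outlived its creating session.
// Assumes the question's findObject and StringToByteArray helpers are in scope.
private IObjectHandle UnwrapPersistentAesKey(ISlot slot, string wrappedKeyHex, string label)
{
    // Token objects can only be created in a read/write session after login
    using (ISession session = slot.OpenSession(SessionType.ReadWrite))
    {
        session.Login(CKU.CKU_USER, "CO_PIN");
        IObjectHandle privateKey = findObject(session, CKO.CKO_PRIVATE_KEY, "Wrapping_RSA_Key_Pair_PRV");
        IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);
        var f = session.Factories.ObjectAttributeFactory;
        var template = new List<IObjectAttribute>
        {
            f.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY),
            f.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES),
            f.Create(CKA.CKA_TOKEN, true),        // persist on the token; without it the key is session-scoped
            f.Create(CKA.CKA_PRIVATE, true),      // object is only visible to a logged-in user
            f.Create(CKA.CKA_SENSITIVE, true),    // key value can never be read out in plaintext
            f.Create(CKA.CKA_EXTRACTABLE, false), // key cannot be wrapped back out of the HSM
            f.Create(CKA.CKA_ENCRYPT, true),
            f.Create(CKA.CKA_DECRYPT, true),
            f.Create(CKA.CKA_LABEL, label),
        };
        IObjectHandle created = session.UnwrapKey(mechanism, privateKey, StringToByteArray(wrappedKeyHex), template);

        // Read CKA_TOKEN back from the HSM instead of trusting the template that was sent
        List<IObjectAttribute> attrs = session.GetAttributeValue(created, new List<CKA> { CKA.CKA_TOKEN });
        if (!attrs[0].GetValueAsBool())
            throw new InvalidOperationException("HSM created a session object despite CKA_TOKEN=true");
        session.Logout();
    }

    // The creating session is closed: a session object would be gone now.
    // Open a fresh session and search by label; only a token object can still be found.
    using (ISession check = slot.OpenSession(SessionType.ReadOnly))
    {
        check.Login(CKU.CKU_USER, "CO_PIN"); // CKA_PRIVATE objects are hidden until login
        IObjectHandle persisted = findObject(check, CKO.CKO_SECRET_KEY, label);
        if (persisted == null)
            throw new InvalidOperationException("Unwrapped key did not survive session close");
        return persisted;
    }
}
```

Object handles are only valid within the session that returned them, so the handle from the second session is the one to hand to later code.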