0

I've got a sample from eToken SDK that generates RSA keys, creates digital signature and verifies it. The algorithm in the sample is the following:

  • generate RSA keys (GENERATE_KEY_PAIR);
  • create security environment for signature (PUT_DATA_SECI);
  • restore security environment (MSE RESTORE);
  • sign data (PSO_CDS);
  • create security environment for verification (PUT_DATA_SECI);
  • restore security environment (MSE RESTORE);
  • verify signature (PDO_VDS).

I have imported external key containers with certificates to token and I need to get rid of RSA key generation item in algorithm. How may I find Object ID of my private key to pass it to PUT_DATA_SECI APDU command?

user2609706
  • 1
  • While I know CardOS, I'm not acquainted with the Aladdin middleware. There is a chance, that the key id can be read from a PKCS15 information file. If not, then at least the ID of the needed security environment should be stated there. So while in the latter case you don't know the key ID, you may simply restore an existing security environment. – guidot Jul 30 '13 at 08:24
  • Yep, I found out, that security environment is set up as of selecting private key file. PKCS#11 private keys index file (0x3XXX) contains also container UID that can be bound to public key. – user2609706 Aug 15 '13 at 11:02

1 Answers1

0

The private RSA stored on the token is RSA_PURE (0x0c). It can't be used for PSO_CDS operation. They have to properly pad the hash value (rfc-2313: block type 1 + hash OID) and to use PSO_DEC to get signature. The result will be the same binary data as for PSO_CDS.

user2609706
  • 1