
I'm trying to sign an XML file using a PKCS11 library, but I get some errors when I try to sign. Here is my code, and I have marked the line that throws. The ComputeSignature method throws an exception and I'm confused.

```csharp
...
ObjectHandle publicKey = null;
ObjectHandle privateKey = null;

// Search template: token objects whose CKA_LABEL is "label"
List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));
publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, "label"));
session.FindObjectsInit(publicKeyAttributes);
List<ObjectHandle> oObjCollection = session.FindObjects(1);
session.FindObjectsFinal(); // a search started with FindObjectsInit must be closed before FindAllObjects starts another one

List<ObjectHandle> foundPublicKeys = session.FindAllObjects(publicKeyAttributes);

// Read CKA_ID, CKA_LABEL and CKA_VALUE of the first match and parse CKA_VALUE as a certificate
List<ObjectAttribute> objectAttributess = session.GetAttributeValue(foundPublicKeys[0], new List<CKA>() { CKA.CKA_ID, CKA.CKA_LABEL, CKA.CKA_VALUE });
byte[] ckaIdd = objectAttributess[0].GetValueAsByteArray();
string ckaLabel = objectAttributess[1].GetValueAsString();
byte[] ckaValue = objectAttributess[2].GetValueAsByteArray();
var _rawData = ckaValue ?? throw new ArgumentNullException(nameof(ckaValue));
var _parsedCertificate = new X509Certificate2(_rawData);

Cer c = new Cer();

// Public key taken from the certificate; this is the key handed to SignedXml below
var Key = c.GetRSAPublicKey(_parsedCertificate);

XmlDocument doc = new XmlDocument();
doc.Load(@"C:\Users\MyUser\Desktop\SampleFile.xml");

SignedXml signedXml = new SignedXml(doc);

signedXml.SigningKey = Key;

// Enveloped signature over the whole document (empty URI)
Reference reference = new Reference();
reference.Uri = "";

XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);

signedXml.AddReference(reference);

signedXml.ComputeSignature(); // Error occurs in this line

}}
```

The signedXml.ComputeSignature() method throws System.NotSupportedException.

How can I sign an XML file with a key that I get from an HSM device?

TEngineer
  • You definitely need a **private** key to sign data. The line that calls `GetRSAPublicKey` looks like the culprit then; if you only have the public key, you won't be able to sign anything. – Wiktor Zychla Apr 12 '18 at 13:26
  • I have a private key, but I cannot get it out of the HSM. – TEngineer Apr 12 '18 at 13:29
  • If the key is marked as non-exportable in the HSM, there is no way to get it out of there. All you can do is use the HSM's API; depending on what is available, creating signed XMLs can be a pain in the neck. – Wiktor Zychla Apr 12 '18 at 13:35
  • Can we not get the private key out of the device in encrypted form? – TEngineer Apr 12 '18 at 13:37
  • Possible duplicate of [Pkcs11 - How to add signature to xml file?](https://stackoverflow.com/questions/49686710/pkcs11-how-to-add-signature-to-xml-file) – jariq Apr 12 '18 at 19:00
  • @TEngineer: I have no idea, it depends on the actual HSM. – Wiktor Zychla Apr 13 '18 at 07:12
  • @jariq A private key is also needed for the signature there. But in the Pkcs11Interop.X509Store project, signing is done through the public key. – TEngineer Apr 13 '18 at 09:10
  • @TEngineer No, I am NOT signing with the public key. – jariq Apr 13 '18 at 11:29
  • `base.KeySizeValue = _certContext.CertificateInfo.ParsedCertificate.GetRSAPublicKey().KeySize;` Is it signed with a private key here? – TEngineer Apr 14 '18 at 05:58
  • @TEngineer There is no signature generation performed on that line. It just reads the size of the key, which is the same for the key pair. – jariq Apr 14 '18 at 18:42
  • Nothing is ever signed using a public key. Signing something takes a private key. You don't take the private key from the HSM; you send the file to the HSM and request that it sign it, assuming you have the correct credentials. As said earlier in this thread, how you do that (send the file to the HSM for signature) depends on the HSM. PKCS11 is a likely API to use for that. – rip... Apr 14 '18 at 20:21
  • You may be able to get a *reference* to a private key stored on the HSM; then when you call C_Sign you pass in the document to be signed and the key reference, and the HSM knows how to map the reference to the actual key... again, assuming you have the correct credentials. – rip... Apr 14 '18 at 20:27
  • @jariq Thank you. I will take your advice into account and try to apply it. – TEngineer Apr 16 '18 at 05:58
  • @rip Thank you. I will take your advice into account and try to apply it. – TEngineer Apr 16 '18 at 05:58
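The approach the last two comments describe, written out as an added example (not the asker's code, not any commenter's, and not the Pkcs11Interop.X509Store project's own implementation): SignedXml is given an `RSA` subclass whose `SignHash` forwards the digest of SignedInfo to the token via `C_Sign`, so the private key is only ever referenced by its handle and never leaves the HSM. It assumes the Pkcs11Interop 4.x high-level API (`Pkcs11`, `Slot`, `Session`, `ObjectAttribute`, `Mechanism`), a .NET runtime whose `RSA.SignHash` is overridable (.NET Framework 4.6+ or .NET Core), and placeholder values for the library path, PIN and certificate label; the class names `Pkcs11Rsa` and `HsmXmlSigner` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// RSA implementation that holds no private key material. SignedXml calls SignHash with the digest of
// SignedInfo; the digest is wrapped in a PKCS#1 DigestInfo and the token signs it with the key handle.
public sealed class Pkcs11Rsa : RSA
{
    private readonly Session _session;         // logged-in PKCS#11 session (not owned by this class)
    private readonly ObjectHandle _privateKey;  // handle (reference) of the private key on the token
    private readonly RSA _publicKey;            // public key from the certificate: verification and key size only

    public Pkcs11Rsa(Session session, ObjectHandle privateKey, RSA publicKey)
    {
        _session = session;
        _privateKey = privateKey;
        _publicKey = publicKey;
        KeySizeValue = publicKey.KeySize; // reports the size; no key bytes are copied out of the HSM
    }

    public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    {
        if (padding != RSASignaturePadding.Pkcs1)
            throw new CryptographicException("This wrapper only supports PKCS#1 v1.5 signatures.");
        // CKM_RSA_PKCS applies the v1.5 padding itself, but expects the DER DigestInfo (not the bare hash) as input.
        byte[] prefix = DigestInfoPrefix(hashAlgorithm);
        byte[] digestInfo = new byte[prefix.Length + hash.Length];
        Buffer.BlockCopy(prefix, 0, digestInfo, 0, prefix.Length);
        Buffer.BlockCopy(hash, 0, digestInfo, prefix.Length, hash.Length);
        using (var mechanism = new Mechanism(CKM.CKM_RSA_PKCS))
            return _session.Sign(mechanism, _privateKey, digestInfo); // C_Sign: data in, signature out
    }

    public override bool VerifyHash(byte[] hash, byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
        => _publicKey.VerifyHash(hash, signature, hashAlgorithm, padding);

    public override RSAParameters ExportParameters(bool includePrivateParameters)
    {
        if (includePrivateParameters)
            throw new CryptographicException("The private key is non-exportable and never leaves the HSM.");
        return _publicKey.ExportParameters(false);
    }

    public override void ImportParameters(RSAParameters parameters)
        => throw new NotSupportedException("Key material is managed by the token.");

    // DER DigestInfo prefixes from RFC 8017, section 9.2, note 1.
    private static byte[] DigestInfoPrefix(HashAlgorithmName h)
    {
        if (h == HashAlgorithmName.SHA256) return new byte[] { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };
        if (h == HashAlgorithmName.SHA384) return new byte[] { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30 };
        if (h == HashAlgorithmName.SHA512) return new byte[] { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40 };
        if (h == HashAlgorithmName.SHA1)   return new byte[] { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
        throw new CryptographicException("Unsupported hash algorithm: " + h.Name);
    }
}

public static class HsmXmlSigner
{
    public static void Main()
    {
        // Placeholders: vendor PKCS#11 library path, user PIN and certificate label are assumed values.
        using (var pkcs11 = new Pkcs11(@"C:\path\to\vendor-pkcs11.dll", AppType.MultiThreaded))
        {
            Slot slot = pkcs11.GetSlotList(SlotsType.WithTokenPresent)[0];
            using (Session session = slot.OpenSession(SessionType.ReadOnly))
            {
                session.Login(CKU.CKU_USER, "user-pin"); // private keys are normally CKA_PRIVATE, so log in first

                // 1. Locate the certificate object and parse its DER value (CKA_VALUE of a CKO_CERTIFICATE).
                ObjectHandle cert = session.FindAllObjects(new List<ObjectAttribute> {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
                    new ObjectAttribute(CKA.CKA_LABEL, "label") })[0];
                List<ObjectAttribute> certAttrs = session.GetAttributeValue(cert, new List<CKA> { CKA.CKA_ID, CKA.CKA_VALUE });
                byte[] ckaId = certAttrs[0].GetValueAsByteArray();
                var x509 = new X509Certificate2(certAttrs[1].GetValueAsByteArray());

                // 2. Locate the matching private key: by PKCS#11 convention it shares the certificate's CKA_ID.
                ObjectHandle privateKey = session.FindAllObjects(new List<ObjectAttribute> {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
                    new ObjectAttribute(CKA.CKA_ID, ckaId) })[0];

                // 3. Sign: SignedXml only ever sees a handle-backed RSA, never the key itself.
                var doc = new XmlDocument { PreserveWhitespace = true };
                doc.Load(@"C:\Users\MyUser\Desktop\SampleFile.xml");
                var signedXml = new SignedXml(doc) { SigningKey = new Pkcs11Rsa(session, privateKey, x509.GetRSAPublicKey()) };
                var reference = new Reference { Uri = "" };
                reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
                signedXml.AddReference(reference);
                signedXml.KeyInfo = new KeyInfo();
                signedXml.KeyInfo.AddClause(new KeyInfoX509Data(x509)); // publish the certificate, not the key
                signedXml.ComputeSignature();
                doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
                doc.Save(@"C:\Users\MyUser\Desktop\SampleFile.signed.xml");

                session.Logout();
            }
        }
    }
}
```

Two points worth checking against your own token: `CKM_RSA_PKCS` is used rather than `CKM_SHA256_RSA_PKCS` because SignedXml hands over an already computed digest, so the token must not hash again; and the search by `CKA_ID` only works if the certificate and private key were imported with matching IDs, which is the usual convention but not guaranteed, so fall back to the label if `FindAllObjects` returns nothing.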

0 Answers