Pkcs11X509Certificate is unable to find the private key in some tokens.

Pkcs11X509Certificate.GetRSAPrivateKey() yields null. Then, when I run SignedXml.ComputeSignature(), I get the following error:

System.Security.Cryptography.CryptographicException: 'Signing key is not loaded.'

Dalmo
  • You can check this link: https://stackoverflow.com/questions/45553015/cryptographicexception-signing-key-is-not-loaded – Nevermore Nov 21 '21 at 07:51

1 Answer

Adding the code below (proof of concept) to Pkcs11X509Certificate.FindKey works. Basically I removed CKA.CKA_LABEL from the search template attributes and it finds the certificate's private key.

// Contrary to what PKCS#11 specification suggests, subject of the private key is not readable even after login.
// So if we cannot find private key with subject, we will search for private keys without subject. 
if (keyHandle == null)
{
    searchTemplate = new List<IObjectAttribute>()
    {
        session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, keyClass),
        session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true),
        session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId),
        //session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, ckaLabel),
    };

    foreach (IObjectHandle foundObjectHandle in session.FindAllObjects(searchTemplate))
    {
        keyHandle = foundObjectHandle;
        break;
    }
}
Dalmo
  • I was wondering if this could be added to the Pkcs11Interop.X509Store project at GitHub. – Dalmo Nov 19 '21 at 05:20
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Neeraj Nov 19 '21 at 07:14
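Added example (not code from Pkcs11Interop.X509Store or from the answer above): a hypothetical helper that applies the same fallback, searching first with CKA_LABEL and then by CKA_ID alone, but verifies every candidate's CKA_MODULUS against the certificate's public modulus. Loosening the template can otherwise return a key that does not belong to the certificate, and the resulting signature would fail verification or, worse, be made with the wrong identity. It assumes an already logged-in Pkcs11Interop ISession and an RSA certificate; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Hypothetical helper (not part of Pkcs11Interop.X509Store): locate the RSA private key that
// belongs to 'cert' on a logged-in session. Tries the strict template first, then falls back
// to CKA_ID only for tokens that do not set CKA_LABEL on the private key, and in both cases
// checks the candidate's modulus so a looser search cannot return an unrelated key.
public static class Pkcs11KeyLocator
{
    public static IObjectHandle FindMatchingRsaPrivateKey(
        ISession session, X509Certificate2 cert, byte[] ckaId, string ckaLabel)
    {
        byte[] certModulus = TrimLeadingZeros(cert.GetRSAPublicKey().ExportParameters(false).Modulus);

        var strict = new List<IObjectAttribute>
        {
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, ckaLabel),
        };
        // Fallback template: same attributes minus CKA_LABEL (the one the answer dropped).
        var byIdOnly = strict.Take(3).ToList();

        foreach (var template in new[] { strict, byIdOnly })
        {
            foreach (IObjectHandle candidate in session.FindAllObjects(template))
            {
                if (ModulusMatches(session, candidate, certModulus))
                    return candidate;
            }
        }
        // Fail closed: the caller should refuse to sign rather than pick an arbitrary key.
        return null;
    }

    private static bool ModulusMatches(ISession session, IObjectHandle key, byte[] certModulus)
    {
        IObjectAttribute attr = session.GetAttributeValue(key, new List<CKA> { CKA.CKA_MODULUS })[0];
        // CKA_MODULUS is not a sensitive attribute, but some tokens still refuse to return it.
        if (attr.CannotBeRead) return false;
        return TrimLeadingZeros(attr.GetValueAsByteArray()).SequenceEqual(certModulus);
    }

    // PKCS#11 and .NET may differ in leading-zero padding of the big-endian modulus.
    private static byte[] TrimLeadingZeros(byte[] b) => b.SkipWhile(x => x == 0).ToArray();
}
```

If the helper returns null for a token that clearly holds the key, the CKA_ID on the private key object usually differs from the certificate's; dumping CKA_ID of all CKO_PRIVATE_KEY objects with a tool such as pkcs11-tool shows which value the token actually uses.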