1

当我生成公钥/私钥时,我正在尝试使用 Pkcs11Interop 库从 HSM(Safenet inc)获取我自己的证书,但出现错误“方法 C_GenerateKeyPair 返回 CKR_FUNCTION_FAILED”

我的代码

if (Net.Pkcs11Interop.Common.Platform.Uses64BitRuntime)
{
    loggerLibraryPath = @"C:\inetpub\wwwroot\ETPkcs11\ETPkcsII\libs\pkcs11-logger-x64.dll";
}
else
{
    loggerLibraryPath = @"C:\inetpub\wwwroot\ETPkcs11\ETPkcsII\libs\pkcs11-logger-x86.dll";
}
System.Environment.SetEnvironmentVariable("PKCS11_LOGGER_LIBRARY_PATH", pkcs11LibraryPath);
System.Environment.SetEnvironmentVariable("PKCS11_LOGGER_LOG_FILE_PATH", loogerLogFilePath);
System.Environment.SetEnvironmentVariable("PKCS11_LOGGER_FLAGS", "64");

if (System.IO.File.Exists(loogerLogFilePath))
{
    System.IO.File.Delete(loogerLogFilePath);
}

using (Pkcs11 pkcs11 = new Pkcs11(loggerLibraryPath, AppType.SingleThreaded))
{
    LibraryInfo libraryInfo = pkcs11.GetInfo();
    var aviSlot = pkcs11.GetSlotList(SlotsType.WithTokenPresent).Where(slot => slot.GetSlotInfo().SlotFlags.TokenPresent).FirstOrDefault();

    using (Session session = aviSlot.OpenSession(SessionType.ReadWrite))
    {
        // Login as normal user
        session.Login(CKU.CKU_USER, "xxxxxxxx");
        byte[] ckaId = session.GenerateRandom(20);

        // Prepare attribute template of new public key
        List<ObjectAttribute> publicKeyAttributes = new List<ObjectAttribute>();
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, false));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, Settings.ApplicationName));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ENCRYPT, true));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_VERIFY, true));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_VERIFY_RECOVER, true));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_WRAP, true));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_MODULUS_BITS, 1024));
        publicKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }));

        // Prepare attribute template of new private key
        List<ObjectAttribute> privateKeyAttributes = new List<ObjectAttribute>();
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, true));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, Settings.ApplicationName));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_ID, ckaId));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SENSITIVE, true));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_DECRYPT, true));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SIGN, true));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_SIGN_RECOVER, true));
        privateKeyAttributes.Add(new ObjectAttribute(CKA.CKA_UNWRAP, true));

        // Specify key generation mechanism
        Mechanism mechanism = new Mechanism(CKM.CKM_RSA_PKCS_KEY_PAIR_GEN);

        // Generate key pair
        ObjectHandle publicKeyHandle = null;
        ObjectHandle privateKeyHandle = null;
        session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle, out privateKeyHandle);

        // Do something interesting with generated key pair
        // Destroy keys
        session.DestroyObject(privateKeyHandle);
        session.DestroyObject(publicKeyHandle);

        session.Logout();
    }
}

这是一些日志

0x00002478 : 0x00001af8 : Attribute 7
0x00002478 : 0x00001af8 : Attribute: 265 (CKA_SIGN_RECOVER)
0x00002478 : 0x00001af8 : pValue: 0597E850
0x00002478 : 0x00001af8 : ulValueLen: 1
0x00002478 : 0x00001af8 : *pValue: HEX(01)
0x00002478 : 0x00001af8 : Attribute 8
0x00002478 : 0x00001af8 :属性:263(CKA_UNWRAP)
0x00002478:0x00001af8:pValue:0597E830
0x00002478:0x00001af8:ulValueLen:1
0x00002478:0x00001af8: pValue:HEX(01)
0x000:0x008: End attribute template *
0x00002478 : 0x00001af8 : phPublicKey: 0643EA74
0x00002478 : 0x00001af8 : *phPublicKey: 0
0x00002478 : 0x00001af8 : phPrivateKey: 0643EA70
0x00002478 : 0x00001af8 : *phPrivateKey: 0
0x00002478 : 0x00001af8 : Returning 6 (CKR_FUNCTION_FAILED)
0x00002478 : 0x00001af8 : *** ****************************** 2019-03-22 16:37:32 *
0x00002478:0x00001af8:调用 C_CloseSession
0x00002478:0x00001af8:输入
0x00002478 : 0x00001af8 : hSession: 2490369
0x00002478 : 0x00001af8 : 返回 0 (CKR_OK)
0x00002478 : 0x00001af8 : ****************************** 2019 -03-22 16:37:32 *
0x00002478:0x00001af8:调用 C_Finalize
0x00002478:0x00001af8:输入
0x00002478:0x00001af8:预保留:00000000
0x00002478:0x00001af8:返回 0 (CKR_OK)

4

2 回答 2

0

如果面向CKR_FUNCTION_FAILED,请检查使用的别名。如果有多个别名,则一一检查并将其传递给密钥库。

于 2021-11-08T13:11:07.360 回答
-1

不幸的是,PKCS#11 API 没有提供C_GenerateKeyPair函数失败原因的任何详细信息,但许多 PKCS#11 库支持某种内部日志记录机制,这可能会揭示错误的真正原因。启用日志记录所需的确切步骤应包含在 PKCS#11 库供应商提供的文档中。

于 2019-04-07T21:14:36.007 回答