CKR_DATA_INVALID when attempting to sign data using SignPath Cryptoki library #235
Comments
If you want to use You can take a look at Pkcs11Admin code for a working code sample: https://github.com/Pkcs11Admin/Pkcs11Admin/blob/0.6.0/src/Pkcs11Admin/Pkcs11Slot.cs#L1066-L1073 Or maybe an even better solution would be to use the convenient
@jariq hmm that won’t work for us, we need the signature to be attached to the original file as per Apple’s requirements: https://developer.apple.com/documentation/devicemanagement/configuring_multiple_devices_using_profiles#3234104
The resulting XML is still visible in a binary file with the signature wrapping the XML content. It's the equivalent of using the Our existing signing code, using a locally available X509 cert & private key pair (which works with arbitrary data, i.e. not hashes), looks like this if that helps:

```csharp
using System;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

public byte[] Sign(X509Certificate2 signingCertificate, byte[] bytesToSign)
{
    if (bytesToSign == null)
    {
        throw new ArgumentNullException(paramName: nameof(bytesToSign));
    }
    if (signingCertificate.HasPrivateKey == false)
    {
        throw new NotSupportedException("The signing certificate must have a private key");
    }
    // CmsSigner uses the certificate's own private key; SignedCms with the
    // default (non-detached) mode embeds bytesToSign inside the signature.
    var signer = new CmsSigner(signingCertificate);
    var content = new ContentInfo(bytesToSign);
    var cms = new SignedCms(content);
    cms.ComputeSignature(signer);
    return cms.Encode();
}
```

To be honest the only reason I'm using
Perhaps the token that has been created for us doesn't have the required capabilities? Apologies, I'm figuring this all out as I go 😅
You are currently experimenting with very low-level RSA signatures while you need to create a high-level CMS signature:
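An added example (not from the thread and not Pkcs11Interop's own code) of the route jariq is pointing at: Pkcs11Interop.X509Store hands out an RSA object backed by the token, and .NET's CmsSigner/SignedCms produce the attached CMS signature around the content. Assumptions: .NET Core 3.0 or later (the CmsSigner constructor that takes an AsymmetricAlgorithm), and the Pkcs11X509Certificate members HasPrivateKeyObject, GetRSAPrivateKey() and Info.ParsedCertificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using Net.Pkcs11Interop.X509Store;

public static class TokenCmsSigner
{
    // Produces an attached (non-detached) CMS SignedData over arbitrary bytes.
    // The RSA operation runs on the PKCS#11 token through the RSA object that
    // Pkcs11Interop.X509Store hands out, so the private key never leaves the token.
    // Assumes .NET Core 3.0+ / .NET 5+, where CmsSigner accepts an AsymmetricAlgorithm.
    public static byte[] Sign(string pkcs11LibraryPath, IPinProvider pinProvider, byte[] content)
    {
        if (content == null) throw new ArgumentNullException(nameof(content));
        using var store = new Pkcs11X509Store(pkcs11LibraryPath, pinProvider);
        foreach (Pkcs11Slot slot in store.Slots)
        {
            foreach (Pkcs11X509Certificate cert in slot.Token.Certificates)
            {
                // A certificate object alone cannot sign: the token must also hold
                // the matching private key object (the part the PIN unlocks).
                if (!cert.HasPrivateKeyObject)
                    continue;
                RSA rsa = cert.GetRSAPrivateKey(); // owned by the store, disposed with it
                if (rsa == null)
                    continue; // key is not RSA
                X509Certificate2 signerCert = cert.Info.ParsedCertificate;
                var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signerCert, rsa)
                {
                    IncludeOption = X509IncludeOption.EndCertOnly,
                    DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1", "sha256")
                };
                // detached: false embeds the content, so one file carries both data and signature
                var cms = new SignedCms(new ContentInfo(content), detached: false);
                cms.ComputeSignature(signer);
                byte[] encoded = cms.Encode();
                // Check our own output before shipping it: catches a token that
                // returned garbage or a mismatched certificate/key pair.
                var check = new SignedCms();
                check.Decode(encoded);
                check.CheckSignature(verifySignatureOnly: true);
                return encoded;
            }
        }
        throw new InvalidOperationException("No certificate with an RSA private key object on any token");
    }
}
```

If Certificates is empty for every slot, as in the log below, there is nothing for this path to sign: the token needs a certificate object alongside the private key object before the high-level API can be used.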
I tried the Pkcs11Interop.X509Store approach you linked earlier today, but IIRC the token I have doesn't have a certificate (it's currently 20:45 here so I don't have the code to hand).
Here is the code and log output from the Pkcs11Interop.X509Store approach; no certificates are returned at all.

```csharp
using System.Text;
using Net.Pkcs11Interop.X509Store;

public static class HighLevel
{
    public static byte[] Sign(byte[] dataToSign)
    {
        // Constants.PIN and Constants.LoggerPath are defined elsewhere in this project
        var pinProvider = new CryptokiPinProvider(Constants.PIN);
        using var pkcs11Store = new Pkcs11X509Store(Constants.LoggerPath, pinProvider);
        foreach (var slot in pkcs11Store.Slots)
        {
            foreach (var certificate in slot.Token.Certificates)
            {
                // never reached: Certificates is empty for every slot
            }
        }
        return null;
    }
}

public class CryptokiPinProvider : IPinProvider
{
    private readonly byte[] _pin;

    public CryptokiPinProvider(string pin)
    {
        _pin = Encoding.UTF8.GetBytes(pin);
    }

    // Same PIN for key and token; false = PIN was not cancelled by the user
    public GetPinResult GetKeyPin(
        Pkcs11X509StoreInfo storeInfo,
        Pkcs11SlotInfo slotInfo,
        Pkcs11TokenInfo tokenInfo,
        Pkcs11X509CertificateInfo certificateInfo)
    {
        return new GetPinResult(false, _pin);
    }

    public GetPinResult GetTokenPin(
        Pkcs11X509StoreInfo storeInfo,
        Pkcs11SlotInfo slotInfo,
        Pkcs11TokenInfo tokenInfo)
    {
        return new GetPinResult(false, _pin);
    }
}
```

Meanwhile using
And the logs:
Import certificate stored in
I'm trying to use Pkcs11Interop with the SignPath Cryptoki provider to CMS sign some data, but I'm getting the `CKR_DATA_INVALID` error at the point of calling `session.Sign`. I've included the code, exception, and logs from PKCS11-LOGGER; please can you advise?
Many thanks
Code
Exception
Logs from PKCS11-LOGGER