Adding real multi-part operations

[lo1ol]

Hello,

I'm trying to add primitive classes to Bouncy Castle, which will implements pkcs#11 signature, encryption, digest and so on. For example, to add pkcs#11 signature, I have to implement ISigner interface, which requeres Update function.

The problem is that HighLevel API of PKCS11Interop doesn't allow to do this. What do you think about adding pkcs#11 classes (ISigner, IVerifier, IDigester, IEncryptor, IDecryptor and so on), which allow real multi-part operaion support?

Usage of them may be similar to this:

var signer = factory.MultiPartOperations.CreateSigner(mechanism, privateKey);
signer.Update(data1);
signer.Update(data2);
var result = signer.GetResult();

What do you think about this interface? I can help you with implementation.

[jariq]

Pkcs11Interop strictly follows vanilla PKCS#11 standard and proposed interfaces are BouncyCastle specific so I cannot say I like proposed approach very much. If it is really needed I would rather expose PKCS#11 functions you are missing in HighLevelAPI:

• C_SignInit as ISession::SignInit
• C_SignUpdate as ISession::SignUpdate
• C_SignFinal as ISession::SignFinal
• ...

With these new methods you should be able to easily implement ISigner and other BouncyCastle specific interfaces in your project. Would something like that work for you? It would of course require Pkcs11Interop 6 to be released as this is an API breaking change.

BTW did you check whether your ISigner implementation will work with any real word scenarios in BouncyCastle? As far as I remember only a few classes were really using it. For example when I was using BouncyCastle to create PKCS#10 request in Pkcs11Admin (see code here) I could not use ISigner at all. BouncyCastle APIs seem to be very inconsistent and almost every class in that library requires different approach 🤷🏻‍♂️

[lo1ol]

Thank you for your fast answer!

I got your opinionn about BC, and agree with you. But I don't know any alternative to BC on C#. May be do you know?

Any way, multi-part HighLevelAPI operations are not urgent changes: I can use low-level api for implementation. If pkcs#11 functions will be used by somebody, I've write you and we can add HighLevel Init/Update/Final functions.

[jariq]

I'm also not aware of any alternatives to BouncyCastle.

[manison]

If it is really needed I would rather expose PKCS#11 functions you are missing in HighLevelAPI:

👍 With this it would be also easier to implement the ICryptoTransform which would allow plugging a PKCS#11 device into the .NET CryptoStream infrastructure smoothly. Today one must go through the low level API which is hassle to deal with because it needs to be implemented in 4 variants.

[adcy]

Also tried integrate with ICryptoTransform api and encountered troubles because of lack init/update/final in high level api.

[jariq]

@adcy this issue originally discussed signing with BouncyCasle with ISigner. Could you please share more details on what kind of cryptographic operation do you want to integrate with ICryptoTransform? Your input will help me decide which operations are needed most.

[adcy]

@jariq I tried to create implementation of System.Security.Cryptography.HashAlgorithm. The problem is in the point that HashAlgorithm contains not overridable implementation for computing hash over System.IO.Stream which calls abstract HashCore(byte[], int start, int size) multiple times. In essence implementation of HashAlgorithm must do same things that Digest(IMechanism, Stream) do internally.

[ch0mik]

up