
SafeNet Data Objects #227

Open
bartengine27 opened this issue Oct 6, 2023 · 7 comments

Comments

@bartengine27

Dear,

Adding data objects on a Gemalto ID Prime MD with the Pkcs11Interop library succeeds insofar as the data objects are visible in the SafeNet Authentication Client. Querying the data objects with the Pkcs11Interop library or with Pkcs11Admin fails (no data objects are visible).

Is this a known issue?

Thanks,
Bart

@jariq
Member

jariq commented Oct 8, 2023

No, that is not a known issue. Please post the attributes you are using to create those objects.

@bartengine27
Author

bartengine27 commented Oct 15, 2023

Dear Jariq,

Thanks for asking!

More info below.

Thanks,
Bart

    private static void GenerateDataObject()
    {
        using (IPkcs11Library pkcs11Library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, pkcs11LibraryPath, AppType.MultiThreaded))
        {
            // Find first slot with token present
            ISlot slot = Helpers.GetUsableSlot(pkcs11Library);

            // Open RW session
            using (ISession session = slot.OpenSession(SessionType.ReadWrite))
            {
                // Login as normal user
                session.Login(CKU.CKU_USER, Settings.NormalUserPin);
                byte[] encryptedBackupSecret = ConvertUtils.Utf8StringToBytes("my secret");
                // https://thalesdocs.com/gphsm/ptk/5.9/docs/Content/PTK-C_Program/Obj_Classes/create_mod_copy_del.htm
                // check CKF_LOGIN_REQUIRED
                List<IObjectAttribute> createObjectAttributes = new List<IObjectAttribute>();
                createObjectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_DATA));
                createObjectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
                createObjectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, true));
                createObjectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "data_object_test"));
                createObjectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_APPLICATION, "element"));
                createObjectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_VALUE, encryptedBackupSecret));
                var createdObject = session.CreateObject(createObjectAttributes);

                session.Logout();
            }
        }
    }

@jariq
Member

jariq commented Oct 15, 2023

CKA_PRIVATE attribute is set to True so this data object is visible only when user is logged in.

Did you perform login before you searched for data objects?

@bartengine27
Author

bartengine27 commented Oct 16, 2023

Thanks for asking. I'm using the following code:

    static void FindAttributesCKODATA()
    {
        using (IPkcs11Library pkcs11Library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, pkcs11LibraryPath, AppType.MultiThreaded))
        {
            // Find first slot with token present
            ISlot slot = Helpers.GetUsableSlot(pkcs11Library);
            Console.WriteLine(slot.GetTokenInfo().Label);
            // Open RW session
            using (ISession session = slot.OpenSession(SessionType.ReadWrite))
            {
                // Login as normal user
                session.Login(CKU.CKU_USER, Settings.NormalUserPin);
                List<IObjectAttribute> keyAttributes = new List<IObjectAttribute>()
                {
                    new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_DATA),
                };

                List<IObjectHandle> foundObjects = session.FindAllObjects(keyAttributes);

                // Prepare list of empty attributes we want to read
                List<CKA> attributes = new List<CKA>();
                attributes.Add(CKA.CKA_LABEL);
                attributes.Add(CKA.CKA_VALUE);

                foreach (var v in foundObjects)
                {
                    List<IObjectAttribute> objectAttributes = session.GetAttributeValue(v, attributes);
                    Console.WriteLine("Attribute values of object with id " + v.ObjectId);
                    foreach (var o in objectAttributes)
                    {
                        Console.WriteLine("\t" + o.GetValueAsString());
                    }
                }
            }
        }
    }

foundObjects is empty if I run this on Windows. On Ubuntu 22.04 x64 I get:

Unhandled exception. System.InvalidCastException: Unable to cast object of type 'Net.Pkcs11Interop.LowLevelAPI41.CK_ATTRIBUTE' to type 'Net.Pkcs11Interop.LowLevelAPI80.CK_ATTRIBUTE'

Your feedback is appreciated!

Regards,
Bart

@jariq
Member

jariq commented Oct 16, 2023

Problem might be here:

    List<IObjectAttribute> keyAttributes = new List<IObjectAttribute>()
    {
        new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_DATA),
    };

Try changing it to:

    List<IObjectAttribute> keyAttributes = new List<IObjectAttribute>()
    {
        session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_DATA),
    };
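An added example (not code from this thread or from Pkcs11Interop itself) that combines the two points raised above: every attribute comes from the same factories that loaded the library, and the private data object is searched for once before and once after login so the effect of CKA_PRIVATE=true is visible as a count. It assumes the caller supplies pkcs11LibraryPath, userPin and a label, and that the first slot with a token present is the target card.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

public static class PrivateDataObjectCheck
{
    // Creates a private CKO_DATA object, then searches for it before and after login.
    // Returns (hitsBeforeLogin, hitsAfterLogin): a conforming token gives (0, 1).
    public static (int, int) Run(string pkcs11LibraryPath, string userPin, string label)
    {
        // One factories instance for the library, the session and every attribute
        // (no direct `new ObjectAttribute(...)`), as suggested in the thread.
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                   factories, pkcs11LibraryPath, AppType.MultiThreaded))
        using (ISession session = lib.GetSlotList(SlotsType.WithTokenPresent)[0]
                   .OpenSession(SessionType.ReadWrite))
        {
            var attrs = factories.ObjectAttributeFactory;
            var searchTemplate = new List<IObjectAttribute>
            {
                attrs.Create(CKA.CKA_CLASS, CKO.CKO_DATA),
                attrs.Create(CKA.CKA_LABEL, label)
            };
            session.Login(CKU.CKU_USER, userPin);
            session.CreateObject(new List<IObjectAttribute>
            {
                attrs.Create(CKA.CKA_CLASS, CKO.CKO_DATA),
                attrs.Create(CKA.CKA_TOKEN, true),
                attrs.Create(CKA.CKA_PRIVATE, true),
                attrs.Create(CKA.CKA_LABEL, label),
                attrs.Create(CKA.CKA_VALUE, ConvertUtils.Utf8StringToBytes("constructed sample value"))
            });
            session.Logout(); // private objects are hidden from a public session
            int hitsBeforeLogin = session.FindAllObjects(searchTemplate).Count;
            session.Login(CKU.CKU_USER, userPin);
            List<IObjectHandle> found = session.FindAllObjects(searchTemplate);
            foreach (IObjectHandle h in found)
            {
                List<IObjectAttribute> v = session.GetAttributeValue(h, new List<CKA> { CKA.CKA_LABEL, CKA.CKA_PRIVATE });
                Console.WriteLine($"{v[0].GetValueAsString()} CKA_PRIVATE={v[1].GetValueAsBool()}");
                session.DestroyObject(h); // handles from before the logout are no longer valid, so use the fresh ones
            }
            session.Logout();
            return (hitsBeforeLogin, found.Count);
        }
    }
}
```

A result of (0, 0) after login points at the token or its PKCS#11 module rather than at login state, which separates the two explanations discussed in this thread.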

@bartengine27
Author

bartengine27 commented Oct 16, 2023

Thanks for your suggestion!

No difference on Windows.

On Ubuntu 22.04 x64 the InvalidCastException is gone, which is great; the data object, however, is not readable.

@bartengine27
Author

Dear @jariq,

Do you have an update? Anything I can do to help?

Thanks,
Bart
