CKR_DATA_INVALID when attempting to sign data using SignPath Cryptoki library #235
Assignees
Labels
Comments
|
If you want to use You can take a look at Pkcs11Admin code for a working code sample: https://github.com/Pkcs11Admin/Pkcs11Admin/blob/0.6.0/src/Pkcs11Admin/Pkcs11Slot.cs#L1066-L1073 Or maybe even better solution would be to use convenient |
|
@jariq hmm that won’t work for us, we need the signature to be attached to the original file as per Apple’s requirements: https://developer.apple.com/documentation/devicemanagement/configuring_multiple_devices_using_profiles#3234104
The resulting XML is still visible in a binary file with the signature wrapping the XML content. It’s the equivalent of using the Our existing signing code using a locally available X509 cert & private key pair, which works with arbitrary data (i.e. not hashes) looks like this if that helps: public byte[] Sign(X509Certificate2 signingCertificate, byte[] bytesToSign)
{
if (bytesToSign == null)
{
throw new ArgumentNullException(paramName: nameof(bytesToSign));
}
if (signingCertificate.HasPrivateKey == false)
{
throw new NotSupportedException("The signing certificate must have a private key");
}
var signer = new CmsSigner(signingCertificate);
var content = new ContentInfo(bytesToSign);
var cms = new SignedCms(content);
cms.ComputeSignature(signer);
return cms.Encode();
}To be honest the only reason I’m using
Perhaps the token that has been created for us doesn’t have the required capabilities? Apologies, I’m figuring this all out as I go 😅 |
|
You are currently experimenting with very low level RSA signatures while you need to create high-level CMS signature:
|
|
I tried the Pkcs11Interop.X509Store approach you linked earlier today but iirc the token I have doesn't have a certificate (it's currently 20:45 here so don't have the code to hand) |
|
Here is the code and log output from the Pkcs11Interop.X509Store approach, no certificates are returned at all. public static class HighLevel
{
public static byte[] Sign(byte[] dataToSign)
{
var pinProvider = new CryptokiPinProvider(Constants.PIN);
using var pkcs11Store = new Pkcs11X509Store(Constants.LoggerPath, pinProvider);
foreach (var slot in pkcs11Store.Slots)
{
foreach (var certificate in slot.Token.Certificates)
{
}
}
return null;
}
}
public class CryptokiPinProvider : IPinProvider
{
private readonly byte[] _pin;
public CryptokiPinProvider(string pin)
{
_pin = Encoding.UTF8.GetBytes(pin);
}
public GetPinResult GetKeyPin(
Pkcs11X509StoreInfo storeInfo,
Pkcs11SlotInfo slotInfo,
Pkcs11TokenInfo tokenInfo,
Pkcs11X509CertificateInfo certificateInfo)
{
return new GetPinResult(false, _pin);
}
public GetPinResult GetTokenPin(
Pkcs11X509StoreInfo storeInfo,
Pkcs11SlotInfo slotInfo,
Pkcs11TokenInfo tokenInfo)
{
return new GetPinResult(false, _pin);
}
}Expand logsMeanwhile using
And the logs: Expand me |
|
Import certificate stored in |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm trying to use Pkcs11Interop with the SignPath Cryptoki provider to CMS sign some data but getting the
CKR_DATA_INVALIDerror at the point of callingsession.Sign.I've include the code, exception, and logs from PKCS11-LOGGER, please can you advise?
Many thanks
Code
Exception
Logs from PKCS11-LOGGER
Expand me
The text was updated successfully, but these errors were encountered: