【Question title】: AWS cloudhsm with PKCS#11 not able to export RSA public key
【Posted】: 2020-04-29 11:35:17
【Description】:

I am generating an RSA key pair on AWS CloudHSM using the PKCS11Interop C# library on top of the AWS vendor PKCS#11 library. I want to export the public key from the HSM using the PKCS#11 GetAttributeValue method.

The response states that the attribute cannot be read. I have flagged all the attribute values correctly so that the key can be exported; can someone point out what I am doing wrong?

My sample code

    using System;
    using System.Collections.Generic;
    using System.Text;
    using Net.Pkcs11Interop.Common;
    using Net.Pkcs11Interop.HighLevelAPI;

    private static void GenerateRSAKeyPair(ISession session, out IObjectHandle publicKeyHandle, out IObjectHandle privateKeyHandle, string keyAlias = null)
    {
        // CKA_ID links the two halves of the pair; use the alias if given, otherwise a random id
        byte[] ckaId = null;
        if (string.IsNullOrEmpty(keyAlias))
            ckaId = session.GenerateRandom(20);
        else
            ckaId = Encoding.UTF8.GetBytes(keyAlias);

        // Prepare attribute template of new public key
        List<IObjectAttribute> publicKeyAttributes = new List<IObjectAttribute>();
        publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
        publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY));
        //publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, false)); // Throws InvalidAttribute Value
        publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId));
        publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_WRAP, true));
        //publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SENSITIVE, true));
        publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_MODULUS_BITS, 2048));
        publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }));

        // Prepare attribute template of new private key
        List<IObjectAttribute> privateKeyAttributes = new List<IObjectAttribute>();
        privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
        //privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_PRIVATE, true));
        //publicKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SENSITIVE, true));
        privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId));
        privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_UNWRAP, true));

        // Specify key generation mechanism
        IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_X9_31_KEY_PAIR_GEN);

        // Generate key pair
        session.GenerateKeyPair(mechanism, publicKeyAttributes, privateKeyAttributes, out publicKeyHandle, out privateKeyHandle);
    }

    private static byte[] GetKeyAttributeValue(ISession session, IObjectHandle keyHandle)
    {
        // Ask the token for CKA_VALUE; PKCS11Interop marks the attribute CannotBeRead
        // when the token refuses to return it
        var readAttrs = session.GetAttributeValue(keyHandle, new List<CKA>() { CKA.CKA_VALUE });
        if (readAttrs[0].CannotBeRead)
            throw new Exception("Key cannot be exported");
        else
            return readAttrs[0].GetValueAsByteArray();
    }

【Discussion】:

    Tags: pkcs#11 pkcs11interop amazon-cloudhsm


    【Solution 1】:

    An RSA public key object does not have a CKA_VALUE attribute. Instead, there are two attributes named CKA_MODULUS and CKA_PUBLIC_EXPONENT that make up the key value.

    【Discussion】:

      【Solution 2】:

      As @Homaei suggested,

      I created the following code to export the public key from C# code.

      // Overload of the question's GetKeyAttributeValue helper, parameterised on the attribute type
      private static byte[] GetKeyAttributeValue(ISession session, IObjectHandle keyHandle, CKA attributeType)
      {
          var readAttrs = session.GetAttributeValue(keyHandle, new List<CKA>() { attributeType });
          if (readAttrs[0].CannotBeRead)
              throw new Exception($"Attribute {attributeType} cannot be read");
          return readAttrs[0].GetValueAsByteArray();
      }

      var modulus = GetKeyAttributeValue(session, publicKey, CKA.CKA_MODULUS);
      var exponent = GetKeyAttributeValue(session, publicKey, CKA.CKA_PUBLIC_EXPONENT);

      RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(dwKeySize: 2048);
      RSAParameters rsaParam = rsa.ExportParameters(false);
      rsaParam.Modulus = modulus;
      rsaParam.Exponent = exponent;
      rsa.ImportParameters(rsaParam);

      // Dispose the writer so the exported text is actually flushed to disk
      using (var writer = System.IO.File.CreateText("exportedFromCode.txt"))
      {
          // ExportPublicKey is taken from
          // https://stackoverflow.com/questions/28406888/c-sharp-rsa-public-key-output-not-correct/28407693#28407693
          ExportPublicKey(rsa, writer);
      }
      

      【Discussion】:
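The following is an added, self-contained C# example (not code from the question or either answer) that ties Solution 1 and Solution 2 together: it locates the RSA public key object by CKA_ID, shows with a probe why the question's CKA_VALUE request comes back as CannotBeRead, reads CKA_MODULUS and CKA_PUBLIC_EXPONENT, and writes the key out as a standard SubjectPublicKeyInfo PEM instead of through a hand-written encoder. It assumes Pkcs11Interop 5.x and .NET 5 or later (for RSA.ExportSubjectPublicKeyInfo and PemEncoding); the PKCS#11 library path, PIN and key alias are read from environment variables and are placeholders rather than values taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Added example: export an RSA public key from a PKCS#11 token as a PEM.
// Assumes Pkcs11Interop 5.x and .NET 5+. PKCS11_LIBRARY, PKCS11_PIN and
// RSA_KEY_ALIAS are placeholders supplied by the operator, not page values.
public static class RsaPublicKeyExport
{
    // Lists the attribute types the token refuses to return for this object.
    // Pkcs11Interop sets CannotBeRead when the token answers
    // CKR_ATTRIBUTE_TYPE_INVALID (attribute undefined for this object class)
    // or CKR_ATTRIBUTE_SENSITIVE (protected by CKA_SENSITIVE). For an RSA
    // public key CKA_VALUE falls in the first group, which is the failure in the question.
    public static List<CKA> UnreadableAttributes(ISession session, IObjectHandle handle, List<CKA> probe)
    {
        List<IObjectAttribute> attrs = session.GetAttributeValue(handle, probe);
        return attrs.Where(a => a.CannotBeRead).Select(a => (CKA)a.Type).ToList();
    }

    // Finds RSA public key objects carrying the given CKA_ID (the question stores the alias there).
    public static List<IObjectHandle> FindRsaPublicKeys(ISession session, byte[] ckaId)
    {
        var template = new List<IObjectAttribute>
        {
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ID, ckaId),
        };
        return session.FindAllObjects(template);
    }

    // PKCS#11 big integers are unsigned big-endian and may carry leading zero
    // bytes; RSAParameters expects the minimal encoding, so strip them.
    public static byte[] TrimLeadingZeros(byte[] value)
    {
        int i = 0;
        while (i < value.Length - 1 && value[i] == 0) i++;
        return value.Skip(i).ToArray();
    }

    // Reads the two attributes that make up an RSA public key (Solution 1).
    public static RSAParameters ReadRsaPublicParameters(ISession session, IObjectHandle publicKey)
    {
        List<IObjectAttribute> attrs = session.GetAttributeValue(publicKey,
            new List<CKA> { CKA.CKA_MODULUS, CKA.CKA_PUBLIC_EXPONENT });
        foreach (IObjectAttribute attr in attrs)
            if (attr.CannotBeRead)
                throw new InvalidOperationException($"Token refused to return {(CKA)attr.Type}");
        return new RSAParameters
        {
            Modulus = TrimLeadingZeros(attrs[0].GetValueAsByteArray()),
            Exponent = TrimLeadingZeros(attrs[1].GetValueAsByteArray()),
        };
    }

    // Encodes the key as "-----BEGIN PUBLIC KEY-----" (SubjectPublicKeyInfo), the
    // form openssl and most TLS/JWT libraries accept directly.
    public static string ToPem(RSAParameters publicParams)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicParams);
            byte[] spki = rsa.ExportSubjectPublicKeyInfo();
            return new string(PemEncoding.Write("PUBLIC KEY", spki));
        }
    }

    public static void Main()
    {
        // Placeholders: PKCS11_LIBRARY is the vendor .so/.dll, PKCS11_PIN the crypto
        // user credential (CloudHSM expects user:password), RSA_KEY_ALIAS the CKA_ID.
        string libraryPath = Environment.GetEnvironmentVariable("PKCS11_LIBRARY");
        string pin = Environment.GetEnvironmentVariable("PKCS11_PIN");
        byte[] ckaId = Encoding.UTF8.GetBytes(Environment.GetEnvironmentVariable("RSA_KEY_ALIAS") ?? "example-key");

        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, libraryPath, AppType.MultiThreaded))
        using (ISession session = library.GetSlotList(SlotsType.WithTokenPresent).First().OpenSession(SessionType.ReadOnly))
        {
            session.Login(CKU.CKU_USER, pin);
            try
            {
                IObjectHandle publicKey = FindRsaPublicKeys(session, ckaId).Single();

                // Reproduces the question's symptom: CKA_VALUE is undefined for public keys
                foreach (CKA unreadable in UnreadableAttributes(session, publicKey, new List<CKA> { CKA.CKA_VALUE, CKA.CKA_MODULUS }))
                    Console.WriteLine($"not readable on public key: {unreadable}");

                string pem = ToPem(ReadRsaPublicParameters(session, publicKey));
                File.WriteAllText("exportedFromCode.pem", pem);
                Console.WriteLine(pem);
            }
            finally
            {
                session.Logout();
            }
        }
    }
}
```

The probe is the useful diagnostic here: an attribute marked CannotBeRead means the token returned either CKR_ATTRIBUTE_TYPE_INVALID or CKR_ATTRIBUTE_SENSITIVE, and for a public key only the first applies, so no template flag on the key will make CKA_VALUE readable. Reading CKA_MODULUS and CKA_PUBLIC_EXPONENT never touches the private half, which keeps the private key's CKA_SENSITIVE protection intact while still giving you a verifiable PEM you can check with `openssl rsa -pubin -in exportedFromCode.pem -text -noout`.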
