对称密钥的解包抛出 Pkcs11Exception / CKR_GENERAL_ERROR

Question

我正在尝试将 Wrap / Unwrap example 从 RSA 密钥对转换为单个 AES 密钥：

// Open RW session
using (ISession session = slot.OpenSession(SessionType.ReadWrite))
{
  string userPin = "1234";

  // Login as normal user
  session.Login(CKU.CKU_USER, userPin);

  // Generate symetric secret key
  IObjectHandle secretKey = Helpers.GenerateKey(session);

  // Generate symetric key
  IObjectHandle publicKey = Helpers.GenerateKey(session);

  // Specify wrapping mechanism
  IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_AES_KEY_WRAP);

  // Wrap key
  byte[] wrappedKey = session.WrapKey(mechanism, publicKey, secretKey);

  // Define attributes for unwrapped key
  List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();

  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DERIVE, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "UnWrapperTest"));

  // Unwrap key
  IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, secretKey, wrappedKey, objectAttributes);
  }
}

与

public static IObjectHandle GenerateKey(ISession session)
{
  // Prepare attribute template of new key
  List<IObjectAttribute> objectAttributes = new List<IObjectAttribute>();
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_SECRET_KEY));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_AES));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_ENCRYPT, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DECRYPT, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_DERIVE, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE, true));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_VALUE_LEN, 32));
  objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, "WrapperTest"));

  // Specify key generation mechanism
  IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_AES_KEY_GEN);

  // Generate key
  return session.GenerateKey(mechanism, objectAttributes);
}

但是IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, secretKey, wrappedKey, objectAttributes); 行总是抛出Net.Pkcs11Interop.Common.Pkcs11Exception: 'Method C_UnwrapKey returned CKR_GENERAL_ERROR' 异常。

作为“HSM”，我使用的是SoftHSM2 on Windows。

我做错了什么？

披露：我也在GitHub交叉发布这个问题

Answer 1

发现问题：

IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, secretKey, wrappedKey, objectAttributes);

应该阅读

IObjectHandle unwrappedKey = session.UnwrapKey(mechanism, publicKey, wrappedKey, objectAttributes);