[Softhsm-develop] Accessing private keys in the key store

JC lovecraftesque at yahoo.com
Thu Oct 21 16:26:32 UTC 2021


I have the following work sequence using the PKCS 11 API against SoftHSM:
1. Generate a number of RSA keys.2. Keep the key pairs in the key store.3. Later on, retrieve the a RSA key pair of a given modulus size from the key store. The only requirement is that the size of its modulus must be the one specified.4. Use the private key from the key pair retrieved to carry out a signature operation.
I can do the first two steps without any problems. For step number 3 I tried using the following code:

  CK_KEY_TYPE key_type = CKK_RSA;  CK_OBJECT_HANDLE rsa_key;  CK_OBJECT_CLASS type = CKO_PRIVATE_KEY;  CK_BBOOL true = TRUE;
  CK_ATTRIBUTE keyAttrs[] = {    { CKA_TOKEN, &true, sizeof(true) },    { CKA_KEY_TYPE, &key_type, sizeof(key_type) },    { CKA_CLASS, &class, sizeof(class) },    { CKA_MODULUS_BITS, &modulus_size, sizeof(modulus_size) }  };
  CK_ULONG template_size, returned;  CK_RV rv;
  template_size = sizeof(keyAttrs) / sizeof(CK_ATTRIBUTE);
  rv = f->C_FindObjectsInit(hSession, keyAttrs, template_size);  if (rv != CKR_OK) {      printf("C_FindObjectsInit: %d\n", rv);      break;  }
  rv = f->C_FindObjects(hSession, key, 1, &returned);  if (rv != CKR_OK) {    printf("C_FindObjects: %d\n", rv);    return rv;  }
  rv = f->C_FindObjectsFinal(hSession);  if (rv != CKR_OK) {    printf("C_FindObjectsFinal: %d\n", rv);    return rv;  }
  return rv;
This does not work. All of the C_Find* calls above return CKR_OK, but C_FindObjects cannot find any private keys matching the attributes in the keyAttrs array: the value of returned is set to 0 when this function returns. However, when I set CK_OBJECT_CLASS type equal to CKO_PUBLIC_KEY, I obtain a public key object handle.
I am obviously missing something big here, but, what? The PKCS 11 session under which this code is running was opened with CKF_RW_SESSION | CKF_SERIAL_SESSION flags, and the session state at this point is CKS_RW_USER_FUNCTIONS.
If a private key object handle cannot be obtained as above, how can it be done? I need such an object handle to compute signatures.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/softhsm-develop/attachments/20211021/35c37daa/attachment.htm>


More information about the Softhsm-develop mailing list