Export/Import RSA keypair using PKCS11interop c# wrapper library from Thales nShield HSM?

I have generated a RSA public-private keypair in HSM using PKCS11Interop generate key API. I want to export the keypair. I used FindObject API to get the keys; the API returns an ObjectHandle, and while reading attributes using GetAttributeValue API, I am not able to read the key's value. And when I set the key's attribute CKA_EXTRACTABLE to true, I am not able to generate the key altogether.

Also I need to import externally provided keypair in HSM.

Any help is highly appreciated.

S Ghosh asked Oct 29 '22 11:10


1 Answer

What you are trying to do is considered insecure in the HSM world. It defeats the purpose of having an HSM.

But, can it be done? Yes, provided the HSM vendor supports it.

The HSM vendor decides if the keys generated on the HSM can be extractable or if any key that was generated by any software (outside the HSM) can be imported into the hardware. PKCS#11 is just an interface through which you interact with the HSM. If the HSM doesn't support an operation, it throws an exception which is eventually thrown by the PKCS11 API.

This is what is happening in your case for both the extraction and importing operations. The HSM on which you are trying to do these operations may not support it. So you need to check with the HSM vendor how you can perform these operations on their product.

P.S.: Thales nShield should/may have a configuration file through which you can run the HSM in insecure mode.

Note: Extracting a Key/Key Pair generated on the HSM (or) importing any Key/Key Pair that was generated outside the HSM are not considered insecure operations in the real world.

always_a_rookie answered Nov 15 '22 06:11
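To illustrate the point of the question and answer above, here is an added example (not code from the question, the answer, Pkcs11Interop or Thales) using the Pkcs11Interop high-level API: it generates an RSA pair with the private half marked sensitive and non-extractable, exports only the public material (modulus and exponent, which are never sensitive), and audits the private key's attributes so that a token returning private exponent bytes is flagged instead of silently treated as an export. The module path and user PIN are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

class KeyPolicyCheck
{
    // Assumed values, not from the question: vendor PKCS#11 module path and user PIN.
    const string LibraryPath = "/path/to/vendor-pkcs11-module.so";
    const string UserPin = "1234";

    static void Main()
    {
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, LibraryPath, AppType.MultiThreaded))
        using (ISession session = lib.GetSlotList(SlotsType.WithTokenPresent)[0].OpenSession(SessionType.ReadWrite))
        {
            session.Login(CKU.CKU_USER, UserPin);
            var af = session.Factories.ObjectAttributeFactory;

            // Public half: readable by design, so it is the part that can be exported.
            var pubTemplate = new List<IObjectAttribute>
            {
                af.Create(CKA.CKA_TOKEN, true),
                af.Create(CKA.CKA_VERIFY, true),
                af.Create(CKA.CKA_MODULUS_BITS, 2048UL),
                af.Create(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }),
            };
            // Private half: sensitive and non-extractable, the policy the HSM exists to enforce.
            var privTemplate = new List<IObjectAttribute>
            {
                af.Create(CKA.CKA_TOKEN, true),
                af.Create(CKA.CKA_PRIVATE, true),
                af.Create(CKA.CKA_SENSITIVE, true),
                af.Create(CKA.CKA_EXTRACTABLE, false),
                af.Create(CKA.CKA_SIGN, true),
            };
            IMechanism mech = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS_KEY_PAIR_GEN);
            session.GenerateKeyPair(mech, pubTemplate, privTemplate, out IObjectHandle pubKey, out IObjectHandle privKey);

            // Export the public key material; CKA_MODULUS and CKA_PUBLIC_EXPONENT are readable on any token.
            List<IObjectAttribute> pub = session.GetAttributeValue(pubKey, new List<CKA> { CKA.CKA_MODULUS, CKA.CKA_PUBLIC_EXPONENT });
            Console.WriteLine("Exported modulus length: " + pub[0].GetValueAsByteArray().Length + " bytes");

            // Audit the private key: expect SENSITIVE=true, EXTRACTABLE=false, and the token refusing
            // to return CKA_PRIVATE_EXPONENT (Pkcs11Interop reports that as CannotBeRead, not as bytes).
            List<IObjectAttribute> priv = session.GetAttributeValue(privKey, new List<CKA> { CKA.CKA_SENSITIVE, CKA.CKA_EXTRACTABLE, CKA.CKA_PRIVATE_EXPONENT });
            bool policyOk = priv[0].GetValueAsBool() && !priv[1].GetValueAsBool() && priv[2].CannotBeRead;
            Console.WriteLine(policyOk ? "Private key policy OK" : "WARNING: token exposed private key material");
            session.Logout();
        }
    }
}
```

The private-exponent read is expected to come back unreadable; if the vendor module instead throws, that is the same vendor-policy behaviour the answer describes, surfaced as a Pkcs11Exception rather than a flagged attribute.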