I have generated an RSA public-private keypair in HSM using the PKCS11Interop generate key API. I want to export the keypair. I used the FindObject API to get the keys; the API returns an ObjectHandle, but while reading attributes using the GetAttributeValue API, I am not able to read the key's value. And when I set the key's attribute CKA_EXTRACTABLE to true, I am not able to generate the key altogether.
Also I need to import an externally provided keypair into the HSM.
Any help is highly appreciated.
What you are trying to do is considered insecure in the HSM world. It defeats the purpose of having an HSM.
But, can it be done? Yes, provided the HSM vendor supports it.
The HSM vendor decides if the keys generated on the HSM can be extractable or if any key that was generated by any software (outside the HSM) can be imported into the hardware. PKCS#11 is just an interface through which you interact with the HSM. If the HSM doesn't support an operation, it throws an exception which is eventually thrown by the PKCS11 API.
This is what is happening in your case for both the extraction and importing operations. The HSM on which you are trying to do these operations may not support it. So you need to check with the HSM vendor how you can perform these operations on their product.
P.S: Thales nShield should/may have a configuration file through which you can run the HSM in insecure mode.
Note: Extracting a key/key pair generated on the HSM (or) importing any key/key pair that was generated outside the HSM are not considered insecure operations in the real world.
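The situation the answer describes, shown in Pkcs11Interop code as an added example (not code from the question or the answer): the public half of an RSA pair is always readable through CKA_MODULUS and CKA_PUBLIC_EXPONENT, a sensitive private half answers CKR_ATTRIBUTE_SENSITIVE (which Pkcs11Interop surfaces as CannotBeRead), and a token whose policy forbids extractable private keys rejects the template at generation time with a Pkcs11Exception. The library path and PIN are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

class RsaKeyPairExportCheck
{
    const string LibraryPath = "/path/to/vendor-pkcs11.so"; // PLACEHOLDER: vendor PKCS#11 module
    const string UserPin = "PLACEHOLDER-PIN";               // PLACEHOLDER: token user PIN

    static void Main()
    {
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, LibraryPath, AppType.MultiThreaded))
        using (ISession session = lib.GetSlotList(SlotsType.WithTokenPresent)[0].OpenSession(SessionType.ReadWrite))
        {
            session.Login(CKU.CKU_USER, UserPin);
            var af = session.Factories.ObjectAttributeFactory;
            // Public half: modulus and exponent are never sensitive, so the public key can always be
            // exported by reading them; CKA_EXTRACTABLE plays no role here.
            var pubTemplate = new List<IObjectAttribute> {
                af.Create(CKA.CKA_TOKEN, true), af.Create(CKA.CKA_VERIFY, true),
                af.Create(CKA.CKA_MODULUS_BITS, 2048UL),
                af.Create(CKA.CKA_PUBLIC_EXPONENT, new byte[] { 0x01, 0x00, 0x01 }) };
            // Private half with the safe defaults. Flipping CKA_EXTRACTABLE to true (or CKA_SENSITIVE
            // to false) is the template a hardened token may refuse, which is the generation failure
            // described in the question.
            var privTemplate = new List<IObjectAttribute> {
                af.Create(CKA.CKA_TOKEN, true), af.Create(CKA.CKA_PRIVATE, true),
                af.Create(CKA.CKA_SENSITIVE, true), af.Create(CKA.CKA_EXTRACTABLE, false),
                af.Create(CKA.CKA_SIGN, true) };
            IObjectHandle pubKey, privKey;
            try
            {
                IMechanism mech = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS_KEY_PAIR_GEN);
                session.GenerateKeyPair(mech, pubTemplate, privTemplate, out pubKey, out privKey);
            }
            catch (Pkcs11Exception ex) // e.g. CKR_TEMPLATE_INCONSISTENT when token policy forbids the template
            {
                Console.WriteLine("Token refused the key template: " + ex.RV);
                return;
            }
            // Export the public key material; this works on any conforming token.
            var pub = session.GetAttributeValue(pubKey, new List<CKA> { CKA.CKA_MODULUS, CKA.CKA_PUBLIC_EXPONENT });
            Console.WriteLine("Modulus length: " + pub[0].GetValueAsByteArray().Length + " bytes");
            // Private components: a sensitive key returns CKR_ATTRIBUTE_SENSITIVE, and Pkcs11Interop marks the
            // attribute CannotBeRead instead of returning a value. This is the "cannot read the value" symptom.
            var priv = session.GetAttributeValue(privKey, new List<CKA> { CKA.CKA_EXTRACTABLE, CKA.CKA_PRIVATE_EXPONENT });
            Console.WriteLine("Private key extractable: " + priv[0].GetValueAsBool());
            Console.WriteLine("Private exponent readable: " + !priv[1].CannotBeRead);
            session.Logout();
        }
    }
}
```

Some tokens throw a Pkcs11Exception from GetAttributeValue instead of flagging CannotBeRead, so a production version would wrap that call in the same try/catch and inspect ex.RV.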