Hello Cedric,
According to RSA PKCS#11, you can't create an RSA private key and a cert
in a single operation.
You have to create the key, transmitting (at least) the attributes CKA_CLASS
= CKO_PRIVATE_KEY, CKA_KEY_TYPE = CKK_RSA; its "value" with the attributes
{CKA_MODULUS & CKA_PRIVATE_EXPONENT} or {CKA_PRIME_1, CKA_PRIME_2,
CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT}, and some usage attributes
(SIGN, SIGN_RECOVER, ...). Note that CKA_LOCAL is true only for an
on-board generated key.
Then you create the cert (actually the order is not relevant), transmitting (at
least) CKA_CLASS = CKO_CERTIFICATE, CKA_CERTIFICATE_TYPE = CKC_X_509, its
"value" with the attributes CKA_VALUE and a subject; the usage attributes
are not expected for a cert.
Regarding the P12 structure, you're right: they contain a certificate
(optionally a chain of them) and a private chain (ciphered with a sym. key
computed from a hash of a password); but during an import Netscape will
create the two objects separately in accordance with the values found in the P12.
Sylvain Ferey.
At 10:54 31/01/01 +0100, Cédric Malderez wrote:
>Hello !!
>
>I'm trying to insert a private key & a Certificate into a smart card
>(Schlumberger Cryptoflex).
>These are the attribute type & object arrays:
>
>int pkAttributeTypes[] = {
> PKCS11Object.CLASS, // Integer
> PKCS11Object.KEY_TYPE, // Integer
> PKCS11Object.TOKEN, // Boolean
> PKCS11Object.PRIVATE, // Boolean
> PKCS11Object.LABEL, // String
> PKCS11Object.VALUE, // byte[]
> PKCS11Object.SENSITIVE, // Boolean
> PKCS11Object.DECRYPT, // Boolean
> PKCS11Object.UNWRAP, // Boolean
> PKCS11Object.SIGN, // Boolean
> PKCS11Object.SIGN_RECOVER, // Boolean
> PKCS11Object.DERIVE, // Boolean
> PKCS11Object.LOCAL, // Boolean
> PKCS11Object.MODIFIABLE // Boolean
>};
>Object pkAttributeObjects[] = {
> PKCS11Object.PRIVATE_KEY,
> PKCS11Object.RSA,
> new Boolean(true),
> new Boolean(true),
> new String("Label"),
> certByteArray,
> new Boolean(true),
> new Boolean(true),
> new Boolean(false),
> new Boolean(true),
> new Boolean(false),
> new Boolean(false),
> new Boolean(true),
> new Boolean(true)
>};
>
>And when I launch C_CreateObject(pkAttributeTypes, pkAttributeObjects) ...
>it says that an attribute type is invalid ... but I've listed this attribute
>type array from a private key dump where the private key was stored in a
>smart card using Netscape P12 import!
>
>Do I need all of those attributes ...?
>Does someone have an idea?
>
>
>Thanks !
>
>Sincerely
>Malderez Cedric
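
The two creation templates described in the reply, as an added example that is not part of the original messages: Python that builds the RSA private key template (with either value set) and the separate certificate template, then checks any template against the rules stated in the reply. Attribute names are the PKCS#11 names kept as plain strings; the function names are assumptions made for illustration, and no token is contacted.

```python
# Added example; attribute names are PKCS#11 names kept as strings, nothing talks to a token.
CRT_SET = {"CKA_PRIME_1", "CKA_PRIME_2", "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT"}
VALUE_SETS = [{"CKA_MODULUS", "CKA_PRIVATE_EXPONENT"}, CRT_SET]
USAGE = {"CKA_SIGN", "CKA_SIGN_RECOVER", "CKA_DECRYPT", "CKA_UNWRAP", "CKA_DERIVE"}

def to_bytes(n):
    """Big-endian unsigned encoding, the form PKCS#11 uses for big integers."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def rsa_private_key_template(p, q, e, label, crt=True):
    """Template for an imported RSA private key, using one of the two value sets."""
    d = pow(e, -1, (p - 1) * (q - 1))          # private exponent
    if crt:
        nums = {"CKA_PRIME_1": p, "CKA_PRIME_2": q,
                "CKA_EXPONENT_1": d % (p - 1), "CKA_EXPONENT_2": d % (q - 1),
                "CKA_COEFFICIENT": pow(q, -1, p)}
    else:
        nums = {"CKA_MODULUS": p * q, "CKA_PRIVATE_EXPONENT": d}
    t = {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_KEY_TYPE": "CKK_RSA",
         "CKA_TOKEN": True, "CKA_PRIVATE": True, "CKA_LABEL": label,
         "CKA_SENSITIVE": True, "CKA_SIGN": True}   # no CKA_LOCAL, no CKA_VALUE
    t.update({k: to_bytes(v) for k, v in nums.items()})
    return t

def certificate_template(der, subject, label):
    """Template for the separate X.509 certificate object; no usage attributes."""
    return {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_CERTIFICATE_TYPE": "CKC_X_509",
            "CKA_TOKEN": True, "CKA_LABEL": label, "CKA_SUBJECT": subject, "CKA_VALUE": der}

def check_template(t):
    """Return the problems found in a creation template (dict of name -> value)."""
    problems, names = [], set(t)
    if t.get("CKA_CLASS") == "CKO_PRIVATE_KEY":
        if t.get("CKA_KEY_TYPE") != "CKK_RSA":
            problems.append("CKA_KEY_TYPE is not CKK_RSA")
        if not any(s <= names for s in VALUE_SETS):
            problems.append("no complete RSA value set")
        if "CKA_VALUE" in names:
            problems.append("CKA_VALUE belongs to the certificate object")
        if t.get("CKA_LOCAL"):
            problems.append("CKA_LOCAL true on an imported key")
    elif t.get("CKA_CLASS") == "CKO_CERTIFICATE":
        if t.get("CKA_CERTIFICATE_TYPE") != "CKC_X_509":
            problems.append("CKA_CERTIFICATE_TYPE is not CKC_X_509")
        problems += [f"{a} missing" for a in ("CKA_VALUE", "CKA_SUBJECT") if a not in names]
        problems += [f"{a} not expected on a certificate" for a in sorted(USAGE & names)]
    else:
        problems.append("CKA_CLASS is neither private key nor certificate")
    return problems
```

Each dictionary maps one-to-one onto the attribute type and value arrays a binding passes to C_CreateObject, one call per object.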