I am trying to generate key pair using safenet sdk. Then I tried to sign the certificate informations with private key and verify using public key. But, the verification says signature is invalid. I checked whether generated public key and public key used to verify the information. They are the same. How can i resolve the issue?
std::string Dongle::sign(char *password, char* data, char* enrollmentId) {
CK_RV rv = CKR_OK;
CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
LoadCryptoki(pkcs11_path);
rv = GetFirstSlotId(&slotId);
rv = C_OpenSession(slotId, (CKF_SERIAL_SESSION | CKF_RW_SESSION), NULL_PTR, NULL_PTR, &hSession);
CK_OBJECT_HANDLE hPrivateKey = Dongle::generateKeyPairUtil(hSession, password, enrollmentId);
std::string signature = Dongle::signUtil(hSession, hPrivateKey, password, data, enrollmentId);
printf("OPERATION SUCCESS\n");
//verify(password, signature, enrollmentId, );
end:
if (hSession) fl->C_CloseSession(hSession);
UnloadCryptoki();
return signature;
}
CK_OBJECT_HANDLE Dongle::generateKeyPairUtil(CK_SESSION_HANDLE hSession, char *password, char *enrollmentId) {
CK_RV rv = CKR_OK;
CK_BBOOL bFalse = CK_FALSE;
CK_BBOOL bTrue = CK_TRUE;
CK_KEY_TYPE keyType = CKK_RSA;
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
std::string labelPub = std::string("public") + enrollmentId;
std::string labelPriv = std::string("private") + enrollmentId;
CK_UTF8CHAR * labelPublic = convertToCK_UTF8CHAR(labelPub); //Label of public key.
CK_UTF8CHAR * labelPrivate = convertToCK_UTF8CHAR(labelPriv); //Label of private key.
// Setup public key attributes.
CK_OBJECT_CLASS classPublicKey = CKO_PUBLIC_KEY;
CK_ULONG vecModulusBits[] = { 2048 };
CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE publicKeyTemplate[] =
{
{ CKA_CLASS, &classPublicKey, sizeof(classPublicKey) },
{ CKA_LABEL, labelPublic, strlen((char*)labelPublic) },
{ CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{ CKA_TOKEN, &bTrue, sizeof(bTrue) },
{ CKA_PRIVATE, &bFalse, sizeof(bFalse) },
{ CKA_MODULUS_BITS, &vecModulusBits[0], sizeof(vecModulusBits[0]) },
{ CKA_PUBLIC_EXPONENT, &publicExponent, sizeof(publicExponent) },
{ CKA_VERIFY, &bTrue, sizeof(bTrue) }
};
// Setup private key attributes.
CK_OBJECT_CLASS classPrivateKey = CKO_PRIVATE_KEY;
CK_ATTRIBUTE privateKeyTemplate[] =
{
{ CKA_CLASS, &classPrivateKey, sizeof(classPrivateKey) },
{ CKA_LABEL, labelPrivate, strlen((char*)labelPrivate) },
{ CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{ CKA_TOKEN, &bTrue, sizeof(bTrue) },
{ CKA_PRIVATE, &bTrue, sizeof(bTrue) },
};
// Setup mechanism to generate an RSA key pair.
CK_MECHANISM mechanism;
memset (&mechanism, 0, sizeof (mechanism));
mechanism.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
// Login to the token with a user password.
C_Login(hSession, CKU_USER, (CK_UTF8CHAR_PTR)password, strlen(password));
// Try to find the two RSA keys with a specific label using the FindObject() function.
hPrivateKey = FindObjects(hSession, privateKeyTemplate, DIM(privateKeyTemplate));
hPublicKey = FindObjects(hSession, publicKeyTemplate, DIM(publicKeyTemplate));
// Generate a new RSA key pair if an RSA key with the same label doesn't exist on the token.
if ( ! (hPublicKey && hPrivateKey) )
{
printf("Wait for RSA key pair generation ... \n");
rv = C_GenerateKeyPair(hSession, &mechanism, publicKeyTemplate, 7, privateKeyTemplate, 5, &hPublicKey, &hPrivateKey);
if (rv == CKR_OK) {
printf("OPERATION SUCCESS. Key Pair Generated Successfully.\n");
}
}
else {
printf("Key Pair Already Exists \n");
}
end:
C_Logout(hSession);
return hPrivateKey;
}
std::string Dongle::signUtil(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPrivateKey, char* password, char* data, char* enrollmentId) {
//std::cout<<"data is: " << *data;
CK_RV retCode = CKR_OK;
int isPaddingRequired = 0;
int isDataFromUser = 0;
CK_MECHANISM mech;
CK_BYTE pSigData[3000];
CK_BYTE sign[2048];
#ifndef PKCS11_V1
CK_ULONG usSigLen = sizeof(pSigData);
#else
CK_ULONG usSigLen = 0;
#endif
char *pInputData = 0;
unsigned long ulInputDataLen = strlen(data);
std::cout << "length: " << ulInputDataLen;
CK_BYTE_PTR pInData = (CK_BYTE_PTR)data;
std::cout << "Mechanism: [6]SHA256-RSA" <<std::endl;
retCode = C_Login(hSession, CKU_USER, (CK_UTF8CHAR_PTR)password, strlen(password));
mech.mechanism = CKM_SHA256_RSA_PKCS;
mech.pParameter = 0;
mech.ulParameterLen = 0;
isDataFromUser = 0;
if( retCode == CKR_OK )
{
if( isPaddingRequired )
{
for(unsigned long ulLoop=ulInputDataLen; ulLoop<64; ++ulLoop)
{
pInData[ulLoop] = 0;
}
ulInputDataLen = 64;
}
}
if (retCode == CKR_OK)
{
retCode = C_SignInit(hSession, &mech, hPrivateKey);
}
CK_ULONG usInLen = (CK_ULONG)ulInputDataLen;
// get the signature length
if(retCode == CKR_OK)
{
retCode = C_Sign(hSession, pInData, usInLen, (CK_BYTE_PTR)NULL_PTR, &usSigLen);
}
std::cout << "sig length: \n";
std::cout << usSigLen;
// get the signature
if(retCode == CKR_OK)
{
retCode = C_Sign(hSession, pInData, usInLen, (CK_BYTE_PTR)pSigData, &usSigLen);
}
std::string returnSignature = "";
std::string tempString = "";
std::cout << "return code: \n";
std::cout << retCode;
if( (retCode == CKR_OK) && usSigLen )
{
std::cout << "Signed Data " << std::endl << "(hex) ";
//returnSignature = base64_encode(pSigData,usSigLen);
//WriteBinaryFile(signfile, (char *)pSigData, usSigLen);
for(unsigned long ulLoop=0; ulLoop<usSigLen; ++ulLoop)
{
char pBuffer[25];
sprintf(pBuffer, "%02x", pSigData[ulLoop]);
std::cout << pBuffer;
//returnSignature += pBuffer;
}
returnSignature = (char *)pSigData;
returnSignature = base64_encode(pSigData, usSigLen);
std::cout << "returned signature: \n";
std::cout << returnSignature;
}
char arr[returnSignature.length() + 1];
for (int x = 0; x < sizeof(arr); x++) {
arr[x] = returnSignature[x];
}
verify(password,data,enrollmentId,pSigData,256,2048);
// Release memory
if( pInputData )
{
delete pInputData;
}
return returnSignature;
}
void Dongle::verify(char *password, char* data, char* enrollmentId, CK_BYTE_PTR signature, CK_ULONG sigLen, CK_ULONG sigDataLen) {
CK_BBOOL bFalse = CK_FALSE;
CK_BBOOL bTrue = CK_TRUE;
CK_KEY_TYPE keyType = CKK_RSA;
std::string labelPub = std::string("public") + enrollmentId;
CK_UTF8CHAR * labelPublic = convertToCK_UTF8CHAR(labelPub) ; //Label of public key.
// Setup public key attributes.
CK_OBJECT_CLASS classPublicKey = CKO_PUBLIC_KEY;
CK_ULONG vecModulusBits[] = { 2048 };
CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE publicKeyTemplate[] =
{
{ CKA_CLASS, &classPublicKey, sizeof(classPublicKey) },
{ CKA_LABEL, labelPublic, strlen((char*)labelPublic) },
{ CKA_KEY_TYPE, &keyType, sizeof(keyType) },
{ CKA_TOKEN, &bTrue, sizeof(bTrue) },
{ CKA_PRIVATE, &bFalse, sizeof(bFalse) },
{ CKA_MODULUS_BITS, &vecModulusBits[0], sizeof(vecModulusBits[0]) },
{ CKA_PUBLIC_EXPONENT, &publicExponent, sizeof(publicExponent) },
{ CKA_VERIFY, &bTrue, sizeof(bTrue) }
};
CK_RV rv = CKR_OK;
CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
LoadCryptoki(pkcs11_path);
rv = GetFirstSlotId(&slotId);
rv = C_OpenSession(slotId, (CKF_SERIAL_SESSION | CKF_RW_SESSION), NULL_PTR, NULL_PTR, &hSession);
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
hPublicKey = FindObjects(hSession, publicKeyTemplate, DIM(publicKeyTemplate));
/* Verify the signature created by C_Sign. First we will verify that the
* same Cryptoki library was able to trust itself.
*
* C_VerifyInit will begin the verify operation, by specifying what mechanism
* to use (CKM_ECDSA, the same as the sign operation) and then specifying
* which public key handle to use.
*/
CK_RV retCode = CKR_OK;
CK_MECHANISM mechanism;
memset (&mechanism, 0, sizeof (mechanism));
mechanism.mechanism = CKM_SHA256_RSA_PKCS ;
retCode = C_VerifyInit( hSession,
&mechanism,
hPublicKey );
;
/* Given the signature and it's length, the Cryptoki will use the public key
* to see if the sender can be trusted. If C_Verify returns CKR_OK, it means
* that the sender of the message has the same private key as the private key
* that was used to generate the public key, and we can trust that the
* message we received was from that sender.
*
* Note that we are not using the actual message, but the digest that we
* created earlier of the message, for the verification.
*/
if(retCode == CKR_OK) {
retCode = C_Verify( hSession,
(CK_BYTE_PTR)data,
sigDataLen,
signature,
sigLen );
}
std::cout << "sig Data len: \n";
std::cout << sigDataLen;
std::cout << "sigLen: \n";
std::cout << sigLen;
std::cout << "return code is: \n";
std::cout << retCode;
if( retCode == CKR_OK )
{
std::cout << "The signature of the digest was verified with the" \
" public key and can be trusted.\r\n";
} else
{
std::cout << "Unable to verify the signature with the given public" \
" key, the message cannot be trusted.\r\n";
}
}