PKCS11Interop : How to extract certificate with private key?

Question

I have a third-party application (which we don't want to use), that can extract certificates from our card reader with the private key, and insert it to store. As I said, we don't want to use it for many reasons, so we tried to read card reader directly through PKCS11. As we develop in C#, we use th PKCS11 Interop library to manage it. However, I cannot retrieve the associate private key linked to this certificate. How can I do it ?

Here's my code :

List objectAttributes = new List();
objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_PRIVATE, false));
objectAttributes.Add(new ObjectAttribute(CKA.CKA_TOKEN, true));
//objectAttributes.Add(new ObjectAttribute(CKA.CKA_LABEL, UTF8Encoding.UTF8.GetBytes("Certificat d'Authentification CPS")));
//CurrentSession.FindObjectsInit(objectAttributes);
oObjCollection = CurrentSession.FindAllObjects(objectAttributes);
//if (oObjCollection.Count > 0)
foreach (var item in oObjCollection)
{
  var oAttriVal = CurrentSession.GetAttributeValue(item, new List() { CKA.CKA_VALUE, CKA.CKA_ID }).FirstOrDefault();
  oResult = new X509Certificate2(oAttriVal.GetValueAsByteArray());
  X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
  store.Open(OpenFlags.ReadWrite);
  store.Add(oResult);
  store.Close();
}

If I try to retrieve the private key, I can, but it is not readable, else I cannot see how to associate it to my retrieved certificate ?

List objectAttributes = new List();
                objectAttributes = new List();

                objectAttributes = new List();
                objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
                objectAttributes.Add(new ObjectAttribute(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));

                CurrentSession.FindObjectsInit(objectAttributes);
                var oObjCollection = CurrentSession.FindObjects(1);
                if (oObjCollection.Count > 0)
                {
                    oPrivKeyObjectHandle = oObjCollection[0];
                }
                List privKeyAttributes = new List();
                if (oPrivKeyObjectHandle != null)
                {
                    List privKeyAttrsToRead = new List();
                    privKeyAttrsToRead.Add(CKA.CKA_LABEL);
                    privKeyAttrsToRead.Add(CKA.CKA_ID);
                    privKeyAttrsToRead.Add(CKA.CKA_VALUE);
                    privKeyAttrsToRead.Add(CKA.CKA_VALUE_BITS);

                    privKeyAttributes = CurrentSession.GetAttributeValue(oPrivKeyObjectHandle, privKeyAttrsToRead);
                }
                CurrentSession.FindObjectsFinal();

Thanks for helping

cdie · Accepted Answer

I finally managed to make it works.

My procedure is the following : I used third party software to analyse private key of the certificate put in store.

When I do so, I load CspParameters from the third party DLL like this :

var oParams = new CspParameters(1, "ASIP Sante Cryptographic Provider");
oParams.Flags = CspProviderFlags.UseExistingKey;
oParams.KeyNumber = (int)KeyNumber.Signature;
oParams.KeyContainerName = System.Text.RegularExpressions.Regex.Replace(GetAttributeValue(item, CKA.CKA_SUBJECT).First().GetValueAsString(), @"[^\u0020-\u007E]", string.Empty);

In my specific case, the KeyContainerName was the subject with only ASCII chars (it is NOT a default scenario).

When I create RSACryptoServiceProvider with this CSP, it works great, and I finally can not use third party application.

Note that ASIP Sante Cryptographic Provider is the provider installed with the third party software, that comes with a specific DLL for Windows CSP.

This code might not be compatible with Mono, Linux/Mac ...

PKCS11Interop : How to extract certificate with private key?

Answers (2)

Related Questions