PeculiarVentures / pkcs11js

A Node.js implementation of the PKCS#11 2.40 interface
MIT License

Pkcs11Error: CKR_OBJECT_HANDLE_INVALID #87

Open zercek23 opened 3 years ago

zercek23 commented 3 years ago

Hi, I recently installed SoftHSM2 from source on my Ubuntu 20.04 LTS server, and I created a Node.js server. To communicate with SoftHSM, I installed your package in my Node.js app. I looked up the usage of your package and went through some of your example steps. I managed to create a session, generate a key pair with the RSA mechanism, sign data with my private key and verify this signature with my public key in one Node.js server. Everything went well, but my goal was to generate keys and sign data in one Node.js server and, in another Node.js server, get this signature and public key by HTTP request and verify the sent signature with the sent public key. I have sent the signature and public key from my first Node.js app to the second Node.js app. But in the second Node.js app, I am getting the error below on this line:

pkcs11.C_VerifyInit(session, { mechanism: pkcs11js.CKM_SHA256_RSA_PKCS }, Buffer.from(response.publicKey));

Full Error: [Pkcs11Error: CKR_OBJECT_HANDLE_INVALID] { method: 'crypto_init', nativeStack: ' at Error (native) crypto_init:641', code: 130 }

I am sending data like this: { "signature": { "type": "Buffer", "data": [ 42, 170, 24, 40, 115, 61, 58, 177, 159, 108, 180, 246, 219, 43, 187, 18, 49, 36, 10, 200, 96, 35, 49, 90, 71, 159, 183, 0, 61, 133, 108, 89, 243, 108, 207, 225, 183, 199, 249, 80, 236, 201, 193, 234, 211, 226, 155, 119, 78, 233, 101, 203, 225, 47, 180, 126, 170, 38, 232, 3, 132, 103, 119, 234, 127, 41, 172, 230, 150, 152, 167, 223, 175, 177, 246, 156, 50, 83, 116, 136, 81, 234, 60, 247, 38, 21, 194, 40, 73, 180, 71, 57, 159, 10, 192, 185, 221, 113, 99, 88, 223, 157, 220, 177, 196, 220, 218, 68, 196, 83, 158, 124, 203, 230, 29, 0, 224, 110, 88, 16, 158, 138, 182, 152, 181, 189, 223, 167, 78, 209, 203, 73, 7, 43, 65, 243, 98, 147, 7, 140, 49, 47, 102, 238, 85, 92, 207, 183, 62, 188, 185, 7, 95, 198, 193, 132, 22, 153, 214, 248, 211, 104, 127, 175, 106, 214, 198, 37, 26, 163, 174, 12, 39, 249, 78, 47, 26, 136, 163, 42, 110, 16, 150, 214, 61, 171, 133, 150, 158, 97, 255, 223, 77, 148, 91, 75, 40, 93, 103, 169, 52, 239, 40, 49, 116, 200, 26, 126, 183, 113, 92, 235, 20, 92, 189, 168, 109, 79, 125, 48, 42, 110, 219, 34, 181, 2, 249, 57, 24, 36, 198, 100, 224, 8, 77, 18, 84, 228, 124, 16, 128, 164, 86, 11, 196, 67, 198, 235, 150, 67, 235, 134, 218, 115, 220, 5 ] }, "publicKey": { "type": "Buffer", "data": [ 2, 0, 0, 0, 0, 0, 0, 0 ] } }

And I am handling these objects like this:

pkcs11.C_VerifyInit(session, { mechanism: pkcs11js.CKM_SHA256_RSA_PKCS }, Buffer.from(response.publicKey));
pkcs11.C_VerifyUpdate(session, Buffer.from("Incoming message 1"));
const verify = pkcs11.C_VerifyFinal(session, Buffer.from(response.signature));

In case you want to see the signing process:

pkcs11.C_SignInit(session, { mechanism: pkcs11js.CKM_SHA256_RSA_PKCS }, keys.privateKey);
pkcs11.C_SignUpdate(session, Buffer.from("Incoming message 1"));
const signature = pkcs11.C_SignFinal(session, Buffer.alloc(256));

So I really searched for this error. But I couldn't find anything. And I wanted to ask you for help. I would be glad if you help.

microshine commented 3 years ago

@zercek23 Have you seen graphene-pk11 and node-webcrypto-p11 modules?

node-webcrypto-p11 makes using RSA and ECDSA mechanisms easier.

If you've got the public key in SoftHSM storage, just use the crypto.keyStorage.getItem method.

If you've got the blob of the public key, use crypto.subtle.importKey (WebCrypto API).

To verify your signature you just need to call the standard WebCrypto API verify method:

await crypto.subtle.verify({name: "RSASSA-PKCS1-v1_5"}, publicKey, signature, data);

For more examples see this link
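
The approach suggested in the reply above, as an added example that is not part of the original thread or of either project's code. The 8-byte `publicKey` in the posted payload is a PKCS#11 object handle, which means nothing outside the process that obtained it, so the signer has to send the key itself (here as DER SPKI) and the verifier imports it. Assumptions: Node's built-in WebCrypto stands in for node-webcrypto-p11 so the flow runs without a token, and the names `signAndPackage`, `verifyPackage` and `demo` are hypothetical.

```javascript
// Added example: Node's built-in WebCrypto stands in for the HSM-backed
// provider (an assumption), so the flow runs without a token.
const { webcrypto } = require("node:crypto");
const subtle = webcrypto.subtle;
// WebCrypto counterpart of CKM_SHA256_RSA_PKCS.
const ALG = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };

// Signer side: ship the public key as SPKI bytes, never the object handle.
async function signAndPackage(keys, message) {
  const signature = await subtle.sign(ALG, keys.privateKey, Buffer.from(message));
  const spki = await subtle.exportKey("spki", keys.publicKey);
  return JSON.stringify({
    signature: Buffer.from(signature).toString("base64"),
    publicKey: Buffer.from(spki).toString("base64"),
  });
}

// Verifier side: rebuild the key from the received bytes, then verify.
async function verifyPackage(json, message) {
  const body = JSON.parse(json);
  const spki = Buffer.from(body.publicKey, "base64");
  // An 8-byte value such as [2,0,0,0,0,0,0,0] is a handle, not key material.
  if (spki.length < 64 || spki[0] !== 0x30) {
    throw new TypeError("publicKey is not DER SPKI (was an object handle sent?)");
  }
  const publicKey = await subtle.importKey("spki", spki, ALG, false, ["verify"]);
  const signature = Buffer.from(body.signature, "base64");
  return subtle.verify(ALG, publicKey, signature, Buffer.from(message));
}

async function demo() {
  const keys = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ["sign", "verify"]);
  const wire = await signAndPackage(keys, "Incoming message 1");
  const ok = await verifyPackage(wire, "Incoming message 1");
  const tampered = await verifyPackage(wire, "Incoming message 2");
  // Constructed payload shaped like the one in the issue: handle bytes only.
  const handle = Buffer.from([2, 0, 0, 0, 0, 0, 0, 0]).toString("base64");
  const handleOnly = JSON.stringify({ signature: "", publicKey: handle });
  const rejected = await verifyPackage(handleOnly, "x")
    .then(() => false, (e) => e instanceof TypeError);
  return { ok, tampered, rejected };
}

demo().then(console.log);
```

A verifier that accepts the public key from the same request as the signature only checks consistency between the two; to authenticate the sender, the key has to be pinned or obtained over a channel the verifier already trusts.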