parallaxsecond / rust-cryptoki

Rust wrapper for the PKCS #11 API, Cryptoki
https://docs.rs/cryptoki/
Apache License 2.0

Signing and Verifying #159

Closed hcldan closed 1 year ago

hcldan commented 1 year ago

I'm kind of at a loss for this, but maybe I'm missing something silly...

I'm trying to sign and then verify the signature:

    let sig = session.sign(&Mechanism::RsaPkcs, key_handle, &digest)?;
    eprintln!("verify: {:?}", session.verify(&Mechanism::RsaPkcs, cert_handle, &digest, &sig));

I keep getting `verify: Err(Pkcs11(KeyTypeInconsistent))`

The cert is queried looking for all X.509 certs capable of signing. I get the Id attribute of the cert and look for Attribute::Private(true) and Attribute::Id(id) and find the key.

I've looked at PKCS #11 examples in C and such, and it looks like this should work? Is my card just messed up?

hcldan commented 1 year ago

Need to search for the public key (not certificate) when using verify.

wiktor-k commented 1 year ago

Yeah... in my experience the certs are there only for convenience of other clients and the card treats them as opaque blobs unusable to anything on card.
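
Added example, not part of the thread and not rust-cryptoki code: a constructed in-memory token model showing the lookup the resolution above describes, going from a certificate handle to the public key object that shares its Id before verifying. All types (`Token`, `Attribute`, `ObjectClass`, `Error`) are local stand-ins that only borrow names from the thread, and the rejection of a certificate handle models the error reported there.

```rust
// Constructed in-memory model of a token; local stand-ins, not the cryptoki crate.
#[derive(Clone, Copy, PartialEq, Debug)]
enum ObjectClass { Certificate, PublicKey, PrivateKey }

#[derive(Clone, PartialEq, Debug)]
enum Attribute { Class(ObjectClass), Id(Vec<u8>), Verify(bool) }

#[derive(Debug, PartialEq)]
enum Error { KeyTypeInconsistent, NoMatchingPublicKey }

struct Token { objects: Vec<Vec<Attribute>> } // an object handle is an index here

impl Token {
    // Like a PKCS #11 object search: handles of objects carrying every template attribute.
    fn find_objects(&self, template: &[Attribute]) -> Vec<usize> {
        self.objects.iter().enumerate()
            .filter(|(_, attrs)| template.iter().all(|t| attrs.contains(t)))
            .map(|(handle, _)| handle)
            .collect()
    }
    // Models the error reported in the thread: a handle that is not a public key is rejected.
    fn verify_init(&self, handle: usize) -> Result<(), Error> {
        let is_pub = self.objects[handle].contains(&Attribute::Class(ObjectClass::PublicKey));
        if is_pub { Ok(()) } else { Err(Error::KeyTypeInconsistent) }
    }
    // Resolve a certificate handle to the public key object that shares its Id.
    fn public_key_for_cert(&self, cert: usize) -> Result<usize, Error> {
        let id = self.objects[cert].iter()
            .find_map(|a| match a { Attribute::Id(id) => Some(id.clone()), _ => None })
            .ok_or(Error::NoMatchingPublicKey)?;
        let template = [Attribute::Class(ObjectClass::PublicKey), Attribute::Id(id), Attribute::Verify(true)];
        self.find_objects(&template).first().copied().ok_or(Error::NoMatchingPublicKey)
    }
}

// Constructed sample: Id 0x01 has certificate, private and public key; Id 0x02 has a certificate only.
fn sample_token() -> Token {
    Token { objects: vec![
        vec![Attribute::Class(ObjectClass::Certificate), Attribute::Id(vec![1])],
        vec![Attribute::Class(ObjectClass::PrivateKey), Attribute::Id(vec![1])],
        vec![Attribute::Class(ObjectClass::PublicKey), Attribute::Id(vec![1]), Attribute::Verify(true)],
        vec![Attribute::Class(ObjectClass::Certificate), Attribute::Id(vec![2])],
    ] }
}

fn main() {
    let t = sample_token();
    println!("certificate handle: {:?}", t.verify_init(0));
    println!("public key for cert: {:?}", t.public_key_for_cert(0));
}
```

The certificate with Id 0x02 has no public key object on the modelled token, so the lookup fails there instead of falling back to the certificate handle.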