PKCS#10 request for a object key pair from PKCS#11

问题

I have a RSA 1024 key pair generated using standard call from PKCS#11. I need to generate a PKCS#10 CSR for the public key.

MS has the IEnroll4 dll which will allow to raise a CSR using createRequestWStr. The samples indicate that you need to generate a new key pair(a container with 2 objects in MS CAPI) and MS automatically gives the the public key context for csr generation.

In my case, I already have a key pair generated using pkcs#11(as 2 objects but no key container). MS dll is not allowing me to proceed further. QUERY 1: Can some body point out how I can resolve this issue. ----------------------------------------------------------------------------

Alternatively, I was thinking to write my own code for CSR generation based on RSA standards. I am having the ASN 1.0 format The ASN.1 syntax for a Certification Request is:

CertificationRequest ::= SEQUENCE {
   certificationRequestInfo CertificationRequestInfo,
   signatureAlgorithm       SignatureAlgorithmIdentifier,
   signature                Signature
}

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
Signature ::= BIT STRING

CertificationRequestInfo ::= SEQUENCE {
   version                 Version,
   subject                 Name,
   subjectPublicKeyInfo    SubjectPublicKeyInfo,
   attributes [0] IMPLICIT Attributes
}    
Attributes ::= SET OF Attribute

QUERY 2: How do I use the above syntaxes? I am totally new to this syntax? Which resources should I need to look at to write my own code?

回答1:

If you need to generate your certificate-request with the PKCS#11-interface (i.e. you cannot use a CSP-interface instead) your best bet is to avoid IEnroll.

For C++ your (free and open source) options seems to be to look into OpenSSL or Botan. I am not terribly fond of OpenSSL's API, but it works. I have never used Botan, but it seems pretty nice. There are also many excellent choices if you are willing to pay for them.

Alternatively, if you want to write the ASN.1 yourself you probably want to read A Layman's Guide to a Subset of ASN.1, BER, and DER. The formal specifications are in X.208 and X.209, but those are hard reading.

You want to generate a DER encoding of the ASN.1 (that is described in the link).

Here is an example encoding:

308201493081b3020100300e310c300a06035504031303666f6f30819d300d06092a864886f70d01
0101050003818b00308187028181009c921beeef551bcb051518f0c48bfe72cb1d5609a64a005e0c
008580bb81b3a43cea280d5bffa4e777733845fc2f485f1c8ccc0b2914f30d1e41369fd4a6758a3c
c887834c4d6177bd96b9f341232b00d453f28f2ae5ad5e3b0324d0b5b440a0901968fd556470dd4d
2ea2e99dd99c580703c042853265374cd3622f6c3369e5020103300d06092a864886f70d01010505
000381810068c0266a16117b37fb15ad143e2941ff8b8f082daf4ec02789db01636f51c739f199fb
19c56228cc12b9e482b966f8650fa3fdb24e31e97eef15f61aabc91dc194aeba4ebce5eab0c5e3db
36cc090a0e4b2c7d3ac27eeb0d3900d73bd88172464b890a8f9a58a0d34c0f5e226b6173cc92a316
4bbbf1d12f29d1e2ad3f36c977

or translated with the excellent dumpasn1 utility:

   0 30  329: SEQUENCE {
   4 30  179:   SEQUENCE {
   7 02    1:     INTEGER 0
  10 30   14:     SEQUENCE {
  12 31   12:       SET {
  14 30   10:         SEQUENCE {
  16 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  21 13    3:           PrintableString 'foo'
            :           }
            :         }
            :       }
  26 30  157:     SEQUENCE {
  29 30   13:       SEQUENCE {
  31 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
  42 05    0:         NULL
            :         }
  44 03  139:       BIT STRING 0 unused bits, encapsulates {
  48 30  135:           SEQUENCE {
  51 02  129:             INTEGER
            :               00 9C 92 1B EE EF 55 1B CB 05 15 18 F0 C4 8B FE
            :               72 CB 1D 56 09 A6 4A 00 5E 0C 00 85 80 BB 81 B3
            :               A4 3C EA 28 0D 5B FF A4 E7 77 73 38 45 FC 2F 48
            :               5F 1C 8C CC 0B 29 14 F3 0D 1E 41 36 9F D4 A6 75
            :               8A 3C C8 87 83 4C 4D 61 77 BD 96 B9 F3 41 23 2B
            :               00 D4 53 F2 8F 2A E5 AD 5E 3B 03 24 D0 B5 B4 40
            :               A0 90 19 68 FD 55 64 70 DD 4D 2E A2 E9 9D D9 9C
            :               58 07 03 C0 42 85 32 65 37 4C D3 62 2F 6C 33 69
            :                       [ Another 1 bytes skipped ]
 183 02    1:             INTEGER 3
            :             }
            :           }
            :       }
            :     }
 186 30   13:   SEQUENCE {
 188 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 199 05    0:     NULL
            :     }
 201 03  129:   BIT STRING 0 unused bits
            :     68 C0 26 6A 16 11 7B 37 FB 15 AD 14 3E 29 41 FF
            :     8B 8F 08 2D AF 4E C0 27 89 DB 01 63 6F 51 C7 39
            :     F1 99 FB 19 C5 62 28 CC 12 B9 E4 82 B9 66 F8 65
            :     0F A3 FD B2 4E 31 E9 7E EF 15 F6 1A AB C9 1D C1
            :     94 AE BA 4E BC E5 EA B0 C5 E3 DB 36 CC 09 0A 0E
            :     4B 2C 7D 3A C2 7E EB 0D 39 00 D7 3B D8 81 72 46
            :     4B 89 0A 8F 9A 58 A0 D3 4C 0F 5E 22 6B 61 73 CC
            :     92 A3 16 4B BB F1 D1 2F 29 D1 E2 AD 3F 36 C9 77
            :   }

来源：https://stackoverflow.com/questions/967762/pkcs10-request-for-a-object-key-pair-from-pkcs11